Improve your Password Cracking skills for NCL CTFs
This post is mostly for Cybersecurity students that want to improve their password cracking skills while participating in the NCL (National Cyber League) CTF (Capture the Flag) events.
I quickly realized that password cracking was the most challenging and time-consuming category among the ten in the NCL practice, individual, and team competitions. Curious, I looked back at past seasons and discovered that no team had achieved 100% completion in this category for at least five consecutive seasons — possibly even longer (before I joined). That statistic stuck with me. It seemed like a key opportunity to give myself a competitive edge. Since then, I’ve dedicated much of my free time to studying password cracking techniques and refining my approach. That’s when the real journey began. This helped me secure 2 NCL trophies!
Optimizing Hashcat to use your GPU and not CPU
If I could offer my past self one piece of advice, it would be to ensure Hashcat is utilizing the GPU rather than defaulting to the CPU. I wasn’t aware that running Hashcat inside VirtualBox or VMware disables GPU passthrough by default, which forces it to rely solely on the CPU. A quick way to identify this issue: if a basic RockYou.txt dictionary attack takes longer than a minute, you’re likely using the CPU — not ideal. To confirm which device Hashcat is using, run the following command:
$ hashcat -I
hashcat (v7.1.2) starting in backend information mode
CUDA Info:
==========
CUDA.Version.: 13.0
Backend Device ID #01
Name...........: NVIDIA GeForce RTX 5090
Processor(s)...: 170
Preferred.Thrd.: 32
Clock..........: 2422
Memory.Total...: 32606 MB
Memory.Free....: 30841 MB
Memory.Unified.: 0
Local.Memory...: 99 KB
PCI.Addr.BDFe..: 0000:81:00.0
You should see output similar to the one above. Pay attention to the line that says ID #01 and lists your GPU—for example, NVIDIA GeForce RTX 5090. That’s exactly what you want to see. It confirms that Hashcat is recognizing and using your GPU rather than defaulting to your CPU.
There are two main ways to make sure Hashcat uses your GPU:
Option 1:
This is the most straightforward approach for beginners using Linux. I recommend installing Hashcat natively on Windows instead of inside a virtual machine. Windows is more likely to detect your GPU properly, especially if you already have the NVIDIA app and CUDA drivers installed. This usually solves the problem right away.
Option 2:
Personally, I prefer working in a Linux environment, and I’m not a fan of Windows Command Prompt. So instead, I installed WSL (Windows Subsystem for Linux), which gives me a native Linux terminal inside Windows. After a few extra setup steps, I was able to get Hashcat running with GPU support. I’ve written a complete guide on how to set this up here:
https://cyberdigi.medium.com/how-i-replaced-virtual-machines-with-wsl-for-a-faster-gpu-powered-linux-workflow-4a9fe222fa32
First step in every NCL password cracking is to check rockyou.txt
Always, always, always run your first hashcat attack with rockyou.txt on the hashes. Why? Because NCL does a good job of pointing you in a certain direction with freebies! You should gain some type of intel from the freebies.
I’ve learned a great deal about password cracking over time, and while it’s difficult to cover everything, I’ll do my best to share some valuable insights. One key takeaway: truly understanding Hashcat is essential. Don’t just stop at basic dictionary attacks — dig deeper. Explore custom rules, advanced attack modes, and the full capabilities Hashcat has to offer.
Hashcat Rules
Hashcat allows you to apply custom rules during a dictionary attack to significantly expand your cracking strategy. You can learn more about rule-based attacks here: https://hashcat.net/wiki/doku.php?id=rule_based_attack
I’ll walk through a quick demonstration to help you visualize how this works in practice.
Let’s say we have a sports.txt with the following lines:
Baseball
Hockey
Scenario: We ran our wordlist (sports.txt) and it didn’t get us any hits. Bummers! Now we want to check whether the password has a single appended digit. According to the link above, to append a character we put $X in the rule, where X is the character we want to append. Let’s make a simple one that appends only 0.
We need to create a new file called appender.rule
nano appender.rule
$0
Let’s run that new rule. Hashcat has an option, --stdout (standard output), that prints the generated candidates in your terminal instead of attempting to crack anything. I want you to use this option so you can see if your custom rules are working.
$ hashcat --stdout sports.txt -r appender.rule
Baseball0
Hockey0
How cool is that? It shows what is being attempted. Now, you might be wondering why I didn’t use a hash file for this. That’s because we don’t need one yet; we only want to see if our custom rule is set up properly.
Let’s take this a step further and do all digits 0–9.
nano appender.rule
$0
$1
$2
$3
$4
$5
$6
$7
$8
$9
Here are the results:
$ hashcat --stdout sports.txt -r appender.rule
Baseball0
Baseball1
Baseball2
Baseball3
Baseball4
Baseball5
Baseball6
Baseball7
Hockey0
Hockey1
Hockey2
Hockey3
Hockey4
Hockey5
Hockey6
Hockey7
Baseball8
Baseball9
Hockey8
Hockey9
Cool! We officially wrote our first custom rule that has successfully appended 1 digit. Now, how do we do double digits?? Since it is over 100 lines of code, I will show you what it should look like so you can build the rest. My intention is not to be a free resource, but to guide you in the right direction so you can put in the work to be successful.
Hint: Use AI to make you a python script.
Your doubleappender.rule should look like this but 100 lines:
$0$1
$0$2
$0$3
$0$4
$0$5
$0$6
$0$7
$0$8
$0$9
$1$0
$1$1
$1$2
$1$3
...
If you do this right, then you should have this result:
$ hashcat --stdout sports.txt -r doubleappender.rule
Baseball01
Baseball02
Baseball03
Baseball04
Baseball05
Baseball06
Baseball07
Baseball08
Baseball09
Baseball10
Baseball11
Baseball12
Questions you should be asking yourself:
How can I toggle the casing? (lower to upper)
How can I use leetspeak? (example to ex4mpl3)
What does this rule not do that I want it to do?
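Those questions can be explored offline with a small rule previewer. This is an added example, not code from the original post or from the hashcat project: it builds the digit-append rules and applies a subset of hashcat rule functions (:, l, u, c, t, $X, ^X, sXY) to show what each rule does to a word. The names append_digit_rules, apply_rule and preview are made up for this sketch.

```python
import itertools
import string

# Subset of hashcat rule functions: symbol -> (argument count, transform).
FUNCS = {
    ":": (0, lambda w: w),                        # do nothing
    "l": (0, str.lower),                          # lowercase all
    "u": (0, str.upper),                          # uppercase all
    "c": (0, str.capitalize),                     # capitalize first, lower rest
    "t": (0, str.swapcase),                       # toggle case of every letter
    "$": (1, lambda w, x: w + x),                 # append character X
    "^": (1, lambda w, x: x + w),                 # prepend character X
    "s": (2, lambda w, x, y: w.replace(x, y)),    # replace every X with Y
}

def append_digit_rules(n):
    """All rules that append n digits, e.g. '$0$0' .. '$9$9' for n=2."""
    return ["".join("$" + d for d in combo)
            for combo in itertools.product(string.digits, repeat=n)]

def apply_rule(word, rule):
    """Apply one rule line to one word, function by function, left to right."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == " ":                 # spaces only separate functions
            i += 1
            continue
        if op not in FUNCS:
            raise ValueError(f"unsupported rule function {op!r} in {rule!r}")
        nargs, fn = FUNCS[op]
        args = rule[i + 1:i + 1 + nargs]
        if len(args) != nargs:
            raise ValueError(f"rule {rule!r} is missing an argument for {op!r}")
        word = fn(word, *args)
        i += 1 + nargs
    return word

def preview(words, rules):
    """Candidates for every word/rule pair. hashcat --stdout produces the same
    set, but may print it in a different order."""
    return [apply_rule(w, r) for w in words for r in rules]

if __name__ == "__main__":
    # Words from the post's sports.txt; rules chosen here for illustration.
    for line in preview(["Baseball", "Hockey"], ["$0$1", "t", "sa4 se3"]):
        print(line)
```

Writing "\n".join(append_digit_rules(2)) to a file gives a rule file you can check against hashcat --stdout before pointing it at any hashes.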
The good news is hashcat has a lot of premade rules that you can use:
$ ls /usr/share/hashcat/rules
best66.rule T0XlC_3_rule.rule
combinator.rule T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule T0XlC_insert_HTML_entities_0_Z.rule
dive.rule T0XlC-insert_space_and_special_0_F.rule
generated2.rule T0XlC-insert_top_100_passwords_1_G.rule
generated.rule T0XlC.rule
hybrid T0XlCv2.rule
Incisive-leetspeak.rule toggles1.rule
InsidePro-HashManager.rule toggles2.rule
InsidePro-PasswordsPro.rule toggles3.rule
leetspeak.rule toggles4.rule
oscommerce.rule toggles5.rule
rockyou-30000.rule top10_2025.rule
specific.rule unix-ninja-leetspeak.rule
stacking58.rule
Example of running toggles1.rule with a wordlist:
hashcat -m500 -a0 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/toggles1.rule
Notice: I didn’t use stdout for this and used the rule on a wordlist.
Wordlist Sanitization
Sanitizing your wordlist is a critical step in effective password cracking. Personally, I avoid using tools like Cewl, which often generate excessive and irrelevant entries — resulting in bloated wordlists with minimal value. My approach prioritizes quality over quantity: I’d take a well-curated 45K-line wordlist over a noisy one with a million entries any day.
For managing and refining your wordlists, I recommend using Notepad++. It’s lightweight and efficient, especially with features under Edit > Line Operations and powerful Find/Replace capabilities using regular expressions (regex).
If you're new to regex, this is an excellent place to start:
https://regexone.com
Why do I use Notepad++? It is like your default notepad app on Windows but on steroids! Loaded with a lot of great features!
Learn from the passwords you didn’t crack
One thing I became fixated on was understanding why certain passwords remained uncracked. Was my wordlist incomplete? Did I misconfigure my rules? What could I have done differently? These questions pushed me to improve. After each NCL game, I highly recommend checking out the Post-game Debriefs channels. Listening to how others approached and solved the challenges offers incredible insight — you’ll learn a ton.
Red Herrings / Tunnel Vision
A quick piece of advice: don’t fall into tunnel vision. It’s easy to feel like you’ve already tried everything with a given wordlist, but if you’re not making progress, it’s often better to step back, pivot, or even start fresh. Repeating the same steps won’t yield different results.
Also, avoid getting too fixated on patterns from cracked “freebie” passwords. For example, just because the first few cracked passwords all start with “S” doesn’t mean every answer follows that trend. Sure, it’s a useful starting point — but make it a habit to slowly expand your scope and consider other perspectives as well.
Deduplicate your wordlists
Stop stacking wordlists on top of each other without cleaning them up — you’re just wasting time. Break them into phases and deduplicate them before rerunning anything. If you’re hitting the same commands on bloated lists full of repeats, you’re spinning your wheels. Be smart about it. Use AI tools to help you clean things up and keep your wordlists lean and efficient.
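One way to do the phased cleanup described above, as an added example that is not from the original post: each phase is deduplicated in order, and any word already covered by an earlier phase is dropped from later ones. The function names and file names are made up for this sketch, and the sample lists are constructed.

```python
import os
import tempfile

def clean_phases(phase_paths, out_dir):
    """Write a deduplicated copy of each phase list into out_dir.

    Words are compared as raw bytes (lists such as rockyou.txt contain
    non-UTF-8 lines), case-sensitively, keeping first-seen order.
    Returns {output_path: (kept, dropped)}.
    """
    seen = set()                      # every word emitted by any phase so far
    stats = {}
    os.makedirs(out_dir, exist_ok=True)
    for path in phase_paths:
        kept = dropped = 0
        out_path = os.path.join(out_dir, os.path.basename(path))
        with open(path, "rb") as src, open(out_path, "wb") as dst:
            for raw in src:
                word = raw.rstrip(b"\r\n")   # drop CRLF/LF only; spaces can be real
                if not word or word in seen:
                    dropped += 1
                    continue
                seen.add(word)
                dst.write(word + b"\n")
                kept += 1
        stats[out_path] = (kept, dropped)
    return stats

def demo():
    """Constructed sample: two phases with CRLF endings, a blank and repeats."""
    with tempfile.TemporaryDirectory() as tmp:
        p1 = os.path.join(tmp, "phase1.txt")
        p2 = os.path.join(tmp, "phase2.txt")
        with open(p1, "wb") as f:
            f.write(b"Baseball\r\nHockey\nBaseball\n\n")
        with open(p2, "wb") as f:
            f.write(b"Hockey\nhockey\nSoccer\xe9\n")
        stats = clean_phases([p1, p2], os.path.join(tmp, "clean"))
        outputs = []
        for out_path in stats:
            with open(out_path, "rb") as f:
                outputs.append(f.read())
        return list(stats.values()), outputs

if __name__ == "__main__":
    print(demo())
```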
I’ve got a ton more I could share, but I’m going to hold some info back. It’s up to you to figure out the rest. I spent way too much time getting better at password cracking, and honestly, I didn’t have a blog post like this to kick things off. What I did have was curiosity. I started analyzing letter frequencies in wordlists like RockYou and CrackStation — and that eventually led me to build my own site: vowelfreq.com. The site’s mainly useful for brute-forcing full words, so it’s not going to work well for NCL, but that’s not the point. The point is: start thinking differently. Don’t be afraid to get creative with how you approach challenges.
Hopefully you learned something new. Godspeed. Joshua 1:9
diGi on Discord: 0x3444
