You cannot crack a hash until you know what made it. Point hashcat at an NTLM hash with the MD5 mode and it will run happily and find nothing, because it is computing the wrong function. Identifying the hash, then mapping it to the right -m mode, is step two of every crack and the step beginners most often get wrong. The good news: most hashes wear their identity on their sleeve. Verified against hashcat 7.1.2.
TL;DR
A hash's prefix and length usually give it away. Anything starting $2a$/$2b$/$2y$ is bcrypt; $argon2id$ is Argon2; $6$ is sha512crypt; $1$ is md5crypt; $P$ or $H$ is phpass (old WordPress). A bare 32-character hex string is MD5 or NTLM (you cannot tell them apart by sight, context decides). When in doubt, paste it into the dnschkr Hash Identifier or run name-that-hash. Then map the algorithm to the hashcat -m mode and crack. The mapping is the part most guides skip, and it is below.
Identify by sight: the fingerprint table
Salted password hashes use a structured format (often "Modular Crypt Format") whose prefix names the algorithm. Raw hashes have no prefix, so you identify them by length. This table covers what you will actually meet:
| Looks like | Algorithm | hashcat -m | John format |
|---|---|---|---|
$2a$, $2b$, $2y$ prefix, 60 chars | bcrypt | 3200 | bcrypt |
$argon2id$ / $argon2i$ prefix | Argon2 | 34000 | argon2 |
$6$ prefix | sha512crypt (Linux shadow) | 1800 | sha512crypt |
$5$ prefix | sha256crypt | 7400 | sha256crypt |
$1$ prefix | md5crypt | 500 | md5crypt |
$P$ or $H$ prefix | phpass (old WordPress, phpBB) | 400 | phpass |
$apr1$ prefix | Apache APR1-MD5 | 1600 | md5crypt-long |
| 32 hex chars, no prefix | MD5 or NTLM | 0 or 1000 | Raw-MD5 / NT |
| 40 hex chars, no prefix | SHA-1 | 100 | Raw-SHA1 |
| 64 hex chars, no prefix | SHA-256 | 1400 | Raw-SHA256 |
| 128 hex chars, no prefix | SHA-512 | 1700 | Raw-SHA512 |
aad3b435... in a pair | LM:NTLM (Windows dump) | 3000 / 1000 | LM / NT |
contains ::: , long | NetNTLMv2 (responder capture) | 5600 | netntlmv2 |
$krb5tgs$ / $krb5asrep$ | Kerberos TGS-REP / AS-REP | 13100 / 18200 | krb5tgs / krb5asrep |
$WPAPSK$ / WPA* | WPA handshake | 22000 | wpapsk |
The big trap is the 32-hex ambiguity: MD5 and NTLM are both unsalted 32-character hex strings and are visually identical. You decide by where it came from: a Windows SAM or NTDS.dit dump is NTLM (-m 1000); a web app database is most likely MD5 (-m 0). When unsure, try both.
Use a tool: the dnschkr Hash Identifier
When the prefix is unfamiliar or you have a pile of mixed hashes, let a tool fingerprint it. I use the dnschkr Hash Identifier: paste a hash and it names the algorithm out of 50-plus formats, with a confidence level and a note on where that format is used. It runs entirely in the browser, so you are not pasting a hash into someone's server log.
Try it: dnschkr Hash Identifier
Notice what it tells you about the bcrypt example above: that bcrypt is what htpasswd, WordPress 6.8+, and BSD systems use. That context matters, because it tells you immediately that you are looking at a slow hash and should reach for a wordlist, not a brute force.
The command-line tools
If you live in the terminal, two options:
-
Name-That-Hash is the current go-to. It identifies the format, ranks candidates by likelihood, and (handily) prints the hashcat mode and John format for each guess:
bashpip install name-that-hash nth -t '$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW' -
hashcat itself can guess. hashcat 7 added
--identify, which lists every mode whose format matches your input:bashhashcat --identify hashes.txt(On some platforms
--identifyis less stable than name-that-hash; if it misbehaves, fall back to name-that-hash or the dnschkr tool.)
The older hash-identifier and hashid tools still work but predate many modern formats; prefer name-that-hash or the dnschkr identifier for anything current.
Why "decrypt" tools are a different thing
Search "identify hash" and you will hit sites promising to "decrypt MD5." They are not identifying or decrypting anything, they are looking your hash up in a giant table of previously-cracked hashes. If the password was cracked before, you get a hit; if not, nothing. That is a precomputed-hash lookup (often loosely called a rainbow table, though a true rainbow table is a specific time-memory structure), useful as a free first check on fast unsalted hashes, useless against anything salted, and not the same as knowing the algorithm. Identify first, then crack with the right tool.
Need to make a hash to practice on?
Learning is easier when you can generate a known hash and crack it back. The dnschkr password tools include per-algorithm generators (MD5, bcrypt via the WordPress generator, NTLM, Argon2, and more), so you can produce a hash of a word you know, identify it here, then practise cracking it.
Where to go next
- Now crack it: how to use hashcat and the hashcat cheat sheet.
- Per-hash guides: MD5 · NTLM · bcrypt · WPA2.
- The big picture: how password cracking works.
Sources
Authoritative references this article was fact-checked against.
- hashcat, example hashes and modes (official)hashcat.net
- Name-That-Hash (GitHub)github.com
- dnschkr Hash Identifierdnschkr.com
