Offline Hash Cracking: PHPass Portable MD5

Published on April 21, 2025

If you're performing a pentest or CTF and encounter a hash like $P$BINTaLa8QLMqeXbQtzT2Qfizm2P/nI0, you’ll need to confidently identify and crack it using only local tools. This guide walks you through the process of identifying the hashing scheme by sight, validating with Kali tools, and launching a structured cracking campaign.

1. Manual Hash Identification

Many hashing formats embed clues in their structure. In this case:

  • Prefix: $P$ → Indicates PHPass (portable)
  • Iteration code: B → Base-2 log of iterations (213 = 8192)
  • Salt: Next 8 chars: INTaLa8Q
  • Checksum: Remaining 22 chars of encoded base64 output

All together, this totals 34 characters, which confirms the PHPass portable MD5 format.

Common Eye-Catchers for Hash Formats

Prefix / Structure Likely Algorithm Notes
$P$ PHPass (Portable) Iterated salted MD5, used in WordPress and others
$2y$10$ bcrypt Strongly salted, slower by design, includes cost factor
$1$ MD5-Crypt Common in older Linux systems
$5$ SHA256-Crypt Linux SHA256-based password hashing
$6$ SHA512-Crypt Linux SHA512-based password hashing
32 hex chars MD5 (Raw) Unsaltted and fast to brute force
40 hex chars SHA1 Often found in Git, older certificates
64 hex chars SHA256 Used in modern certs, JWTs, APIs

2. Tool-Based Verification

Even with solid manual analysis, confirmation is wise. Use these tools:

  • hash-identifier – Python GUI for format detection
  • hashid – CLI-based detection (install with apt if needed)
  • john – Automatically detects format and uses appropriate cracking module

3. Cracking Strategies with Hashcat

Wordlist (Baseline)

hashcat -m 400 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt -O -w 3 --status

Wordlist + Rules

hashcat -m 400 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule -O -w 3 --status

Hybrid (Append Numbers)

hashcat -m 400 -a 6 hashes.txt rockyou.txt ?d?d?d

Mask Attack (Structured Guessing)

hashcat -m 400 -a 3 hashes.txt ?l?l?l?l?l?l?d?d

Brute Force (Exhaustive)

hashcat -m 400 -a 3 hashes.txt ?a?a?a?a?a?a?a?a

Only use when absolutely necessary — PHPass is slow due to high iteration count.

4. John the Ripper (CPU-Optimized)

John often auto-detects format from file. You can also specify it explicitly:

john --format=phpass --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo-small hash.txt
john --format=phpass --incremental hash.txt

5. Operational Tips

  • Track sessions: --session in Hashcat, or --restore for John
  • Monitor progress: Use --status, and tools like htop or nvidia-smi
  • Use smarter wordlists: Build custom ones with recon and profiling

Related Articles