WordPress v2.5 and later use a salted hash, based on the work by Solar Designer, to prevent rainbow table attacks. Earlier releases (v2.4 and below) use an unsalted MD5 hash.
To verify a salted hash is used, you can check the contents of the wp-includes\class-phpass.php file.
The hash is stored in the MySQL database, inside the wp_users table.
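An added example (not part of the original page and not WordPress's own code): a Python re-implementation of the portable phpass scheme that classifies stored wp_users values as legacy unsalted MD5 or salted phpass, and shows that one password under two salts gives two different hashes. The usernames, salts and password below are constructed sample values.

```python
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass's own base64 variant: little-endian 24-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # n input bytes give n + 1 characters
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Portable phpass hash; setting is '$P$' + cost character + 8-character salt."""
    count = 1 << ITOA64.index(setting[3])  # cost character encodes log2(iterations)
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def classify(stored: str) -> str:
    """Label a stored password value by its format."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5"  # legacy format: equal passwords give equal hashes
    if re.fullmatch(r"\$P\$[./0-9A-Za-z]{31}", stored):
        return "phpass (2^%d iterations)" % ITOA64.index(stored[3])
    return "unknown"

def audit(rows):
    return {user: classify(stored) for user, stored in rows}

# Constructed sample rows: the same password stored three ways.
ROWS = [
    ("legacy_user", hashlib.md5(b"example-password").hexdigest()),
    ("alice", phpass_hash("example-password", "$P$BsaltAAAA")),
    ("bob", phpass_hash("example-password", "$P$BsaltBBBB")),
]

if __name__ == "__main__":
    for user, label in audit(ROWS).items():
        print(user, label)
```

Any account reported as unsalted-md5 still carries the pre-2.5 format and should have its password reset so it is rehashed with a salt.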
If you're able to crack the hash, then you can simply log in to the /wp-admin/ page with the correct password and administer the website. Alternatively, it is common to discover that people re-use passwords in other locations, so the plain-text password may be used for the cPanel installation or the MySQL database root user.
A few tools support the salted PHPass hash format.
One example is hashcat, which can be downloaded from http://hashcat.net/hashcat/.
The software comes pre-compiled, with versions for both 32-bit and amd64 architectures, and Windows and Linux binaries.
There is also an optional GUI, which can be downloaded from http://hashcat.net/hashcat-gui/.
In our example, we are running a Linux operating system.
So let's say you've managed to recover the admin hash from the wp_users table, which in our example is:
Create an empty text file, paste the hash into it and save the file as 'hash.txt'. Next, run hashcat with '-m 400', which is the PHPass / WordPress hash mode, and provide a suitable dictionary file.
Note: the .bin extension is for Linux operating systems. Use the .exe files for execution under Windows.
$ ./hashcat-cli64.bin -m 400 hash.txt /usr/share/dict/cracklib-small
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...
Added hashes from file hash.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt
NOTE: press enter for status-screen
All hashes have been recovered
The password for the example hash is 'aaron'; we can then log in to /wp-admin/ as 'admin' with password 'aaron'.
It is worth noting that hashcat supports dictionary, bruteforce, hybrid and other modes. Use the '--help' switch for further information.