Hashcat: Advanced Password Cracking with GPU Acceleration
Master Hashcat for password recovery and security testing. Complete guide covering hash modes, attack types, rules, and optimization techniques.
Introduction
Hashcat is the world's fastest password recovery tool, leveraging GPU acceleration to crack hashes at unprecedented speeds. It supports over 350 hash types and multiple attack modes, making it essential for penetration testing, password auditing, and digital forensics. This guide covers everything from basic usage to advanced optimization techniques.
Hashcat is open-source and licensed under the MIT license. It runs on Linux, Windows, and macOS, with support for AMD, NVIDIA, and Intel GPUs through OpenCL and CUDA.
Installation
Install Hashcat
# Kali Linux (pre-installed)
hashcat --version
# Ubuntu/Debian
sudo apt install hashcat
# From source
git clone https://github.com/hashcat/hashcat.git
cd hashcat
make
sudo make install
Verify GPU Support
# Check available OpenCL/CUDA devices
hashcat -I
# Should show your GPU(s)
# Backend Device ID #1
# Name: NVIDIA GeForce RTX 3080
Test with Simple Hash
# Create test MD5 hash (keep only the digest; md5sum also prints a file name column)
echo -n "password123" | md5sum | cut -d' ' -f1 > test.hash
# Crack with wordlist
hashcat -m 0 test.hash /usr/share/wordlists/rockyou.txt
Common Hash Modes
Hashcat uses numeric mode identifiers for different hash types. Here are the most commonly used modes:
Password Hashes
| Hash Type | Mode | Category |
|---|---|---|
| MD5 | 0 | Raw Hash |
| SHA1 | 100 | Raw Hash |
| SHA2-256 | 1400 | Raw Hash |
| SHA2-512 | 1700 | Raw Hash |
| NTLM | 1000 | Operating System |
| bcrypt | 3200 | Operating System |
Windows & Active Directory
| Hash Type | Mode | Use Case |
|---|---|---|
| NTLM | 1000 | Windows local accounts |
| NetNTLMv1 | 5500 | Network authentication |
| NetNTLMv2 | 5600 | Network authentication |
| Domain Cached Credentials (DCC) | 1100 | Cached domain creds |
| Domain Cached Credentials 2 (DCC2) | 2100 | Cached domain creds |
Kerberos
| Hash Type | Mode | Attack Type |
|---|---|---|
| Kerberos 5 AS-REP (etype 23) | 18200 | AS-REP Roasting |
| Kerberos 5 TGS-REP (etype 23) | 13100 | Kerberoasting |
| Kerberos 5 etype 17 TGS-REP | 19600 | TGS-REP cracking |
| Kerberos 5 etype 18 Pre-Auth | 19900 | Pre-Auth cracking |
Application Hashes
| Hash Type | Mode | Application |
|---|---|---|
| KeePass | 13400 | Password manager |
| 1Password cloudkeychain | 8200 | Password manager |
| LastPass | 6800 | Password manager |
| BitLocker | 22100 | Full disk encryption |
| VeraCrypt | 13711+ | Disk encryption |
Use hashcat --help | grep -i <keyword> to search for specific hash modes. The full list contains over 350 supported formats.
Hash Identification
Before cracking, you need to identify the hash type.
Using hash-identifier
# Interactive mode
hash-identifier
# Paste your hash when prompted
# Example: 5f4dcc3b5aa765d61d8327deb882cf99
Using hashid
# More accurate than hash-identifier
hashid '$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy'
# Output:
# Analyzing '$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy'
# [+] Blowfish(OpenBSD)
# [+] Woltlab Burning Board 4.x
# [+] bcrypt
Using Hashcat Directly
# Let hashcat identify the hash
hashcat --identify hash.txt
# Shows all possible hash types
Online Hash Analyzer
For complex or unknown hashes, use:
- Tunnel's Up Hash Analyzer: provides detailed analysis with examples
Attack Modes
Hashcat supports multiple attack strategies:
Mode 0: Straight (Dictionary Attack)
Uses wordlist directly, optionally with rules.
# Basic wordlist attack
hashcat -m 1000 -a 0 ntlm.hash /usr/share/wordlists/rockyou.txt
# With rules to mutate passwords
hashcat -m 1000 -a 0 ntlm.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Multiple rule files
hashcat -m 1000 -a 0 ntlm.hash wordlist.txt -r best64.rule -r toggles.rule
Mode 3: Brute-Force (Mask Attack)
Tries all combinations based on character sets.
# 8-character lowercase (quote masks so the shell does not treat ? as a wildcard)
hashcat -m 0 -a 3 md5.hash '?l?l?l?l?l?l?l?l'
# 6-8 characters, all types
hashcat -m 0 -a 3 md5.hash '?a?a?a?a?a?a?a?a' --increment --increment-min 6
# Common pattern: capital + lowercase + digits
hashcat -m 0 -a 3 md5.hash '?u?l?l?l?l?d?d?d?d'
Built-in Character Sets:
- ?l - abcdefghijklmnopqrstuvwxyz
- ?u - ABCDEFGHIJKLMNOPQRSTUVWXYZ
- ?d - 0123456789
- ?h - 0123456789abcdef (hex)
- ?s - Special characters (space and punctuation such as !@#$%^&*)
- ?a - All of ?l, ?u, ?d and ?s
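The size of the search a mask describes follows directly from these charset sizes. The following is an added example in Python (not part of hashcat; the function names are hypothetical) that counts the candidates for a mask, including `--increment`, and so shows how much a known password structure shrinks the space compared with the same number of arbitrary characters.

```python
"""Candidate counts for hashcat masks. Added example, not hashcat code."""
from __future__ import annotations

# Sizes of the built-in charsets listed above. ?s is the 33 printable ASCII
# specials (space included) and ?a = ?l + ?u + ?d + ?s = 95.
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "h": 16, "s": 33, "a": 95}


def position_sizes(mask: str) -> list[int]:
    """Number of choices at each position of a mask."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":            # any other character is a literal
            sizes.append(1)
            i += 1
            continue
        key = mask[i + 1:i + 2]       # empty string if the mask ends in '?'
        if key == "?":                # '??' is a literal question mark
            sizes.append(1)
        elif key in CHARSET_SIZE:
            sizes.append(CHARSET_SIZE[key])
        else:
            raise ValueError(f"unsupported mask token ?{key} at offset {i}")
        i += 2
    return sizes


def candidates(mask: str, increment_min: int | None = None) -> int:
    """Total candidates for a mask. With increment_min, add up every prefix
    length from increment_min to the full mask, as --increment walks them."""
    sizes = position_sizes(mask)
    start = len(sizes) if increment_min is None else increment_min
    if not 1 <= start <= len(sizes):
        raise ValueError("increment_min must be between 1 and the mask length")
    total, product = 0, 1
    for length, size in enumerate(sizes, start=1):
        product *= size
        if length >= start:
            total += product
    return total


def days_to_exhaust(count: int, guesses_per_second: float) -> float:
    """Worst-case run time in days at an assumed, constant guess rate."""
    return count / guesses_per_second / 86_400
```

For a password audit, comparing `candidates("?u?l?l?l?l?l?l?d?d")` with `candidates("?a" * 9)` quantifies what a predictable "capital, lowercase, two digits" habit costs in strength.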
Mode 1: Combination Attack
Combines words from two wordlists.
# Combine two wordlists
hashcat -m 0 -a 1 hash.txt words1.txt words2.txt
# Example: "password" + "123" = "password123"
Mode 6/7: Hybrid Attacks
Combines wordlist with brute-force masks.
# Wordlist + mask (e.g., "password" + "123")
hashcat -m 0 -a 6 hash.txt wordlist.txt '?d?d?d'
# Mask + wordlist (e.g., "123" + "password")
hashcat -m 0 -a 7 hash.txt '?d?d?d' wordlist.txt
Rules and Password Mutations
Rules transform wordlist entries to generate candidates.
Using Pre-built Rules
# Best64 - highly effective, balanced
hashcat -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
# Dive - more aggressive
hashcat -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/dive.rule
# Leetspeak
hashcat -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/leetspeak.rule
# Combine multiple rules
hashcat -m 1000 hash.txt wordlist.txt -r best64.rule -r toggles.rule
Testing Rules
Preview how rules will transform passwords:
# Test rule transformations
echo "password" | hashcat --stdout -r custom.rule
# Example output (excerpt) when the rule file is best64.rule:
# password
# Password
# PASSWORD
# password1
# password123
# drowssap (reversed)
Creating Custom Rules
# Example custom.rule (quote EOF so the shell leaves $2, $0 and $! untouched)
cat > custom.rule << 'EOF'
# Capitalize first letter
c
# Append year
$2 $0 $2 $3
# Append common suffix
$! $!
# Leetspeak substitution
sa@ so0 se3
EOF
# Use custom rule
hashcat -m 1000 hash.txt wordlist.txt -r custom.rule
The best64.rule file is a great starting point. It contains 64 highly effective rules based on real-world password patterns.
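How each line of custom.rule is applied, as an added example in Python (not hashcat's code; it covers only the functions `:`, `l`, `u`, `c`, `r`, `$`, `^` and `s`, and the helper names are hypothetical). `derivable_from` is the defender-side use: checking whether a proposed password is just a deny-listed base word plus one of these mutations.

```python
"""Tiny interpreter for a few hashcat rule functions. Added example."""

CUSTOM_RULE = """\
# Capitalize first letter
c
# Append year
$2 $0 $2 $3
# Append common suffix
$! $!
# Leetspeak substitution
sa@ so0 se3
"""

NO_ARG = {":": lambda w: w, "l": str.lower, "u": str.upper,
          "c": str.capitalize, "r": lambda w: w[::-1]}
ARG_COUNT = {"$": 1, "^": 1, "s": 2}

def apply_rule(rule, word):
    """Apply one rule line, function by function, left to right."""
    i = 0
    while i < len(rule):
        op, i = rule[i], i + 1
        if op == " ":                      # separator between functions
            continue
        if op in NO_ARG:
            word = NO_ARG[op](word)
            continue
        if op not in ARG_COUNT:
            raise ValueError(f"rule function {op!r} not implemented here")
        args, i = rule[i:i + ARG_COUNT[op]], i + ARG_COUNT[op]
        if len(args) != ARG_COUNT[op]:
            raise ValueError(f"{op!r} is missing an argument in {rule!r}")
        if op == "$":
            word += args                   # append character
        elif op == "^":
            word = args + word             # prepend character
        else:
            word = word.replace(args[0], args[1])   # sXY: replace X with Y
    return word

def load_rules(text):
    """Rule lines of a file; blank lines and '#' comment lines are skipped."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def derivable_from(password, base_words, rules):
    """Base words that some single rule line turns into `password`."""
    return [w for w in base_words if any(apply_rule(r, w) == password for r in rules)]
```

Each line is an independent rule, so this file yields `Password` and `password2023` but never `Password2023`; that needs both functions on one line, as in `c $2 $0 $2 $3`.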
Practical Examples
Cracking NTLM Hashes
# Windows NTLM hash format
# Example: Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
# Extract just the NT hash (fourth colon-separated field, after the third colon)
echo "8846f7eaee8fb117ad06bdd830b7586c" > ntlm.hash
# Crack with wordlist and rules
hashcat -m 1000 ntlm.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
# Optimized for NTLM (fast hash)
hashcat -m 1000 ntlm.hash /usr/share/wordlists/rockyou.txt -O -w 3
Kerberoasting (TGS-REP)
# Crack Kerberos TGS-REP tickets (from impacket GetUserSPNs.py)
hashcat -m 13100 tgs.hash /usr/share/wordlists/rockyou.txt --force
# With rules for service accounts
hashcat -m 13100 tgs.hash wordlist.txt -r best64.rule
AS-REP Roasting
# Crack AS-REP responses (from impacket GetNPUsers.py)
hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt --force
NetNTLMv2 from Responder
# Format: username::domain:challenge:HMAC-MD5:blob
hashcat -m 5600 netntlmv2.hash /usr/share/wordlists/rockyou.txt -r best64.rule
# High workload profile for faster cracking
hashcat -m 5600 netntlmv2.hash /usr/share/wordlists/rockyou.txt -w 3
Multiple Hash Files
# Crack multiple hashes at once
cat hash1.txt hash2.txt hash3.txt > all_hashes.txt
hashcat -m 1000 all_hashes.txt /usr/share/wordlists/rockyou.txt
# Remove cracked hashes from file as they are recovered
hashcat -m 1000 all_hashes.txt /usr/share/wordlists/rockyou.txt --remove
Performance Optimization
Workload Profiles
# -w 1: Low (2ms, minimal impact)
# -w 2: Default (12ms, balanced)
# -w 3: High (96ms, desktop unresponsive)
# -w 4: Nightmare (480ms, headless systems)
hashcat -m 1000 hash.txt wordlist.txt -w 3
Optimized Kernels
# Enable optimized kernels (limits password length)
hashcat -m 1000 hash.txt wordlist.txt -O
# Combine with workload profile
hashcat -m 1000 hash.txt wordlist.txt -O -w 3
Device Selection
# Use specific GPU
hashcat -m 1000 hash.txt wordlist.txt -d 1
# Use multiple GPUs
hashcat -m 1000 hash.txt wordlist.txt -d 1,2,3
# Check device info
hashcat -I
Session Management
# Name session for resume capability
hashcat -m 1000 hash.txt wordlist.txt --session mysession
# Resume interrupted session
hashcat --session mysession --restore
# Print status periodically while the session runs
hashcat -m 1000 hash.txt wordlist.txt --session mysession --status --status-timer=10
Advanced Techniques
Hex-encoded Output
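Hashcat prints a recovered password as $HEX[...] when it contains bytes that would be ambiguous in the output, such as the ':' separator or non-printable characters: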
# Hashcat output: 2e208ad146efda5bc44869025e06544a:$HEX[7261626269743a29]
# Decode hex to plaintext
echo -n '7261626269743a29' | xxd -r -p && echo
# Output: rabbit:)
Debugging and Analysis
# Show cracked passwords
hashcat -m 1000 hash.txt --show
# Show remaining uncracked hashes
hashcat -m 1000 hash.txt --left
# Benchmark hash mode
hashcat -b -m 1000
# Get detailed status
hashcat -m 1000 hash.txt wordlist.txt --status --status-timer=5
Potfile Management
Hashcat stores cracked passwords in a potfile:
# Default location: ~/.hashcat/hashcat.potfile
# Use custom potfile
hashcat -m 1000 hash.txt wordlist.txt --potfile-path custom.pot
# Disable potfile
hashcat -m 1000 hash.txt wordlist.txt --potfile-disable
# Compare hash with potfile
hashcat -m 1000 hash.txt --show
Loopback Mode
Reuse cracked passwords for further cracking:
# Enable loopback (used together with rules)
hashcat -m 1000 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule --loopback
# Cracked passwords become new candidates with rules applied
Common Flags Reference
# Essential flags
-m, --hash-type # Hash type (see mode list)
-a, --attack-mode # 0=straight, 1=combination, 3=brute-force, 6/7=hybrid
-r, --rules-file # Apply rules from file
-w, --workload-profile # 1-4, performance level
-O, --optimized-kernel-enable # Enable optimized kernels (limits password length)
-d, --backend-devices # Select GPU(s)
# Output control
-o, --outfile # Write cracked passwords to file
--show # Display cracked passwords
--left # Display uncracked hashes
--username # Parse username from hash file
# Session management
--session # Name for resumable sessions
--restore # Resume previous session
--status # Show status during cracking
# Advanced
--increment # Increment mask length
--increment-min # Start mask length
--increment-max # End mask length
--force # Ignore warnings (can hide driver or kernel problems)
--remove # Remove hash after cracking
--quiet # Suppress output
Real-World Scenarios
Scenario 1: Compromised SAM Database
# Extract hashes from SAM
secretsdump.py -sam SAM -system SYSTEM LOCAL
# Crack NTLM hashes
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -r best64.rule -O -w 3
# Try brute-force for remaining hashes (8 chars max)
hashcat -m 1000 ntlm_hashes.txt -a 3 '?a?a?a?a?a?a?a?a' --increment --increment-min 6
Scenario 2: Kerberoasting Attack
# Get service tickets
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request
# Crack TGS-REP tickets
hashcat -m 13100 tickets.txt /usr/share/wordlists/rockyou.txt -r best64.rule --force
# Service accounts often use weak passwords
hashcat -m 13100 tickets.txt common_passwords.txt
Scenario 3: Password Policy Brute-Force
If you know the password policy (e.g., 1 uppercase, 6 lowercase, 2 digits):
# Create mask matching policy
hashcat -m 1000 hash.txt -a 3 '?u?l?l?l?l?l?l?d?d'
# Or with hybrid approach
hashcat -m 1000 hash.txt -a 6 wordlist.txt '?d?d'
Troubleshooting
Insufficient Memory
# Reduce workload profile
hashcat -m 1000 hash.txt wordlist.txt -w 2
# Use segment size limit
hashcat -m 1000 hash.txt wordlist.txt -c 32
GPU Not Detected
# Check OpenCL/CUDA installation
hashcat -I
# Select a specific backend device
hashcat --backend-devices 1 -m 1000 hash.txt wordlist.txt
# Update GPU drivers
# NVIDIA: https://www.nvidia.com/drivers
# AMD: https://www.amd.com/support
Hash Format Issues
# Some hashes need specific formatting
# Check example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes
# Use --example-hashes to see format
hashcat -m 1000 --example-hashes
Resources
- Hashcat Wiki - Official documentation
- Example Hashes - Hash format reference
- Hashcat Forums - Community support
- Hashcat Discord - Real-time help
- Rule-based Attack - Rule syntax guide
- Mask Attack - Brute-force patterns
Conclusion
Hashcat is an essential tool for password auditing and security assessments. Its GPU acceleration, extensive hash support, and flexible attack modes make it the industry standard for password recovery. Master the basics with dictionary and rule-based attacks, then advance to hybrid and brute-force techniques for comprehensive testing.
Always ensure you have proper authorization before conducting password cracking activities. Use Hashcat responsibly for legitimate security testing, research, and forensics purposes only.
For additional security tools and techniques, check out our guides on John the Ripper, Nmap, and Impacket.