Ethical Hacking #hashcat#password cracking#ethical hacking

Hashcat Password Cracking: Complete Beginner's Guide

Master Hashcat for GPU-accelerated password cracking. Covers hash identification, attack modes, rules, and wordlist strategies.

8 min read

Hashcat is the world’s fastest password recovery utility, using your GPU to crack hashes at billions of attempts per second. Whether you’re doing CTF challenges, penetration testing, or auditing your organization’s password hygiene, understanding Hashcat is essential. This guide covers installation, hash identification, all major attack modes, and practical strategies.

Installing Hashcat

Hashcat is pre-installed on Kali Linux and Parrot OS. For other systems:

# Ubuntu/Debian
sudo apt install hashcat

# Windows: download the binary from hashcat.net
# macOS
brew install hashcat

Check GPU support:

hashcat -I

This lists your OpenCL/CUDA devices. Hashcat works on NVIDIA (CUDA), AMD, and even Intel integrated graphics — though dedicated GPUs are dramatically faster.

Identifying Hash Types

Before cracking, you need to know what type of hash you have. Use hash-identifier or hashid:

# Install hashid
pip3 install hashid

# Identify a hash
hashid '$2y$10$abcdefghijklmnopqrstuuABC123'

Common hash types and their Hashcat mode numbers:

Hash TypeModeExample
MD505f4dcc3b5aa765d61d8327deb882cf99
SHA-11005baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
SHA-2561400
bcrypt3200$2y$10$...
NTLM1000Windows password hashes
NetNTLMv25600Captured with Responder
WPA-PMKID22000WiFi handshakes
SHA-512crypt1800Linux /etc/shadow
Kerberos 5 TGS13100Kerberoasting output

The full list: hashcat --example-hashes | grep "MODE:" | head -50

Attack Modes Overview

Hashcat has six attack modes (-a flag):

ModeNameFlag
0Straight (dictionary)-a 0
1Combination-a 1
3Brute-force / mask-a 3
6Hybrid wordlist + mask-a 6
7Hybrid mask + wordlist-a 7
9Association-a 9

Mode 0: Dictionary Attack

The fastest starting point. Throw a wordlist at the hash:

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
  • -m 1000: NTLM hash type
  • -a 0: dictionary mode
  • hashes.txt: one hash per line
  • rockyou.txt: the classic 14M-entry wordlist

With Rules

Rules transform wordlist entries (e.g., capitalize, append numbers, substitute letters). They dramatically expand coverage without needing a bigger wordlist:

hashcat -m 0 -a 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Popular rule files on Kali: best64.rule, rockyou-30000.rule, d3ad0ne.rule, OneRuleToRuleThemAll.rule.

Stack multiple rules:

hashcat -m 0 -a 0 hash.txt rockyou.txt \
  -r rules/best64.rule \
  -r rules/toggles5.rule

Mode 3: Brute-Force / Mask Attack

When you know the password structure (e.g., 8 chars, ends in 2 digits):

# Crack 8-character passwords
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a?a?a

# Password ending in 2 digits
hashcat -m 0 -a 3 hash.txt ?l?l?l?l?l?l?d?d

Mask charset placeholders:

PlaceholderCharacter set
?lLowercase a-z
?uUppercase A-Z
?dDigits 0-9
?sSpecial chars
?aAll printable
?hLowercase hex

Increment mode

Try all lengths up to a maximum:

hashcat -m 0 -a 3 hash.txt --increment --increment-min 4 --increment-max 8 ?a?a?a?a?a?a?a?a

Mode 1: Combination Attack

Combines entries from two wordlists:

hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt

Useful for cracking passwords like dragonfire or adminpanel.

Mode 6: Hybrid Attack

Wordlist entries with a mask appended:

# wordlist entry + 4 digits
hashcat -m 0 -a 6 hash.txt rockyou.txt ?d?d?d?d

Mode 7 reverses it (mask + wordlist):

hashcat -m 0 -a 7 hash.txt ?d?d?d?d rockyou.txt

Practical Penetration Testing Workflows

Cracking NTLM hashes (Windows)

After dumping with Mimikatz or Secretsdump:

hashcat -m 1000 -a 0 ntlm_hashes.txt rockyou.txt -r rules/best64.rule

Cracking NetNTLMv2 (Responder captures)

hashcat -m 5600 -a 0 responder_hashes.txt rockyou.txt

Cracking Kerberoast TGS tickets

hashcat -m 13100 -a 0 kerberoast_hashes.txt rockyou.txt -r rules/best64.rule

WPA2 WiFi

Convert .cap to hashcat format first:

hcxpcapngtool capture.pcapng -o hash.22000
hashcat -m 22000 -a 0 hash.22000 rockyou.txt

Performance Tuning

# Show cracking speed
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a -b

# Use workload profile (1=low, 4=nightmare)
hashcat -m 0 -a 0 hash.txt wordlist.txt -w 3

# Force CPU usage (slower but works without GPU)
hashcat -m 0 -a 0 hash.txt wordlist.txt --force -D 1

Restoring and Managing Sessions

# Name a session
hashcat -m 0 -a 0 hash.txt wordlist.txt --session mysession

# Restore a session
hashcat --restore --session mysession

# Show cracked passwords
hashcat -m 0 hash.txt --show

Always use --session for long-running cracks so you can resume after interruption.

Building Better Wordlists

  • CeWL: spider a website and generate a custom wordlist from its text
  • Mentalist: GUI tool for building targeted wordlists
  • CUPP: Common User Password Profiler — generates personalized wordlists from victim info
  • Hob0Rules + Kaonashi: statistically optimized wordlist + rules combos

Hashcat’s potfile (.hashcat/hashcat.potfile) stores all cracked hashes automatically, so rerunning against already-cracked hashes skips them instantly.

#penetration testing #ethical hacking #password cracking #hashcat