Hashcat is the world’s fastest password recovery utility, using your GPU to crack hashes at billions of attempts per second. Whether you’re doing CTF challenges, penetration testing, or auditing your organization’s password hygiene, understanding Hashcat is essential. This guide covers installation, hash identification, all major attack modes, and practical strategies.
Installing Hashcat
Hashcat is pre-installed on Kali Linux and Parrot OS. For other systems:
# Ubuntu/Debian
sudo apt install hashcat
# Windows: download the binary from hashcat.net
# macOS
brew install hashcat
Check GPU support:
hashcat -I
This lists your OpenCL/CUDA devices. Hashcat works on NVIDIA (CUDA), AMD, and even Intel integrated graphics — though dedicated GPUs are dramatically faster.
Identifying Hash Types
Before cracking, you need to know what type of hash you have. Use hash-identifier or hashid:
# Install hashid
pip3 install hashid
# Identify a hash
hashid '$2y$10$abcdefghijklmnopqrstuuABC123'
Common hash types and their Hashcat mode numbers:
| Hash Type | Mode | Example |
|---|
| MD5 | 0 | 5f4dcc3b5aa765d61d8327deb882cf99 |
| SHA-1 | 100 | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 |
| SHA-256 | 1400 | |
| bcrypt | 3200 | $2y$10$... |
| NTLM | 1000 | Windows password hashes |
| NetNTLMv2 | 5600 | Captured with Responder |
| WPA-PMKID | 22000 | WiFi handshakes |
| SHA-512crypt | 1800 | Linux /etc/shadow |
| Kerberos 5 TGS | 13100 | Kerberoasting output |
The full list: hashcat --example-hashes | grep "MODE:" | head -50
Attack Modes Overview
Hashcat has six attack modes (-a flag):
| Mode | Name | Flag |
|---|
| 0 | Straight (dictionary) | -a 0 |
| 1 | Combination | -a 1 |
| 3 | Brute-force / mask | -a 3 |
| 6 | Hybrid wordlist + mask | -a 6 |
| 7 | Hybrid mask + wordlist | -a 7 |
| 9 | Association | -a 9 |
Mode 0: Dictionary Attack
The fastest starting point. Throw a wordlist at the hash:
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
-m 1000: NTLM hash type
-a 0: dictionary mode
hashes.txt: one hash per line
rockyou.txt: the classic 14M-entry wordlist
With Rules
Rules transform wordlist entries (e.g., capitalize, append numbers, substitute letters). They dramatically expand coverage without needing a bigger wordlist:
hashcat -m 0 -a 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
Popular rule files on Kali: best64.rule, rockyou-30000.rule, d3ad0ne.rule, OneRuleToRuleThemAll.rule.
Stack multiple rules:
hashcat -m 0 -a 0 hash.txt rockyou.txt \
-r rules/best64.rule \
-r rules/toggles5.rule
Mode 3: Brute-Force / Mask Attack
When you know the password structure (e.g., 8 chars, ends in 2 digits):
# Crack 8-character passwords
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a?a?a
# Password ending in 2 digits
hashcat -m 0 -a 3 hash.txt ?l?l?l?l?l?l?d?d
Mask charset placeholders:
| Placeholder | Character set |
|---|
?l | Lowercase a-z |
?u | Uppercase A-Z |
?d | Digits 0-9 |
?s | Special chars |
?a | All printable |
?h | Lowercase hex |
Increment mode
Try all lengths up to a maximum:
hashcat -m 0 -a 3 hash.txt --increment --increment-min 4 --increment-max 8 ?a?a?a?a?a?a?a?a
Mode 1: Combination Attack
Combines entries from two wordlists:
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt
Useful for cracking passwords like dragonfire or adminpanel.
Mode 6: Hybrid Attack
Wordlist entries with a mask appended:
# wordlist entry + 4 digits
hashcat -m 0 -a 6 hash.txt rockyou.txt ?d?d?d?d
Mode 7 reverses it (mask + wordlist):
hashcat -m 0 -a 7 hash.txt ?d?d?d?d rockyou.txt
Practical Penetration Testing Workflows
Cracking NTLM hashes (Windows)
After dumping with Mimikatz or Secretsdump:
hashcat -m 1000 -a 0 ntlm_hashes.txt rockyou.txt -r rules/best64.rule
Cracking NetNTLMv2 (Responder captures)
hashcat -m 5600 -a 0 responder_hashes.txt rockyou.txt
Cracking Kerberoast TGS tickets
hashcat -m 13100 -a 0 kerberoast_hashes.txt rockyou.txt -r rules/best64.rule
WPA2 WiFi
Convert .cap to hashcat format first:
hcxpcapngtool capture.pcapng -o hash.22000
hashcat -m 22000 -a 0 hash.22000 rockyou.txt
# Show cracking speed
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a -b
# Use workload profile (1=low, 4=nightmare)
hashcat -m 0 -a 0 hash.txt wordlist.txt -w 3
# Force CPU usage (slower but works without GPU)
hashcat -m 0 -a 0 hash.txt wordlist.txt --force -D 1
Restoring and Managing Sessions
# Name a session
hashcat -m 0 -a 0 hash.txt wordlist.txt --session mysession
# Restore a session
hashcat --restore --session mysession
# Show cracked passwords
hashcat -m 0 hash.txt --show
Always use --session for long-running cracks so you can resume after interruption.
Building Better Wordlists
- CeWL: spider a website and generate a custom wordlist from its text
- Mentalist: GUI tool for building targeted wordlists
- CUPP: Common User Password Profiler — generates personalized wordlists from victim info
- Hob0Rules + Kaonashi: statistically optimized wordlist + rules combos
Hashcat’s potfile (.hashcat/hashcat.potfile) stores all cracked hashes automatically, so rerunning against already-cracked hashes skips them instantly.