Terminal GuideHashcat: Advanced Password Recovery Guide
Master Hashcat for GPU-accelerated password recovery. Learn attack modes, hash types, rule-based attacks, mask attacks, and GPU optimization techniques for security auditing.
Dai Aoki
CEO at init, Inc. / CTO at US & JP startups / Creator of WebTerm
Quick Reference
Attack Modes
-a 0Dictionary attack (straight)-a 1Combinator attack-a 3Brute-force / Mask attack-a 6Hybrid: wordlist + mask-a 7Hybrid: mask + wordlistCommon Hash Modes
-m 0MD5-m 100SHA-1-m 1400SHA-256-m 1800sha512crypt (Linux)-m 1000NTLM (Windows)-m 22000WPA-PBKDF2-PMKID+EAPOLWorkload & Performance
-w 1Low workload (desktop use)-w 2Default workload-w 3High workload (dedicated)-w 4Nightmare (max performance)-OOptimized kernels (faster)Output & Session
-o output.txtWrite results to file--showShow already cracked hashes--session=nameName session for restore--restoreRestore paused session--statusEnable auto status displayMask Charsets
?lLowercase a-z?uUppercase A-Z?dDigits 0-9?sSpecial characters?aAll printable charactersUseful Flags
-r rules.ruleApply rule file--incrementIncrement mask length--potfile-pathCustom potfile location-bBenchmark mode--hwmon-temp-abortSet GPU temp limitDownloadable Image Preview
Overview
Hashcat is the world's fastest and most advanced password recovery utility. It leverages the massive parallel processing power of modern GPUs to crack password hashes at speeds that far exceed CPU-based tools. Supporting over 350 hash types and multiple attack modes, Hashcat is the industry standard for password security auditing.
Key features that make Hashcat stand out include:
- GPU-accelerated cracking with support for NVIDIA (CUDA), AMD (OpenCL), and Intel GPUs
- Multi-GPU support for distributed cracking across multiple devices
- Over 350 hash types including MD5, SHA-family, bcrypt, NTLM, WPA, and more
- Five primary attack modes with rule-based mutations
- Session management with pause, resume, and restore functionality
- Automatic performance tuning and thermal management
- Open source and actively maintained
Installation
Hashcat is available on all major platforms. The installation method depends on your operating system and whether you need the latest version with cutting-edge features.
Linux (apt)
# Install from package manager (Debian/Ubuntu)
sudo apt update
sudo apt install hashcat
# Verify installation
hashcat --version
# Install on Kali Linux (pre-installed)
# Hashcat is included by default in Kali Linux
hashcat --version
# Install on Fedora/RHEL
sudo dnf install hashcat
# Install on Arch Linux
sudo pacman -S hashcatmacOS (Homebrew)
# Install via Homebrew
brew install hashcat
# Verify installation
hashcat --version
# Check available OpenCL devices
hashcat -IFrom Source
Building from source gives you the latest features and performance improvements.
# Clone the repository
git clone https://github.com/hashcat/hashcat.git
cd hashcat
# Build with make
make -j$(nproc)
# Install system-wide (optional)
sudo make install
# Verify the build
./hashcat --version
# Run a quick benchmark
./hashcat -bGPU Driver Setup
GPU drivers are critical for Hashcat performance. Without proper drivers, Hashcat will fall back to CPU mode, which is orders of magnitude slower.
# NVIDIA GPU: Install CUDA toolkit and drivers
sudo apt install nvidia-driver-535 nvidia-cuda-toolkit
# Verify NVIDIA driver
nvidia-smi
# AMD GPU: Install ROCm or AMDGPU-PRO drivers
# For Ubuntu 22.04+
sudo apt install rocm-opencl-runtime
# Intel GPU: Install OpenCL runtime
sudo apt install intel-opencl-icd
# Check detected devices in Hashcat
hashcat -I
# Benchmark all detected devices
hashcat -bhashcat -I to verify your GPU is detected correctly.Attack Modes
Hashcat supports five primary attack modes, each suited for different scenarios. Understanding when to use each mode is key to efficient password recovery.
Dictionary Attack (-a 0)
The most common attack mode. It tests each word in a wordlist against the target hash. Combine with rules for maximum effectiveness.
# Basic dictionary attack
hashcat -m 0 -a 0 hash.txt wordlist.txt
# Dictionary attack with rules
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule
# Use multiple wordlists
hashcat -m 0 -a 0 hash.txt wordlist1.txt wordlist2.txt
# Dictionary attack against SHA-256
hashcat -m 1400 -a 0 sha256_hashes.txt rockyou.txt
# Dictionary attack with multiple rule files
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule -r rules/toggles1.ruleCombinator Attack (-a 1)
Combines words from two dictionaries by concatenating every possible pair. Useful for passwords that consist of two common words joined together (e.g., "sunflower", "bluesky").
# Combine words from two wordlists
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt
# Example: if wordlist1 contains "sun" and wordlist2 contains "flower"
# Hashcat will try "sunflower"
# Combinator with a rule applied to the left side
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt -j '$-'
# Combinator with a rule applied to the right side
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt -k '$!'Brute-Force / Mask Attack (-a 3)
Generates password candidates using a mask pattern. More efficient than pure brute-force because you can define the character set for each position.
# Brute-force all 8-character lowercase passwords
hashcat -m 0 -a 3 hash.txt ?l?l?l?l?l?l?l?l
# Try passwords like "Pass1234" (upper + lower + digits)
hashcat -m 0 -a 3 hash.txt ?u?l?l?l?d?d?d?d
# Use increment mode to try lengths 1 through 8
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a?a?a --increment --increment-min=1
# Custom charset: only hex characters
hashcat -m 0 -a 3 hash.txt -1 '?l?d' '?1?1?1?1?1?1'
# Mask with special characters at the end
hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?l?d?d?s| Charset | Characters | Description |
|---|---|---|
| ?l | a-z | Lowercase letters |
| ?u | A-Z | Uppercase letters |
| ?d | 0-9 | Digits |
| ?s | !@#$%... (special) | Special / symbol characters |
| ?a | ?l?u?d?s | All printable ASCII characters |
| ?b | 0x00-0xff | Full byte range (binary) |
Rule-Based Attack
Rules modify dictionary words on the fly, generating variations without creating huge wordlists. This is the most efficient attack strategy for most real-world scenarios.
# Use built-in best64 rules (most effective compact ruleset)
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule
# Use dive rules (comprehensive mutations)
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/dive.rule
# Use rockyou-30000 rules (aggressive, slower)
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/rockyou-30000.rule
# Generate and test rules inline
hashcat -m 0 -a 0 hash.txt wordlist.txt -j 'c$1$!'
# c = capitalize first letter, $1 = append "1", $! = append "!"
# Stack multiple rule files for exponential combinations
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule -r rules/toggles1.ruleHybrid Attacks (-a 6 / -a 7)
Hybrid attacks combine dictionary words with mask-generated patterns. Mode 6 appends the mask to wordlist entries; mode 7 prepends it.
# Hybrid: wordlist + mask (append digits to words)
# e.g., "password" + "123" = "password123"
hashcat -m 0 -a 6 hash.txt wordlist.txt ?d?d?d
# Hybrid: mask + wordlist (prepend digits to words)
# e.g., "123" + "password" = "123password"
hashcat -m 0 -a 7 hash.txt ?d?d?d wordlist.txt
# Append year to dictionary words
hashcat -m 0 -a 6 hash.txt wordlist.txt ?d?d?d?d
# Append special char + digits
hashcat -m 0 -a 6 hash.txt wordlist.txt ?s?d?dHash Types
Hashcat supports over 350 hash types, each identified by a numeric mode (-m). Below are the most commonly encountered hash types in security assessments.
| Mode (-m) | Hash Type | Example Use Case |
|---|---|---|
| 0 | MD5 | Legacy web applications, database hashes |
| 100 | SHA-1 | Older application hashes, Git commits |
| 1400 | SHA-256 | Modern web apps, cryptocurrency wallets |
| 1700 | SHA-512 | High-security applications |
| 1800 | sha512crypt ($6$) | Linux /etc/shadow passwords |
| 500 | md5crypt ($1$) | Older Linux/BSD passwords |
| 1000 | NTLM | Windows Active Directory passwords |
| 3200 | bcrypt ($2*$) | Modern web applications |
| 5600 | NetNTLMv2 | Windows network authentication captures |
| 13100 | Kerberos TGS-REP (Kerberoasting) | Active Directory service accounts |
| 22000 | WPA-PBKDF2-PMKID+EAPOL | Wi-Fi WPA/WPA2 handshakes |
| 18200 | Kerberos AS-REP (ASREPRoast) | Active Directory user accounts |
# List all supported hash modes
hashcat --help | grep -i "hash modes"
# Search for a specific hash type
hashcat --help | grep -i "ntlm"
hashcat --help | grep -i "sha256"
# Show example hashes for a specific mode
hashcat -m 1000 --example-hashesBasic Usage
The fundamental Hashcat workflow involves specifying a hash mode, attack mode, the target hash(es), and the attack source (wordlist or mask).
# Basic syntax
hashcat -m <hash_mode> -a <attack_mode> <hash_file> <wordlist|mask>
# Crack an MD5 hash using a dictionary
hashcat -m 0 -a 0 md5_hash.txt /usr/share/wordlists/rockyou.txt
# Crack a single hash (inline)
hashcat -m 0 -a 0 '5f4dcc3b5aa765d61d8327deb882cf99' wordlist.txt
# Crack NTLM hashes from a file
hashcat -m 1000 -a 0 ntlm_hashes.txt wordlist.txt
# Save cracked passwords to a file
hashcat -m 0 -a 0 hash.txt wordlist.txt -o cracked.txt
# Show previously cracked hashes
hashcat -m 0 hash.txt --show
# Check benchmark speed for a hash type
hashcat -m 0 -b
# Run with status updates every 30 seconds
hashcat -m 0 -a 0 hash.txt wordlist.txt --status --status-timer=30~/.local/share/hashcat/hashcat.potfile). Use --show to display previously cracked hashes without re-running the attack, or --potfile-disable to skip the potfile entirely.Advanced Techniques
Rules in Depth
Rules are the most powerful feature in Hashcat. They transform dictionary words into candidate passwords using character manipulation operations. A single word can generate thousands of variations.
| Rule | Description | Input → Output |
|---|---|---|
| l | Lowercase all | Password → password |
| u | Uppercase all | Password → PASSWORD |
| c | Capitalize first | password → Password |
| t | Toggle case all | Password → pASSWORD |
| $X | Append character X | password + $1 → password1 |
| ^X | Prepend character X | password + ^! → !password |
| d | Duplicate word | pass → passpass |
| r | Reverse word | password → drowssap |
| sa@ | Substitute a with @ | password → p@ssword |
# Create a custom rule file
cat > custom.rule << 'EOF'
:
c
c$1
c$1$!
c$1$2$3
sa@
se3
so0
c sa@ se3 so0
$2$0$2$4
$2$0$2$5
EOF
# Apply the custom rule file
hashcat -m 0 -a 0 hash.txt wordlist.txt -r custom.rule
# Generate random rules on the fly
hashcat -m 0 -a 0 hash.txt wordlist.txt -g 10000
# Debug rules to see transformations (stdout mode)
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule --stdout | head -50Mask Patterns
Masks allow you to define precise password patterns. Custom charsets (-1 through -4) let you restrict character sets per position for more targeted attacks.
# Custom charset 1: lowercase + digits
hashcat -m 0 -a 3 hash.txt -1 '?l?d' '?1?1?1?1?1?1?1?1'
# Custom charset for common substitutions
hashcat -m 0 -a 3 hash.txt -1 'aA@' -2 'sS$5' -3 'eE3' '?1?2?2w?3rd'
# Use a mask file (hcmask) for multiple patterns
cat > patterns.hcmask << 'EOF'
?u?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?d?d?s
?d?d?d?d?d?d
EOF
hashcat -m 0 -a 3 hash.txt patterns.hcmask
# Increment mask length from 4 to 8
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a?a?a --increment --increment-min=4 --increment-max=8GPU Optimization
Proper GPU configuration can dramatically improve cracking speed. Hashcat provides several options for tuning performance, managing thermals, and distributing workloads across multiple GPUs.
Workload Profiles
The workload profile (-w) controls how aggressively Hashcat utilizes your GPU. Higher values yield better performance but make the system less responsive.
# Low workload - suitable for desktop use while working
hashcat -m 0 -a 0 hash.txt wordlist.txt -w 1
# Default workload
hashcat -m 0 -a 0 hash.txt wordlist.txt -w 2
# High workload - for dedicated cracking machines
hashcat -m 0 -a 0 hash.txt wordlist.txt -w 3
# Nightmare mode - maximum GPU utilization
hashcat -m 0 -a 0 hash.txt wordlist.txt -w 4
# Use optimized kernels for 30%+ speed boost (limits password length to 31)
hashcat -m 0 -a 0 hash.txt wordlist.txt -O
# Select specific GPU devices
hashcat -m 0 -a 0 hash.txt wordlist.txt -d 1
hashcat -m 0 -a 0 hash.txt wordlist.txt -d 1,2
# Force OpenCL device type (1=CPU, 2=GPU, 3=FPGA)
hashcat -m 0 -a 0 hash.txt wordlist.txt -D 2Temperature Management
Prolonged cracking sessions can cause GPU overheating. Hashcat includes built-in thermal management to protect your hardware.
# Set abort temperature (default: 90C)
hashcat -m 0 -a 0 hash.txt wordlist.txt --hwmon-temp-abort=85
# Disable temperature monitoring (not recommended)
hashcat -m 0 -a 0 hash.txt wordlist.txt --hwmon-disable
# Monitor GPU status during cracking
# Press 's' during execution to see status including temperature
# Use session management for long-running tasks
hashcat -m 0 -a 0 hash.txt wordlist.txt --session=audit01
# Pause session (Ctrl+C or press 'c' for checkpoint)
# Resume later:
hashcat --session=audit01 --restorenvidia-smi orwatch -n 1 sensors. Consider setting--hwmon-temp-abort=80 for 24/7 cracking rigs.Practical Examples
Password Audit Workflow
A typical password security audit follows a structured approach, starting with the fastest attacks and progressing to more computationally expensive methods.
# Step 1: Prepare the hash file
# Extract hashes from /etc/shadow (Linux)
sudo cat /etc/shadow | grep '\$6\$' > sha512_hashes.txt
# Extract NTLM hashes with secretsdump (Windows AD)
# secretsdump.py -just-dc-ntlm domain/admin@dc-ip > ntlm_hashes.txt
# Step 2: Quick wins - dictionary attack with common passwords
hashcat -m 1800 -a 0 sha512_hashes.txt /usr/share/wordlists/rockyou.txt -O
# Step 3: Dictionary attack with best64 rules
hashcat -m 1800 -a 0 sha512_hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O
# Step 4: Targeted mask attack (common patterns)
hashcat -m 1800 -a 3 sha512_hashes.txt ?u?l?l?l?l?l?d?d -O
hashcat -m 1800 -a 3 sha512_hashes.txt ?u?l?l?l?l?l?d?d?s -O
# Step 5: Hybrid attacks
hashcat -m 1800 -a 6 sha512_hashes.txt wordlist.txt ?d?d?d?d -O
# Step 6: Review results
hashcat -m 1800 sha512_hashes.txt --show
# Generate a report of cracked vs. total
total=$(wc -l < sha512_hashes.txt)
cracked=$(hashcat -m 1800 sha512_hashes.txt --show | wc -l)
echo "Cracked: $cracked / $total"Hash Identification
Before cracking, you need to identify the hash type. Hashcat can help, along with dedicated tools.
# Common hash format indicators:
# MD5: 32 hex chars (e.g., 5f4dcc3b5aa765d61d8327deb882cf99)
# SHA-1: 40 hex chars (e.g., 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)
# SHA-256: 64 hex chars (e.g., 5e884898da28047151d0e56f8dc...)
# NTLM: 32 hex chars (e.g., a4f49c406510bdcab6824ee7c30fd852)
# sha512crypt: starts with $6$ (e.g., $6$rounds=5000$salt$hash)
# md5crypt: starts with $1$ (e.g., $1$salt$hash)
# bcrypt: starts with $2b$ (e.g., $2b$12$salt.hash)
# Use hashid to identify unknown hashes
pip install hashid
hashid '5f4dcc3b5aa765d61d8327deb882cf99'
# Use hash-identifier (included in Kali)
hash-identifier
# Use Hashcat's built-in example hashes to compare
hashcat -m 0 --example-hashes
hashcat -m 1000 --example-hashes
hashcat -m 1800 --example-hashesOptions Reference
Comprehensive reference of the most important Hashcat command-line options.
| Option | Description |
|---|---|
| -m <num> | Hash type (mode number) |
| -a <num> | Attack mode (0=dict, 1=combinator, 3=mask, 6/7=hybrid) |
| -o <file> | Output file for cracked hashes |
| -r <file> | Rule file for word mutations |
| -w <num> | Workload profile (1=low, 2=default, 3=high, 4=nightmare) |
| -O | Enable optimized kernels (faster, password length limited) |
| -d <devices> | Select specific compute devices (e.g., 1,2) |
| -D <type> | OpenCL device type (1=CPU, 2=GPU, 3=FPGA) |
| -b | Run benchmark for all or specified hash types |
| -I | Show detected compute devices and exit |
| --show | Display cracked hashes from the potfile |
| --left | Display hashes that have NOT been cracked |
| --session=<name> | Define a session name for pause/restore |
| --restore | Restore a previously saved session |
| --status | Enable automatic status display |
| --status-timer=<sec> | Status display interval in seconds |
| --increment | Enable mask increment mode |
| --increment-min=<n> | Start mask increment at length n |
| --increment-max=<n> | Stop mask increment at length n |
| -g <num> | Generate num random rules |
| --potfile-disable | Do not read or write the potfile |
| --hwmon-temp-abort=<c> | Abort if GPU temp exceeds value (Celsius) |
| --force | Ignore warnings (use with caution) |
| --stdout | Output candidates to stdout (no cracking) |
| --example-hashes | Show example hashes for specified -m mode |
Tips & Best Practices
1. Start with Quick Wins
Begin every engagement with a straight dictionary attack using rockyou.txt and best64.rule. This combination cracks a surprising number of weak passwords in seconds before investing time in more complex attacks.
2. Use Optimized Kernels
Always add the -O flag unless you are targeting passwords longer than 31 characters. Optimized kernels can provide a 30-50% performance improvement on most hash types.
3. Organize Your Wordlists
Maintain curated wordlists tailored to your target. Include company names, common project names, city names, and industry-specific terms. Sort wordlists by frequency for better early results. Remove duplicates with sort -u.
4. Use Sessions for Long Attacks
Always name your sessions with --session=name for long-running attacks. This allows you to pause, resume, and track progress. Hashcat saves checkpoint data automatically so you can recover from interruptions.
5. Layer Your Attacks
Follow a structured progression: dictionary → dictionary+rules → hybrid → mask. Each layer targets a different password pattern. Move to the next layer only after exhausting the previous one. This maximizes results per unit of compute time.
6. Monitor Your Hardware
Keep GPU temperatures below 85C for sustained operation. Use --hwmon-temp-abort=85 as a safety net. Clean dust from GPU fans regularly if running extended cracking sessions. Consider undervolting GPUs for better thermal performance without significant speed loss.
7. Document Everything
In professional engagements, log all commands, sessions, and results. Use-o results.txt to save output and maintain an audit trail. Record the percentage of passwords cracked, common password patterns found, and compliance with the organization's password policy.
Related Tools
Hashcat is most effective when used alongside complementary security tools. Here are tools commonly paired with Hashcat in password security assessments:
| Tool | Purpose | Relationship to Hashcat |
|---|---|---|
| John the Ripper | CPU-based password cracker | Alternative cracker; better for certain hash types and CPU-only environments |
| Hydra | Online brute-force tool | Attacks live services (SSH, HTTP, FTP) vs. Hashcat's offline hash cracking |
| CeWL | Custom wordlist generator | Scrapes websites to build target-specific wordlists for Hashcat |
| Responder | LLMNR/NBT-NS poisoner | Captures NetNTLMv2 hashes that Hashcat can crack offline |
| Impacket | Network protocol toolkit | Extracts NTLM hashes and Kerberos tickets for offline cracking |
| hcxtools / hcxdumptool | Wi-Fi capture tools | Captures WPA handshakes and PMKIDs in the format Hashcat expects |
Interactive Keyboard Shortcuts
While Hashcat is running, you can use these keyboard shortcuts to control the session:
s- Display current statusb- Bypass current attack and move to nextc- Create a checkpoint and continuep- Pause executionr- Resume executionq- Quit gracefully (saves session)
Related Articles
John the Ripper: Password Cracker Guide
Master John the Ripper for password security testing. Learn cracking modes, custom rules, wordlist optimization, and hash format support.
THC Hydra: Network Login Brute Force Guide
Complete guide to THC Hydra for network authentication testing. Learn protocol-specific attacks for SSH, FTP, HTTP, and more with practical examples.
Nmap: Network Scanner & Security Auditing Tool Guide
Comprehensive guide to Nmap for network discovery and security auditing. Learn port scanning, OS detection, NSE scripts, and practical penetration testing workflows.
Metasploit Framework: Penetration Testing Guide
Complete guide to the Metasploit Framework for penetration testing. Learn msfconsole, exploit modules, payloads, and post-exploitation techniques.