Hashcat is the world’s fastest and most advanced password recovery tool. Where online tools like THC Hydra test credentials directly against a live service, Hashcat works offline — taking a captured hash and running millions or billions of candidate passwords through the same hashing algorithm until it finds a match. With GPU acceleration, modern hardware can test billions of hashes per second, making even complex passwords vulnerable to the right attack strategy.
This guide covers installation, hash type identification, attack modes, wordlists, rules, and real cracking workflows.
Installing Hashcat
Hashcat is preinstalled on Kali Linux. To install manually:
sudo apt install hashcat
For Windows, download the prebuilt binary from hashcat.net. The Windows version often outperforms Linux on consumer GPUs due to driver differences.
Verify the install and check GPU support:
hashcat -I
This lists detected OpenCL/CUDA devices and their capabilities.
Identifying Hash Types
Before cracking, you need to know what type of hash you have. Use hashid or hash-identifier:
hashid -m '$2y$10$EiqFk.B.0rYBmjwHlJvXEu0jKXmVQgWv4WTQhFwCqKjfEIg3lP.gm'
# Output: [+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
hash-identifier
# Interactive — paste the hash and it identifies it
Common Hash Types and Hashcat Modes
| Hash Type | Hashcat Mode | Example Hash (truncated) |
|---|---|---|
| MD5 | 0 | 5f4dcc3b5aa765d61d8327de |
| SHA-1 | 100 | 5baa61e4c9b93f3f0682250b6 |
| SHA-256 | 1400 | 5e884898da28047151d0e56f8d |
| SHA-512 | 1700 | b109f3bbbc244eb82441917ed0 |
| bcrypt | 3200 | $2y$10$... |
| NTLM | 1000 | 32ed87bdb5fdc5e9cba8885 |
| NetNTLMv2 | 5600 | user::domain:... |
| WPA2 | 22000 | (PMKID/HCCAPX format) |
| MD5crypt | 500 | $1$salt$hash |
| SHA512crypt | 1800 | $6$salt$hash |
| Kerberos 5 TGS-REP | 13100 | $krb5tgs$23$... |
Attack Modes
Hashcat supports six attack modes. Each has different performance characteristics and use cases.
| Mode | Name | Description |
|---|---|---|
| 0 | Dictionary | Try every word in a wordlist |
| 1 | Combination | Concatenate words from two wordlists |
| 3 | Brute-force/Mask | Try all combinations of a charset mask |
| 6 | Hybrid (wordlist + mask) | Wordlist entry + mask appended |
| 7 | Hybrid (mask + wordlist) | Mask prepended to wordlist entry |
| 9 | Association | Use hint/username to guess passwords |
Core Syntax
hashcat [options] hashfile [wordlist|mask]
Essential flags:
| Flag | Description |
|---|---|
| -m | Hash type (mode number) |
| -a | Attack mode (0, 1, 3, 6, 7, 9) |
| -w | Workload profile (1=Low, 2=Default, 3=High, 4=Nightmare) |
| -r | Rules file |
| -o | Output file for cracked hashes |
| --show | Show previously cracked hashes |
| --status | Show status at runtime |
| --runtime | Stop after N seconds |
Dictionary Attack (Mode 0)
The most common attack. Test every password in a wordlist:
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
Crack NTLM hashes (common in Windows pentests):
hashcat -m 1000 -a 0 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
Brute-Force with Masks (Mode 3)
Masks define a character pattern. Use masks when you know the password structure:
| Mask Char | Character Set |
|---|---|
| ?l | Lowercase letters (a-z) |
| ?u | Uppercase letters (A-Z) |
| ?d | Digits (0-9) |
| ?s | Special characters |
| ?a | All printable ASCII |
| ?h | Hex characters (0-9, a-f) |
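Crack 8-character passwords made of four lowercase letters followed by four digits. Quote the mask so the shell does not treat ? as a glob character (zsh, the default shell on Kali, aborts on an unmatched glob):
hashcat -m 0 -a 3 hashes.txt '?l?l?l?l?d?d?d?d'
Common password patterns:
# One uppercase, four lowercase, six digits (like "Admin123456")
hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?l?d?d?d?d?d?d'
# 4-digit PIN
hashcat -m 0 -a 3 hashes.txt '?d?d?d?d'
# 8 characters, all printable ASCII
hashcat -m 0 -a 3 hashes.txt '?a?a?a?a?a?a?a?a'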
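To see why password structure matters when setting policy, the following added example (not part of the original guide) parses the built-in mask placeholders from the table above, computes the keyspace of a mask, and checks whether a given password is covered by it. The function names and the 10 GH/s rate are assumptions for illustration, not benchmark results.

```python
import string
from math import prod

# Built-in Hashcat mask charsets, as listed in the table above.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "s": " " + string.punctuation,   # space plus 32 symbols = 33 characters
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Return one string of candidate characters per password position."""
    positions, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            positions.append(ch)          # literal character in the mask
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")         # '??' is a literal question mark
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unsupported placeholder ?{key}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates the mask generates."""
    return prod(len(p) for p in parse_mask(mask))


def covers(mask, password):
    """True if the password is one of the candidates the mask generates."""
    positions = parse_mask(mask)
    return len(positions) == len(password) and all(
        c in p for c, p in zip(password, positions))


def worst_case_seconds(mask, hashes_per_second):
    return keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    RATE = 10_000_000_000  # assumed 10 GH/s for a fast hash; not a measured figure
    for m in ["?d?d?d?d", "?l?l?l?l?d?d?d?d", "?u?l?l?l?l?d?d?d?d?d?d", "?a" * 8]:
        print(f"{m:24} {keyspace(m):>22,} {worst_case_seconds(m, RATE):>14.1f} s")
```

Custom charsets (?1 to ?4) are deliberately rejected here because they depend on extra command-line options.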
Rules-Based Attack
Rules mutate wordlist entries — adding numbers, capitalizing letters, substituting characters. This is often the most effective technique:
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
Bundled Rule Files
| Rules File | Description |
|---|---|
| best64.rule | 64 of the most effective rules |
| rockyou-30000.rule | Derived from RockYou patterns |
| OneRuleToRuleThemAll.rule | Community mega-ruleset |
| d3ad0ne.rule | High-coverage ruleset |
| Hob0Rules.rule | Good general-purpose rules |
Stack multiple rules:
hashcat -m 1000 -a 0 hashes.txt rockyou.txt \
-r /usr/share/hashcat/rules/best64.rule \
-r /usr/share/hashcat/rules/leetspeak.rule
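How rules turn a small wordlist into many candidates, as an added example that is not part of the original guide: a minimal interpreter for a subset of Hashcat rule functions (`:`, `l`, `u`, `c`, `r`, `d`, `$X`, `^X`, `sXY`) that reports whether a password is reachable from a wordlist entry. Two rule lists are combined the way stacked `-r` files are, with every rule from the first applied before every rule from the second. The words and rules are constructed samples, not the contents of rockyou.txt or best64.rule, and the function names are hypothetical.

```python
from itertools import product


def apply_rule(rule, word):
    """Apply one rule line (a sequence of Hashcat rule functions) to a word."""
    i = 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f in " :":                 # space separates functions, ':' is a no-op
            continue
        if f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":                # capitalize first letter, lowercase the rest
            word = word.capitalize()
        elif f == "r":                # reverse
            word = word[::-1]
        elif f == "d":                # duplicate the whole word
            word = word + word
        elif f == "$":                # $X appends character X
            word, i = word + rule[i], i + 1
        elif f == "^":                # ^X prepends character X
            word, i = rule[i] + word, i + 1
        elif f == "s":                # sXY replaces every X with Y
            word, i = word.replace(rule[i], rule[i + 1]), i + 2
        else:
            raise ValueError(f"rule function {f!r} not implemented in this example")
    return word


def find_derivation(password, words, *rule_files):
    """Return (word, rules) that produce password, or None if out of reach."""
    for word in words:
        for combo in product(*rule_files):
            candidate = word
            for rule in combo:
                candidate = apply_rule(rule, candidate)
            if candidate == password:
                return word, combo
    return None


# Constructed sample data: not the contents of rockyou.txt or best64.rule.
WORDS = ["password", "summer", "admin"]
CASE_RULES = [":", "c", "u"]
SUFFIX_RULES = [":", "$1", "$1 $2 $3", "$2 $0 $2 $4", "$!", "sa@ so0"]

if __name__ == "__main__":
    for pw in ["Password123", "p@ssw0rd", "Summer2024", "xK9#qLw2vT"]:
        print(pw, "->", find_derivation(pw, WORDS, CASE_RULES, SUFFIX_RULES))
```

Three words and nine rules already cover 54 candidates, which is why a base word plus a predictable suffix or substitution adds little strength.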
Hybrid Attacks (Modes 6 and 7)
Combine wordlists with masks for targeted attacks on passwords like Password123!:
# Wordlist + mask appended (mode 6)
hashcat -m 1000 -a 6 hashes.txt rockyou.txt '?d?d?d?s'
# Mask prepended + wordlist (mode 7)
hashcat -m 1000 -a 7 hashes.txt '?d?d?d' rockyou.txt
Cracking WPA2 Handshakes
Capture WPA2 handshakes with hcxdumptool, convert them, and crack:
# Convert PCAP to Hashcat format
hcxpcapngtool -o hash.hc22000 capture.pcapng
# Crack with dictionary
hashcat -m 22000 -a 0 hash.hc22000 rockyou.txt
Cracking Kerberoast Hashes
Kerberoasting is a common Active Directory attack. Crack the resulting TGS tickets:
hashcat -m 13100 -a 0 krb5tgs_hashes.txt rockyou.txt -r best64.rule
Checking Progress and Results
During a running session, press s to see status, p to pause, r to resume, and q to quit.
After a session, view cracked passwords with:
hashcat -m 1000 hashes.txt --show
Workload Profile
hashcat -m 1000 -a 0 hashes.txt wordlist.txt -w 3
Profile 3 (High) and 4 (Nightmare) use the GPU aggressively and may cause display lag on systems where the GPU also drives a monitor.
Enable Optimized Kernels
hashcat -m 1000 -a 0 hashes.txt wordlist.txt -O
The -O flag enables optimized kernels, often 2-3x faster, but limits maximum password length to 32 characters.
Use CUDA Over OpenCL
On NVIDIA hardware, use the CUDA backend for best performance. Hashcat auto-detects it when CUDA drivers are installed.
Recommended Wordlists
- rockyou.txt — 14 million real-world passwords
- SecLists passwords — /usr/share/seclists/Passwords/
- hashesorg2019 — Billions of real cracked passwords from database dumps
- weakpass wordlists — weakpass.com — multi-gigabyte curated lists
Summary
Hashcat is unmatched for offline password cracking. Its combination of GPU speed, flexible attack modes, and rules-based mutations means that even well-chosen passwords fall with the right strategy. Master dictionary attacks first, add rules for coverage, use masks for targeted structural attacks, and always identify your hash type before you start. The cracked passwords you recover from a pentest engagement are often the key to deeper network access.