Hashcat
Installation and Setup
From Package Managers
Kali Linux:
Pre-installed. Run directly with hashcat.
Debian/Ubuntu:
sudo apt update && sudo apt install hashcat
macOS:
brew install hashcat
From Source:
git clone https://github.com/hashcat/hashcat.git
cd hashcat
make
./hashcat --help
Using Docker
docker pull hashcat/hashcat
docker run -it --rm hashcat/hashcat --help
Updating Hashcat
From Source
cd hashcat && git pull && make clean && make
From Package Manager
sudo apt update && sudo apt upgrade hashcat
Hashcat Basics
Hashcat Hash Modes
The following table lists some of the common hashcat hash modes. A full list can be found here.
hashcat -m 0 hashes.txt wordlist.txt  # MD5 Hash
hashcat -m 100 hashes.txt wordlist.txt  # SHA1
hashcat -m 1400 hashes.txt wordlist.txt  # SHA256
hashcat -m 1700 hashes.txt wordlist.txt  # SHA512
hashcat -m 500 hashes.txt wordlist.txt  # md5crypt
hashcat -m 1500 hashes.txt wordlist.txt  # descrypt (DES Unix)
hashcat -m 1800 hashes.txt wordlist.txt  # sha512crypt (Unix)
hashcat -m 3200 hashes.txt wordlist.txt  # bcrypt
hashcat -m 1000 hashes.txt wordlist.txt  # NTLM Hash
hashcat -m 3000 hashes.txt wordlist.txt  # LM Hash
hashcat -m 5500 hashes.txt wordlist.txt  # NetNTLMv1
hashcat -m 5600 hashes.txt wordlist.txt  # NetNTLMv2
hashcat -m 13100 hashes.txt wordlist.txt  # Kerberos 5 TGS-REP etype 23
hashcat -m 7500 hashes.txt wordlist.txt  # Kerberos 5 AS-REQ Pre-Auth etype 23
hashcat -m 7300 hashes.txt wordlist.txt  # IPMI2 RAKP HMAC-SHA1
hashcat -m 15300 hashes.txt wordlist.txt  # DPAPI masterkey file v1
hashcat -m 15900 hashes.txt wordlist.txt  # DPAPI masterkey file v2
hashcat -m 2100 hashes.txt wordlist.txt  # Domain Cached Credentials (DCC2)
hashcat -m 2500 -a 0 handshake.hccapx wordlist.txt  # WPA/WPA2 Handshake (old format)
hashcat -m 22000 -a 0 handshake.22000 wordlist.txt  # WPA/WPA2 PMKID/EAPOL (recommended)
hashcat -m 19600 hashes.txt wordlist.txt  # Kerberos 5 TGS-REP etype 17
hashcat -m 19700 hashes.txt wordlist.txt  # Kerberos 5 TGS-REP etype 18
hashcat -m 16800 hashes.txt wordlist.txt  # WPA-PMKID (no EAPOL)
hashcat -m 7100 hashes.txt wordlist.txt  # macOS v10.8+ (PBKDF2-SHA512)
hashcat -m 11600 hashes.txt wordlist.txt  # 7-Zip
hashcat -m 13400 hashes.txt wordlist.txt  # KeePass
hashcat -m 13751 hashes.txt wordlist.txt  # VeraCrypt SHA256 + XTS 512 bit
hashcat -m 6221 hashes.txt wordlist.txt  # TrueCrypt SHA512 + XTS 512 bit
hashcat -m 22100 hashes.txt wordlist.txt  # BitLocker
hashcat -m 9600 hashes.txt wordlist.txt  # MS Office 2013 (also covers 2016 documents)
Hashcat Attack Modes
The attack modes available are:
-a 0 | Straight
-a 1 | Combination
-a 3 | Brute-force
-a 6 | Hybrid Wordlist + Mask
-a 7 | Hybrid Mask + Wordlist
-a 9 | Association
Some examples of common attack modes are shown below:
hashcat -a 0 -m 0 hashes.txt wordlist.txt  # Wordlist Attack
hashcat -a 3 -m 0 hashes.txt '?a?a?a?a'  # Mask Attack (quote masks so the shell does not glob-expand the ? characters)
hashcat -a 6 -m 0 hashes.txt wordlist.txt '?d?d'  # Hybrid Wordlist + Mask
hashcat -a 7 -m 0 hashes.txt '?d?d' wordlist.txt  # Hybrid Mask + Wordlist
hashcat -a 1 -m 0 hashes.txt wordlist1.txt wordlist2.txt  # Combinator Attack
Real Pentesting Attack Scenarios
hashcat -m 1000 hashes.txt rockyou.txt  # Crack NTLM hashes from a Windows dump
hashcat -m 5600 netntlmv2.txt rockyou.txt  # Crack captured NetNTLMv2 hashes
hashcat -m 18200 asrep_hashes.txt rockyou.txt  # Crack AS-REP roasted Kerberos hashes
hashcat -m 13100 kerberoast_hashes.txt rockyou.txt  # Crack Kerberoasted service tickets
hashcat -m 2100 dcc_hashes.txt rockyou.txt  # Crack Domain Cached Credentials (DCC2)
hashcat -m 22000 wifi.22000 rockyou.txt  # Crack WPA/WPA2 handshake
hashcat -m 11600 7zip.hash rockyou.txt  # Crack 7zip encrypted archive
hashcat -m 13400 keepass.hash rockyou.txt  # Crack KeePass database password
hashcat -m 9600 office.hash rockyou.txt  # Crack MS Office document password
hashcat -m 10500 pdf.hash rockyou.txt  # Crack PDF password
Identifying Hash Types
hashid hashes.txt  # Use hashid to identify hash
hashcat -m 0 --example-hashes  # View example hashes for mode 0
hashcat --example-hashes | grep NTLM  # Search example hashes for NTLM
hashcat --example-hashes > examples.txt  # Export all example hashes
More generic hash types can be found at https://hashcat.net/wiki/doku.php?id=example_hashes
Performance Tuning
Optimizing Performance
hashcat -w 3 -m 1000 hashes.txt wordlist.txt  # Workload level 3 (high)
hashcat -w 4 -m 1000 hashes.txt wordlist.txt  # Workload level 4 (max)
hashcat --opencl-device-types 1,2  # Select CPU (1) and GPU (2)
hashcat --backend-info  # Display backend info
Benchmarking
Benchmarking allows testing GPU or CPU performance before running long cracking jobs.
hashcat -b  # Run benchmark for default hash types
hashcat -b --benchmark-all  # Benchmark all supported hash modes (--benchmark-all requires -b)
hashcat --speed-only -m 1000 hashes.txt wordlist.txt  # Estimate cracking speed and exit
hashcat --progress-only -m 1000 hashes.txt wordlist.txt  # Display expected workload size
Device and Hardware Control
hashcat -I  # Display available OpenCL devices
hashcat -D 1 -m 1000 hashes.txt wordlist.txt  # Use CPU only
hashcat -D 2 -m 1000 hashes.txt wordlist.txt  # Use GPU only
hashcat -D 1,2 -m 1000 hashes.txt wordlist.txt  # Use CPU and GPU
hashcat -d 1 -m 1000 hashes.txt wordlist.txt  # Select specific device ID
hashcat --opencl-platforms=1 -m 1000 hashes.txt wordlist.txt  # Select OpenCL platform
Hardware Monitoring
Useful when cracking on GPUs to prevent overheating.
hashcat --hwmon-disable -m 1000 hashes.txt wordlist.txt  # Disable hardware monitoring
hashcat --hwmon-temp-abort=90 -m 1000 hashes.txt wordlist.txt  # Abort if GPU temperature reaches 90°C
hashcat --hwmon-temp-retain=80 -m 1000 hashes.txt wordlist.txt  # Throttle GPU to maintain temperature
Workload Tuning
These options are used when optimising cracking speed on specific GPUs or CPUs.
hashcat -w 1 -m 1000 hashes.txt wordlist.txt  # Low workload profile
hashcat -w 2 -m 1000 hashes.txt wordlist.txt  # Default workload profile
hashcat -w 3 -m 1000 hashes.txt wordlist.txt  # High workload profile
hashcat -w 4 -m 1000 hashes.txt wordlist.txt  # Nightmare workload profile
hashcat --kernel-accel=64 -m 1000 hashes.txt wordlist.txt  # Manually tune GPU acceleration
hashcat --kernel-loops=1024 -m 1000 hashes.txt wordlist.txt  # Adjust kernel loop count
hashcat --nvidia-spin-damp=50 -m 1000 hashes.txt wordlist.txt  # Reduce GPU spin-wait load
Wordlist and Rules
Using Wordlists
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 0 -a 0 hashes.txt custom_wordlist.txt
Applying Rules
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/combinator.rule
Wordlist Encoding and Hex Handling
These options help when cracking hashes that use non-standard encodings or binary inputs.
hashcat --encoding-from=utf-16 --encoding-to=utf-8 -m 1000 hashes.txt wordlist.txt  # Convert wordlist encoding
hashcat --hex-wordlist -m 1000 hashes.txt wordlist.txt  # Treat wordlist entries as hex
hashcat --hex-salt -m 1000 hashes.txt wordlist.txt  # Treat salt as hex
hashcat --hex-charset -m 1000 -a 3 hashes.txt '?b?b?b?b'  # Interpret charset as hex
Generating Wordlists
hashcat --stdout -a 3 '?u?u?u?d?d' > generated_wordlist.txt  # 3 uppercase letters followed by 2 digits
hashcat --stdout -a 3 '?l?l?l?l?d' > generated_wordlist.txt  # 4 lowercase letters followed by 1 digit
hashcat --stdout -a 3 '?l?l?l?l?l?u' > generated_wordlist.txt  # 5 lowercase letters followed by 1 uppercase letter
hashcat --stdout -a 3 '?d?d?s?s?s' > generated_wordlist.txt  # 2 digits followed by 3 special characters
hashcat --stdout -a 3 '?l?l?l?u?u?d' > generated_wordlist.txt  # 3 lowercase letters, 2 uppercase letters, and 1 digit
hashcat --stdout -a 3 '?l?l?l?l?l?l?d?d' > generated_wordlist.txt  # 6 lowercase letters followed by 2 digits
hashcat --stdout -a 3 '?l?d?l?d' > generated_wordlist.txt  # Alternating lowercase letters and digits (e.g., `a1b2`)
hashcat --stdout -a 3 '?d?d?d?l?l?l' > generated_wordlist.txt  # 3 digits followed by 3 lowercase letters
hashcat --stdout -a 3 '?u?u?u?u?s' > generated_wordlist.txt  # 4 uppercase letters followed by 1 special character
Mask Attacks
The character sets for mask attacks in Hashcat are:
?l | abcdefghijklmnopqrstuvwxyz [a-z]
?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
?d | 0123456789 [0-9]
?h | 0123456789abcdef [0-9a-f]
?H | 0123456789ABCDEF [0-9A-F]
?s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a | ?l?u?d?s
?b | 0x00 - 0xff
Common Masks
hashcat -a 3 -m 0 hashes.txt '?d?d?d?d'  # 4-digit PIN
hashcat -a 3 -m 0 hashes.txt '?u?l?l?l?d'  # Upper, lower, lower, lower, digit
hashcat -a 3 -m 0 hashes.txt '?a?a?a?a'  # Any 4 printable ASCII characters
hashcat -a 3 -m 0 hashes.txt '?u?u?u?u'  # 4 uppercase letters
hashcat -a 3 -m 0 hashes.txt '?l?l?l?l'  # 4 lowercase letters
hashcat -a 3 -m 0 hashes.txt '?d?d?d?d?d'  # 5-digit PIN
hashcat -a 3 -m 0 hashes.txt '?u?u?u?l?l'  # 3 uppercase and 2 lowercase letters
hashcat -a 3 -m 0 hashes.txt '?l?l?l?d?d'  # 3 lowercase letters followed by 2 digits
hashcat -a 3 -m 0 hashes.txt '?l?l?l?l?d'  # 4 lowercase letters followed by 1 digit
hashcat -a 3 -m 0 hashes.txt '?l?d?l?d?l'  # Alternating lowercase and digits (e.g., `a1b2c`)
hashcat -a 3 -m 0 hashes.txt '?u?d?u?d?l'  # Upper, digit, upper, digit, lower
hashcat -a 3 -m 0 hashes.txt '?a?a?a?d'  # Any 3 printable ASCII characters followed by a digit
hashcat -a 3 -m 0 hashes.txt '?d?d?d?l'  # 3 digits followed by a lowercase letter
hashcat -a 3 -m 0 hashes.txt '?u?d?d?d?u'  # Upper, digit, digit, digit, upper
hashcat -a 3 -m 0 hashes.txt '?s?s?s?s'  # Any 4 special characters
hashcat -a 3 -m 0 hashes.txt '?l?u?d?s'  # Lowercase, uppercase, digit, special character
hashcat -a 3 -m 0 hashes.txt '?d?d?l?l?l'  # 2 digits followed by 3 lowercase letters
Custom Charset Masks
hashcat -a 3 -m 0 hashes.txt -1 '?l?u' '?1?1?1?1'  # 4 mixed-case letters
hashcat -a 3 -m 0 hashes.txt -2 abc '?2?2?2?2'  # 4 characters from 'abc'
Incremental Mask Attacks
hashcat -m 1000 -a 3 hashes.txt '?l?l?l?l?l?l' --increment  # Enable mask increment
hashcat -m 1000 -a 3 hashes.txt '?l?l?l?l?l?l' --increment --increment-min=4  # Minimum mask length (only valid together with --increment)
hashcat -m 1000 -a 3 hashes.txt '?l?l?l?l?l?l?l?l' --increment --increment-max=8  # Maximum mask length (the mask needs at least 8 positions)
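The number of candidates a mask covers is the product of the charset sizes at each position, which is also a quick measure of how little protection a predictable password shape gives. The script below is an added example, not part of the original cheat sheet; the function names `charset_size` and `mask_keyspace` are hypothetical, and it assumes custom charsets contain no duplicate characters.

```shell
#!/bin/sh
# Added example, not from the original page. Counts the candidates a hashcat
# mask generates. Assumes custom charsets hold no duplicate characters and the
# result fits in the shell's 64-bit arithmetic. Function names are hypothetical.

# charset_size DEF: size of a charset definition such as '?l?u' or 'abc'.
charset_size() {
    def=$1 size=0
    while [ -n "$def" ]; do
        c=${def%"${def#?}"}; def=${def#?}          # take the first character
        if [ "$c" = "?" ] && [ -n "$def" ]; then
            k=${def%"${def#?}"}; def=${def#?}
            case $k in
                l|u) size=$((size + 26)) ;;
                d)   size=$((size + 10)) ;;
                h|H) size=$((size + 16)) ;;
                s)   size=$((size + 33)) ;;        # 32 symbols plus space
                a)   size=$((size + 95)) ;;        # ?l?u?d?s
                b)   size=$((size + 256)) ;;       # 0x00 - 0xff
                \?)  size=$((size + 1)) ;;         # ?? is a literal '?'
                *)   echo "unknown charset ?$k" >&2; return 1 ;;
            esac
        else
            size=$((size + 1))                     # literal character
        fi
    done
    echo "$size"
}

# mask_keyspace MASK [CUSTOM1 [CUSTOM2 [CUSTOM3 [CUSTOM4]]]]
# CUSTOMn is the definition given to -1 .. -4 on the hashcat command line.
mask_keyspace() {
    mask=$1 total=1
    while [ -n "$mask" ]; do
        c=${mask%"${mask#?}"}; mask=${mask#?}; n=1  # literals contribute 1
        if [ "$c" = "?" ] && [ -n "$mask" ]; then
            k=${mask%"${mask#?}"}; mask=${mask#?}
            case $k in
                1) n=$(charset_size "${2-}") ;;
                2) n=$(charset_size "${3-}") ;;
                3) n=$(charset_size "${4-}") ;;
                4) n=$(charset_size "${5-}") ;;
                *) n=$(charset_size "?$k") ;;
            esac || return 1
            [ "$n" -gt 0 ] || { echo "custom charset ?$k is empty" >&2; return 1; }
        fi
        total=$((total * n))
    done
    echo "$total"
}
```

After sourcing the file, `mask_keyspace '?u?l?l?l?d'` prints 4569760 and `mask_keyspace '?1?1?1?1' '?l?u'` prints 7311616.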
Hybrid Attacks
hashcat -a 6 -m 0 hashes.txt wordlist.txt '?d?d'  # Wordlist + 2 digits
hashcat -a 7 -m 0 hashes.txt '?d?d' wordlist.txt  # 2 digits + Wordlist
Markov Attacks
Markov chains optimise brute-force attacks by prioritising likely character sequences.
hashcat -m 1000 -a 3 --markov-hcstat2=my.hcstat2 hashes.txt '?a?a?a?a?a?a'  # Use custom Markov statistics file
hashcat -m 1000 -a 3 --markov-disable hashes.txt '?a?a?a?a?a?a'  # Disable Markov optimization
hashcat -m 1000 -a 3 --markov-classic hashes.txt '?a?a?a?a?a?a'  # Use classic Markov chains
hashcat -m 1000 -a 3 --markov-threshold=100 hashes.txt '?a?a?a?a?a?a'  # Limit Markov candidate acceptance
Hashcat Brain (Distributed Cracking)
The brain feature prevents duplicate cracking attempts across multiple cracking machines.
hashcat --brain-server  # Start brain server
hashcat --brain-client --brain-host=127.0.0.1 -m 1000 hashes.txt wordlist.txt  # Connect to brain server
hashcat --brain-client --brain-host=10.10.10.5 --brain-password=secret -m 1000 hashes.txt wordlist.txt  # Authenticate to brain server
hashcat --brain-client --brain-host=10.10.10.5 --brain-port=13743 -m 1000 hashes.txt wordlist.txt  # Specify custom brain port
Common Hash Types
hashcat -m 22000 -a 3 handshake.22000 '?a?a?a?a?a?a?a?a'  # WPA/WPA2 Handshake Cracking
hashcat -m 1000 -a 0 ntlm_hashes.txt wordlist.txt  # NTLM Hashes
hashcat -m 1400 -a 0 sha256_hashes.txt wordlist.txt  # SHA256 Hashes
hashcat -m 0 -a 0 md5_hashes.txt wordlist.txt  # MD5 Hashes
hashcat -m 100 -a 0 sha1_hashes.txt wordlist.txt  # SHA1 Hashes
hashcat -m 3200 -a 0 bcrypt_hashes.txt wordlist.txt  # bcrypt Hashes
hashcat -m 1700 -a 0 sha512_hashes.txt wordlist.txt  # SHA512 Hashes
hashcat -m 2400 -a 0 cisco_pix_hashes.txt wordlist.txt  # Cisco PIX MD5 Hashes
hashcat -m 300 -a 0 mysql_hashes.txt wordlist.txt  # MySQL 4.1/5.x Hashes
hashcat -m 9600 -a 0 office2013_hashes.txt wordlist.txt  # Office 2013 Hashes
hashcat -m 12600 -a 0 cfhashes.txt wordlist.txt  # Adobe ColdFusion 10+ Hashes
hashcat -m 18200 -a 0 kerberos_hashes.txt wordlist.txt  # Kerberos 5 AS-REP etype 23 Hashes
hashcat -m 1500 -a 0 des_hashes.txt wordlist.txt  # descrypt (DES Unix) Hashes
hashcat -m 1450 -a 0 hmac_sha256_hashes.txt wordlist.txt  # HMAC-SHA256 Hashes (key = $pass)
hashcat -m 12000 -a 0 pbkdf2_hmac_sha1_hashes.txt wordlist.txt  # PBKDF2-HMAC-SHA1 Hashes
hashcat -m 3000 -a 0 lm_hashes.txt wordlist.txt  # LM Hashes (Windows Legacy)
hashcat -m 400 -a 0 wordpress_hashes.txt wordlist.txt  # WordPress Hashes (phpass, MD5-based)
hashcat -m 29200 -a 0 radmin_hashes.txt wordlist.txt  # Radmin 3.x Hashes
hashcat -m 900 -a 0 md4_hashes.txt wordlist.txt  # MD4 Hashes
hashcat -m 12500 -a 0 rar3_hashes.txt wordlist.txt  # Rar3 Hashes (Rar3.x Archives)
hashcat -m 9400 -a 0 office2007_hashes.txt wordlist.txt  # MS Office 2007 Hashes
hashcat -m 9500 -a 0 office2010_hashes.txt wordlist.txt  # MS Office 2010 Hashes
hashcat -m 10500 -a 0 pdf_hashes.txt wordlist.txt  # PDF 1.4 - 1.6 Hashes (Encrypted PDFs)
hashcat -m 6300 -a 0 aix_hashes.txt wordlist.txt  # AIX {smd5} Hashes
hashcat -m 6211 -a 0 truecrypt_hashes.txt wordlist.txt  # TrueCrypt Hashes (RIPEMD160 + XTS 512 bit)
Working with Files
Splitting and Sorting
split -l 1000 large_wordlist.txt smaller_list  # Split large wordlist
sort wordlist.txt | uniq > sorted_wordlist.txt  # Sort and remove duplicates
Cleaning Hashes
cat hashes.txt | sort | uniq > clean_hashes.txt #Remove duplicate hashes
Using Potfile
Default Potfile
hashcat -m 0 -a 0 hashes.txt wordlist.txt --potfile-disable  # Disable potfile
hashcat --show -m 0 hashes.txt  # Show cracked passwords
hashcat --left -m 1000 hashes.txt  # Show remaining uncracked hashes
hashcat --potfile-disable -m 1000 hashes.txt wordlist.txt  # Disable writing to potfile
Custom Potfile
hashcat -m 0 -a 0 hashes.txt wordlist.txt --potfile-path=custom.pot
Session and Restore
Save a Session
hashcat -m 0 -a 0 hashes.txt wordlist.txt --session=my_session
Restore a Session
hashcat --restore --session=my_session
Disable Restore File Creation
hashcat --restore-disable -m 1000 hashes.txt wordlist.txt
Runtime Control
hashcat --runtime=3600 -m 1000 hashes.txt wordlist.txt  # Stop after one hour
hashcat --runtime=86400 -m 1000 hashes.txt wordlist.txt  # Run for 24 hours
Output and Logging
hashcat -o cracked.txt --outfile-format=2 -m 1000 hashes.txt wordlist.txt  # Custom output format
hashcat --outfile-check-timer=30 -m 1000 hashes.txt wordlist.txt  # Check outfile every 30 seconds
hashcat --separator=":" -m 1000 hashes.txt wordlist.txt  # Change output separator
hashcat --logfile-disable -m 1000 hashes.txt wordlist.txt  # Disable log file creation
The following custom output formats are available:
--outfile-format=1 | hash[:salt]
--outfile-format=2 | plain
--outfile-format=3 | hex_plain
--outfile-format=4 | crack_pos
--outfile-format=5 | timestamp absolute
--outfile-format=6 | timestamp relative
Monitoring and Status
hashcat --status -m 1000 hashes.txt wordlist.txt  # Enable runtime status display
hashcat --status --status-timer=30 -m 1000 hashes.txt wordlist.txt  # Update status every 30 seconds
hashcat --machine-readable --status -m 1000 hashes.txt wordlist.txt  # Machine-readable status output
hashcat --logfile-disable -m 1000 hashes.txt wordlist.txt  # Disable log file creation