Skip to content
>_devvkit
$devvkit learn --librarie hashcat-guide

Hashcat Guide

[crypto][password][gpu][security]
Security & Cryptography
Install
brew install hashcat
# Download: hashcat.net/hashcat/
sudo apt install hashcat
# Windows: download from website (no installer needed)

hashcat harnesses GPU power (NVIDIA CUDA, AMD ROCm, or Apple Metal) to crack password hashes at billions of guesses per second. It supports 320+ hash modes (MD5, SHA1/256/512, bcrypt, scrypt, NTLM, Kerberos, WPA/WPA2, etc.).

The basic workflow: get a hash (e.g., from a breach dump), identify the hash type (`hashid` or `hashcat --example-hashes`), pick a wordlist (rockyou.txt, SecLists), and choose appropriate rules. Typical: `hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r best64.rule`.

Hash modes: `-m 0` = MD5, `-m 1000` = NTLM, `-m 1400` = SHA256, `-m 3200` = bcrypt (cost factor 5+), `-m 17200` = PKZIP. Attack modes: `-a 0` = dictionary, `-a 3` = brute-force mask, `-a 6` = hybrid dict + mask, `-a 7` = hybrid mask + dict.

Dictionary Attack

Dictionary attackBasic wordlist attack.
hashcat -m 1000 -a 0 hashes.txt rockyou.txt
# -m 1000 = NTLM, -a 0 = dictionary
# Default: use all GPUs, auto-detect
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt  # MD5
Show cracked passwordsList recovered hashes.
hashcat -m 1000 --show hashes.txt                # Show cracked: hash:password
hashcat -m 1000 --left hashes.txt                 # Show remaining uncracked
hashcat -m 1000 --show --username hashes.txt      # If hashes have usernames

Rule-Based

With rulesMutations on wordlist.
# best64.rule: common mutations (append digit, capitalize, l33t)
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule

# OneRuleToRuleThemAll (more comprehensive):
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /opt/OneRuleToRuleThemAll.rule

# Custom rule: append 2 digits and a special char
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -j "$?d$?d$?s"

Brute-Force Mask

Brute-force maskExhaustive pattern search.
# ?l = lowercase, ?u = uppercase, ?d = digit, ?s = special, ?a = all
hashcat -m 1000 -a 3 hashes.txt ?l?l?l?l?l?l?l?l        # 8 lowercase chars
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?l?d?d       # Capital + 6 lower + 2 digits
hashcat -m 1000 -a 3 hashes.txt -i ?a                    # Incrementing length
Hybrid attackDict + mask combined.
# -a 6: wordlist + mask (Password -> Password123)
hashcat -m 1000 -a 6 hashes.txt rockyou.txt ?d?d?d

# -a 7: mask + wordlist (123Password)
hashcat -m 1000 -a 7 hashes.txt ?d?d?d rockyou.txt
WPA/WPA2 handshakeCrack Wi-Fi passwords.
# hcxdumptool captures handshakes
# Convert to hashcat format:
hcxpcapngtool -o capture.hccapx capture.pcapng
# OR use hcxpcapngtool for new format:
hcxpcapngtool -o capture.22000 capture.pcapng

# Crack:
hashcat -m 22000 capture.22000 rockyou.txt -r rules/best64.rule

# Verify PMKID:
hashcat -m 22002 capture.22000 rockyou.txt  # PMKID mode

Benchmark

Benchmark performanceTest hash/s rate.
hashcat -b                               # Default benchmark
hashcat -b --benchmark-all               # All hash types (loooong)
hashcat -b -m 1000                       # NTLM only
hashcat -b -m 3200                       # bcrypt (slow, realistic)

# Compare GPU vs CPU:
hashcat -b -D 1                          # Only CPU devices
hashcat -b -D 2                          # Only GPU devices

Mode Detection

Identify hash typeGuess the hash format.
# Hashid:
hashid '$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy'
# Detects: bcrypt $2y$ (mode 3200)

# hashcat example hashes:
hashcat --example-hashes | grep -i bcrypt
hashcat --example-hashes | grep NTLM
hashcat --identify myhash.txt