Password Cracking with Hashcat: A Practical Guide
Learn how Hashcat works, common attack modes, and how to audit password strength. Includes practical examples with different hash types.
What Is Hashcat?
Hashcat is the world’s fastest and most advanced password recovery tool. It leverages the massive parallel processing power of GPUs to crack hashed passwords at extraordinary speeds — billions of candidates per second depending on the hash algorithm and hardware.
Security professionals use Hashcat during penetration tests and password audits to evaluate the strength of password policies, recover credentials from database breaches, and demonstrate real-world attack scenarios to stakeholders. It supports over 350 hash types and runs on Linux, Windows, and macOS.
Understanding Hash Types
Before cracking anything, you need to identify what you’re dealing with. Every hash algorithm has a corresponding mode number in Hashcat.
Common Hash Types
| Algorithm | Hashcat Mode | Example Hash |
|---|---|---|
| MD5 | -m 0 | 5d41402abc4b2a76b9719d911017c592 |
| SHA-1 | -m 100 | aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d |
| SHA-256 | -m 1400 | 2cf24dba5fb0a30e26e83b2ac5b9e29e... |
| NTLM | -m 1000 | a4f49c406510bdcab6824ee7c30fd852 |
| bcrypt | -m 3200 | $2a$10$N9qo8uLOickgx2ZMRZoMye... |
| WPA2-PBKDF2 | -m 22000 | (captured .hc22000 file) |
You can identify hash types manually or with tools like hashid or haiti. Note that the length alone is ambiguous: a 32-character hex string could be MD5, MD4 or NTLM, so the tool lists every candidate and the origin of the hash (a web application table versus an NTDS dump) decides which mode to use:
hashid '5d41402abc4b2a76b9719d911017c592'
# Output: [+] MD5 (listed alongside other 128-bit formats such as MD4 and NTLM)
The difference in cracking speed between algorithms is dramatic. MD5 and NTLM can be tried at well over 50 billion candidates per second on a single modern GPU (a current high-end card manages more than 100 billion), while bcrypt runs in the tens of thousands per second at its benchmark cost of 5 and halves with every increment of the cost factor, because the work grows as 2^cost. At cost 10 the same card is down to a few thousand candidates per second, which turns a mask that falls in seconds against MD5 into one measured in months or years against bcrypt.
Attack Modes
Hashcat offers several attack modes, each suited for different scenarios. The attack mode is selected with -a and is easy to confuse with the hash mode given to -m: -m 0 means MD5, while -a 0 means a dictionary attack.
Dictionary Attack (-a 0)
The most straightforward approach. Hashcat reads a wordlist line by line and hashes each candidate for comparison.
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
This tests every word in rockyou.txt against your MD5 hashes. Simple but surprisingly effective — a huge number of real-world passwords appear in common wordlists.
Brute-Force / Mask Attack (-a 3)
When wordlists fail, you define a pattern using character masks. Hashcat generates all possible combinations matching that pattern.
# Crack an 8-character password: uppercase + 6 lowercase + digit
hashcat -m 1000 -a 3 ntlm_hashes.txt '?u?l?l?l?l?l?l?d'
Built-in charsets include:
- ?l — lowercase (a-z)
- ?u — uppercase (A-Z)
- ?d — digits (0-9)
- ?s — special characters (space plus the 32 printable ASCII punctuation characters)
- ?a — all printable ASCII (?l?u?d?s, 95 characters)
- ?b — every byte value 0x00-0xff
You can also define custom charsets:
hashcat -m 0 -a 3 hashes.txt -1 '?l?d' '?1?1?1?1?1?1?1?1'
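Before launching a mask attack it pays to know how many candidates the mask generates and how long that takes at the rates quoted in the hash-type section. The following script is an added example, not code from the article or the Hashcat project: it parses Hashcat's mask syntax (built-in charsets, literal characters, and the -1 to -4 custom charsets, which may themselves reference built-ins or lower-numbered custom charsets), computes the keyspace, models --increment, and converts the result into a worst-case time at an assumed hash rate. The rates in the demo run (50 billion/s for NTLM, 5,000/s for bcrypt at cost 10) are assumptions for illustration, not benchmarks.

```python
# Added example (not from the original article): parse a Hashcat mask, compute its
# keyspace, and estimate how long exhausting it takes at a given hash rate.
import string

# Built-in charsets as Hashcat defines them.
BUILTIN = {
    "l": string.ascii_lowercase,                    # 26
    "u": string.ascii_uppercase,                    # 26
    "d": string.digits,                             # 10
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",     # 33, space included
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "b": "".join(chr(c) for c in range(256)),       # every byte value
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]   # 95


def expand_charset(spec, custom):
    """Expand a charset spec such as '?l?d' or 'abc?d' into its distinct characters.

    `custom` maps '1'..'4' to already-expanded charsets given with -1 .. -4.
    '??' is a literal question mark; any other character is taken literally.
    """
    chars = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            code = spec[i + 1]
            if code in BUILTIN:
                chars.extend(BUILTIN[code])
            elif code in custom:
                chars.extend(custom[code])
            elif code == "?":
                chars.append("?")
            else:
                raise ValueError(f"unknown charset ?{code}")
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))   # de-duplicate, keep first-seen order


def mask_positions(mask, custom_specs=None):
    """Per-position charsets for a mask, given the -1..-4 custom charset specs."""
    custom = {}
    for key in sorted(custom_specs or {}):   # -2 may reference -1, so expand in order
        custom[key] = expand_charset(custom_specs[key], custom)
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])        # literal character: exactly one choice
            i += 1
    return positions


def keyspace(mask, custom_specs=None):
    """Number of candidates the mask generates (product of the charset sizes)."""
    total = 1
    for charset in mask_positions(mask, custom_specs):
        total *= len(charset)
    return total


def keyspace_increment(mask, min_len, max_len, custom_specs=None):
    """Keyspace with --increment: every prefix length from min_len to max_len is tried."""
    positions = mask_positions(mask, custom_specs)
    total = 0
    for length in range(min_len, min(max_len, len(positions)) + 1):
        size = 1
        for charset in positions[:length]:
            size *= len(charset)
        total += size
    return total


def seconds_to_exhaust(mask, rate, custom_specs=None):
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return keyspace(mask, custom_specs) / rate


def human_time(seconds):
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.2f}s"


if __name__ == "__main__":
    # Assumed rates for the comparison, not measured benchmarks.
    RATES = {"NTLM": 50e9, "bcrypt cost 10": 5e3}
    masks = [("?u?l?l?l?l?l?l?d", None),
             ("?1?1?1?1?1?1?1?1", {"1": "?l?d"}),
             ("?a?a?a?a?a?a?a?a", None)]
    for mask, custom in masks:
        ks = keyspace(mask, custom)
        est = ", ".join(f"{n}: {human_time(ks / r)}" for n, r in RATES.items())
        print(f"{mask:<18} {ks:>22,}  {est}")
```

The numbers make the point of the hash-type section concrete: the 8-character mask from the example above has about 8 x 10^10 candidates, which is under two seconds against NTLM at the assumed rate but months against bcrypt at cost 10.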
Rule-Based Attack (-a 0 + Rules)
Rules transform wordlist entries on the fly — appending digits, capitalizing letters, substituting characters, reversing strings, and more. This is where Hashcat truly shines.
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
Popular rule files included with Hashcat:
- best64.rule — 64 high-yield transformations
- rockyou-30000.rule — aggressive, broad coverage
- d3ad0ne.rule — classic community ruleset
- dive.rule — deep mutations, slower but thorough
You can write custom rules too. A rule file is just a text file with one rule per line; a rule may chain several functions separated by spaces, lines beginning with # are comments, and Hashcat skips any line it cannot parse with a warning:
# no-op: try the word unchanged
:
# lowercase all, uppercase all, capitalize the first letter
l
u
c
# append "1", append "!"
$1
$!
# replace every 'a' with '@', every 'e' with '3'
sa@
se3
# prepend "2025": each ^X inserts at the front, so the characters go in reverse order
^5 ^2 ^0 ^2
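The easiest way to understand what a rule does is to run it. The script below is an added example, not code from the article or from Hashcat: it implements a subset of the rule language (the functions shown above plus reverse, duplicate, reflect, rotate, toggle, delete and truncate), loads a rule file in the comment-and-one-rule-per-line format, and then runs the dictionary attack from the start of this section with those rules against a set of MD5 hashes, applying every rule to every word as hashcat -a 0 -r does. The wordlist, rule file and targets are constructed for the demo; the first target is the MD5 of "hello" from the hash table above.

```python
# Added example (not from the original article): an interpreter for a subset of
# Hashcat's rule language, and a dictionary-plus-rules attack against MD5 (-m 0).
# The wordlist, rule file and target hashes are constructed for the demo.
import hashlib


def md5_hex(text):
    """MD5 of a UTF-8 string as lowercase hex, the form Hashcat -m 0 expects."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def _pos(ch):
    """Position parameter as Hashcat encodes it: 0-9, then A-Z for 10-35."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"bad position {ch!r}")


def apply_rule(rule, word):
    """Apply one rule line to a word. Spaces between functions are ignored.

    Supported: : l u c C t r d f { } [ ] $X ^X sXY @X TN DN 'N
    Anything else raises ValueError (Hashcat skips such rules with a warning).
    """
    w, i = word, 0

    def take(k):                      # consume k characters of the rule
        nonlocal i
        if i + k > len(rule):
            raise ValueError(f"rule {rule!r} ends inside a function")
        chunk, i = rule[i:i + k], i + k
        return chunk

    while i < len(rule):
        f = take(1)
        if f in " :":   continue                        # separator / no-op
        elif f == "l":  w = w.lower()
        elif f == "u":  w = w.upper()
        elif f == "c":  w = w[:1].upper() + w[1:].lower()
        elif f == "C":  w = w[:1].lower() + w[1:].upper()
        elif f == "t":  w = w.swapcase()
        elif f == "r":  w = w[::-1]
        elif f == "d":  w = w + w
        elif f == "f":  w = w + w[::-1]
        elif f == "{":  w = w[1:] + w[:1]               # rotate left
        elif f == "}":  w = w[-1:] + w[:-1]             # rotate right
        elif f == "[":  w = w[1:]                       # delete first char
        elif f == "]":  w = w[:-1]                      # delete last char
        elif f == "$":  w = w + take(1)                 # append X
        elif f == "^":  w = take(1) + w                 # prepend X at the front
        elif f == "s":  x, y = take(2); w = w.replace(x, y)
        elif f == "@":  w = w.replace(take(1), "")      # purge every X
        elif f == "T":
            n = _pos(take(1))
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif f == "D":  n = _pos(take(1)); w = w[:n] + w[n + 1:]
        elif f == "'":  w = w[:_pos(take(1))]           # truncate at N
        else:
            raise ValueError(f"unsupported function {f!r} in {rule!r}")
    return w


def load_rules(text):
    """Rule-file text: one rule per line; blank lines and '#' comment lines are ignored."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def crack(target_hashes, wordlist, rules):
    """-a 0 with -r: every rule applied to every word. Returns {hash: (plaintext, rule)}."""
    remaining = {h.lower() for h in target_hashes}
    found = {}
    for word in wordlist:
        for rule in rules:
            if not remaining:
                return found
            try:
                candidate = apply_rule(rule, word)
            except ValueError:
                continue                                # malformed rule: skip it
            digest = md5_hex(candidate)
            if digest in remaining:
                remaining.remove(digest)
                found[digest] = (candidate, rule)
    return found


# Constructed inputs. The first target is the MD5 of "hello" from the table above;
# the others are hashes of plaintexts the rules can (or cannot) reach.
RULES_TEXT = """\
# demo rule file
:
c
c $1
c $2 $0 $2 $4
c sa@ so0 $!
^5 ^2 ^0 ^2
"""
WORDLIST = ["hello", "password", "summer", "admin"]
TARGETS = ["5d41402abc4b2a76b9719d911017c592",
           md5_hex("P@ssw0rd!"), md5_hex("Summer2024"), md5_hex("qwerty")]

if __name__ == "__main__":
    for rule in ("^2 ^0 ^2 ^5", "^5 ^2 ^0 ^2"):
        print(f"{rule:<12} word -> {apply_rule(rule, 'word')}")
    for digest, (plain, rule) in crack(TARGETS, WORDLIST, load_rules(RULES_TEXT)).items():
        print(f"{digest}:{plain}    via rule {rule!r}")
```

Running it shows why the prepend order matters (^2 ^0 ^2 ^5 yields 5202word, ^5 ^2 ^0 ^2 yields 2025word) and recovers three of the four targets; qwerty is never generated from this wordlist, which is the usual reason a rules run stalls and the moment to switch to a better list or a mask.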
Combinator Attack (-a 1)
Combines words from two different wordlists by concatenating them:
hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
This produces candidates like sunflower + 2024 = sunflower2024. It’s highly effective against users who combine two common words as their password.
Wordlists and Resources
The quality of your wordlist directly determines your success rate. Essential resources include:
- rockyou.txt — 14 million leaked passwords, the classic starting point
- SecLists — curated collection at github.com/danielmiessler/SecLists
- CrackStation — 1.5 billion entries, available at crackstation.net
- Weakpass — massive wordlists optimized for various scenarios
You can also generate targeted wordlists with tools like cewl (scrapes websites for keywords) or cupp (creates custom profiles based on target information).
Practical Examples
Cracking a Dumped NTLM Hash
After extracting NTLM hashes with secretsdump.py from an Active Directory environment. Its output is in pwdump format (domain\user:rid:lmhash:nthash:::), so either put only the NT hash field into the hash file or keep one user:hash pair per line and add --username so Hashcat ignores the prefix:
hashcat -m 1000 -a 0 domain_hashes.txt rockyou.txt -r best64.rule -O -w 3
Flags explained:
- -O — optimized kernels (faster, but caps the candidate length: 31 characters for NTLM, fewer for some salted modes; longer passwords are silently never tried)
- -w 3 — high workload profile (aggressive GPU usage; the desktop may become unresponsive while it runs)
Cracking bcrypt Hashes from a Web App Database
hashcat -m 3200 -a 0 bcrypt_hashes.txt rockyou.txt -w 2
bcrypt is intentionally slow, so expect this to take considerably longer. Focus on short, targeted wordlists and smart rules rather than brute-force.
Resuming and Managing Sessions
# Name your session for easy management
hashcat -m 0 -a 0 hashes.txt rockyou.txt --session=audit01
# Resume an interrupted session
hashcat --session=audit01 --restore
# Show cracked results (read back from the potfile, so the same -m and hash file are required)
hashcat -m 0 hashes.txt --show
Defending Against Password Cracking
Understanding offensive techniques is essential for building better defenses. Here’s what actually works:
Use Slow Hashing Algorithms
Never store passwords with MD5, SHA-1, or SHA-256 alone. Use algorithms specifically designed for password storage:
- bcrypt — time-tested, adjustable cost factor, widely supported
- Argon2id — modern winner of the Password Hashing Competition, memory-hard
- scrypt — memory-hard alternative, good for high-security contexts
Salt Everything
A unique random salt per password ensures that identical passwords produce different hashes, making precomputed attacks (rainbow tables) useless and forcing attackers to crack each hash individually.
# Python example with the bcrypt package (pip install bcrypt)
import bcrypt
password = b"hunter2"
salt = bcrypt.gensalt(rounds=12)       # 16 random bytes plus the cost (2^12 iterations)
hashed = bcrypt.hashpw(password, salt)  # e.g. b'$2b$12$...'; the salt and cost are embedded, store this whole string
# Verification re-derives the hash from the salt stored in `hashed`
assert bcrypt.checkpw(password, hashed)
# Caveat: bcrypt only uses the first 72 bytes of the password; longer input is silently truncated
Enforce Strong Password Policies
- Minimum 12 characters
- Encourage passphrases over complex short passwords
- Check candidates against breach databases (e.g., HaveIBeenPwned API)
- Implement multi-factor authentication as a second layer
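The breach-database check deserves a closer look, because done naively it sends every candidate password to a third party. The HaveIBeenPwned Pwned Passwords API avoids that with k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters, receives every suffix in that range with its count, and compares locally. The script below is an added example, not code from the article or from HaveIBeenPwned: it implements that exchange together with the minimum-length rule above. The range response used by the demo is constructed (the suffix for "password" is the real remainder of its SHA-1, the count and the other entries are made up); fetch_range_live() calls the real endpoint and is only used when you pass --live.

```python
# Added example (not from the original article): the HaveIBeenPwned "Pwned
# Passwords" k-anonymity range check plus the minimum-length rule, written so the
# full hash never leaves the host. The demo uses a constructed range response.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """k-anonymity: only the first 5 hex characters are sent; the 35-char suffix stays local."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Body lines look like 'SUFFIX:COUNT'; padded entries (Add-Padding) carry count 0."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real API call; Add-Padding asks the server to hide the true range size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def evaluate_password(password, fetch_range, min_length=12):
    """Return the list of policy failures (empty list = acceptable)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    hits = pwned_count(password, fetch_range)
    if hits:
        failures.append(f"seen {hits} times in breach data")
    return failures


# Constructed stand-in for the API. SHA-1("password") starts with 5BAA6; the
# second suffix below is the real remainder of that digest, the count is made up,
# and the other two entries are filler of the kind a real range response contains.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "00A1B2C3D4E5F60718293A4B5C6D7E8F901:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "FFEEDDCCBBAA99887766554433221100FFE:0",
    ]),
}


def fake_fetch(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    import sys
    fetch = fetch_range_live if "--live" in sys.argv else fake_fetch
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: {evaluate_password(pw, fetch) or ['ok']}")
```

Because the comparison happens on the suffix locally, the server only ever learns a 5-character prefix shared by several hundred passwords, which is what makes it acceptable to run this check on a user's actual candidate password during enrolment or a password change.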
Legal Disclaimer
Password cracking without explicit authorization is illegal in most jurisdictions. Only use Hashcat on systems you own or have written permission to test. Unauthorized access to computer systems can result in severe criminal penalties.
Always operate under a signed scope of work or rules of engagement document during penetration tests. Use these techniques responsibly — the goal is to improve security, not undermine it.