The Expert's Hashcat Guide
A comprehensive guide to password cracking and recovery with Hashcat
Hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. This powerful tool leverages the computational capabilities of CPUs and GPUs to perform high-speed hash cracking, making it an essential component in any penetration tester's toolkit.
Hashcat is an advanced password recovery tool that uses brute force and dictionary-based methods to crack password hashes. Originally developed as two separate tools (Hashcat and oclHashcat), they were merged into a single application in 2015. Hashcat is designed to be high-performance, utilizing the parallel processing power of modern GPUs to achieve unprecedented cracking speeds. It supports a wide range of hash types, from common formats like MD5 and SHA to more specialized algorithms used in various applications and systems.
Why Use Hashcat?
- Performance: Unmatched speed utilizing GPU acceleration for password recovery
- Versatility: Supports over 300 hash types and multiple attack modes
- Customization: Extensive rule-based attack capabilities for targeted cracking
- Community Support: Active development and large user community
- Free and Open Source: Available to everyone with regular updates and improvements
- Advanced Features: Includes sophisticated techniques like fingerprinting, Markov chains, and table lookups
Getting Started with Hashcat
Install Hashcat
Hashcat is available for Windows, Linux, and macOS. On Debian- or Ubuntu-based Linux distributions, install it with apt:
sudo apt update
sudo apt install hashcat
On other operating systems, build it from source from the official GitHub repository:
git clone https://github.com/hashcat/hashcat.git
cd hashcat
make
sudo make install
Verify Installation
Test your installation by running:
hashcat --version
Check GPU support with:
hashcat --benchmark
This will display supported devices and perform a benchmark test.
Understand Basic Syntax
The basic syntax for Hashcat is:
hashcat [options] hashfile [dictionary|mask|directory]
For example, to crack an MD5 hash using a dictionary:
hashcat -m 0 -a 0 hash.txt wordlist.txt
Where -m 0 specifies the MD5 hash type and -a 0 indicates a dictionary attack.
Hash Types and Modes
Hashcat supports over 300 hash types, each identified by a specific mode number. Here are some commonly used hash types:
Mode | Hash Type | Example |
---|---|---|
0 | MD5 | 8743b52063cd84097a65d1633f5c74f5 |
100 | SHA1 | b89eaac7e61417341b710b727768294d0e6a277b |
1000 | NTLM | b4b9b02e6f09a9bd760f388b67351e2b |
1800 | SHA512crypt | $6$rounds=5000$salt$hash |
2500 | WPA/WPA2 | HCCAP or HCCAPX file format |
3000 | LM | 299bd128c1101fd6 |
To identify an unknown hash type, you can use Hashcat's built-in hash identification:
hashcat --identify hash.txt
Attack Modes
Hashcat offers five primary attack modes, each suited for different scenarios:
Dictionary attacks use wordlists to attempt password recovery. This is often the most efficient method when the password is a common word or phrase.
hashcat -m 0 -a 0 hash.txt wordlist.txt
Popular wordlists include:
- RockYou.txt (14 million common passwords)
- SecLists (collection of multiple wordlists)
- CrackStation's wordlist (1.5 billion entries)
Advanced Techniques
Custom Rule Creation
Rules allow you to create sophisticated password mutations. Here's an example rule file:
# Append digits
$1
$2
$3
# Capitalize first letter
c
# Replace letters with numbers (leetspeak)
sa4
se3
si1
so0
Save this as custom.rule and use it with:
hashcat -m 0 -a 0 hash.txt wordlist.txt -r custom.rule
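The rule file above, traced in code as an added example (not part of the original guide and not Hashcat's own code): a minimal Python interpreter for the four rule functions it uses, useful when auditing whether a password is one rule away from a dictionary word. It shows that each line is a separate rule applied on its own, so Password1 is only derived once c and $1 share a line; the sample words and helper names are assumptions.

```python
# Added example, not Hashcat's code: implements only ':', 'c', '$X' and 'sXY'.
RULE_FILE = """\
# Append digits
$1
$2
$3
# Capitalize first letter
c
# Replace letters with numbers (leetspeak)
sa4
se3
si1
so0
"""
WORDS = ["password", "summer"]  # constructed sample dictionary (assumption)

def load_rules(text):
    """One rule per line; blank lines and '#' comment lines are skipped."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def apply_rule(rule, word):
    """Apply every function on one rule line, left to right, to one word."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in " :":                          # separator or no-op
            i += 1
        elif op == "c":                         # capitalize first, lowercase rest
            word = word[:1].upper() + word[1:].lower()
            i += 1
        elif op == "$" and i + 1 < len(rule):   # $X appends the character X
            word += rule[i + 1]
            i += 2
        elif op == "s" and i + 2 < len(rule):   # sXY replaces every X with Y
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported or truncated function in {rule!r}")
    return word

def derivations(password, words, rules):
    """(word, rule) pairs where one rule applied to one word gives password."""
    return [(w, r) for w in words for r in rules if apply_rule(r, w) == password]

RULES = load_rules(RULE_FILE)

if __name__ == "__main__":
    for pw in ("password1", "p4ssword", "Password1"):
        print(pw, derivations(pw, WORDS, RULES))
    print("Password1", derivations("Password1", WORDS, RULES + ["c $1"]))
```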
Optimizing Performance
To maximize Hashcat's performance:
- Workload profiles: Adjust with the -w flag (1-4, where 4 is highest)
hashcat -m 0 -a 0 hash.txt wordlist.txt -w 3
- Segment size: Optimize memory usage with --segment-size
hashcat -m 0 -a 0 hash.txt wordlist.txt --segment-size=256
- Kernel optimization: Use --kernel-accel and --kernel-loops
hashcat -m 0 -a 0 hash.txt wordlist.txt --kernel-accel=1 --kernel-loops=1024
Distributed Cracking
For large-scale operations, distribute workloads across multiple machines:
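# --skip and --limit are counted in the units that --keyspace reports for this mask.
# The mask is quoted so the shell does not treat ? as a filename wildcard.
# On machine 1
hashcat -m 0 -a 3 hash.txt '?a?a?a?a?a?a' --skip=0 --limit=500000000
# On machine 2
hashcat -m 0 -a 3 hash.txt '?a?a?a?a?a?a' --skip=500000000 --limit=500000000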
Practical Examples
Cracking MD5 Hashes
hashcat -m 0 -a 0 md5hashes.txt wordlist.txt -r rules/best64.rule
Cracking Windows NTLM Hashes
hashcat -m 1000 -a 0 ntlm_hashes.txt wordlist.txt
Cracking WPA/WPA2 Handshakes
# Convert cap to hccapx format
cap2hccapx capture.cap output.hccapx
# Crack the handshake
hashcat -m 2500 -a 0 output.hccapx wordlist.txt
Cracking Linux Shadow Hashes
hashcat -m 1800 -a 0 shadow.txt wordlist.txt
Note: Always ensure you have proper authorization before attempting to crack any passwords. Unauthorized password cracking is illegal and unethical.
Guide Structure
This guide is organized into several sections:
- Core Operations: Basic syntax, hash types, and fundamental usage
- Attack Modes: Detailed exploration of each attack strategy
- Advanced Techniques: Rule creation, optimization, and specialized approaches
- Best Practices: Ethical considerations, performance tuning, and workflow optimization
Each section provides detailed explanations, command examples, and real-world use cases to help you master Hashcat for ethical penetration testing and security assessment.
Next Steps
Now that you understand the basics of Hashcat, explore the following sections to deepen your knowledge:
- Core Operations - Learn the fundamental commands and operations
- Advanced Techniques - Explore sophisticated cracking strategies
- Best Practices - Optimize your workflow and ensure ethical usage