Introduction to Hashcat
Hashcat is widely recognized as the world's fastest and most advanced password recovery utility. It is an open-source, multi-threaded, multi-platform tool that leverages the compute power of CPUs, GPUs, and other hardware accelerators to crack password hashes at extraordinary speeds. Originally developed as a CPU-only tool called "hashcat," the project evolved dramatically with the introduction of "oclHashcat" for GPU acceleration, and the two were eventually unified into the modern Hashcat we use today.
Hashcat supports over 300 different hash types, ranging from simple MD5 and SHA variants to complex algorithms like bcrypt, WPA/WPA2, NTLM, Kerberos, and cryptocurrency wallet passwords. It can operate on Windows, Linux, and macOS, and supports AMD, NVIDIA, and Intel GPUs through multiple backend APIs including OpenCL, CUDA, and Metal. Whether you are a penetration tester, a security researcher, a system administrator auditing password strength, or a digital forensics investigator, understanding Hashcat is essential to your toolkit.
Why Hashcat Matters
🚀 Deploy your AI agent in 10 minutes
Managed Hermes hosting. Zero DevOps. 100M tokens/mo included.
Try it free →Password-based authentication remains the dominant security mechanism across virtually every digital system. Understanding how quickly and efficiently these passwords can be recovered under different attack scenarios is critical for designing secure systems and educating users. Hashcat matters because it provides real-world, practical metrics on password security. It is not merely a cracking tool; it is a measuring instrument that reveals the true strength—or weakness—of cryptographic hash storage.
Several factors make Hashcat indispensable:
- Unmatched Performance: Hashcat can achieve billions of hash computations per second on modern GPU hardware, making it orders of magnitude faster than CPU-only alternatives.
- Algorithmic Versatility: With support for over 300 hash types, Hashcat covers virtually every hashing scheme encountered in real-world engagements.
- Advanced Attack Modes: Beyond simple dictionary attacks, Hashcat supports combinator attacks, mask attacks, hybrid attacks, rule-based permutations, and association attacks, giving practitioners granular control over password candidate generation.
- Session Management: Long-running cracking sessions can be paused, resumed, and monitored, which is essential for professional workflows.
- Community and Ecosystem: A vast collection of pre-built rules, wordlists, and masks are available, and the active community continuously pushes the boundaries of password cracking research.
Installation and Setup
Choosing Your Platform
Hashcat runs natively on Linux, Windows, and macOS. For maximum performance, a dedicated Linux machine with one or more powerful GPUs is the gold standard. Windows installations are perfectly viable and benefit from vendor-supplied GPU drivers. macOS support exists but is limited to CPU and Intel/AMD GPUs via OpenCL, as Apple Silicon GPU acceleration via Metal is still maturing in Hashcat's codebase.
Installing on Linux (Debian/Ubuntu)
The recommended approach is to download the latest version directly from Hashcat's official site rather than relying on distribution packages, which often lag significantly behind. First, ensure your GPU drivers are properly installed.
Step 1: Install GPU Drivers
For NVIDIA GPUs, install the proprietary NVIDIA driver and CUDA toolkit:
# Add the NVIDIA driver PPA and install drivers
sudo add-apt-repository ppa:graphics-drivers/ppa
sudo apt update
sudo apt install nvidia-driver-545 nvidia-cuda-toolkit
# Verify installation
nvidia-smi
For AMD GPUs, install the ROCm stack or the AMDGPU-PRO drivers:
# Install ROCm on Ubuntu 22.04
wget https://repo.radeon.com/amdgpu-install/6.0/ubuntu/jammy/amdgpu-install_6.0.60002-1_all.deb
sudo dpkg -i amdgpu-install_6.0.60002-1_all.deb
sudo amdgpu-install --usecase=rocm,opencl --no-dkms
# Verify OpenCL is available
clinfo
Step 2: Download and Extract Hashcat
# Download the latest hashcat binaries
wget https://hashcat.net/files/hashcat-6.2.6.7z
# Install 7zip if needed
sudo apt install p7zip-full
# Extract
7z x hashcat-6.2.6.7z
cd hashcat-6.2.6
Step 3: Test the Installation
# Run a quick benchmark to confirm GPU acceleration
./hashcat -b -m 0
# Run the built-in self-test
./hashcat --self-test
If the benchmark displays GPU devices and respectable hash rates, your installation is functional.
Installing on Windows
On Windows, Hashcat is distributed as pre-compiled binaries. Download the latest archive from hashcat.net. Extract the contents to a permanent directory such as C:\Tools\hashcat. GPU driver installation is handled separately through NVIDIA's or AMD's official driver packages. Ensure you install the latest drivers that include OpenCL and CUDA support.
Open a Command Prompt or PowerShell window, navigate to the Hashcat directory, and run:
hashcat.exe -I
This lists available OpenCL devices. If GPUs appear, you are ready to proceed.
Installing on macOS
On macOS, Hashcat can be installed via Homebrew or built from source. Note that GPU acceleration on Apple Silicon (M1/M2/M3) GPUs is experimental. For Intel-based Macs with AMD GPUs, OpenCL acceleration works reliably.
# Install via Homebrew
brew install hashcat
# Verify devices
hashcat -I
Core Concepts and Terminology
Before diving into cracking, it is essential to understand the fundamental concepts Hashcat operates on. The tool processes hashes by taking candidate passwords from various sources, hashing them with the specified algorithm, and comparing the resulting hash against a target hash list.
- Hash Type (-m): Specified by numeric ID. For example,
-m 0is MD5,-m 1000is NTLM,-m 3200is bcrypt. - Attack Mode (-a): Defines how candidate passwords are generated. Modes include dictionary (0), combinator (1), mask (3), hybrid (6/7), and association (9).
- Wordlist: A file containing candidate passwords, one per line.
- Rules: Transformations applied to wordlist entries to generate permutations.
- Masks: Patterns that define character sets for each password position.
- Potfile: A persistent file where successfully cracked hashes and their plaintext passwords are stored.
Basic Usage and Attack Modes
Straight Dictionary Attack (Attack Mode 0)
The simplest and most common attack mode. Hashcat reads a wordlist and tests each entry against the target hashes. This is the baseline attack you should always run first.
hashcat -m 0 -a 0 /path/to/md5_hashes.txt /path/to/rockyou.txt
Key parameters explained:
-m 0: Hash type MD5-a 0: Attack mode straight dictionary- First positional argument: File containing the target hashes (one hash per line)
- Second positional argument: The wordlist file
Dictionary Attack with Rules (Attack Mode 0 + Rules)
Rules are the soul of Hashcat. A rule file contains lines of rule syntax that mutate each wordlist entry. A single word can spawn dozens or hundreds of candidates through capitalization changes, leet-speak substitutions, digit appending, and more.
# Using the built-in best64 rule set
hashcat -m 1000 -a 0 /path/to/ntlm_hashes.txt /path/to/wordlist.txt -r rules/best64.rule
# Using multiple rule files sequentially
hashcat -m 1000 -a 0 hashes.txt wordlist.txt -r rules/d3ad0ne.rule -r rules/T0XlC.rule
The -r flag specifies a rule file. You can stack multiple -r flags. Hashcat ships with an impressive collection of rules in the rules/ directory. Study these files to understand rule syntax.
Combinator Attack (Attack Mode 1)
Combines words from two wordlists. Every word from the first list is concatenated with every word from the second list. This is excellent for discovering two-word passphrases.
hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
You can apply rules to the combined output as well:
hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt -r rules/best64.rule
Mask Attack (Attack Mode 3)
Mask attacks are brute-force attacks with precision. Instead of blindly iterating through all possible combinations (which is infeasible beyond short lengths), you define a pattern that specifies which character sets occupy which positions.
Hashcat uses a built-in charset notation:
?l= lowercase letters (a-z)?u= uppercase letters (A-Z)?d= digits (0-9)?s= special characters (!@#$% etc.)?a= all printable ASCII characters?b= all bytes (0x00-0xFF)?H= all characters from a custom charset defined by-1through-4
# Brute force an 8-character lowercase+digits password
hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?d?d
# Use custom character sets for efficiency
# -1 defines charset 1 as lowercase+digits, -2 as uppercase+special
hashcat -m 0 -a 3 hashes.txt -1 ?l?d -2 ?u?s ?1?1?1?1?1?1?2?2
# Incremental mask attack: try lengths 1 through 8
hashcat -m 0 -a 3 hashes.txt --increment --increment-min=1 --increment-max=8 ?a?a?a?a?a?a?a?a
Hybrid Attacks (Attack Modes 6 and 7)
Hybrid attacks combine dictionary and mask approaches. Mode 6 appends mask-generated suffixes to each wordlist entry; Mode 7 prepends mask-generated prefixes.
# Mode 6: Append 3 digits to each dictionary word
hashcat -m 0 -a 6 hashes.txt wordlist.txt ?d?d?d
# Mode 7: Prepend 2 special characters to each dictionary word
hashcat -m 0 -a 7 hashes.txt ?s?s wordlist.txt
# Combine with rules for even more coverage
hashcat -m 0 -a 6 hashes.txt wordlist.txt ?d?d?d -r rules/best64.rule
Configuration and Optimization
Hashcat Configuration Files
Hashcat's primary configuration is handled through hashcat.conf files. The default configuration is embedded in the binary, but you can override settings by placing a hashcat.conf file in the working directory or specifying one with --config.
Common configuration directives:
# Example hashcat.conf entries
# Limit GPU temperature (Celsius)
--gpu-temp-threshold=90
# Set custom OpenCL kernel paths
--opencl-kernels-path=./my_kernels
# Disable specific devices by ID
--opencl-devices=1,2,3
# Set quiet mode
--quiet
# Always enable potfile
--potfile-path=hashcat.pot
Device Selection and Tuning
Hashcat automatically detects all available compute devices. You can restrict which devices are used with the -d (devices) or --opencl-devices flags. The -I flag lists all detected devices with their IDs and capabilities.
# List all available devices with detailed information
hashcat -I
# Use only device 1 and 2
hashcat -d 1,2 -m 0 -a 0 hashes.txt wordlist.txt
# Exclude device 3 (use all except 3)
hashcat -d 1,2,4 -m 0 -a 0 hashes.txt wordlist.txt
Workload Profiles and Kernel Acceleration
Hashcat offers workload profiles that trade off between performance and system responsiveness. The -w flag accepts values 1 through 4:
-w 1: Low performance, minimal system impact (good for desktop use while multitasking)-w 2: Default profile, balanced-w 3: High performance, noticeable system impact-w 4: Maximum performance, system may become unresponsive (suitable for dedicated cracking rigs)
# Maximum performance on a dedicated rig
hashcat -w 4 -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a
# Low-impact cracking while working
hashcat -w 1 -m 0 -a 0 hashes.txt wordlist.txt
For slow hash types like bcrypt or WPA/WPA2, the -O flag enables optimized kernel code that can dramatically improve speeds, but it imposes a maximum password length limit (typically 32 characters). Use this when applicable.
# Optimized kernel for bcrypt (hash type 3200)
hashcat -O -m 3200 -a 0 bcrypt_hashes.txt wordlist.txt
GPU Temperature Control
On systems with inadequate cooling, GPUs can overheat under sustained load. Hashcat includes built-in temperature monitoring and automatic throttling or shutdown.
# Set maximum GPU temperature to 85°C; hashcat will pause if exceeded
hashcat --gpu-temp-threshold=85 -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a
# Set temperature retry interval (seconds)
hashcat --gpu-temp-retry=30 --gpu-temp-threshold=85 ...
Advanced Techniques
Custom Character Sets and Mask Files
Beyond the four built-in custom sets (-1 through -4), you can create persistent custom character sets using mask files. This is useful for region-specific character sets or frequently reused patterns.
Create a file named my_charset.hcmask:
# Lines starting with # are comments
# Define charset named "especial"
?1,special,áéíóúñÁÉÍÓÚÑüÜ
?2,hexcase,ABCDEFabcdef0123456789
# Use the charsets in a mask
?1?2?2?2?2?2?2?2
Then reference the mask file:
hashcat -m 0 -a 3 hashes.txt my_charset.hcmask
Pipe and Stdin Attacks
Hashcat can read candidates from standard input, enabling integration with external password generators. This is attack mode 0 with the wordlist argument replaced by a single dash.
# Generate candidates with a script and pipe to hashcat
python3 password_generator.py | hashcat -m 0 -a 0 hashes.txt -
# Use hashcat's stdout mode to output candidates without cracking
hashcat -m 0 -a 3 --stdout ?d?d?d?d | head -1000
The --stdout flag is incredibly useful for debugging masks, rules, and combinators to see exactly what candidates will be generated before committing to a full cracking run.
Rule-Based Attack Deep Dive
Hashcat's rule engine is a domain-specific language for transforming words. Understanding rule syntax allows you to craft highly targeted attacks. Rules operate on a word character by character, applying functions like substitution, insertion, deletion, case modification, and positional manipulation.
Key rule functions:
# Common rule operations
# : - Do nothing (no-op), used as placeholder
# l - Convert all characters to lowercase
# u - Convert all characters to uppercase
# c - Capitalize first character, lower the rest
# C - Lowercase first character, uppercase the rest
# t - Toggle case (swap case of all characters)
# Tn - Toggle case of character at position n (0-indexed)
# r - Reverse the entire word
# d - Duplicate the entire word
# pN - Append a space and then N duplicates
# $X - Append character X to end
# ^X - Prepend character X
# iNX - Insert character X at position N
# oNX - Overwrite character at position N with X
# Dn - Delete character at position n
# [X - Split word at character X, keep left portion
# ]X - Split word at character X, keep right portion
# sXY - Substitute character X with Y
# @X - Purge all occurrences of character X
# eX - Title case: capitalize first letter, but treat character X as word separator
# +N - Shift characters forward in ASCII table by N
# -N - Shift characters backward in ASCII table by N
# ZN - Append N copies of the entire word
Create a custom rule file for a specific pattern:
# File: corporate_rules.rule
# Assume users follow CompanyName + Year + Special pattern
# Append current year with exclamation
$2 $0 $2 $4 $!
# Append last year with hash
$2 $0 $2 $3 $#
# Prepend "Corp" then append quarter
^C ^o ^r ^p $Q $1
# Substitute 'o' with '0' then append 2024!
s o0 $2 $0 $2 $4 $!
# Capitalize, leet-speak, then append
c so0 sa@ se3 $! $!
hashcat -m 1000 -a 0 ntlm_hashes.txt company_wordlist.txt -r corporate_rules.rule
Association Attack (Attack Mode 9)
Association attacks use a two-column input file where the first column contains words and the second column contains associated words or patterns. Hashcat combines them in a one-to-one mapping rather than a full cross-product.
# Association file: users.txt
# Format: username,password_candidate
john.doe,Summer2024!
jane.smith,Winter2023@
admin,Welcome123#
# Run association attack
hashcat -m 1000 -a 9 ntlm_hashes.txt users.txt
This is powerful for cracking password dumps where usernames and known password patterns are correlated.
Session Management and Resume
Professional cracking runs can take days, weeks, or even months. Hashcat's session management system allows you to pause, resume, and monitor long-running jobs without losing progress.
# Start a session with a named checkpoint file
hashcat --session=ntlm_crack_01 -m 1000 -a 0 hashes.txt wordlist.txt -r rules/best64.rule
# The session creates a .restore file and updates the potfile
# To pause gracefully, press 'p' in the interactive console or send SIGINT (Ctrl+C)
# Hashcat will write checkpoint data and exit cleanly
# Resume the session later
hashcat --restore --session=ntlm_crack_01
# Alternatively, specify the restore file directly
hashcat --restore ntlm_crack_01.restore
The interactive console during a cracking run provides real-time status. Press 's' to display detailed status including progress, speed, estimated time remaining, and temperature. Press 'p' to pause and checkpoint.
Potfile Management
The potfile (hashcat.pot by default) stores all recovered plaintext-to-hash mappings. Hashcat consults this file before processing any hash, skipping already-cracked entries automatically. This means you can safely re-run commands and only uncracked hashes will consume resources.
# Specify a custom potfile
hashcat --potfile-path=engagement_123.pot -m 1000 -a 0 hashes.txt wordlist.txt
# Show cracked passwords from potfile
hashcat --show -m 1000 hashes.txt
# Show cracked passwords with usernames (if hash file had user:hash format)
hashcat --show --username -m 1000 hashes.txt
# Output cracked passwords to a file
hashcat --show -m 1000 hashes.txt > recovered_passwords.txt
Performance Benchmarking and Tuning
Before undertaking a large cracking job, benchmarking helps you understand expected speeds and set realistic expectations. The -b flag runs a comprehensive benchmark across all hash types and devices.
# Full benchmark
hashcat -b
# Benchmark a specific hash type
hashcat -b -m 1000
# Benchmark with specific devices
hashcat -b -m 1000 -d 1
For slow hash types, consider these optimization strategies:
# Use optimized kernels
hashcat -O -m 3200 -a 0 bcrypt_hashes.txt wordlist.txt
# Reduce iteration count (if you control the hash parameters)
# Use --iterations to specify exact iteration count for algorithms like WPA
hashcat --iterations=4096 -m 2500 -a 0 wpa_handshake.hccapx wordlist.txt
# Use rules that generate fewer candidates but higher quality ones
hashcat -m 3200 -a 0 bcrypt_hashes.txt wordlist.txt -r rules/best64.rule
Distributed Cracking with Hashtopolis
For extremely large jobs, Hashcat integrates with Hashtopolis, a distributed cracking platform that coordinates multiple Hashcat clients across a network. While Hashcat itself is the engine, Hashtopolis provides the web-based management interface, task distribution, and result aggregation. Setting this up is beyond the scope of this tutorial, but it is the standard solution for enterprise-scale password auditing.
Best Practices
1. Start Simple, Then Escalate
Always begin with a fast dictionary attack using a high-quality wordlist and a moderate rule set. Only proceed to mask attacks or combinator attacks after exhausting dictionary-based approaches. This progression maximizes efficiency—each subsequent attack should target the remaining uncracked hashes with increasing computational cost.
# Phase 1: Quick dictionary
hashcat -m 1000 -a 0 hashes.txt rockyou.txt
# Phase 2: Dictionary + rules
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
# Phase 3: Exhaustive rules on a larger wordlist
hashcat -m 1000 -a 0 hashes.txt large_wordlist.txt -r rules/d3ad0ne.rule
# Phase 4: Targeted mask attacks on remaining hashes
hashcat -m 1000 -a 3 hashes.txt -1 ?l?d ?1?1?1?1?1?1?1?1
2. Use the Potfile Religiously
Never disable the potfile. It prevents redundant work and serves as an audit trail of recovered passwords. Regularly back up your potfile to avoid data loss. If you are working across multiple machines, synchronize the potfile to avoid re-cracking the same hashes.
3. Understand Your Hardware Limits
Monitor GPU temperatures and ensure adequate cooling. Overheating GPUs will throttle, reducing performance and potentially causing hardware damage over extended periods. Set temperature thresholds appropriate to your hardware:
# Conservative temperature limit
hashcat --gpu-temp-threshold=80
# Aggressive limit for well-cooled systems
hashcat --gpu-temp-threshold=90
4. Choose Attack Strategies Based on Hash Type
Fast hashes (MD5, SHA1, NTLM) can withstand massive mask attacks. Slow hashes (bcrypt, scrypt, Argon2) demand highly targeted approaches. For slow hashes, invest time in crafting high-probability wordlists and precise rules rather than broad brute-force.
# Fast hash: aggressive mask attack is viable
hashcat -m 0 -a 3 md5_hashes.txt -1 ?l?d ?1?1?1?1?1?1?1?1
# Slow hash: precise, high-quality wordlist with targeted rules
hashcat -m 3200 -a 0 bcrypt_hashes.txt handcrafted_wordlist.txt -r rules/InsidePro-Passwords.rule
5. Leverage Pre-built Resources, But Customize
The Hashcat community maintains excellent wordlists and rule collections. The rockyou.txt wordlist, the best64.rule, and the d3ad0ne.rule are classics. However, generic resources only go so far. For specific engagements, invest in building custom wordlists from target-specific data: company names, local sports teams, regional slang, internal jargon, and observed password patterns.
6. Validate Hash Files Carefully
A corrupted or malformed hash file will cause Hashcat to skip entries or behave unpredictably. Always verify that your hash file is properly formatted. Each line should contain exactly the hash (or user:hash for usernamed formats), with no trailing whitespace or extraneous characters.
# Use hashcat's --verify to check hash file integrity
hashcat --verify -m 1000 hashes.txt
# Count lines and check for anomalies
wc -l hashes.txt
# Look for lines that don't match expected hash format
grep -v -E '^[a-fA-F0-9]{32}$' md5_hashes.txt # for raw MD5
7. Document Your Cracking Methodology
For professional engagements, maintain a cracking log that records which attacks were run, in what order, with which wordlists and rules, and what the results were. This is essential for reproducibility and for defending your methodology if results are challenged. A simple text file or spreadsheet suffices:
# cracking_log.md
## Session 2024-01-15: NTLM Corpus (10,000 hashes)
1. rockyou.txt, no rules: 2,341 cracked (23%)
2. rockyou.txt + best64.rule: +1,203 (35% cumulative)
3. rockyou.txt + d3ad0ne.rule: +892 (44% cumulative)
4. Custom corp wordlist + best64.rule: +456 (49% cumulative)
Remaining: 5,108 hashes uncracked
Next: Mask attack on remaining, focus on 10-char patterns
8. Respect Legal and Ethical Boundaries
Hashcat is a powerful tool that must be used responsibly. Only crack passwords on systems you own or have explicit written authorization to test. In penetration testing engagements, ensure password cracking is within the scope defined by your rules of engagement. Never crack password hashes obtained from unauthorized sources. In many jurisdictions, unauthorized password cracking is a criminal offense. Be professional, obtain proper authorization, and handle recovered passwords securely—never store plaintext passwords in unencrypted, shared, or publicly accessible locations.
Troubleshooting Common Issues
GPU Not Detected
If Hashcat reports no OpenCL devices, first verify your GPU drivers are installed correctly. On Linux, ensure the ocl-icd-libopencl1 package is installed. On Windows, reinstall the latest drivers from your GPU vendor. Run clinfo (Linux) or hashcat -I to diagnose.
# Install OpenCL ICD loader on Ubuntu
sudo apt install ocl-icd-libopencl1
# Check OpenCL devices
clinfo
Out of Memory Errors
Large rule sets or combinator attacks can generate enormous candidate sets that exhaust GPU memory. Reduce the workload by splitting attacks or using smaller wordlists. The --backend-devices-max flag can limit memory usage per device.
Driver/Kernel Timeouts
On Windows, GPU drivers may reset if a kernel execution exceeds a timeout threshold (typically 2 seconds). This affects slow hash types. Use the --force flag cautiously or adjust the Windows registry to increase the TdrDelay value.
# Use force to bypass some driver protections (use with caution)
hashcat --force -m 3200 -a 0 bcrypt_hashes.txt wordlist.txt
Conclusion
Hashcat is more than a password cracker—it is the definitive platform for understanding password security in practical, measurable terms. Through its versatile attack modes, extensive hash type support, and extraordinary performance, it empowers security professionals to audit authentication systems realistically. The journey from basic dictionary attacks to custom rule sets and distributed cracking mirrors the evolution of password security itself: as defenses grow more sophisticated, so too must the tools we use to test them.
Mastering Hashcat means mastering the interplay of wordlists, rules, masks, and hardware optimization. It requires patience, methodology, and continuous learning. The best practitioners combine technical proficiency with creativity, crafting attacks that mirror real-world user behavior. Remember that with great power comes great responsibility—use Hashcat ethically, professionally, and always within authorized boundaries. Whether you are hardening your organization's password policy or recovering a lost credential, the principles and practices outlined in this tutorial will serve as a foundation for effective, efficient, and responsible password security work.