hashcat is an advanced password recovery tool featuring GPU acceleration and support for over 300 hash types. It's the fastest and most advanced password cracking tool available.
Basic Syntax
- hashcat -m <hash_type> <hash_file> <wordlist> - Basic attack
- hashcat -m 0 hash.txt wordlist.txt - MD5 attack
- hashcat -m 1000 hash.txt wordlist.txt - NTLM attack
- hashcat -m 22000 hash.hc22000 wordlist.txt - WPA/WPA2 attack
Common Hash Types
- -m 0 - MD5
- -m 100 - SHA1
- -m 1000 - NTLM
- -m 1800 - sha512crypt $6$ (Linux)
- -m 22000 - WPA/WPA2 PMKID+EAPOL (hc22000 format)
- -m 16800 - WPA/WPA2 PMKID
- -m 2500 - WPA/WPA2 handshake
- -m 500 - md5crypt $1$ (Linux)
- -m 3200 - bcrypt $2$
- -m 17210 - sha256crypt $5$ (Linux)
- -m 1410 - sha256($salt.$pass)
- -m 13100 - Kerberos 5 TGS-REP
Attack Modes
- -a 0 - Dictionary attack (default)
- -a 1 - Combinator attack
- -a 3 - Brute-force/Mask attack
- -a 6 - Hybrid wordlist + mask
- -a 7 - Hybrid mask + wordlist
Brute-Force Masks
- -a 3 ?l?l?l?l?l?l?l?l - 8 lowercase letters
- -a 3 ?u?u?u?u - 4 uppercase letters
- -a 3 ?d?d?d?d - 4 digits
- -a 3 ?l?l?d?d - 2 letters + 2 digits
- -a 3 ?a?a?a?a - 4 characters (any)
- -a 3 password?d?d?d - "password" + 3 digits
Mask Characters
- ?l - Lowercase letters (a-z)
- ?u - Uppercase letters (A-Z)
- ?d - Digits (0-9)
- ?s - Special characters (!@#$%^&*...)
- ?a - All characters (?l?u?d?s)
- ?b - Binary (0x00-0xff)
- ?h - Lowercase hex (0-9a-f)
- ?H - Uppercase hex (0-9A-F)
Performance Options
- -w <1-4> - Workload profile (1=low, 2=default, 3=high, 4=insane)
- -O - Optimized kernels (may reduce supported password lengths)
- --force - Ignore warnings
- --hwmon-temp-abort=<temp> - Abort if GPU temp exceeds (Celsius)
- --hwmon-disable - Disable hardware monitoring
Output Options
- -o <file> - Output file for recovered hashes
- --outfile-format=<num> - Output format (1=hash:pass, 2=hex, 3=hash[:salt]:pass)
- --show - Show cracked hashes
- --left - Show uncracked hashes
- --username - Show username (for formats with username)
- --remove - Remove cracked hashes from hash file
- --potfile-path=<file> - Path to potfile
- --outfile-autohex-disable - Disable hex encoding in output
Session Options
- --session=<name> - Session name
- --restore - Restore session
- --status - Enable status update screen
- --status-timer=<sec> - Status update interval (default 10)
- --stdout - Output to stdout (no status screen)
- --quiet - Suppress output
Rules and Masks
- -r <file> - Rules file
- -g <num> - Generate num random rules
- --rules-file=<file> - Rules file
Common Examples
MD5 Dictionary Attack
hashcat -m 0 hash.txt wordlist.txtWPA/WPA2 Attack
hashcat -m 22000 hash.hc22000 wordlist.txtNTLM Attack
hashcat -m 1000 ntlm_hash.txt wordlist.txtBrute Force 8 Lowercase
hashcat -m 0 hash.txt -a 3 ?l?l?l?l?l?l?l?lBrute Force 4-8 Digits
hashcat -m 0 hash.txt -a 3 -i --increment-min=4 --increment-max=8 ?d?d?d?dCombinator Attack
hashcat -m 0 hash.txt -a 1 wordlist1.txt wordlist2.txtWith Rules
hashcat -m 0 hash.txt wordlist.txt -r rules/best64.ruleShow Cracked Hashes
hashcat -m 0 hash.txt --showResume Session
hashcat --restore --session my_sessionHigh Performance
hashcat -m 0 hash.txt wordlist.txt -w 4 -OSave Results
hashcat -m 0 hash.txt wordlist.txt -o cracked.txtTips
- Use -w 4 for maximum performance (may affect system usability)
- Use -O for optimized kernels (faster but limited password length)
- Use --show to display already cracked hashes
- Save session with --session to resume later
- Use -a 3 with masks for targeted brute force
- Combine dictionary with rules (-r) for better results
- Monitor GPU temperature to prevent damage
- Use -m 22000 for modern WPA/WPA2 captures (hc22000 format)
- Always test on authorized systems only
- Check hashcat examples on website for specific hash types
- Use --remove to clean up successfully cracked hashes
- Start with small wordlists before large brute force attacks