Hashcat is the world’s fastest and most widely-used password cracking tool. GPU-accelerated, supporting 300+ hash algorithms, it’s what every serious pen-tester and every serious attacker uses after recovering password hashes.

When you use Hashcat

Pen-test: you extracted NTLM hashes from an AD dump (DCSync, ntds.dit). Crack to recover passwords.
Pen-test: you recovered /etc/shadow. Crack SHA-512 hashes.
Pen-test: Kerberoasting returned service ticket hashes (mode 13100). Crack to get service passwords.
Audit: check your own password policy by attempting to crack your own hash dumps. Gauge hygiene.

Core workflow

# Syntax
hashcat -m MODE -a ATTACK_TYPE hashfile wordlist [rules]

# Crack NTLM hashes from ntds.dit dump (mode 1000), dictionary attack
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt

# With rules (mutate each word: Password → Password1, P@ssword, etc.)
hashcat -m 1000 hashes.txt rockyou.txt -r best64.rule

# Brute force mask: 8 chars, lower + digit
hashcat -m 1000 hashes.txt -a 3 ?l?l?l?l?l?l?d?d

# Kerberoast (mode 13100 for RC4, 19700 for AES-256)
hashcat -m 13100 kerb.txt rockyou.txt -r best64.rule

Attack modes

-a 0 — Dictionary (wordlist)
-a 1 — Combinator (wordlist + wordlist)
-a 3 — Mask (brute force with pattern)
-a 6 — Hybrid Wordlist + Mask
-a 7 — Hybrid Mask + Wordlist
-a 9 — Association (hashes + hints)

Common hash modes

Mode	Hash type
`0`	MD5 (legacy, trivial)
`100`	SHA-1
`1000`	NTLM (Windows local/AD)
`1700`	SHA-512
`1800`	sha512crypt ($6$) — Linux /etc/shadow
`3200`	bcrypt
`5600`	NetNTLMv2 (SMB challenge/response)
`13100`	Kerberos TGS (RC4-HMAC) — Kerberoasting
`19700`	Kerberos TGS (AES-256)
`22000`	WPA2/WPA3 PMKID

Rules — the secret to good cracking

A wordlist alone cracks passwords like “password” and “summer”. Rules transform each word into dozens of variants:

# Transformations applied by rule engine:
password   → Password1  → P@ssword  → password123
         → password!  → PASSWORD  → passwordpassword

# Classic rule files (in hashcat/rules/):
best64.rule         # Small, fast, essential
rockyou-30000.rule  # Medium-large, derived from rockyou patterns
dive.rule           # Comprehensive, slow

GPU performance (2026 consumer hardware)

RTX 4090: ~100 GH/s on MD5, ~10 GH/s on NTLM, ~200 MH/s on bcrypt (cost-hardened)
RTX 4080: ~70% of 4090
CPU only: ~1000-10000× slower than GPU

Practical translation: weak 8-char NTLM passwords fall in minutes. bcrypt with high cost takes years. This is why correct algorithm choice matters far more than password length alone.

Legal note

Cracking hashes you don’t own = unauthorised. Even “just learning” on a hash someone posted online can be problematic if that hash was extracted from a breach. Use intentionally-vulnerable CTF hashes, your own lab dumps, or authorised pentest engagement material.

Quick reference summary

Hashcat = GPU-accelerated password cracker, 300+ hash types supported
Workflow: -m mode -a attack_type hashfile wordlist [rules]
Always learn the mode number for your hash type (-m flag)
Rules transform wordlist entries into many variants — essential for real-world cracking
GPU cracking is orders of magnitude faster than CPU; RTX 4090 is the consumer benchmark
Algorithm choice in your app defines resistance — bcrypt/argon2 >> SHA-256 >> MD5

🧠

Check your understanding

Module Quiz · 20 questions

Pass with 70%+ to mark this module complete. Unlimited retries. Each question shows an explanation.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 50% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

Module 4 · Hashcat — Password Cracking 🔒