Hashcat
World's fastest password recovery tool with GPU acceleration and multiple attack modes
#password #cracking #hash #gpu #bruteforce
Installation
1. Install via apt
2. Download from website
3. Verify installation
# Ubuntu/Debian
sudo apt install hashcat
# Download binary
wget https://hashcat.net/files/hashcat-6.2.6.7z
7z x hashcat-6.2.6.7z
# Verify
hashcat --version
# List supported hash modes
hashcat --help | grep -E 'SHA|MD5|bcrypt'

Basic Usage
Crack password hashes using dictionary, brute-force, and rule-based attacks
# Dictionary attack
hashcat -m 0 -a 0 hash.txt wordlist.txt
# Mask attack (brute-force)
hashcat -m 0 -a 3 hash.txt '?l?l?l?l?l?l'
# Rule-based attack
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule
# Combination attack
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt
# Show cracked passwords
hashcat -m 0 --show hash.txt
# Benchmark
hashcat -b --benchmark-all

Command Reference
1. -m: Hash type (0=MD5, 1000=NTLM, 3200=bcrypt)
2. -a: Attack mode (0=dictionary, 3=mask, 6=hybrid)
3. -r: Rules file for word mangling
4. -o: Output file for cracked hashes
5. --show: Show cracked passwords
6. --force: Ignore warnings
7. --potfile-path: Custom potfile path
8. -w: Workload profile (1-4)
9. -D: Device type (1=CPU, 2=GPU)
10. --status: Show status updates
11. --status-timer: Status update interval
12. -O: Optimized kernel

When to Use
1. Password cracking in penetration tests
2. Recovering lost passwords from hashes
3. Auditing password policy strength
4. CTF challenges involving hash cracking
5. Validating hash extraction results

Notes & Tips
1. GPU acceleration makes it significantly faster than CPU-based tools
2. Always use rules with dictionary attacks for better results
3. The rockyou.txt wordlist is a good starting point
4. Use --force only when you understand the warnings

Common Errors & Solutions
No hashes cracked
Try larger wordlists like rockyou, add rules with -r, or use mask attacks
CUDA/OpenCL device not found
Install GPU drivers, or use CPU with -D 1 flag
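
For the password-policy audit use case, this added example (not part of the original page or of hashcat) turns the output of `hashcat -m 0 --show hash.txt` into length and character-class statistics without echoing the recovered passwords. The sample lines, the names `audit`, `decode_plain` and `class_count`, and the 12-character minimum are assumptions made for illustration.

```python
import re
from collections import Counter

# hashcat writes a plaintext as $HEX[...] when it contains the ':' separator
# or non-printable bytes, so decode that form before measuring anything.
HEX_RE = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")

# Constructed sample in the hash:plain layout of --show for an unsalted mode.
# The hash column holds placeholders, not real MD5 digests.
SAMPLE_SHOW = """\
00000000000000000000000000000001:password
00000000000000000000000000000002:123456
00000000000000000000000000000003:Summer2024!
00000000000000000000000000000004:$HEX[706173733a776f7264]
"""

def decode_plain(field: str) -> str:
    m = HEX_RE.match(field)
    if m:
        return bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")
    return field

def class_count(pw: str) -> int:
    """Number of distinct classes used: lower, upper, digit, other."""
    return len({"l" if c.islower() else "u" if c.isupper()
                else "d" if c.isdigit() else "s" for c in pw})

def audit(show_output: str, total_hashes: int, min_len: int = 12) -> dict:
    """Summarise cracked passwords; plaintexts never appear in the result."""
    lengths, classes = Counter(), Counter()
    for line in show_output.splitlines():
        if ":" not in line:
            continue  # blank line or not a hash:plain record
        _hash, field = line.split(":", 1)  # unsalted hash has no ':' itself
        pw = decode_plain(field)
        lengths[len(pw)] += 1
        classes[class_count(pw)] += 1
    cracked = sum(lengths.values())
    return {
        "cracked": cracked,
        "cracked_pct": round(100 * cracked / total_hashes, 1) if total_hashes else 0.0,
        "below_min_len": sum(n for length, n in lengths.items() if length < min_len),
        "by_length": dict(sorted(lengths.items())),
        "by_class_count": dict(sorted(classes.items())),
    }

if __name__ == "__main__":
    # total_hashes is the line count of hash.txt; 10 is assumed for the sample.
    print(audit(SAMPLE_SHOW, total_hashes=10))
```

Splitting on the first colon only holds for unsalted modes such as 0 (MD5) and 1000 (NTLM); salted formats put additional colon-separated fields before the plaintext.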