Hashcat: GPU Cracking at Scale
Hashcat is the world’s fastest password recovery tool. Designed for brute-force and rule-based attacks, it leverages your GPU to crack passwords faster than any CPU-based tool can dream of. When you need to process massive hash dumps or custom password formats at scale, Hashcat is the go-to weapon.
In this post, we’ll cover how Hashcat works, its core features, and the exact syntax and options you’ll use in the field.
What Is Hashcat?
Hashcat is an advanced password cracking tool that supports hundreds of hash algorithms and runs brute-force, dictionary, mask, hybrid, and rule-based attacks, all GPU-accelerated. It can be used for anything from cracking NTLM hashes to WPA2 handshakes and bcrypt hashes.
Key Features for Pentesters
- GPU-powered cracking (AMD, NVIDIA, Intel)
- Supports a huge range of hash formats
- Multiple attack modes (dictionary, brute, hybrid)
- Highly customizable
- Resume sessions and benchmarking built-in
Installing Hashcat
On Kali Linux:
apt install hashcat
On other systems, download from:
https://hashcat.net/hashcat/
Verify GPU drivers are properly installed and detected using:
hashcat -I
Common Hash Modes
Hashcat uses numeric codes for hash types. Here are some you’ll often encounter:
| Mode | Hash Type |
|---|---|
| 0 | MD5 |
| 1000 | NTLM (Windows) |
| 1400 | SHA-256 |
| 1800 | SHA-512 |
| 3200 | bcrypt |
| 5500 | NetNTLMv1 |
| 5600 | NetNTLMv2 |
| 13100 | Kerberos 5 TGS-REP |
| 22000 | WPA/WPA2 (handshakes) |
To see all modes:
hashcat -h | grep -A20 'Hash modes'
Basic Syntax
hashcat -m <mode> -a <attack-mode> <hashfile> <wordlist>
Attack Modes:
| Mode | Type |
|---|---|
| 0 | Dictionary |
| 1 | Combination |
| 3 | Brute-force (mask) |
| 6 | Hybrid dict+mask |
| 7 | Hybrid mask+dict |
Examples
1. NTLM Hash Cracking
hashcat -m 1000 -a 0 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
2. Brute Force Simple 6-digit PIN
hashcat -m 0 -a 3 md5hash.txt ?d?d?d?d?d?d
# ?d = digit
3. WPA2 Handshake (22000 format)
First, convert the .pcap to .22000 using hcxpcapngtool:
hcxpcapngtool -o output.22000 capture.pcapng
hashcat -m 22000 -a 0 output.22000 rockyou.txt
4. Cracking bcrypt Hashes
hashcat -m 3200 bcrypt.txt rockyou.txt --force
Masks and Custom Charset
Mask Examples:
?a = all characters
?l = lowercase
?u = uppercase
?d = digits
?s = special chars
Crack a 5-character lowercase password:
hashcat -m 0 -a 3 md5.txt ?l?l?l?l?l
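Sizing a mask before a run shows how little work a PIN or a short single-class password represents, which is the number to bring to a password-policy discussion. The following is an added example, not code from the original post: it counts the candidates for a mask built from the placeholders listed above and divides by an assumed guess rate. The function names and the two rates are constructed for illustration and are not benchmark results.

```python
# Added example: candidate count for a hashcat mask, and the worst-case
# time to exhaust it at an assumed guess rate.

# Sizes of the built-in charsets listed above.
CHARSET_SIZES = {
    "l": 26,  # ?l  a-z
    "u": 26,  # ?u  A-Z
    "d": 10,  # ?d  0-9
    "s": 33,  # ?s  space plus ASCII punctuation
    "a": 95,  # ?a  ?l, ?u, ?d and ?s combined
}


def mask_keyspace(mask: str) -> int:
    """Return the number of candidates a mask generates."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character: exactly one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        token = mask[i + 1]
        if token == "?":
            pass  # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        else:
            raise ValueError(f"unsupported placeholder ?{token}")
        i += 2
    return total


def worst_case_seconds(mask: str, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate."""
    return mask_keyspace(mask) / guesses_per_second


if __name__ == "__main__":
    # Constructed rates for illustration, not benchmark results.
    rates = {"fast unsalted hash": 1e10, "slow adaptive hash": 1e4}
    masks = ["?d?d?d?d?d?d", "?l?l?l?l?l", "?a?a?a?a?a?a?a?a", "?a" * 12]
    for mask in masks:
        for label, rate in rates.items():
            secs = worst_case_seconds(mask, rate)
            print(f"{mask:26} {label:20} {secs:.3g} s")
```

Replace the assumed rates with the figures `hashcat -b` reports for your own hardware and hash mode to get estimates that apply to your environment.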
Tuning and Performance
Benchmark your system
hashcat -b
Restore a session
hashcat --restore
Start a named session
hashcat -m 1000 -a 0 -o cracked.txt --session ntlm-crack hashes.txt rockyou.txt
hashcat --restore --session ntlm-crack
Using Rules for Smarter Cracking
Rules mutate your wordlist to increase success rates.
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
Rule files are located in the rules/ directory in Hashcat’s install folder.
Output and Cracked Passwords
View cracked hashes:
hashcat -m 1000 --show hashes.txt
Save cracked passwords to a file:
-o found.txt
Tips for Real-World Usage
- Filter large hash dumps with sort | uniq before cracking
- Always identify the correct hash type before attacking
- Use --status to monitor cracking progress live
- For slow hash types (bcrypt, scrypt), brute force is usually not practical — use targeted wordlists
- Use hashid or hash-identifier to detect unknown hash formats
Hashcat vs John (Quick Recap)
| Feature | Hashcat | John the Ripper |
|---|---|---|
| GPU Support | Native + optimized | Partial (jumbo only) |
| Mask Attacks | Full support | Limited |
| Rules + Wordlist | Powerful combo | Strong, but slower |
| Cracks | Fast, high-volume | Smarter, format-rich |
Use Hashcat when speed and scale matter. It’s the hammer for large corp hash dumps or WPA2 cracking.
Final Thoughts
Hashcat is the final boss of password cracking. When you’ve got the hashes and the hardware, this is the tool to reach for. Whether you’re targeting a handful of NTLM hashes or brute-forcing a handshake, Hashcat turns raw computing power into real pentest results.
