This chapter covers Hashcat, the industry-standard password cracking tool used in penetration testing to recover plaintext passwords from captured hashes. Hashcat is a core tool tested on the PT0-002 exam under Objective 5.1 (Tools & Scripts), and questions about its modes, attack types, and optimization flags appear on roughly 5-8% of exams. Mastering Hashcat's syntax, rule-based attacks, and performance tuning is essential for both the exam and real-world password audits.
Imagine a factory that must test millions of keys against a lock whose internal mechanism is secret. The factory has a blueprint of the lock (the hash algorithm) and a list of likely key patterns (the wordlist). Each pattern is carved into a blank (a candidate password), sent through the shaping machines that mimic the lock's pins (hashing with the algorithm), and then tried in the lock (comparing the candidate hash with the target hash). If it turns, the candidate is the password. The factory manager (the user) decides how many assembly lines run at once (which devices, -d), how hard each line is driven (the workload profile, -w), and which shaping machines to use (the hash mode, -m). Different locks need different machines; using the wrong one produces keys that never fit. The factory's speed is measured in attempts per second (the hash rate). Adding parallel lines (more GPUs) raises throughput, but each machine's maximum rate is fixed by the lock's complexity (the algorithm): a slow lock like bcrypt requires many more shaping steps per key, so the factory's output collapses compared with a simple lock like NTLM. A shop that stocks pre-shaped keys (a rainbow table) is a different business model; Hashcat shapes every key itself, and a salted hash is precisely what makes pre-shaped stock useless.
What is Hashcat and Why It Exists
Hashcat is an advanced password recovery tool that leverages the parallel processing power of GPUs (Graphics Processing Units) to crack password hashes at extremely high speeds. It supports a wide range of hash algorithms (over 300 hash modes) and multiple attack modes, including dictionary, brute-force, mask, combinator, and rule-based attacks. Penetration testers use Hashcat to evaluate password strength by recovering plaintext passwords from captured hash dumps (e.g., from Active Directory, Linux shadow files, or web application databases). The tool is open-source, actively maintained, and available for Windows, Linux, and macOS.
How Hashcat Works Internally
Hashcat operates by taking a candidate password (from a wordlist, mask, or brute-force pattern), hashing it using the specified algorithm, and comparing the resulting hash to a target hash (or a list of target hashes). The core mechanism involves:
Kernel Execution: Hashcat compiles hashing kernels for the device back end it finds (CUDA or OpenCL; recent releases also HIP and Metal) and runs them on the GPU. Each kernel invocation processes a large batch of candidates in parallel; how many are in flight at once depends on the device's compute units and memory and on the auto-tuned (or manually set, -n/-u) kernel thread and loop counts.
Hash Comparison: Each computed hash is checked against all loaded target hashes. For unsalted hashes this is a lookup in a sorted table rather than a separate comparison per target, which is why a file of thousands of NTLM hashes cracks at nearly the speed of a single one. A match is reported and written to the potfile.
Attack Loops: The outer loop iterates over the attack source (wordlist, mask, or rules). For dictionary attacks, each word is read, optionally modified by rules, hashed, and compared. For brute-force, the loop generates all combinations within a keyspace.
Workload Profile: -w / --workload-profile (1-4) controls how aggressively Hashcat drives the GPU: 1 (low) keeps the desktop responsive, 2 is the default, 3 (high) and 4 (nightmare) trade responsiveness for throughput and belong on a dedicated cracking box.
Key Components, Values, Defaults, and Timers
- Hash Modes: Each algorithm has a numeric mode. Common modes: 0 (MD5), 1000 (NTLM), 1400 (SHA256), 1700 (SHA512), 3200 (bcrypt), 5500 (NetNTLMv1), 5600 (NetNTLMv2), 13100 (Kerberos 5 TGS-REP). Use --example-hashes to see examples.
- Attack Modes:
- 0 (Dictionary): wordlist + optional rules.
- 1 (Combinator): concatenates words from two wordlists.
- 3 (Brute-force/Mask): specify a mask like ?l?l?l?l?l for 5 lowercase letters.
- 6 (Hybrid Wordlist + Mask): appends mask to each word.
- 7 (Hybrid Mask + Wordlist): prepends mask to each word.
- Rules: Files containing rule functions (e.g., $1 append '1', ^! prepend '!', l lowercase, u uppercase, c capitalize, r reverse), one rule per line. Rules shipped in Hashcat's rules/ directory include best64.rule and d3ad0ne.rule; OneRuleToRuleThemAll.rule is a widely used third-party rule file that must be downloaded separately. Apply a rule file with -r (repeat the option to chain files).
- Performance Options:
- -n / --kernel-threads and -u / --kernel-loops: manual kernel tuning; Hashcat auto-tunes both by default and manual values rarely help.
- -w / --workload-profile: 1-4 (default 2).
- --hwmon-temp-abort: abort if a GPU reaches the given temperature (default 90 degrees C). The --gpu-loops / --gpu-watchdog spellings come from the old oclHashcat and are not accepted by current versions.
- Output: Cracked hash:plaintext pairs are appended to hashcat.potfile; -o / --outfile additionally writes them to a file of your choosing.
- Timers: None by default; a session runs until the keyspace is exhausted, every hash is cracked, or the user stops it. --runtime <seconds> aborts after a fixed time, and --status-timer sets how often --status prints (default every 10 seconds).
Configuration and Verification Commands
Basic syntax:
`hashcat -m <hash_mode> -a <attack_mode> <hash_file> <wordlist> [options]`
Example 1: Dictionary attack with rules against NTLM hashes
`hashcat -m 1000 -a 0 -r best64.rule hashes.txt wordlist.txt`
Example 2: Brute-force attack for an 8-character numeric PIN (MD5 hashes)
`hashcat -m 0 -a 3 hashes.txt ?d?d?d?d?d?d?d?d`
Example 3: Show cracked passwords
`hashcat -m 1000 --show hashes.txt`
Benchmarking:
`hashcat -b -m 1000`
This runs a benchmark for NTLM mode and reports the hash rate (hashes per second).
How Hashcat Interacts with Related Technologies
John the Ripper: The other mainstream cracker. Core John is CPU-based (the jumbo build adds OpenCL formats), while Hashcat is built around GPUs and is usually far faster on fast hashes; on slow, memory-hard algorithms the gap narrows. The two complement each other: John's *2john helper scripts (ssh2john, zip2john, office2john and others) extract hashes from files into text formats that Hashcat accepts for the corresponding modes, often after stripping the leading filename field.
Hash-Identifier: A tool to identify hash type (e.g., $2y$ indicates bcrypt). Use before running Hashcat to ensure correct mode.
Rainbow Tables: Precomputed chains of hash and reduction steps that trade disk for time. Hashcat does not use them; it computes every candidate on the fly. Tables exist only for unsalted algorithms (NTLM, LM, raw MD5) and are defeated by a per-password salt, and for those same unsalted hashes a GPU mask attack usually beats a table lookup anyway, which is why tools like RainbowCrack and ophcrack have largely dropped out of pentest toolkits.
GPU Drivers: Hashcat requires proper GPU drivers (NVIDIA CUDA or AMD ROCm/OpenCL). Mismatched drivers cause errors like CL_DEVICE_NOT_FOUND.
Dictionaries: Common wordlists like rockyou.txt (14 million passwords) are essential. Hashcat can also generate candidate passwords on the fly using rules.
Attack Types in Detail
Dictionary Attack (Mode 0): The simplest attack. Each word from the wordlist is hashed and compared. A rule file mutates each word before hashing: $1 appends '1', c capitalizes the first letter and lowercases the rest, u uppercases everything. Every rule is applied to every word, so a 64-rule file turns a 14-million-word list into roughly 900 million candidates; this amplification is also what keeps a GPU busy on a fast hash, where streaming a plain wordlist from disk cannot keep up.
Combinator Attack (Mode 1): Combines words from two wordlists. For example, wordlist1: "pass", wordlist2: "word" -> candidate: "password". Useful for cracking concatenated passwords.
Mask Attack (Mode 3): A mask defines the character set for each position. Built-in placeholders: ?l (lowercase), ?u (uppercase), ?d (digit), ?s (space and the 32 printable symbols), ?a (all four, 95 characters), ?b (any byte). Custom charsets are defined with -1 to -4 and referenced as ?1 to ?4: `-1 ?l?d` followed by the mask `?1?1?1?1` tries every 4-character string of lowercase letters and digits (36^4 candidates). A mask attack is exhaustive over a shape rather than over everything, so it is far smaller than a pure brute-force of the same length when the shape matches the policy (e.g., ?u?l?l?l?l?l?d?d for a capital, five lowercase, two digits).
Hybrid Attacks (Modes 6 and 7): Mode 6 appends a mask to each wordlist entry (e.g., word + 3 digits). Mode 7 prepends a mask (e.g., 3 digits + word). These are effective for passwords like "password123".
Rule-Based Attack: In Hashcat, rule files (-r) belong to the dictionary attack (mode 0); combinator mode accepts one rule per side with -j and -k. Rules can change case, substitute characters, append or prepend, reverse, truncate and more. The functions on one line run left to right on the same word, so `l u $1 $2 $3` lowercases, then uppercases (undoing the l), then appends 123: "pass" becomes "PASS123". A more useful single line is `c $1 $2 $3`, turning "password" into "Password123"; each further line in the file is a separate mutation of the same word. Large files such as OneRuleToRuleThemAll.rule (roughly 52,000 rules) are highly effective against human-chosen passwords.
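The candidate pipeline described under "How Hashcat Works Internally" and the attack modes above, as an added worked example that is not Hashcat's own code: a small Python model of what Hashcat does per candidate, with a rule interpreter for the functions named on this page, a mask expander that handles custom charsets, the -a 0/1/3/6/7 generators, and a cracking loop that hashes each candidate once and looks it up among all targets (so a batch of hashes costs the same as one). SHA2-256 (mode 1400) stands in for the GPU kernel; the three targets and the three-word wordlist are constructed for the demo.

```python
import hashlib
import itertools

# Added example, not hashcat code: a miniature of hashcat's candidate pipeline.
# Each attack mode is a generator of candidates; every candidate is hashed once
# (SHA2-256 here, hashcat -m 1400) and looked up among all loaded targets.

CHARSETS = {"l": "abcdefghijklmnopqrstuvwxyz", "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
            "d": "0123456789", "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]  # ?a

# Single-character rule functions; $X, ^X and sXY take arguments and are handled below.
SIMPLE_RULES = {"l": str.lower, "u": str.upper, "t": str.swapcase, "r": lambda w: w[::-1],
                "c": lambda w: w[:1].upper() + w[1:].lower(), "d": lambda w: w * 2,
                "[": lambda w: w[1:], "]": lambda w: w[:-1]}

def apply_rule(word, rule):
    """Apply one hashcat rule line left to right (a subset of the rule functions)."""
    i = 0
    while i < len(rule):
        fn, i = rule[i], i + 1
        if fn in SIMPLE_RULES:
            word = SIMPLE_RULES[fn](word)
        elif fn == "$":                                   # $X: append X
            word, i = word + rule[i], i + 1
        elif fn == "^":                                   # ^X: prepend X
            word, i = rule[i] + word, i + 1
        elif fn == "s":                                   # sXY: replace X with Y
            word, i = word.replace(rule[i], rule[i + 1]), i + 2
        elif fn not in " :":                              # space separates, ':' is a no-op
            raise ValueError("unsupported rule function %r" % fn)
    return word

def mask_positions(mask, custom=None):
    """Per-position charsets of a mask such as ?u?l?l?d, or ?1?1?1 with custom={"1": "?l?d"} (-1 ?l?d)."""
    custom, positions, i = custom or {}, [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key in CHARSETS:
                positions.append(CHARSETS[key])
            elif key in custom:                           # custom sets may use ?l ?d ... themselves
                positions.append("".join(dict.fromkeys("".join(mask_positions(custom[key])))))
            else:
                raise ValueError("unknown placeholder ?%s" % key)
            i += 2
        else:
            positions.append(mask[i])                     # literal character
            i += 1
    return positions

def mask_keyspace(mask, custom=None):
    """Candidates a mask generates: the product of the per-position charset sizes."""
    n = 1
    for charset in mask_positions(mask, custom):
        n *= len(charset)
    return n

def mask_candidates(mask, custom=None):
    for combo in itertools.product(*mask_positions(mask, custom)):
        yield "".join(combo)

def candidates(attack_mode, left=(), right=(), mask="", rules=(":",), custom=None):
    """hashcat's -a 0/1/3/6/7 generators; rule files (-r) exist only in -a 0, as in hashcat."""
    if attack_mode == 0:                                  # dictionary: every rule on every word
        for word in left:
            for rule in rules:
                yield apply_rule(word, rule)
    elif attack_mode == 1:                                # combinator: left word + right word
        for a in left:
            for b in right:
                yield a + b
    elif attack_mode == 3:                                # mask / brute-force
        yield from mask_candidates(mask, custom)
    elif attack_mode == 6:                                # hybrid: word + mask
        for word in left:
            for tail in mask_candidates(mask, custom):
                yield word + tail
    elif attack_mode == 7:                                # hybrid: mask + word
        for head in mask_candidates(mask, custom):
            for word in left:
                yield head + word
    else:
        raise ValueError("unsupported attack mode %r" % attack_mode)

def crack(target_hexes, cand_iter):
    """Hash each candidate once, look it up among all pending targets; returns {hash: plain}."""
    pending, found = {h.lower() for h in target_hexes}, {}
    for cand in cand_iter:
        digest = hashlib.sha256(cand.encode("utf-8")).hexdigest()
        if digest in pending:
            found[digest] = cand
            pending.discard(digest)
            if not pending:                               # everything cracked: stop early
                break
    return found

def demo():
    """Crack three constructed SHA2-256 targets, each with the attack mode that fits its shape."""
    targets = {hashlib.sha256(p.encode()).hexdigest(): p for p in ("Summer2023!", "Ab12", "password1")}
    wordlist = ["summer", "password", "winter"]           # constructed mini wordlist
    runs = {0: candidates(0, left=wordlist, rules=[":", "c $2 $0 $2 $3 $!"]),  # -a 0 -r rules
            3: candidates(3, mask="?u?l?d?d"),                                  # -a 3 ?u?l?d?d
            6: candidates(6, left=wordlist, mask="?d")}                         # -a 6 list ?d
    cracked = {}
    for mode, gen in runs.items():
        for digest in crack(targets, gen):
            cracked.setdefault(targets[digest], mode)
    return cracked   # {'Summer2023!': 0, 'Ab12': 3, 'password1': 6}
```

`demo()` shows the division of labour the chapter describes: the rule pass recovers "Summer2023!" from "summer", the ?u?l?d?d mask recovers "Ab12" from 67,600 candidates, and the hybrid pass recovers "password1". `mask_keyspace("?u?l?l?l?l?l?l?d")` returns 80,318,101,760, which is the number a tester divides by the benchmark rate to estimate how long that policy-shaped mask will take.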
Performance Optimization
Know the cost of your hash: the mode is dictated by what you captured, not chosen for speed. NTLM (1000) runs at hundreds of billions of attempts per second on a current GPU, whereas bcrypt (3200) manages on the order of 10^5 per second at the benchmark cost factor of 5 and far fewer at the cost 10-12 that real deployments use, since each +1 in the cost doubles the work. Plan the attack around that rate: a mask that finishes in minutes against NTLM would take years against bcrypt.
Mind the salt count, not the hash count: for unsalted fast hashes, loading thousands of targets costs almost nothing extra, because one candidate hash is checked against all of them. For salted hashes every unique salt forces a separate computation per candidate, so speed divides by the number of unique salts; crack the high-value salted hashes first rather than the whole dump. --potfile-disable stops Hashcat reading and writing the potfile, which matters for repeatable tests, not for speed.
Optimized kernels: -O (--optimized-kernel-enable) selects faster kernels for many modes and can roughly double throughput on SHA-512-family hashes, at the price of a shorter maximum password length (usually 31 characters, less for some algorithms); longer candidates are rejected, so leave -O off when long passphrases are in scope.
Keep the GPU fed: on a fast hash a plain wordlist streamed from disk cannot supply candidates as fast as the GPU consumes them. Add rules (-r) or a hybrid mask (-a 6 / -a 7) so the amplification happens on the device; on a slow hash the wordlist is never the bottleneck and the goal shifts to making it as targeted as possible.
Use multiple GPUs: Hashcat supports multi-GPU with -d flag. Example: -d 1,2 uses devices 1 and 2.
Common Errors and Troubleshooting
"No devices found": Install/update GPU drivers. For NVIDIA, install the CUDA toolkit (or at least the driver's OpenCL runtime). For AMD, install ROCm. Confirm what Hashcat sees with `hashcat -I`.
"Hash mode not found": Verify the hash mode number. Use --example-hashes to see the correct format.
"Token length exception" ("Line-length exception" in older releases): a line in the hash file does not have the field lengths the mode expects, usually because of a leftover username, a BOM, Windows line endings, or a hash of another type. Compare the line with --example-hashes for that mode.
"Separator unmatched": the separator Hashcat expected between the hash and its salt (a colon by default) was not found. Put the fields in the order the mode documents, or change the separator with -p / --separator when your export uses another character.
1. Prepare the Hash File
Extract hashes from the target system (e.g., secretsdump.py against a domain controller, or /etc/shadow on Linux). Hashcat wants one hash per line in the mode's documented format: typically `hash` or `hash:salt`. secretsdump writes pwdump lines, `username:RID:LMhash:NThash:::`; Hashcat reads these directly for -m 1000 when you pass --username (otherwise cut the NT hash out of the fourth field). Example line: `Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::`. Note what those values mean: the LM field aad3b... is the empty-LM placeholder (LM storage disabled), and the NT hash 31d6c... is the MD4 of an empty string, i.e., this account has no password at all; both are worth recognizing on sight. Linux sha512crypt hashes (mode 1800) are the `$6$...` field of /etc/shadow; `cut -d: -f1,2 /etc/shadow` with --username, or `-f2` without it, produces a file Hashcat accepts (unshadow is a John the Ripper tool, and its combined lines carry extra fields Hashcat does not want). Confirm the type with `hashid` or `hash-identifier` before you start.
2. Identify the Hash Mode
Use `hashid` or `hash-identifier` to determine the hash type, then confirm against `hashcat --example-hashes`. Prefixes are the strongest signal: `$2y$10$` is bcrypt (3200), `$1$` md5crypt (500), `$5$` sha256crypt (7400), `$6$` sha512crypt (1800). An unprefixed 32-hex-character value is raw MD5 (0) or NTLM (1000); both are unsalted and look identical, so context decides: a Windows SAM or NTDS dump is NTLM, a web-application table is usually MD5 (or salted MD5, which needs the salt alongside it and a mode such as 10). If a bare 32-hex hash is still ambiguous, try 1000 first on Windows material and 0 elsewhere. The exam expects you to know the common numbers: 0 (MD5), 1000 (NTLM), 1400 (SHA2-256), 1700 (SHA2-512), 3200 (bcrypt), 5500 (NetNTLMv1), 5600 (NetNTLMv2), 13100 (Kerberos 5 TGS-REP, etype 23).
3. Choose the Attack Mode
Select the attack mode based on the scenario. For a penetration test with a wordlist, use mode 0 (dictionary) with rules. For a known password policy (e.g., minimum 8 characters, must include a digit), use mode 3 (mask) with a mask like `?l?l?l?l?l?l?d?d` (6 lowercase + 2 digits). For combining two dictionaries (e.g., first name + last name), use mode 1 (combinator). For appending digits to dictionary words, use mode 6 (hybrid wordlist + mask). The exam may ask which attack is most efficient given a password policy. Remember: mask attacks are faster than brute-force because they limit the keyspace to probable patterns.
4. Select a Wordlist and Rules
Common wordlists: `rockyou.txt` (14 million passwords), `SecLists` (collection of wordlists for various purposes). For rules, start with `best64.rule` (64 high-frequency rules) or `OneRuleToRuleThemAll.rule` (comprehensive). Use `-r` to specify a rule file. You can also use `--generate-rules` to create custom rules. The combination of a good wordlist and rules often cracks 50-70% of passwords in a typical dump. For high-value targets, run multiple passes with different rule sets. In a real test, you might run a dictionary attack with rules first, then a mask attack for remaining hashes.
5. Run Hashcat and Monitor Progress
Execute the command. Example: `hashcat -m 1000 -a 0 -r best64.rule hashes.txt rockyou.txt --status`. The `--status` flag prints periodic stats (hash rate, progress, estimated time, cracked count) instead of waiting for a keypress; during a run, s shows status, p pauses, r resumes, b bypasses the current dictionary or mask, and q quits. Hashcat uses every device it detects; restrict it with `-d 1` (device numbers from `hashcat -I`). Cracked hashes go to `hashcat.potfile`; list them with `hashcat -m 1000 --show hashes.txt`, adding `--username` if the hash file has usernames so each password is shown next to its account. If the run is too slow, try `-w 3` or `-w 4` on a dedicated box and check whether the GPU is being starved by a plain wordlist (add rules). `--loopback` feeds every cracked plaintext back in as a new dictionary word for another rule pass, which pays off where users share password patterns.
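Steps 1 and 5 above (preparing the hash file and reading the results back) as an added Python example, not code from Hashcat or impacket: it parses secretsdump-style pwdump lines into the `user:NThash` input that `hashcat -m 1000 --username` reads, drops machine accounts, then joins a potfile back to accounts the way `--show --username` does and flags what an auditor looks for first: accounts with an empty NT hash, accounts that still store an LM hash, and accounts sharing one NT hash (identical passwords). The dump and potfile lines are constructed; the NT hashes for "password", "Password1" and the empty string are the real values, the other hashes are placeholders.

```python
import re
from collections import defaultdict

# Added example (not hashcat's or impacket's code): prepare pwdump output for
# 'hashcat -m 1000 --username' and join the potfile back to accounts like --show.

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM of an empty string: LM not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT of an empty string: no password set
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample dump. Real NT hashes: 8846f7... = "password", 64f12c... = "Password1",
# 31d6cf... = "" ; the remaining hashes and the non-empty LM hash are placeholders.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    r"corp.local\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::",
    r"corp.local\asmith:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    r"corp.local\legacy-svc:1107:e52cac67419a9a224a3b108f3fa6cb6d:fedcba9876543210fedcba9876543210:::",
    "WS01$:1108:aad3b435b51404eeaad3b435b51404ee:89abcdef0123456789abcdef01234567:::",
    "not a hash line",
]

# Constructed potfile lines in hashcat's -m 1000 format, hash:plain (a trailing colon = empty password).
SAMPLE_POTFILE = [
    "8846f7eaee8fb117ad06bdd830b7586c:password",
    "64f12cddaa88057e06a81b54e73b949b:Password1",
    "31d6cfe0d16ae931b73c59d7e0c089c0:",
]

def parse_pwdump(lines):
    """Parse 'user:RID:LM:NT:::' lines; drop machine accounts (user$), history entries and junk."""
    entries = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if user.endswith("$") or "_history" in user:
            continue
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries

def hashcat_input(entries):
    """Lines for 'hashcat -m 1000 --username hashes.txt ...': user:NThash and nothing else."""
    return ["%s:%s" % (e["user"], e["nt"]) for e in entries]

def load_potfile(lines):
    """Unsalted potfile lines are hash:plain; split on the first colon only."""
    cracked = {}
    for line in lines:
        line = line.rstrip("\n")
        if ":" in line:
            h, plain = line.split(":", 1)
            cracked[h.lower()] = plain
    return cracked

def audit(entries, potfile_lines):
    """Join cracked hashes back to accounts (what --show --username does) and flag the findings."""
    cracked = load_potfile(potfile_lines)
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    report = {e["user"]: cracked.get(e["nt"]) for e in entries}
    hits = [u for u, p in report.items() if p is not None]
    return {
        "total": len(entries),
        "cracked": len(hits),
        "percent": round(100.0 * len(hits) / len(entries), 1) if entries else 0.0,
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_hash": {nt: users for nt, users in by_nt.items() if len(users) > 1},
        "report": report,
    }

if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_DUMP)
    print("\n".join(hashcat_input(entries)))   # what goes into hashes.txt
    print(audit(entries, SAMPLE_POTFILE))      # 4 of 6 cracked; Guest empty; shared hash; LM stored
```

The shared-hash check is worth running before any cracking: two accounts with the same NT hash have the same password, and if one of them is a service account that finding stands on its own. The empty-NT and LM-stored checks likewise need no GPU at all.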
In a typical Active Directory penetration test, after gaining domain admin privileges, the tester dumps the NTDS.dit database with secretsdump.py (or an ntdsutil/vssadmin snapshot) and gets thousands of NTLM hashes. With mode 1000, rockyou.txt and best64.rule on a rig of four NVIDIA RTX 4090s, each card delivers roughly 250-300 GH/s, so the rig runs at about a terahash per second; the whole rockyou-times-best64 keyspace (under a billion candidates) is exhausted in seconds and commonly recovers 60-70% of the passwords. For the remainder the tester runs a mask such as ?u?l?l?l?l?l?l?d (1 uppercase, 6 lowercase, 1 digit: the minimal policy-compliant 8-character shape), about 8 x 10^10 candidates, which takes well under a minute at that rate and typically cracks another 15-20%. What remains needs longer keyspaces or better wordlists; the report states the percentage cracked within a fixed time budget as evidence of a weak password policy.
Another scenario: Web application assessment. The tester extracts a SQL database containing bcrypt hashes (mode 3200) for user accounts. bcrypt is intentionally slow and its cost factor sets the price: the same four-GPU rig that does a terahash per second on NTLM manages only on the order of 10^4 attempts per second at the common cost of 10 (`$2y$10$`), halving again for every increment of the cost. rockyou.txt alone takes hours and a 64-rule pass over it takes weeks, so the tester builds a short, targeted wordlist (company name, products, locations, seasons and years, e.g., "Company2023!") and applies a small rule set. `--increment` with a mask (stepping the length from --increment-min to --increment-max) is only worth it here for very short or tightly constrained masks. The report notes that bcrypt with an adequate cost factor effectively limits offline cracking, and that the findings are about weak passwords, not weak hashing.
A third scenario: Internal phishing or LLMNR/NBT-NS poisoning assessment. The tester captures NetNTLMv2 challenge-responses (mode 5600) with Responder or Inveigh. These are not stored hashes: each is an HMAC-MD5 keyed by a value derived from the user's NT hash together with the username and domain, computed over the server challenge and a client blob. That is why the captured line has the form `user::DOMAIN:serverchallenge:NTProofStr:blob` and why the username and domain must stay in it: stripping them (a habit carried over from NTLM dumps) makes the response uncrackable, and --username is not needed because the identity fields are part of the format. Each candidate costs one MD4 plus two HMAC-MD5s, so a modern GPU still runs at several GH/s, and a dictionary-plus-rules pass commonly cracks 40-50% of captured responses within a day. Cracked passwords are then used for lateral movement; where SMB signing is off, the captures can be relayed instead of cracked.
The PT0-002 exam tests Hashcat under Objective 5.1 (Given a scenario, use the appropriate tool to assess the security posture of an organization). You must know the syntax, common hash modes, attack modes, and rule usage. The exam will present scenarios where you must choose the correct Hashcat command to crack a specific hash type. The 3-4 most common wrong answers:
1. Choosing the wrong hash mode: Candidates confuse NTLM (1000) with MD5 (0) because both are unsalted 32-character hex values. The exam distinguishes by context: NTLM comes from Windows SAM/NTDS dumps, raw MD5 from web application databases. Prefixed hashes identify themselves: $2y$ (bcrypt, 3200), $1$ (md5crypt, 500), $5$ (sha256crypt, 7400), $6$ (sha512crypt, 1800).
2. Using brute-force when mask attack is appropriate: The exam asks for the most efficient attack given a password policy. Brute-force tries all combinations; mask attack restricts positions. Candidates pick brute-force because it's comprehensive, but mask attack is faster and should be tried first.
3. Incorrect rule syntax: Candidates may write rules inline incorrectly. The exam expects knowledge of common rules like $1 (append 1) and c (capitalize). Also, knowing that rules are applied per word in dictionary attack.
4. Forgetting to specify the hash mode: Always give -m. Older Hashcat releases silently defaulted to mode 0 (MD5), so every candidate was hashed with the wrong algorithm and nothing matched; Hashcat 6.2 and later try to autodetect the mode from the hash's shape and refuse to run when several modes fit, which is exactly the case for a bare 32-hex NTLM/MD5 value.
Specific numbers: Know that -a 0 is dictionary, -a 3 is mask, -a 6 is hybrid wordlist+mask. Mode 1000 is NTLM, mode 0 is MD5, mode 1400 is SHA256, mode 1700 is SHA512, mode 3200 is bcrypt, mode 5500 is NetNTLMv1, mode 5600 is NetNTLMv2. The -r flag is for rules. --show displays cracked hashes. --status shows progress. --potfile-disable avoids writing to potfile. -O enables optimized kernels.
Edge cases: If the hash file contains usernames (e.g., pwdump lines username:RID:LM:NT:::), use --username so Hashcat skips the name and keeps it for --show. For Linux, take the $6$ field straight from /etc/shadow (unshadow is John's tool; its combined passwd/shadow lines are not what Hashcat expects). For Kerberos, mode 13100 is the RC4 (etype 23) TGS-REP from Kerberoasting; the $krb5tgs$23$ line carries the user, realm and SPN before the encrypted data, and the AES variants (etype 17/18) use modes 19600/19700. NetNTLMv2 (5600) lines likewise embed the username and domain; never strip them.
To eliminate wrong answers, always identify the hash type first. Look for clues: length, character set, prefix. Then determine the attack: dictionary with rules is usually first. For mask attacks, the mask must match the policy. Practice with --example-hashes to familiarize with formats.
Hashcat uses GPU parallel processing to crack hashes at high speed; use mode -m to specify the algorithm.
Common hash modes: 0 (MD5), 1000 (NTLM), 1400 (SHA256), 1700 (SHA512), 3200 (bcrypt), 5600 (NetNTLMv2).
Attack modes: 0 (dictionary), 1 (combinator), 3 (mask), 6 (hybrid wordlist+mask), 7 (hybrid mask+wordlist).
Rules are applied with -r and modify candidate passwords (e.g., $1 appends '1', c capitalizes first letter).
Mask attack uses placeholders: ?l (lower), ?u (upper), ?d (digit), ?s (special), ?a (all). Custom charsets with -1, -2.
Use --status to monitor progress and --show to display cracked passwords.
Benchmark with -b to measure performance; optimize with -w (workload) and -O (optimized kernel).
Always identify hash type before cracking; use hashid or hash-identifier.
For NTLM hashes with usernames, use --username flag.
Slow hashes (bcrypt, sha512crypt) require targeted wordlists and patience; fast hashes (NTLM, MD5) crack quickly.
These come up on the exam all the time. Here's how to tell them apart.
Hashcat
GPU-optimized, achieves billions of hashes per second for fast algorithms like NTLM
Supports over 300 hash modes including Kerberos and NetNTLM
Primarily command-line with no interactive mode
Better for large-scale cracking with multiple GPUs
Requires GPU drivers (CUDA/OpenCL) and may have compatibility issues
John the Ripper
Core build is CPU-based; the jumbo build adds OpenCL formats, but Hashcat remains the faster choice on GPUs for fast hashes
Supports a large set of formats that overlaps heavily with Hashcat's (several hundred in the jumbo build), plus the *2john helpers that extract hashes from files
Offers 'single crack' mode (`john --single`), which derives candidates from the account's own username and GECOS data, a quick first pass Hashcat has no direct equivalent for
Better for systems without a usable GPU, or for slow hashes where GPU gains are smallest
Easier to install and run anywhere; needs no GPU drivers
Mistake
Hashcat can crack any hash instantly if you have a good wordlist.
Correct
Hashcat's speed depends on the algorithm. Simple hashes like NTLM (mode 1000) crack at billions per second, but slow hashes like bcrypt (mode 3200) only achieve thousands per second. A good wordlist helps but does not guarantee instant results; strong passwords may remain uncracked.
Mistake
You must use the exact hash format from the target system without modification.
Correct
Hashcat requires a specific format: usually `hash:salt` or just `hash`. For NTLM, the format is `username:RID:LMhash:NThash:::`. You may need to strip usernames or convert from other formats. Use `--username` flag if usernames are present.
Mistake
Brute-force attack is the most effective method for cracking all passwords.
Correct
Brute-force is the least efficient because it tries every possible combination. Mask attacks (mode 3) are far more efficient because they target likely patterns (e.g., capital letter at start, digits at end). Always try dictionary with rules and mask before brute-force.
Mistake
Hashcat can only crack one hash at a time.
Correct
Hashcat can crack multiple hashes simultaneously. It loads all target hashes into memory and compares each candidate hash against all targets. This is more efficient than cracking one hash at a time because the hashing computation is shared.
Mistake
Rule files can be applied to any attack mode.
Correct
Rule files (-r) are a feature of the straight/dictionary attack (-a 0). Combinator mode (-a 1) takes at most one rule per side with -j (left) and -k (right), the hybrid modes (-a 6 / -a 7) express append and prepend with the mask instead, and mask mode (-a 3) has no rule support at all. To mutate words and append digits in one pass, use -a 0 with rules that include the $ digits, or run -a 6 as a separate pass.
The command is: `hashcat -m 1000 -a 0 -r best64.rule hashes.txt rockyou.txt`. The `-m 1000` specifies NTLM, `-a 0` is dictionary attack, `-r best64.rule` applies the rule file. Ensure hashes are in the correct format (username:RID:LM:NTLM:::). If usernames are present, add `--username`.
Use `hashcat -m 3200 -a 0 hash.txt wordlist.txt`. bcrypt is slow; expect low hash rates (thousands per second). Use a targeted wordlist and consider mask attacks for short passwords. Example bcrypt hash: `$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy`.
Mode 3 (mask) generates candidates based on a mask pattern (e.g., `?l?l?l?d?d`). Mode 6 (hybrid wordlist+mask) takes each word from a wordlist and appends the mask to it (e.g., `password` + `?d?d` = `password12`). Mode 6 is useful for cracking passwords that are dictionary words followed by digits or symbols.
Increase the workload profile with `-w 3` or `-w 4` (the latter may make the desktop unresponsive). Use `-O` for optimized kernels where the password-length limit is acceptable. Use multiple GPUs with `-d 1,2`. Keep GPU drivers up to date. For salted hashes, crack the important accounts first, since speed divides by the number of unique salts; for unsalted hashes, load the whole file, because one candidate is checked against every hash at once. Order the attacks from cheap to expensive (dictionary with rules, then targeted masks, then brute-force), and keep each mask's keyspace as small as the policy allows.
Ensure GPU drivers are installed. For NVIDIA, install CUDA toolkit. For AMD, install ROCm or OpenCL runtime. Run `hashcat -I` to list devices. If no devices appear, check driver installation. On Linux, you may need to install `ocl-icd-libopencl1` or similar. Some virtual machines do not have GPU passthrough.
The potfile (`hashcat.potfile`) stores cracked hashes in the format `hash:password`. Hashcat checks the potfile before cracking to avoid re-cracking. Use `--show` to display cracked passwords. To disable potfile, use `--potfile-disable`. To use a custom potfile, use `--potfile-path path`.
Yes, Hashcat supports salted hashes. The hash file format typically includes the salt after a colon (e.g., `hash:salt`). For example, MD5 salted: `482c811da5d5b4bc6d497ffa98491e38:mysalt`. The mode for salted MD5 is 10. Always check the example hashes for the correct format.