Date: December 2, 2025
Author: Karan Patel, CEO

Password cracking is one of the most fundamental skills in offensive security and penetration testing. Whether you are auditing your organization's password policies, conducting an authorized red team engagement, or preparing for a career in cybersecurity, understanding how hash cracking works gives you critical insight into where defenses break down. Hashcat is the industry-standard tool for this work, trusted by security professionals worldwide for its speed, flexibility, and GPU-accelerated performance.

This guide walks you through Hashcat from installation to advanced attack techniques, with real commands and practical examples you can apply in a lab environment.

What Is Hashcat and Why Do Security Professionals Use It

Hashcat is an open-source, CPU and GPU-accelerated password recovery tool that supports over 300 hash types. It is capable of cracking MD5, SHA-1, SHA-256, bcrypt, NTLM, WPA handshakes, and dozens of other formats at speeds that far exceed older tools like John the Ripper in most scenarios.

Security professionals use Hashcat during:

  • Internal password audits to identify weak credentials before attackers do
  • Post-exploitation phases of penetration tests, after dumping hashes from systems like Active Directory
  • Research into the effectiveness of hashing algorithms and salting strategies

If you are serious about building a career in offensive security or ethical hacking, learning Hashcat is non-negotiable. Redfox Cybersecurity Academy covers password attacks in depth as part of structured, hands-on training programs at academy.redfoxsec.com.

Installing Hashcat on Linux and Windows

Linux Installation

Most Debian-based distributions can install Hashcat directly from the package manager, but it is best to grab the latest binary from the official source for access to current features.

sudo apt update && sudo apt install hashcat

Alternatively, download the latest release:

wget https://hashcat.net/files/hashcat-6.2.6.7z
7z x hashcat-6.2.6.7z
cd hashcat-6.2.6

Windows Installation

On Windows, download the precompiled binary from hashcat.net, extract the archive, and run commands from PowerShell or Command Prompt inside the extracted folder.

Verifying GPU Support

Hashcat relies on OpenCL or CUDA for GPU acceleration. Verify your setup with:

hashcat -I

This lists detected platforms and devices. If you are running a virtual machine without GPU passthrough, you can force CPU mode with -D 1, though performance will be significantly reduced.

Understanding Hash Types and the -m Flag

Every Hashcat attack requires you to specify the hash type using the -m flag. Getting this wrong means Hashcat will attempt to crack the wrong format and produce no results.

Here are common hash types and their codes:

Hash Type                 Hashcat Code   Common Use Case
MD5                       0              Legacy web apps, checksums
SHA-1                     100            Git commits, older TLS certificates
SHA-256                   1400           Modern web apps, JWT signing
NTLM                      1000           Windows local and domain accounts
bcrypt                    3200           Linux passwords, modern web frameworks
WPA-PBKDF2-PMKID+EAPOL    22000          Wi-Fi WPA2 handshake cracking
SHA-512                   1800           Linux shadow file hashes
NetNTLMv2                 5600           Windows network authentication captures

To identify an unknown hash type, use a tool like hash-identifier or hashid before running Hashcat:

hashid '$2y$10$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36WQoeG6Lruj3vjPGga31lW'

The output will suggest likely algorithms, in this case bcrypt, so you would use -m 3200.

Hashcat Attack Modes Explained

Hashcat supports multiple attack modes, each suited to different scenarios. Choosing the right one is as important as the wordlist or rule set you apply.

Mode 0: Straight (Dictionary) Attack

The most common starting point. Hashcat tests every word in a provided wordlist against the target hash.

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

Here:

  • -m 1000 specifies NTLM
  • -a 0 is dictionary mode
  • hashes.txt contains your captured hashes
  • rockyou.txt is the wordlist

Mode 1: Combination Attack

Combines words from two separate wordlists, appending each word from list two to every word in list one.

hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt

Useful for targeting passwords like "bluetiger" or "adminpassword" where users combine two dictionary words.

Mode 3: Brute-Force / Mask Attack

Generates candidates based on a character mask. Ideal when you know the password length or format.

hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?d?d?d?d'

Built-in charset tokens include:

  • ?l for lowercase letters
  • ?u for uppercase letters
  • ?d for digits
  • ?s for special characters
  • ?a for all printable ASCII characters

The example above targets passwords with one uppercase letter, three lowercase letters, and four digits, a pattern that matches many corporate password policies.

Mode 6 and 7: Hybrid Attacks

Hybrid attacks combine a wordlist with a mask. Mode 6 appends the mask to each word; mode 7 prepends it.

hashcat -m 0 -a 6 hashes.txt rockyou.txt '?d?d?d?d'

This targets passwords like "password2023" or "letmein1234", a very common pattern in real-world password dumps.

Using Rules to Dramatically Increase Crack Rates

Rules are one of Hashcat's most powerful features. They instruct Hashcat to transform words from a wordlist in defined ways before testing them, without needing to store millions of variants on disk.

Hashcat ships with several rule files, typically located in the rules/ directory:

ls hashcat/rules/

The most effective general-purpose rule file is best64.rule. To apply it:

hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule

You can also stack multiple rule files:

hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule -r rules/toggles1.rule

Common Rule Syntax

Rules follow a single-character function notation. Some of the most useful include:

l        # Lowercase all letters
u        # Uppercase all letters
c        # Capitalize first letter
$1       # Append character '1'
^!       # Prepend character '!'
r        # Reverse the word
d        # Duplicate the word

A practical custom rule to mimic real user behavior might look like this, saved as custom.rule:

c $1 $2 $3
c $! $1
c $@ $1 $2 $3

This generates variants like "Password123", "Password!1", and "Password@123", a pattern Redfox Cybersecurity Academy instructors frequently demonstrate when showing how quickly corporate passwords fall during authorized assessments.

Cracking NTLM Hashes: A Real-World Scenario

NTLM hashes are commonly encountered during Windows penetration tests after using tools like Impacket's secretsdump.py or mimikatz to dump credentials from domain controllers or local SAM databases.

Assume you have extracted the following hashes from a SAM file:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

The NTLM hash portion is the value after the third colon: 8846f7eaee8fb117ad06bdd830b7586c. Save it to a file:

echo "8846f7eaee8fb117ad06bdd830b7586c" > ntlm_hashes.txt

Run a dictionary attack with rules:

hashcat -m 1000 -a 0 ntlm_hashes.txt rockyou.txt -r rules/best64.rule --force

If the hash cracks, Hashcat displays the plaintext:

8846f7eaee8fb117ad06bdd830b7586c:password

To show previously cracked hashes stored in the potfile:

hashcat -m 1000 ntlm_hashes.txt --show

The potfile (~/.local/share/hashcat/hashcat.potfile on Linux) stores previously cracked results so Hashcat does not re-crack them on future runs.
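
In an internal audit, a dump in the user:rid:lm:nt::: layout shown above already yields findings before any cracking starts. The following is an added example, not part of the original guide and not code from any tool named here; it goes slightly beyond the single line in the text by flagging accounts that share an NT hash, accounts with a blank password, and accounts that still have an LM hash stored. The function names and every sample line except the first are constructed.

```python
# Added example: findings from pwdump-format lines (user:rid:lm:nt:::)
# that need no cracking. Not output or code from any tool named above.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX = set("0123456789abcdef")


def parse_pwdump(line):
    """Split one line into (user, rid, lm, nt); raise on malformed input."""
    fields = line.strip().split(":")
    if len(fields) < 4 or not fields[1].isdigit():
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
    for name, value in (("LM", lm), ("NT", nt)):
        if len(value) != 32 or not set(value) <= HEX:
            raise ValueError(f"bad {name} hash for {user}")
    return user, rid, lm, nt


def audit(lines):
    """Group accounts by weakness visible in the dump itself."""
    by_nt = defaultdict(list)
    findings = {"lm_stored": [], "blank_password": []}
    for line in lines:
        if not line.strip():
            continue
        user, _rid, lm, nt = parse_pwdump(line)
        by_nt[nt].append(user)
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)      # legacy LM hash present
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
    findings["shared_hash"] = sorted(
        sorted(users) for users in by_nt.values() if len(users) > 1)
    return findings


SAMPLE = [  # first line is the example from the text; the rest are constructed
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "legacy_app:1105:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::",
]

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE).items():
        print(finding, accounts)
```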

Cracking WPA2 Handshakes with Hashcat

WPA2 cracking is a staple of wireless security assessments. The modern workflow uses the PMKID method or a captured four-way handshake converted to the .hc22000 format using hcxtools.

Converting a Capture File

After capturing a handshake with hcxdumptool, convert it:

hcxpcapngtool -o capture.hc22000 capture.pcapng

Running the Crack

hashcat -m 22000 -a 0 capture.hc22000 rockyou.txt -r rules/best64.rule


WPA2 cracking is slow even on powerful GPUs because of the PBKDF2-HMAC-SHA1 key derivation. A mask attack can be useful when you know the router's default password format; for example, many ISP routers use 8-digit numeric defaults:

hashcat -m 22000 -a 3 capture.hc22000 '?d?d?d?d?d?d?d?d'

Understanding these workflows in context, knowing when to use which mode and why, is precisely the kind of applied knowledge taught at Redfox Cybersecurity Academy. Hands-on labs in the curriculum cover wireless attacks, Active Directory exploitation, and more.

Optimizing Hashcat Performance

Use the Right Workload Profile

The -w flag sets the workload profile from 1 (low) to 4 (nightmare):

hashcat -m 1000 -a 0 hashes.txt rockyou.txt -w 3

Use -w 4 only on dedicated cracking rigs where the GPU is not driving a display, as it can make the system unresponsive.

Enable Optimized Kernels

The -O flag enables optimized OpenCL kernels, which limits password length to 32 characters but significantly boosts speed:

hashcat -m 1000 -a 0 hashes.txt rockyou.txt -O -w 3

Benchmarking Your System

Before starting any serious cracking session, benchmark your hardware:

hashcat -b -m 1000

This tells you your expected hash rate for NTLM on your current hardware, which helps you estimate crack time before committing to a long session.

Building a Custom Wordlist Strategy

The quality of your wordlist often matters more than raw cracking speed. For targeted engagements, a custom wordlist built around the target organization will outperform generic lists.

Using CeWL for Target-Specific Wordlists

CeWL scrapes a target website and generates a wordlist from words it finds:

cewl https://targetcompany.com -d 2 -m 6 -w target_wordlist.txt

Combining and Deduplicating Wordlists

cat rockyou.txt target_wordlist.txt | sort -u > combined.txt

Generating Wordlists with CUPP

CUPP (Common User Passwords Profiler) generates personalized wordlists based on information about the target individual, useful during social engineering assessments:

python3 cupp.py -i

Pair these custom wordlists with Hashcat rules and you will crack hashes that generic dictionary attacks miss entirely. This layered methodology is covered in detail in courses available at academy.redfoxsec.com.

Cracking bcrypt and Other Slow Hashes

bcrypt, scrypt, and Argon2 are intentionally slow hashing algorithms designed to resist cracking. Hashcat supports them, but expect dramatically lower hash rates compared to MD5 or NTLM.

On a modern GPU, bcrypt (-m 3200) might process only a few hundred hashes per second compared to billions per second for MD5.

hashcat -m 3200 -a 0 bcrypt_hashes.txt rockyou.txt

For slow hashes, prioritize your wordlists carefully. A targeted list of 50,000 high-probability candidates will outperform a generic list of 10 million in the time you have available during a real engagement. Avoid wasting GPU time with full mask attacks on bcrypt unless you have strong reason to believe the password is short and simple.
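
The mask tokens from the Mode 3 section and the benchmark figure together give the worst-case time to exhaust a mask, which is also the clearest way to see what a slow hash buys the defender. The following is an added example, not part of the original guide or of Hashcat: it handles only the five built-in tokens listed earlier plus literals, takes the NTLM rate from the sample status output in this guide, and uses 300 H/s as a constructed stand-in for "a few hundred" bcrypt hashes per second.

```python
# Added example: keyspace and worst-case exhaust time for a hashcat-style mask.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}  # built-in tokens


def mask_keyspace(mask: str) -> int:
    """Return the number of candidates a mask generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("mask ends with a dangling '?'")
            token = mask[i + 1]
            if token == "?":            # '??' is a literal question mark
                size = 1
            elif token in CHARSET_SIZES:
                size = CHARSET_SIZES[token]
            else:
                raise ValueError(f"unsupported token ?{token}")
            total *= size
            i += 2
        else:                           # any other character is a fixed literal
            i += 1
    return total


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a benchmarked rate."""
    if hashes_per_second <= 0:
        raise ValueError("rate must be positive")
    return mask_keyspace(mask) / hashes_per_second


def humanize(seconds: float) -> str:
    for unit, span in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    policy_mask = "?u?l?l?l?d?d?d?d"    # mask from the Mode 3 section
    ntlm_rate = 4512.3e6                # NTLM speed from the sample status output
    bcrypt_rate = 300.0                 # constructed value for "a few hundred" H/s
    print(mask_keyspace(policy_mask))
    for name, rate in (("NTLM", ntlm_rate), ("bcrypt", bcrypt_rate)):
        print(name, humanize(seconds_to_exhaust(policy_mask, rate)))
```

The same eight-character pattern that is exhausted in about a second as NTLM takes roughly half a year at the assumed bcrypt rate, which is the argument for slow hashes on the storage side.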

Interpreting Hashcat Output and Status

While Hashcat is running, press S to display a status update:

Session..........: hashcat
Status...........: Running
Hash.Mode........: 1000 (NTLM)
Hash.Target......: ntlm_hashes.txt
Time.Started.....: Fri Jun 05 10:22:00 2026 (2 mins, 14 secs)
Time.Estimated...: Fri Jun 05 10:29:00 2026 (6 mins, 46 secs)
Guess.Base.......: File (rockyou.txt)
Speed.#1.........: 4512.3 MH/s (1.08ms) @ Accel:1024
Recovered........: 3/10 (30.00%) Digests
Progress.........: 2500000/14344384 (17.43%)

Key fields to monitor:

  • Recovered: hashes cracked so far
  • Speed: hash rate in megahashes or gigahashes per second
  • Time.Estimated: projected completion time
  • Progress: percentage of the candidate space exhausted

If progress stalls or estimated time is unreasonably long, consider switching attack modes or refining your wordlist rather than waiting.

Wrapping Up

Hashcat is not a point-and-click tool. Getting real results in professional engagements requires understanding hash types, choosing the right attack mode for the scenario, building quality wordlists, and applying rules that reflect how real users construct passwords. Every layer of that methodology compounds your success rate.

The commands and techniques covered in this guide represent standard practice in modern offensive security work. They apply directly to penetration testing engagements, red team operations, and internal security audits where an organization needs to know whether its password policy is holding up against real-world attack techniques.

If you want to move beyond tutorials and into structured, scenario-based training that covers password attacks, Active Directory exploitation, web application hacking, and more, Redfox Cybersecurity Academy provides the curriculum and lab environment to get you there. Start at academy.redfoxsec.com and build the skills that matter in the field.
