
Hashcat Cheatsheet - Common Hash Types & Commands

Quick Hash Identification

Hash Examples & Identification

# Identify hash type automatically
hashcat --identify hash.txt
hashid hash.txt
haiti 5f4dcc3b5aa765d61d8327deb882cf99

# Common hash formats
MD5:           32 hex chars    → 5f4dcc3b5aa765d61d8327deb882cf99
SHA1:          40 hex chars    → 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
SHA256:        64 hex chars    → 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
NTLM:          32 hex chars    → 8846f7eaee8fb117ad06bdd830b7586c
NetNTLMv1:     $NetNTLM$...   → username::domain:lmhash:nthash:challenge
NetNTLMv2:     $NetNTLMv2$... → username::domain:challenge:hash:response
Kerberos 5:    $krb5tgs$23$*  → $krb5tgs$23$*user$realm$service*$hash
bcrypt:        $2a$, $2b$     → $2a$10$N9qo8uLOickgx2ZMRZoMye
SHA512crypt:   $6$            → $6$rounds=5000$salt$hash
MD5crypt:      $1$            → $1$salt$hash

Basic Hashcat Commands

Essential Syntax

# Basic attack
hashcat -m [hash_type] -a [attack_mode] [hashfile] [wordlist]

# With rules
hashcat -m [hash_type] -a 0 [hashfile] [wordlist] -r [rulefile]

# Show cracked passwords
hashcat -m [hash_type] [hashfile] --show

# Continue/restore session
hashcat --restore
hashcat --session mysession --restore

# Benchmark specific hash type
hashcat -m [hash_type] -b

Attack Modes

-a 0  # Straight/Dictionary attack (default)
-a 1  # Combination attack (combine 2 wordlists)
-a 3  # Brute-force/Mask attack
-a 6  # Hybrid wordlist + mask
-a 7  # Hybrid mask + wordlist
-a 9  # Association attack

Output & Session Management

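# Output formats
-o cracked.txt                     # Output file
# The =3 and =5 values below use the legacy (hashcat 5.x and earlier) numbering.
# hashcat 6.x takes a comma-separated field list (1=hash[:salt], 2=plain, 3=hex_plain),
# so there =3 means hex_plain and hash:plain is written as --outfile-format=1,2
--outfile-format=2                 # Plain format
--outfile-format=3                 # hash:plain (legacy numbering)
--outfile-format=5                 # hash:plain:hex_plain (legacy numbering)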

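# Session management
--session=mysession               # Name session
--restore-file-path=./mysession.restore  # Path of the restore file (a file, not a directory)
--potfile-disable                 # Don't save to potfile
--potfile-path=./my.potfile      # Custom potfile location (the potfile stores recovered plaintexts in clear; keep it on access-controlled storage)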

# Status & monitoring
--status                          # Auto status updates
--status-timer=10                 # Update every 10 seconds

Windows Hashes

NTLM (Mode 1000)

# Single NTLM hash
hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

# From secretsdump/hashdump format
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
# Extract NTLM (4th field)
cut -d: -f4 hashdump.txt > ntlm.txt
hashcat -m 1000 ntlm.txt rockyou.txt

# With rules
hashcat -m 1000 ntlm.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Mask attack for common patterns
hashcat -m 1000 -a 3 ntlm.txt ?u?l?l?l?l?l?d?d?s  # Ullllldd!

NetNTLMv1 (Mode 5500)

# From Responder/Inveigh
hashcat -m 5500 netntlmv1.txt rockyou.txt

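# Example hash format:
# username::domain:lmhash:nthash:challenge
# --force suppresses hashcat's driver/runtime warnings; results obtained with it can be unreliable (missed cracks), so fix the warning rather than leaving it on
hashcat -m 5500 -a 0 netntlmv1.txt rockyou.txt --force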

NetNTLMv2 (Mode 5600)

# Most common from Responder
hashcat -m 5600 netntlmv2.txt rockyou.txt

# Example format:
# USER::DOMAIN:challenge:hash:response
hashcat -m 5600 netntlmv2.txt rockyou.txt -r rules/InsidePro-PasswordsPro.rule

# Optimized for NetNTLMv2
hashcat -m 5600 netntlmv2.txt rockyou.txt -O -w 3

LM Hash (Mode 3000)

# Legacy LM hashes
hashcat -m 3000 -a 3 lm.txt ?a?a?a?a?a?a?a

# LM is case-insensitive, max 7 chars per half
hashcat -m 3000 lm.txt -a 3 ?u?u?u?u?u?u?u

Active Directory Hashes

Kerberoast - TGS-REP (Mode 13100)

# From GetUserSPNs.py or Rubeus
hashcat -m 13100 kerberoast.txt rockyou.txt

# Common Kerberoast passwords
hashcat -m 13100 kerberoast.txt passwords.txt -r rules/d3ad0ne.rule

# Targeted attack with company name
echo "Company2024!" | hashcat -m 13100 kerberoast.txt -a 0 -r rules/toggles1.rule

AS-REP Roast (Mode 18200)

# From GetNPUsers.py
hashcat -m 18200 asreproast.txt rockyou.txt

# With common AD password patterns
hashcat -m 18200 -a 3 asreproast.txt ?u?l?l?l?l?l?l?d?d?s
hashcat -m 18200 -a 6 asreproast.txt wordlist.txt ?d?d?d?d

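Kerberos 5 TGS-REP etype 23 (Mode 13100)

# Mode 13100 is the TGS-REP (etype 23) mode already used in the Kerberoast section; it is not a TGT mode
hashcat -m 13100 kirbi.txt rockyou.txt --force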

DCC2/MS-Cache v2 (Mode 2100)

# Domain cached credentials
hashcat -m 2100 dcc2.txt rockyou.txt

# Format: $DCC2$iterations#username#hash
# Slower due to iterations (default 10240)
hashcat -m 2100 dcc2.txt rockyou.txt -w 3 -O

Linux Hashes

SHA512crypt $6$ (Mode 1800)

# From /etc/shadow
hashcat -m 1800 shadow.txt rockyou.txt

# Example: $6$rounds=5000$salt$hash
hashcat -m 1800 -a 0 shadow.txt rockyou.txt -r rules/unix-ninja-lemmatization.rule

SHA256crypt $5$ (Mode 7400)

hashcat -m 7400 sha256crypt.txt rockyou.txt

MD5crypt $1$ (Mode 500)

# Legacy Linux/BSD
hashcat -m 500 md5crypt.txt rockyou.txt

# Apache htpasswd MD5
hashcat -m 1600 htpasswd.txt rockyou.txt

bcrypt $2a$/$2b$ (Mode 3200)

# Very slow - use targeted wordlist
hashcat -m 3200 bcrypt.txt passwords.txt

# With lower workload for testing
hashcat -m 3200 bcrypt.txt wordlist.txt -w 1

Web Application Hashes

MD5 (Mode 0)

# Raw MD5
hashcat -m 0 -a 0 md5.txt rockyou.txt

# MD5 with mask
hashcat -m 0 -a 3 md5.txt ?a?a?a?a?a?a?a?a

# Double MD5
hashcat -m 2600 double_md5.txt rockyou.txt

SHA1 (Mode 100)

hashcat -m 100 sha1.txt rockyou.txt

# SHA1(salt.pass)
hashcat -m 110 sha1_salt.txt rockyou.txt

# SHA1(pass.salt)
hashcat -m 120 sha1_salt.txt rockyou.txt

SHA256 (Mode 1400)

hashcat -m 1400 sha256.txt rockyou.txt

# SHA256(salt.pass)
hashcat -m 1410 sha256_salt.txt rockyou.txt

SHA512 (Mode 1700)

hashcat -m 1700 sha512.txt rockyou.txt

# SHA512(salt.pass)
hashcat -m 1710 sha512_salt.txt rockyou.txt

WordPress (Mode 400)

# phpass, WordPress MD5
hashcat -m 400 wp.txt rockyou.txt

# Format: $P$B... or $H$9...
hashcat -m 400 wordpress.txt rockyou.txt -r rules/best64.rule

Drupal7 (Mode 7900)

# SHA512 based
hashcat -m 7900 drupal.txt rockyou.txt

# Format: $S$...
hashcat -m 7900 drupal7.txt passwords.txt -O

Django PBKDF2-SHA256 (Mode 10000)

# pbkdf2_sha256$iterations$salt$hash
# Mode 124 is Django (SHA-1), for legacy sha1$salt$hash entries only
hashcat -m 10000 django.txt rockyou.txt

JWT (Mode 16500)

# JSON Web Tokens
hashcat -m 16500 jwt.txt rockyou.txt

# Format: eyJ...eyJ...signature
hashcat -m 16500 jwt.txt wordlist.txt -r rules/dive.rule

Database Hashes

MySQL 4.1/5 (Mode 300)

# MySQL5 SHA1
hashcat -m 300 mysql5.txt rockyou.txt

# Format: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
hashcat -m 300 mysql.txt rockyou.txt -O -w 3

PostgreSQL MD5 (Mode 12)

# Format: md5$salt$hash
hashcat -m 12 postgres.txt rockyou.txt

MSSQL 2012/2014 (Mode 1731)

# SHA512
hashcat -m 1731 mssql2012.txt rockyou.txt

# Format: 0x0200...
hashcat -m 1731 mssql.txt passwords.txt -r rules/InsidePro-PasswordsPro.rule

Oracle 11g/12c (Mode 112)

hashcat -m 112 oracle.txt rockyou.txt

# Format: hash:salt
hashcat -m 112 oracle11g.txt rockyou.txt -O

File/Document Hashes

PDF 1.4-1.6 (Mode 10500)

# From pdf2john.py
hashcat -m 10500 pdf.hash rockyou.txt

# Slower hash - use targeted list
hashcat -m 10500 pdf.hash passwords.txt -r rules/toggles1.rule

Office 2013/2016 (Mode 9600)

# Word 2013
hashcat -m 9600 office2013.hash rockyou.txt

# Excel 2013 (same mode as Word; 9700 is legacy MS Office <= 2003, MD5 + RC4)
hashcat -m 9600 excel2013.hash rockyou.txt

# Very slow - use masks or small wordlists
hashcat -m 9600 -a 3 office.hash ?d?d?d?d?d?d?d?d

ZIP/7-Zip (Mode 13600/11600)

# ZIP with AES
hashcat -m 13600 zip.hash rockyou.txt

# 7-Zip
hashcat -m 11600 7z.hash rockyou.txt

# From zip2john
hashcat -m 17200 pkzip.hash rockyou.txt

RAR5 (Mode 13000)

# From rar2john
hashcat -m 13000 rar5.hash rockyou.txt

# RAR3
hashcat -m 12500 rar3.hash passwords.txt

WiFi Hashes

WPA/WPA2 (Mode 22000)

# From hcxdumptool/hcxtools (.22000 format)
hashcat -m 22000 wifi.22000 rockyou.txt

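# WPA PMKID or EAPOL (both are carried in the .22000 format; .hccapx is the legacy mode 2500 format and is not read by mode 22000)
hashcat -m 22000 capture.22000 rockyou.txt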

# With common WiFi patterns
hashcat -m 22000 -a 3 wifi.22000 ?d?d?d?d?d?d?d?d  # 8 digits
hashcat -m 22000 -a 3 wifi.22000 ?h?h?h?h?h?h?h?h  # 8 hex chars

# Phone number pattern
hashcat -m 22000 -a 3 wifi.22000 555?d?d?d?d?d?d?d

WPA2 Enterprise (Mode 5500)

# NetNTLMv1 from WPA Enterprise
hashcat -m 5500 wpa_enterprise.txt rockyou.txt

Cryptocurrency

Bitcoin Wallet (Mode 11300)

# From bitcoin2john
hashcat -m 11300 bitcoin.hash rockyou.txt

# Very slow - use targeted attack
hashcat -m 11300 -a 6 wallet.hash wordlist.txt ?d?d?d?d

Ethereum Wallet (Mode 15700)

# Scrypt based - extremely slow
hashcat -m 15700 ethereum.hash passwords.txt -w 1

Litecoin (Mode 12700)

hashcat -m 12700 litecoin.hash rockyou.txt

Mask Attack Patterns

Common Masks

# Character sets
?l = lowercase     # a-z
?u = uppercase     # A-Z
?d = digit         # 0-9
?h = hex lowercase # 0-9, a-f
?H = hex uppercase # 0-9, A-F
?s = special       # !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = all           # ?l?u?d?s
?b = byte          # 0x00-0xff

# Common patterns
hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?l?d?d              # Ullllldd
hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?l?l?d?d?s         # Ullllllldd!
hashcat -m 0 -a 3 hash.txt ?d?d?d?d?d?d?d?d              # 8 digits
hashcat -m 0 -a 3 hash.txt ?l?l?l?l?l?l                  # 6 lowercase
hashcat -m 0 -a 3 hash.txt password?d?d?d?d              # password + 4 digits

# Custom charsets
-1 ?l?u -2 ?d?s -3 ?l?d -a 3 hash.txt ?1?1?1?1?2?2?3?3  # Custom mix
--custom-charset1=?l?u --custom-charset2=?d -a 3 hash.txt ?1?1?1?1?2?2?2?2

Increment Mode

# Try all lengths from 1-8 (the mask must be 8 positions long; --increment never goes past the mask length)
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a?a?a --increment --increment-min=1 --increment-max=8

# Digits from 4-8 length
hashcat -m 0 -a 3 hash.txt ?d?d?d?d?d?d?d?d --increment --increment-min=4

Rules

Built-in Rules

# Common hashcat rules
/usr/share/hashcat/rules/best64.rule          # Top 64 most effective
/usr/share/hashcat/rules/d3ad0ne.rule         # Good general purpose
/usr/share/hashcat/rules/dive.rule            # Huge ruleset
/usr/share/hashcat/rules/InsidePro-PasswordsPro.rule  # Professional
/usr/share/hashcat/rules/rockyou-30000.rule   # Based on RockYou patterns
/usr/share/hashcat/rules/OneRuleToRuleThemAll.rule  # Comprehensive (third-party file, not shipped with hashcat; obtain it separately and check its source)

# Apply multiple rules
hashcat -m 1000 hash.txt wordlist.txt -r best64.rule -r toggles1.rule

# Generate random rules
hashcat -m 0 hash.txt wordlist.txt -g 1000  # Generate 1000 random rules

Custom Rules

# Rule syntax examples
:     # Do nothing
l     # Lowercase all
u     # Uppercase all
c     # Capitalize first, lower rest
t     # Toggle case
r     # Reverse
d     # Duplicate
$1    # Append '1'
^1    # Prepend '1'
]     # Delete last
[     # Delete first
'5    # Truncate at position 5
s@a   # Substitute @ with a

# Create custom rule file
echo '$1$2$3' > append123.rule
echo 'c$!' > capitalize_bang.rule
echo '$2$0$2$4' > add2024.rule

hashcat -m 0 hash.txt wordlist.txt -r custom.rule

Hybrid Attacks

Mode 6: Wordlist + Mask

# Append 4 digits to wordlist
hashcat -m 0 -a 6 hash.txt wordlist.txt ?d?d?d?d

# Append year
hashcat -m 0 -a 6 hash.txt wordlist.txt 202?d

# Append special + digits
hashcat -m 0 -a 6 hash.txt wordlist.txt ?s?d?d

Mode 7: Mask + Wordlist

# Prepend digits to wordlist
hashcat -m 0 -a 7 hash.txt ?d?d?d?d wordlist.txt

# Common prefixes
hashcat -m 0 -a 7 hash.txt 2024 wordlist.txt

Combination Attack

Mode 1: Combine Two Wordlists

# Combine two lists
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt

# With rules on left side
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt -j '$-'

# With rules on right side
hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt -k '$!'

Performance Optimization

Workload Profiles

-w 1  # Low (minimal desktop impact)
-w 2  # Default
-w 3  # High (may cause screen lag)
-w 4  # Nightmare (headless/dedicated)

# Optimized kernels (faster but limits password length)
-O    # Enable optimized kernels (up to 32 chars)

# Manual performance tuning
--kernel-accel=1     # Workload tuning
--kernel-loops=1024  # Workload fine-tuning

GPU Settings

# Device selection
-d 1              # Use device 1
-d 1,2            # Use devices 1 and 2
-D 1              # OpenCL device types (1=CPU, 2=GPU)

# Temperature management
--hwmon-temp-abort=100  # Abort at 100°C
--hwmon-disable         # Disable temperature monitoring (the thermal abort safeguard stops working too)

# Backend/device info
hashcat -I              # Show device info
hashcat -b              # Benchmark all hash types
hashcat -b -m 1000      # Benchmark specific hash

Advanced Options

Debugging & Logging

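# Debug modes (rule debugging: record which rule produced a crack)
--debug-mode=1     # Finding rule
--debug-mode=2     # Original word
--debug-mode=3     # Original word:finding rule
--debug-mode=4     # Original word:finding rule:processed word

# Write the rule-debug output to a file (logged per crack, not per attempt)
--debug-file=debug.txt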

# Logging
--logfile-disable            # Disable logging
--outfile-check-timer=30     # Check outfile every 30 sec

Distributed Cracking

# Split work across systems
--skip=0 --limit=1000000     # First million
--skip=1000000 --limit=1000000  # Second million

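# Using brain server (tracks already-tried candidates/attacks across clients; it is not a shared potfile)
# The server line below listens on all interfaces: set --brain-password and firewall the port to the participating hosts only
hashcat --brain-client --brain-host=10.0.0.1 --brain-port=13743
hashcat --brain-server --brain-host=0.0.0.0 --brain-port=13743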

Username Handling

# Ignore usernames in hash file
--username

# Format: username:hash
admin:5f4dcc3b5aa765d61d8327deb882cf99

# Separator character used in hash lists and the outfile
--separator=:

Common Wordlists

# Popular wordlists
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
/usr/share/seclists/Passwords/Leaked-Databases/
/usr/share/wordlists/fasttrack.txt

# Generate custom wordlist
cewl https://target.com -d 2 -m 5 -w wordlist.txt
crunch 8 8 -t @@@@2024 > passwords2024.txt

Quick Examples by Scenario

Active Directory Attack

# After secretsdump
cut -d: -f4 secretsdump.txt | grep -v "31d6cfe0d16ae931b73c59d7e0c089c0" > ntlm.txt
hashcat -m 1000 ntlm.txt rockyou.txt -r best64.rule

# Kerberoast
hashcat -m 13100 kerberoast.txt rockyou.txt -O -w 3

# AS-REP roast
hashcat -m 18200 asrep.txt rockyou.txt

Web Application

# SQL dump with MD5
hashcat -m 0 sqldump.txt rockyou.txt

# Django/Flask/WordPress
hashcat -m 10000 django.txt rockyou.txt  # Django pbkdf2_sha256$ (mode 124 is only for legacy sha1$ hashes)
hashcat -m 400 wordpress.txt rockyou.txt  # WordPress

WiFi Attack

# Convert and crack
hcxpcapngtool -o wifi.22000 capture.pcapng
hashcat -m 22000 wifi.22000 rockyou.txt

# Common router defaults
hashcat -m 22000 -a 3 wifi.22000 ?d?d?d?d?d?d?d?d  # 8 digits

Targeted Corporate Attack

# Create custom wordlist
echo "Company" > company.txt
echo "Corp" >> company.txt
echo "company" >> company.txt

# Generate variations
hashcat -m 1000 -a 6 ntlm.txt company.txt ?d?d?d?d
hashcat -m 1000 -a 6 ntlm.txt company.txt 20?d?d
hashcat -m 1000 -a 6 ntlm.txt company.txt ?d?d?d?d!

# Season + Year
echo -e "Winter\nSpring\nSummer\nFall\nAutumn" > seasons.txt
hashcat -m 1000 -a 6 ntlm.txt seasons.txt 202?d!

Troubleshooting

# Common issues and solutions

# "Token length exception"
# → Check hash format, remove usernames/salts if needed

# "Line-length exception"
# → Hash is malformed or wrong mode selected

# "No hashes loaded"
# → Check file encoding (should be UTF-8 without BOM)
dos2unix hashfile.txt

# "Separator unmatched"
# → Use --username if format is username:hash

# Out of memory
# → Reduce -w value or use -O (optimized kernels)

# Temperature abort
# → Improve cooling or set --hwmon-temp-abort=95

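# Restore issues
# → Delete the .restore file if corrupted; delete the .potfile only if it is itself corrupted, and keep a copy first because it holds every previously cracked result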

Notes

  • Always try dictionary attack first before brute force
  • Use targeted wordlists based on the context (corporate, region, language)
  • Start with common/fast hashes (NTLM, MD5) before slow ones (bcrypt, scrypt)
  • Check potfile for previously cracked: hashcat -m X hash.txt --show
  • For slow hashes, use rules instead of large wordlists
  • Consider the hash algorithm's speed when planning attacks
  • Monitor GPU temperature on long runs
  • Save sessions for long-running attacks