⚠️ Authorised Systems Only. All Hashcat exercises in this lesson must be performed on hashes you legally own or have explicit written permission to crack — your own test accounts, your own lab systems, or authorised penetration test targets. Cracking hashes without authorisation violates computer misuse legislation regardless of whether you succeed.
Hashcat Tutorial Kali Linux 2026 :— Day 18 built the wordlist. Day 19 fires it at GPU speed. Hashcat is the industry-standard offline password cracker, capable of testing billions of password candidates per second against captured hashes when GPU acceleration is available. The speed difference between CPU and GPU cracking is not incremental — it’s transformational. An MD5 hash that takes a CPU 40 minutes to exhaust a wordlist against takes a mid-range GPU under two seconds. Understanding Hashcat’s attack modes, hash type identification, rule application, and mask construction separates penetration testers who recover passwords from those who run tools without results. This lesson covers every mode you’ll use in practice.
🎯 What You’ll Master Today
Identify hash types using hashid and length/structure recognition before cracking
Benchmark Hashcat on your hardware to understand speed and crack-time estimation
Execute dictionary attacks (Mode 0) with rockyou.txt and custom Crunch wordlists
Apply rule files (best64.rule, OneRuleToRuleThemAll) for intelligent password mutation
Build mask attacks (Mode 3) for known-pattern password patterns like Company2026!
Combine modes, manage sessions, and recover cracked hashes from the potfile
⏱️ 50 min · 3 terminal exercises · Kali Linux required
📋 Prerequisites — Complete Before Day 19
Day 18: Crunch Tutorial — understand custom wordlist generation; Day 19 uses your Crunch lists directly as Hashcat input
Day 10: Metasploit Tutorial — post-exploitation scenarios produce the NTLM and SAM hashes that Hashcat cracks
Hash Type Identification — Finding the Right -m Mode
Hashcat requires you to specify the hash type with the -m flag. Using the wrong mode number produces zero results because Hashcat generates hashes of the specified type and the comparison never matches. Hash identification is therefore the essential first step before running any crack attempt. There are three reliable methods to determine hash type before cracking.
The first method is visual recognition by length and character set. MD5 produces a 32-character hexadecimal string. SHA-1 produces 40 characters. SHA-256 produces 64 characters. NTLM produces 32 hex characters but looks identical to MD5 — context determines which it is (Windows system = NTLM). Bcrypt hashes begin with $2y$ or $2b$. SHA-512crypt begins with $6$. WPA2-PMKID hashes from hcxtools begin with the PMKID field format. Once you recognise these patterns, identification becomes instant.
The second method is the hashid tool on Kali, which analyses a hash string and returns the most likely algorithm along with the Hashcat mode number. The third method is consulting the Hashcat hash mode reference at hashcat.net — a searchable list of all 300+ supported hash types with example hashes for verification. For any unfamiliar hash encountered in a penetration test, the reference confirms the exact mode before spending time on a crack attempt.
Before starting any serious crack operation, run Hashcat’s built-in benchmark to understand your hardware’s capabilities. The benchmark reveals actual speeds for every hash type, which determines whether a given attack is feasible in your timeframe. It also reveals whether Hashcat is successfully using your GPU — a common issue in VM environments.
On modern GPU hardware, MD5 cracking rates typically reach 10,000–50,000 MH/s (million hashes per second), meaning rockyou.txt (14 million entries) exhausts in under one millisecond. NTLM is similarly fast. Bcrypt ($2b$) is intentionally slow — GPU rates of 50,000 hashes per second are typical, meaning a full rockyou.txt attack takes hours. SHA-512crypt ($6$) lands between these extremes. Understanding these speeds informs your attack strategy: fast hashes justify large wordlists and all rule sets; slow hashes require more targeted approaches.
BENCHMARKING — HARDWARE SPEED TEST
# Full benchmark — all hash types (takes several minutes)
hashcat -b
# Benchmark specific hash type only (faster)
hashcat -b -m 0
* Device #1: NVIDIA GeForce RTX 4070, …
Benchmark relevant algorithms…
* Hash-Mode 0 (MD5)
Speed.#1………: 18234.5 MH/s (53.14ms)
# VM without GPU — use –force to run on CPU
hashcat -b -m 0 –force
* Hash-Mode 0 (MD5)
Speed.#1………: 245.6 MH/s (CPU)
# GPU: ~74× faster than CPU for MD5
# Estimate crack time before running
wc -l /usr/share/wordlists/rockyou.txt
14344391
# 14.3M words / 18,234 MH/s = 0.00078 seconds on GPU
# 14.3M words / 245 MH/s = 0.058 seconds on CPU
securityelites.com
Hashcat — GPU vs CPU Speed by Hash Type
Hash Type
GPU Speed
CPU Speed
Mode
MD5
18,000 MH/s
245 MH/s
0
NTLM
32,000 MH/s
410 MH/s
1000
SHA-256
7,200 MH/s
90 MH/s
1400
bcrypt
50 KH/s
1 KH/s
3200
WPA2-PMKID
1,200 KH/s
15 KH/s
22000
📸 Hashcat GPU vs CPU speed comparison by hash type. MD5 and NTLM are computationally cheap — GPU cracking exhausts rockyou.txt in under a second. bcrypt is intentionally expensive — the same wordlist takes 4+ hours even on GPU. This table determines your attack strategy: fast hashes justify exhaustive wordlists and all rule sets; slow hashes like bcrypt require targeted lists built with intelligence, not brute-force enumeration.
Dictionary Attacks — Mode 0 with Wordlists
Mode 0 is the dictionary attack — Hashcat takes each entry from your wordlist, hashes it with the specified algorithm, and compares against the target hash file. It is the starting point for all crack attempts because rockyou.txt alone cracks 40–60% of MD5 and NTLM hashes from real-world databases within seconds on GPU hardware. Dictionary attacks use the -a 0 flag (which is the default, so -a 0 can often be omitted).
The wordlist input can be any text file with one password candidate per line — rockyou.txt for broad coverage, or the targeted Crunch list from Day 18 for precision attacks against specific environments. Multiple wordlists can be specified in sequence. The -o flag writes cracked hashes to an output file. The --show flag at the end of any hashcat run displays all hashes already cracked and stored in the potfile, preventing unnecessary re-cracking of already-solved hashes.
DICTIONARY ATTACK — MODE 0 COMPLETE SYNTAX
# Basic dictionary attack on MD5 hashes
hashcat -m 0 -a 0 md5_hashes.txt /usr/share/wordlists/rockyou.txt
# NTLM hashes from Windows SAM dump (most common pentest scenario)
# Watch the status: press ‘s’ during run to see speed and progress
# Step 4: View cracked results
cat /tmp/cracked_md5.txt
482c811da5d5b4bc6d497ffa98491e38:password123
0d107d09f5bbe40cade3de5c71e9e9b7:letmein
f25a2fc72690b780b2a14e140ef6a9e0:iloveyou
# Step 5: Verify with –show flag
hashcat -m 0 /tmp/test_md5.txt –show
# Potfile stores results — –show works without re-running
✅ What you just learned: The exercise establishes the full hash lifecycle: create hash → save to file → crack with wordlist → view results. The –show flag demonstrates the potfile — Hashcat’s persistent crack cache that stores all previously cracked hashes. Any hash already in the potfile returns instantly without re-cracking. For the penetration test workflow, this means dumping new hashes into a file and running Hashcat against it will immediately reveal any passwords already cracked in previous sessions.
📸 Screenshot the cracked output showing all three hash:password pairs. Post to #day-19-hashcat on Discord.
Rule-based attacks are the most efficient crack technique for real-world environments. Rules apply transformations to wordlist entries before hashing them — capitalising the first letter, appending digits, substituting letters for numbers, adding a trailing special character. A single wordlist entry like “password” becomes dozens of candidates: Password, PASSWORD, p@ssword, password1, Password1!, and so on. This covers the exact mutations that corporate password policies force users to make, which is why rockyou.txt + best64.rule outperforms much larger wordlists alone.
Kali Linux includes Hashcat’s full rule library at /usr/share/hashcat/rules/. The most important rule files are best64.rule (64 high-yield transformations, fastest to run), dive.rule (hundreds of thousands of rules for thorough coverage), and OneRuleToRuleThemAll.rule (a community-curated comprehensive set). For corporate NTLM hash dumps, best64.rule typically cracks an additional 15–25% of hashes that plain rockyou.txt misses.
RULE-BASED ATTACKS — SYNTAX AND KEY RULE FILES
# Dictionary + rules: add -r flag with rule file path
📸 The best64.rule transformation effect on a single word. One entry becomes 64 candidates covering all the mutations corporate password policies force users to make — capitalisation, digit appending, leet substitution, special character addition. Applied to rockyou.txt, this generates 915 million candidates from 14.3 million words — an attack that still completes in seconds on GPU for MD5/NTLM and catches the 15–25% of passwords that plain wordlist attacks miss.
Mask Attacks — Mode 3 for Pattern-Based Cracking
Mask attacks (Mode 3) generate all character combinations matching a specific pattern you define using placeholder characters. Unlike brute force which tries every combination of every character, masks focus on a specific structure — for example, all 8-character passwords that start with an uppercase letter, followed by five lowercase letters, followed by two digits. This dramatically reduces the keyspace compared to pure brute force while covering the exact pattern of a known password convention.
Hashcat’s mask characters are: ?l for any lowercase letter (a–z), ?u for any uppercase letter (A–Z), ?d for any digit (0–9), ?s for any special character, and ?a for all printable ASCII. You can also define custom charsets with -1 through -4 flags for specific character combinations. Masks integrate naturally with OSINT intelligence: if you discover a company uses Company+Year+! as a password convention, -t CompanyYear?s in Crunch or the equivalent Hashcat mask covers the entire space efficiently.
✅ What you just learned: This exercise demonstrates exactly why rules are essential — mutations like Password1, p@ssw0rd, and letmein! are not in rockyou.txt but are produced by best64.rule applied to the base words password, letm3in. The failure of the plain dictionary followed by the success with rules shows the real-world crack rate increase. The mask attack on a 4-digit PIN shows how Hashcat exhausts small known-structure keyspaces almost instantly — a PIN has only 10,000 combinations, which is trivial even on CPU.
📸 Screenshot the –show output confirming all three mutation hashes cracked. Post to #day-19-hashcat on Discord.
Hybrid Attacks, Session Management and the Potfile
Hybrid attacks combine wordlists with masks to cover the extremely common pattern of a common word with digits or special characters appended. Mode 6 appends a mask to each wordlist entry — so “password” from rockyou.txt becomes password0000 through password9999 with ?d?d?d?d. Mode 7 prepends the mask. For corporate environments where employees are forced to add “Year!” to their base password (“summer2026!”), Mode 6 with ?d?d?d?d?s covers the entire year+special combination space applied to every word in your list.
Session management is essential for long-running crack operations. Use --session=name to name a crack session. If the terminal closes or the machine reboots, restore with --restore. Press s during a running session to see current status including speed, estimated time, and percentage complete. The potfile (~/.local/share/hashcat/hashcat.potfile) stores all cracked hashes permanently — running --show against a hash file returns previously cracked results instantly without repeating the crack.
securityelites.com
Hashcat — Session Status Screen (press ‘s’ during run)
hashcat (v6.2.6) starting in restore…
Session……..: ntlm_corporate
Status………: Running
Hash.Mode……: 1000 (NTLM)
Hash.Target….: ntlm_dump.txt
Recovered……: 47/203 (23.15%) Digests
Speed.#1…….: 28,432.7 MH/s
Progress…….: 8,834,971,648/14,344,391 (61.59%)
ETA…………: 00:00:01
Candidates.#1..: passw0rd1 -> passw0rd9
📸 Hashcat session status screen shown by pressing ‘s’ during a running crack. Key fields to monitor: Recovered (how many hashes cracked so far out of total), Speed (current hash rate), Progress (how far through the wordlist/keyspace), and ETA (estimated time to completion). The session name allows this exact job to be restored if interrupted. “Candidates” shows the current word being tested, confirming the rule transformations are running correctly.
WPA2 Hash Cracking with Hashcat
WPA2 cracking with Hashcat requires converting the captured handshake or PMKID to Hashcat’s hccapx or 22000 format using hcxtools. Once converted, the crack process is identical to any other hash mode — specify -m 22000 and run your wordlist or mask attack. The key difference from Windows NTLM cracking is speed: WPA2 PBKDF2 is computationally expensive, providing 1–2 million hashes per second on GPU hardware vs billions per second for NTLM. This makes rockyou.txt attacks on WPA2 feasible (14 minutes on a modern GPU) but exhaustive mask attacks impractical — targeted Crunch wordlists using the network name and known conventions are far more effective.
Day 18 → Day 19 Chain in Practice: The full credential attack workflow is: (1) Collect intelligence — SSID, company name, known date patterns, discovered usernames from Day 17 WPScan. (2) Day 18 Crunch — generate a 5,000-word targeted list using that intelligence: crunch 10 10 -t CompanyName%%%% -o targeted.txt. (3) Day 19 Hashcat — crack the captured WPA2 handshake with the targeted list: hashcat -m 22000 handshake.hc22000 targeted.txt. A 5,000-word targeted list takes under a second. It either cracks the password or it doesn’t — there is no wasted time on 14 million irrelevant entries.
✅ What you just learned: Mode 6 hybrid attack covers one of the most common corporate password patterns — a dictionary word with a PIN or year appended. “welcome2026”, “summer1234”, “password2025” — these all appear complex but are trivially cracked by a hybrid attack that combines rockyou.txt with ?d?d?d?d. The session management exercise shows how to handle long crack jobs in professional engagements: name sessions, resume after interruption, and always check the potfile before starting a new crack to avoid redundant work.
📸 Screenshot the hybrid attack output showing all three hashes cracked. Post to #day-19-hashcat on Discord. Tag #day19complete
⚠️ GPU in VM Warning: In a VirtualBox or VMware Kali VM without explicit GPU passthrough configured, Hashcat runs on CPU only. Always add --force for VM environments. Actual penetration testing engagements with large hash dumps should be run on bare-metal Kali or a cloud GPU instance (AWS p3.2xlarge, Google Cloud g2-standard-4). The speed difference is 50–200× — a job that takes 8 hours on CPU takes minutes on GPU, which matters significantly for time-boxed assessments.
🧠 QUICK CHECK — Day 19 Hashcat
You have 200 NTLM hashes from a Windows SAM dump. After running rockyou.txt with Mode 0, 85 hashes remain uncracked. What is the single best next step to crack the most additional hashes with the least additional time?
📋 Hashcat Quick Reference — Day 19
hashcat -b -m 0Benchmark MD5 speed on your hardware before starting any crack
hashcat -m 1000 -a 0 hashes.txt rockyou.txtDictionary attack on NTLM hashes with rockyou.txt
hashcat -m 0 -a 6 hashes.txt rockyou.txt ?d?d?d?dHybrid Mode 6 — wordlist with 4-digit suffix (summer2026)
hashcat -m 0 hashes.txt –showDisplay all previously cracked hashes from potfile without re-running
–session=name / –restoreName long sessions for resume if interrupted
🏆 Mark Day 19 Complete — Hashcat GPU Password Cracking
The credential attack chain is complete: Day 17 WPScan discovers targets, Day 18 Crunch builds precision wordlists, Day 19 Hashcat cracks the hashes. Day 20 covers Medusa — parallel online brute force for SSH, FTP, HTTP, and 20+ live services.
❓ Frequently Asked Questions — Hashcat Kali Linux 2026
What is Hashcat and how does it work?
Hashcat is an open-source GPU-accelerated password cracker that recovers plaintext passwords from hashes. It generates password candidates from wordlists, masks, or rules, hashes each candidate with the target algorithm, and compares against captured hashes. It supports 300+ hash types including MD5, NTLM, SHA-256, bcrypt, and WPA2-PMKID.
What is the difference between Hashcat attack modes?
Mode 0: dictionary (wordlist only). Mode 0+rules: wordlist with transformations applied. Mode 1: combinator (two wordlists combined). Mode 3: mask/brute-force (all combinations matching a character pattern). Mode 6: hybrid wordlist+mask (appends mask to wordlist words). Mode 7: hybrid mask+wordlist (prepends). Dictionary+best64.rule covers 80%+ of real-world passwords in most environments.
How do I find the Hashcat -m mode number for my hash?
Three ways: use hashid [hash_value] tool on Kali; run hashcat –help | grep -i [algorithm_name]; or check hashcat.net for the full hash mode reference. Common modes: 0=MD5, 100=SHA-1, 1000=NTLM, 1400=SHA-256, 1800=SHA-512crypt, 3200=bcrypt, 22000=WPA2-PMKID.
Why does Hashcat say ‘No devices found’ in Kali?
In a VM without GPU passthrough, Hashcat can’t access the host GPU. Add –force flag to run on CPU. For GPU access, install Kali on bare metal or configure GPU passthrough in your VM. Cloud GPU instances (AWS p3, GCP T4) are the practical alternative for large hash dumps in VMs.
How long does Hashcat take to crack a password?
Depends on hash type and hardware. MD5/NTLM on GPU: rockyou.txt in under 1 second. bcrypt on GPU: rockyou.txt in 4+ hours. WPA2 on GPU: 14 minutes for rockyou.txt. Mask attacks depend on pattern size — a 4-digit PIN takes milliseconds; 8 mixed characters takes days. Always benchmark first to estimate time.
What comes after Hashcat in the Kali Linux course?
Day 20 covers Medusa — parallel online brute force for SSH, FTP, HTTP, and 20+ live services. Where Hashcat cracks hashes offline at GPU speed, Medusa tests live credentials against running services. Together they cover both the offline and online credential attack phases.
← Previous
Day 18: Crunch — Custom Wordlists
Next →
Day 20: Medusa — Parallel Brute Force
📚 Further Reading
Day 18: Crunch Tutorial — Custom Wordlists— Builds the targeted wordlists Hashcat cracks — the Day 18 → Day 19 chain is the most efficient credential recovery workflow in the course.
Kali Linux 180-Day Course Hub— Full course overview — Day 19 Hashcat completes the wordlist attack chain that began with Day 17 WPScan and Day 18 Crunch.
GPU vs CPU Password Cracking Speed Comparison 2026— Full benchmark comparison across hardware tiers — helps teams decide whether to invest in a cracking rig or use cloud GPU for penetration test engagements.
Hashcat Official Wiki— Complete hash mode reference, attack mode documentation, rule syntax, and example commands — the definitive Hashcat reference for all supported algorithms and configurations.
Hashcat Rules GitHub Repository— Full collection of Hashcat rule files including best64.rule and OneRuleToRuleThemAll — browse the rule syntax to understand exactly what transformations each rule applies.
ME
Mr Elite
Owner, SecurityElites.com
The moment Hashcat clicked for me was during a corporate pentest where we’d dumped 400 NTLM hashes from a domain controller. Plain rockyou.txt cracked about 180 of them in three seconds. I added best64.rule and got another 90 in under a minute — that’s 90 more employee passwords recovered without any additional intelligence work, just by applying transformations the users had made to their passwords to meet the “must have uppercase, number, and special character” policy. The remaining 130 included some high-privilege accounts. I built targeted masks based on the company name and founding year from LinkedIn. Twenty minutes of Crunch + Hashcat later: CIO password, 3 domain admins, 2 service accounts. The entire privilege escalation path from those 400 hashes took less than an hour on a laptop.
