Documentation Index
Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
Use this file to discover all available pages before exploring further.
Basic Syntax
hashcat -m <HASH_TYPE> -a <ATTACK_MODE> hash.txt wordlist.txt
Common Options
| Option | Description |
|---|
-m | Hash type |
-a | Attack mode |
-o | Output file |
-r | Rules file |
--force | Ignore warnings (CPU only) |
--show | Show cracked hashes |
--left | Show uncracked hashes |
-w 3 | Workload profile (1-4, higher = faster) |
--potfile-disable | Don’t save to potfile |
--username | Hash file contains usernames |
-O | Optimized kernels (faster, limits password length) |
Attack Modes
| Mode | Name | Example |
|---|
0 | Dictionary | hashcat -m 0 -a 0 hash.txt rockyou.txt |
1 | Combination | hashcat -m 0 -a 1 hash.txt list1.txt list2.txt |
3 | Brute-force / Mask | hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a |
6 | Dictionary + Mask | hashcat -m 0 -a 6 hash.txt rockyou.txt ?d?d?d |
7 | Mask + Dictionary | hashcat -m 0 -a 7 hash.txt ?d?d?d rockyou.txt |
Mask Charsets
| Charset | Meaning |
|---|
?l | Lowercase (a-z) |
?u | Uppercase (A-Z) |
?d | Digits (0-9) |
?s | Special chars |
?a | All printable (?l?u?d?s) |
?b | All bytes (0x00-0xff) |
Custom Charset
hashcat -m 0 -a 3 hash.txt -1 ?l?d ?1?1?1?1?1?1?1?1
Mask with Known Pattern
# Password1 to Password9999
hashcat -m 0 -a 3 hash.txt "Password?d?d?d?d"
# Summer2024! pattern
hashcat -m 0 -a 3 hash.txt "?u?l?l?l?l?l?d?d?d?d?s"
# Company name + digits
hashcat -m 0 -a 6 hash.txt company_names.txt "?d?d?d?d"
Common Hash Types
Linux
| Mode | Hash | Example |
|---|
500 | MD5crypt | $1$salt$hash |
1800 | SHA-512crypt | $6$salt$hash |
7400 | SHA-256crypt | $5$salt$hash |
28400 | yescrypt | $y$salt$hash |
3200 | bcrypt | $2*$rounds$hash |
Windows
| Mode | Hash | Example |
|---|
1000 | NTLM | aad3b435... |
3000 | LM | Legacy |
5600 | NetNTLMv2 | user::domain:challenge:hash:blob |
5500 | NetNTLMv1 | Legacy |
Kerberos
| Mode | Hash | Example |
|---|
13100 | Kerberoast TGS (RC4) | $krb5tgs$23$... |
18200 | AS-REP Roast | $krb5asrep$23$... |
19600 | Kerberos AES128 | $krb5tgs$17$... |
19700 | Kerberos AES256 | $krb5tgs$18$... |
Web / Application
| Mode | Hash | Example |
|---|
0 | MD5 | 5d41402abc4b2a76b9719d911017c592 |
100 | SHA1 | aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d |
1400 | SHA256 | e3b0c44298fc1c149afbf4c8996fb924... |
1700 | SHA512 | Full hash |
400 | WordPress (phpass) | $P$B... |
3200 | bcrypt (Blowfish) | $2a$... |
16500 | JWT | eyJhbG... |
11600 | 7-Zip | $7z$... |
Database
| Mode | Hash | Example |
|---|
300 | MySQL4.1+ | *hash |
200 | MySQL323 | Legacy |
1731 | MSSQL (2012/2014) | 0x0200... |
12 | PostgreSQL | md5hash |
Wireless
| Mode | Hash | Example |
|---|
22000 | WPA-PBKDF2-PMKID+EAPOL | .hc22000 |
2500 | WPA/WPA2 (legacy) | .hccapx |
16800 | WPA-PMKID-PBKDF2 | PMKID |
Other
| Mode | Hash | Example |
|---|
1600 | Apache apr1 | $apr1$salt$hash |
1500 | DES (Unix) | Legacy |
7900 | Drupal7 | $S$... |
13400 | KeePass | $keepass$... |
16600 | Electrum Wallet | |
22500 | MultiBit Classic | |
Rules
Rules modify wordlist entries on the fly (append digits, capitalize, etc.).
Built-in Rules
# Best rules (most efficient)
hashcat -m 1000 -a 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Comprehensive
hashcat -m 1000 -a 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
# OneRuleToRuleThemAll
hashcat -m 1000 -a 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
Common Rule Files
| File | Rules | Speed |
|---|
best64.rule | 64 | Fast |
toggles1.rule | 15 | Fast |
d3ad0ne.rule | 34,101 | Medium |
rockyou-30000.rule | 30,000 | Medium |
dive.rule | 99,092 | Slow |
OneRuleToRuleThemAll.rule | 51,995 | Medium |
Stack Multiple Rules
hashcat -m 1000 -a 0 hash.txt rockyou.txt -r rule1.rule -r rule2.rule
Custom Rule Syntax
| Function | Description | Example |
|---|
: | Do nothing | |
l | Lowercase all | password |
u | Uppercase all | PASSWORD |
c | Capitalize first | Password |
t | Toggle case | pASSWORD |
$X | Append char X | password1 |
^X | Prepend char X | 1password |
d | Duplicate word | passwordpassword |
r | Reverse | drowssap |
sXY | Replace X with Y | p@ssword |
echo -e 'c\nc$1\nc$!\nc$1$!' > custom.rule
hashcat -m 1000 -a 0 hash.txt rockyou.txt -r custom.rule
Common Cracking Workflows
NTLM (Windows)
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
NetNTLMv2 (Responder)
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Kerberoast
hashcat -m 13100 tgs_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
AS-REP Roast
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
Linux Shadow (/etc/shadow)
hashcat -m 1800 shadow_hash.txt /usr/share/wordlists/rockyou.txt
Wi-Fi WPA2
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt
WordPress
hashcat -m 400 wp_hashes.txt /usr/share/wordlists/rockyou.txt
MD5 (Generic)
hashcat -m 0 md5_hashes.txt /usr/share/wordlists/rockyou.txt
Identify Hash Type
hashcat --identify hash.txt
# hashid
pip install hashid
hashid '$6$salt$hash'
# hash-identifier
hash-identifier
# haiti
gem install haiti
haiti '$6$salt$hash'
Useful Commands
Show Cracked
hashcat -m 1000 hash.txt --show
Resume Session
hashcat --restore
hashcat --session=mysession --restore
Benchmark
hashcat -b
hashcat -b -m 1000
Status While Running
Press s during execution for status.
GPU Setup
Hashcat uses GPU by default — massively faster than CPU. Needs proper drivers.
Check Detected Devices
Shows all OpenCL/CUDA devices. If no GPU listed → driver issue.
Required Drivers
| GPU | Driver |
|---|
| NVIDIA | NVIDIA Driver 520+ (includes CUDA) |
| AMD | ROCm (Linux) or Adrenalin (Windows) |
| Intel | Intel OpenCL Runtime |
NVIDIA Setup (Linux)
# Check if NVIDIA driver installed
nvidia-smi
# Install on Kali/Debian
sudo apt install nvidia-driver nvidia-cuda-toolkit
# Reboot required
sudo reboot
NVIDIA Setup (Windows)
Download latest Game Ready or Studio driver from nvidia.com. CUDA included.
AMD Setup (Linux)
# ROCm (recommended for hashcat)
# Follow AMD ROCm installation guide for your distro
# https://rocm.docs.amd.com
# Verify
rocminfo
clinfo
Select Specific Device
# Use device 1 only
hashcat -m 1000 hash.txt wordlist.txt -d 1
# Use multiple GPUs
hashcat -m 1000 hash.txt wordlist.txt -d 1,2
# Force OpenCL
hashcat -m 1000 hash.txt wordlist.txt -D 2
# Force CUDA (NVIDIA only)
hashcat -m 1000 hash.txt wordlist.txt -D 2
Device Types (-D)
| Value | Type |
|---|
1 | CPU |
2 | GPU |
3 | FPGA/DSP |
Temperature Control
# Abort at 90°C (default)
hashcat --hwmon-temp-abort=90
# Disable temperature limit
hashcat --hwmon-disable
# Check temperature during run
# Press 's' for status
VM / Cloud GPU
# If running in VM, may need --force
hashcat --force -m 1000 hash.txt wordlist.txt
# AWS p3/p4 instances (NVIDIA Tesla)
# Install CUDA toolkit, then hashcat works normally
Running hashcat without GPU is extremely slow. A single NVIDIA RTX 4090 cracks ~160 billion MD5/sec vs ~50 million on CPU. Always use GPU.
| Tip | Command |
|---|
| Use GPU | Default (auto-detected) |
| Optimized kernels | -O (faster, max 32 chars) |
| High workload | -w 3 or -w 4 |
| Select GPU only | -D 2 |
| Multiple GPUs | -d 1,2 |
| Check devices | -I |
| Benchmark GPU | -b |
| Disable potfile | --potfile-disable |
| Temp control | --hwmon-temp-abort=95 |
Wordlists
# Kali default
/usr/share/wordlists/rockyou.txt
# SecLists
https://github.com/danielmiessler/SecLists
# CeWL (custom from website)
cewl https://target.com -d 3 -m 5 -w custom_wordlist.txt