How to Use Hashcat for Password Cracking (2024 Guide)

How to Use Hashcat

If you want to use Hashcat for password cracking, you've come to the right place.

Hashcat is a great tool for cracking passwords offline using the power of your graphics processor unit computational power. It can process an astounding number of password guesses per second, cutting down the time it takes to crack password hashes.

In this article, we will show you how to use Hashcat. We will discuss password lists, and running Hashcat in different environments, be it on a local machine, a virtual environment, or even in the cloud.

Finally, we'll provide hands-on demonstrations to show you how to deploy Hashcat to crack some of the most commonly encountered hashes.

What Is Hashcat?

Let’s look at what Hashcat is and how it can use the power of the graphics processing unit (GPU) to crack hashes. 

Hashcat

Hashcat is a popular open-source software for cracking passwords that can crack various hashes using various attack modes. 

It takes advantage of hardware acceleration from the GPU, which can perform computational tasks more efficiently than a general-purpose CPU could.

The speed of a GPU directly affects the cracking speed because a faster GPU can process more password guesses simultaneously, significantly reducing the time required to find the correct password.

Depending on the type of hash, the complexity of the password, and the GPU being used, Hashcat can test up to millions of password combinations per second during a brute force attack, greatly beyond the capacity of a CPU.

What’s a Hash?

A hash is a fixed-length string representation created from the password using a hash function.

Simply put, a hash function takes input data and returns a fixed-length string through mathematical computations. Once the data has been hashed, there is no way to reverse the process and retrieve the original data from the hash.

Here is an example of an MD5 hash of the password “password123”.

Password123

And here is the MD5 hash of the password “password1234”.

Password1234

As you can see, even though we only added a single number to the end of “password123”, it created a completely unique hash. 

Websites create a hash of the password as a measure of security to protect users' sensitive data. When a user logs in, the password entered is hashed, and if this hash matches the hash stored in the database, the user is logged in.

Password Lists for Hashcat

Now that you understand Hashcat and password hashes, let’s look at where we can find password lists to use with it.

Password Lists In Kali

Kali comes pre-packaged with wordlists that can be used for cracking passwords. The wordlist files are in the /usr/share/wordlists directory.

The one that is used the most, especially when doing a CTF (capture the flag), is the rockyou.txt file. This file is massive, It contains over fourteen million user passwords.

Password Lists In Kali
Rockyou

The rockyou.txt file comes from the over 32 million user credentials exposed due to a data breach in 2009 on the social media platform RockYou. These passwords were kept in plain text, not hashed or otherwise obfuscated. 

Other Locations for Password Lists

Another great resource for passwords is SecLists on GitHub. This list contains many password lists, including “500-worst-passwords.txt” and “darkweb2017-top10000.txt.” The password lists are collections of commonly used, default, or leaked passwords. 

Sec Lists

The right wordlist for Hashcat can significantly boost the effectiveness of password cracking by being tailored to the organization or demographic being tested. 

It should be comprehensive yet specific and consider common weak passwords, organization-specific terms, language and localization, and common password mutations. 

Hashcat in Virtual Machine, Host Machine, or the Cloud?

Now let’s discuss three options for running Hashcat.

Hashcat in a Virtual Machine

Hashcat can be run inside a virtual machine such as Kali Linux, however it will not use the GPU but the CPU instead, making it much slower. 

If you’re looking to install Kali Linux in a virtual machine, we have two great articles on installing it on VirtualBox and VMware.

It can have both advantages and disadvantages. Here's a quick rundown:

Pros:  

Environment Isolation: Running Hashcat in a VM keeps your main OS separate from your Host OS

Ease of Setup: Hashcat is already installed on Kali, making it easier to get up and running without installation or configuration.

Testing and Experimentation: Using Hashcat in a VM allows you to test and experiment without affecting your host OS.

Cons:

Performance Overhead: Running Hashcat in a VM is slower than running it on native hardware, especially due to its GPU-intensive tasks, because of the additional layer of abstraction provided by the VM. 

Hardware Access: While most VM solutions support passing through USB devices to the guest operating system, GPU passthrough (beneficial for a tool like Hashcat) can be complex and may only be supported on some systems or with some VM software.

Resource Allocation: VMs require a portion of your system's resources. Running intensive applications in a VM could impact the performance of the host system.

Hashcat on Host Machine

The decision to run Hashcat directly on the host OS versus in a VM depends on your specific needs and resources. Running Hashcat natively on the host operating system like Windows has its own set of pros and cons.

Pros:

Performance: Running Hashcat on the host OS performs better than running it inside a VM. This is because there are no additional layers of abstraction between the application and the hardware.

Simplicity: It might be simpler to install and run for users who are more comfortable working in a Windows environment than a Linux one or for those unfamiliar with setting up VMs.

Cons:

Resource Consumption: Hashcat is designed to use as much of your system's resources as possible to perform its tasks quickly. While running, your computer might be slow to respond to other tasks.

System Compatibility: While Hashcat is built to be compatible with a wide range of systems and hardware, there can always be unforeseen compatibility issues or bugs that could impact its performance or stability on some systems.

Installing Hashcat on Windows

Let’s walk you through installing Hashcat on a Windows system. 

The first step is to download the binary from the Hashcat site. 

The first step is to download the binary from the Hashcat site

Once downloaded, you will need to extract the 7Zip file, we put ours in the C:\Hashcat folder, but you can put yours wherever makes the most sense for you.

Extract the 7Zip file

To start using Hashcat in Windows, head to the command line and move into the directory you saved it. Next, you need to load hashcat.exe and any options you want to run. We'll discuss these in another section. 

Head to the command line

Hashcat in the Cloud

Running Hashcat in the cloud, like on AWS, Azure, or Google Cloud, also comes with its own set of advantages and disadvantages: 

Pros:

Scalability: Cloud platforms offer the ability to easily scale up your resources. If you need more computing power quickly, you can start a powerful GPU instance, run your task, and shut it down when you're done.

Cost-Effectiveness: You only pay for what you use. This can be much more cost-effective than buying expensive hardware, particularly if you only need it occasionally.

Access from Anywhere: Your cloud environment can be accessed from anywhere, which can be beneficial if you work from different locations or collaborate with others.

Cons:

Price: While cloud services can be cost-effective, the costs can also add up quickly if you're running powerful instances for long periods of time. GPU instances can be particularly expensive.

Complexity: While cloud platforms can offer a lot of flexibility, they can also be complex to set up and manage, particularly if you're unfamiliar with the particular service.

Legal and Ethical Considerations: Using cloud resources for cracking passwords might violate the provider's terms of service. Be sure to verify this before proceeding.

If you’re interested in setting up resources in the cloud to perform your cracking, we recommend checking out a few resources: 

Cracking With Hashcat in the Cloud

Good cloud GPU providers?

Now that you’ve seen the pros and cons of running Hashcat on a VM, host machine, or in the cloud, the choice ultimately depends on your specific requirements, resource availability, and the level of risk you're willing to accept.

How to Use Hashcat

Now that you’re ready to crack hashes with Hashcat, let’s talk about the different hashes you may encounter and how to identify them. Then, we’ll show you this tool in action. 

Hashes Available in Hashcat

The Hashcat Wiki has a great resource for finding all the hashes that work with the program. It gives you a table view of hashes.

Hashes Available in Hashcat

You can easily search through this with the find command in your browser. This will help you find which hash mode to use with the hash you need to crack. 

Command in your browser

You can also view the list of hashes from the command line using --help.

Command line

And scroll down a little until you see the section titled “Hash modes.”

Hash modes

On a Linux system, you can also use the grep command to search quickly for a specific hash, such as hashcat --help | grep md5.

Popular Hashes Used

Here are some hash types you may see as a penetration tester or ethical hacker.

SHA-256 (Secure Hash Algorithm 256-bit): This is part of the SHA-2 family and is widely used in cryptographic applications and protocols, including TLS and SSL, PGP, SSH, and Bitcoin, among others.

Here is an example of an SHA-256 hash:

f2881bb653e5a11780fad1b3a7ef2d4fd10f1cced3d71c76443d7670aa0257d8

AS-REP (Authentication Service Response): This hash is part of the Kerberos protocol used for network authentication, including in Windows Active Directory domains and some Unix environments. This hash is acquired through AS-REP roasting, which extracts users' password hashes with the activated "Do not require Kerberos preauthentication" setting.

Here is an example of a Kerberos AS-REP hash:

$krb5asrep$23$auston@xyz.local:3171EA207B3A6FDAEE52BA247C20362E$56FE7DC0CABA8CB7D3A02A140C612A917DF3343C01BCDAB0B669EFA15B29B2AEBBFED2B4F3368A897B833A6B95D5C2F1C2477121C8F5E005AA2A588C5AE72AADFCBF1AEDD8B7AC2F2E94E94CB101E27A2E9906E8646919815D90B4186367B6D5072AB9EDD0D7B85519FBE33997B3D3B378340E3F64CAA92595523B0AD8DC8E0ABE69DDA178D8BA487D3632A52BE7FF4E786F4C271172797DCBBDED86020405B014278D5556D8382A655A6DB1787DBE949B412756C43841C601CE5F21A36A0536CFED53C913C3620062FDF5B18259EA35DE2B90C403FBADD185C0F54B8D0249972903CA8FF5951A866FC70379B9DA

NTLM Hash: The NTLM hash is utilized in older Microsoft systems and applications, notably in workgroup environments and for local authentication on non-domain controllers. While it remains in use, more secure protocols like Kerberos are favored. NTLM support remains across all Windows systems to maintain compatibility with older server and client setups.

Here is an example of an NTLM hash: 

58A478135A93AC3BF058A5EA0E8FDB71

For a great representation of how NTLM works, see our article “Pass the Hash Attacks: How to Make Network Compromise Easy.”

Identify Hashes

If you come across a hash and aren’t sure what hashing algorithm is being used, some tools can help you identify them, such as Hash-Identifer or hashID. 

hashID replaces Hash-Identifier, although it can still be used and is installed by default on Kali. 

hashID can be installed from the command line using the following.

pip install hashid

Once installed, you simply type hashid -m and the hash you need to be identified, as seen below. This will show the corresponding Hashcat mode alongside the potential hash. Let’s take the following hash and put it into hashID.

7eb126739275d3717e981a78311dbdf6f71b7a74

hashid -m

The hash is identified as being a SHA-1 hash. 

These tools do their best at guessing the correct hash but may not be able to accurately identify all hashes you input. Understanding the technology you are working with will go a long way in knowing which hash is being used.

Using Hashcat 

Now we will show you how to crack multiple hashes using Hashcat. 

Hashcat can run different attacks, such as a dictionary, combination, mask, and hybrid, but we will use the dictionary attack for our demo. 

In dictionary attacks, each word in the password file is hashed and compared with the target hashes. If the hashes match, then the original password has been found. 

You can run a basic Hashcat dictionary attack using the following command.

hashcat -m 0 -a 0 hash.txt wordlist.txt

  • hashcat: This is the main command to run the Hashcat program (on Windows, use hashcat.exe).
  • -m 0: This is the option for the hash type. In this case, 0 represents MD5. The value here would change depending on the hash type you are trying to crack. For instance, -m 1000 would be used for NTLM hashes.
  • -a 0: This is the attack mode. In this case, 0 stands for "straight" mode, a dictionary attack.
  • hash.txt: This file contains the hash or hashes you're trying to crack. It should be a text file with one hash per line.
  • wordlist.txt: This is your dictionary or list of potential passwords. Like the hash file, this should be a text file with one entry per line.

Hahscat can be used with other options, depending on what you need. Here are some examples:

  • -r: This option allows you to specify a rules file. Rules in Hashcat allow you to modify the words from your wordlist in certain ways, which can greatly expand the number of potential passwords you're testing. For example, a rule could be to try the word in lowercase and uppercase or to append certain numbers to the end of the word.
  • --debug: This option enables debug mode. In debug mode, Hashcat will provide additional output to help you troubleshoot issues. For instance, if you're using a rules file, debug mode can show you exactly how the rules modify the words from your wordlist.
  • --force: This option forces Hashcat to start even if it detects that your system might not be capable of running it correctly. Using this option's generally only recommended if you know what you're doing, as it could lead to incorrect results or even damage your hardware.

Let’s try to crack two of the hashes from our popular hashes section. We will be using the rockyou.txt as our wordlist file.

This demonstration will show you how to run Hashcat in Windows, but it’s the same syntax when you run this in Linux. Ensure that you save the hash as a .txt file. 

Our first hash is the Kerberos AS-Rep one shown in the previous section. 

hashcat.exe -m 18200 asrep.txt -a 0 rockyou.txt

Let’s try to crack two

And we’ve cracked the password in only two seconds. As you can see, the weaker the password, the easier for Hashcat to crack.

You're likely to encounter the NTLM hash, our second hash type, quite frequently if you're pursuing a career as a penetration tester or interested in learning to attack Active Directory. The NTLM hash is still frequently used today in Windows operating systems.

The syntax you need to use is:

hashcat.exe -m 1000 ntlmhash.txt -a 0 rockyou.txt 

The syntax you need to use is

This time we have the password cracked in only three seconds. 

Conclusion

Hashcat is a potent tool that can be deployed to crack a diverse range of hashed passwords, from SHA-256 to NTLM and Kerberos. Hashcat can swiftly crack many passwords by harnessing your GPU's power using a dictionary attack.

You've now learned how Hashcat works and how to use it. Additionally, you've discovered that Hashcat can run in various environments, including in a virtual machine (VM) or the cloud, expanding its versatility.

If you’re ready to level up your skills, join our StationX Accelerator for a massive selection of courses.

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Richard Dezso

    Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.

  • James says:

    So nice

  • >