Hashcat Cheat Sheet

As a penetration tester we can’t ignore hash cracking if we even can do pass-the-hash. Hash cracking could be one of the last resort if nothing work. Hashcat is the most popular and fastest program to crack password hash. I have included most common technique that can be used in hashcat to crack password hash.


apt install cmake build-essential -y
apt install checkinstall git -y
git clone https://github.com/hashcat/hashcat.git
make && make install

Performance on nVidia 3080 Ti

Performance check for all supported hash:

hashcat -b

Here is the full output

Performance check for specific hash:

hashcat -b -m 100


Hashcat Basic Command

#Available commands
hashcat --help

#Identify hash
hashcat --identify hash.txt

#Restore Session
hashcat --restore
hashcat --restore --session session_name


This command will make a dictionary attack against SHA1 hash by specifying session name

#Start Brute Forcing
hashcat -a 0 -m 100 --session session1 hash.txt pass.txt

#Restore later, if you terminated the brute force
hashcat --restore --session session1

-a 0 is the attack mode, -m 100 is the hash type, --session session1 is the session name to restore later

Attack Mode

Attack mode:

#Attack Mode                    -a digit
1. Dictionary Attack            -a 0 
2. Combination Attack           -a 1 
3. Brute Force Attack            -a 3
4. Mask Attack and Hybrid        -a 6 or 7
5. Rule Based Attack            
6. Association                    -a 9

Dictionary Attack

If this attack mode is used, hashcat will use a dictionary file to check against the hash/hashes. The dictionary file could be rockyou.txt or other better one.

hashcat -a 0 -m 100 --session session1 hash.txt words.txt

Combination Attack

This attack mode combine two dictionary to make valid passwords. For example if we have words.txt contains:


And words1.txt


Then with this attack mode password word will be generated contains:


hashcat -a 1 -m 100 hash.txt words.txt words1.txt

Valid password will be generated:


It is also possible to append or prepends additional characters:

hashcat -a 1 --rule-left='$#' --rule-right='$$' --stdout words.txt words1.txt
hashcat -a 1 -m 100 --rule-left='$#' --rule-right='$$' words.txt words1.txt

Brute Force Attack

Traditionally brute force mean, try all possible words combination of a-zA-z~!@#$%^&*()_+=|\]}{/ which is not realistic(at least for me). If we want to brute force e61a5821062add06b1b6e96a228c378d6f187cec with length of 8, the command is:

hashcat -a 3 -m 100 -O -1 ?u?l?s?d /tmp/hash.txt ?1?1?1?1?1?1?1?1

It needs more than 3 days:

Imagine, how long hashcat needs to crack a hash of 10 chars password(2 years?).

Mask and Charsets

From Hashcat website:

Hashcat charsets:

?l = abcdefghijklmnopqrstuvwxyz
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

So a custom charsets can be like:

-1 ?l?u?d
-1 ubcdefUBCDEF?s?d

Using custom charset technique we still can crack the password in a short time:

hashcat -a 3 -m 100 -O -1 esTt?d?s /tmp/hash.txt Test?1?1?1?1?1?1

hashcat -a 3 -m 100 -O -1 Test?d?s /tmp/hash.txt ?d?d?d?s

The requirement for this to work we need to know/guess the Password length, and first few chars. But if we know nothing about the password then best bet is Rule based attack with a good dictionary.

Association attack

This is a new feature added to hashcat which is use an username, a filename, a hint, or any other pieces of information which could have had an influence in the password generation to attack one specific hash.

hashcat -m 3200 has1.txt words.txt -o result.txt -a 9 -r /opt/hashcat/rules/best64.rule

Hybrid Attack

Hybrid attack is combined dictionary with Brute force attack. This mean, the brute force word will be appended or prepended.

As an example the words.txt contains:


If we want to add all possible 4 digits at the end of each word in the words.txt, following command will do the trick:

.... -a 6 words.txt ?d?d?d?d

and if we want to prepend:

.... -a 7 ?d?d?d?d words.txt

As a demonstration, hashcat is in --stdout mode:

test@redtm: hashcat -a 6 --stdout words.txt ?d

test@redtm: hashcat -a 6 -j '^#' --stdout words.txt ?d

If appended then -a 6 and if prepended -a 7

#Appened brute force digits and also prepend an special char
#Cracked- 03174b1c507223f0b5bb5349cf999c33678bd0fc:#password1

hashcat -m 100 -a 6 -j '^#' hash2.txt words.txt ?d

#Prepend brute forced digits and appened an special char
# Cracked - 734eab43f4d197ab226ce5b12cfcc4ded486af72:21admin#

hashcat -m 100 -a 7 -k '$#' hash2.txt ?d?d words.txt

Rule-based attack(Favorite)

This is the most efficient attack for password cracking. A simple password can be converted to a complex password with hashcat rules. For example with only one word password combining two hashcat rules can generate 44113 unique complex password.

When Rule-based attack is useful?
  1. Common dictionary failed.
  2. Password is in a minimum length.
  3. Password has a specific policy(Upper+Lower+Num+Special=Valid password?).

If we want to do traditional brute force a hash of plaintext Pas$w0rd! it may take years. Rockyou.txt will fail because it does not has such a complex word but it must contains password . Peoples choose the easy password but meet the password policy just by replacing some characters.

Here rule based attack comes to play.

Built-in rules in hashcat
test@redtm: ls /opt/hashcat/rules/
best64.rule      d3ad0ne.rule     generated.rule           InsidePro-HashManager.rule   oscommerce.rule     T0XlC-insert_00-99_1950-2050_toprules_0_F.rule  T0XlC.rule     toggles2.rule  toggles5.rule
combinator.rule  dive.rule        hybrid                   InsidePro-PasswordsPro.rule  rockyou-30000.rule  T0XlC-insert_space_and_special_0_F.rule         T0XlCv1.rule   toggles3.rule  unix-ninja-leetspeak.rule
custom.rule      generated2.rule  Incisive-leetspeak.rule  leetspeak.rule               specific.rule       T0XlC-insert_top_100_passwords_1_G.rule         toggles1.rule  toggles4.rule

test@redtm: ls /opt/hashcat/rules/hybrid
append_d_passthrough.rule    append_hl.rule               append_ldus_passthrough.rule  append_lus.rule             prepend_ds_passthrough.rule   prepend_hu.rule                prepend_l_passthrough.rule    prepend_s.rule
append_d.rule                append_hu_passthrough.rule   append_ldus.rule              append_s_passthrough.rule   prepend_ds.rule               prepend_ld_passthrough.rule    prepend_l.rule                prepend_u_passthrough.rule
append_ds_passthrough.rule   append_hu.rule               append_l_passthrough.rule     append_s.rule               prepend_du_passthrough.rule   prepend_ld.rule                prepend_ls_passthrough.rule   prepend_u.rule
append_ds.rule               append_ld_passthrough.rule   append_l.rule                 append_u_passthrough.rule   prepend_du.rule               prepend_lds_passthrough.rule   prepend_ls.rule               prepend_us_passthrough.rule
append_du_passthrough.rule   append_ld.rule               append_ls_passthrough.rule    append_u.rule               prepend_dus_passthrough.rule  prepend_lds.rule               prepend_lu_passthrough.rule   prepend_us.rule
append_du.rule               append_lds_passthrough.rule  append_ls.rule                append_us_passthrough.rule  prepend_dus.rule              prepend_ldu_passthrough.rule   prepend_lu.rule
append_dus_passthrough.rule  append_lds.rule              append_lu_passthrough.rule    append_us.rule              prepend_hl_passthrough.rule   prepend_ldu.rule               prepend_lus_passthrough.rule
append_dus.rule              append_ldu_passthrough.rule  append_lu.rule                prepend_d_passthrough.rule  prepend_hl.rule               prepend_ldus_passthrough.rule  prepend_lus.rule
append_hl_passthrough.rule   append_ldu.rule              append_lus_passthrough.rule   prepend_d.rule              prepend_hu_passthrough.rule   prepend_ldus.rule              prepend_s_passthrough.rule
Combine two or more rules

In my opinion, For effectiveness it is best to combine two or more rules to meet the password policy. For example:

hashcat ..... -r /opt/hashcat/rules/leetspeak.rule -r /opt/hashcat/rules/InsidePro-HashManager.rule ...
Can we Crack sha1 of P@ssword?

I have not tried all rules but i think a single rule can’t crack it

hashcat -a 0 -m 100 -r /opt/hashcat/rules/leetspeak.rule hash.txt words.txt

But combining two rule was able to crack

hashcat -a 0 -m 100 -r /opt/hashcat/rules/leetspeak.rule -r /opt/hashcat/rules/InsidePro-HashManager.rule hash.txt words.txt
Can we Crack sha1 of P@ssw0rd92?

I was able to crack the hash by combining 3 rules:

hashcat -a 0 -m 100 -r /opt/hashcat/rules/leetspeak.rule -r /opt/hashcat/rules/InsidePro-HashManager.rule -r /opt/hashcat/rules/best64.rule hash.txt words.txt
Writing rules

Hashcat allow to write our own rule. This is useful when we want more custom word from a dictionary file. For example, combining bellow rule can generate P@ssw0rd1@ if the dictionary has password word:


Here is the output from hashcat stdout mode:

For quick reference a screenshot taken from hashcat website for available functions:


Lot’s can be done with hashcat. But password cracking success depend on how good our dictionary is and how we combine the rules. This post is for future reference so that i can do some copy pasting in real job :) . Also i will keep updating when i do more experiment!