OFFSITE.DARK

Hashcat

Overview

Hashcat performs offline password recovery on CPU, GPU (OpenCL/CUDA), or both at once. It supports 300+ hash modes, selected with -m: NTLM, bcrypt, WPA-PBKDF2, Kerberos TGS-REP, Office, PDF, blockchain wallets, and a handful of raw-cipher known-plaintext modes (e.g., DES, 3DES), each identified by its own mode number.

Attack modes: straight (-a 0, one wordlist), combination (-a 1, two wordlists), brute-force/mask (-a 3), hybrid wordlist + mask (-a 6) and mask + wordlist (-a 7), and association (-a 9, one candidate per hash). Rules (-r rules/best64.rule) mutate every wordlist entry; a mask such as ?u?l?l?l?d?d?d?d assigns a charset to each position (?u upper, ?l lower, ?d digit, ?s special, ?a all printable), and -1 to -4 define custom charsets.

Throughput depends on the hash: NTLM runs at tens to hundreds of billions of hashes per second on a single current GPU, while bcrypt, scrypt and other deliberately slow KDFs run orders of magnitude slower, so a mask that falls in seconds against NTLM can be infeasible against bcrypt. Run --benchmark (add --machine-readable for parseable output) to measure the rig before planning an attack. Cracked hashes are cached in the potfile (hashcat.potfile), which is what --show reads.

Input formats vary by mode: run hashcat -m N --example-hashes to see the exact line format mode N expects. WPA uses mode 22000 (.hc22000 lines produced by hcxpcapngtool); the older HCCAPX format (mode 2500) is deprecated. KeePass databases use mode 13400 (extract with keepass2john); Kerberos 5 TGS-REP etype 23 (Kerberoast) is mode 13100.

Primary use cases

  • Cracking NTLM hashes dumped from LSASS or with secretsdump (SAM/NTDS) to recover passwords for lateral movement
  • WPA2 PSK recovery from handshakes or PMKIDs captured with aircrack-ng/hcxdumptool
  • Rule-based attacks against enterprise password patterns (word + digits + symbol)
  • Mask attacks when a policy fixes the length and character classes (e.g., Summer2024!)
  • Benchmarking a GPU rig before an engagement
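Before launching a mask run it pays to know its keyspace and how long it will take at the rate --benchmark reported. The script below is an added example, not hashcat's own code: it sizes any hashcat mask (built-in charsets plus literal characters), converts the keyspace to a worst-case runtime at a given hash rate, and emits an .hcmask file for the "Capitalised word + four digits + symbol" policy shape from the use cases above. The 1e9 hashes/second figure in the usage lines is an assumed single-GPU NTLM rate, not a measurement. The comparison it prints also illustrates the defence note further down: a 12-character all-lowercase mask costs six orders of magnitude more than the 8-character "complex" one.

```shell
#!/bin/sh
# Added example (not hashcat's own code): size a mask before running it.
# Built-in charset sizes are hashcat's: ?l=26 ?u=26 ?d=10 ?s=33 ?a=95 ?h=16 ?H=16 ?b=256.
# Literal characters in a mask (the "Summer" in Summer?d?d?d?d?s) count as 1.

# charset_size TOKEN -> number of candidates for one mask position
charset_size() {
    case "$1" in
        '?l'|'?u')  echo 26 ;;
        '?d')       echo 10 ;;
        '?s')       echo 33 ;;
        '?a')       echo 95 ;;
        '?h'|'?H')  echo 16 ;;
        '?b')       echo 256 ;;
        *)          echo 1 ;;   # literal character (or ?? for a literal '?')
    esac
}

# mask_keyspace MASK -> total candidates = product of the per-position sizes.
# The product is computed in awk (double precision) so a long ?a mask does not
# overflow the shell's 64-bit integers; treat values above ~9e15 as estimates.
mask_keyspace() {
    mask=$1
    sizes=""
    while [ -n "$mask" ]; do
        case "$mask" in
            \?*) rest=${mask#??} ;;     # ?x token: two characters
            *)   rest=${mask#?}  ;;     # literal: one character
        esac
        [ "$rest" = "$mask" ] && rest=""   # lone trailing '?': treat as a literal
        tok=${mask%"$rest"}
        sizes="$sizes $(charset_size "$tok")"
        mask=$rest
    done
    printf '%s\n' "$sizes" | awk '{ k = 1; for (i = 1; i <= NF; i++) k *= $i; printf "%.0f\n", k }'
}

# crack_time MASK RATE -> worst-case seconds to exhaust MASK at RATE hashes/second
# (RATE is what hashcat --benchmark reports for the target -m on this rig).
crack_time() {
    awk -v k="$(mask_keyspace "$1")" -v r="$2" 'BEGIN { printf "%.0f\n", k / r }'
}

# policy_masks MIN MAX -> .hcmask lines for the "Capitalised word + 4 digits + symbol"
# shape (Summer2024!) at every total length from MIN to MAX (MIN must be >= 6).
# Save the output to a file and pass that file as the mask argument of hashcat -a 3.
policy_masks() {
    len=$1
    while [ "$len" -le "$2" ]; do
        word=$((len - 5))            # positions left for the word after ?d?d?d?d?s
        m='?u'; i=1
        while [ "$i" -lt "$word" ]; do m="$m?l"; i=$((i + 1)); done
        printf '%s?d?d?d?d?s\n' "$m"
        len=$((len + 1))
    done
}

# Usage: the 8-char mask from Key commands versus a 12-char all-lowercase mask,
# at an assumed 1e9 NTLM hashes/second. Length beats complexity by six orders of magnitude.
printf '%-28s %s candidates, %s s\n' '?u?l?l?l?l?l?d?d' \
    "$(mask_keyspace '?u?l?l?l?l?l?d?d')" "$(crack_time '?u?l?l?l?l?l?d?d' 1000000000)"
printf '%-28s %s candidates, %s s\n' '?l?l?l?l?l?l?l?l?l?l?l?l' \
    "$(mask_keyspace '?l?l?l?l?l?l?l?l?l?l?l?l')" "$(crack_time '?l?l?l?l?l?l?l?l?l?l?l?l' 1000000000)"
policy_masks 8 12
```

The .hcmask lines from policy_masks are what you would feed to -a 3 in place of a single mask; hashcat works through them in file order, so put the lengths you expect to be most common first.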

Key commands

NTLM wordlist attack

hashcat -m 1000 -a 0 ntlm_hashes.txt wordlist.txt -r rules/best64.rule

Mask brute-force (8 chars: one upper, five lower, two digits)

hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?d?d

WPA-PBKDF2 (mode 22000)

hashcat -m 22000 -a 0 capture.hc22000 wordlist.txt

Show cracked

hashcat -m 1000 hashes.txt --show

Notable modules / features

  • Brain (--brain-server on one host, --brain-client on the cracking nodes): a shared record of candidates already tried and attack positions already covered, so several nodes or repeated sessions do not redo work. It coordinates; it does not distribute load.
  • PRINCE (princeprocessor, pp64) for generating multi-word candidates, piped into hashcat -a 0 over stdin
  • Sessions and restore: --session NAME names a run, --restore resumes it from its .restore file, and pressing c at the interactive status prompt checkpoints a long mask run so it stops at the next safe point
  • hashcat-utils (cap2hccapx, combinator, rli, splitlen and others) plus the sibling generators maskprocessor (mp64) and statsprocessor (sp64)

Detection / defense notes

  • Store application passwords with a slow, cost-tunable KDF (bcrypt, scrypt, Argon2) so each guess costs milliseconds instead of nanoseconds; the gap between NTLM and bcrypt rates noted above is the whole defence
  • Length beats complexity: every added position multiplies the keyspace by the charset size, so a long passphrase defeats mask attacks where a short "complex" password does not
  • Offline cracking produces no authentication failures on the target, so detect the credential theft that precedes it: LSASS access, DCSync/replication requests from non-DCs, NTDS.dit or SAM copies, and Wi-Fi deauthentication floods. NTLM relay is a separate online technique that does generate logon events and is often paired with hash theft
  • WPA3-SAE (Dragonfly PAKE) removes the offline dictionary attack on a captured exchange that WPA2's four-way handshake and PMKID allow; WPA2/WPA3 transition mode still exposes WPA2 handshakes

Related tools

  • john: Password hash cracker (John the Ripper). Wordlist and rule-based attacks.
  • hydra: Parallelized network login cracker. Supports dozens of protocols and brute-force modes.
  • Impacket: Python protocol implementations. secretsdump, psexec, getTGT, and SMB/Kerberos tooling for Windows networks.
  • aircrack-ng: 802.11 WEP/WPA cracking suite. Monitor mode, packet injection, handshake capture.