# Basic Syntax
The core form is hashcat -m MODE -a ATTACK hashes.txt wordlist. Everything else is refinement.
hashcat -m 1000 -a 0 hashes.txt rockyou.txthashcat -m 0 hash.txt rockyou.txthashcat -m 1000 hashes.txt --showhashcat -m 1000 hashes.txt rockyou.txt -o cracked.txthashcat --benchmark# Common Hash Modes (-m)
Getting the mode right is essential — the wrong -m simply won't crack. Look one up with hashcat --help | grep -i ntlm.
| -m | Hash type |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 1400 | SHA-256 |
| 1000 | NTLM |
| 1800 | sha512crypt ($6$) — Linux /etc/shadow |
| 500 | md5crypt ($1$) |
| 3200 | bcrypt ($2*$) |
| 5600 | NetNTLMv2 (Responder) |
| 13100 | Kerberoast — TGS-REP ($krb5tgs$) |
| 18200 | AS-REP roast ($krb5asrep$) |
| 22000 | WPA-PBKDF2-PMKID+EAPOL |
| 1700 | SHA-512 |
| 2100 | Domain Cached Credentials (DCC2) |
# Attack Modes (-a)
Choose how hashcat generates candidate passwords.
| -a | Attack | Use case |
|---|---|---|
| 0 | Straight (dictionary) | Wordlist, usually with rules |
| 1 | Combinator | Join two wordlists word-by-word |
| 3 | Brute-force / mask | Pattern-based when policy is known |
| 6 | Hybrid wordlist + mask | word then appended pattern |
| 7 | Hybrid mask + wordlist | pattern then prepended word |
# Dictionary + Rules
Dictionary with rules is the highest-yield attack. Rules mutate each word (capitalise, append digits, leetspeak).
hashcat -m 1000 hashes.txt rockyou.txt -r rules/best64.rulehashcat -m 1000 hashes.txt rockyou.txt -r rules/OneRuleToRuleThemAll.rulehashcat -m 1000 hashes.txt rockyou.txt -r r1.rule -r r2.rulehashcat -m 1000 hashes.txt wl1.txt wl2.txt/usr/share/hashcat/rules/. Start with best64, escalate to rockyou-30000 or OneRuleToRuleThemAll if it doesn't crack.# Mask Attacks (-a 3)
Masks brute-force a known pattern efficiently. Charsets: ?l lower, ?u upper, ?d digit, ?s special, ?a all.
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?d?dhashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?ahashcat -m 1000 -a 3 hashes.txt -i --increment-min=6 --increment-max=8 ?a?a?a?a?a?a?a?ahashcat -m 1000 -a 3 hashes.txt -1 ?u?l ?1?l?l?l?l?d?d?dhashcat -m 1000 -a 3 hashes.txt Company?d?d?d?d# Combinator & Hybrid
Blend wordlists and masks for patterns like word+year or year+word.
hashcat -m 1000 -a 1 hashes.txt list1.txt list2.txthashcat -m 1000 -a 6 hashes.txt rockyou.txt ?d?d?d?dhashcat -m 1000 -a 7 hashes.txt ?d?d?d?d rockyou.txt# Pentest Recipes
Ready-to-run commands for the hashes you meet most on engagements.
hashcat -m 13100 kerb.txt rockyou.txt -r rules/best64.rulehashcat -m 18200 asrep.txt rockyou.txt -r rules/best64.rulehashcat -m 5600 netntlm.txt rockyou.txthashcat -m 1800 shadow.txt rockyou.txt -r rules/best64.rulehashcat -m 3200 bcrypt.txt rockyou.txthcxpcapngtool -o hash.22000 capture.pcapng && hashcat -m 22000 hash.22000 rockyou.txt# Performance & Tuning
Squeeze more speed out of your GPU and manage heat.
hashcat -m 1000 hashes.txt rockyou.txt -w 3hashcat -m 1000 hashes.txt rockyou.txt -Ohashcat -Ihashcat -m 1000 hashes.txt rockyou.txt -d 1# Manage Sessions
Pause, resume and name long-running cracks.
hashcat -m 1000 hashes.txt rockyou.txt --session mycrackhashcat --session mycrack --restorehashcat -m 1000 hashes.txt rockyou.txt --removehashcat -m 1000 hashes.txt rockyou.txt --status --status-timer 10s status, p pause, r resume, q quit.# Identify Hashes
Pick the right -m by identifying the hash first.
hashid '$2b$12$...'nth --text '48bb6e862e54f2a795ffc4e541caed4d'hashcat --help | grep -i kerberos❓ Hashcat FAQ
The world's fastest password recovery tool. It uses your GPU to crack 300+ hash types with multiple attack modes. Pentesters use it to recover plaintext from hashes dumped during an engagement.
The hash type. Common: 0=MD5, 1000=NTLM, 3200=bcrypt, 5600=NetNTLMv2, 13100=Kerberoast, 18200=AS-REP, 22000=WPA. Find one with hashcat --help | grep -i name.
0=straight (dictionary), 1=combinator, 3=brute-force/mask, 6=hybrid word+mask, 7=hybrid mask+word. Mode 0 with rules is the most common.
Use hashid or name-that-hash, or the hashcat example-hashes page. NTLM = 32 hex chars, bcrypt = $2a$/$2b$, sha512crypt = $6$, Kerberoast = $krb5tgs$.
Mutations applied to each word on the fly — capitalise, append digits, leetspeak. They expand coverage massively without a bigger list. Start with -r rules/best64.rule.
Brute-force patterns using charsets: ?l ?u ?d ?s ?a. E.g. -a 3 ?u?l?l?l?l?d?d. Far more efficient than pure brute-force when you know the password policy.
hashcat -m 1000 hashes.txt rockyou.txt -r rules/best64.rule. NTLM is very fast to crack — pair a good wordlist with rules. Dump NTLM with secretsdump / from NTDS.dit or SAM.
Add --show: hashcat -m 1000 hashes.txt --show. Results persist in the potfile (~/.local/share/hashcat/hashcat.potfile) so you never lose progress.
📚 Related Resources
- Active Directory Cheatsheet — Where Kerberoast and AS-REP hashes come from
- Windows Privilege Escalation Cheatsheet — Dump SAM/NTLM hashes, then crack them here
- Wireshark Cheatsheet — Sniff the NetNTLMv2 / WPA hashes you then crack here
- Full Pentesting Cheatsheet — 200+ commands for web, network, AD and privesc
- Pentesting Glossary — Hash, NTLM, rainbow table and 60+ key terms defined
Turn your cracked credentials into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This hashcat cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →