Hashcat Cheatsheet 2026

Every hashcat command you need — hash modes (-m), attack modes (-a), rules, masks and ready-to-run recipes for NTLM, bcrypt, Kerberoast, AS-REP and WPA. For CTFs, labs and authorized pentests.

Last updated:

New to pentesting? Read our complete beginner's guide to see where password cracking fits in the methodology.

Quick Navigation

01 Basic Syntax 02 Hash Modes (-m) 03 Attack Modes (-a) 04 Dictionary + Rules 05 Mask Attacks 06 Combinator & Hybrid 07 Pentest Recipes 08 Performance 09 Manage Sessions 10 Identify Hashes

# Basic Syntax

The core form is hashcat -m MODE -a ATTACK hashes.txt wordlist. Everything else is refinement.

hashcat -m 1000 -a 0 hashes.txt rockyou.txt
Dictionary attack on NTLM hashes
hashcat -m 0 hash.txt rockyou.txt
Crack a single MD5 (attack mode 0 is the default)
hashcat -m 1000 hashes.txt --show
Show already-cracked hash:password pairs from the potfile
hashcat -m 1000 hashes.txt rockyou.txt -o cracked.txt
Write cracked results to a file
hashcat --benchmark
Benchmark your GPU across hash types

# Common Hash Modes (-m)

Getting the mode right is essential — the wrong -m simply won't crack. Look one up with hashcat --help | grep -i ntlm.

-mHash type
0MD5
100SHA1
1400SHA-256
1000NTLM
1800sha512crypt ($6$) — Linux /etc/shadow
500md5crypt ($1$)
3200bcrypt ($2*$)
5600NetNTLMv2 (Responder)
13100Kerberoast — TGS-REP ($krb5tgs$)
18200AS-REP roast ($krb5asrep$)
22000WPA-PBKDF2-PMKID+EAPOL
1700SHA-512
2100Domain Cached Credentials (DCC2)

# Attack Modes (-a)

Choose how hashcat generates candidate passwords.

-aAttackUse case
0Straight (dictionary)Wordlist, usually with rules
1CombinatorJoin two wordlists word-by-word
3Brute-force / maskPattern-based when policy is known
6Hybrid wordlist + maskword then appended pattern
7Hybrid mask + wordlistpattern then prepended word

# Dictionary + Rules

Dictionary with rules is the highest-yield attack. Rules mutate each word (capitalise, append digits, leetspeak).

hashcat -m 1000 hashes.txt rockyou.txt -r rules/best64.rule
The everyday combo — rockyou + best64 rules
hashcat -m 1000 hashes.txt rockyou.txt -r rules/OneRuleToRuleThemAll.rule
Aggressive, large rule set (slower, higher hit rate)
hashcat -m 1000 hashes.txt rockyou.txt -r r1.rule -r r2.rule
Stack multiple rule files (multiplies combinations)
hashcat -m 1000 hashes.txt wl1.txt wl2.txt
Use several wordlists in one run
💡 Tip: Rules live in /usr/share/hashcat/rules/. Start with best64, escalate to rockyou-30000 or OneRuleToRuleThemAll if it doesn't crack.

# Mask Attacks (-a 3)

Masks brute-force a known pattern efficiently. Charsets: ?l lower, ?u upper, ?d digit, ?s special, ?a all.

hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?d?d
Upper + 5 lower + 2 digits (e.g. Summer24)
hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a
All-charset brute-force of length 6
hashcat -m 1000 -a 3 hashes.txt -i --increment-min=6 --increment-max=8 ?a?a?a?a?a?a?a?a
Incremental length from 6 to 8
hashcat -m 1000 -a 3 hashes.txt -1 ?u?l ?1?l?l?l?l?d?d?d
Custom charset ?1 = upper or lower
hashcat -m 1000 -a 3 hashes.txt Company?d?d?d?d
Fixed prefix + 4 digits — targeting a known base word

# Combinator & Hybrid

Blend wordlists and masks for patterns like word+year or year+word.

hashcat -m 1000 -a 1 hashes.txt list1.txt list2.txt
Combinator — every word1+word2 pair
hashcat -m 1000 -a 6 hashes.txt rockyou.txt ?d?d?d?d
Hybrid — each word followed by 4 digits (e.g. password2026)
hashcat -m 1000 -a 7 hashes.txt ?d?d?d?d rockyou.txt
Hybrid — 4 digits followed by each word

# Pentest Recipes

Ready-to-run commands for the hashes you meet most on engagements.

hashcat -m 13100 kerb.txt rockyou.txt -r rules/best64.rule
Crack Kerberoast TGS hashes (from GetUserSPNs)
hashcat -m 18200 asrep.txt rockyou.txt -r rules/best64.rule
Crack AS-REP roast hashes (from GetNPUsers)
hashcat -m 5600 netntlm.txt rockyou.txt
Crack NetNTLMv2 captured with Responder
hashcat -m 1800 shadow.txt rockyou.txt -r rules/best64.rule
Crack Linux /etc/shadow sha512crypt hashes
hashcat -m 3200 bcrypt.txt rockyou.txt
Crack bcrypt (slow — use a targeted wordlist)
hcxpcapngtool -o hash.22000 capture.pcapng && hashcat -m 22000 hash.22000 rockyou.txt
Convert a WPA capture then crack the handshake

# Performance & Tuning

Squeeze more speed out of your GPU and manage heat.

hashcat -m 1000 hashes.txt rockyou.txt -w 3
Workload profile 3 (high) — faster, more GPU load
hashcat -m 1000 hashes.txt rockyou.txt -O
Optimized kernels — much faster, limits max password length
hashcat -I
List detected devices (GPUs/CPUs)
hashcat -m 1000 hashes.txt rockyou.txt -d 1
Use only device 1 (multi-GPU selection)

# Manage Sessions

Pause, resume and name long-running cracks.

hashcat -m 1000 hashes.txt rockyou.txt --session mycrack
Name the session so you can restore it
hashcat --session mycrack --restore
Resume a named session after interruption
hashcat -m 1000 hashes.txt rockyou.txt --remove
Remove cracked hashes from the input file as they fall
hashcat -m 1000 hashes.txt rockyou.txt --status --status-timer 10
Print status every 10 seconds
💡 Keys: While running — s status, p pause, r resume, q quit.

# Identify Hashes

Pick the right -m by identifying the hash first.

hashid '$2b$12$...'
Identify a hash format (suggests hashcat modes)
nth --text '48bb6e862e54f2a795ffc4e541caed4d'
name-that-hash — richer identification with -m hints
hashcat --help | grep -i kerberos
Search hashcat's own mode list by keyword

❓ Hashcat FAQ

The world's fastest password recovery tool. It uses your GPU to crack 300+ hash types with multiple attack modes. Pentesters use it to recover plaintext from hashes dumped during an engagement.

The hash type. Common: 0=MD5, 1000=NTLM, 3200=bcrypt, 5600=NetNTLMv2, 13100=Kerberoast, 18200=AS-REP, 22000=WPA. Find one with hashcat --help | grep -i name.

0=straight (dictionary), 1=combinator, 3=brute-force/mask, 6=hybrid word+mask, 7=hybrid mask+word. Mode 0 with rules is the most common.

Use hashid or name-that-hash, or the hashcat example-hashes page. NTLM = 32 hex chars, bcrypt = $2a$/$2b$, sha512crypt = $6$, Kerberoast = $krb5tgs$.

Mutations applied to each word on the fly — capitalise, append digits, leetspeak. They expand coverage massively without a bigger list. Start with -r rules/best64.rule.

Brute-force patterns using charsets: ?l ?u ?d ?s ?a. E.g. -a 3 ?u?l?l?l?l?d?d. Far more efficient than pure brute-force when you know the password policy.

hashcat -m 1000 hashes.txt rockyou.txt -r rules/best64.rule. NTLM is very fast to crack — pair a good wordlist with rules. Dump NTLM with secretsdump / from NTDS.dit or SAM.

Add --show: hashcat -m 1000 hashes.txt --show. Results persist in the potfile (~/.local/share/hashcat/hashcat.potfile) so you never lose progress.

📚 Related Resources

AI-Assisted Pentest Report

Turn your cracked credentials into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This hashcat cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →