Hashcat after you extract the NTLM
Mode selection, rules vs straight cracks, and GPU hygiene when offline password attacks actually matter.
You dumped NTDS or pulled NTLM from SAM and fired hashcat with -a 0 and rockyou.txt. Eight hours later you have three passwords and a GPU that throttled itself into oblivion because someone put the cracking box in a closet.
The hashcat cheat sheet lists modes and hash types. The part that wins engagements is knowing when straight dictionaries stop making sense and how not to corrupt your potfile.
Identify the hash type correctly
NTLM, the stored hash you pulled from SAM or NTDS, is mode 1000. NetNTLMv2, the challenge-response that Responder captures on the wire, is 5600 (NetNTLMv1 is 5500). The two look nothing alike, 32 hex characters versus a user::domain:challenge:response:blob line, yet people paste the wrong line from Responder logs, or feed a capture to -m 1000, and wonder why cracks never hit. hashcat rejects lines that do not fit the mode, so read the digest count it prints at startup before you read the speed.
hashcat -m 1000 ntlm-only.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
Strip usernames, or keep them and pass --username so hashcat ignores everything up to the first colon. For secretsdump output the NT hash is the fourth colon-separated field (cut -d: -f4); the first is DOMAIN\user and the third is the LM hash, almost always the empty-LM constant. A hash file with stray prefixes does not fail loudly: hashcat reports a token length exception per bad line, loads whatever did parse, and runs happily against the remainder, so a zero-crack result can simply mean nothing loaded.
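The triage step described above, as an added example that is not part of the original page: it sorts a mixed dump of secretsdump and Responder lines into one file per hashcat mode and reduces the secretsdump lines to user:hash. The sample lines, the directory layout and the machine-account/empty-password filtering policy are this example's own constructions.

```sh
#!/bin/sh
# Added example, not from the original page: triage a mixed hash file before hashcat sees it.
# Input lines are constructed samples in the formats secretsdump.py and Responder write.
# 8846f7eaee8fb117ad06bdd830b7586c is the NT hash of "password"; 31d6cfe0... is the NT hash of "".

# Print the hashcat mode one line belongs to (0 = not something this script recognises).
classify_line() {
  printf '%s\n' "$1" | awk -F: '
    function hex32(s) { return length(s) == 32 && s ~ /^[0-9a-fA-F]+$/ }
    /:::$/                                  { print 1000; next }  # DOMAIN\user:rid:lm:nt:::  (secretsdump)
    NF == 1 && hex32($1)                    { print 1000; next }  # bare NT hash
    NF == 2 && hex32($2)                    { print 1000; next }  # user:nthash, run with --username
    NF == 6 && $2 == "" && length($4) == 16 { print 5600; next }  # user::DOM:chal:proof:blob (NetNTLMv2)
    NF == 6 && $2 == "" && length($4) == 48 { print 5500; next }  # user::DOM:lmresp:ntresp:chal (NetNTLMv1)
                                            { print 0 }'
}

# Reduce secretsdump lines to "user:nthash" for a --username run (cut -d: -f2 for bare
# hashes). Machine accounts (trailing $, random 120-char passwords) and the empty-password
# hash are dropped: neither is worth a second of GPU time.
nt_from_secretsdump() {
  awk -F: '
    /:::$/ && $1 !~ /\$$/ && $4 != "31d6cfe0d16ae931b73c59d7e0c089c0" {
      user = $1; sub(/^.*\\/, "", user)   # drop the DOMAIN\ prefix
      print user ":" $4
    }'
}

# Split a mixed file into one file per mode under DIR, so each gets the right -m.
split_by_mode() {  # split_by_mode INPUT DIR
  mkdir -p "$2"
  while IFS= read -r line || [ -n "$line" ]; do
    mode=$(classify_line "$line")
    if [ "$mode" = 0 ]; then printf 'skipped: %s\n' "$line" >&2; continue; fi
    printf '%s\n' "$line" >> "$2/mode-$mode.txt"
  done < "$1"
}

# Constructed sample: one user, one machine account, and a Responder capture of the same user.
SAMPLE='CORP\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\WS01$:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jdoe::CORP:1122334455667788:4f4d3f9f0a1b2c3d4e5f60718293a4b5:0101000000000000c0653150de09d201'

demo() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE" > "$dir/mixed.txt"
  split_by_mode "$dir/mixed.txt" "$dir/split"
  nt_from_secretsdump < "$dir/split/mode-1000.txt" > "$dir/split/ntlm-user.txt"
  cut -d: -f2 "$dir/split/ntlm-user.txt" > "$dir/split/ntlm-only.txt"
  # Now the runs line up with the formats:
  #   hashcat -m 1000 --username "$dir/split/ntlm-user.txt" /usr/share/wordlists/rockyou.txt
  #   hashcat -m 5600 "$dir/split/mode-5600.txt" /usr/share/wordlists/rockyou.txt
  cat "$dir/split/ntlm-user.txt"
  rm -rf "$dir"
}
demo
```

The NetNTLMv1/v2 distinction rests on field lengths alone (16-hex server challenge in the fourth field for v2, 48-hex LM response for v1), which is exactly the difference hashcat's own parsers key on; anything this script prints as skipped is worth a look before you blame the wordlist.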
Straight attack first, then rules, then stop
Rockyou straight is the baseline. NTLM is fast enough that a straight run finishes in seconds on any GPU, so never skip it, but do not expect much from it: against a policy that forces 14+ character passphrases (with or without complexity) it catches stale service accounts and the odd exception. It will not hand you domain admin.
Rules matter for corporate passwords: season plus year, Welcome1!, the company name with a digit and a symbol. Each rule mutates every dictionary word, so a 64-rule file turns one pass over rockyou into 64. Example:
hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule -o cracked-rules.txt
best64.rule is not magic. It is a cheap second pass that covers the common mutations. Rules distilled from a client's own earlier cracks beat generic rules every time, provided you are allowed to keep and reuse that data.
Mask attacks (-a 3) are for when you know the pattern: Company2024! style, a capital, a few lowercase, four digits, a symbol. Build the mask from the password policy and from the passwords you have already cracked, not from hope; every extra position multiplies the keyspace by the size of its charset, so a mask one character too long is an overnight run for nothing.
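A dry run of the rules and mask choices above, as an added example that is neither the page's nor hashcat's code: apply_rule implements a subset of hashcat's rule functions (: l u c t r d ] [ $X ^X) so you can see what a rule line does to a seed word, and mask_keyspace sizes a mask using hashcat's built-in charsets so you know the cost before committing a GPU. The seed words, the rule file and the 100 GH/s rate are constructed; custom charsets (-1 ...) are not modelled.

```sh
#!/bin/sh
# Added example, not from the original page or from hashcat itself: a dry run of the attack
# plan before it touches the GPU. apply_rule implements a subset of hashcat's rule language
# (: l u c t r d ] [ $X ^X) so you can see what a rule does to a seed word; mask_keyspace
# sizes a mask with hashcat's built-in charsets. Seeds, rules and the rate are constructed.

# Apply one rule line to one word the way hashcat would (subset of functions only).
apply_rule() {  # apply_rule 'c $2 $0 $2 $4 $!' welcome   -> Welcome2024!
  printf '%s\n' "$2" | awk -v rule="$1" '
    function cap(s) { return toupper(substr(s, 1, 1)) tolower(substr(s, 2)) }
    function rev(s,  i, r) { for (i = length(s); i >= 1; i--) r = r substr(s, i, 1); return r }
    function tog(s,  i, c, r) {
      for (i = 1; i <= length(s); i++) { c = substr(s, i, 1); r = r (c ~ /[a-z]/ ? toupper(c) : tolower(c)) }
      return r
    }
    {
      w = $0; i = 1
      while (i <= length(rule)) {
        f = substr(rule, i, 1); i++
        if      (f == " " || f == ":") { }                        # separator / no-op
        else if (f == "l") w = tolower(w)
        else if (f == "u") w = toupper(w)
        else if (f == "c") w = cap(w)
        else if (f == "t") w = tog(w)
        else if (f == "r") w = rev(w)
        else if (f == "d") w = w w
        else if (f == "]") w = substr(w, 1, length(w) - 1)
        else if (f == "[") w = substr(w, 2)
        else if (f == "$") { w = w substr(rule, i, 1); i++ }       # append next char
        else if (f == "^") { w = substr(rule, i, 1) w; i++ }       # prepend next char
        else { print "unsupported rule function: " f > "/dev/stderr"; exit 2 }
      }
      print w
    }'
}

# Expand WORDLIST through every rule in RULEFILE (blank lines and # comments skipped),
# i.e. what hashcat --stdout -r RULEFILE WORDLIST would print.
apply_rulefile() {  # apply_rulefile WORDLIST RULEFILE
  grep -Ev '^[[:space:]]*(#|$)' "$2" | while IFS= read -r rule; do
    while IFS= read -r word; do apply_rule "$rule" "$word"; done < "$1"
  done
}

# Keyspace of a mask using hashcat's built-in charsets; "??" is a literal "?" and any other
# character is a literal. Custom charsets (-1 ...) are not modelled here.
mask_keyspace() {  # mask_keyspace 'Company?d?d?d?d?s'   -> 330000
  printf '%s\n' "$1" | awk '
    BEGIN { n["l"] = 26; n["u"] = 26; n["d"] = 10; n["s"] = 33; n["a"] = 95
            n["h"] = 16; n["H"] = 16; n["b"] = 256 }
    {
      total = 1; i = 1
      while (i <= length($0)) {
        if (substr($0, i, 1) != "?") { i++; continue }
        k = substr($0, i + 1, 1); i += 2
        if (k == "?") continue
        if (!(k in n)) { print "unknown charset ?" k > "/dev/stderr"; exit 2 }
        total *= n[k]
      }
      printf "%.0f\n", total
    }'
}

# Wall-clock seconds for a mask at RATE hashes per second (plug in your benchmark number).
mask_seconds() {  # mask_seconds MASK RATE
  awk -v ks="$(mask_keyspace "$1")" -v rate="$2" 'BEGIN { printf "%.0f\n", ks / rate }'
}

demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/corp.rule" <<'EOF'
# constructed corporate rules: Seed2024!, Seed2024, seed1, SEED
c $2 $0 $2 $4 $!
c $2 $0 $2 $4
$1
u
EOF
  printf 'welcome\nsummer\n' > "$tmp/seeds.txt"
  apply_rulefile "$tmp/seeds.txt" "$tmp/corp.rule"
  printf 'Company?d?d?d?d?s keyspace: %s\n' "$(mask_keyspace 'Company?d?d?d?d?s')"
  printf '?u?l?l?l?l?l?d?d?d?d at 100 GH/s: %s s\n' "$(mask_seconds '?u?l?l?l?l?l?d?d?d?d' 100000000000)"
  rm -rf "$tmp"
}
demo
```

The point of the keyspace figure is the comparison: a policy-shaped mask like Company?d?d?d?d?s is a few hundred thousand candidates, while a generic ?u?l?l?l?l?l?d?d?d?d is already in the trillions before you add a symbol position, and the real hashcat prints the same keyspace with --keyspace so you can check the arithmetic against the tool.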
Potfile hygiene
Hashcat appends every crack to its potfile (hashcat.potfile in its profile directory, or beside the binary) and skips any hash already in it on later runs, which is why a rerun after fixing the hash format can appear to find nothing that --show will not already print. The same mechanism mixes clients: if you never rotate potfiles between engagements, a password cracked at client A is reported for client B the moment the same NT hash turns up there, because the plaintext is already on file.
Give every engagement its own --potfile-path, and run --show and --left against that potfile for the cracked and remaining lists when you write up. --potfile-disable is for a deliberate re-crack, for example to verify a result or to time an attack. --remove deletes cracked hashes from the input file as they fall; it gives a clean rerun of only what is left, but it mutates your evidence, so point it at a copy. Record which potfile and which input file (with its hash) each run used in your chain of custody notes.
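One way to make the per-engagement potfile and the custody record automatic, as an added example rather than anything from the page: a wrapper that derives the potfile from an engagement directory, logs the input file's SHA-256, the potfile and the exact command for every run, and exposes --show/--left against the same potfile. The directory layout, the custody.log format and the HASHCAT override variable are this example's own conventions; the hashcat flags are real.

```sh
#!/bin/sh
# Added example, not from the original page: a wrapper that pins one potfile per engagement
# and writes a custody record for every run. The directory layout, the custody.log format and
# the HASHCAT variable are this example's own choices; the hashcat flags are real ones.

# One potfile per engagement directory. hashcat only ever reads this file for this client,
# so nothing cracked elsewhere can surface in --show output here.
engagement_potfile() {  # engagement_potfile ENGAGEMENT_DIR
  mkdir -p "$1"
  printf '%s/hashcat.potfile\n' "$1"
}

# SHA-256 of a file, coreutils or BSD tool name.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Run hashcat on HASHFILE with the engagement's potfile and the remaining args (mode,
# wordlist, rules...). Every run appends one tab-separated line to custody.log: when, which
# input (with its hash), which potfile, the exact command. HASHCAT overrides the binary.
run_job() {  # run_job ENGAGEMENT_DIR HASHFILE -m 1000 wordlist [-r rule ...]
  eng=$1; hashfile=$2; shift 2
  pot=$(engagement_potfile "$eng")
  printf '%s\tinput=%s\tsha256=%s\tpotfile=%s\tcmd=hashcat --potfile-path %s %s %s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$hashfile" "$(file_sha256 "$hashfile")" \
    "$pot" "$pot" "$hashfile" "$*" >> "$eng/custody.log"
  "${HASHCAT:-hashcat}" --potfile-path "$pot" "$hashfile" "$@"
}

# Cracked (--show) or still-uncracked (--left) lines for the write-up, from the same potfile.
# Pass the same -m (and --username if you used it) as the cracking run.
job_results() {  # job_results show|left ENGAGEMENT_DIR HASHFILE -m 1000 [--username]
  what=$1; eng=$2; hashfile=$3; shift 3
  "${HASHCAT:-hashcat}" --potfile-path "$(engagement_potfile "$eng")" "--$what" "$hashfile" "$@"
}

# How many runs the custody log records (goes into the report appendix).
custody_entries() { wc -l < "$1/custody.log" | tr -d ' '; }

demo() {
  eng=$(mktemp -d)/acme-2024q2            # constructed engagement directory
  printf '8846f7eaee8fb117ad06bdd830b7586c\n' > "$(dirname "$eng")/ntlm-only.txt"  # NT hash of "password"
  HASHCAT=true run_job "$eng" "$(dirname "$eng")/ntlm-only.txt" -m 1000 /usr/share/wordlists/rockyou.txt -r rules/best64.rule
  cat "$eng/custody.log"
  rm -rf "$(dirname "$eng")"
}
demo
```

The hash file goes first on the command line and the options after it because hashcat takes the first positional argument as the hash file and the next as the wordlist; keeping that order fixed in the wrapper is what lets you append -r and mask arguments without thinking about it.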
GPU reality
Thermal throttling shows up as wildly inconsistent H/s and a status speed that sinks as the card warms up. Laptop "cracking" during a flight is marketing. For serious batches:
- Run hashcat -m 1000 --benchmark once per machine after every driver update and keep the number; a job running far below it is a throttled or power-capped card, not a bad wordlist.
- Limit -w (workload profile, 1 to 4, default 2) on shared hardware, and set --hwmon-temp-abort so the job stops before the card cooks instead of crawling for hours.
- Do not run hashcat on the same box as your C2 without expecting lag.
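A check for the throttling symptom above, as an added example that is not from the page or from hashcat: sample temperature, SM clock and utilisation from nvidia-smi and flag rows where a busy GPU is running well below its maximum clock. The sample rows are constructed, and the 80 % clock threshold and 85 C cut-off are this example's assumptions rather than NVIDIA's figures.

```sh
#!/bin/sh
# Added example, not from the original page: spot thermal throttling from nvidia-smi samples
# instead of guessing from a jumpy H/s figure. The sample lines below are constructed; the
# 80 % clock threshold and 85 C temperature are this example's assumptions, not NVIDIA's.

# One sample per second, in the exact column order throttle_report expects:
# temperature.gpu, clocks.sm, clocks.max.sm, utilization.gpu
sample_gpu() {
  nvidia-smi --query-gpu=temperature.gpu,clocks.sm,clocks.max.sm,utilization.gpu \
             --format=csv,noheader,nounits -l 1
}

# Flag rows where the GPU is busy (util >= 90 %) yet the SM clock sits below CLOCK_PCT of
# its maximum: a loaded GPU that is not at its max clock is being held back, and a high
# temperature on the same row says why. Prints "throttled N of M samples" last.
throttle_report() {  # throttle_report [CLOCK_PCT] [TEMP_C]  < samples.csv
  awk -F', *' -v pct="${1:-80}" -v hot="${2:-85}" '
    NF < 4 { next }
    {
      total++
      temp = $1 + 0; clk = $2 + 0; max = $3 + 0; util = $4 + 0
      if (util >= 90 && max > 0 && clk < max * pct / 100) {
        bad++
        printf "sample %d: %d MHz of %d (%d%%) at %d C%s\n", NR, clk, max, clk * 100 / max, temp,
               (temp >= hot ? " <- thermal" : " <- power/other cap")
      }
    }
    END { printf "throttled %d of %d samples\n", bad + 0, total + 0 }'
}

# Convenience for scripts: just the count of throttled samples.
throttle_count() { throttle_report "$@" | sed -n 's/^throttled \([0-9]*\) of.*/\1/p'; }

# Constructed samples: healthy, then the clock collapses as the card heats up, then idle.
SAMPLES='62, 1980, 1980, 100
70, 1965, 1980, 100
84, 1500, 1980, 100
88, 1200, 1980, 100
45, 300, 1980, 3'

printf '%s\n' "$SAMPLES" | throttle_report
# Live use: sample_gpu | throttle_report   (Ctrl-C to stop and print the summary)
```

The idle row at the end is why the utilisation gate matters: a card clocking down when there is nothing to do is normal, and counting it would make every pause between jobs look like throttling.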
John the Ripper still earns a place. See the john cheat sheet for quick format conversions and CPU-only boxes where GPUs are banned by policy.
When to stop cracking and move on
If straight + rules + a targeted wordlist from OSINT (employee names, product names, the town, the sports team) returns nothing, spraying the handful of passwords you did crack, and their season/year variants, across the rest of the domain, inside the lockout threshold, often beats another overnight brute force.
Cracking is a funnel, not a morality play about patience.