CyberCheatsheets

Hashcat Cheat Sheet

GPU-accelerated offline password and hash recovery.

Passwords & CrackingcrackinggpuhashofflinepasswordsUpdated 2026-06-02

Overview

Hashcat is the standard tool for offline hash recovery. It supports hundreds of hash modes (NTLM, NetNTLMv2, bcrypt, WPA, Kerberos TGS, etc.) on CPU and GPU. Only crack hashes you are legally authorized to test (your lab, CTF, or explicit written scope).

Install

sudo apt install hashcat hashcat-utils
hashcat -I                    # list OpenCL/CUDA devices
hashcat --help                # modes and examples

Essential commands

Identify mode from hash format (or use hash-identifier)

hashcat -m 1000 hashes.txt rockyou.txt          # NTLM
hashcat -m 5600 hashes.txt wordlist.txt         # NetNTLMv2
hashcat -m 3200 hashes.txt wordlist.txt         # bcrypt

Show cracked passwords

hashcat -m 1000 hashes.txt --show

Benchmark a mode on your hardware

hashcat -m 1000 -b

Quick one-liners

Crack NTLM hashes with rockyou

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

Show already cracked passwords

hashcat -m 1000 hashes.txt --show

Crack NetNTLMv2 from responder capture

hashcat -m 5600 netntlm.txt /usr/share/wordlists/rockyou.txt

Benchmark mode 1000 on your GPU

hashcat -m 1000 -b

Resume a long cracking session

hashcat --session lab01 --restore

Common workflows

Dictionary attack —

hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 ntlm_hashes.txt rockyou.txt -r rules/best64.rule

8 chars: upper + lower + digit + special

hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?d?s

Company prefix + 4 digits

hashcat -m 1000 hashes.txt -a 3 'Corp?d?d?d?d'

Combinator and hybrid —

hashcat -m 1000 hashes.txt -a 1 wordlist1.txt wordlist2.txt
hashcat -m 1000 hashes.txt -a 6 wordlist.txt ?d?d?d?d

Restore long sessions —

hashcat -m 1000 hashes.txt rockyou.txt --session lab01
hashcat --session lab01 --restore

Extract hashes from captures (hashcat-utils) —

cap2hccapx capture.pcap capture.hccapx
hashcat -m 2500 capture.hccapx wordlist.txt

Flags reference

-m

Hash mode

-a

Attack mode (0=dict, 3=mask, 1=combinator)

-r

Rules file

-O

Optimized kernels (faster, max 31 char)

-w

Workload profile 1–4

--show

Print cracked hashes

--username

Show username with hash

--force

Ignore warnings (lab only)

--session

Named restore point

Tips

  • Run hashcat --example-hashes to match -m numbers to sample formats.
  • Use -O on GPU for speed; drop it if passwords may exceed 31 characters.
  • Split large jobs: dictionary first, then targeted masks from policy hints.
  • Store wordlists and .potfile outside the repo; never commit real customer hashes.

References

Related cheat sheets