Keyboard shortcuts

Press ← or β†’ to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

🏠 Back to Blog

Hashcat Cheatsheet

Basic Syntax

hashcat -a <attack_mode> -m <hash_type> <hashes> [wordlist, rule, mask, ...]
OptionDescription
-aAttack mode
-mHash type ID
-rRules file
-oOutput file for cracked hashes
--showShow previously cracked hashes
--forceIgnore warnings

Attack Modes (-a)

ModeNameDescription
0Straight/DictionaryWordlist-based attack
1CombinationCombines words from two wordlists
3Brute-force/MaskUses masks to define keyspace
6Hybrid Wordlist + MaskAppends mask to wordlist entries
7Hybrid Mask + WordlistPrepends mask to wordlist entries

Common Hash Types (-m)

IDHash Type
0MD5
100SHA1
500MD5 Crypt / Cisco-IOS / FreeBSD MD5
900MD4
1000NTLM
1300SHA2-224
1400SHA2-256
1700SHA2-512
1800SHA-512 Crypt (Unix)
3000LM
3200bcrypt
5600NetNTLMv2
13100Kerberos 5 TGS-REP
18200Kerberos 5 AS-REP
22000WPA-PBKDF2-PMKID+EAPOL

Full list: hashcat --help or hashcat.net/wiki/doku.php?id=example_hashes

Mask Attack Character Sets

SymbolCharset
?labcdefghijklmnopqrstuvwxyz
?uABCDEFGHIJKLMNOPQRSTUVWXYZ
?d0123456789
?h0123456789abcdef
?H0123456789ABCDEF
?sSpecial characters (space, punctuation)
?a?l?u?d?s (all printable)
?b0x00 - 0xff (all bytes)

Custom charsets: -1, -2, -3, -4 β†’ Reference with ?1, ?2, ?3, ?4

Quick Reference Commands

Dictionary Attack

hashcat -a 0 -m 0 hash.txt /usr/share/wordlists/rockyou.txt

Dictionary Attack with Rules

hashcat -a 0 -m 0 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Mask Attack (8 char: 6 lowercase + 2 digits)

hashcat -a 3 -m 0 hash.txt ?l?l?l?l?l?l?d?d

Mask Attack with Custom Charset

hashcat -a 3 -m 0 hash.txt -1 ?l?u ?1?1?1?1?d?d?d?d

Hybrid Attack (wordlist + mask)

hashcat -a 6 -m 0 hash.txt /usr/share/wordlists/rockyou.txt ?d?d?d

Show Cracked Hashes

hashcat -m 0 hash.txt --show

Identify Hash Type

hashid -m '<hash_string>'

Common Rule Files

Rule FileDescription
best64.rule64 standard password modifications
rockyou-30000.ruleLarge ruleset based on rockyou patterns
dive.ruleComprehensive rule set
d3ad0ne.rulePopular community ruleset
leetspeak.ruleLeet speak substitutions
toggles1-5.ruleCase toggling rules

Location: /usr/share/hashcat/rules/

Useful Options

OptionDescription
--statusEnable automatic status updates
--status-timer=NSet status update interval (seconds)
-w 3Workload profile (1=low, 2=default, 3=high, 4=nightmare)
--incrementEnable mask increment mode
--increment-min=NStart mask length
--increment-max=NEnd mask length
-OEnable optimized kernels (faster, but limits password length)
--usernameIgnore username in hash file
--potfile-disableDon’t write to potfile

Cracking Protected Files & Archives

Common Hash Modes for Files

IDType
9400-9600MS Office 2007-2013
10400-10700PDF
13600WinZip
17200-17225PKZIP
22100BitLocker
13400KeePass
6211-6243TrueCrypt
13711-13723VeraCrypt

Crack BitLocker Drive

# Extract hash with bitlocker2john (from JtR)
bitlocker2john -i Backup.vhd > backup.hashes
grep "bitlocker\$0" backup.hashes > backup.hash

# Crack with hashcat
hashcat -a 0 -m 22100 backup.hash /usr/share/wordlists/rockyou.txt

Crack ZIP File (PKZIP)

# Extract hash with zip2john (from JtR)
zip2john protected.zip > zip.hash

# Crack with hashcat (mode depends on ZIP type)
hashcat -a 0 -m 17200 zip.hash /usr/share/wordlists/rockyou.txt

Crack MS Office Document

# Extract hash with office2john (from JtR)
office2john.py document.docx > office.hash

# Crack with hashcat (mode depends on Office version)
hashcat -a 0 -m 9600 office.hash /usr/share/wordlists/rockyou.txt

Crack PDF

# Extract hash with pdf2john (from JtR)
pdf2john.py document.pdf > pdf.hash

# Crack with hashcat
hashcat -a 0 -m 10500 pdf.hash /usr/share/wordlists/rockyou.txt

Crack KeePass Database

# Extract hash with keepass2john (from JtR)
keepass2john database.kdbx > keepass.hash

# Crack with hashcat
hashcat -a 0 -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt