Hashcat
GPU-accelerated password recovery tool supporting 350+ hash types for validating password security and conducting credential audits.
# Hashcat
Hashcat is an open-source password recovery tool designed to reverse password hashes through high-speed, GPU-accelerated computation. It exists because password hashes, while not stored in plaintext, are not inherently secure: any hash algorithm that can be computed quickly can also be attacked quickly. Organizations deploy Hashcat during penetration tests, red team engagements, and incident response operations to determine whether their stored password hashes can be cracked within a realistic timeframe. The answer to that question directly informs password policy decisions, storage mechanism choices, and account security controls. Without tools like Hashcat, security teams would have no practical way to measure the actual resilience of their credential storage practices against real-world adversary techniques.
---
Hashcat is a command-line password recovery utility that accepts one or more cryptographic hash values as input and attempts to find the plaintext strings that produced those hashes. It operates entirely offline, meaning it does not interact with authentication services, does not trigger account lockouts, and does not appear in authentication logs. This distinguishes it sharply from online password attacks such as credential stuffing or brute-force login attempts against web applications or Active Directory endpoints.
Hashcat is not a hash-cracking service, a network attack tool, or a vulnerability scanner. It does not extract hashes from systems. Extraction is a separate step, accomplished through tools like Mimikatz, secretsdump, or Volatility-based memory forensics. Hashcat receives the output of that extraction process and performs the analytical work of reversing hashes to plaintext.
The tool supports more than 350 hash types, organized by numeric mode identifiers. Common modes include mode 0 (MD5), mode 1000 (NTLM), mode 1800 (SHA-512 Unix), modes 2500 and 22000 (WPA/WPA2 wireless), mode 13100 (Kerberoast), and mode 3200 (bcrypt). Each mode implements the specific computation required by that hash algorithm, including salting, stretching, and iteration logic where applicable.
Hashcat should not be confused with rainbow table attacks, which rely on precomputed hash-to-plaintext databases. Hashcat computes hashes in real time, which allows it to handle salted hashes that would defeat rainbow tables entirely. It is also distinct from John the Ripper, a competing tool with similar functionality but different performance characteristics and a different rule syntax. Security teams sometimes use both tools in parallel because their respective rule engines and wordlist handling differ in ways that produce complementary results.
---
Hashcat operates by accepting a target hash or a file containing multiple target hashes, selecting an attack mode, and then computing candidate hashes at maximum speed until a match is found or the search space is exhausted.
## Preprocessing and Configuration
Before any attack begins, the operator specifies the hash type using the -m flag, the attack mode using the -a flag, and the input source. The input source varies by attack mode: a wordlist file for dictionary attacks, a character set definition for brute-force and mask attacks, or two wordlist files for combinator attacks. The operator also specifies an output file where cracked pairs (hash:plaintext) will be written.
Hashcat reads the hash file and loads hash values into memory. For algorithms that use per-hash salts (bcrypt, SHA-512 Unix, Argon2), each hash includes its salt value within the hash string itself, and Hashcat incorporates that salt into every candidate computation for that specific hash.
## Attack Modes in Depth
Dictionary mode (-a 0) reads each line of a wordlist and computes the hash of that word. If the computed hash matches any target hash in the loaded set, that plaintext is recorded as cracked. A typical wordlist like rockyou.txt contains approximately 14 million entries. Hashcat can exhaust this list against NTLM hashes in under a second on a modern GPU.
Rule-based attacks extend dictionary mode by applying transformation rules to each input word before hashing. A rule might uppercase the first character, append two digits, substitute the letter "a" with "@", or reverse the string. Hashcat ships with rule sets including best64.rule and OneRuleToRuleThemAll.rule, which contains over 52,000 individual transformation rules. Applying that rule set to a wordlist of 14 million words generates over 700 billion candidate strings, covering an enormous portion of real-world user password patterns.
Mask attacks (-a 3) define character set patterns using positional placeholders. The mask "?u?l?l?l?d?d" specifies one uppercase letter, three lowercase letters, and two digits, targeting a common password pattern. The operator can define custom character sets for domain-specific patterns, such as targeting passwords that begin with a company name abbreviation.
Combinator attacks (-a 1) take two wordlists and concatenate every word from the first list with every word from the second list. This targets passwords like "bluesky" or "summer2024" where users concatenate common nouns.
## GPU Acceleration and Performance
Hashcat's performance advantage over CPU-based tools comes from offloading hash computations to the GPU. Modern GPUs contain thousands of shader cores designed for parallel floating-point and integer operations. Hash functions are computationally independent across candidates: computing the hash of "password1" does not depend on the result of computing the hash of "password2." This independence makes password cracking an ideal workload for GPU parallelism.
Hashcat communicates with GPUs through OpenCL or CUDA, depending on the hardware vendor. On a single consumer-grade NVIDIA RTX 4090, Hashcat achieves approximately 160 billion MD5 computations per second and approximately 100 billion NTLM computations per second. Bcrypt at cost factor 10 drops to roughly 184,000 computations per second on the same hardware, illustrating why algorithm choice matters so significantly.
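As an added worked example (not from the Hashcat project), the following Python computes how many candidates a hashcat mask generates, including custom charsets (?1 to ?4), and divides that count by the single-GPU rates quoted above to show why the same mask that falls in milliseconds against NTLM takes minutes against bcrypt. The masks and the "ACME" custom charset are assumed sample values.

```python
# Sizes of hashcat's built-in charsets: ?l ?u ?d ?s ?a ?h ?H ?b.
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}

# Single RTX 4090 figures quoted in the text, in hashes per second.
RATES = {"MD5 (-m 0)": 160e9, "NTLM (-m 1000)": 100e9, "bcrypt cost 10 (-m 3200)": 184e3}

def mask_keyspace(mask, custom=None):
    """Number of candidates a hashcat mask generates.
    custom maps 1..4 to the characters of a user-defined charset (?1..?4, given to
    hashcat with -1/-2/-3/-4); '??' is a literal '?', any other character is literal."""
    custom = custom or {}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            i += 1
            if i >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            c = mask[i]
            if c == "?":
                pass                                  # literal '?': one possibility
            elif c in BUILTIN:
                total *= BUILTIN[c]
            elif c.isdigit() and int(c) in custom:
                total *= len(set(custom[int(c)]))     # duplicates in a charset do not add
            else:
                raise ValueError(f"unknown charset ?{c}")
        i += 1                                        # literals contribute a factor of 1
    return total

def seconds_to_exhaust(mask, rate, custom=None):
    """Worst-case time to try every candidate of the mask at the given hash rate."""
    return mask_keyspace(mask, custom) / rate

def human(seconds):
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.3g}s"

if __name__ == "__main__":
    # Sample masks: the one from the text, a company-prefix pattern, and 8x ?a.
    for mask, custom in (("?u?l?l?l?d?d", None), ("?1?l?l?l?d?d?d", {1: "ACME"}), ("?a" * 8, None)):
        print(f"{mask}: {mask_keyspace(mask, custom):,} candidates")
        for name, rate in RATES.items():
            print(f"  {name:26s} {human(seconds_to_exhaust(mask, rate, custom))}")
```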
## Practical Scenario: Post-Breach Credential Assessment
Consider a scenario where a penetration tester has extracted the NTLM password hashes from a domain controller's NTDS.dit file using secretsdump. The file contains 4,200 hashes. The tester runs Hashcat in dictionary mode with the rockyou.txt wordlist and the best64 rule set. Within 30 minutes on a single GPU machine, 3,100 of the 4,200 hashes are cracked. Of those, 420 accounts share the password "Company2023!" or minor variations. This result tells the client that their password policy, which requires complexity and 90-day rotation, is producing predictable patterns that attackers can crack rapidly. The recommendation becomes: increase minimum length to 16 characters, disable complexity requirements in favor of passphrase guidance, and implement FIDO2 hardware authentication for privileged accounts.
## Session Management and Distributed Work
Hashcat supports named sessions, allowing operators to pause and resume long-running attacks without losing progress. The brain feature coordinates multiple Hashcat instances running in parallel, maintaining a shared record of already-tested candidates to prevent duplicated computation across distributed nodes. Temperature monitoring and automatic fan speed adjustment prevent GPU thermal throttling during extended sessions.
---
The practical significance of Hashcat in security operations comes down to one question: can an adversary who obtains your password database recover usable credentials before your organization detects and responds to the breach? For most organizations storing passwords in MD5, SHA-1, or unsalted SHA-256, the answer is yes, within hours.
## The Business Impact of Weak Hashing
When the LinkedIn breach of 2012 exposed 117 million SHA-1 password hashes without salt, the majority of those hashes were cracked within days of the data being published to underground forums. Those cracked passwords were then used in credential stuffing campaigns against other services, because password reuse was common. The downstream business impact included unauthorized account access across unrelated platforms, fraud losses, and reputational damage to LinkedIn that persisted for years. The technical root cause was a decision to use a fast, unsalted hash algorithm for password storage.
Hashcat makes this threat concrete and measurable. When a security team runs Hashcat against their own password hashes during an authorized assessment and cracks 60 percent within four hours, they have a data point that justifies investment in migrating to bcrypt, Argon2, or scrypt. Without that test, the organization relies on assumptions about adversary capability that are almost always optimistic.
## Common Misconceptions
A frequent misconception is that password complexity requirements make passwords resistant to cracking. In practice, users given complexity requirements produce predictable patterns: capitalize the first letter, put a number at the end, substitute one symbol. Hashcat rule sets are specifically designed to exploit these patterns. Complexity requirements create an illusion of security while delivering minimal actual resistance against GPU-accelerated attacks.
Another misconception is that long passwords are always secure regardless of algorithm. A 20-character password stored as unsalted MD5 can be cracked if it appears in a large wordlist or follows a predictable construction. Algorithm choice and salting matter independently of password length.
## Regulatory and Compliance Consequences
Organizations that suffer breaches involving cracked passwords face scrutiny under GDPR, HIPAA, PCI-DSS, and state-level privacy laws. Regulators and auditors increasingly ask whether password storage mechanisms meet current standards. Demonstrating that passwords were stored using appropriately slow, salted algorithms, and that periodic internal cracking assessments validated those controls, provides meaningful defensibility. Failing to have conducted those tests weakens the organization's position in post-breach regulatory proceedings.
---
The Cyber Defense Agency approaches password security through the Planetary Defense Model, specifically within the Identity and Access Threat (IAT) domain and the Vulnerability and Security Design (VSD) domain. The governing methodology is Zero Possession Architecture (ZPA): Trust nothing. Possess nothing. Verify everything.
From a ZPA standpoint, stored password hashes represent a category of possession that creates risk. Every hash database is a latent credential exposure waiting for the moment of extraction. The ZPA response is to minimize hash possession wherever possible: enforce federated identity through SAML or OIDC so that service providers never possess password hashes at all, implement hardware-bound authentication (FIDO2/WebAuthn) that eliminates shared secrets entirely, and architect systems so that even internal identity providers are not storing recoverable credential material.
Where possession of hashes cannot be eliminated, CDA mandates specific storage controls: Argon2id as the default password hashing algorithm with memory parameters tuned to produce computation times above 300 milliseconds per verification, bcrypt as the minimum acceptable alternative with a cost factor of no less than 12, and prohibition of MD5, SHA-1, and unsalted SHA-256 for any credential storage purpose.
CDA incorporates Hashcat operationally through mandatory Credential Resilience Assessments (CRAs). These assessments extract hashes from identity infrastructure in authorized test environments, run standardized Hashcat campaigns using the organization's own hardware profile as the adversary baseline, and measure the percentage of hashes cracked at the 1-hour, 8-hour, and 24-hour marks. Results feed directly into IAT risk scoring within the Planetary Defense Model. Any system where more than 10 percent of hashes crack within 8 hours receives a critical IAT finding requiring remediation within 30 days.
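To make the measurement concrete for both the post-breach scenario above and the CRA thresholds, here is added example code (not a CDA or Hashcat tool) that joins a secretsdump-style NTDS dump with a hashcat outfile and reports the percentage of accounts cracked at the 1-, 8- and 24-hour marks, the most-shared passwords, and whether the 10-percent-in-8-hours critical threshold is exceeded. Assumptions: the outfile carries a third column of seconds since the run started (hashcat can append timestamps via --outfile-format; the sample here is constructed), and every account, hash and plaintext is fabricated.

```python
from collections import Counter

# CRA parameters from the text: measurement marks and the critical-finding threshold.
CRA_MARKS_H = (1, 8, 24)
CRA_CRITICAL_PCT, CRA_CRITICAL_H = 10.0, 8

def parse_ntds(text):
    """secretsdump-style 'domain\\user:rid:lmhash:nthash:::' lines -> {account: nthash}."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4:
            users[parts[0]] = parts[3].lower()
    return users

def parse_outfile(text):
    """'hash:plaintext:seconds' lines -> {hash: (plaintext, seconds)}.
    The seconds column is an assumption of this example; a plaintext may itself
    contain ':' so the split is anchored on the first and last colon."""
    cracked = {}
    for line in text.splitlines():
        if line:
            digest, rest = line.split(":", 1)
            plain, secs = rest.rsplit(":", 1)
            cracked[digest.lower()] = (plain, int(secs))
    return cracked

def cra_report(ntds_text, outfile_text):
    """Percent of accounts cracked at each mark, most-shared passwords, and the IAT verdict."""
    users, cracked = parse_ntds(ntds_text), parse_outfile(outfile_text)
    total = len(users)
    pct_at = {}
    for hours in CRA_MARKS_H:
        n = sum(1 for h in users.values() if h in cracked and cracked[h][1] <= hours * 3600)
        pct_at[hours] = round(100.0 * n / total, 1) if total else 0.0
    # NTLM is unsalted, so accounts with equal hashes share a password: count per account.
    shared = Counter(cracked[h][0] for h in users.values() if h in cracked)
    return {"accounts": total, "pct_cracked_at_h": pct_at,
            "top_passwords": shared.most_common(3),
            "critical_iat_finding": pct_at[CRA_CRITICAL_H] > CRA_CRITICAL_PCT}

# Constructed sample: ten accounts, fake NT hashes, the well-known empty LM hash.
NTDS_SAMPLE = "\n".join(
    f"CORP\\{u}:{1100 + i}:aad3b435b51404eeaad3b435b51404ee:{h}:::"
    for i, (u, h) in enumerate([("alice", "1" * 32), ("bob", "1" * 32), ("carol", "1" * 32),
                                ("dave", "1" * 32), ("erin", "2" * 32), ("frank", "3" * 32),
                                ("grace", "4" * 32), ("heidi", "5" * 32), ("ivan", "6" * 32),
                                ("judy", "7" * 32)]))
OUTFILE_SAMPLE = "\n".join([f"{'1' * 32}:Company2023!:120", f"{'2' * 32}:Summer2024:5000",
                            f"{'3' * 32}:Tr:ick:y:36000"])
```

Running cra_report(NTDS_SAMPLE, OUTFILE_SAMPLE) on the constructed data shows 40, 50 and 60 percent cracked at the three marks, four accounts sharing "Company2023!", and a critical finding because the 8-hour figure exceeds 10 percent.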
This approach differs from conventional penetration testing practice, which often treats Hashcat use as optional or ad hoc. CDA treats it as a required measurement instrument, the same way a physical security assessment requires testing lock resistance rather than assuming it. The ZPA principle of "verify everything" means that assumptions about password storage security are never accepted: they are tested, measured, and documented.
---
Written by CDA Editorial