Back to Password Attacks and Exploitation Frameworks

Password Cracking with Hashcat

5 minutes 5 Questions

Hashcat is one of the most powerful and widely used password cracking tools in cybersecurity, frequently covered in GCIH certification training. It is an advanced CPU and GPU-based password recovery utility that supports over 300 hashing algorithms, including MD5, SHA-1, SHA-256, NTLM, bcrypt, and …

Password Cracking with Hashcat: A Comprehensive Guide for GIAC GCIH

Why Password Cracking with Hashcat Is Important

Password cracking is a fundamental skill in both offensive and defensive security. Understanding how attackers crack passwords helps incident handlers assess the risk of credential exposure following a breach, determine the strength of organizational password policies, and respond effectively to incidents involving stolen credential databases. Hashcat is the industry-leading password recovery tool, and the GIAC GCIH certification expects candidates to understand its operation, capabilities, and practical use in real-world scenarios.

From a defensive perspective, knowing how quickly passwords can be cracked allows security professionals to recommend stronger hashing algorithms, enforce better password complexity requirements, and implement additional protections such as salting and key stretching. From an offensive perspective, password cracking is a critical step during penetration testing and red team exercises.

What Is Hashcat?

Hashcat is a high-performance, open-source password recovery tool that supports over 300 hash types. It is considered the world's fastest password cracker due to its ability to leverage the massive parallel processing power of GPUs (Graphics Processing Units), in addition to CPUs. Hashcat runs on Windows, Linux, and macOS.

Key characteristics of Hashcat include:

- GPU Acceleration: Hashcat harnesses the power of one or more GPUs to perform billions of hash computations per second, dramatically outperforming CPU-only tools.
- Wide Hash Support: It supports MD5, SHA-1, SHA-256, SHA-512, NTLM, NetNTLMv1, NetNTLMv2, bcrypt, WPA/WPA2, Kerberos TGS (Kerberoasting), and hundreds more.
- Multiple Attack Modes: Hashcat offers several attack strategies to suit different scenarios.
- Rule Engine: A powerful built-in rule engine allows complex password candidate manipulation.
- Session Management: Cracking sessions can be paused, resumed, and checkpointed.

How Hashcat Works

At its core, Hashcat takes a list of hashes as input, generates password candidates using a chosen attack mode, hashes each candidate using the appropriate algorithm, and compares the result against the target hashes. When a match is found, the plaintext password is recovered.

Basic Command Syntax:

hashcat -m [hash_type] -a [attack_mode] [hash_file] [dictionary/mask]

Key Flags:
- -m : Specifies the hash type (e.g., -m 0 for MD5, -m 1000 for NTLM, -m 13100 for Kerberos 5 TGS-REP, -m 5600 for NetNTLMv2)
- -a : Specifies the attack mode
- -r : Specifies a rule file
- -o : Specifies the output file for cracked passwords
- --force : Forces execution even if warnings are present
- --show : Displays previously cracked passwords from the potfile

Attack Modes in Hashcat

1. Straight/Dictionary Attack (-a 0):
This is the most common attack mode. Hashcat reads password candidates directly from a wordlist file (such as rockyou.txt) and hashes each one for comparison.

Example: hashcat -m 0 -a 0 hashes.txt rockyou.txt

This mode is highly effective because many users choose common passwords. It can be enhanced significantly with rules.

2. Combination Attack (-a 1):
Combines words from two different dictionaries. For example, if dictionary 1 contains "pass" and dictionary 2 contains "word", the candidate "password" would be generated.

Example: hashcat -m 0 -a 1 hashes.txt dict1.txt dict2.txt

3. Brute-Force/Mask Attack (-a 3):
Uses a mask to define the character set and length for each position in the candidate password. This is more efficient than a pure brute-force because you can target specific patterns.

Built-in Charsets:
- ?l = lowercase letters (a-z)
- ?u = uppercase letters (A-Z)
- ?d = digits (0-9)
- ?s = special characters
- ?a = all printable characters (?l?u?d?s)

Example: hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?d?d?d
This would try candidates like "Hello123" — an uppercase letter, four lowercase, three digits.

4. Hybrid Attacks (-a 6 and -a 7):
These combine dictionary and mask attacks. Mode -a 6 appends mask characters to dictionary words (e.g., password + ?d?d = password01). Mode -a 7 prepends mask characters to dictionary words.

Example: hashcat -m 0 -a 6 hashes.txt rockyou.txt ?d?d?d

5. Rule-Based Attack:
Rules are applied to dictionary words to create mutations. Rules can capitalize letters, append numbers, substitute characters (leet speak), reverse strings, and more. Hashcat ships with powerful rule files like best64.rule, dive.rule, and rockyou-30000.rule.

Example: hashcat -m 0 -a 0 hashes.txt rockyou.txt -r best64.rule

Common Hash Types for the GCIH Exam

You should know the following hash mode numbers and their contexts:

- -m 0: MD5 — commonly used for web application password storage (weak, fast to crack)
- -m 100: SHA-1 — slightly stronger than MD5 but still considered weak
- -m 1000: NTLM — Windows password hashes stored in SAM database or extracted via tools like Mimikatz
- -m 5500: NetNTLMv1 — captured during LLMNR/NBT-NS poisoning (e.g., via Responder)
- -m 5600: NetNTLMv2 — the more modern version captured during network poisoning attacks
- -m 13100: Kerberos 5 TGS-REP (Kerberoasting) — Service ticket hashes extracted from Active Directory
- -m 2500: WPA/WPA2 — wireless handshake cracking
- -m 3200: bcrypt — a slow, salted hash; very resistant to GPU cracking
- -m 1800: sha512crypt — Linux /etc/shadow format ($6$ prefix)
- -m 500: md5crypt — Older Linux /etc/shadow format ($1$ prefix)

Important Concepts Related to Hashcat

Salting: A salt is a random value added to a password before hashing. It ensures that identical passwords produce different hashes, defeating precomputed rainbow table attacks. Hashcat handles salted hashes natively for supported formats, but salting significantly slows down the cracking process because each hash must be attacked individually.

Key Stretching / Adaptive Hashing: Algorithms like bcrypt, scrypt, and PBKDF2 are deliberately slow, performing many iterations of hashing. This dramatically reduces the number of guesses per second, even on powerful GPUs. Hashcat supports these, but cracking speeds drop from billions per second (MD5/NTLM) to thousands or even hundreds per second (bcrypt).

Potfile: Hashcat stores all cracked hash:password pairs in a potfile (hashcat.potfile by default). It automatically skips already-cracked hashes in future sessions. Use --show to display cracked results.

Offline vs. Online Attacks: Hashcat performs offline attacks — the attacker has already obtained the hash database and can crack at maximum speed without triggering account lockouts. This contrasts with online attacks (e.g., Hydra, Medusa) which guess passwords against live services and are limited by network speed and lockout policies.

Practical Workflow Example: Kerberoasting

1. An attacker gains a foothold in an Active Directory environment.
2. Using a tool like Rubeus or Impacket's GetUserSPNs.py, the attacker requests Kerberos TGS tickets for service accounts.
3. The TGS tickets are encrypted with the service account's NTLM hash.
4. The attacker extracts these ticket hashes and feeds them into Hashcat:

hashcat -m 13100 -a 0 tgs_hashes.txt rockyou.txt -r best64.rule

5. If the service account has a weak password, Hashcat cracks it quickly, giving the attacker the plaintext password for that service account, which often has elevated privileges.

Practical Workflow Example: Cracking NTLM Hashes from a SAM Dump

1. An attacker dumps the SAM database using tools like secretsdump.py, Mimikatz, or hashdump in Meterpreter.
2. NTLM hashes are extracted (format: username:RID:LM_hash:NTLM_hash:::).
3. The NTLM hashes are fed to Hashcat:

hashcat -m 1000 -a 0 ntlm_hashes.txt rockyou.txt -r dive.rule

4. NTLM hashes are unsalted and fast to compute, so cracking speeds are extremely high (billions per second on modern GPUs).

Practical Workflow Example: Cracking Captured NetNTLMv2 Hashes

1. An attacker uses Responder to poison LLMNR/NBT-NS requests on the network.
2. Victim machines send NetNTLMv2 challenge-response hashes to the attacker.
3. These are cracked with:

hashcat -m 5600 -a 0 netntlmv2_hashes.txt rockyou.txt

Note: NetNTLMv2 hashes cannot be used for pass-the-hash attacks — they must be cracked or relayed.

Hashcat vs. John the Ripper

Both are popular password cracking tools, but there are key differences:
- Hashcat excels at GPU-based cracking and is generally faster for large-scale operations.
- John the Ripper is more flexible with exotic/custom hash formats and works well on CPU.
- Hashcat has a steeper learning curve but more granular control over attack parameters.
- For the GCIH exam, know that both exist but Hashcat is the preferred tool for GPU-accelerated cracking.

Defensive Countermeasures

Understanding Hashcat helps defenders implement proper mitigations:
- Use strong, slow hashing algorithms (bcrypt, scrypt, Argon2) instead of MD5/SHA-1/NTLM.
- Always use unique salts per password.
- Enforce long, complex passwords or passphrases (length matters more than complexity).
- Implement multi-factor authentication (MFA) to reduce reliance on passwords alone.
- Use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) to defend against Kerberoasting by ensuring service account passwords are long and random.
- Monitor for indicators of credential theft (unusual Kerberos ticket requests, SAM access, LSASS memory access).
- Regularly audit password strength by proactively cracking your own organization's hashes.

Exam Tips: Answering Questions on Password Cracking with Hashcat

1. Memorize key hash mode numbers: Know -m 0 (MD5), -m 1000 (NTLM), -m 5600 (NetNTLMv2), -m 13100 (Kerberos TGS/Kerberoasting), -m 2500 (WPA/WPA2), and -m 3200 (bcrypt). These are the most commonly tested.

2. Know the attack modes: Understand the difference between -a 0 (dictionary), -a 3 (mask/brute-force), -a 1 (combination), -a 6 (hybrid dictionary+mask), and -a 7 (hybrid mask+dictionary).

3. Understand mask syntax: Be able to read and interpret mask patterns. If you see ?u?l?l?l?l?l?d?d, know it means one uppercase, five lowercase, two digits.

4. Distinguish between hash types: The exam may present a hash and ask you to identify it or select the correct Hashcat mode. NTLM hashes are 32 hex characters. NetNTLMv2 hashes have a specific format with username, domain, and challenge-response components. MD5 is also 32 hex characters but context matters (web app vs. Windows).

5. Know the difference between NTLM and NetNTLMv2: NTLM (-m 1000) is a stored hash that can be used for pass-the-hash. NetNTLMv2 (-m 5600) is a challenge-response captured on the wire that must be cracked or relayed — it cannot be used for pass-the-hash.

6. Connect Hashcat to attack chains: Exam questions may describe a scenario (e.g., Responder captures, Kerberoasting, SAM dump) and ask what tool and mode to use next. Recognize the attack chain and select the appropriate Hashcat hash mode.

7. Understand why some hashes are harder to crack: bcrypt and scrypt are intentionally slow. NTLM and MD5 are fast. If a question asks about choosing a secure hashing algorithm, prefer bcrypt/scrypt/Argon2.

8. Rules enhance dictionary attacks: If asked how to improve the effectiveness of a dictionary attack without switching to brute-force, the answer is applying rule files (-r).

9. Offline vs. Online: Hashcat is always an offline tool. If a question describes rate-limiting or account lockout, that applies to online attacks (Hydra, Medusa), not Hashcat.

10. Read the command carefully: Exam questions may present a Hashcat command line and ask you to interpret it. Break it down: identify the hash type (-m), attack mode (-a), input files, and any rules or masks.

11. GPU vs. CPU: Remember that Hashcat's primary advantage is GPU acceleration. If asked why Hashcat is faster than alternatives, the answer relates to GPU parallel processing.

12. Potfile behavior: Know that Hashcat uses a potfile to track cracked hashes and uses --show to display results. If a question mentions that Hashcat reports "All hashes found in potfile," it means those hashes were already cracked in a previous session.

13. Practice interpreting scenario-based questions: The GCIH exam often frames questions within incident response scenarios. For example: "During an investigation, you discover the attacker used Responder to capture credentials and then ran hashcat -m 5600 -a 0 captured.txt wordlist.txt. What type of hashes was the attacker cracking?" The answer is NetNTLMv2.

14. Time management: Password cracking questions on the GCIH exam are typically straightforward if you know the key parameters. Don't overthink — identify the hash type, the attack context, and match it to the correct mode and methodology.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

Unlock Premium Access

GIAC Certified Incident Handler (GCIH) + ALL Certifications

Access to ALL Certifications: Study for any certification on our platform with one subscription
3480 Superior-grade GIAC Certified Incident Handler (GCIH) practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
GCIH: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

More Password Cracking with Hashcat questions

60 questions (total)

Start 60 question test