How to use HASHCAT in Kali Linux?

The legendary Hashcat

Hashcat is a legendary password cracker designed to crack even the most complex passwords. The popular tool allows you to crack a password in different ways. Hashcat translates the data into a hashed state (it’s a fixed-size random string). Hashes do not allow someone to decrypt the data using a specific key, as standard encryption protocols allow. The traditional hashing attack can be considered obsolete, and the Hashcat development team recommends the masking attack as a complete replacement. Hashcat uses pre-computed dictionaries, rainbow tables, and even brute force techniques to find an efficient and effective way to crack passwords. The program allows us to configure an attack with specified rules and masks. Hashcat is a very interesting GPU application for password cracking. Allows you to multiply the speed of password retrieval when using different encryption algorithms: md5, md4, sha1, sha256 and others. The program uses a parallel sorting algorithm based on CUDA (NVidia) and OpenCL (AMD/ATI) technology.

The program is cross-platform and works on all versions of Windows, Linux and Max OS X. In Kali Linux, it is installed on the system. Hashcat offers a variety of attack models to obtain efficient and comprehensive coverage of the hash space. Many of the algorithms supported by Hashcat can be cracked in less time using the well-documented capabilities of GPUs. The oclHashcat program is intended for this purpose, when using it, a significant increase in such algorithms as MD5, SHA1 and others is achieved. Currently, Hashcat has combined these two separate branches of the program. Now absolutely all versions have been merged into one, which uses the central processor and video card when recovering passwords.

Features of Hashcat

  • Free of charge

  • Session support

  • Recovery support

  • The world’s fastest cracker

  • Built-in system of benchmarks

  • Integrated thermal guard

  • Open Source (MIT License)

  • Interactive pause/resume support

  • Multi-platform (Linux, Windows and OSX)

  • Many hashes (simultaneous cracking of many hashes)

  • Support for automatic performance fine-tuning

  • Support for automatic ordering of the key space of Markov chains

  • Supports distributed hacking over the network (using an overlay)

  • Support for hex salts and hex character sets

  • Support for reading password candidates from a file and standard input

  • Support for distributed hacking systems (using an additional segment)

  • The world’s first and only intranuclear rule engine

  • 350+ implemented with performance in mind hash types

  • Uses multiple devices (uses multiple devices on the same system)

  • Uses different types of devices (uses different types of devices on the same system)

  • Multi-platform (CPU, GPU, DSP, FPGA, etc., anything that comes with the OpenCL runtime)

Installation and help

In Kali Linux, the utility is already installed. If you don’t have it, use the following commands:

apt update

apt install hashcat

To display help, we use the –help argument:

hashcat –help

Example of use

The -b option starts the hashcat benchmark. This benchmark measures how fast passwords are sorted. Running the benchmark will be successful only if the drivers are installed correctly and everything is fine. That is, Benchmark is also a way to check the system and hashcat. The speed is displayed for each device separately, as well as for all devices together (record Speed.Dev.#*).

Let’s assume we are given the hash 53ab0dff8ecc7d5a18b4416d00568f02, which needs to be cracked. This hash is known to be obtained using the MD5 hashing algorithm (that is, it is an MD5 hash). It is also known that the encrypted string consists only of small letters of the English alphabet and has a length of six to ten characters.

In order to properly launch an attack in Hashcat, it is necessary to specify the type of hash being attacked. For this, the -m option is used, after which a number corresponding to the selected hash type must be specified. The number can be found in the help of the tool. In our case, the number is “0”.

Based on the knowledge gained, we launch the attack:

hashcat.exe -m 0 -a 0 53ab0dff8ecc7d5a18b4416d00568f02 dict.txt

dict.txt is the path to the dictionary file.

The first line 53ab0dff8ecc7d5a18b4416d00568f02:hackware contains the hash that is being attacked and after the colon the cracked password – in this case it is hackware. It is not necessary to specify the hash in the command line – it can be written to a file, then when the hack is launched, the path to the file containing the hash is indicated. If you repeat the examples, you will see the message: INFO: All hashes found in potfile! Use –show to display them. It means that the hash you are trying to crack has already been cracked before. All cracked hashes are stored in hashcat.potfile in the same directory as Hashcat. This file can be deleted to re-run the attack on the same hash in different ways. There is also a –show option, after which you need to specify the hash of interest: hashcat –show 53ab0dff8ecc7d5a18b4416d00568f02 and if it is found in the file hashcat.potfile, information about the cracked password will be displayed.

Mask attack

Hashcat does not have such a mode as brute force – a complete search of passwords. He was swallowed by the mask attack mode. This is a more flexible type of attack, which allows you to implement both full traversal and traversal based on fine-tuned criteria.

Sets of symbols are used to compose masks. Character sets in Hashcat are of two types:

  • built-in character sets

  • user character set

In Hashcat, the built-in character set is:

For example, ?u means all capital letters, ?d – all numbers. Suppose we know that the password consists of four characters, the first two characters are capital letters, and the third and fourth characters are numbers, then the mask will be:


To crack the password from our hash given as an example, it is necessary to create a mask consisting of eight characters, each of which is a lowercase letter. This is a mask: ?l?l?l?l?l?l?l?l

hashcat -m 0 -a 3 53ab0dff8ecc7d5a18b4416d00568f02 ?l?l?l?l?l?l?l?l

In order to generate passwords of different lengths, there are the following options:

  • -i – Enable mask zoom mode

  • –increment-min | Number | Start mask increment by X, usage example: –increment-min=4

  • –increment-max | Number | Stop mask increment at X, usage example: –increment-max=8

The -i option is optional. If it is used, it means that the length of the password candidates should not be fixed, it should increase by the number of characters. The –increment-min option is also optional. It defines the minimum length of password candidates. If the -i option is used, -increment-min defaults to 1. And the –increment-max option is optional. It determines the maximum length of password candidates. If the -i option is specified but the –increment-max option is omitted, it defaults to the mask length.

Rules for using mask enlargement options

  • the -i option must be specified before using –increment-min and –increment-max

  • the value of the –increment-min option can be less than or equal to the value of the –increment-max option, but cannot exceed it

  • the length of the mask can be greater than or equal to the number of characters set by the –increment-max option, but the length of the mask cannot be less than the character length set by –increment-max.

Found an error?
If you find an error, take a screenshot and send it to the bot.