Ultimate Hashcat Cheat Sheet




The world's fastest password cracker. GPU power required.

1. Basic Usage

The syntax for Hashcat is generally: hashcat [options] hash wordlist.

Dictionary Attack

Crack an MD5 hash using the rockyou wordlist.

hashcat -m 0 -a 0 hashes.txt rockyou.txt

Show Cracked Hashes

Hashcat stores results in a "potfile". To view results you've already cracked, use --show.

hashcat -m 0 --show hashes.txt

Tip: Always identify the hash type first (use hash-identifier or an online tool) to find the correct -m number.

2. Attack Modes (-a)

Hashcat has specific modes for how it generates guesses. Use the -a flag.

Code   Mode          Description
-a 0   Straight      Standard wordlist attack.
-a 1   Combination   Combines two words from two lists (Left + Right).
-a 3   Brute-Force   Mask attack. Tries every character combination.
-a 6   Hybrid 1      Wordlist + Mask (e.g., password123).
-a 7   Hybrid 2      Mask + Wordlist (e.g., 123password).

3. Common Hash Types (-m)

You must specify the hash type. Below are the most common codes.

General

  • -m 0: MD5
  • -m 100: SHA1
  • -m 1400: SHA256
  • -m 1700: SHA512

Windows / Web

  • -m 1000: NTLM (Windows)
  • -m 3000: LM (Old Windows)
  • -m 1800: sha512crypt (Linux Shadow)
  • -m 3200: bcrypt (Blowfish)

WiFi (WPA)

  • -m 22000: WPA-PBKDF2-PMKID+EAPOL (Modern)
  • -m 2500: WPA/WPA2 (Deprecated)

To search for a specific hash type code:

hashcat --help | grep "MySQL"

4. Mask Attack (-a 3)

Used when you know the structure of the password (e.g., 6 lowercase letters followed by 2 numbers).

Mask   Description         Example
?l     Lowercase (a-z)     abc
?u     Uppercase (A-Z)     ABC
?d     Digits (0-9)        123
?s     Special Symbols     !@#
?a     All characters      Any

Example Commands

8 character password (Lower + Digit + Digit ...):

hashcat -a 3 -m 0 hash.txt '?l?d?d?d?d?d?d?d'

Increment (Try 1 char, then 2, up to 5):

hashcat -a 3 -m 0 hash.txt --increment --increment-max 5 '?a?a?a?a?a'

5. Rules & Hybrid Attacks

Rule-Based Attack

Take a wordlist and apply transformations (uppercase, append numbers, leetspeak) using the "Best64" or "OneRuleToRuleThemAll" rule sets.

hashcat -a 0 -m 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Hybrid Attack (Wordlist + Mask)

Use this to crack "Wordlist" + "Year" (e.g., Summer2023).

hashcat -a 6 -m 0 hash.txt rockyou.txt '?d?d?d?d'

6. Performance & Optimization

Workload Profiles (-w)

Tell Hashcat how much of your GPU to use. Default is 2.

  • -w 1: Low (Desktop use while cracking)
  • -w 3: High (Dedicated cracking machine)
  • -w 4: Nightmare (Max performance, may freeze desktop)

hashcat -m 0 hash.txt rockyou.txt -w 3 -O

Optimized Kernels (-O)

Use -O to enable optimized kernels. They limit the max password length to 32 characters, which significantly speeds up cracking; candidates longer than the limit are skipped.

Device Selection

List devices:

hashcat -I

Select specific GPU (e.g., Device 2):

hashcat -d 2 ...