Hashcat Tutorial
Intermediate · ⏱ 20 min read · Bug Bounty & Offensive Security
Crack hashes at GPU speed. Master Hashcat.
Hashcat is the world's fastest password recovery tool leveraging GPU acceleration to crack hashes at billions of guesses per second.
Prerequisites
- Hashcat installed (hashcat.net)
- GPU with updated drivers
- Wordlists (rockyou.txt minimum)
- Sample hashes to crack
Installation & GPU Setup
Install hashcat and verify GPU recognition with --benchmark.
Supported GPUs
NVIDIA (CUDA) and AMD (OpenCL) supported. RTX 4090 offers best single-GPU performance.
Hash Identification
Identify hash type first using hashid or hash-identifier, then find the hashcat mode number.
Attack Modes
Dictionary (-a 0), Combination (-a 1), Brute-force/Mask (-a 3), Rule-based (-a 0 -r), Hybrid (-a 6, -a 7).
Rules & Wordlist Engineering
Rules transform wordlist entries: capitalize, append digits, leet-speak. Combine with quality wordlists.
Common Hash Types
NTLM (1000), bcrypt (3200), SHA-256 (1400), MD5 (0), Kerberoast (13100), NetNTLMv2 (5600).
Performance Optimization
Tune workload (-w 3), optimize kernel, use --session for resumable cracks.
Frequently Asked Questions
Is Hashcat legal?
Legal on hashes from authorized pentests or your own systems. Cracking stolen credentials is illegal.
Hashcat vs John the Ripper?
Hashcat excels at GPU cracking with more hash types. John is better for CPU-based cracking. Most pros use both.
Best GPU in 2026?
NVIDIA RTX 4090 or 5090 for single-GPU. Multi-GPU rigs with 4080/4090s for teams.