🛡️ Methodology Checklist
- Identify hash mode (the mode number is printed on the line before the hash name, hence -B1):
hashcat --example-hashes | grep -B1 -A3 -i '[HASH_NAME]'
- Dictionary attack:
hashcat -m [MODE] [HASH_FILE] [WORDLIST]
- Rules:
hashcat -m [MODE] [HASH_FILE] [WORDLIST] -r /usr/share/hashcat/rules/best64.rule
- Mask attack (brute):
hashcat -m [MODE] [HASH_FILE] -a 3 ?u?l?l?l?d?d?d?d
- Combination:
hashcat -m [MODE] [HASH_FILE] -a 1 [WORDLIST1] [WORDLIST2]
- Check GPU/OpenCL devices (-I lists what hashcat can see; during a run press s for live status, or add --status to auto-refresh it):
hashcat -I
- Show cracked (read back from the potfile, no re-cracking):
hashcat -m [MODE] [HASH_FILE] --show
🎯 Operational Context
Use when: Hash obtained (NTLM, Net-NTLMv2, Kerberoast, DPAPI, bcrypt) — GPU-accelerated offline cracking with hashcat.
Think Dumber First: Always try rockyou first (-a 0 -m [MODE] hash.txt rockyou.txt) before rules. Then rockyou + best64.rule. NTLM cracks in seconds with GPU for common passwords — don’t over-engineer the first attempt.
Skip when: bcrypt with cost factor ≥12 and no short wordlist — not worth GPU time; prioritize other attack paths.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| hashcat -a 0 -m 0 [HASH_FILE] /usr/share/wordlists/rockyou.txt | Dictionary attack (MD5) |
| hashcat -a 0 -m 1000 [HASH_FILE] /usr/share/wordlists/rockyou.txt | Dictionary attack (NTLM) |
| hashcat -a 0 -m 1800 [HASH_FILE] /usr/share/wordlists/rockyou.txt | Dictionary attack (sha512crypt, Linux /etc/shadow) |
| hashcat -a 0 -m 5600 [HASH_FILE] /usr/share/wordlists/rockyou.txt | Dictionary attack (NetNTLMv2) |
| hashcat -a 0 -m 0 [HASH_FILE] rockyou.txt -r /usr/share/hashcat/rules/best64.rule | Dictionary + rules |
| hashcat -a 3 -m 0 [HASH_FILE] '?u?l?l?l?l?d?s' | Mask attack (known password pattern) |
| hashcat -a 1 passlist.txt passlist.txt --stdout > combined.txt | Combinator mode: join two wordlists and write the candidates to a file instead of cracking |
| hashcat -m [ID] [HASH_FILE] --show | Show already-cracked passwords (from the potfile) |
| hashcat --help \| grep -i "[KEYWORD]" | Search hash modes by name |
| hashid -m [HASH] | Identify hash type + hashcat mode number |
| hashcat -a 0 -m 22100 [HASH_FILE] rockyou.txt | Crack BitLocker hash (mode 22100; hash extracted with bitlocker2john) |
| hashcat -a 0 -m 2100 [HASH_FILE] rockyou.txt | Crack DCC2 cached domain creds |
🔬 Deep Dive & Workflow
General Syntax
hashcat -a <attack_mode> -m <hash_type_id> <hash_file> [wordlist/mask] [options]
Critical Hash Mode IDs
| ID | Hash Type | Notes |
|---|---|---|
| 0 | MD5 | Web applications |
| 100 | SHA1 | |
| 1000 | NTLM | Windows local accounts (SAM / NTDS.dit dumps) |
| 1800 | sha512crypt $6$ | Linux /etc/shadow |
| 3200 | bcrypt $2*$ | Modern web apps (slow; cost factor sets the speed) |
| 5600 | NetNTLMv2 | Captured network hashes; not the same thing as NTLM (1000) |
| 2100 | DCC2 (mscash2) | Windows cached domain creds (slow) |
| 22100 | BitLocker | Encrypted drive volumes |
Attack Mode Reference
| Mode | Flag | Use Case |
|---|---|---|
| Dictionary | -a 0 | Wordlist against hash |
| Combinator | -a 1 | Join two wordlists together |
| Mask | -a 3 | Brute-force with known pattern |
| Dictionary + Rules | -a 0 -r rules | Expand wordlist with mutations |
Mask Attack — When You Know the Pattern
Use built-in charsets:
| Symbol | Matches |
|---|---|
| ?l | Lowercase a-z (26) |
| ?u | Uppercase A-Z (26) |
| ?d | Digit 0-9 (10) |
| ?s | Special chars: space plus the 32 ASCII punctuation marks (33) |
| ?a | All of the above (95) |
Example — password like “Password1!”:
# Pattern: Capital + 7 lowercase + digit + special (10 characters; keyspace 26^8 x 10 x 33, about 6.9 x 10^13 candidates)
hashcat -a 3 -m 0 hash.txt '?u?l?l?l?l?l?l?l?d?s'
Rules — Extending Wordlists Without Expanding Files
Rules apply transformations at crack time; the wordlist file stays small:
hashcat -a 0 -m 1000 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
best64.rule is a short list of high-yield mutations (case changes, appended digits, l33t-style substitutions, reversal, and so on). Every rule line is applied to every word, so the candidate count is words x rules; larger rule sets such as dive.rule give more coverage at a proportionally longer run.
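As an added worked example (not hashcat's code and not from the original page), the following Python reimplements in miniature what the mask attack and the rules attack above do internally: candidate generation from a mask using the built-in charsets from the table, a subset of the rule functions that best64.rule lines are built from (c, $X, ^X, sXY, r, u, and a few more), and the hash-and-compare loop. It uses raw MD5 (-m 0) because hashlib always provides it; the three-word wordlist, the seven rule lines and the five target hashes are constructed for the demo, and the narrowed mask Qwert?l?d?d?s stands in for the full ?u?l?l?l?l?l?d?d?s a GPU run would use. It shows what the prose states: 3 words x 7 rules = 21 candidates, and a mask with literal characters for the one hash no wordlist covers.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List

# ---- attack mode 3: masks, built-in charsets from the table above ----
CHARSETS: Dict[str, str] = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,   # 33 chars: space plus 32 ASCII punctuation marks
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]  # 95


def parse_mask(mask: str) -> List[str]:
    """One charset per position. '??' is a literal '?'; any other bare
    character is a literal with exactly one choice."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            sel = mask[i + 1]            # dangling '?' is a malformed mask: let it raise
            positions.append("?" if sel == "?" else CHARSETS[sel])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask: str) -> int:
    n = 1
    for charset in parse_mask(mask):
        n *= len(charset)
    return n


def mask_candidates(mask: str) -> Iterator[str]:
    # Plain product order; hashcat's own order is Markov-optimised, so it differs.
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


# ---- attack mode 0 with -r: a subset of hashcat's rule functions ----
SIMPLE = {
    ":": lambda w: w, "l": str.lower, "u": str.upper, "t": str.swapcase,
    "c": lambda w: w[:1].upper() + w[1:].lower(),   # capitalise
    "C": lambda w: w[:1].lower() + w[1:].upper(),   # invert capitalise
    "r": lambda w: w[::-1], "d": lambda w: w + w, "f": lambda w: w + w[::-1],
    "[": lambda w: w[1:], "]": lambda w: w[:-1],
}


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (functions separated by spaces) left to right."""
    w, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn == " ":
            i += 1
        elif fn in SIMPLE:
            w = SIMPLE[fn](w)
            i += 1
        elif fn == "$":                  # $X: append X
            w += rule[i + 1]
            i += 2
        elif fn == "^":                  # ^X: prepend X
            w = rule[i + 1] + w
            i += 2
        elif fn == "s":                  # sXY: replace every X with Y
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 3
        else:
            raise ValueError(f"rule function {fn!r} not implemented (rule {rule!r})")
    return w


def rule_candidates(words: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    rules = list(rules)
    for word in words:                   # every rule against every word: words x rules
        for rule in rules:
            yield apply_rule(word, rule)


# ---- the crack loop, raw MD5 (-m 0) because hashlib always has it ----
def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack(targets: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    pending, found = set(targets), {}
    for cand in candidates:
        if not pending:
            break
        digest = md5hex(cand)
        if digest in pending:
            found[digest] = cand
            pending.remove(digest)
    return found


# Constructed demo inputs: a three-word stand-in for rockyou, best64-style rule
# lines, and five targets whose plaintexts only this demo knows.
WORDS = ["password", "summer", "baseball"]
RULES = [":", "c", "c $1", "c $1 $!", "sa@", "r", "u $2 $0 $2 $3"]
TARGETS = [md5hex(p) for p in ("Password1!", "b@seb@ll", "remmus", "SUMMER2023", "Qwerty12#")]


def demo() -> Dict[str, str]:
    hits = crack(TARGETS, rule_candidates(WORDS, RULES))            # 21 candidates, 4 hits
    leftover = [t for t in TARGETS if t not in hits]                # "Qwerty12#" is in no wordlist
    hits.update(crack(leftover, mask_candidates("Qwert?l?d?d?s")))  # 85,800 candidates
    return hits


if __name__ == "__main__":
    print("keyspace of ?u?l?l?l?l?l?l?l?d?s:", keyspace("?u?l?l?l?l?l?l?l?d?s"))
    for digest, plain in demo().items():
        print(f"{digest}:{plain}")
```

Two things to carry back to the real tool: a rule run costs words x rules hash computations, so a 64-line rule file makes a rockyou run 64 times longer, and a mask's cost is the product of its charset sizes, which is why fixing even one position to a literal (a known prefix, a year) shrinks the keyspace by a factor of 26 to 95.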
Combinator Workflow (Long Password Policy Bypass)
When policy requires 12+ chars, users often combine two words:
# Step 1: combine wordlist with itself (--stdout writes the candidates to a file instead of cracking; the file has N^2 lines)
hashcat -a 1 passlist.txt passlist.txt --stdout > combined.txt
# "baseball" + "1998" → "baseball1998"
# Step 2: apply rules to meet complexity (this is why the file is written out: -a 1 cannot take -r directly)
hashcat -a 0 -m 1000 hash.txt combined.txt -r custom.rule
Performance Flags
| Flag | Effect |
|---|---|
-O | Optimized kernels (faster, max password length limited) |
-w 3 | High workload profile (uses more GPU) |
| --force | Ignore warnings (e.g. an unsupported or outdated OpenCL runtime). Last resort only: hashcat will not accept bug reports from forced runs, and a broken runtime can produce false negatives |
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| hashcat not detecting GPU | OpenCL/CUDA not configured | Test: hashcat -I to list devices; install CUDA toolkit for Nvidia or OpenCL for AMD |
| Hashcat mode unknown | Wrong -m value | Use: hashcat --example-hashes \| grep -B1 -A3 -i '[HASH_TYPE]' (the mode number is on the line before the name); or haiti [HASH] / hashid -m [HASH] to identify |
| Hash rejected ‘invalid format’ | Extra whitespace or incorrect format | Check: no BOM, no Windows line endings; use dos2unix hash.txt; compare the line against the example hash for that mode |
| NTLM crack very slow on CPU | No GPU available | Use a cloud GPU instance (e.g. an AWS P3 spot instance); for fast hashes like NTLM, CPU cracking is orders of magnitude slower than a GPU |
| Kerberoast hash (-m 13100) returns ‘password not in list’ | Wordlist exhausted | Try rules: -r /usr/share/hashcat/rules/dive.rule; or a mask built from the service account naming pattern |
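Added example, not from the page or from hashcat: a Python triage helper for the last three rows. It normalizes a hash file (UTF-8 BOM, CRLF, stray whitespace, blank lines), pulls the NT field out of pwdump-style SAM/NTDS dump lines so the result is what -m 1000 expects, and guesses candidate -m values from the format using the mode IDs in the table above (plus 13100 for the Kerberoast TGS-REP hash, which that table does not list). The sample file is constructed; the LM/NT values in it are the well-known empty-password hashes, the sha512crypt, DCC2 and NetNTLMv2 lines are filler that only has the right shape, and the last line is md5("password").

```python
import codecs
import re
from typing import List, Tuple

# Format signature -> candidate hashcat mode IDs from the table on this page.
# 13100 (Kerberos 5 TGS-REP etype 23, the Kerberoast hash) is added here.
SIGNATURES = [
    (re.compile(r"^\$6\$"), [1800]),                                        # sha512crypt
    (re.compile(r"^\$2[abxy]\$\d\d\$"), [3200]),                             # bcrypt
    (re.compile(r"^\$DCC2\$\d+#[^#]+#[0-9a-f]{32}$", re.I), [2100]),         # mscash2
    (re.compile(r"^\$bitlocker\$"), [22100]),
    (re.compile(r"^\$krb5tgs\$23\$"), [13100]),
    (re.compile(r"^[^:]+::[^:]*:[0-9a-f]{16}:[0-9a-f]{32}:[0-9a-f]+$", re.I), [5600]),  # NetNTLMv2
    (re.compile(r"^[0-9a-f]{40}$", re.I), [100]),                            # SHA1
    (re.compile(r"^[0-9a-f]{32}$", re.I), [0, 1000]),                        # MD5 or NTLM: identical by eye
]
# pwdump / secretsdump line: user:rid:LM:NT::: ; the NT field is the -m 1000 input
PWDUMP = re.compile(r"^[^:]+:\d+:[0-9a-f]{32}:([0-9a-f]{32}):::$", re.I)


def normalize(raw: bytes) -> List[str]:
    """Undo the usual 'invalid format' causes: BOM, CRLF, whitespace, blank lines."""
    if raw.startswith(codecs.BOM_UTF8):
        raw = raw[len(codecs.BOM_UTF8):]
    text = raw.decode("utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def classify(line: str) -> Tuple[str, List[int]]:
    """Return (hash as hashcat expects it, candidate mode IDs; [] if unrecognised)."""
    m = PWDUMP.match(line)
    if m:
        return m.group(1).lower(), [1000]
    for pattern, modes in SIGNATURES:
        if pattern.search(line):
            return line, modes
    return line, []


def triage(raw: bytes) -> List[Tuple[str, List[int]]]:
    return [classify(line) for line in normalize(raw)]


# Constructed sample file: BOM, Windows line endings, a blank line, mixed formats.
SAMPLE = (
    codecs.BOM_UTF8
    + b"Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n"
    + b"$6$c0nstructed$" + b"x" * 86 + b"\r\n"
    + b"\r\n"
    + b"$DCC2$10240#jdoe#" + b"0" * 32 + b"\r\n"
    + b"jdoe::CORP:1122334455667788:" + b"a" * 32 + b":" + b"b" * 64 + b"\r\n"
    + b"5f4dcc3b5aa765d61d8327deb882cf99\r\n"
)

if __name__ == "__main__":
    for hash_value, modes in triage(SAMPLE):
        print(f"-m {modes or '?'}  {hash_value[:48]}")
```

Anything that comes back with two candidate modes (32 hex characters) has to be settled from provenance: a SAM or NTDS dump is 1000, a web application database is usually 0. Lines that come back with no candidate are the ones to compare against hashcat --example-hashes before blaming the tool.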
📝 Reporting Trigger
Finding Title: NTLM Hash Cracked — Plaintext Password Recovered
Impact: Offline NTLM hash cracking recovers plaintext passwords without any authentication attempts against the target, bypassing lockout controls and network monitoring and enabling account compromise and lateral movement.
Root Cause: Weak password susceptible to dictionary attack. NTLM hashes were obtained from a credential dump (SAM, LSASS or NTDS.dit) without requiring additional exploitation; Net-NTLMv2 hashes captured on the network are cracked the same way with -m 5600.
Recommendation: Enforce minimum 12-character passwords with complexity and a banned-password list. Enable Microsoft Credential Guard to prevent NTLM hash extraction from LSASS memory. Implement monitored tiered administration to limit high-privilege account exposure.