What is Hashcat?

Hashcat is the world's fastest and most advanced password recovery tool. Unlike traditional CPU-based crackers, Hashcat leverages the massive parallel processing power of modern GPUs to crack password hashes at extraordinary speeds.

It supports over 350 different hash algorithms and 5 unique attack modes, making it the tool of choice for penetration testers, security researchers, and password recovery specialists worldwide.

Legal and Ethical Notice: Password cracking tools like Hashcat must ONLY be used on systems and data you own or have explicit written permission to test. Unauthorized password cracking is a federal crime under the Computer Fraud and Abuse Act (CFAA) and equivalent laws worldwide. This training is for authorized security testing and educational purposes only.

Hashcat vs John the Ripper

Key Differences

  • Processing Power: Hashcat uses GPU acceleration (OpenCL/CUDA), making it 10-100x faster than CPU-only tools like John the Ripper
  • Speed Example: Cracking MD5 hashes - Hashcat can achieve 50+ GH/s (billions per second) on modern GPUs vs 1-2 GH/s with John on CPU
  • Hash Support: Hashcat supports 350+ hash algorithms with consistent syntax
  • Attack Modes: Hashcat has 5 distinct attack modes (dictionary, combination, brute-force, hybrid wordlist+mask, hybrid mask+wordlist)
  • Platform: Hashcat runs on Windows, Linux, and macOS with GPU support

When to Use Each

  • Use Hashcat when: You have a GPU, need maximum speed, working with modern hash formats, or have large wordlists
  • Use John when: No GPU available, need specific format support, or want built-in wordlist mangling rules

GPU vs CPU Cracking

Why GPUs Are Faster

Modern CPUs have 4-16 cores optimized for sequential tasks. Modern GPUs have thousands of smaller cores designed for parallel operations. Password cracking is perfectly suited for parallelization - each hash attempt is independent.

# Speed comparison (MD5 hashing):
CPU (Intel i7): ~1,500 MH/s (1.5 billion hashes/second)
GPU (RTX 4090): ~120,000 MH/s (120 billion hashes/second)
# That's 80x faster!

Hash Speed Rankings (Fastest to Slowest)

Different algorithms have different computational costs:

  1. Fast: MD5, SHA1, NTLM - Designed for speed, easy to crack (billions/second)
  2. Moderate: SHA256, SHA512 - More computational work (millions/second)
  3. Slow: bcrypt, PBKDF2, scrypt - Intentionally slow to resist cracking (thousands/second)
  4. Very Slow: Argon2 - Modern memory-hard algorithm (hundreds/second)

Security Insight: This speed difference is why security best practices recommend using slow hashing algorithms like bcrypt or Argon2 for password storage, never MD5 or SHA1.

Hash Modes

Hashcat uses numeric mode identifiers to specify which algorithm to crack. You must identify the correct hash mode before starting an attack.

Common Hash Modes

Mode   Algorithm               Common Uses                     Speed Class
0      MD5                     Legacy systems, older web apps  Very Fast
100    SHA1                    Git commits, older security     Very Fast
1000   NTLM                    Windows password hashes         Very Fast
1400   SHA256                  Modern applications             Fast
1700   SHA512                  Linux /etc/shadow (older)       Fast
3200   bcrypt                  Modern secure storage           Slow
1800   sha512crypt             Linux /etc/shadow (modern)      Slow
13100  Kerberos 5 TGS-REP      Active Directory attacks        Moderate
22000  WPA-PBKDF2-PMKID+EAPOL  WiFi handshakes                 Slow

Identifying Hash Types

Common hash patterns:

# MD5 (32 hex characters):
5f4dcc3b5aa765d61d8327deb882cf99

# SHA1 (40 hex characters):
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

# NTLM (32 hex characters, uppercase):
8846F7EAEE8FB117AD06BDD830B7586C

# SHA256 (64 hex characters):
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

# bcrypt (starts with $2a$, $2b$, or $2y$):
$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
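The same shape checks can inventory a credential store and flag values kept as fast digests. This is an added example, not part of hashcat or the original page; it covers only modes from the table above, a 32-hex value matches both MD5 and NTLM so both are returned, and the `$6$` prefix for sha512crypt is standard crypt(3) notation rather than something stated on this page.

```python
import re
from collections import Counter

# (shape, [(hashcat mode, algorithm, speed class)]) using the mode table above.
# Assumption: "$6$" marks sha512crypt (crypt(3) convention, not from the page).
SHAPES = [
    (re.compile(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}"), [(3200, "bcrypt", "Slow")]),
    (re.compile(r"\$6\$.+"), [(1800, "sha512crypt", "Slow")]),
    (re.compile(r"[0-9a-fA-F]{32}"), [(0, "MD5", "Very Fast"), (1000, "NTLM", "Very Fast")]),
    (re.compile(r"[0-9a-fA-F]{40}"), [(100, "SHA1", "Very Fast")]),
    (re.compile(r"[0-9a-fA-F]{64}"), [(1400, "SHA256", "Fast")]),
    (re.compile(r"[0-9a-fA-F]{128}"), [(1700, "SHA512", "Fast")]),
]

def candidates(value):
    """Return every (mode, algorithm, speed class) whose shape fits the value."""
    value = value.strip()
    for shape, modes in SHAPES:
        if shape.fullmatch(value):
            return list(modes)
    return []

def storage_report(values):
    """Count values per candidate label and collect those stored as fast digests."""
    counts, migrate = Counter(), []
    for v in values:
        found = candidates(v)
        counts["/".join(name for _, name, _ in found) or "unrecognised"] += 1
        if found and all(speed != "Slow" for _, _, speed in found):
            migrate.append(v)
    return counts, migrate

# Constructed input: the sample values printed on this page plus one junk line.
SAMPLE = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "8846F7EAEE8FB117AD06BDD830B7586C",
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
    "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "not-a-hash",
]

if __name__ == "__main__":
    counts, migrate = storage_report(SAMPLE)
    print(dict(counts))
    print(len(migrate), "values are fast digests and should move to a slow algorithm")
```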

Attack Modes

Hashcat supports 5 distinct attack modes, each optimized for different scenarios:

Mode 0: Dictionary Attack

Tries every word from a wordlist against the hash. Fast and efficient when attackers have good wordlists.

hashcat -m 0 -a 0 hash.txt rockyou.txt # Tries each word from rockyou.txt as-is

Mode 1: Combination Attack

Combines words from two different wordlists (wordlist1 + wordlist2). Useful for compound passwords.

hashcat -m 0 -a 1 hash.txt wordlist1.txt wordlist2.txt # Tries "word1word2" combinations

Mode 3: Brute-Force (Mask Attack)

Tries all possible character combinations matching a pattern (mask). Most thorough but slowest.

hashcat -m 0 -a 3 hash.txt ?l?l?l?l?l?l # Tries all 6-character lowercase passwords

Mode 6: Hybrid Wordlist + Mask

Takes words from wordlist and appends a mask pattern. Great for "password123" style combinations.

hashcat -m 0 -a 6 hash.txt wordlist.txt ?d?d?d # Tries wordlist entries + 3 digits (e.g., "password123")

Mode 7: Hybrid Mask + Wordlist

Prepends a mask pattern to wordlist words. Less common but useful for specific patterns.

hashcat -m 0 -a 7 hash.txt ?d?d?d wordlist.txt # Tries 3 digits + wordlist entries (e.g., "123password")

Mask Attacks and Charsets

Masks define the pattern of characters to try. Each position uses a charset placeholder:

Built-in Charsets

Mask  Charset        Characters                        Count
?l    Lowercase      abcdefghijklmnopqrstuvwxyz        26
?u    Uppercase      ABCDEFGHIJKLMNOPQRSTUVWXYZ        26
?d    Digits         0123456789                        10
?s    Special        !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~  32
?a    All printable  ?l + ?u + ?d + ?s                 95
?b    Binary         All bytes (0x00-0xFF)             256

Mask Examples

# 8 lowercase letters:
?l?l?l?l?l?l?l?l
# Keyspace: 26^8 = 208,827,064,576 combinations

# Capital letter + 6 lowercase + 2 digits:
?u?l?l?l?l?l?l?d?d
# Pattern: "Welcome99"

# 4 digits (PIN):
?d?d?d?d
# Keyspace: 10,000 combinations (very fast)

# 6 characters, any printable:
?a?a?a?a?a?a
# Keyspace: 95^6 = 735,091,890,625 combinations

Custom Charsets

You can define your own character sets:

hashcat -m 0 -a 3 hash.txt -1 ?l?d ?1?1?1?1?1?1?1?1
# -1 defines custom charset 1 (lowercase + digits)
# ?1 uses custom charset 1
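To see what a mask means for password policy, the keyspace arithmetic above can be turned into a time-to-exhaust estimate. This is an added example, not hashcat code; it handles ?l, ?u, ?d, ?a, ?b, literals and custom charsets, and assumes the parts of a custom charset do not overlap. The fast rate is the RTX 4090 MD5 figure quoted earlier; the slow rate is an assumed stand-in for the "thousands/second" class.

```python
# Added example: keyspace of a hashcat-style mask and worst-case exhaustion time.
BUILTIN = {"l": 26, "u": 26, "d": 10, "a": 95, "b": 256}  # counts from the table above

def _positions(spec, custom):
    """Yield the number of candidates for each position of a mask or charset spec."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                yield 1                      # "??" is a literal question mark
            elif key in BUILTIN:
                yield BUILTIN[key]
            elif key in custom:
                yield custom[key]            # ?1..?4 defined with -1..-4
            else:
                raise ValueError(f"unknown placeholder ?{key}")
            i += 2
        else:
            yield 1                          # any other character is a literal
            i += 1

def custom_size(spec):
    """Size of a -1 style charset such as '?l?d' (assumes its parts do not overlap)."""
    return sum(_positions(spec, {}))

def keyspace(mask, custom=None):
    """Total candidates for a mask; custom maps '1'..'4' to a charset size."""
    total = 1
    for n in _positions(mask, custom or {}):
        total *= n
    return total

def seconds_to_exhaust(mask, hashes_per_second, custom=None):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(mask, custom) / hashes_per_second

if __name__ == "__main__":
    fast = 120_000 * 10**6   # RTX 4090 MD5 figure quoted on this page
    slow = 1_000             # assumed rate for the "thousands/second" class
    alnum = {"1": custom_size("?l?d")}
    for mask in ("?d?d?d?d", "?l?l?l?l?l?l?l?l", "?1?1?1?1?1?1?1?1", "?a?a?a?a?a?a"):
        ks = keyspace(mask, alnum)
        print(f"{mask:18} {ks:>17,}  fast: {ks / fast:8.2f} s"
              f"  slow: {ks / slow / 86400:12.1f} days")
```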

Rules and Rule Files

Rules transform wordlist entries to generate variations. This is incredibly powerful - a 1000-word wordlist with 100 rules becomes 100,000 password attempts.

Common Rule Operations

  • : - Do nothing (use word as-is)
  • l - Convert to lowercase
  • u - Convert to uppercase
  • c - Capitalize first letter
  • $X - Append character X
  • ^X - Prepend character X
  • r - Reverse the word
  • d - Duplicate the word

Rule Examples

# If wordlist contains "password":
c         -> Password (capitalize)
$1 $2 $3  -> password123 (append 123)
c $!      -> Password! (capitalize + append !)
r         -> drowssap (reverse)
d         -> passwordpassword (duplicate)
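The same rule functions can drive a password-change check that rejects any new password reachable from a banned base word. This is an added example, not hashcat's rule engine: it implements only the eight functions listed above, and the base words and rule list are constructed for illustration.

```python
# Added example: apply a small subset of rule functions and use them as a denylist check.
def apply_rule(rule, word):
    """Apply one rule line (functions run left to right) to a word."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in "$^":                       # $X appends X, ^X prepends X
            if i + 1 >= len(rule):
                raise ValueError(f"{op} needs a character argument")
            ch = rule[i + 1]
            word = word + ch if op == "$" else ch + word
            i += 2
            continue
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":                      # first letter upper, rest lower
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word + word
        elif op == ":" or op.isspace():      # no-op, or separator between functions
            pass
        else:
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return word

def derived_from(password, base_words, rules):
    """Return every (base word, rule) pair that reproduces the password."""
    return [(b, r) for b in base_words for r in rules if apply_rule(r, b) == password]

# Constructed denylist inputs for the demonstration.
BASE_WORDS = ["password", "welcome"]
RULES = [":", "c", "u", "c $!", "$1 $2 $3", "r", "d", "c $2 $0 $2 $4"]

if __name__ == "__main__":
    for candidate in ("Password!", "welcome123", "Welcome2024", "tr4verse-ocean-lamp"):
        hits = derived_from(candidate, BASE_WORDS, RULES)
        print(f"{candidate:22} {'REJECT ' + str(hits) if hits else 'ok'}")
```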

Using Rule Files

hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule # Applies the "best64" ruleset (64 common transformations)

Hashcat includes several built-in rule files:

  • best64.rule - 64 most effective rules
  • dive.rule - Extensive ruleset
  • leetspeak.rule - L33t sp34k transformations
  • toggles1.rule - Case toggles

Legal and Ethical Considerations

This is NOT optional - these are legal requirements: Understanding the legal and ethical boundaries of password cracking is as important as understanding the technical aspects. Ignorance is not a defense in court.

When Is It Legal?

  • Your Own Systems: Testing passwords on systems you personally own and administer
  • Written Authorization: Penetration testing with a signed contract/statement of work
  • CTF Competitions: Capture The Flag events explicitly designed for security education
  • Academic Research: Using publicly disclosed breach data for research (not exploitation)
  • Password Recovery: Recovering your own forgotten passwords from your own files

When Is It ILLEGAL?

  • Cracking passwords to access systems you don't own or have permission to test
  • Using breached password databases to attempt account access
  • Testing corporate systems without explicit written permission
  • "Just seeing if I can" - curiosity is not a legal justification
  • Accessing someone else's accounts, even if you know them personally

Real-World Consequences

Federal Charges: Unauthorized password cracking can result in charges under the Computer Fraud and Abuse Act (CFAA):
  • First offense: Up to 5 years in federal prison
  • Repeat offense: Up to 10 years
  • Plus: Fines, civil liability, permanent criminal record
  • Employment: Security clearances revoked, tech jobs unavailable

Professional Ethics

As a security professional, you must:

  • Get it in writing: Never start testing without a signed authorization
  • Stay in scope: Only test what's explicitly authorized
  • Protect findings: Treat cracked credentials as highly sensitive data
  • Responsible disclosure: Report vulnerabilities to the organization, not publicly
  • Secure your tools: Don't leave Hashcat sessions or potfiles accessible

Best Practices for Authorized Testing

  1. Obtain written authorization specifying scope, duration, and approved methods
  2. Document all activities with timestamps and commands used
  3. Store cracked passwords securely (encrypted, access-controlled)
  4. Provide findings in a professional report with remediation recommendations
  5. Delete cracked credentials after the engagement unless retention is required
  6. Never use cracked credentials for purposes beyond the authorized test scope

Remember: The goal of password cracking in security is to IMPROVE defenses, not exploit them. Your role is to help organizations understand their password security posture so they can strengthen it. This is a responsibility that requires both technical skill and ethical judgment.

Getting Started with Real Hashcat

Ready to try Hashcat on your own system? Here's how to get started:

Installation

# Linux (Ubuntu/Debian):
sudo apt update && sudo apt install hashcat
# macOS (Homebrew):
brew install hashcat
# Windows:
# Download from https://hashcat.net/hashcat/

Your First Hash Crack (Practice)

# Create a test hash (MD5 of "password"); keep only the digest, not md5sum's trailing "  -":
printf '%s' "password" | md5sum | cut -d' ' -f1 > test.hash
# Create a simple wordlist:
printf 'admin\npassword\n12345\nhello\n' > wordlist.txt
# Run hashcat:
hashcat -m 0 -a 0 test.hash wordlist.txt
# You should see it crack immediately!

Useful Hashcat Options

  • --show - Display cracked hashes from previous runs
  • --force - Bypass warnings (use carefully)
  • -w 3 - Workload profile (1=low, 2=default, 3=high, 4=extreme)
  • -O - Enable optimized kernels (faster but limited password length)
  • --status - Auto-update status screen
  • --session=NAME - Name your session for pause/resume

Hashcat Command Reference

Basic Dictionary Attacks

  • hashcat -m 0 -a 0 hash.txt wordlist.txt - Crack MD5 with dictionary
  • hashcat -m 1000 -a 0 hash.txt wordlist.txt - Crack NTLM with dictionary
  • hashcat -m 1400 -a 0 hash.txt wordlist.txt - Crack SHA256 with dictionary
  • hashcat -m 100 -a 0 hash.txt rockyou.txt - Crack SHA1 with RockYou wordlist

Brute-Force (Mask) Attacks

  • hashcat -m 0 -a 3 hash.txt ?l?l?l?l?l?l - 6 lowercase letters
  • hashcat -m 0 -a 3 hash.txt ?d?d?d?d - 4 digits (PIN codes)
  • hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?l?d?d - Capital + 5 lower + 2 digits
  • hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a?a?a - 8 characters, any printable

Hybrid Attacks

  • hashcat -m 0 -a 6 hash.txt wordlist.txt ?d?d?d - Wordlist + 3 digits (password123)
  • hashcat -m 0 -a 6 hash.txt wordlist.txt ?s - Wordlist + special char
  • hashcat -m 0 -a 7 hash.txt ?d?d?d wordlist.txt - 3 digits + wordlist (123password)
  • hashcat -m 0 -a 6 hash.txt wordlist.txt ?d?d?d?d - Wordlist + year (password2024)

Using Rules

  • hashcat -m 0 hash.txt wordlist.txt -r rules/best64.rule - Apply best64 rules
  • hashcat -m 0 hash.txt wordlist.txt -r rules/dive.rule - Apply dive rules (extensive)
  • hashcat -m 0 hash.txt wordlist.txt -r rules/leetspeak.rule - Apply l33tspeak transformations

Performance Options

  • hashcat -m 0 hash.txt wordlist.txt -w 3 - High workload profile
  • hashcat -m 0 hash.txt wordlist.txt -O - Optimized kernels (faster)
  • hashcat -m 0 hash.txt wordlist.txt --force - Bypass warnings

Session Management

  • hashcat --session=mysession -m 0 hash.txt wordlist.txt - Named session (pauseable)
  • hashcat --restore --session=mysession - Resume paused session
  • hashcat -m 0 hash.txt --show - Display previously cracked

Mask Charset Reference

  • ?l = lowercase (a-z) - 26 characters
  • ?u = uppercase (A-Z) - 26 characters
  • ?d = digits (0-9) - 10 characters
  • ?s = special (!@#$...) - 32 characters
  • ?a = all printable - 95 characters (l+u+d+s)
  • ?b = binary (0x00-0xFF) - 256 bytes

Common Hash Modes Quick Reference

  • -m 0 - MD5
  • -m 100 - SHA1
  • -m 1000 - NTLM (Windows)
  • -m 1400 - SHA256
  • -m 1700 - SHA512
  • -m 3200 - bcrypt
  • -m 1800 - sha512crypt (Linux)
  • -m 22000 - WPA/WPA2
