Hashcat

Password audit & recovery validation

Hashcat is a high-performance password auditing tool that defenders use to test whether an organization's stored hashes would fall quickly to realistic attacks. Used with proper authorization, it turns abstract password policy questions into measurable risk.

how-to-learn-this-tool-like-a-defender

Work through the stages in order. Each one builds on the previous. Skipping straight to 'run a command' without knowing what the output means is how analysts end up misreading evidence under pressure.

  • $Name the specific question this tool answers — and one question it cannot answer alone.
  • $Run the simplest command in a lab against a host you control; read every field in the output before moving on.
  • $Identify which output fields are direct evidence and which are inferences the tool made on your behalf.
  • $Pull a second source — a log, a PCAP, a SIEM event — that either confirms or contradicts what the tool reported.
  • $Write down the exact command you ran, what you expected, what you got, and what you are doing next.

preflight-checklist-before-using-tool

  • $Confirm in writing: who authorized this, what hosts are in scope, and what the maximum acceptable impact is.
  • $State the question you are trying to answer — not 'run the tool' but 'confirm whether port 443 is open on 10.10.20.15'.
  • $Name the second source you will use if the tool output is ambiguous (log, PCAP, CMDB, another tool).
  • $Record the start time, the host or interface you ran it on, and the exact command — enough for another analyst to reproduce it.
  • $Know what normal output looks like for this host before you run anything in anger.

how-experts-read-output

  • $Field recognition: identify the two or three fields that directly answer your question and ignore the rest for now.
  • $Scope check: confirm the output covers the host, interface, and time window you intended — not a cached or adjacent result.
  • $Evidence type: is this a direct observation (packet captured, port open) or an inference the tool made (service guessed from banner)?
  • $Correlation: name the one other source — a log line, a PCAP stream, a CMDB entry — that would confirm or contradict this.
  • $Decision: close the question, escalate with evidence, refine the scope, or collect another source — pick one and do it.

ethical-use-and-defense-scope

Use Hashcat only for authorized defensive password auditing, incident response validation, or credential recovery workflows. Hash files, wordlists, and recovered passwords are sensitive security data and require strict access controls and secure storage.

Run password audits only with explicit written approval and a documented scope. Recovered credentials are live secrets — treat them that way and rotate or disable them according to your remediation plan.

Document the full workflow: which hash source, which modes and rules, the time budget, how results will be reported, and what remediation actions follow. An undocumented password audit is a liability, not a defense.

tool-history-origin-and-purpose

  • $When created: Initial public release in the early 2010s (commonly cited around 2011), evolving from earlier GPU password recovery tooling by atom.
  • $Why it was created: Teams needed a practical way to validate password policy weakness and demonstrate real risk from stolen hashes in authorized environments, especially as CPU-only cracking became too slow for realistic assessments.

Hashcat was developed to accelerate password hash recovery using GPUs so defenders, researchers, and authorized auditors could test password strength and verify credential security assumptions efficiently.

why-defenders-still-use-it

Defenders use Hashcat to perform authorized password audits, validate password policy changes, test cracking resistance of captured hashes in labs, and train analysts on the real-world impact of weak passwords and reused credentials.

How the tool evolved
  • +Advanced rapidly with GPU support, hash mode coverage, and attack modes for audit workflows.
  • +Became a standard tool in password auditing and DFIR lab validation work.
  • +Commonly paired with strict authorization and handling controls because it is powerful and dual-use.

when-this-tool-is-a-good-fit

  • +Authorized password policy validation: test whether a policy produces passwords that resist realistic attacks.
  • +Post-breach credential risk assessment using hash sets from a compromised system or directory.
  • +Legacy system migration planning where the password storage algorithm and current strength are unknown.
  • +Security awareness training with controlled examples that show what weak passwords look like to a GPU.

when-to-use-another-tool-or-source

  • !When you need host process/user context, pair with endpoint or OS logs.
  • !When you need ownership and business impact, pair with CMDB/ticketing/asset context.
  • !When the tool output is ambiguous, validate using a second evidence source before concluding.
  • !When production risk is high, test in a lab first and use change coordination.

1. What Hashcat Solves for Defenders

The uncomfortable question Hashcat helps answer: if an attacker grabbed our password hashes right now, how many passwords would fall in the first hour? That is not a hypothetical — it is the first thing an attacker does with leaked credentials, and knowing the answer before they do drives better decisions.

For blue teams, Hashcat is a validation tool. It tests whether password length policies are working, whether banned-password lists are catching common patterns, whether privileged accounts have weak credentials, and whether a hash storage configuration is appropriately costly.

Audit results that show 40% of passwords cracked in two hours do not need a lengthy write-up to get executive attention. The numbers speak, and they drive MFA rollouts and policy changes faster than any abstract risk statement.

2. Defensive Audit Workflow and Scope Control

Define the audit goal before opening the tool. Password policy validation, incident scoping after a breach, legacy hash migration risk assessment, and security training each require different scope, hash sources, and time budgets.

Treat the entire workflow as sensitive. Hash files, internal-term wordlists, rule files, session data, and recovered password output all contain information that requires encrypted storage, access controls, and a documented retention and deletion plan.

Communicate scope and purpose to stakeholders before running anything. They should know which systems or directories are in scope, how recovered credentials will be handled, and what remediation actions follow the audit results.

3. Hash Modes, Inputs, and Operator Accuracy

Wrong hash mode selection is the most common way to waste time and produce false confidence. A “nothing cracked” result from an incorrect mode does not mean the passwords are strong. Learn to validate sample hashes, check for salts and delimiters, and confirm the source application format before scaling to a large run.

Record the hash source, extraction method, suspected algorithm, and confidence level for each audit. If the format is uncertain, test five known-password hashes at the correct mode setting and confirm before committing to a full run.

Password auditing with Hashcat is an evidence workflow, not a speed competition. The point is accurate risk validation and a defensible remediation plan, not maximizing GPU utilization for its own sake.

4. Wordlists, Rules, and Realistic Password Testing

An audit reflects realistic risk only when the wordlist and rules reflect how your users actually create passwords. Use approved wordlists, authorized organizational pattern files, and rule sets that you can explain to a non-technical stakeholder.

Rules and masks model common human password habits: capitalize the first letter, add digits at the end, replace letters with numbers. Document which patterns succeeded so the results can feed banned-password lists, training talking points, and password manager adoption campaigns.

A “nothing cracked” result under a short test budget is not proof of strong passwords. Document the wordlist, rules, and time window clearly so leadership understands what was tested and what was not.

5. Interpreting Results and Turning Them Into Remediation

Every recovered password should have a remediation path: forced reset, MFA enrollment, service account review, or policy update. If the audit does not change anything in production, it was not worth running.

Prioritize by account criticality. A weak password on a retired dev server is not the same risk as the same password on a privileged AD admin account or a VPN gateway. Sort and present results accordingly.

Document non-results with equal care. If a hash set resisted your full test plan, record the algorithm, parameters, and time budget. Leadership needs to understand where controls are working, not just where they failed.
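An added example, not part of the original guide, covering the pattern documentation from section 4 and the prioritized remediation from section 5: it turns `user:hash:plain` lines into rows for the guide's findings.csv columns, recording which password habit succeeded instead of the password itself. The sample lines, account names, criticality labels and action wording are constructed for illustration.

```python
"""Build findings.csv rows from user:hash:plain lines without writing any
recovered password into the report."""
import csv
import io
import re

# Constructed sample input; hashes are placeholders, not real values.
SHOW_OUTPUT = """\
svc-backup:<hash-1>:Summer2024
jdoe:<hash-2>:p@ssw0rd
adm-lee:<hash-3>:Winter:2023!
"""
# Constructed audit scope: every audited account and its criticality.
SCOPE = {"adm-lee": "critical", "svc-backup": "high",
         "jdoe": "standard", "kpatel": "standard"}

RANK = {"critical": 0, "high": 1, "standard": 2}
ACTION = {  # hypothetical mapping onto the remediation paths named in section 5
    "critical": "forced reset; MFA enrollment; privilege review",
    "high": "forced reset; service account review",
    "standard": "forced reset; MFA enrollment",
}
FIELDS = ["account", "hash_type", "result", "criticality", "action"]
TRAILING = r"\d+[^\w\s]*$"                       # digits, optional symbols, end
LEET = str.maketrans("@4310$57", "aaelosst")     # @->a 4->a 3->e 1->l 0->o $->s 5->s 7->t


def habits(password):
    """Name the section 4 habits a recovered password shows, never the password."""
    found = []
    if password[:1].isupper() and password[1:] == password[1:].lower():
        found.append("capitalized-first")
    if re.search(TRAILING, password):
        found.append("trailing-digits")
    core = re.sub(TRAILING, "", password)        # ignore the suffix when testing leet
    plain = core.translate(LEET)
    if plain != core and plain.isalpha():
        found.append("leet-substitution")
    return "+".join(found) or "other"


def build_findings(show_text, scope, hash_type):
    cracked = {}
    for line in show_text.splitlines():
        parts = line.split(":", 2)               # maxsplit keeps ':' inside passwords
        if len(parts) == 3:
            cracked[parts[0]] = habits(parts[2])  # plaintext is dropped here
    rows = []
    for account, crit in scope.items():          # accounts outside scope are ignored
        hit = account in cracked
        rows.append({
            "account": account,
            "hash_type": hash_type,
            "result": "cracked:" + cracked[account] if hit else "not-recovered",
            "criticality": crit,
            "action": ACTION[crit] if hit else "none; record test plan and time budget",
        })
    # Most critical first; within a tier, cracked accounts before non-results.
    rows.sort(key=lambda r: (RANK[r["criticality"]],
                             r["result"] == "not-recovered", r["account"]))
    return rows


def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_findings(SHOW_OUTPUT, SCOPE, "NTLM")))
```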

6. Training Strategy for Ethical Use

Start in a lab with test hashes and known passwords. Learn mode selection, session management, and output reading before working with any production-related hash data.

Build a password audit runbook that includes authorization checks, storage requirements, approved command templates, and a remediation step for every result type. Converting an ad hoc risky activity into a documented controlled process is how you make it repeatable and reviewable.

When training others, teach the reason behind the tool: why hash algorithms matter, what makes a password weak against GPU-scale attacks, how MFA changes the risk model, and what detection looks like for leaked credential use. That context prevents misuse and makes the exercise produce lasting change.

scenario-teaching-playbooks

Work through each scenario step by step. The goal is to practice making decisions with the tool — not just executing commands — so the workflow becomes automatic before you need it under pressure.

1. Authorized password policy validation: test whether a policy produces passwords that resist realistic attacks.

Suggested starting block: Hash Identification And Baseline Audit (Lab)

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

2. Post-breach credential risk assessment using hash sets from a compromised system or directory.

Suggested starting block: Rule-Based Testing And Session Safety

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

3. Legacy system migration planning where the password storage algorithm and current strength are unknown.

Suggested starting block: Defensive Reporting Workspace

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

4. Security awareness training with controlled examples that show what weak passwords look like to a GPU.

Suggested starting block: Hash Identification And Baseline Audit (Lab)

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

cli-workflows

Lab-safe commands for authorized environments. Run each one, read the output, and note what field or value tells you something useful before moving to the next.

cli-walkthroughs-with-expected-output

One command per block, with sample output. Study the output before you run the command yourself — you should recognize what you are looking at when it appears on your screen.

Hash Identification And Baseline Audit (Lab)

Beginner
Command
hashcat --example-hashes | head -n 40
Example Output
MODE: 0
TYPE: MD5
HASH: 8743b52063cd84097a65d1633f5c74f5
PASS: hashcat

MODE: 100
TYPE: SHA1
HASH: b89eaac7e61417341b710b727768294d0e6a277b
PASS: hashcat

MODE: 1000
TYPE: NTLM
HASH: b4b9b02e6f09a9bd760f388b67351e2b
PASS: hashcat

$ how to read it: Read the key fields (MODE, TYPE, HASH, PASS), then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Rule-Based Testing And Session Safety

Intermediate
Command
hashcat -m 1000 -a 0 ntlm_hashes.txt wordlist.txt -r rules/best64.rule --session ntlm-audit --status
Example Output
hashcat (v6.2.6) starting...
Session..........: ntlm-audit
Status...........: Running
Hash.Mode........: 1000 (NTLM)
Hash.Target......: ntlm_hashes.txt
Speed.#1.........: 1823.3 MH/s
Recovered........: 1/3 (33.33%) Digests
Progress.........: 1500000/14344385 (10.46%)
Rejected.........: 0/1500000

$ how to read it: Read the key fields (Hash.Mode, Hash.Target, Recovered, Progress), then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Defensive Reporting Workspace

Advanced
Command
mkdir -p password-audit/{inputs,outputs,notes}
Example Output
# no output — directory created successfully

$ how to read it: No output is the expected result here, so there are no fields to read. Ask whether the workspace answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

command-anatomy-and-expert-usage

Each card explains what the command is for, what can go wrong, and what the output means. Syntax is easy to look up; knowing which command to reach for — and what to ignore in the output — is the skill worth building.

Hash Identification And Baseline Audit (Lab)

Beginner
Command
hashcat --example-hashes | head -n 40
Command Anatomy
  • $Base command: hashcat
  • $Primary arguments/options: --example-hashes | head -n 40
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Quick evidence extraction from logs or command output.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Example Output
MODE: 0
TYPE: MD5
HASH: 8743b52063cd84097a65d1633f5c74f5
PASS: hashcat

MODE: 100
TYPE: SHA1
HASH: b89eaac7e61417341b710b727768294d0e6a277b
PASS: hashcat

MODE: 1000
TYPE: NTLM
HASH: b4b9b02e6f09a9bd760f388b67351e2b
PASS: hashcat

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Hash Identification And Baseline Audit (Lab)

Beginner
Command
hashcat -m 0 -a 0 hashes.txt wordlist.txt --username --status
Command Anatomy
  • $Base command: hashcat
  • $Primary arguments/options: -m 0 -a 0 hashes.txt wordlist.txt --username --status
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Example Output
hashcat (v6.2.6) starting...
Session..........: hashcat
Status...........: Running
Hash.Mode........: 0 (MD5)
Hash.Target......: hashes.txt
Speed.#1.........: 1823.3 MH/s
Recovered........: 1/3 (33.33%) Digests
Progress.........: 1500000/14344385 (10.46%)
Rejected.........: 0/1500000

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Hash Identification And Baseline Audit (Lab)

Beginner
Command
hashcat --show -m 0 hashes.txt
Command Anatomy
  • $Base command: hashcat
  • $Primary arguments/options: --show -m 0 hashes.txt
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Example Output
8743b52063cd84097a65d1633f5c74f5:hashcat
# 1 hash cracked, 2 left

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rule-Based Testing And Session Safety

Intermediate
Command
hashcat -m 1000 -a 0 ntlm_hashes.txt wordlist.txt -r rules/best64.rule --session ntlm-audit --status
Command Anatomy
  • $Base command: hashcat
  • $Primary arguments/options: -m 1000 -a 0 ntlm_hashes.txt wordlist.txt -r rules/best64.rule --session ntlm-audit --status
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Example Output
hashcat (v6.2.6) starting...
Session..........: ntlm-audit
Status...........: Running
Hash.Mode........: 1000 (NTLM)
Hash.Target......: ntlm_hashes.txt
Speed.#1.........: 1823.3 MH/s
Recovered........: 1/3 (33.33%) Digests
Progress.........: 1500000/14344385 (10.46%)
Rejected.........: 0/1500000

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rule-Based Testing And Session Safety

Intermediate
Command
hashcat --restore --session ntlm-audit
Command Anatomy
  • $Base command: hashcat
  • $Primary arguments/options: --restore --session ntlm-audit
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Example Output
hashcat (v6.2.6) starting in restore mode...
Restoring session: ntlm-audit
Status...........: Running
Recovered........: 2/5 (40.00%) Digests
Progress.........: 1200000/5000000 (24.00%)

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rule-Based Testing And Session Safety

Intermediate
Command
hashcat --show -m 1000 ntlm_hashes.txt > recovered.txt
Command Anatomy
  • $Base command: hashcat
  • $Primary arguments/options: --show -m 1000 ntlm_hashes.txt > recovered.txt
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Example Output
b4b9b02e6f09a9bd760f388b67351e2b:hashcat
ad3b435b51404eeaad3b435b51404ee0:admin123
# 2 hashes cracked — review with account owners and update policy

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Defensive Reporting Workspace

Advanced
Command
mkdir -p password-audit/{inputs,outputs,notes}
Command Anatomy
  • $Base command: mkdir
  • $Primary arguments/options: -p password-audit/{inputs,outputs,notes}
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Example Output
# no output — directory created successfully

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Defensive Reporting Workspace

Advanced
Command
printf "account,hash_type,result,criticality,action\n" > password-audit/notes/findings.csv
Command Anatomy
  • $Base command: printf
  • $Primary arguments/options: "account,hash_type,result,criticality,action\n" > password-audit/notes/findings.csv
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Example Output
# no output: the header row is written to password-audit/notes/findings.csv

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Defensive Reporting Workspace

Advanced
Command
column -s, -t password-audit/notes/findings.csv
Command Anatomy
  • $Base command: column
  • $Primary arguments/options: -s, -t password-audit/notes/findings.csv
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Example Output
account  hash_type  result  criticality  action

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Hash Identification And Baseline Audit (Lab)

hashcat --example-hashes | head -n 40
hashcat -m 0 -a 0 hashes.txt wordlist.txt --username --status
hashcat --show -m 0 hashes.txt

Rule-Based Testing And Session Safety

hashcat -m 1000 -a 0 ntlm_hashes.txt wordlist.txt -r rules/best64.rule --session ntlm-audit --status
hashcat --restore --session ntlm-audit
hashcat --show -m 1000 ntlm_hashes.txt > recovered.txt

Defensive Reporting Workspace

mkdir -p password-audit/{inputs,outputs,notes}
printf "account,hash_type,result,criticality,action\n" > password-audit/notes/findings.csv
column -s, -t password-audit/notes/findings.csv

defensive-use-cases

  • $Authorized password policy validation: test whether a policy produces passwords that resist realistic attacks.
  • $Post-breach credential risk assessment using hash sets from a compromised system or directory.
  • $Legacy system migration planning where the password storage algorithm and current strength are unknown.
  • $Security awareness training with controlled examples that show what weak passwords look like to a GPU.

common-mistakes

  • $Selecting the wrong hash mode and treating a "nothing recovered" result as evidence of strong passwords.
  • $Running an audit without strict controls over recovered credentials, hash files, and session data.
  • $Reporting raw crack counts without sorting by account criticality or tying results to remediation actions.
  • $Using organizational wordlist patterns without explicit authorization in the audit scope.

expert-habits-for-free-self-study

Free teaching resource. The loop that makes analysts better: ask a precise question, collect evidence, read it carefully, validate against a second source, document what you found, and repeat with a harder question.

  • $Pick the least disruptive command that can still answer the question — then run that one first.
  • $Before you look at output, write one sentence stating what you expect to see.
  • $Mark each output field as 'observed' or 'inferred by tool' before acting on it.
  • $Save the exact command with flags and target — not a paraphrase — so another analyst can run the same thing.
  • $During a quiet period, capture what normal output looks like from key hosts; store those samples where you can find them during an incident.
  • $When you escalate, include the command output, the timestamp, and one sentence on why it matters — not just 'looks suspicious'.

knowledge-check

  • ?What question is this tool best suited to answer first?
  • ?What permissions or scope approvals are needed before using it?
  • ?Which second evidence source should you pair with it for higher confidence?
  • ?What does normal output look like for your environment?

teaching-answer-guide

  • #Start from the tool’s role and the scenario you are investigating.
  • #Never rely on one tool alone for high-confidence incident decisions.
  • #Document normal output patterns during calm periods so anomalies are easier to spot.
  • #Prefer lab validation for new commands, rules, or scans before production use.

practice-plan

# Create a small set of test hashes with known passwords and practice identifying the correct hash mode for each.
# Run a short audit — wordlist only, then rules — and write down exactly what the test proved and what it did not.
# Practice save/restore and output handling so the workflow is reproducible and auditable.
# Draft a remediation report template that maps each recovered credential type to a specific action.