LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is Hashcat, and what makes it the de-facto standard password cracker?

Hashcat is the world's most popular password cracker — open source, GPU-accelerated, supports 300+ hash types and every modern attack mode.

Why it dominates (as of 2026):

  • GPU acceleration — billions of hashes/sec on consumer hardware
  • 300+ algorithms — MD5, SHA-2/3, NTLM, bcrypt, WPA, BitLocker, MS Office, PDF, KeePass, …
  • Multiple attack modes:
    • -a 0 — Wordlist (dictionary)
    • -a 1 — Combinator (concatenate two wordlists)
    • -a 3 — Brute force / mask
    • -a 6/7 — Hybrid (wordlist + mask)
    • -a 9 — Association attack (per-target hints)
  • Rules engine — modify wordlists with custom rules
  • Open source, free — used by everyone from CTF players to NSA

Basic usage:

# Crack NTLM hashes with rockyou.txt wordlist
hashcat -m 1000 -a 0 hashes.txt rockyou.txt

# Brute force 8-char lowercase NTLM
hashcat -m 1000 -a 3 hashes.txt ?l?l?l?l?l?l?l?l

# Hybrid: wordlist + 4 digits appended
hashcat -m 1000 -a 6 hashes.txt rockyou.txt ?d?d?d?d

Mode codes (-m):

  • 0 = MD5
  • 100 = SHA-1
  • 1000 = NTLM
  • 1400 = SHA-256
  • 3200 = bcrypt
  • 22000 = WPA-PBKDF2 (WiFi)

Real-world performance (RTX 4090):

  • NTLM: ~290 GH/s
  • MD5: ~165 GH/s
  • bcrypt cost 5: ~200 KH/s (note the K — million× slower)

Who uses it:

  • Pentesters — testing client password strength after engagements
  • Sysadmins — auditing their own user passwords
  • Cybercriminals — cracking dumped hashes (sadly)
  • Researchers — measuring password landscape

Defensive insight:

If your password storage falls to Hashcat in a reasonable time, it's not strong enough. Test by hashing your own passwords and seeing how long Hashcat takes — that's how attackers measure their odds.

Tool URL: https://hashcat.net/hashcat/ — official site with example_hashes for each mode.

Tip: Hashcat is the offensive equivalent of running fire drills — pentest teams use it to prove that "strong" password policies aren't actually strong.

Go deeper:

From Quiz: INTROL / Password Cracking | Updated: Jul 05, 2026