Hashcat
What is Hashcat?
Hashcat: An open-source, GPU-accelerated password-recovery tool that cracks hundreds of hash and authentication algorithms using dictionary, rule, mask, and hybrid attacks.
Hashcat is the most widely used password-recovery tool, written by Jens Steube (atom) and developed as an open-source project. It runs on CPUs and GPUs via OpenCL/CUDA, supports more than 300 hash modes (NTLM, bcrypt, scrypt, Kerberos AS-REP, WPA2, KeePass, etc.), and offers wordlist, rule-based, brute-force, mask, hybrid, and association attacks. Penetration testers and red teams use it to crack stolen hashes during engagements, while defenders use it to audit password strength, validate KDF parameters, and benchmark detection of offline cracking attempts. Cracking hashes obtained without authorization or relating to third-party users may violate computer-misuse and privacy laws.
● Examples
- 01 Running hashcat -m 1000 against extracted NTLM hashes with a rockyou+rules wordlist.
- 02 Auditing internal password policy by replaying captured corporate hashes in a sandboxed cracking rig.
● Frequently asked questions
What is Hashcat?
An open-source, GPU-accelerated password-recovery tool that cracks hundreds of hash and authentication algorithms using dictionary, rule, mask, and hybrid attacks. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Hashcat?
Defences for Hashcat typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Hashcat?
Common alternative names include: oclHashcat.
● Related terms
- Brute Force Attack (attacks, № 130): An attack that systematically tries every possible value — typically passwords, PINs, or keys — until the correct one is found.
- Dictionary Attack (attacks, № 316): A targeted password-guessing attack that tries entries from a precompiled list of likely words, leaked passwords, and rule-mutated variations.
- Rainbow Table Attack (attacks, № 899): A precomputation attack that uses chains of hash and reduction functions stored in a compact table to invert unsalted password hashes much faster than brute force.
- Password (identity-access, № 795): A secret string of characters that a user supplies to prove identity to a system, traditionally the dominant single-factor authentication mechanism.
- Cryptographic Hash Function (cryptography, № 247): A deterministic one-way function that maps arbitrary-length input to a fixed-length digest, designed to be collision-, preimage-, and second-preimage-resistant.
- Key Derivation Function (KDF) (cryptography, № 586): A cryptographic function that derives one or more strong cryptographic keys from a secret input such as a password, shared secret or master key.
● See also
- № 583 Kerberoasting