Hashcat in Kali Linux cracks password hashes by testing millions of candidate strings per second against your target file. If you’re learning how to use Hashcat in Kali Linux, you are about to discover one of the most powerful password recovery tools available. This guide walks you through installation, basic commands, attack modes, and real-world examples so you can start cracking hashes right away.
Hashcat is a GPU-accelerated password recovery tool that supports over 300 hash types. It comes pre-installed in most Kali Linux versions, but you may need to update it. The tool works by taking a hash file and a wordlist or mask, then generating candidate passwords to compare against the hash. When a match is found, the original password is revealed.
Before you begin, make sure your system has a compatible GPU (NVIDIA or AMD) and the proper drivers installed. Hashcat can also run on CPU, but it’s much slower. For this guide, we assume you have Kali Linux running on a machine with a dedicated graphics card.
Prerequisites And Installation
Open a terminal in Kali Linux and check if Hashcat is already installed by typing hashcat --version. If you see a version number, you are ready. If not, install it with sudo apt update && sudo apt install hashcat -y. For the latest version, download it from the official website, or run the same apt command again after updating your repositories.
You also need a target hash file. For practice, create a simple MD5 hash of a password using echo -n "password123" | md5sum | cut -d' ' -f1 > hash.txt. This creates a file named hash.txt containing the MD5 hash. You can also download sample hash files from online repositories.
Make sure your GPU drivers are installed. For NVIDIA, run nvidia-smi to verify. For AMD, use rocminfo or clinfo. If you see your GPU listed, you are good to go.
How To Use Hashcat In Kali Linux
Basic Command Structure
The basic syntax for Hashcat is: hashcat -m [hash_type] -a [attack_mode] [hash_file] [wordlist]. The -m flag specifies the hash type (e.g., 0 for MD5, 1000 for NTLM). The -a flag sets the attack mode: 0 for dictionary, 3 for brute force, 6 for hybrid, etc. The hash file contains the target hashes, and the wordlist is a text file with candidate passwords.
For example, to crack an MD5 hash using a dictionary attack: hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt. This tells Hashcat to use mode 0 (MD5), attack mode 0 (dictionary), read from hash.txt, and use the rockyou.txt wordlist.
Hashcat outputs cracked passwords to the terminal and saves them in a potfile (~/.hashcat/hashcat.potfile). To view cracked hashes, use hashcat --show -m 0 hash.txt.
Common Hash Types And Their Modes
- MD5: mode 0
- SHA1: mode 100
- SHA256: mode 1400
- NTLM (Windows): mode 1000
- bcrypt: mode 3200
- sha512crypt (Linux shadow): mode 1800
You can list all supported hash types with hashcat --help or check the official documentation. Always verify the hash type before cracking, as using the wrong mode will not produce results.
Attack Modes Explained
Dictionary Attack (Mode 0)
This is the simplest attack. You provide a wordlist, and Hashcat tries each word as a password. It works well for common passwords. Use it with -a 0. Example: hashcat -m 0 -a 0 hash.txt wordlist.txt.
Brute Force Attack (Mode 3)
Brute force tries every possible combination of characters. Use a mask to define the character set and length. For example, -a 3 ?l?l?l?l?l?l?l?l tries all 8-letter lowercase passwords. This is slow for long passwords but exhaustive.
Hybrid Attack (Mode 6 and 7)
Hybrid attacks combine a dictionary word with a mask. Mode 6 appends a mask to each word (e.g., “password123”). Mode 7 prepends a mask. Use -a 6 for append, -a 7 for prepend. Example: hashcat -m 0 -a 6 hash.txt wordlist.txt ?d?d?d tries each word with three digits appended.
Rule-Based Attack (Mode 0 with Rules)
Rules modify words from a dictionary, like capitalizing, adding numbers, or reversing. Use the -r flag with a rule file. Kali includes rule files in /usr/share/hashcat/rules/. Example: hashcat -m 0 -a 0 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule.
Using Masks For Brute Force
Masks define character sets. Common placeholders: ?l for lowercase, ?u for uppercase, ?d for digits, ?s for symbols, ?a for all. You can also create custom sets with -1. For example, hashcat -m 0 -a 3 hash.txt ?l?l?l?d?d tries 3 lowercase letters followed by 2 digits.
To crack an 8-character password with mixed case and digits: hashcat -m 0 -a 3 hash.txt ?u?l?l?l?d?d?d?d. Adjust the mask based on your target’s complexity.
Performance Optimization
Hashcat uses GPU power. Monitor performance with the --status flag. Use --workload-profile to adjust GPU usage (1=low, 4=high). For example, hashcat -m 0 -a 0 hash.txt wordlist.txt --workload-profile 3. You can also limit GPU temperature with --hwmon-temp-abort.
If you have multiple GPUs, use -d 1,2 to select specific devices. Check device IDs with hashcat -I. Using all GPUs speeds up cracking significantly.
Cracking Linux Shadow Hashes
Linux shadow files contain SHA-512 hashes (mode 1800). First, combine the username and hash from /etc/shadow into a file. Format: username:$6$salt$hash. Then run: hashcat -m 1800 -a 0 --username shadow.txt /usr/share/wordlists/rockyou.txt. The --username flag tells Hashcat to ignore the leading username field. This cracks user passwords from the system.
Be careful: only crack hashes you own or have permission to test. Unauthorized cracking is illegal.
Cracking Windows NTLM Hashes
Windows stores NTLM hashes (mode 1000). Extract them using tools like secretsdump.py from Impacket. Save the hashes in a file (e.g., ntlm.txt). Then crack with: hashcat -m 1000 -a 0 ntlm.txt wordlist.txt. NTLM hashes are fast to crack because they lack salting.
Using Potfile And Showing Results
Hashcat automatically saves cracked passwords to the potfile. To view them, use hashcat --show -m 0 hash.txt. This shows only cracked hashes. To see all hashes including uncracked, use the --left flag.
You can also export results with --outfile or -o. Example: hashcat -m 0 -a 0 hash.txt wordlist.txt -o cracked.txt. This saves cracked passwords to cracked.txt.
Common Errors And Fixes
- “No devices found”: Install GPU drivers or use CPU mode with --force (slower).
- “Hash mode not supported”: Check the hash type with hashcat --example-hashes.
- “Separator unmatched”: Ensure hash file format is correct (hash:password or just hash).
- “Out of memory”: Reduce workload profile or use smaller wordlists.
Real-World Example: Cracking A Wi-Fi WPA2 Handshake
Hashcat can crack WPA2 handshakes (mode 22000). First, capture a handshake using airodump-ng and aireplay-ng. Convert the .cap file to .hccapx using the cap2hccapx tool. Then crack: hashcat -m 22000 -a 0 handshake.hccapx wordlist.txt. This recovers the Wi-Fi password.
For WPA2, use a good wordlist like rockyou.txt or create a custom one based on the target network.
Using Hashcat With Rules
Rules transform dictionary words. Kali includes many rule files in /usr/share/hashcat/rules/. Popular ones: best64.rule, d3ad0ne.rule, OneRuleToRuleThemAll.rule. Apply with -r. Example: hashcat -m 0 -a 0 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule.
Rules can add numbers, capitalize letters, or substitute characters (e.g., “password” becomes “P@ssw0rd”). This increases success rate without expanding the wordlist size.
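The rule behaviour described above can be turned into a password-policy check: given a proposed password, find which dictionary word and rule line would produce it. This is an added example, not code from Hashcat or from this guide; it implements only a handful of rule functions (: l u c r d $X ^X sXY), and the rule lines and wordlist are constructed for illustration and are not the contents of best64.rule.

```python
# Minimal interpreter for a subset of hashcat rule functions.
SIMPLE = {
    ":": lambda w: w,          # no-op
    "l": str.lower,            # lowercase all
    "u": str.upper,            # uppercase all
    "c": str.capitalize,       # first letter upper, rest lower
    "r": lambda w: w[::-1],    # reverse
    "d": lambda w: w + w,      # duplicate
}

def apply_rule(rule, word):
    """Apply one rule line (functions separated by spaces) to a word."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == " ":
            i += 1
        elif op in SIMPLE:
            word, i = SIMPLE[op](word), i + 1
        elif op == "$":                     # $X appends character X
            word, i = word + rule[i + 1], i + 2
        elif op == "^":                     # ^X prepends character X
            word, i = rule[i + 1] + word, i + 2
        elif op == "s":                     # sXY replaces every X with Y
            word, i = word.replace(rule[i + 1], rule[i + 2]), i + 3
        else:
            raise ValueError(f"rule function {op!r} is not covered by this sketch")
    return word

def derivations(password, wordlist, rules):
    """Every (word, rule) pair that generates the password; [] means none does."""
    return [(w, r) for w in wordlist for r in rules if apply_rule(r, w) == password]

# Constructed inputs for illustration.
RULES = [":", "c", "$1 $2 $3", "c $1", "sa@ so0", "c sa@ so0", "r"]
WORDS = ["letmein", "password", "dragon"]

if __name__ == "__main__":
    print(len(WORDS) * len(RULES), "candidates from", len(WORDS), "words")
    print(derivations("P@ssw0rd", WORDS, RULES))
```

A password that returns a non-empty list here is covered by a dictionary-plus-rules run, however complex it looks to a character-class policy.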
Advanced: Mask Attack With Custom Character Sets
Define custom character sets with -1, -2, etc. For example, -1 ?l?u creates a set of lowercase and uppercase letters. Then use it in the mask: hashcat -m 0 -a 3 hash.txt ?1?1?1?d?d. This tries all combinations of 3 letters (upper/lower) followed by 2 digits.
You can also use incremental mode with --increment to try increasing lengths. Example: hashcat -m 0 -a 3 hash.txt ?l?l?l?l?l?l?l?l --increment --increment-min 4 tries lengths 4 to 8.
Benchmarking Your System
Run a benchmark to see how fast your GPU cracks different hash types: hashcat -b. This tests all hash modes. To test a specific mode, use hashcat -b -m 0. Use the results to estimate cracking time for your target.
Benchmarking helps you choose the best attack mode and wordlist size for your hardware.
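To turn a benchmark figure into a time estimate, count the candidates a mask generates and divide by the hash rate. The following is an added example (not part of Hashcat) that covers the built-in placeholders, custom sets as used with -1, and --increment; the 1e9 hashes-per-second rate is an assumed figure, not a measured result.

```python
import string

# hashcat's built-in charsets (?s is the 32 punctuation marks plus space).
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation + " "),
}
BUILTIN["a"] = set().union(*BUILTIN.values())  # ?a = ?l?u?d?s, 95 characters

def expand(spec, custom=None):
    """Return one set of characters per position of a mask or charset spec."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(spec):
        key = spec[i + 1] if spec[i] == "?" and i + 1 < len(spec) else None
        if key is None:
            positions.append({spec[i]})          # literal character
        elif key == "?":
            positions.append({"?"})              # ?? is a literal question mark
        elif key in BUILTIN or key in custom:
            positions.append(BUILTIN.get(key) or custom[key])
        else:
            raise ValueError(f"unknown placeholder ?{key}")
        i += 1 if key is None else 2
    return positions

def custom_charset(spec):
    """Value of -1/-2/...: the union of everything listed, e.g. ?l?u -> 52."""
    return set().union(*expand(spec))

def keyspace(mask, custom=None, increment_min=None):
    """Candidate count; with increment_min, summed over lengths min..full."""
    sizes = [len(p) for p in expand(mask, custom)]
    total = 0
    for length in range(increment_min or len(sizes), len(sizes) + 1):
        count = 1
        for size in sizes[:length]:
            count *= size
        total += count
    return total

def hours_to_exhaust(candidates, hashes_per_second):
    """Worst case: every candidate is tried before the search is exhausted."""
    return candidates / hashes_per_second / 3600

if __name__ == "__main__":  # 1e9 H/s is an assumed rate, not a benchmark result
    print(hours_to_exhaust(keyspace("?u?l?l?l?d?d?d?d"), 1e9))
```

Comparing keyspace("?u?l?l?l?d?d?d?d") with keyspace("?a" * 8) shows how much a predictable structure shrinks the search compared with eight unconstrained characters.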
Ethical Considerations
Only use Hashcat on systems you own or have explicit permission to test. Cracking passwords without authorization is illegal and unethical. Always obtain written consent before testing. Hashcat is a tool for security professionals and researchers, not for malicious use.
Troubleshooting Tips
- If Hashcat crashes, update your GPU drivers.
- For large wordlists, use --optimized-kernel-enable to speed up.
- Use --force if you get warnings about outdated drivers (but expect slower performance).
- Check hash format: some tools output hashes with colons or spaces. Clean them before cracking.
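The hash-format check above, and the earlier advice to verify the hash type before choosing -m, can be automated. This is an added example, not part of Hashcat: it strips stray whitespace, pulls the hash field out of user:hash or shadow-style lines, and maps its shape to the modes listed in this guide. The sample lines are constructed, and the sha512crypt value is a shape-only dummy.

```python
import hashlib
import re

HEX = r"[0-9a-fA-F]"
B64 = r"[./A-Za-z0-9]"
# Shape of one hash field -> modes from this guide's table that accept that shape.
SHAPES = [
    (re.compile(rf"{HEX}{{32}}"), [0, 1000]),   # MD5 and NTLM look identical
    (re.compile(rf"{HEX}{{40}}"), [100]),       # SHA1
    (re.compile(rf"{HEX}{{64}}"), [1400]),      # SHA256
    (re.compile(rf"\$2[aby]\$\d\d\${B64}{{53}}"), [3200]),                     # bcrypt
    (re.compile(rf"\$6\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}"), [1800]),  # sha512crypt
]

def candidate_modes(field):
    """Modes whose hash shape matches this field exactly; [] if none does."""
    for pattern, modes in SHAPES:
        if pattern.fullmatch(field):
            return modes
    return []

def extract_hash(raw):
    """Strip whitespace/CR and pick the hash out of user:hash or shadow lines."""
    for field in raw.strip().split(":"):
        if candidate_modes(field.strip()):
            return field.strip()
    return None

def check_file(lines):
    """Return (clean_hashes, problems); problems are (line_number, reason)."""
    clean, problems, seen_modes = [], [], set()
    for number, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        found = extract_hash(raw)
        if found is None:
            problems.append((number, "no recognisable hash"))
            continue
        clean.append(found)
        seen_modes.add(tuple(candidate_modes(found)))
    if len(seen_modes) > 1:
        problems.append((0, "mixed hash types: split the file per mode"))
    return clean, problems

# Constructed sample: MD5 of the practice password plus a shape-only dummy.
MD5 = hashlib.md5(b"password123").hexdigest()
SAMPLE = [f"alice:{MD5} \r\n", f"{MD5.upper()}\n", "not a hash\n",
          "bob:$6$saltsalt$" + "A" * 86 + ":19000:0:99999:7:::\n"]
```

A 32-character hex string returns both 0 and 1000, so the shape alone cannot tell MD5 from NTLM; the source of the hash decides the mode.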
Frequently Asked Questions
What Is The Best Wordlist For Hashcat In Kali Linux?
The rockyou.txt wordlist (located at /usr/share/wordlists/rockyou.txt) is a good start. It contains millions of common passwords. For specific targets, create custom wordlists based on the user’s information.
Can Hashcat Crack Salted Hashes?
Yes, Hashcat supports salted hashes. The hash file must include the salt in the correct format (e.g., hash:salt). Use the appropriate mode for the hash type (e.g., mode 1800 for Linux shadow with salt).
Why Is My GPU Not Detected By Hashcat?
Install the latest GPU drivers. For NVIDIA, install nvidia-driver. For AMD, install rocm-opencl-runtime. Then reboot. If still not detected, use hashcat -I to list devices. You may need to run Hashcat with --force for CPU-only mode.
How Do I Crack A Hash Without A Wordlist?
Use brute force attack (mode 3) with a mask. Define the character set and length. For short passwords (up to 6-7 characters), this is feasible. For longer passwords, it becomes exponentially slower. Consider using rules with a small wordlist first.
What Does “Exhausted” Mean In Hashcat Output?
“Exhausted” means Hashcat has tried all candidates from the wordlist or mask without finding a match. You need a larger wordlist, different rules, or a different attack mode. Check the potfile to see if any hashes were cracked.
Hashcat is a versatile tool for password recovery and security auditing. By mastering its commands and attack modes, you can efficiently test password strength and recover lost credentials. Practice with sample hashes, experiment with different wordlists and rules, and always stay within legal boundaries. With time, you will become proficient at using Hashcat in Kali Linux for your security assessments.