TechEarl

How to Crack NTLM Hashes with Hashcat

NTLM is the hash behind Windows and Active Directory passwords, and it is fast and unsalted, which is why a password audit cracks weak ones in seconds. I cover the hashcat command, where the hashes come from, realistic crack times, and the NetNTLMv2 distinction. Tested on hashcat 7.1.2.

Ishan Karunaratne · 7 min read
Where Windows NTLM hashes come from, why they fall fast, the optimal hashcat attack (-m 1000), realistic crack times on modern GPUs, and how NTLM differs from NetNTLMv2.

NTLM is the hash that protects Windows and Active Directory passwords, and from an attacker's chair it has a fatal flaw: it is fast and unsalted. There is no work factor, no per-user salt, nothing to slow a GPU down. That is why an Active Directory password audit, the legitimate exercise of cracking a domain's own hashes to find weak passwords, clears the easy ones in seconds and is one of the most reliable wins in security work. This is how it is done. Tested on hashcat 7.1.2.

TL;DR

NTLM is hashcat mode -m 1000. An NTLM hash is a 32-character hex string, identical in appearance to MD5, so you tell them apart by source: NTLM comes from Windows (a SAM hive, an NTDS.dit domain database, a credential-dumping tool). Because NTLM is fast and unsalted, a single modern GPU tries hundreds of billions of guesses per second, so the attack order is a wordlist, then rules, then masks, and even full eight-character brute force is on the table. Do not confuse NTLM (-m 1000, a stored hash) with NetNTLMv2 (-m 5600, a network-captured challenge-response); they are different things with different modes.

Where NTLM hashes come from

You crack NTLM during an authorised Active Directory assessment or password audit. The hashes are extracted from:

  • The local SAM hive on a Windows host (local account hashes).
  • The domain controller's NTDS.dit database (every domain account), typically via a tool like secretsdump or ntdsutil against a system you are authorised to test.
  • A live process with mimikatz or similar, in a sanctioned engagement.

They usually arrive in pwdump format, username:RID:LMhash:NThash:::, with the NT hash in the fourth field. hashcat reads that directly with --username, or you cut out just the NT hashes.

Identify it

An NTLM hash looks exactly like MD5: 32 hexadecimal characters, no prefix, no salt.

text
8846f7eaee8fb117ad06bdd830b7586c

There is no way to tell NTLM and MD5 apart by looking; the difference is where it came from. A Windows credential dump is NTLM (-m 1000); a web app database is most likely MD5 (-m 0). When you genuinely cannot tell, crack with both modes. More on this in identifying a hash type.

Crack it

Put the NT hashes in a file (one per line, or pwdump lines with --username) and run a wordlist:

bash
echo '8846f7eaee8fb117ad06bdd830b7586c' > ntlm.hash
hashcat -m 1000 -a 0 ntlm.hash rockyou.txt

It cracks immediately:

text
8846f7eaee8fb117ad06bdd830b7586c:password

Status...........: Cracked
Hash.Mode........: 1000 (NTLM)

The high-yield real attack, as always, is a wordlist with rules:

bash
# pwdump format straight from secretsdump, with rules
hashcat -m 1000 -a 0 --username ntds.txt rockyou.txt -r rules/best66.rule

Because NTLM is so fast, you can afford to keep going past wordlists into mask attacks for known password policies, and even full eight-character brute force is realistic on good hardware.

Realistic crack times

This is where NTLM's speed becomes visceral. A single modern GPU (an RTX 4090) benchmarks NTLM at roughly 290 billion guesses per second. At that rate:

  • A weak or reused password: cracked the instant a wordlist run starts.
  • An eight-character all-lowercase password (26^8, ~200 billion): about a second.
  • A full eight-character mixed-case-plus-digits-plus-symbol space: within reach in hours to days on a multi-GPU rig.

This is the entire argument for why fast unsalted hashes are unacceptable for passwords, and why bcrypt or Argon2 (ten million times slower to attack) exist. For full per-GPU numbers, see the hashcat benchmark deep dive.
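The crack-time figures above follow from keyspace divided by rate. The estimator below is an added example, not part of the article or of hashcat: it parses a hashcat mask into its keyspace using the built-in charset sizes (?l 26, ?u 26, ?d 10, ?s 33, ?a 95, ?b 256), then reports the worst-case exhaustion time at the single-GPU NTLM rate the article quotes, and, for contrast, at a rate ten million times slower, the factor the article gives for bcrypt or Argon2. The masks in the usage block are constructed examples.

```python
# Size of each hashcat built-in charset (?l ?u ?d ?s ?a ?b)
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}
NTLM_RATE = 290e9             # guesses/s for NTLM on one RTX 4090, the figure quoted above
SLOW_HASH_FACTOR = 10_000_000  # "ten million times slower", the article's bcrypt/Argon2 comparison


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask enumerates. ?l ?u ?d ?s ?a ?b expand to the
    built-in charsets, '??' is a literal question mark, any other character is fixed."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i + 1]
            if token != "?":
                if token not in CHARSETS:
                    raise ValueError(f"unsupported charset ?{token}")
                total *= CHARSETS[token]
            i += 2
        else:
            i += 1  # literal character: exactly one choice
    return total


def exhaust_seconds(mask: str, rate: float = NTLM_RATE) -> float:
    """Worst case: every candidate in the mask tried at the given rate. The average is half."""
    return mask_keyspace(mask) / rate


def human(seconds: float) -> str:
    """Render seconds as the largest sensible unit with one decimal."""
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.2f}s"


if __name__ == "__main__":
    # Constructed masks: 8 lowercase, 8 of the full 95-character set, a 12-character full set,
    # and a policy-shaped pattern (capital, five lowercase, two digits, one symbol).
    for mask in ("?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a", "?a?a?a?a?a?a?a?a?a?a?a?a",
                 "?u?l?l?l?l?l?d?d?s"):
        fast = human(exhaust_seconds(mask))
        slow = human(exhaust_seconds(mask, NTLM_RATE / SLOW_HASH_FACTOR))
        print(f"{mask:28} keyspace={mask_keyspace(mask):<22} NTLM={fast:>8}  slow-hash={slow:>8}")
```

The policy-shaped mask is the interesting row for a defender: a nine-character password that satisfies a typical complexity rule in the most common shape is still a small keyspace for NTLM, while the twelve-character row shows why the article's advice is length rather than complexity.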

NTLM is not NetNTLMv2 (a common mix-up)

Two different things share the "NTLM" name:

What        hashcat -m   Where it comes from
NTLM        1000         A stored hash (SAM, NTDS.dit). The password hash at rest.
NetNTLMv1   5500         A network challenge-response (legacy, weak).
NetNTLMv2   5600         A network challenge-response, captured with a tool like Responder.

If you captured authentication traffic off the wire (Responder, an SMB relay), you have NetNTLMv2 (-m 5600), not NTLM. It cracks the same way (wordlist plus rules) but it is salted by the challenge, so it is slower than raw NTLM and there is no pass-the-hash shortcut from it.
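A small triage script for a mixed hash file, written here as an added example and not taken from the article or from hashcat: it recognises the pwdump layout described earlier (username:RID:LMhash:NThash:::) and pulls out the NT field for -m 1000, reports a bare 32-hex value as the NTLM-or-MD5 ambiguity that can only be settled by source, and spots the line shape hashcat expects for NetNTLMv2 (user::domain:serverchallenge:ntproofstr:blob) so it is routed to -m 5600 rather than mixed in with stored hashes. It also surfaces two findings that need no cracking at all: accounts whose NT hash is the empty-password value and accounts that share one hash. All sample lines, user names and the NetNTLMv2 field values are constructed; the empty LM field value and the article's example hash are the only real ones.

```python
import re

HEX16 = re.compile(r"^[0-9a-fA-F]{16}$")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
HEXANY = re.compile(r"^[0-9a-fA-F]+$")
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def classify(line: str) -> dict:
    """Map one line to the hashcat mode(s) it belongs to, judged purely by structure.
    A bare 32-hex value cannot be told from MD5, so it is given both candidate modes."""
    line = line.strip()
    f = line.split(":")
    if HEX32.match(line):
        return {"kind": "bare", "modes": [1000, 0], "user": None, "nt": line.lower()}
    # pwdump: user:RID:LMhash:NThash:::  (what secretsdump-style tools emit)
    if (len(f) == 7 and f[4:] == ["", "", ""] and f[1].isdigit()
            and HEX32.match(f[2]) and HEX32.match(f[3])):
        return {"kind": "pwdump", "modes": [1000], "user": f[0], "nt": f[3].lower()}
    # NetNTLMv2 in hashcat form: user::domain:challenge(16 hex):ntproofstr(32 hex):blob(hex)
    if (len(f) == 6 and f[1] == "" and HEX16.match(f[3])
            and HEX32.match(f[4]) and HEXANY.match(f[5])):
        return {"kind": "netntlmv2", "modes": [5600], "user": f[0], "nt": None}
    return {"kind": "unknown", "modes": [], "user": None, "nt": None}


def triage(lines) -> dict:
    """Split a mixed file into per-mode inputs and report what the dump gives away for free:
    empty passwords and hashes shared by several accounts (same password, no cracking needed)."""
    by_mode = {1000: [], 5600: [], "ambiguous": [], "unknown": []}
    owners = {}  # nt hash -> users carrying it (pwdump lines only)
    for raw in lines:
        if not raw.strip():
            continue
        r = classify(raw)
        if r["kind"] == "pwdump":
            by_mode[1000].append(r["nt"])
            owners.setdefault(r["nt"], []).append(r["user"])
        elif r["kind"] == "bare":
            by_mode["ambiguous"].append(r["nt"])
        elif r["kind"] == "netntlmv2":
            by_mode[5600].append(raw.strip())
        else:
            by_mode["unknown"].append(raw.strip())
    empty = [u for nt, users in owners.items() if nt == EMPTY_NT for u in users]
    shared = {nt: users for nt, users in owners.items() if len(users) > 1 and nt != EMPTY_NT}
    # hashcat only needs each hash once; the audit report maps cracked hashes back to users
    by_mode[1000] = sorted(set(by_mode[1000]))
    return {"by_mode": by_mode, "empty_password": sorted(empty), "shared_hash": shared}


# Constructed sample. The LM field holds the standard "no LM hash" value; two users share the
# article's example NT hash; the NetNTLMv2 line's challenge, proof and blob are made up.
SAMPLE = """\
CORP\\alice:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\bob:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\svc_scan:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
8846f7eaee8fb117ad06bdd830b7586c
dave::CORP:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabbccdd
not a hash line
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("-m 1000 targets:", report["by_mode"][1000])
    print("-m 5600 lines:  ", len(report["by_mode"][5600]))
    print("ambiguous (try -m 1000 and -m 0):", report["by_mode"]["ambiguous"])
    print("empty passwords:", report["empty_password"])
    print("shared hashes:  ", report["shared_hash"])
```

Feeding a NetNTLMv2 line to -m 1000 simply fails to parse, but the reverse mistake, expecting pass-the-hash from a cracked 5600 line, is the one the mix-up above actually causes; keeping the two kinds in separate files from the start avoids both.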

The defender's takeaway

NTLM's weakness is structural, not a bug you can patch: it is unsalted and fast, so any leaked NTLM set is an offline cracking buffet for weak passwords. The realistic defences are about the passwords, not the hash:

  • Enforce length (long passphrases defeat the masks and brute force that fast hashes enable). A strength policy helps.
  • Run your own AD password audits with exactly this technique, so you find the weak passwords before an attacker does.
  • For anything you control the storage of, never use a fast unsalted hash; use bcrypt or Argon2.


Tags: ntlm, password cracking, hashcat, mode 1000, active directory


Ishan Karunaratne

Software Systems Architect · Senior Software Engineer · Engineering Leadership

Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.
