TechEarl

Hashcat Cheat Sheet: Build the Command, Copy, Crack

Set your hash file, wordlist, hash mode, and mask once at the top, and every command below fills in with your values, ready to copy and run. Then the full flag reference grouped by task, the mask charset table, and the common -m modes. Tested on hashcat 7.1.2.

Ishan Karunaratne · 6 min read

This is the hashcat reference I actually keep open while cracking. Set your hash file, wordlist, mode, and mask once at the top, and every command below rewrites itself with your values so you can copy and run it. Under that is the full flag reference grouped by what you are trying to do, the mask charset table, and the common -m modes. New to the tool? Start with how to use hashcat. Everything here was verified on hashcat 7.1.2.

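Set your values once

Set these once: hash file (`:hashfile`), wordlist (`:wordlist`), hash mode (`:mode`), mask (`:mask`), rules file (`:rules`) and workload profile (`:workload`). Every command on the page picks up your values in place of those placeholders. The hash mode selector covers only the most common types; for anything else, run `hashcat --example-hashes` or `--identify`.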

Ready-to-run attack commands

Dictionary attack (your default first move). Hash every word in the wordlist:

```bash
hashcat -m :mode -a 0 :hashfile :wordlist -w :workload
```

Dictionary + rules (the highest-yield real attack). Mutate each word with a rules file:

```bash
hashcat -m :mode -a 0 :hashfile :wordlist -r rules/:rules -w :workload
```

Mask attack (smart brute force). Try every string matching the mask:

```bash
hashcat -m :mode -a 3 :hashfile ':mask' -w :workload
```

Hybrid: wordlist + mask (the password123 pattern, a word then a 3-digit suffix):

```bash
hashcat -m :mode -a 6 :hashfile :wordlist '?d?d?d' -w :workload
```

Hybrid: mask + wordlist (a brute-forced prefix then a word):

```bash
hashcat -m :mode -a 7 :hashfile '?d?d?d' :wordlist -w :workload
```

Combination attack (every word in list A joined to every word in list B):

```bash
hashcat -m :mode -a 1 :hashfile :wordlist :wordlist
```

Show what you have cracked (read results from the potfile):

```bash
hashcat -m :mode :hashfile --show
```

Benchmark this hash mode (raw speed on your hardware):

```bash
hashcat -b -m :mode
```

The full flag reference

Grouped by what you are actually doing. Copy and adapt.

Hashcat Flag Reference

Every flag organised by task. Tested on hashcat 7.1.2.

Core / required

| Flag or argument | Description |
| --- | --- |
| `-m 1000` | Hash mode. Which algorithm produced the hash. 0=MD5, 1000=NTLM, 3200=bcrypt, 22000=WPA. Run `--example-hashes` for the full list. |
| `-a 0` | Attack mode. 0=dictionary, 1=combination, 3=mask, 6/7=hybrid, 9=association. |
| `--identify hashes.txt` | Have hashcat guess the hash mode(s) for the input. New in hashcat 7. |
| `--version` | Print the version. Always state it when reporting. |
| `-I` | List compute devices and backends (is hashcat using your GPU?). |
| `-b -m 0` | Benchmark a hash mode for raw speed on your hardware. |

Hash & input

| Flag or argument | Description |
| --- | --- |
| `hashes.txt` | File of hashes, one per line. Pass as the first positional argument after the flags. |
| `--username` | Input lines are username:hash. Strips the username before cracking. |
| `-hh` | Show all supported hash-modes with names (`-h` is the short help). |
| `--hex-salt` | Salt is given in hex. |
| `--keep-guessing` | Keep cracking after a hash is found (collisions, plaintext variants). |

Attack modes

| Flag or argument | Description |
| --- | --- |
| `-a 0 wordlist.txt` | Straight / dictionary. Hash each line of the wordlist. |
| `-a 1 left.txt right.txt` | Combination. Concatenate every word in left with every word in right. |
| `-a 3 ?u?l?l?l?d?d` | Mask / brute force. Try every string matching the mask. |
| `-a 6 wordlist.txt ?d?d?d` | Hybrid wordlist + mask. Append a brute-forced suffix to each word. |
| `-a 7 ?d?d?d wordlist.txt` | Hybrid mask + wordlist. Prepend a brute-forced prefix to each word. |
| `-a 9` | Association. One candidate per hash from a per-user hint (username, old password). |

Mask & charsets

| Flag or argument | Description |
| --- | --- |
| `?l ?u ?d ?s ?a` | Built-in charsets: lower, upper, digit, special, all. `?h`/`?H` are hex. |
| `-1 ?l?d` | Define custom charset 1. Reference it in the mask as `?1`. Up to `-8`. |
| `--increment` | Increment mask length from 1 up to the mask length. Try short passwords first. |
| `--increment-min 4 --increment-max 8` | Bound the incremented length range. |
| `-a 3 password?d?d?d` | Masks can mix literals and tokens. Cracks password000..password999. |

Rules & wordlist mangling

| Flag or argument | Description |
| --- | --- |
| `-r rules/best66.rule` | Apply a rules file to mutate each wordlist word. best66 is the standard starting point. |
| `-r rules/best66.rule -r rules/toggles1.rule` | Stack multiple rule files (rules are combined, multiplying candidates). |
| `-j 'c'` | Single rule applied to the left wordlist (combination/hybrid). |
| `-k '$1'` | Single rule applied to the right wordlist (combination/hybrid). |
| `--loopback` | Feed cracked passwords back as a wordlist (catches password reuse patterns). |

Performance & tuning

| Flag or argument | Description |
| --- | --- |
| `-w 3` | Workload profile. 1=low (desktop in use), 2=default, 3=high, 4=nightmare (headless). |
| `-O` | Optimised kernels: much faster, but caps password length. Drop it for long candidates. |
| `-D 1` / `-D 2` | Force CPU (1) or GPU (2) device types. |
| `-S` | Slower-candidate mode that helps for very slow hashes like bcrypt. |
| `-d 1` | Use only device number 1 (multi-GPU selection). |
| `--hwmon-temp-abort=90` | Abort if a device passes 90C. Sanity guard on a hot rig. |

Output, session & resume

| Flag or argument | Description |
| --- | --- |
| `--show` | Print already-cracked hashes for the input file (reads the potfile). |
| `--left` | Print the hashes still NOT cracked. |
| `-o cracked.txt` | Write cracked results to a file. |
| `--outfile-format 2` | Output format: 2 is plaintext only. Combine with `-o`. |
| `--potfile-disable` | Do not read or write the potfile (clean experiments). |
| `--session=audit1` | Name the session so you can resume it. |
| `--restore` | Resume an interrupted session by name. |

Mask charset table (the regex of cracking)

A mask is a pattern, one token per character position. These are the built-in charsets, verified against hashcat --help:

| Token | Expands to | Set |
| --- | --- | --- |
| `?l` | `abcdefghijklmnopqrstuvwxyz` | lowercase |
| `?u` | `ABCDEFGHIJKLMNOPQRSTUVWXYZ` | uppercase |
| `?d` | `0123456789` | digits |
| `?h` | `0123456789abcdef` | lowercase hex |
| `?H` | `0123456789ABCDEF` | uppercase hex |
| `?s` | space plus all keyboard punctuation (shown below) | special |
| `?a` | `?l?u?d?s` | all printable ASCII |
| `?b` | byte 0x00 to 0xff | every byte |

The ?s special set, exactly as hashcat defines it (a leading space, then):

```text
 !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
```

Custom charsets with -1 through -8, then reference them as ?1..?8:

| Example | Meaning |
| --- | --- |
| `-1 ?l?u ?1?1?1?1?1?1` | six chars, each a mixed-case letter |
| `-1 ?l?d -2 ?u ?2?1?1?1?1?d?d` | one upper, four lower-or-digit, two digits |
| `password?d?d?d` | literal password then 000 to 999 |
| `--increment ?a?a?a?a?a?a?a?a` | all-printable, length 1 up to 8 |

The full mask strategy, including keyspace maths, is in the hashcat mask attack.
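To make the charset tables concrete, here is an added example (not code from the original page or from the hashcat project) that counts how many candidates a mask produces, covering the built-in tokens, custom charsets `-1` to `-8`, literals and `--increment`. It goes beyond the four table rows by accepting any mask; the function names `parse` and `candidates` and the dictionary form of the custom charsets are assumptions made for this sketch.

```python
import string
from math import prod

# Built-in charsets from the table above; ?s is a space plus 32 punctuation chars.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def parse(spec, custom):
    """Turn a mask or charset spec into a list of per-token sets of byte values."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] != "?":
            out.append({ord(spec[i])})     # literal character
            i += 1
            continue
        tok = spec[i + 1:i + 2]            # empty string if '?' is the last char
        if tok == "?":
            out.append({ord("?")})         # '??' is a literal question mark
        elif tok == "b":
            out.append(set(range(256)))    # every byte value
        elif tok in BUILTIN:
            out.append({ord(c) for c in BUILTIN[tok]})
        elif tok.isdigit() and int(tok) in custom:
            out.append(custom[int(tok)])   # ?1..?8 as defined by the caller
        else:
            raise ValueError(f"unknown or undefined token ?{tok}")
        i += 2
    return out


def candidates(mask, charsets=None, increment=False, inc_min=1, inc_max=None):
    """Count candidates for a mask; charsets maps 1..8 to the -1..-8 specs.
    A custom charset is the union of every character its spec names."""
    custom = {}
    for n in sorted(charsets or {}):
        custom[n] = set().union(*parse(charsets[n], custom))
    sizes = [len(p) for p in parse(mask, custom)]
    if not increment:
        return prod(sizes)
    top = min(inc_max or len(sizes), len(sizes))
    return sum(prod(sizes[:n]) for n in range(inc_min, top + 1))
```

Divide the result by the rate `hashcat -b -m :mode` reports to estimate how long a given password shape survives exhaustion. The count is the total number of candidates, which is not the same number that `hashcat --keyspace` prints.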

Common hash modes (-m)

A quick lookup for the modes you will reach for. The complete list is hashcat --example-hashes.

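| Algorithm | -m | Speed | Crack guide |
| --- | --- | --- | --- |
| MD5 | 0 | Fast | Crack MD5 |
| SHA-1 | 100 | Fast | |
| SHA-256 | 1400 | Fast | |
| NTLM | 1000 | Fast | Crack NTLM |
| NetNTLMv2 | 5600 | Fast | |
| Kerberos AS-REP / TGS-REP | 18200 / 13100 | Fast | |
| md5crypt $1$ | 500 | Slow | |
| sha256crypt $5$ | 7400 | Slow | |
| sha512crypt $6$ (Linux) | 1800 | Slow | |
| bcrypt $2*$ | 3200 | Slow | Crack bcrypt |
| Argon2 (i/d/id) | 34000 | Slow | |
| WPA (PMKID+EAPOL) | 22000 | Slow | Crack WPA2 |
| KeePass | 13400 | Slow | |
| MS Office 2013 | 9600 | Slow | Crack files |
| 7-Zip / RAR5 | 11600 / 13000 | Slow | Crack files |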
