hashcat is the fastest password recovery tool in existence and the one I reach for first. It runs your GPU flat out, supports several hundred hash types, and has the most capable attack engine of any cracker. It is also a command-line tool with a hundred-plus flags, which makes the first hour intimidating. This guide gets you from a clean install to a real crack you can read off the screen, then shows you the handful of flags that do ninety percent of the work. Every command here was run on hashcat 7.1.2.
TL;DR
A hashcat command is always the same shape: hashcat -m <hash-mode> -a <attack-mode> <hashfile> <wordlist-or-mask> [options]. The two numbers you must get right are -m (which algorithm, e.g. 0 = MD5, 1000 = NTLM, 3200 = bcrypt) and -a (which attack, 0 = dictionary, 3 = mask/brute force). Put your hash in a file, point hashcat at a wordlist, and read the cracked password with --show. Start with -a 0 and rockyou.txt; that single command cracks more than every fancy technique combined. The full flag reference, with fill-in-your-values fields, is the hashcat cheat sheet.
Install hashcat
hashcat ships as a single self-contained binary. You need a working GPU driver (NVIDIA CUDA, AMD ROCm, or Apple Metal) for real speed, though it will run on CPU for learning.
# macOS (Homebrew)
brew install hashcat
# Debian / Ubuntu
sudo apt install hashcat
# Arch
sudo pacman -S hashcat
# Fedora
sudo dnf install hashcat
On Windows, download the 7-zip archive from hashcat.net, extract it, and run hashcat.exe from a terminal in that folder. Confirm it works and check your version:
hashcat --version
# v7.1.2
Then verify hashcat can see your hardware. This also tells you whether you are about to crack on GPU (fast) or CPU (slow):
hashcat -I # list compute devices and backends
hashcat -b -m 0 # quick benchmark of MD5, a sanity check on raw speed
The anatomy of a hashcat command
Internalise this one line and the tool stops being mysterious:
hashcat -m <hash-mode> -a <attack-mode> <hashes> <wordlist-or-mask> [options]
- -m <hash-mode> tells hashcat which algorithm produced the hash. It is a number. 0 is MD5, 1000 is NTLM, 3200 is bcrypt, 22000 is WPA. There are several hundred; identifying the hash is how you find the right one, and hashcat 7 can even guess it for you with --identify.
- -a <attack-mode> tells hashcat how to generate guesses. 0 reads a wordlist, 3 walks a mask, 6/7 are hybrids. See the attack modes.
- <hashes> is the file containing the hash (or hashes, one per line).
- <wordlist-or-mask> is the input the attack consumes: a wordlist file for -a 0, a mask string for -a 3.
- [options] are the tuning flags: workload, optimised kernels, output file, and so on.
The attack modes
hashcat names its attack modes by number. This is the menu:
| -a | Mode | One-line summary |
|---|---|---|
| 0 | Straight (dictionary) | Hash each word in a wordlist. Your default. |
| 1 | Combination | Concatenate two wordlists, every A with every B. |
| 3 | Brute-force (mask) | Try every string matching a mask pattern. |
| 6 | Hybrid wordlist + mask | word then brute-forced suffix, e.g. summer + ?d?d?d?d. |
| 7 | Hybrid mask + wordlist | Brute-forced prefix then word. |
| 9 | Association | One candidate per hash, from a per-user hint. |
The art of choosing between them, and the keyspace maths behind why a wordlist beats brute force almost every time, is in dictionary vs brute force vs mask vs hybrid. The short version: start with -a 0, then add rules, then go to hybrids and masks.
Your first crack
Let us crack a real hash. Generate an MD5 of the word hashcat and drop it in a file (on macOS use md5, on Linux md5sum):
echo -n "hashcat" | md5sum | cut -d' ' -f1 > target.hash
cat target.hash
# 8743b52063cd84097a65d1633f5c74f5
Now point hashcat at it with a small wordlist (here a four-word list; in practice this would be rockyou.txt):
printf 'password\n123456\nhashcat\nletmein\n' > words.txt
hashcat -m 0 -a 0 target.hash words.txt
hashcat runs, and when it finds the match it prints the cracked line and a status block:
8743b52063cd84097a65d1633f5c74f5:hashcat
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 8743b52063cd84097a65d1633f5c74f5
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Status: Cracked and the hash:plaintext line are what you are after. That is the whole loop. Everything else in hashcat is a variation on this: a bigger wordlist, a different -m, an added rules file, a mask instead of a wordlist.
Reading the status screen
While a real crack runs, hashcat shows a live status block. Press s to refresh it, p to pause, q to quit (state is saved, you can resume). The lines that matter:
- Status: Running, Paused, Cracked, Exhausted (tried everything, found nothing), or Quit.
- Speed.#*: guesses per second per device. This is your throughput.
- Progress: how far through the keyspace you are, and the estimated total.
- Time.Estimated: when hashcat expects to finish the current attack. For a slow hash with a big mask this will read in years, which is your cue to pick a smarter attack.
- Recovered: how many of the loaded hashes are cracked so far.
If Time.Estimated is absurd, stop and rethink the attack rather than waiting. That number is the single best feedback hashcat gives you.
Hash modes: the -m you need
The -m number is the most common thing to get wrong. A few you will use constantly:
| Algorithm | -m | Notes |
|---|---|---|
| MD5 | 0 | Fast, unsalted. Trivial to crack. |
| SHA-1 | 100 | Fast, unsalted. |
| NTLM (Windows) | 1000 | Fast. The AD audit workhorse. |
| bcrypt $2*$ | 3200 | Slow. The WordPress default. |
| sha512crypt $6$ | 1800 | Linux /etc/shadow. Slow. |
| WPA (PMKID/EAPOL) | 22000 | Wi-Fi handshakes. |
| MS Office / PDF / 7-Zip | 9600 / 10600 / 11600 | Encrypted files. |
The complete list lives in hashcat --example-hashes (it prints an example hash and the mode number for every one of the several hundred supported types). When you are not sure what you are holding, read how to identify a hash type.
Getting your results back
hashcat writes every crack to a potfile (~/.local/share/hashcat/hashcat.potfile by default) so you never lose a result and never re-crack the same hash. To print what you have cracked for a given file:
hashcat -m 0 target.hash --show
# 8743b52063cd84097a65d1633f5c74f5:hashcat
To write cracked passwords to a file of your own, add --outfile cracked.txt --outfile-format 2 (format 2 is plaintext only). To run a clean experiment that ignores and does not pollute the potfile, add --potfile-disable.
The speed flags that matter
You can crack for months without touching most of hashcat's flags, but four are worth knowing on day one:
- -O (optimised kernels): much faster, but caps the maximum password length (usually to 31 or fewer, mode-dependent). Use it for fast hashes and short passwords; drop it when you need long candidates.
- -w 3 (workload profile): 1 is gentle on a desktop you are using, 3 is high, 4 ("nightmare") is for a headless cracking box. Default is 2.
- -D 1 / -D 2: force CPU or GPU. Handy when hashcat picks the wrong device.
- -S: slower-candidate mode that helps for very slow hashes like bcrypt.
The full treatment, including kernel tuning and reading benchmarks, is in speed up hashcat.
Common recipes
The commands you will actually paste. Swap in your own hash mode, hash file, and wordlist:
# Dictionary attack (your default first move)
hashcat -m 0 -a 0 hashes.txt rockyou.txt
# Dictionary + rules (the highest-yield real attack)
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best66.rule
# Mask attack: exactly 8 chars, upper + lower + digits
# (the mask is quoted so the shell does not treat ? as a glob character; zsh rejects it unquoted)
hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?l?d?d?d'
# Hybrid: wordlist with a 3-digit suffix (password123 patterns)
hashcat -m 0 -a 6 hashes.txt rockyou.txt '?d?d?d'
# Show what you have cracked
hashcat -m 0 hashes.txt --show
Keep the hashcat cheat sheet open; it has every flag with fields you fill in and copy.
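The mask and hybrid recipes above, and the Time.Estimated advice in the status-screen section, both come down to keyspace arithmetic. The following is an added example, not part of hashcat or of the original article: it computes the full candidate count for a mask from hashcat's built-in charset sizes and the worst-case runtime at a given speed. The function names, the two speeds and the 14,000,000-line wordlist size are assumptions constructed for the illustration, and custom charsets (?1 to ?4) are not handled.

```python
# Added example: candidate counts and worst-case runtime for hashcat masks.
# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask generates. Literals count once; ?? is a literal '?'."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character, contributes a factor of 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        token = mask[i + 1]
        if token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        elif token != "?":  # "??" is an escaped question mark
            raise ValueError(f"unsupported placeholder ?{token}")
        i += 2
    return total


def hybrid_keyspace(wordlist_lines: int, mask: str) -> int:
    """-a 6 / -a 7: every word is paired with every mask candidate."""
    return wordlist_lines * mask_keyspace(mask)


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace at the Speed.# figure from the status screen."""
    return keyspace / guesses_per_second


def humanize(seconds: float) -> str:
    for unit, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed speeds for illustration only, not benchmark results.
    FAST, SLOW = 10_000_000_000, 10_000  # guesses per second
    for mask in ("?u?l?l?l?l?d?d?d", "?a?a?a?a?a?a?a?a"):
        ks = mask_keyspace(mask)
        print(f"{mask}: {ks:,} candidates, "
              f"{humanize(worst_case_seconds(ks, FAST))} fast, "
              f"{humanize(worst_case_seconds(ks, SLOW))} slow")
    # Constructed wordlist size of 14,000,000 lines with a 3-digit suffix (-a 6).
    print(f"hybrid: {hybrid_keyspace(14_000_000, '?d?d?d'):,} candidates")
```

The same eight-character mask that finishes in about a second at the fast speed takes days at the slow one, which is the situation where Time.Estimated tells you to change the attack.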
Where to go next
- The hashcat cheat sheet for the fill-in-your-values command reference.
- The attack modes and the rules engine, where most real cracks come from.
- Going after real targets: NTLM, bcrypt, WPA2.
- The big-picture map: how password cracking works.
- Need file-format coverage instead? John the Ripper is the other half of the toolkit.