
Hashcat: Breaking Hashes Without Making a Single Network Request


Series: The Community's Red Team

Post: 09 of 17

Tags: hashcat, hash cracking, offline cracking, NTLM, kerberoast, password attacks, tools

Read time: ~12 min

Prerequisites: Post 01 — Methodology Overview


You're inside a system. You ran a credential dump and came back with a file full of hashes. Or you captured NetNTLMv2 traffic with Responder. Or you grabbed Kerberos tickets with Impacket. The plaintext passwords are locked inside these strings of hex characters.

Hashcat's job is to unlock them.

Unlike Hydra or Medusa — which make live network requests and are limited by service response times and lockout policies — Hashcat works entirely offline. It takes your hash file, runs candidate passwords through the same hashing function that created them, and compares. If the output matches, the password is cracked. No network. No lockout risk. Just raw compute.

And modern hardware is fast at this. A single GPU can test hundreds of millions of MD5 candidates per second. NTLM is even faster. The only limit is your wordlist, your rules, and your hardware.


The Fundamental Concept: Why Hashing Is Breakable

Passwords aren't stored as plaintext. They're stored as hashes — the output of a one-way mathematical function. You can't reverse a hash directly. But you can take a candidate password, hash it with the same function, and check if the output matches. If it does, you've found the password.

Hashcat automates this process at GPU speed. The cracking itself is conceptually simple. The complexity is in knowing which hash function was used, which wordlists and rules to apply, and how to read the output.


Step 0: Identify the Hash Type

Before you crack anything, you need to know what you're looking at. Different hash functions produce different lengths and formats:

5f4dcc3b5aa765d61d8327deb882cf99            → MD5 (32 hex chars)
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8    → SHA1 (40 hex chars)
aad3b435b51404eeaad3b435b51404ee:31d6...    → NTLM (LM:NT format)
$6$rounds=5000$...                          → sha512crypt (Linux shadow)
$krb5tgs$23$*user*...*                      → Kerberoast TGS-REP
$krb5asrep$23$user@domain...                → AS-REP Roast hash
$NETNTLMv2$...                              → NetNTLMv2 (Responder capture)

Use a hash identification tool when you're not sure:

hashid <hash>
# or
hash-identifier
# or paste at https://hashes.com/en/tools/hash_identifier

These tools aren't perfect but they narrow it down. When in doubt, check the context — a hash from secretsdump output is almost certainly NTLM (mode 1000). A hash from a Linux /etc/shadow file starting with $6$ is sha512crypt (mode 1800).


Hash Mode Reference

You need to tell Hashcat which mode to use with -m. These are the ones you'll actually encounter:

Mode    Hash Type            Where it comes from
0       MD5                  Web apps, older systems
100     SHA1                 Web apps, git
1400    SHA-256              Modern web apps
1000    NTLM                 Windows SAM, secretsdump output
5600    NetNTLMv2            Responder captures, MSSQL hash theft
5500    NetNTLMv1            Older Windows
13100   Kerberoast TGS-REP   impacket-GetUserSPNs -request output
18200   AS-REP Roast         impacket-GetNPUsers output
1800    sha512crypt          Linux /etc/shadow ($6$)
500     md5crypt             Older Linux /etc/shadow ($1$)
3200    bcrypt               Modern web apps, some Linux ($2y$)
400     WordPress (phpass)   WordPress password hashes
2100    DCC2/mscash2         Cached Windows domain credentials
22000   WPA2                 WiFi captures



Core Syntax

hashcat -m <mode> -a <attack_mode> <hash_file> <wordlist_or_mask>

The attack mode (-a) determines how Hashcat generates candidates:

-a   Mode               Description
0    Dictionary         Try each word in a wordlist
1    Combinator         Combine two wordlists
3    Brute force/Mask   Try all combinations matching a pattern
6    Hybrid             Wordlist + mask appended
7    Hybrid             Mask prepended + wordlist

Dictionary attack (-a 0) is where you start every time. Fall back to others if rockyou doesn't crack it.


The Standard Cracking Workflow

Follow this order for every hash you try to crack. Start cheap and fast, escalate to slow and thorough.

Step 1 — Dictionary attack with rockyou

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

rockyou.txt is 14 million passwords from a real breach. It cracks a significant percentage of weak passwords in seconds. Always start here.

Step 2 — Dictionary + best64 rules

If step 1 misses, apply mutation rules. Rules tell Hashcat to transform each word in the list — capitalize it, append numbers, substitute characters — massively expanding coverage without a larger wordlist:

hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

best64.rule applies 64 common transformations: Password becomes Password1, Password!, passw0rd, P@ssword, and many more. This catches the "I made it complex by adding a 1 and a !" crowd.

Step 3 — Larger rules

If best64 still misses:

hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

These are more aggressive mutation sets that cover more edge cases. Slower but thorough.

Step 4 — Mask attack for known patterns

If the password follows a predictable pattern — a capital letter, 5 lowercase letters, 2 digits — use a mask:

# ?u=uppercase ?l=lowercase ?d=digit ?s=special ?a=all
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?d?d

# 8-char all-lowercase
hashcat -m 1000 -a 3 hashes.txt ?l?l?l?l?l?l?l?l

# Uppercase + 5 lowercase + digit + special
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?d?s

Masks are effective when you know something about the password policy — minimum length, required character types — but you don't have the password in a wordlist.

Step 5 — Custom OSINT wordlist

If nothing generic works and you know something about the target:

hashcat --force base.list -r custom.rule --stdout | sort -u > targeted.list
hashcat -m 1000 -a 0 hashes.txt targeted.list

Base the wordlist on the target: company name, city, pet names from their social media, sports teams, birthdays. This is a targeted attack against a specific person.
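To make the "hash the candidate and compare" idea from the concept section and the cheap-to-expensive order of this workflow concrete, here is an added Python example (not hashcat's code and not from this post). It builds a constructed three-hash MD5 file (mode 0; md5("password") is the digest shown in Step 0), a stand-in wordlist, and a handful of constructed rules written in hashcat's rule syntax, then runs dictionary, dictionary+rules and mask stages in this post's order and records which stage recovered each hash. The rule list, wordlist and the two other plaintexts are all assumptions made up for the demo.

```python
import hashlib
import itertools

def md5_hex(candidate: str) -> str:  # hashcat mode 0: hash the candidate exactly as the target did
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()

SAMPLE_HASHES = {md5_hex(p) for p in ("password", "Summer2023!", "ab12")}  # constructed hash file
WORDLIST = ["letmein", "summer", "password", "welcome"]  # stand-in for rockyou.txt
RULES = [":", "l", "c", "c $1", "c $!", "$1 $2 $3", "sa@", "so0", "c $2 $0 $2 $3 $!"]  # hashcat rule syntax

def apply_rule(word: str, rule: str) -> str:
    """Interpret a subset of the rule language: ':' no-op, l/c case, $X append, sXY substitute."""
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == "l": word = word.lower()
        elif op == "c": word = word.capitalize()
        elif op == "$": word = word + arg
        elif op == "s": word = word.replace(arg[0], arg[1])
    return word

CHARSETS = {"u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "l": "abcdefghijklmnopqrstuvwxyz",
            "d": "0123456789", "s": "!@#$%^&*()-_+="}
def mask_candidates(mask: str):
    """Expand a hashcat mask such as ?u?l?l?l?l?d?d into every matching string (-a 3)."""
    sets = [CHARSETS[c] for c in mask.split("?")[1:]]  # "?l?d".split("?") -> ["", "l", "d"]
    for combo in itertools.product(*sets):
        yield "".join(combo)

def crack(hashes: set, candidates) -> dict:
    """Hash each candidate with the same function and compare; stop once every target falls."""
    found, remaining = {}, set(hashes)
    for cand in candidates:
        if not remaining:
            break
        digest = md5_hex(cand)
        if digest in remaining:
            remaining.remove(digest)
            found[digest] = cand
    return found

def workflow(hashes: set, wordlist: list, mask: str) -> dict:
    """Cheap-to-expensive escalation: dictionary, then dictionary+rules, then a mask attack."""
    stages = [("dictionary", iter(wordlist)),
              ("dictionary+rules", (apply_rule(w, r) for w in wordlist for r in RULES)),
              ("mask " + mask, mask_candidates(mask))]
    cracked = {}  # digest -> (plaintext, stage that recovered it)
    for stage, cands in stages:
        for digest, plain in crack(set(hashes) - set(cracked), cands).items():
            cracked[digest] = (plain, stage)
    return cracked
```

Running workflow(SAMPLE_HASHES, WORDLIST, "?l?l?d?d") shows each hash falling to the cheapest stage that covers it: the dictionary alone gets "password", the rules get "Summer2023!", and only the mask gets "ab12".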


Cracking Windows NTLM Hashes

This is your most common use case after a SAM dump or secretsdump run.

NTLM hashes from secretsdump look like this:

administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

The format is username:RID:LM_hash:NT_hash:::. The NT hash is the fourth field — that's what you crack.

Extract just the NT hashes:

cut -d ':' -f 4 secretsdump_output.txt > nthashes.txt

Crack them:

hashcat -m 1000 -a 0 nthashes.txt rockyou.txt
hashcat -m 1000 -a 0 nthashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

If your hash file has the full username:hash format from some tools, use --username to skip the username prefix:

hashcat -m 1000 --username nthashes.txt rockyou.txt

Cracking NetNTLMv2 (Responder Captures)

When Responder captures authentication traffic or you trigger hash theft via MSSQL's xp_dirtree, you get NetNTLMv2 hashes. These are cracked with mode 5600:

hashcat -m 5600 -a 0 netntlmv2.txt rockyou.txt
hashcat -m 5600 -a 0 netntlmv2.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

NetNTLMv2 is harder to crack than plain NTLM because of the challenge-response structure, but rockyou + rules catches weak passwords reliably.


Cracking Kerberoast TGS Tickets

After running impacket-GetUserSPNs with -request, you get TGS-REP hashes starting with $krb5tgs$23$*. Mode 13100:

hashcat -m 13100 -a 0 kerberoast.txt rockyou.txt
hashcat -m 13100 -a 0 kerberoast.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Service accounts often have weak or never-changed passwords set years ago. These crack surprisingly often.


Cracking AS-REP Roast Hashes

After running impacket-GetNPUsers against accounts with pre-auth disabled, you get AS-REP hashes starting with $krb5asrep$23$. Mode 18200:

hashcat -m 18200 -a 0 asrep.txt rockyou.txt
hashcat -m 18200 -a 0 asrep.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Cracking Linux Shadow File Hashes

After privilege escalation on Linux and reading /etc/shadow:

# SHA-512 Linux shadow ($6$)
hashcat -m 1800 -a 0 shadow.txt rockyou.txt

# MD5 Linux shadow ($1$)
hashcat -m 500 -a 0 shadow.txt rockyou.txt

Linux shadow hashes are slow to crack due to key stretching. Let it run and use aggressive rules.


Performance Flags

VM environment

If you're running Hashcat in a VM without GPU passthrough:

hashcat -m 1000 --force hashes.txt rockyou.txt

--force bypasses the GPU warning. Cracking will be CPU-only and slower, but it works.

Workload profile

hashcat -m 1000 -w 3 hashes.txt rockyou.txt    # High performance
hashcat -m 1000 -w 4 hashes.txt rockyou.txt    # Maximum (may cause system slowdown)

-w 3 is the sweet spot on a dedicated cracking machine.

Optimized kernels

hashcat -m 1000 -O hashes.txt rockyou.txt

-O enables optimized kernels — faster but limits password length to 32 characters. Fine for most real-world passwords.


Checking Results

Show already-cracked hashes

hashcat -m 1000 hashes.txt --show

Hashcat stores all previously cracked hashes in a potfile (~/.hashcat/hashcat.potfile). --show reads from it without re-running the attack. Check this first before launching a new crack session — it might already be cracked.

Force a re-run (ignore potfile)

hashcat -m 1000 hashes.txt rockyou.txt --force --potfile-disable

Quick Reference

# Identify hash type
hashid <hash>

# NTLM — dictionary
hashcat -m 1000 -a 0 hashes.txt rockyou.txt

# NTLM — dictionary + rules
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# NTLM — mask attack
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?d?d

# NetNTLMv2 (Responder)
hashcat -m 5600 -a 0 netntlmv2.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Kerberoast TGS
hashcat -m 13100 -a 0 kerberoast.txt rockyou.txt

# AS-REP Roast
hashcat -m 18200 -a 0 asrep.txt rockyou.txt

# Linux sha512crypt shadow
hashcat -m 1800 -a 0 shadow.txt rockyou.txt

# Extract NT hashes from secretsdump output
cut -d ':' -f 4 secretsdump.txt > nthashes.txt

# Show cracked results
hashcat -m 1000 hashes.txt --show

# VM mode (CPU only)
hashcat -m 1000 --force hashes.txt rockyou.txt

# High performance + optimized kernels
hashcat -m 1000 -w 3 -O hashes.txt rockyou.txt

What's Next

Hashcat handles hashes. Post 10 (John the Ripper) handles password-protected files — zip archives, SSH private keys, Office documents, PDFs — by converting them to crackable hash format first. John's *2john converter collection is what makes it indispensable alongside Hashcat rather than a replacement for it.

MeshForge — Training the Community's Red Team

They count on your ignorance. The exploit only works on the uninformed.
