# Hashcat Cheatsheet

**MISC and tricks** \
`https://www.notsosecure.com/one-rule-to-rule-them-all/`\
\
`# MAX POWER`\
`# force the CUDA GPU interface, optimize for <32 char passwords and set the workload to insane (-w 4).`\
`# It is supposed to make the computer unusable during the cracking process`\
`# Finally, use both the GPU and CPU to handle the cracking`\
`--force -O -w 4 --opencl-device-types 1,2`

**Wrapcat - Automating hashcat commands** \
`https://twitter.com/Haax9_/status/1340354639464722434?s=20`\
`https://github.com/Haax9/Wrapcat`\
\
`$ python wrapcat.py -m 1000 -f HASH_FILE.txt -p POT_FILE.txt --full --save`\
\
\
**Attack modes** \
`-a 0 # Straight : hash dict`\
`-a 1 # Combination : hash dict dict`\
`-a 3 # Bruteforce : hash mask`\
`-a 6 # Hybrid wordlist + mask : hash dict mask`\
`-a 7 # Hybrid mask + wordlist : hash mask dict`\
\
\
**Charsets** \
`?l # Lowercase a-z`\
`?u # Uppercase A-Z`\
`?d # Decimals`\
`?h # Hex using lowercase chars`\
`?H # Hex using uppercase chars`\
`?s # Special chars`\
`?a # All (l,u,d,s)`\
`?b # Binary`\
\
\
**Options**\
`-m # Hash type`\
`-a # Attack mode`\
`-r # Rules file`\
`-V # Version`\
`--status # Keep screen updated`\
`-b # Benchmark`\
`--runtime # Abort after X seconds`\
`--session [text] # Set session name`\
`--restore # Restore/Resume session`\
`-o filename # Output to filename`\
`--username # Ignore username field in a hash`\
`--potfile-disable # Ignore potfile and do not write`\
`--potfile-path # Set a potfile path`\
`-d # Specify an OpenCL Device`\
`-D # Specify an OpenCL Device Type`\
`-I # List OpenCL Devices & Types`\
`-O # Optimized Kernel, Passwords <32 chars`\
`-i # Increment (bruteforce)`\
`--increment-min # Start increment at X chars`\
`--increment-max # Stop increment at X chars`\
\
\
**Examples** \
`# Benchmark MD4 hashes`\
`hashcat -b -m 900`\
\
`# Create a hashcat session to crack Kerberos 5 tickets using wordlist`\
`hashcat -m 13100 -a 0 --session crackin1 hashes.txt wordlist.txt -o output.pot`\
\
`# Crack MD5 hashes using all chars, incrementing up to 7 char passwords (-i)`\
`hashcat -m 0 -a 3 -i hashes.txt ?a?a?a?a?a?a?a -o output.pot`\
\
`# Crack SHA1 by using wordlist with 2 char at the end`\
`hashcat -m 100 -a 6 hashes.txt wordlist.txt ?a?a -o output.pot`\
\
`# Crack WinZip hash using mask (Summer2018!)`\
`hashcat -m 13600 -a 3 hashes.txt ?u?l?l?l?l?l?d?d?d?d! -o output.pot`\
\
`# Crack MD5 hashes using dictionary and rules`\
`hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule`\
\
`# Crack MD5 using combinator function with 2 dictionaries`\
`hashcat -a 1 -m 0 example0.hash example.dict example.dict`\
\
`# Cracking NTLM hashes`\
`hashcat64 -m 1000 -a 0 -w 4 --force --opencl-device-types 1,2 -O d:\hashsample.hash "d:\WORDLISTS\realuniq.lst" -r OneRuleToRuleThemAll.rule`\
\
`# Cracking hashes from kerberoasting`\
`hashcat64 -m 13100 -a 0 -w 4 --force --opencl-device-types 1,2 -O d:\krb5tgs.hash d:\WORDLISTS\realhuman_phill.txt -r OneRuleToRuleThemAll.rule`\
\
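`# You can use hashcat to perform combined attacks`\
`# For example by using wordlist + mask + rules`\
`# -r is only accepted with -a 0, so generate the wordlist + mask candidates with --stdout and pipe them in`\
`hashcat -a 6 --stdout prenoms.txt ?d?d?d?d | hashcat -a 0 -m 0 hashes.txt -r rules/yourule.rule`\
\
`# Single rule used to uppercase first letter --> Marie2018`\
`hashcat -a 6 -m 0 hashes.txt prenoms.txt ?d?d?d?d -j 'c'`\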
\
\
**Scenario - Cracking large files (eg NTDS.dit)** \
`# Start by making a specific potfile and cracked files (clean environment)`\
`# - domain_ntds.dit`\
`# - domain_ntds_potfile.pot`\
\
`# Goal is to run many different instances with different settings, so each one has`\
`# to be quite quick`\
\
`# You can generate wordlist using CeWL`\
`# It usually works pretty well`\
`cewl -d 5 -m 4 -w OUTFILE -v URL`\
`cewl -d 5 -m 4 -w OUTFILE -o -v URL`\
\
`# With some basic dictionary cracking (use known wordlists)`\
`# rockyou, hibp, crackstation, richelieu, kaonashi, french and english`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 rockyou.txt --force -O`\
\
`# Then start to use wordlists + masks + simple rule`\
`# For special chars, you can use a custom charset : "?!%$&#-_@+=* "`\
`# Multiple tests, multiple masks and multiple wordlists (including generated ones)`\
`.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* '?d?d?d?d' -j c --increment --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?1' -j c --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?d?1' -j c --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?d?d?1' -j c --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?d?d?d?1' -j c --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?d?d?d?d?1' -j c --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt -a 6 CEWL_WORDLIST.txt -1 .\charsets\custom.chr '?d?d?d?d?1' -j c --force -O`\
`.\hashcat64.exe ...`\
\
`# Same commands and behavior but using mask after the tested word (mode 7)`\
`.\hashcat64.exe -m 1000 hashs.txt -a 7 '?d?d?d?d' .\french\* -j c --increment --force -O`\
\
`# Then, wordlists + complex rules`\
`# Once again run against multiple wordlists (including generated ones)`\
`# Kaonashi and OneRuleToRuleThemAll can produce maaaaaassive cracking time`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 french.txt -r .rules\best64.rule --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 french.txt -r .rules\OneRuleToRuleThemAll.rule --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 french.txt -r .rules\best64.rule --force -O`\
`.\hashcat64.exe ...`\
\
`# Then smart bruteforce using masks (custom charset can be useful too)`\
`# Can be quite long, depending on the mask. Many little tests with different masks`\
`# Knowing for example that password is min 8 char long, only 8+ masks`\
`# Play by incrementing or decrementing char vs decimal (you can also use specific charset to reduce time)`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?d?d?d?d' --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?l?d?d?d' --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?l?l?d?d' --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 -1 .\charset\custom '?u?l?l?l?l?l?d?1' --force -O`\
`.\hashcat64.exe ...`\
\
`# Then increment mask size and play again`\
`# Can be longer for 9 char and above.. Up to you to decide which masks and how long you wanna wait`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?d?d?d?d?d' --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?l?d?d?d?d' --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?l?l?d?d?d' --force -O`\
`.\hashcat64.exe ...`\
\
`# If you have few hashes and small/medium wordlist, you can use random rules`\
`# And make several loops`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 wl.txt -g 1000000 --force -O -w 3`\
\
`# You can use combination attacks`\
`# For example, combine different names, or combine names with dates.. Then apply masks`\
`# Directly using hashcat`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 1 wordlist1.txt wordlist2.txt --force -O`\
`# Or in memory feeding, it allows you to use rules but not masks`\
`.\combinator.exe wordlist1.txt wordlist2.txt | .\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 -r .\rules\best64.rule --force -O`\
`# Or create the wordlist before and use it`\
`.\combinator.exe wordlist1.txt wordlist2.txt > combinedwordlist.txt`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 6 combinedwordlist.txt '?d?d?d?d' -j c --increment --force -O`\
\
`# Finally use your already cracked passwords to build a new wordlist`\
`.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot --show | %{$_.split(':')[1]} > cracked.txt`\
`.\hashcat64.exe -m 1000 hashs.txt -a 6 cracked.txt '?d?d?d?d' -j c --increment --force -O`\
`.\hashcat64.exe -m 1000 hashs.txt -a 0 cracked.txt -r .rules\OneRuleToRuleThemAll.rule --force -O`\
\
`# You can also check the target in popular leaks to find some passwords`\
`# Then try reuse or rules on them`
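
The mask steps in the scenario note that run time depends on the mask and leave the choice of masks to the reader. As an added example (not part of the original cheatsheet), this Python sketch counts the candidates a mask generates, using the sizes from the Charsets table, so a password policy can be weighed against a measured benchmark rate. The function names and the hash rate are assumptions; custom charsets are passed as the literal characters they contain, as in a `.chr` file.

```python
# Added example: candidate count for a hashcat mask (not code from the cheatsheet).
# Sizes follow the Charsets table; ?s is the 33 printable ASCII specials incl. space.
BUILTIN = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}


def position_sizes(mask, custom=None):
    """Number of possible characters at each position of the mask."""
    custom = custom or {}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)  # literal character, e.g. a trailing '!'
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)  # '??' is a literal question mark
        elif key in BUILTIN:
            sizes.append(BUILTIN[key])
        elif key in custom:
            # Assumption: custom charsets (-1 .. -4) are given as literal characters
            sizes.append(len(set(custom[key])))
        else:
            raise ValueError(f"unknown or undefined charset ?{key}")
        i += 2
    return sizes


def keyspace(mask, custom=None, increment=False):
    """Candidates for the full mask, or for every prefix length when increment is set."""
    total, running = 0, 1
    for size in position_sizes(mask, custom):
        running *= size
        total += running
    return total if increment else running


def worst_case_seconds(mask, hashes_per_second, custom=None, increment=False):
    """Time to exhaust the mask at a measured rate (take it from `hashcat -b`)."""
    return keyspace(mask, custom, increment) / hashes_per_second


if __name__ == "__main__":
    RATE = 10_000_000_000  # constructed figure, not a benchmark result
    CUSTOM = {"1": "?!%$&#-_@+=* "}  # custom charset quoted in the scenario
    for m in ("?u?l?l?l?d?d?d?d", "?u?l?l?l?l?l?d?1", "?u?l?l?l?l?d?d?d?d"):
        print(m, keyspace(m, CUSTOM), f"{worst_case_seconds(m, RATE, CUSTOM):.1f}s")
```

Each extra `?l` or `?d` multiplies the count by 26 or 10, which is why the 9-character masks in the scenario take so much longer than the 8-character ones.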

