Learn How To Crack Passwords With Hashcat


This tutorial shows you how to install Hashcat and crack any password hashed with MD5, MD4, SHA1, SHA3 and other hash functions, with examples and practice questions.


Hashcat claims to be the world’s fastest CPU and GPU password “recovery” tool. It is cross-platform, and available on Windows, macOS and Linux.

It supports a large variety of hashing algorithms, including LM hash, NT hash, MD4, MD5, SHA-1 and SHA-2, and many more. (Currently, it supports 237 different hash types.)

The Basics

There are 4 arguments in the command used to crack the password. Below is the breakdown of the command.



.\hashcat -m 0 -a 0 .\crackme.txt .\rockyou.txt

  • -m (or --hash-type)
    1. Selects the hash type, for example MD5, SHA1, etc.
    2. In the example, we will use “-m 0”, which is for MD5.
  • -a (or --attack-mode)
    1. Tells Hashcat how to crack passwords.
    2. For example, using a dictionary of words, or brute-force, or the famous combination attack.
    3. In the example, we will use “-a 0” to use a dictionary attack.
  • [filename]
    1. Specifies the location of the file containing the hash(es) you intend to crack.
    2. In the example, I have used “.\crackme.txt”.
  • [dictionary | mask | directory]
    1. Specifies the dictionary (wordlist), mask, or directory to be used.
    2. In the example, we will use “.\rockyou.txt”.

Installation and Setup

Visit the website: https://hashcat.net/hashcat/

Of the two zip files offered, download the binary version and extract it.

Run cmd and cd to the directory where Hashcat was extracted. To copy the path, refer to the picture below.


When you are in the correct directory, type the command to execute the hashcat.exe file. You will see the boilerplate of the command, which is used as described below.

Command boilerplate

Create a new text document inside the hashcat folder to store your hashed passwords; in my case it is .\crackme.txt. Below is the list of test hashes that you can copy.













NOTE: Add at least 5 hashes to test with at a time. If not done, Hashcat ignores them and gives you a message that it is exhausted.

You can also generate your own hashes here: https://passwordsgenerator.net/md5-hash-generator/

Now create a dictionary file. Hashcat ships with a pre-made dictionary called example (a DICT file); either use that or create your own dictionary files.

You can find one here: https://www.scrapmaker.com/data/wordlists/dictionaries/rockyou.txt

The Final Command

Open cmd and make sure you are in the correct directory.

To see the different attack modes and hashing algorithms supported by Hashcat, type the following command and it will give you a list of information.

Information from hashcat --help

Wide Range of Hash Algorithms

Here we are using a dictionary attack (-a 0) on MD5 hashes (-m 0).

Snippet from Windows cmd

Some of the cracked hashed passwords.

A brilliant built-in feature of Hashcat is that it appends all the cracked passwords to a potfile, which you can see in the directory.
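As an added example (not from the original article or from the Hashcat project), the Python code below reads potfile text in Hashcat's hash:plain line format and reports which hashes from the test list have been recovered and which remain. The function names and the sample data are constructed for illustration, and the parser assumes MD5 (-m 0) entries only.

```python
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
HEX_RE = re.compile(r"^\$HEX\[((?:[0-9a-fA-F]{2})*)\]$")

def parse_potfile(text):
    """Return {md5_hex: plain} from potfile lines of the form hash:plain."""
    found = {}
    for line in text.splitlines():
        # An MD5 digest contains no ':', so the first ':' separates hash and
        # plain; anything after it belongs to the plain.
        digest, sep, plain = line.partition(":")
        digest = digest.strip().lower()
        if not sep or not MD5_RE.match(digest):
            continue  # entry from another hash mode, or a damaged line
        m = HEX_RE.match(plain)
        if m:  # plains with non-printable or non-ASCII bytes are hex-encoded
            plain = bytes.fromhex(m.group(1)).decode("utf-8", "replace")
        found[digest] = plain
    return found

def audit(hash_list_text, potfile_text):
    """Split the hash list into (recovered, remaining), keeping file order."""
    found = parse_potfile(potfile_text)
    targets = []
    for line in hash_list_text.splitlines():
        h = line.strip().lower()
        if MD5_RE.match(h) and h not in targets:  # skip blanks and duplicates
            targets.append(h)
    recovered = {h: found[h] for h in targets if h in found}
    remaining = [h for h in targets if h not in found]
    return recovered, remaining

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

# Constructed sample data (not from the article): three hashes, two recovered.
UMLAUT = "p\u00e4ssword"  # non-ASCII plain, stored as $HEX[...] in the potfile
SAMPLE_HASHES = "\n".join(
    [md5_hex("password"), md5_hex(UMLAUT).upper(), md5_hex("Xq7#unlisted")]) + "\n"
SAMPLE_POTFILE = (
    md5_hex("password") + ":password\n"
    + md5_hex(UMLAUT) + ":$HEX[" + UMLAUT.encode("utf-8").hex() + "]\n")

if __name__ == "__main__":
    recovered, remaining = audit(SAMPLE_HASHES, SAMPLE_POTFILE)
    print(f"recovered {len(recovered)} of {len(recovered) + len(remaining)}")
    for h in remaining:
        print("not recovered:", h)
```

Hashes left in the remaining list are the ones the chosen wordlist did not cover.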

Comment the actual passwords of the remaining hashes used in the test example.

If you want more tutorials with combinator attacks and brute-force attacks let me know in the comments.
