Hashcat is the world’s fastest CPU-based password recovery tool.
While it's not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.
Current version is 0.44.
Hashcat was written somewhere in the middle of 2009. Yes, there were already close-to-perfect working tools supporting rule-based attacks, like “PasswordsPro” and “John The Ripper”. However, for some unknown reason, neither of them supported multi-threading. That was the only reason to write Hashcat: to make use of the multiple cores of modern CPUs.
Granted, that was not 100% correct. John the Ripper already supported MPI using a patch, but at that time it worked only for brute-force attacks. There was no MPI-capable solution available for cracking plain MD5 with rule-based attacks.
Hashcat, from its first version, v0.01, was called “atomcrack”. This version was very poor, but at least the MD5 kernel was written in assembler utilizing SSE2 instructions, and of course it was multi-threaded. It was a simple dictionary cracker, nothing more. But it was fast. Really fast. Some guys from the scene became interested in it, and after one week there were around 10 beta testers. Everything worked fine, and so the requested features were added: more algorithm types, a rule engine for mutating dictionaries, a Windows version and different attack modes. These developments took around half a year and were completely non-public.
Then, with version 0.29, “atomcrack” was renamed to “Dr. Hash”, and with the release of version 0.30 it was renamed to “hashcat”.
The first official hashcat release was v0.30, released on 24.12.2009.
Starting with hashcat release v0.40, released on 05.08.2012, binaries for Mac OS X were added.
```
hashcat, advanced password recovery

Usage: hashcat [options] hashfile [mask|wordfiles|directories]

=======
Options
=======

* General:

  -m,  --hash-type=NUM               Hash-type, see references below
  -a,  --attack-mode=NUM             Attack-mode, see references below
  -V,  --version                     Print version
  -h,  --help                        Print help
       --eula                        Print EULA
       --expire                      Print expiration date
       --quiet                       Suppress output

* Misc:

       --hex-salt                    Assume salt is given in hex
       --hex-charset                 Assume charset is given in hex

* Files:

  -p,  --seperator=CHAR              Define seperator char for hashlists/outfile
  -o,  --output-file=FILE            output-file for recovered hashes
       --output-format=NUM           0 = hash:pass
                                     1 = hash:hex_pass
                                     2 = hash:pass:hex_pass
       --remove                      Enable remove of hash once it is cracked
       --stdout                      stdout mode
       --disable-potfile             do not write potfile
       --debug-file=FILE             debug-file
       --debug-mode=NUM              1 = save finding rule (hybrid only)
                                     2 = save original word (hybrid only)
  -e,  --salt-file=FILE              salts-file for unsalted hashlists

* Resources:

  -c,  --segment-size=NUM            Size in MB to cache from the wordfile
  -n,  --threads=NUM                 number of threads
  -s,  --words-skip=NUM              skip number of words (for resume)
  -l,  --words-limit=NUM             limit number of words (for distributed)

* Rules:

  -r,  --rules-file=FILE             Rules-file use: -r 1.rule
  -g,  --generate-rules=NUM          Generate NUM random rules
       --generate-rules-func-min=NUM Force NUM functions per random rule min
       --generate-rules-func-max=NUM Force NUM functions per random rule max

* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets
  -2,  --custom-charset2=CS          Example:
  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef
  -4,  --custom-charset4=CS          Sets charset ?1 to 0123456789abcdef

* Toggle-Case attack-mode specific:

       --toggle-min=NUM              number of alphas in dictionary minimum
       --toggle-max=NUM              number of alphas in dictionary maximum

* Mask-attack attack-mode specific:

       --pw-min=NUM                  Password-length minimum
       --pw-max=NUM                  Password-length maximum

* Permutation attack-mode specific:

       --perm-min=NUM                Filter words shorter than NUM
       --perm-max=NUM                Filter words larger than NUM

* Table-Lookup attack-mode specific:

  -t,  --table-file=FILE             table file
       --table-min=NUM               number of chars in dictionary minimum
       --table-max=NUM               number of chars in dictionary maximum

==========
References
==========

* Built-in charsets:

  ?l = abcdefghijklmnopqrstuvwxyz
  ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  ?d = 0123456789
  ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  ?a = ?l?u?d?s
  ?h = 8 bit characters from 0xc0 - 0xff
  ?D = 8 bit characters from german alphabet
  ?F = 8 bit characters from french alphabet
  ?R = 8 bit characters from russian alphabet

* Attack modes:

    0 = Straight
    1 = Combination
    2 = Toggle-Case
    3 = Brute-force
    4 = Permutation
    5 = Table-Lookup

* Hash types:

     0 = MD5
    10 = md5($pass.$salt)
    20 = md5($salt.$pass)
    50 = HMAC-MD5 (key = $pass)
    60 = HMAC-MD5 (key = $salt)
   100 = SHA1
   110 = sha1($pass.$salt)
   120 = sha1($salt.$pass)
   150 = HMAC-SHA1 (key = $pass)
   160 = HMAC-SHA1 (key = $salt)
   200 = MySQL
   300 = MySQL4.1/MySQL5
   400 = phpass, MD5(Wordpress), MD5(phpBB3)
   500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
   800 = SHA-1(Django)
   900 = MD4
  1000 = NTLM
  1100 = Domain Cached Credentials, mscash
  1400 = SHA256
  1410 = sha256($pass.$salt)
  1420 = sha256($salt.$pass)
  1450 = HMAC-SHA256 (key = $pass)
  1460 = HMAC-SHA256 (key = $salt)
  1600 = md5apr1, MD5(APR), Apache MD5
  1700 = SHA512
  1710 = sha512($pass.$salt)
  1720 = sha512($salt.$pass)
  1750 = HMAC-SHA512 (key = $pass)
  1760 = HMAC-SHA512 (key = $salt)
  1800 = SHA-512(Unix)
  2600 = Double MD5
  3300 = MD5(Sun)
  3500 = md5(md5(md5($pass)))
  3610 = md5(md5($salt).$pass)
  3710 = md5($salt.md5($pass))
  3720 = md5($pass.md5($salt))
  3810 = md5($salt.$pass.$salt)
  3910 = md5(md5($pass).md5($salt))
  4010 = md5($salt.md5($salt.$pass))
  4110 = md5($salt.md5($pass.$salt))
  4210 = md5($username.0.$pass)
  4300 = md5(strtoupper(md5($pass)))
  4400 = md5(sha1($pass))
  4500 = sha1(sha1($pass))
  4600 = sha1(sha1(sha1($pass)))
  4700 = sha1(md5($pass))
  4800 = MD5(Chap)
  5000 = SHA-3(Keccak)
  5100 = Half MD5
  5200 = Password Safe SHA-256
  5300 = IKE-PSK MD5
  5400 = IKE-PSK SHA1
  5500 = NetNTLMv1
  5600 = NetNTLMv2

* Specific hash types:

   101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
   111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
   121 = SMF > v1.1
   122 = OS X v10.4, v10.5, v10.6
   131 = MSSQL
   141 = EPiServer 6.x
  1722 = OS X v10.7
  1731 = MSSQL 2012
  2611 = vBulletin < v3.8.5
  2711 = vBulletin > v3.8.5
  2811 = IPB2+, MyBB1.2+
  3721 = WebEdition CMS
```
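The built-in charsets and the `--custom-charset1=?dabcdef` example in the help output define how many candidates a mask describes, which is the figure a defender compares against a password policy. The following Python code is an added example, not part of hashcat or of the original page; the function names, the duplicate handling in `define_charset` and the guess rate of 1e8 per second are assumptions made for illustration.

```python
import math
import string

# Built-in charsets as listed in the help output. ?D, ?F and ?R are omitted
# because the page does not enumerate their characters.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation,  # !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (32 chars)
    "h": "".join(chr(c) for c in range(0xC0, 0x100)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def positions(spec, custom=None):
    """Split a mask or charset spec into one character set per position."""
    custom = custom or {}
    out, i = [], 0
    while i < len(spec):
        if spec[i] != "?":          # literal character
            out.append(spec[i])
            i += 1
            continue
        key = spec[i + 1:i + 2]     # "" when the '?' is the last character
        if key in BUILTIN:
            out.append(BUILTIN[key])
        elif key in custom:         # custom maps "1".."4" to resolved charsets
            out.append(custom[key])
        else:
            raise ValueError(f"unknown placeholder '?{key}' in {spec!r}")
        i += 2
    return out

def define_charset(spec):
    """Resolve a --custom-charsetN value; dropping duplicates is this example's choice."""
    return "".join(dict.fromkeys("".join(positions(spec))))

def keyspace(mask, custom=None):
    """Number of candidates a mask describes: product of per-position set sizes."""
    return math.prod(len(charset) for charset in positions(mask, custom))

def worst_case_hours(mask, guesses_per_second, custom=None):
    """Hours to exhaust the mask at an assumed, caller-supplied guess rate."""
    return keyspace(mask, custom) / guesses_per_second / 3600

if __name__ == "__main__":
    hexset = {"1": define_charset("?dabcdef")}   # ?1 = 0123456789abcdef
    # Constructed sample masks; 1e8 guesses/s is an assumed rate, not a benchmark.
    for mask in ("?d?d?d?d?d?d", "?1" * 8, "?u?l?l?l?l?l?d?d", "?a" * 8):
        print(mask, keyspace(mask, hexset), f"{worst_case_hours(mask, 1e8, hexset):.2f} h")
```
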
| Attribute | Value | Note |
|---|---|---|
| --version | false | |
| --help | false | |
| --eula | false | |
| --remove | false | |
| --quiet | false | |
| --disable-potfile | false | |
| --rules-file | NULL | |
| --outfile | NULL | |
| --outfile-format | 0 | |
| --salt-file | NULL | |
| --debug-file | NULL | |
| --debug-mode | 0 | |
| --seperator-char | : | |
| --threads | 8 | |
| --segment-size | 32 | |
| --words-skip | 0 | |
| --words-limit | 0 | |
| --generate-rules | 0 | |
| --generate-rules-func-min | 1 | |
| --generate-rules-func-max | 4 | |
| --attack-mode | 0 | |
| --hash-mode | 0 | |
| --toggle-min | 1 | |
| --toggle-max | 16 | |
| --pw-min | 1 | |
| --pw-max | 55 | |
| --perm-min | 2 | |
| --perm-max | 10 | |
| --table-min | 2 | |
| --table-max | 10 | |
| --table-file | NULL | |
NOTE: A value “0” or “NULL” can mean undefined, unlimited or all.
TBD Change supported algo list and values
| Hash-Type | minimum length | maximum length | Note |
|---|---|---|---|
| MD5 | 1 | ||
| md5($pass.$salt) | 1 | ||
| md5($salt.$pass) | 1 | ||
| HMAC-MD5 (key = $pass) | 1 | ||
| HMAC-MD5 (key = $salt) | 1 | ||
| SHA1 | 1 | ||
| nsldap, SHA-1(Base64), Netscape LDAP SHA | 1 | ||
| sha1($pass.$salt) | 1 | ||
| nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | 1 | ||
| Oracle 11G | 1 | ||
| MSSQL(2000) | 1 | ||
| MSSQL(2005) | 1 | ||
| MySQL > v4.1 | 1 | ||
| MD4 | 1 | ||
| md4($pass.$salt) | 1 | ||
| NTLM | 1 | ||
| Domain Cached Credentials, mscash | 1 | ||
| SHA256 | 1 | ||
| sha256 ($pass.$salt) | 1 | ||
| descrypt, DES(Unix), Traditional DES | 1 | ||
| SHA512 | 1 | ||
| sha512 ($pass.$salt) | 1 | ||
| Cisco-PIX MD5 | 1 | ||
| Double MD5 | 1 | ||
| vBulletin < v3.8.5 | 1 | ||
| vBulletin > v3.8.5 | 1 | ||
| IPB2+, MyBB1.2+ | 1 | ||
| LM | 1 | ||
| Oracle 7-10g, DES(Oracle) | 1 | ||
Please refer to the homepage for the latest benchmarks.