Hashcat is an open-source, GPU-accelerated password recovery tool that takes hashed credentials and attempts to recover the plaintext through dictionary, brute-force, rule-based, and hybrid attacks. It is the leading tool of its type and is used routinely on penetration tests to evaluate the strength of password policies and to test recovered hashes against the same wordlists attackers use.
How Hashcat works
Given a list of hashes and an attack specification, Hashcat generates candidate plaintexts, hashes each candidate, and compares the result against the targets. When a candidate matches, the plaintext is recovered. GPU acceleration moves the heavy hashing work onto graphics cards, which can perform billions of operations per second for fast hash algorithms (NTLM, MD5) and millions per second for slow ones (bcrypt, Argon2).
Supported hash types
Hashcat supports several hundred hash algorithms, including NTLM and NetNTLMv2 (Windows), bcrypt, scrypt, Argon2, PBKDF2, the SHA-1 and SHA-2 families, MD5, Cisco IOS hashes, JWT signing keys, password manager vaults, and encrypted file formats such as Office documents, PDFs, and KeePass databases. The full list is in the official Hashcat documentation.
Attack modes
Dictionary attack (-a 0) tries each word in a wordlist as the candidate.
Brute-force (-a 3) walks through every combination matching a mask such as ?u?l?l?l?l?d?d.
Rule-based attack (-a 0 with -r) applies transformations to each dictionary word (capitalising, appending digits, leet-speak substitutions) to multiply coverage without explicitly listing every variant.
Hybrid attack (-a 6 or -a 7) combines a dictionary with a brute-force mask, useful for “word + four digits” patterns.
Use in penetration testing
Testers commonly recover NTLM hashes from a compromised Active Directory environment (via tools such as secretsdump or DCSync) and run Hashcat against them to measure how many passwords can be cracked, how quickly, and which patterns recur. The results inform recommendations about password policy length, dictionary screening, and the case for moving to multi-factor authentication. The same approach applies to web application hashes, archive files, and document encryption.
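The pattern analysis that feeds those recommendations can be scripted. The following is an added example, not part of the original page or of Hashcat itself: it summarises a set of recovered passwords by their shape in Hashcat mask notation and counts the "word + four digits" pattern. The sample passwords are constructed, and the function names and the 12-character threshold are assumptions.

```python
import re
import string
from collections import Counter

# Constructed sample of recovered plaintexts for illustration (not real credentials).
SAMPLE_RECOVERED = [
    "Summer2024", "Winter2023", "Password1", "Spring2024",
    "Hello12", "qwerty123", "Welcome1!", "Autumn2022",
]

# Hashcat built-in charsets: ?u upper, ?l lower, ?d digit, ?s space and punctuation.
CHARSETS = [
    ("?u", string.ascii_uppercase),
    ("?l", string.ascii_lowercase),
    ("?d", string.digits),
    ("?s", " " + string.punctuation),
]

WORD_PLUS_FOUR = re.compile(r"[A-Za-z]+[0-9]{4}")


def to_mask(password: str) -> str:
    """Describe a password's shape in Hashcat mask notation."""
    parts = []
    for ch in password:
        token = next((t for t, chars in CHARSETS if ch in chars), None)
        # Anything outside printable ASCII becomes one ?b per UTF-8 byte.
        parts.append(token or "?b" * len(ch.encode("utf-8")))
    return "".join(parts)


def audit(passwords, min_length=12, top=3):
    """Summarise recurring shapes in a set of recovered passwords.

    min_length is an assumed policy threshold; set it to the policy under review.
    """
    masks = Counter(to_mask(p) for p in passwords)
    return {
        "total": len(passwords),
        "top_masks": masks.most_common(top),
        "word_plus_four_digits": sum(1 for p in passwords if WORD_PLUS_FOUR.fullmatch(p)),
        "shorter_than_policy": sum(1 for p in passwords if len(p) < min_length),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RECOVERED).items():
        print(f"{key}: {value}")
```

A single mask covering a large share of the recovered set is the kind of recurring pattern that supports a recommendation for dictionary screening or a longer minimum length.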
Related terms
See also: John the Ripper, brute force attack, and Kali Linux.




