hashcat

hashcat is the world’s fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.

Usage

Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

Options

Options Short / Long | Type | Description | Example ==============================+==+==================================================+===================== -m, —hash-type | Num | Hash-type, references below (otherwise autodetect) | -m 1000 -a, —attack-mode | Num | Attack-mode, see references below | -a 3 -V, —version | | Print version | -h, —help | | Print help. Use -hh to show all supported hash-modes | -h or -hh —quiet | | Suppress output | —hex-charset | | Assume charset is given in hex | —hex-salt | | Assume salt is given in hex | —hex-wordlist | | Assume words in wordlist are given in hex | —force | | Ignore warnings | —deprecated-check-disable | | Enable deprecated plugins | —status | | Enable automatic update of the status screen | —status-json | | Enable JSON format for status output | —status-timer | Num | Sets seconds between status screen updates to X | —status-timer=1 —stdin-timeout-abort | Num | Abort if there is no input from stdin for X seconds | —stdin-timeout-abort=300 —machine-readable | | Display the status view in a machine-readable format | —keep-guessing | | Keep guessing the hash after it has been cracked | —self-test-disable | | Disable self-test functionality on startup | —loopback | | Add new plains to induct directory | —markov-hcstat2 | File | Specify hcstat2 file to use | —markov-hcstat2=my.hcstat2 —markov-disable | | Disables markov-chains, emulates classic brute-force | —markov-classic | | Enables classic markov-chains, no per-position | —markov-inverse | | Enables inverse markov-chains, no per-position | -t, —markov-threshold | Num | Threshold X when to stop accepting new markov-chains | -t 50 —metal-compiler-runtime | Num | Abort Metal kernel build after X seconds of runtime | —metal-compiler-runtime=180 —runtime | Num | Abort session after X seconds of runtime | —runtime=10 —session | Str | Define specific session name | —session=mysession —restore | | Restore session from —session | —restore-disable | | Do not write restore file | —restore-file-path | File | Specific path to restore file | —restore-file-path=x.restore -o, —outfile | File | Define outfile for recovered hash | -o outfile.txt —outfile-format | Str | Outfile format to use, separated with commas | —outfile-format=1,3 —outfile-json | | Force JSON format in outfile format | —outfile-autohex-disable | | Disable the use of $H EX [] in o u tp u tpl ain s ∣ - - o u t f i l e - c h ec k - t im er ∣ N u m ∣ S e t sseco n d s b e tw ee n o u t f i l ec h ec k s t o X ∣ - - o u t f i l e - c h ec k - t im er = 30 - - w or d l i s t - a u t o h e x - d i s ab l e ∣∣ D i s ab l e t h eco n v ers i o n o f$ HEX[] from the wordlist | -p, —separator | Char | Separator char for hashlists and outfile | -p : —stdout | | Do not crack a hash, instead print candidates only | —show | | Compare hashlist with potfile; show cracked hashes | —left | | Compare hashlist with potfile; show uncracked hashes | —username | | Enable ignoring of usernames in hashfile | —dynamic-x | | Ignore $d y nami c_{X}$ prefix in hashes | —remove | | Enable removal of hashes once they are cracked | —remove-timer | Num | Update input hash file each X seconds | —remove-timer=30 —potfile-disable | | Do not write potfile | —potfile-path | File | Specific path to potfile | —potfile-path=my.pot —encoding-from | Code | Force internal wordlist encoding from X | —encoding-from=iso-8859-15 —encoding-to | Code | Force internal wordlist encoding to X | —encoding-to=utf-32le —debug-mode | Num | Defines the debug mode (hybrid only by using rules) | —debug-mode=4 —debug-file | File | Output file for debugging rules | —debug-file=good.log —induction-dir | Dir | Specify the induction directory to use for loopback | —induction=inducts —outfile-check-dir | Dir | Specify the directory to monitor 3rd party outfiles | —outfile-check-dir=x —logfile-disable | | Disable the logfile | —hccapx-message-pair | Num | Load only message pairs from hccapx matching X | —hccapx-message-pair=2 —nonce-error-corrections | Num | The BF size range to replace AP’s nonce last bytes | —nonce-error-corrections=16 —keyboard-layout-mapping | File | Keyboard layout mapping table for special hash-modes | —keyb=german.hckmap —truecrypt-keyfiles | File | Keyfiles to use, separated with commas | —truecrypt-keyf=x.png —veracrypt-keyfiles | File | Keyfiles to use, separated with commas | —veracrypt-keyf=x.txt —veracrypt-pim-start | Num | VeraCrypt personal iterations multiplier start | —veracrypt-pim-start=450 —veracrypt-pim-stop | Num | VeraCrypt personal iterations multiplier stop | —veracrypt-pim-stop=500 -b, —benchmark | | Run benchmark of selected hash-modes | —benchmark-all | | Run benchmark of all hash-modes (requires -b) | —benchmark-min | | Set benchmark min hash-mode (requires -b) | —benchmark-min=100 —benchmark-max | | Set benchmark max hash-mode (requires -b) | —benchmark-max=1000 —speed-only | | Return expected speed of the attack, then quit | —progress-only | | Return ideal progress step size and time to process | -c, —segment-size | Num | Sets size in MB to cache from the wordfile to X | -c 32 —bitmap-min | Num | Sets minimum bits allowed for bitmaps to X | —bitmap-min=24 —bitmap-max | Num | Sets maximum bits allowed for bitmaps to X | —bitmap-max=24 —bridge-parameter1 | Str | Sets the generic parameter 1 for a Bridge | —bridge-parameter2 | Str | Sets the generic parameter 2 for a Bridge | —bridge-parameter3 | Str | Sets the generic parameter 3 for a Bridge | —bridge-parameter4 | Str | Sets the generic parameter 4 for a Bridge | —cpu-affinity | Str | Locks to CPU devices, separated with commas | —cpu-affinity=1,2,3 —hook-threads | Num | Sets number of threads for a hook (per compute unit) | —hook-threads=8 -H, —hash-info | | Show information for each hash-mode | -H or -HH —example-hashes | | Alias of —hash-info | —backend-ignore-cuda | | Do not try to open CUDA interface on startup | —backend-ignore-hip | | Do not try to open HIP interface on startup | —backend-ignore-metal | | Do not try to open Metal interface on startup | —backend-ignore-opencl | | Do not try to open OpenCL interface on startup | -I, —backend-info | | Show system/environment/backend API info | -I or -II -d, —backend-devices | Str | Backend devices to use, separated with commas | -d 1 -Y, —backend-devices-virtmulti| Num | Spawn X virtual instances on a real device | -Y 8 -R, —backend-devices-virthost | Num | Sets the real device to create virtual instances | -R 1 —backend-devices-keepfree | Num | Keep specified percentage of device memory free | —backend-devices-keepfree=5 -D, —opencl-device-types | Str | OpenCL device-types to use, separated with commas | -D 1 -O, —optimized-kernel-enable | | Enable optimized kernels (limits password length) | -M, —multiply-accel-disable | | Disable multiply kernel-accel with processor count | -w, —workload-profile | Num | Enable a specific workload profile, see pool below | -w 3 -n, —kernel-accel | Num | Manual workload tuning, set outerloop step size to X | -n 64 -u, —kernel-loops | Num | Manual workload tuning, set innerloop step size to X | -u 256 -T, —kernel-threads | Num | Manual workload tuning, set thread count to X | -T 64 —backend-vector-width | Num | Manually override backend vector-width to X | —backend-vector-width=4 —spin-damp | Num | Use CPU for device synchronization, in percent | —spin-damp=10 —hwmon-disable | | Disable temperature and fanspeed reads and triggers | —hwmon-temp-abort | Num | Abort if temperature reaches X degrees Celsius | —hwmon-temp-abort=100 —scrypt-tmto | Num | Manually override TMTO value for scrypt to X | —scrypt-tmto=3 -s, —skip | Num | Skip X words from the start | -s 1000000 -l, —limit | Num | Limit X words from the start + skipped words | -l 1000000 —keyspace | | Show keyspace base:mod values and quit | —total-candidates | | Show total candidate count (base*mod) and quit | -j, —rule-left | Rule | Single rule applied to each word from left wordlist | -j ‘c’ -k, —rule-right | Rule | Single rule applied to each word from right wordlist | -k ’^-’ -r, —rules-file | File | Multiple rules applied to each word from wordlists | -r rules/best64.rule -g, —generate-rules | Num | Generate X random rules | -g 10000 —generate-rules-func-min | Num | Force min X functions per rule | —generate-rules-func-max | Num | Force max X functions per rule | —generate-rules-func-sel | Str | Pool of rule operators valid for random rule engine | —generate-rules-func-sel=ioTlc —generate-rules-seed | Num | Force RNG seed set to X | -1, —custom-charset1 | CS | User-defined charset ?1 | -1 ?l?d?u -2, —custom-charset2 | CS | User-defined charset ?2 | -2 ?l?d?s -3, —custom-charset3 | CS | User-defined charset ?3 | -4, —custom-charset4 | CS | User-defined charset ?4 | -5, —custom-charset5 | CS | User-defined charset ?5 | -6, —custom-charset6 | CS | User-defined charset ?6 | -7, —custom-charset7 | CS | User-defined charset ?7 | -8, —custom-charset8 | CS | User-defined charset ?8 | —identify | | Shows all supported algorithms for input hashes | —identify my.hash -i, —increment | | Enable mask increment mode | -ii,—increment-inverse | | Increment from right-to-left | —increment-min | Num | Start mask incrementing at X | —increment-min=4 —increment-max | Num | Stop mask incrementing at X | —increment-max=8 -S, —slow-candidates | | Enable slower (but advanced) candidate generators | —bypass-delay | Num | Seconds delay between checking bypass threshold | —bypass-delay=5 —bypass-threshold | Num | Minimum amount of founds to avoid being bypassed | —bypass-threshold=5 —brain-server | | Enable brain server | —brain-server-timer | Num | Update the brain server dump each X seconds (min:60) | —brain-server-timer=300 -z, —brain-client | | Enable brain client, activates -S | —brain-client-features | Num | Define brain client features, see below | —brain-client-features=3 —brain-host | Str | Brain server host (IP or domain) | —brain-host=127.0.0.1 —brain-port | Port | Brain server port | —brain-port=13743 —brain-password | Str | Brain server authentication password | —brain-password=bZfhCvGUSjRq —brain-session | Hex | Overrides automatically calculated brain session | —brain-session=0x2ae611db —brain-session-whitelist | Hex | Allow given sessions only, separated with commas | —brain-session-whitelist=0x2ae611db —color-cracked | | Enables color output for cracked hashes |

Hash Modes

Use -hh to show all supported Hash Modes

Outfile Formats

| Format

Attack Modes

| Mode

Built-in Charsets

? | Charset =+======= l | abcdefghijklmnopqrstuvwxyz [a-z] u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z] d | 0123456789 [0-9] h | 0123456789abcdef [0-9a-f] H | 0123456789ABCDEF [0-9A-F] s | !”#$%&’()*+,-./:;⇐>?@[]^_`{|}~ a | ?l?u?d?s b | 0x00 - 0xff

OpenCL Device Types

| Device Type

=+=========== 1 | CPU 2 | GPU 3 | FPGA, DSP, Co-Processor

Workload Profiles

| Performance | Runtime | Power Consumption | Desktop Impact

=+=========+=====+===============+=============== 1 | Low | 2 ms | Low | Minimal 2 | Default | 12 ms | Economic | Noticeable 3 | High | 96 ms | High | Unresponsive 4 | Nightmare | 480 ms | Insane | Headless

Basic Examples

Knowledge Base

Explorer

hashcat

hashcat

Usage

Options

Hash Modes

Outfile Formats

| Format

Attack Modes

| Mode

Built-in Charsets

OpenCL Device Types

| Device Type

Workload Profiles

| Performance | Runtime | Power Consumption | Desktop Impact

Basic Examples

Graph View

Table of Contents

Backlinks