
How to Use Hashcat in Pentesting in 2026

Introduction

Hashcat is a powerful open-source tool for recovering passwords from cryptographic hashes, used in pentesting to evaluate password strength. In 2026, with advanced GPU support (NVIDIA/AMD), it excels at brute-force, dictionary, and mask attacks. Important: this tool is strictly for legal uses like testing your own systems, authorized audits, or personal password recovery. Cracking without permission is illegal. This beginner tutorial guides you from installation to basic attacks, with concrete examples on Linux. You'll learn to generate test hashes and crack them in minutes, simulating real security scenarios. Prepare your GPU for optimal performance!

Prerequisites

  • Linux system (Ubuntu 24.04+ recommended) or Windows with WSL2
  • NVIDIA/AMD GPU with CUDA/ROCm drivers installed
  • Basic terminal knowledge
  • Disk space: 1 GB for Hashcat and wordlists
  • Ethics: Use only on your own hashes or with written authorization

Install Hashcat

install-hashcat.sh
#!/bin/bash
# Update the system
sudo apt update && sudo apt upgrade -y

# Install GPU dependencies (for NVIDIA CUDA)
sudo apt install -y nvidia-cuda-toolkit

# Install Hashcat from official repositories
sudo apt install -y hashcat

# Verify installation
hashcat --version
hashcat --benchmark

This script installs Hashcat and its GPU dependencies in one go. The benchmark tests your hardware: expect MH/s (millions of hashes per second) on GPU. Avoid unofficial binaries for security.

Prepare Test Hashes

Before cracking, create simple MD5 hashes for testing. We'll use 'password' (hash: 5f4dcc3b5aa765d61d8327deb882cf99) and '123456' (hash: e10adc3949ba59abbe56e057f20f883e). These examples mimic compromised databases.

Generate Hashes File

generate-hashes.sh
#!/bin/bash
echo -e "user1:5f4dcc3b5aa765d61d8327deb882cf99\nuser2:e10adc3949ba59abbe56e057f20f883e" > hashes.txt

# Verify the file
echo "Hashes generated:"
cat hashes.txt

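# Identify Hashcat mode (MD5); -i because the mode names are mixed case
hashcat --example-hashes | grep -i md5

This script creates a 'hashes.txt' file in user:hash format. Hashcat reads that layout only when run with --username; without it, the lines are rejected while loading. Use MD5 (-m 0) for these simple tests. Pitfall: always specify the correct mode (-m); with the wrong one, Hashcat rejects the hashes or runs without recovering anything.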
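The script above writes precomputed digests. As an added example (not part of the original tutorial), the helper below derives the same user:hash lines from plaintext test passwords of your own choosing; the function names make_hash_line and build_test_file are hypothetical, and md5sum/sha1sum from coreutils are assumed to be installed.

```shell
#!/bin/sh
# make_hash_line USER PASSWORD [md5|sha1] -> prints "user:hexdigest"
make_hash_line() {
    case ${3:-md5} in
        md5)  tool=md5sum ;;     # matches hashcat -m 0
        sha1) tool=sha1sum ;;    # matches hashcat -m 100
        *)    echo "unsupported algorithm: $3" >&2; return 1 ;;
    esac
    # printf '%s' writes the password with no trailing newline. `echo` would
    # append one and hash "password\n", a digest that no wordlist entry matches.
    digest=$(printf '%s' "$2" | "$tool" | cut -d' ' -f1)
    printf '%s:%s\n' "$1" "$digest"
}

# build_test_file OUTFILE: constructed lab accounts using the page's two passwords
build_test_file() {
    {
        make_hash_line user1 password
        make_hash_line user2 123456
    } > "$1"
}

# Prints the same line the tutorial stores for user1
make_hash_line user1 password
```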

Brute-Force Attack

bruteforce.sh
#!/bin/bash
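# --force is left out: it only suppresses hashcat's warnings
hashcat -m 0 -a 3 --username hashes.txt '?a?a?a?a?a?a'

# Explanation of options:
# -m 0: MD5
# -a 3: Brute-force (mask)
# --username: skip the 'user:' prefix on each line of hashes.txt
# ?a?a?a?a?a?a: 6 printable ASCII characters (?a = a-z, A-Z, 0-9 and symbols)

# Expected result: '123456' is recovered; 'password' (8 chars) needs a longer mask

The brute-force attack tests every combination of 6 characters from the ?a set. For 'password' (8 chars), adjust to '?a?a?a?a?a?a?a?a'. Use GPU with -O for optimization (optimized kernels, which also cap the maximum password length); monitor VRAM to avoid crashes.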
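How much work the step from a 6-position to an 8-position ?a mask adds is easier to see with numbers. The following is an added example, not part of the original tutorial: it counts the candidates a mask generates from the sizes of Hashcat's built-in charsets. The function names and the RATE value are assumptions; replace RATE with the figure from your own hashcat --benchmark run.

```shell
#!/bin/sh
# mask_candidates MASK [increment]
# Prints how many candidates a hashcat mask generates. With "increment" as the
# second argument it sums every prefix length, as --increment tries them in turn.
mask_candidates() {
    rest=$1 total=1 sum=0
    while [ -n "$rest" ]; do
        tail=${rest#?}; c=${rest%"$tail"}; rest=$tail
        n=1                                   # literal character: one choice
        if [ "$c" = "?" ]; then
            tail=${rest#?}; cls=${rest%"$tail"}; rest=$tail
            case $cls in
                l|u) n=26 ;;                  # lower / upper case letters
                d)   n=10 ;;                  # digits
                h|H) n=16 ;;                  # hex digits
                s)   n=33 ;;                  # space and punctuation
                a)   n=95 ;;                  # ?l?u?d?s combined
                b)   n=256 ;;                 # any byte
                '?') n=1 ;;                   # ?? is a literal question mark
                *)   echo "unsupported mask token: ?$cls" >&2; return 1 ;;
            esac
        fi
        total=$((total * n))
        sum=$((sum + total))
    done
    if [ "${2:-}" = "increment" ]; then echo "$sum"; else echo "$total"; fi
}

# eta_seconds CANDIDATES RATE: worst-case seconds at RATE hashes per second
eta_seconds() { echo $(( ($1 + $2 - 1) / $2 )); }

RATE=10000000000   # constructed example rate, not a measurement
for m in '?d?d?d?d' '?a?a?a?a?a?a' '?a?a?a?a?a?a?a?a'; do
    n=$(mask_candidates "$m")
    echo "$m: $n candidates, up to $(eta_seconds "$n" "$RATE") s"
done
```

Each extra ?a position multiplies the work by 95, which is why password length is the property a policy should push on.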

Dictionary Attacks

Dictionaries are faster than brute-force. RockYou is a standard with 14M leaked passwords.

Download Wordlist and Crack

dictionary-attack.sh
#!/bin/bash
# Download rockyou (famous wordlist)
wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt -O rockyou.txt

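# Dictionary attack on MD5 (--username: hashes.txt lines are user:hash)
hashcat -m 0 --username hashes.txt rockyou.txt -O

# Show results
hashcat -m 0 --username hashes.txt rockyou.txt --show

rockyou.txt contains common leaked passwords. -O enables optimized GPU kernels. --show lists successful cracks; with --username each line reads user:hash:password, for example 'user1:5f4dcc3b5aa765d61d8327deb882cf99:password'. Pitfall: compressed wordlists (.gz) need gunzip first.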
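For an audit report, the useful result of --show is which accounts fell and how long their passwords were, not the passwords themselves. The following is an added example, not part of the original tutorial: it reduces saved --username --show output (user:hash:password lines) to such a summary. The function names and the sample data, including the all-zero hash for user3, are constructed for illustration.

```shell
#!/bin/sh
# audit_summary HASHFILE SHOWFILE
#   HASHFILE: the user:hash list given to hashcat
#   SHOWFILE: saved output of `hashcat ... --username --show`
# Prints one line per account plus a total, never the password itself.
audit_summary() {
    awk -F: '
        FILENAME == ARGV[1] {
            # Everything after the second colon is the password (it may contain ":").
            plain = substr($0, length($1) + length($2) + 3)
            n = length(plain)
            # Some plaintexts are written as $HEX[..]: two hex digits per byte.
            if (plain ~ /^\$HEX\[[0-9a-fA-F]*\]$/) n = (n - 6) / 2
            len[$1] = n
            next
        }
        {
            total++
            if ($1 in len) { cracked++; printf "%s cracked length=%d\n", $1, len[$1] }
            else           { printf "%s not-cracked\n", $1 }
        }
        END { printf "cracked %d/%d\n", cracked, total }
    ' "$2" "$1"
}

# demo_audit: runs the summary over constructed lab data
demo_audit() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'user1:5f4dcc3b5aa765d61d8327deb882cf99' \
        'user2:e10adc3949ba59abbe56e057f20f883e' \
        'user3:00000000000000000000000000000000' > "$dir/hashes.txt"
    printf '%s\n' \
        'user1:5f4dcc3b5aa765d61d8327deb882cf99:password' \
        'user2:e10adc3949ba59abbe56e057f20f883e:123456' > "$dir/show.txt"
    audit_summary "$dir/hashes.txt" "$dir/show.txt"
    rm -rf "$dir"
}

demo_audit
```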

Attack with Rules

rules-attack.sh
#!/bin/bash
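# Built-in Hashcat rules for variations (append/prepend digits)
# The apt package installs the rule files under /usr/share/hashcat/rules/
hashcat -m 0 --username hashes.txt rockyou.txt -r /usr/share/hashcat/rules/dive.rule -O

# Simple custom rule: append '123' ($X appends the character X)
echo '$1$2$3' > myrule.rule
hashcat -m 0 --username hashes.txt rockyou.txt -r myrule.rule

# Results
hashcat -m 0 --username hashes.txt --show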

Rules (-r) transform words (e.g., 'pass' -> 'pass123'). 'dive.rule' is great for beginners. Combine with GPU to scale; always test on known hashes.

Hybrid Mask Attack

hybrid-attack.sh
#!/bin/bash
# Hybrid: dictionary + mask (?d = digit); quote the mask so the shell does not glob '?'
hashcat -m 0 -a 6 --username hashes.txt rockyou.txt '?d?d?d' --increment

# Pure mask for 4-digit PIN
hashcat -m 0 -a 3 --username hashes.txt '?d?d?d?d' -O

# Real-time status
hashcat -m 0 -a 3 --username hashes.txt '?d?d?d?d' --status

-a 6 is the hybrid mode: each dictionary word followed by the mask. ?d?d?d appends 000-999; with --increment, shorter suffixes (one digit, then two) are tried first. Ideal for predictable passwords like 'qwerty123'.

Best Practices

  • Always ethical: Document authorization before any test.
  • Use GPU/CPU hybrid with --opencl-device-types 1,2.
  • Save sessions: start the run with --session=myattack, then resume it with hashcat --session=myattack --restore.
  • Test common hash modes (-m 0 MD5, 100 SHA1, 300 MySQL4.1/MySQL5).
  • Monitor GPU temperature with nvidia-smi.

Common Errors to Avoid

  • Forgetting GPU drivers: hashcat falls back to CPU-only (x100 slower); hashcat -I lists the devices it detected.
  • Wrong -m mode: check with hashcat --example-hashes.
  • Corrupted wordlist: test with hashcat --stdout wordlist.txt | head.
  • No output: use --show or -o cracked.txt.

Next Steps

Master advanced attacks (PRINCE attack, Combinator). Resources: Official Hashcat Docs, Hashcat Wiki. Pro training: Learni Group Pentesting. Try on CTFs like HackTheBox.