Select Page

Password cracking is one of the common ways to illegally hack into a person’s secure information. Therefore, a tool is needed to defend the same.

That is the reason why Hashcat was introduced. It is a password cracker app to check the strength of your password.

Alternatively, it is also called a password recovery tool.

Here you have everything you need to know about Hashcat, what it is, how it works, how to use it, and examples.


What is Hashcat? What Is Used For?

Hashcat is a popular and effective password cracker widely used by both penetration testers and system administrators, as well as criminals and spies.

Cracking passwords is different from guessing a web login password, which generally only allows a small amount of guessing before locking your account. 

Instead, someone who has gained access to a system with encrypted passwords (“hashes”) will often try to crack those hashes to recover those passwords.

Passwords are no longer stored in plain text. Instead, passwords are encrypted using a one-way function called a hash. Calculating a password like “Password1” into a hash is very fast. A brute force attack to reverse the hash function and recover the password might be computationally unfeasible.

Fortunately or unfortunately, depending on your point of view, none of us will likely live that long, but there are plenty of ways to reverse a hash to recover the original password without resorting to a probably unsuccessful brute-force attack.

Hashcat converts the readable data to a hazy state (this is a random string of fixed size). Hashes do not allow someone to decrypt data with a specific key, as standard encryption protocols do. 

Hashcat uses precomputed dictionaries, rainbow tables, and even brute force methods to find an effective and efficient way to crack passwords.

Hashcat can be used on Kali Linux and is pre-installed on the system. It has the following characteristics:

  • It is multithreaded. 
  • It is multi-hash and multi-OS (native Linux, Windows, and OSX binaries). 
  • It is based on multiple algorithms (MD4, MD5, SHA1, DCC, NTLM, MySQL, etc.). 
  • All attack modes can be expanded by specialized rules. 
  • It is possible to automatically resume or limit sessions. They recognize the hashes retrieved from the output file at startup. 
  • You can load the salt list from the external file. This can be used as a brute-force attack variant. 
  • The number of threads can be configured and run based on the lowest priority. 
  • Supports hex-charset and hex-salt files. 
  • The 90+ algorithms can be implemented with performance and optimization in mind.

Password cracking has many legitimate uses, in addition to the obvious criminal and spying ones. A system administrator may want to preemptively check the strength of user passwords. If hashcat can crack them, so can an attacker.

Interaction penetration testers will often find themselves cracking stolen password hashes to move laterally within a network, or to escalate privileges to an administrator user. 

Since penetration testers work to find security holes on purpose, under contract, so that their clients can improve their security, this is also a legitimate use case.

The bottom line is that both illegal attackers and legitimate defenders use hashcat. 

The best way to prevent an attacker from using hashcat against you is to test your defenses first to make sure such an attack is unsuccessful.


How to Crack/Decipher Hashes with Hashcat in 2023

The easiest way to crack a hash is to first try to guess the password. Each intent is hashed and then compared to the actual hash value to see if they are equal, but the process can be time-consuming.

Dictionary and brute force attacks are the most common ways to guess passwords. These techniques use a file that contains words, phrases, common passwords, and other strings that are likely to be used as viable passwords.

It should be noted that there is no guaranteed way to prevent dictionary attacks or brute force attacks.

Other approaches used to crack passwords are:


  • Lookup Tables: Hashes are precomputed from a dictionary and then stored with their corresponding password in a lookup table structure.


  • Reverse Lookup Tables: This attack allows a cyber attacker to apply a dictionary or brute force attack to many hashes simultaneously without having to precompute a lookup table.


  • Rainbow tables: Rainbow tables are a time memory technique. They are similar to lookup tables, except they sacrifice hash cracking speed to make lookup tables smaller.


  • Salted hashing: With this technique, hashes are randomly assigned by adding or prepending a random string, called a salt. This applies to the password before the hash.


Cyberattacks will happen one way or another. Since Hashcat generally works on human psychology, the bottom line is to try to avoid the use of your personal information and to reset your password regularly.

Alternatively, it can always be prevented by implementing hashcat software to verify the strength of your password.

Hashcat has over 200 optimized hash options, which is why it is not only one of the fastest in the world but also one of the most advanced and up-to-date password recovery tools.

Since it supports multiple operating systems like Windows, Linux, OSX native binaries, and multiple algorithms, Hashcat has become very popular for cracking complex passwords.