Linux cli command hashcat
8 minute read
NAME 🖥️ hashcat 🖥️
Advanced CPU-based password recovery utility
SYNOPSIS
hashcat [options]* hashfile *[mask|wordfiles|directories]
DESCRIPTION
Hashcat is the world’s fastest CPU-based password recovery tool.
While it’s not as fast as its GPU counterpart oclHashcat, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.
Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool, Examples of hashcat supported hashing algorithms are Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX.
OPTIONS
-h, –help
Show summary of options.
-V, –version
Show version of program.
-m, –hash-type=NUM
Hash-type, see references below
-a, –attack-mode=NUM
Attack-mode, see references below
–quiet
Suppress output
–force
Ignore warnings
–stdin-timeout-abort
Abort if there is no input from stdin for X seconds
–machine-readable
Display the status view in a machine-readable format
–keep-guessing
Keep guessing the hash after it has been cracked
–self-test-disable
Disable self-test functionality on startup
–loopback
Add new plains to induct directory
-b, –benchmark
Run benchmark
–hex-salt
Assume salt is given in hex
–hex-charset
Assume charset is given in hex
–hex-wordlist
Assume words in wordlist are given in hex
–runtime=NUM
Abort session after NUM seconds of runtime
–status
Enable automatic update of the status-screen
–status-timer=NUM
Seconds between status-screen update
-o, –outfile=FILE
Define outfile for recovered hash
–outfile-format=NUM
Define outfile-format for recovered hash, see references below
–outfile-autohex-disable
Disable the use of $HEX[] in output plains
-p, –separator=CHAR
Define separator char for hashlists/outfile
–show
Show cracked passwords only (see –username)
–left
Show uncracked passwords only (see –username)
–username
Enable ignoring of usernames in hashfile (Recommended: also use –show)
–remove
Enable remove of hash once it is cracked
–stdout
Stdout mode
–potfile-disable
Do not write potfile
–debug-mode=NUM
Defines the debug mode (hybrid only by using rules), see references below
–debug-file=FILE
Output file for debugging rules (see –debug-mode)
-c, –segment-size=NUM
Size in MB to cache from the wordfile
-r, –rules-file=FILE
Rules-file use: -r 1.rule
-g, –generate-rules=NUM
Generate NUM random rules
–generate-rules-func-min=NUM
Force NUM functions per random rule min
–generate-rules-func-max=NUM
Force NUM functions per random rule max
–generate-rules-seed=NUM
Force RNG seed to NUM
-1, –custom-charset1=CS
User-defined charsets example –custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef -1 mycharset.hcchr : sets charset ?1 to chars contained in file
-2, –custom-charset2=CS
User-defined charsets example –custom-charset2=?dabcdef : sets charset ?2 to 0123456789abcdef -2 mycharset.hcchr : sets charset ?2 to chars con$
-3, –custom-charset3=CS
User-defined charsets example –custom-charset3=?dabcdef : sets charset ?3 to 0123456789abcdef -3 mycharset.hcchr : sets charset ?3 to chars con$
-4, –custom-charset4=CS
User-defined charsets example –custom-charset4=?dabcdef : sets charset ?4 to 0123456789abcdef -4 mycharset.hcchr : sets charset ?4 to chars con$
–increment
Enable increment mode
–increment-min=NUM
Start incrementing at NUM
–increment-max=NUM
Stop incrementing at NUM
–markov-hcstat2
Specify hcstat2 file to use
–markov-disable
Disables markov-chains, emulates classic brute-force
–markov-classic
Enables classic markov-chains, no per-position
-t, –markov-threshold
Threshold X when to stop accepting new markov-chains
–session=STR
Define specific session name
–restore
Restore session from –session
–restore-disable
Do not write restore file
–restore-file-path=FILE
Specific path to restore file
–outfile-check-timer=NUM
Sets seconds between outfile checks to X
–wordlist-autohex-disable
Disable the conversion of $HEX[] from the wordlist
–remove-timer=NUM
Update input hash file each X seconds
–potfile-path=FILE
Specific path to potfile
–encoding-from=CODE
Force internal wordlist encoding from X
–encoding-to=CODE
Force internal wordlist encoding to X
–induction-dir=DIR
Specify the induction directory to use for loopback
–outfile-check-dir=DIR
Specify the outfile directory to monitor for plains
–logfile-disable
Disable the logfile
–hccapx-message-pair=NUM
Load only message pairs from hccapx matching X
–nonce-error-corrections=NUM
The BF size range to replace AP’s nonce last bytes
–keyboard-layout-mapping=FILE
Keyboard layout mapping table for special hash-modes
–truecrypt-keyfiles=FILE
Keyfiles to use, separated with commas
–veracrypt-keyfiles=FILE
Keyfiles to use, separated with commas
–veracrypt-pim=NUM
VeraCrypt personal iterations multiplier
–benchmark-all
Run benchmark of all hash-modes
–speed-only
Return expected speed of the attack, then quit
–progress-only
Return ideal progress step size and time to process
–bitmap-min=NUM
Sets minimum bits allowed for bitmaps to X
–bitmap-max=NUM
Sets maximum bits allowed for bitmaps to X
–cpu-affinity=STR
Locks to CPU devices, separated with commas
–example-hashes
Show an example hash for each hash-mode
-I, –opencl-info
Show info about detected OpenCL platforms/devices
–opencl-platforms=STR
OpenCL platforms to use, separated with commas
-d, –opencl-devices=STR
OpenCL devices to use, separated with commas
-D, –opencl-device-types=STR
OpenCL device-types to use, separated with commas
–opencl-vector-width=NUM
Manually override OpenCL vector-width to X
-O, –optimized-kernel-enable
Enable optimized kernels (limits password length)
-w, –workload-profile=NUM
Enable a specific workload profile, see pool below
-n, –kernel-accel=NUM
Manual workload tuning, set outerloop step size to X
-u, –kernel-loops=NUM
Manual workload tuning, set innerloop step size to X
-T, –kernel-threads=NUM
Manual workload tuning, set thread count to X
–spin-damp=NUM
Use CPU for device synchronization, in percent
–hwmon-disable
Disable temperature and fanspeed reads and triggers
–hwmon-temp-abort=NUM
Abort if temperature reaches X degrees Celsius
–scrypt-tmto=NUM
Manually override TMTO value for scrypt to X
-s, –skip=NUM
Skip X words from the start
-l, –limit=NUM
Limit X words from the start + skipped words
–keyspace
Show keyspace base:mod values and quit
-j, –rule-left RULE
Single rule applied to each word from left wordlist
-k, –rule-right RULE
Single rule applied to each word from right wordlist
-S, –slow-candidates
Enable slower (but advanced) candidate generators
–brain-server
Enable brain server
-z, –brain-client
Enable brain client, activates -S
–brain-client-features=NUM
Define brain client features, see below
–brain-host=STR
Brain server host (IP or domain)
–brain-port=PORT
Brain server port
–brain-password=STR
Brain server authentication password
–brain-session=HEX
Overrides automatically calculated brain session
–brain-session-whitelist=HEX
Allow given sessions only, separated with commas
Permutation attack-mode options
Outfile formats
1 = hash[:salt]
2 = plain
3 = hash[:salt]:plain
4 = hex_plain
5 = hash[:salt]:hex_plain
6 = plain:hex_plain
7 = hash[:salt]:plain:hex_plain
8 = crackpos
9 = hash[:salt]:crack_pos
10 = plain:crack_pos
11 = hash[:salt]:plain:crack_pos
12 = hex_plain:crack_pos
13 = hash[:salt]:hex_plain:crack_pos
14 = plain:hex_plain:crack_pos
15 = hash[:salt]:plain:hex_plain:crack_pos
Debug mode output formats (for hybrid mode only, by using rules)
1 = save finding rule
2 = save original word
3 = save original word and finding rule
4 = save original word, finding rule and modified plain
Built-in charsets
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = !"#$%&’()*+,-./:;<=>?@[]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
Attack mode
0 = Straight
1 = Combination
3 = Brute-force
6 = Hybrid Wordlist + Mask
7 = Hybrid Mask + Wordlist
Hash types
0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
50 = HMAC-MD5 (key = $pass)
60 = HMAC-MD5 (key = $salt)
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
130 = sha1(unicode($pass).$salt)
140 = sha1($salt.unicode($pass))
150 = HMAC-SHA1 (key = $pass)
160 = HMAC-SHA1 (key = $salt)
200 = MySQL323
300 = MySQL4.1/MySQL5
400 = phpass, MD5(Wordpress), MD5(phpBB3), MD5(Joomla)
500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials (DCC), MS Cache
1400 = SHA256
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1430 = sha256(unicode($pass).$salt)
1431 = base64(sha256(unicode($pass)))
1440 = sha256($salt.unicode($pass))
1450 = HMAC-SHA256 (key = $pass)
1460 = HMAC-SHA256 (key = $salt)
1600 = md5apr1, MD5(APR), Apache MD5
1700 = SHA512
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1730 = sha512(unicode($pass).$salt)
1740 = sha512($salt.unicode($pass))
1750 = HMAC-SHA512 (key = $pass)
1760 = HMAC-SHA512 (key = $salt)
1800 = SHA-512(Unix)
2400 = Cisco-PIX MD5
2410 = Cisco-ASA MD5
2500 = WPA/WPA2
2600 = Double MD5
3200 = bcrypt, Blowfish(OpenBSD)
3300 = MD5(Sun)
3500 = md5(md5(md5($pass)))
3610 = md5(md5($salt).$pass)
3710 = md5($salt.md5($pass))
3720 = md5($pass.md5($salt))
3800 = md5($salt.$pass.$salt)
3910 = md5(md5($pass).md5($salt))
4010 = md5($salt.md5($salt.$pass))
4110 = md5($salt.md5($pass.$salt))
4210 = md5($username.0.$pass)
4300 = md5(strtoupper(md5($pass)))
4400 = md5(sha1($pass))
4500 = Double SHA1
4600 = sha1(sha1(sha1($pass)))
4700 = sha1(md5($pass))
4800 = MD5(Chap), iSCSI CHAP authentication
4900 = sha1($salt.$pass.$salt)
5000 = SHA-3(Keccak)
5100 = Half MD5
5200 = Password Safe SHA-256
5300 = IKE-PSK MD5
5400 = IKE-PSK SHA1
5500 = NetNTLMv1-VANILLA / NetNTLMv1-ESS
5600 = NetNTLMv2
5700 = Cisco-IOS SHA256
5800 = Android PIN
6300 = AIX {smd5}
6400 = AIX {ssha256}
6500 = AIX {ssha512}
6700 = AIX {ssha1}
6900 = GOST, GOST R 34.11-94
7000 = Fortigate (FortiOS)
7100 = OS X v10.8+
7200 = GRUB 2
7300 = IPMI2 RAKP HMAC-SHA1
7400 = sha256crypt, SHA256(Unix)
7900 = Drupal7
8400 = WBB3, Woltlab Burning Board 3
8900 = scrypt
9200 = Cisco $8$
9300 = Cisco $9$
9800 = Radmin2
10000 = Django (PBKDF2-SHA256)
10200 = Cram MD5
10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA-1
11000 = PrestaShop
11100 = PostgreSQL Challenge-Response Authentication (MD5)
11200 = MySQL Challenge-Response Authentication (SHA1)
11400 = SIP digest authentication (MD5)
99999 = Plaintext
Specific hash type
11 = Joomla < 2.5.18
12 = PostgreSQL
21 = osCommerce, xt:Commerce
23 = Skype
101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
112 = Oracle S: Type (Oracle 11+)
121 = SMF > v1.1
122 = OS X v10.4, v10.5, v10.6
123 = EPi
124 = Django (SHA-1)
131 = MSSQL(2000)
132 = MSSQL(2005)
133 = PeopleSoft
141 = EPiServer 6.x < v4
1421 = hMailServer
1441 = EPiServer 6.x > v4
1711 = SSHA-512(Base64), LDAP {SSHA512}
1722 = OS X v10.7
1731 = MSSQL(2012 & 2014)
2611 = vBulletin < v3.8.5
2612 = PHPS
2711 = vBulletin > v3.8.5
2811 = IPB2+, MyBB1.2+
3711 = Mediawiki B type
3721 = WebEdition CMS
7600 = Redmine Project Management Web App
AUTHOR
hashcat was written by Jens Steube <[email protected]>
This manual page was written by Daniel Echeverry <[email protected]>, for the Debian project (and may be used by others).
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.