Hashcat Advanced Tutorial: Masks, Rules, and GPU Optimization (2026)
Hashcat is the world's fastest password recovery tool, using GPU parallelism to test billions of candidate passwords per second. Where basic usage is straightforward — point it at hashes and a wordlist — intermediate and advanced usage requires understanding attack modes, rule syntax, mask charsets, and GPU optimization. These techniques are the difference between cracking a password in minutes versus running a job that would take centuries.
This tutorial covers practical techniques for penetration testers and security researchers working with authorized assessments. Always ensure you have explicit written authorization before attempting to crack any hashes.
Attack Mode Overview
Hashcat selects the candidate generation strategy with -a:
| Mode | Name | Description |
|---|---|---|
| -a 0 | Straight (wordlist) | Try every word in a list, optionally with rules |
| -a 1 | Combination | Combine pairs of words from two wordlists |
| -a 3 | Mask | Generate candidates from a character mask |
| -a 6 | Hybrid wordlist+mask | Each word from list + mask appended |
| -a 7 | Hybrid mask+wordlist | Mask prepended + each word from list |
The hash type is selected with -m:
| Mode | Hash Type |
|---|---|
| -m 0 | MD5 |
| -m 100 | SHA1 |
| -m 1000 | NTLM (Windows) |
| -m 1800 | sha512crypt ($6$, Linux shadow) |
| -m 3200 | bcrypt |
| -m 13100 | Kerberoast (TGS-REP) |
| -m 22000 | WPA2-PMKID / WPA2-EAPOL |
Wordlist Attacks (-a 0)
The most common attack mode. rockyou.txt (14 million entries) is the standard starting wordlist:
# Basic wordlist attack against NTLM hashes
hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
# Against MD5 hashes
hashcat -a 0 -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
# Show status while running
hashcat -a 0 -m 1000 hashes.txt rockyou.txt --status --status-timer 10
Large custom wordlists can be combined and deduplicated:
cat wordlist1.txt wordlist2.txt wordlist3.txt | sort -u > combined.txt
hashcat -a 0 -m 1000 hashes.txt combined.txt
Rules: The Most Powerful Feature
Rules transform each word in a wordlist before testing it. A single rule can turn password into P@ssw0rd!, Password123, or drowssap. Rules multiply the effective coverage of a wordlist without the storage cost of pre-generating all variants.
Rule Syntax
Rules are one-character operations applied left to right:
| Rule | Effect | Example |
|---|---|---|
| l | Lowercase all | Password → password |
| u | Uppercase all | password → PASSWORD |
| c | Capitalize first letter | password → Password |
| r | Reverse | password → drowssap |
| $1 | Append 1 | password → password1 |
| ^! | Prepend ! | password → !password |
| $1$2$3 | Append 123 | password → password123 |
| sa@ | Substitute a with @ | password → p@ssword |
| se3 | Substitute e with 3 | welcome → w3lcom3 |
| D2 | Delete char at position 2 (counting from 0) | password → pasword |
| i2! | Insert ! at position 2 (counting from 0) | password → pa!ssword |
Rules are stored in .rule files, one rule per line. Apply with -r:
# Apply the best64 ruleset (64 high-yield rules)
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Apply multiple rule files
hashcat -a 0 -m 1000 hashes.txt rockyou.txt \
-r /usr/share/hashcat/rules/best64.rule \
-r /usr/share/hashcat/rules/toggles1.rule
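The left-to-right semantics of the rule table can be checked with a small interpreter. This is an added example, not hashcat's own code: it covers only the functions listed in the table, and `explain`, `WORDS` and `RULES` are hypothetical names with constructed sample data. It reports which base word and rule derive a given password, which is how a password audit shows that a policy-compliant password is one rule away from a dictionary word.

```python
"""Added example: interpreter for the rule functions listed in the table above."""
POSITIONS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # position encoding, 0-based
ARITY = {" ": 0, ":": 0, "l": 0, "u": 0, "c": 0, "r": 0,
         "$": 1, "^": 1, "D": 1, "s": 2, "i": 2}


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line to one word, function by function, left to right."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op not in ARITY:
            raise ValueError(f"unsupported rule function {op!r}")
        args = rule[i + 1:i + 1 + ARITY[op]]
        if len(args) != ARITY[op]:
            raise ValueError(f"rule function {op!r} is missing an argument")
        i += 1 + ARITY[op]
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":                       # first char upper, rest lower
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "$":
            word = word + args
        elif op == "^":
            word = args + word
        elif op == "s":                       # replace every occurrence
            word = word.replace(args[0], args[1])
        elif op in "Di":
            pos = POSITIONS.find(args[0])
            if pos < 0:
                raise ValueError(f"bad position {args[0]!r}")
            if op == "D" and pos < len(word):     # out of range: unchanged
                word = word[:pos] + word[pos + 1:]
            elif op == "i" and pos <= len(word):
                word = word[:pos] + args[1] + word[pos:]
    return word


def explain(candidate: str, words: list[str], rules: list[str]) -> list[tuple[str, str]]:
    """Return every (word, rule) pair that derives `candidate`."""
    return [(w, r) for w in words for r in rules if apply_rule(r, w) == candidate]


# Constructed sample data, not taken from any real wordlist or ruleset.
WORDS = ["password", "summer", "welcome"]
RULES = [":", "c $1", "c $1$2$!", "sa@ so0", "se3", "r"]

if __name__ == "__main__":
    for pw in ["Summer12!", "p@ssw0rd", "w3lcom3", "T7#kq9Lz"]:
        print(pw, "->", explain(pw, WORDS, RULES) or "no derivation found")
```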
OneRuleToRuleThemAll
The community-maintained OneRuleToRuleThemAll ruleset (~50,000 rules) consistently outperforms other rulesets on real-world corporate password dumps. It was generated by analyzing which rule combinations appear most frequently in known cracked passwords.
# Download
wget https://raw.githubusercontent.com/stealthsploit/OneRuleToRuleThemAll/main/OneRuleToRuleThemAll.rule
# Use it
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -r OneRuleToRuleThemAll.rule
This runs ~14 million words × ~50,000 rules = ~700 billion candidates. On a modern GPU running NTLM at 40 billion/second, it takes roughly 17 seconds. Against bcrypt it would take years — choose your attack based on what the hash can sustain.
Testing Rules Without Cracking
See what candidates a rule generates before committing to a full run:
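# Show the first 50 candidates that would be generated
# (with --stdout no hash file is given; every file argument is read as a wordlist)
hashcat -a 0 wordlist.txt -r rules/best64.rule --stdout | head -50
# Test a rule string directly (single quotes stop the shell from expanding $1)
echo "password" | hashcat --stdout -r <(echo 'c $1')
# Output: Password1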
Mask Attacks (-a 3)
Mask attacks enumerate all combinations of a character pattern. They are ideal when you know something about the password structure — length, character classes, or specific characters.
Charset Placeholders
| Placeholder | Characters |
|---|---|
| ?l | abcdefghijklmnopqrstuvwxyz |
| ?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| ?d | 0123456789 |
| ?s | !@#$%^&*()-_+=... (special) |
| ?a | All of the above combined |
| ?1–?4 | Custom charsets you define |
Mask Examples
# All 8-char passwords: 1 uppercase + 5 lowercase + 2 digits
# Matches: Summer99, Winter24, London01...
hashcat -a 3 -m 1000 hashes.txt '?u?l?l?l?l?l?d?d'
# 6-digit PIN
hashcat -a 3 -m 0 hashes.txt '?d?d?d?d?d?d'
# 8-10 char all-lowercase
hashcat -a 3 -m 1000 hashes.txt --increment --increment-min 8 '?l?l?l?l?l?l?l?l?l?l'
# Custom charset: only vowels
hashcat -a 3 -m 1000 hashes.txt -1 'aeiouAEIOU' '?1?1?1?1?1?1'
# Common corporate pattern: word + 4 digits (use hybrid for this, see below)
The --increment flag runs the mask at all lengths from --increment-min up to the mask length, so you do not need separate runs for 8-char and 9-char variants.
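How large a mask's keyspace is, and how long it takes to exhaust, follows directly from the placeholder table. The calculator below is an added example, not part of hashcat: `keyspace` and `position_sizes` are hypothetical names, custom charsets are given as literal characters only, `NTLM_RATE` is the 40 billion/second figure used on this page, and `SLOW_RATE` is a constructed value standing in for a deliberately slow hash.

```python
"""Added example: keyspace and exhaustion time for a hashcat-style mask."""
import math
import string

# Built-in charsets from the placeholder table (?s is punctuation plus space).
BUILTIN = {"l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
           "d": set(string.digits), "s": set(string.punctuation + " ")}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

NTLM_RATE = 40e9   # candidates/second, the figure quoted on this page
SLOW_RATE = 1e5    # constructed assumption for a slow, salted hash


def position_sizes(mask, custom=None):
    """Return the number of choices at each position of the mask."""
    custom = custom or {}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)                     # literal character
            i += 1
            continue
        key = mask[i + 1:i + 2]
        if key == "?":
            sizes.append(1)                     # "??" is a literal question mark
        elif key in BUILTIN:
            sizes.append(len(BUILTIN[key]))
        elif key in custom:
            sizes.append(len(set(custom[key])))  # duplicates count once
        else:
            raise ValueError(f"undefined placeholder ?{key}")
        i += 2
    return sizes


def keyspace(mask, custom=None, increment_min=None):
    """Candidates for the mask; with increment_min, sum lengths min..len(mask)."""
    sizes = position_sizes(mask, custom)
    lengths = range(increment_min or len(sizes), len(sizes) + 1)
    return sum(math.prod(sizes[:n]) for n in lengths)


if __name__ == "__main__":
    for mask in ["?d?d?d?d?d?d", "?u?l?l?l?l?l?d?d", "?a" * 8, "?a" * 12]:
        total = keyspace(mask)
        print(f"{mask:26} {total:.3e} candidates  "
              f"fast: {total / NTLM_RATE / 86400:.3g} days  "
              f"slow: {total / SLOW_RATE / 86400 / 365:.3g} years")
```

At the page's NTLM rate the full eight-character `?a` space lasts about 1.9 days, while each extra character multiplies the work by 95.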
Hybrid Attacks (-a 6 and -a 7)
Hybrid mode combines a wordlist with a mask. Mode 6 appends the mask to each word; mode 7 prepends.
# Wordlist + mask appended: "password" + "?d?d?d?d" → password0000..password9999
hashcat -a 6 -m 1000 hashes.txt rockyou.txt '?d?d?d?d'
# Wordlist + special char + digit: summer → summer!0, summer@7, summer#9...
hashcat -a 6 -m 1000 hashes.txt rockyou.txt '?s?d'
# Mask prepended + wordlist: "?u?d" + "password" → A0password..Z9password
hashcat -a 7 -m 1000 hashes.txt '?u?d' rockyou.txt
# Common corporate pattern: capitalize + rockyou word + 2 digits + special
# Use a rule for this; c $1$2$! covers the fixed suffix 12! (password → Password12!)
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -r <(echo 'c $1$2$!')
Hybrid mode -a 6 is extremely effective against corporate Windows hashes. Employees frequently take a memorable word and append digits to meet the "must include a number" policy.
WPA2 Cracking Workflow
WPA2 handshake cracking is a common authorized penetration testing task (for assessing your own Wi-Fi infrastructure):
Step 1: Capture with hcxdumptool
# Put interface in monitor mode
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up
# Capture PMKID and EAPOL handshakes
hcxdumptool -i wlan0 -o capture.pcapng --enable_status=1
Step 2: Convert to hashcat format
# Convert pcapng to hc22000 format
hcxpcapngtool -o hashes.hc22000 capture.pcapng
Step 3: Crack with hashcat
# Mode 22000 handles both PMKID and EAPOL
hashcat -a 0 -m 22000 hashes.hc22000 rockyou.txt -r rules/best64.rule
# If the SSID suggests a pattern (e.g. HomeNetwork followed by digits):
hashcat -a 6 -m 22000 hashes.hc22000 /tmp/ssid_wordlist.txt '?d?d?d?d'
GPU Optimization
Workload Profiles (-w)
# -w 1: Low (background, minimal impact on system)
# -w 2: Default
# -w 3: High (recommended for dedicated cracking rigs)
# -w 4: Nightmare (may cause desktop to freeze)
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -w 3
Device Selection (-d)
# List available devices
hashcat -I
# Use only GPU device 1
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -d 1
# Use multiple GPUs
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -d 1,2
# Use CPU only (much slower, for testing); -D selects the device type (1 = CPU, 2 = GPU)
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -D 1
Temperature Monitoring
GPU temperature matters for sustained cracking. Monitor with:
# Built-in hardware monitor (shown during run)
hashcat -a 0 -m 1000 hashes.txt rockyou.txt
# Disable HW monitoring if it causes issues
hashcat -a 0 -m 1000 hashes.txt rockyou.txt --hwmon-disable
# Check GPU temp independently
nvidia-smi --query-gpu=temperature.gpu --format=csv,noheader -l 5
Throttle the workload if temperatures exceed 85°C. Use -w 2 and ensure proper case airflow.
Session Management
Long-running attacks can be paused and resumed without losing progress:
# Start a session with a name
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -r OneRuleToRuleThemAll.rule \
--session mycrack
# Pause with Ctrl+C — hashcat saves progress automatically
# Resume
hashcat --session mycrack --restore
# Check session status
hashcat --session mycrack --restore --status
Session files are stored in ~/.local/share/hashcat/sessions/ (Linux) or the hashcat directory on Windows.
Viewing Cracked Passwords
Hashcat stores cracked hashes in the potfile (~/.local/share/hashcat/hashcat.potfile). To display results:
# Show every hash in hashes.txt that is already cracked in the potfile
hashcat -m 1000 hashes.txt --show
# Show with username:hash format (if hashes file uses user:hash format)
hashcat -m 1000 hashes.txt --show --username
# Dump the potfile
cat ~/.local/share/hashcat/hashcat.potfile
The potfile persists between runs. Hashcat automatically skips hashes already in the potfile, so re-running with a different wordlist picks up where previous attacks left off.
Practical Attack Strategy
For a real engagement with NTLM hashes from an Active Directory dump:
- Quick wins first: rockyou.txt with best64.rule (takes seconds, cracks 20–40% of corporate hashes)
- Hybrid sweep: rockyou.txt -a 6 '?d?d' and rockyou.txt -a 6 '?d?d?d?d' (catches Password01, Summer2024)
- OneRuleToRuleThemAll: Full run with the mega-ruleset overnight
- Mask attack on remaining: --increment ?a?a?a?a?a?a?a?a for shorter passwords
- Targeted custom wordlist: Company name, city, product names + rules
The ordering matters because potfile deduplication means you never waste time re-testing cracked hashes, and starting with the fastest techniques surfaces easy wins quickly.