Last updated: March 2026
Hashcat Wordlist Attack Tutorial: Crack Passwords with rockyou.txt (2026)
A Hashcat wordlist attack (-a 0) tests every entry in a password list against your captured hash. To crack an MD5 hash with rockyou.txt, run: hashcat -m 0 -a 0 <hash> /usr/share/wordlists/rockyou.txt. Hashcat uses your GPU by default, reaching speeds over 100 GH/s on modern cards — making it the fastest offline cracking method available.
Legal disclaimer: Only crack hashes from systems you own or have explicit written authorization to test. Unauthorized password cracking is illegal under the CFAA and equivalent laws worldwide.
What You Will Learn
- Installing and verifying Hashcat on Kali Linux
- Downloading and preparing rockyou.txt
- Understanding attack mode
-a 0(dictionary/wordlist) - Hash mode
-mvalues for MD5, NTLM, WPA2, and more - Running attacks with real command examples and expected output
- Performance optimization tips
Step 1: Install and Verify Hashcat
On Kali Linux, Hashcat is installed by default. Verify it is present and working:
hashcat --version
Expected output:
v6.2.6
If not installed, install it:
sudo apt update && sudo apt install hashcat
Verify your GPU is detected by Hashcat:
hashcat -I
Example output for an NVIDIA card:
OpenCL Info:
============
OpenCL Platform #1
Vendor..: NVIDIA Corporation
Name....: NVIDIA CUDA
Version.: OpenCL 3.0 CUDA 12.4.0
Backend Device #1 (Alias: #1)
Type...: GPU
Vendor.: NVIDIA Corporation
Name...: NVIDIA GeForce RTX 4090
Version: OpenCL 3.0 CUDA 12.4.0
Processors......: 128
Clock...........: 2520 MHz
Memory.Total....: 24564 MB
Memory.Free.....: 23000 MB
If no GPU appears, check that CUDA drivers are installed (nvidia-smi) or that OpenCL is available for AMD (rocm-smi).
Step 2: Prepare rockyou.txt
rockyou.txt is included with Kali Linux at /usr/share/wordlists/rockyou.txt.gz. It contains approximately 14.3 million real-world passwords leaked from the RockYou.com breach.
Check if it is already decompressed:
ls -lh /usr/share/wordlists/rockyou.txt
If you see only the .gz file, decompress it:
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
Verify the wordlist:
wc -l /usr/share/wordlists/rockyou.txt
# Output: 14344391 /usr/share/wordlists/rockyou.txt
head -5 /usr/share/wordlists/rockyou.txt
# Output:
# 123456
# 12345
# 123456789
# password
# iloveyou
Step 3: Understand the Core Syntax
hashcat [options] <hash or hashfile> <wordlist>
Key flags:
- -m <number> — Hash type (see table below)
- -a 0 — Attack mode: dictionary (wordlist)
- -o output.txt — Save cracked passwords to file
- --show — Display previously cracked hashes from the potfile
- -O — Optimized kernels (10-20% speed boost, slight length restriction)
- -w 3 — Workload profile (1=low, 4=highest performance)
Step 4: Common Hash Modes (-m)
| Mode | Hash Type | Example Use Case |
|---|---|---|
| 0 | MD5 | Web app databases, older systems |
| 100 | SHA1 | Legacy web applications |
| 1000 | NTLM | Windows Active Directory, SAM database |
| 1400 | SHA-256 | Modern web applications |
| 1800 | sha512crypt ($6$) | Linux /etc/shadow |
| 3200 | bcrypt ($2*$) | Modern web app password storage |
| 22000 | WPA-PBKDF2-PMKID+EAPOL | WiFi WPA2/WPA3 handshakes |
| 13100 | Kerberos 5 TGS | Active Directory Kerberoasting |
To search for a hash type:
hashcat --help | grep -i ntlm
Step 5: Crack an MD5 Hash
Single Hash on Command Line
hashcat -m 0 -a 0 5f4dcc3b5aa765d61d8327deb882cf99 /usr/share/wordlists/rockyou.txt
Expected output:
hashcat (v6.2.6) starting...
OpenCL API (OpenCL 3.0 CUDA 12.4.0) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: NVIDIA GeForce RTX 4090, 23000/24564 MB, 128MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimized Engine Push-Back Disabled: Workload tuning disabled (use --force to override)
Host memory required for this attack: 773 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344391
5f4dcc3b5aa765d61d8327deb882cf99:password
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Thu Mar 26 10:00:01 2026 (0 secs)
Time.Estimated...: Thu Mar 26 10:00:01 2026 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Speed.#1.........: 164.1 GH/s (4.12ms) @ Accel:512 Loops:1024 Thr:512 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 458752/14344391 (3.20%)
Rejected.........: 0/458752 (0.00%)
Restore.Point....: 0/14344391 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> zxczxc123
Hardware.Mon.#1..: Temp: 58c Util: 93% Core:2535MHz Mem:10501MHz Bus:16
The cracked result appears as <hash>:<plaintext>: 5f4dcc3b5aa765d61d8327deb882cf99:password.
Multiple Hashes from a File
Create a file hashes.txt with one hash per line:
5f4dcc3b5aa765d61d8327deb882cf99
e10adc3949ba59abbe56e057f20f883e
25d55ad283aa400af464c76d713c07ad
Run:
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
View results:
cat cracked.txt
# 5f4dcc3b5aa765d61d8327deb882cf99:password
# e10adc3949ba59abbe56e057f20f883e:123456
# 25d55ad283aa400af464c76d713c07ad:12345678
Step 6: Crack NTLM Hashes (Windows)
NTLM hashes (mode 1000) are used in Windows environments. They can be extracted from the SAM database or captured via NTLM relay attacks.
# Single NTLM hash
hashcat -m 1000 -a 0 b4b9b02e6f09a9bd760f388b67351e2b /usr/share/wordlists/rockyou.txt
# NTLM hashes from a file with optimized kernels
hashcat -m 1000 -a 0 -O ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
NTLM is extremely fast to crack — an RTX 4090 achieves ~288 GH/s on NTLM (mode 1000). Even complex 8-character passwords can fall within seconds on a strong GPU. See the GPU benchmark table for full speed data.
Step 7: Crack WPA2 Handshakes
WPA2 cracking requires a captured handshake file in .hc22000 format (converted from .cap using hcxtools).
Convert .cap to .hc22000
# Install hcxtools if needed
sudo apt install hcxtools
# Convert capture file
hcxpcapngtool -o capture.hc22000 capture-01.cap
Crack the Handshake
hashcat -m 22000 -a 0 capture.hc22000 /usr/share/wordlists/rockyou.txt
WPA2 (PBKDF2 with 4096 iterations) is much slower than MD5 or NTLM — typically 2,600 kH/s on an RTX 4090 compared to 164 GH/s for MD5. This is by design; the PBKDF2 key stretching intentionally slows cracking.
# Add optimized kernels for ~15% speed boost
hashcat -m 22000 -a 0 -O capture.hc22000 /usr/share/wordlists/rockyou.txt
Step 8: Review Cracked Results
Hashcat stores cracked hashes in a potfile at ~/.local/share/hashcat/hashcat.potfile. To show all previously cracked hashes:
hashcat -m 0 hashes.txt --show
To show results with usernames (if your hash file has user:hash format):
hashcat -m 1000 ntlm_hashes.txt --show --username
Performance Tips
1. Use Optimized Kernels
hashcat -m 0 -a 0 -O hashes.txt /usr/share/wordlists/rockyou.txt
The -O flag enables optimized kernels that are 10-20% faster. The trade-off is a maximum password length limit (typically 32 characters), which is acceptable for most real-world attacks.
2. Set Workload Profile
# Profile 3 (high) — good balance of performance and system responsiveness
hashcat -m 0 -a 0 -w 3 hashes.txt /usr/share/wordlists/rockyou.txt
# Profile 4 (nightmare) — maximum GPU utilization, system may be slow
hashcat -m 0 -a 0 -w 4 hashes.txt /usr/share/wordlists/rockyou.txt
3. Combine Wordlist with Rules
A wordlist attack alone tests only exact matches. Adding rules dramatically expands coverage:
# Use best64.rule — tests 64 common mutations per word
hashcat -m 0 -a 0 -r /usr/share/hashcat/rules/best64.rule hashes.txt /usr/share/wordlists/rockyou.txt
For a full guide to rule-based attacks, see Hashcat Rule-Based Attacks.
4. Monitor Temperature
Keep GPU temperature below 85°C during extended sessions:
# In a separate terminal, monitor GPU stats
watch -n 1 nvidia-smi
5. Restore an Interrupted Session
If you stop a session, restore it with:
hashcat --restore --session mysession
Or name your session from the start:
hashcat -m 0 -a 0 --session mysession hashes.txt /usr/share/wordlists/rockyou.txt
FAQ
Q: How long does it take to crack a password with rockyou.txt? A: rockyou.txt has ~14.3 million entries. At 164 GH/s (RTX 4090, MD5), the entire list completes in under 1 millisecond. For WPA2 at 2,600 kH/s, rockyou.txt takes about 5.5 seconds. If the password is not in rockyou.txt, consider rules or a larger wordlist.
Q: What is the difference between -a 0 and -a 3?
A: -a 0 tests words from a file (dictionary attack). -a 3 generates every combination matching a mask pattern (brute-force). Dictionary attacks are faster for common passwords; brute-force is more thorough but exponentially slower as length increases.
Q: Hashcat says "No hashes loaded" — what is wrong?
A: The hash format is likely wrong. Ensure your hash file contains only the raw hash (no extra spaces or headers). Also confirm the -m mode matches the actual hash type. Use hashid or hash-identifier to detect the format if unsure.
Q: Can Hashcat use multiple GPUs?
A: Yes. Hashcat automatically uses all detected OpenCL/CUDA devices. To specify devices: hashcat -d 1,2 ... where numbers correspond to the device IDs shown in hashcat -I.