Understanding Hashcat
Hashcat is a tool used by computer experts to test if passwords are safe. It guesses passwords extremely fast to see if a system is easy to break into.
Why do we need it?
If you want to know if your house is safe, you hire someone to try and pick the lock. Hashcat is the tool experts use to pick the digital locks on passwords.
What is a "Hash"?
Computers do not save your real password. That would be unsafe. Instead, they use a math trick to turn your password into a messy pile of letters and numbers. This messy pile is called a Hash.
[Diagram: Your Password -> The Hash (Saved)]
The One-Way Rule
You cannot turn a Hash back into a password. It is a one-way street. The only way to find the password is to guess a word, turn it into a hash, and see if it matches the saved hash. Hashcat is simply a very fast guesser.
How does it know what lock it is?
Before Hashcat can pick a lock, it needs to know what brand the lock is. Different math tricks create hashes of different sizes and shapes.
Experts look at the length of the messy letters to guess the lock type. Once they know the type, they tell Hashcat exactly how to attack it.
Making it Harder: Adding "Salt"
If everyone uses the password "apple", the hash will always look exactly the same. To fix this, computers add random extra letters to your password before mixing it. This is called "Salt".
Salt means Hashcat cannot use shortcuts. It forces Hashcat to do the hard math all over again for every single user.
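The effect of salt on the "apple" case above, as an added example that is not part of the original page. The wordlist, the two users and the use of plain SHA-256 are assumptions chosen to keep it short.

```python
import hashlib
import hmac
import os

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt + password; the salt is stored next to the hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def new_record(password: str) -> dict:
    """Stored record for one user, with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}

def verify(record: dict, guess: str) -> bool:
    """Guess, hash, compare: the only way to check a password."""
    expected = salted_hash(guess, record["salt"])
    return hmac.compare_digest(expected, record["hash"])

# Constructed sample wordlist (assumption).
WORDLIST = ["123456", "monkey", "admin", "apple"]

# The "shortcut": hash every word once, then reuse the table for all users.
LOOKUP = {unsalted_hash(word): word for word in WORDLIST}

def shortcut_hits(stored_hashes: list) -> int:
    """How many stored hashes the precomputed table resolves directly."""
    return sum(1 for h in stored_hashes if h in LOOKUP)

def demo() -> dict:
    # Two users who both chose "apple", stored without and with salt.
    unsalted = [unsalted_hash("apple"), unsalted_hash("apple")]
    alice, bob = new_record("apple"), new_record("apple")
    salted = [alice["hash"], bob["hash"]]
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],
        "unsalted_table_hits": shortcut_hits(unsalted),
        "salted_identical": salted[0] == salted[1],
        "salted_table_hits": shortcut_hits(salted),
        "login_works": verify(alice, "apple") and not verify(alice, "monkey"),
    }

if __name__ == "__main__":
    print(demo())
```

Real password storage also uses a deliberately slow function such as PBKDF2, bcrypt or scrypt, so that each guess costs more.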
Why is Hashcat so fast?
The CPU (Brain)
The main brain of your computer is very smart, but it only has a few "hands" to do work. It guesses one password at a time. It is like a smart professor taking a math test.
The GPU (Video Card)
Video cards are used for playing games. They have thousands of tiny "hands". Hashcat uses the video card to guess thousands of passwords at the exact same time. It is like an army of 10,000 workers.
What does a cracking computer look like?
Experts do not use laptops. They build custom machines called "Cracking Rigs". These look like giant, noisy metal boxes.
- Up to 8 huge video cards in one box.
- Massive fans because it gets very hot.
- Uses as much electricity as a small oven.
Teamwork: Connecting Computers
Sometimes, one cracking computer is not enough. Experts connect many computers together over the internet. One "Boss" computer hands out pieces of the dictionary to all the "Worker" computers. They all use Hashcat at the same time to finish the job faster.
[Diagram: The Boss Server (manages the work) connected to Worker 1 and Worker 2]
How Hashcat Guesses: Basic Plans
Hashcat does not just guess randomly. It has smart plans, called "Attack Modes", to find the right password.
1. The Dictionary
It tries a massive list of common words. People are lazy and often use simple words.
> 123456
> monkey
> admin
2. Brute Force
It tries every single combination of letters and numbers. This takes a long time, but it never misses.
> aaab
> aaac
> ...
3. Rule Changes
It takes a normal word and adds rules, like making the first letter big, or adding numbers at the end.
> Apple
> apple123
> @pple!
Advanced Plans
4. The Mask Attack
If you know a password starts with "Admin" and ends with exactly 3 numbers, Hashcat won't waste time guessing letters. It only guesses the missing pieces.
5. Combinator Attack
It takes two different books of words and mashes them together. Useful when people use two simple words as one long password.
[Diagram: Red + Car]
Where do the guesses come from?
Experts do not type the dictionaries themselves.
Over the years, many websites have been hacked. Hackers stole real passwords and put them in giant text files on the internet. Experts use these exact files to test systems.
rockyou.txt
The most famous dictionary file. It contains over 14 million real passwords that people actually used.
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
qwerty
How Rules "Mutate" Words
Hashcat is smart enough to know that people try to be tricky. It uses "Rules files" to change letters automatically. It translates normal words into hacker language (Leetspeak).
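The rule changes and leetspeak mutations described above can be turned around for defense: a password-change form can undo the same mutations and refuse anything that reduces to a known word. This is an added example, not code from the original page; the blocklist, the substitution table and the function names are assumptions.

```python
# Constructed sample blocklist (assumption); a real check would load a
# large list of known-breached passwords.
BLOCKLIST = {"apple", "password", "monkey", "admin", "dog", "qwerty"}

# Leetspeak characters mapped back to the plain letter they stand for.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

# Characters people commonly append to a word.
TRAILING = "0123456789!@#$%^&*?._-"

def base_words(password: str) -> set:
    """Return the plain words this password could be a mutation of."""
    lowered = password.lower()            # undo "make the first letter big"
    stripped = lowered.rstrip(TRAILING)   # undo "add numbers at the end"
    forms = {lowered, stripped}
    # Undo leetspeak on both forms, so "appl3" and "@pple!" are both caught.
    forms |= {form.translate(UNLEET) for form in forms}
    return {form for form in forms if form}

def is_guessable(password: str) -> bool:
    """True if undoing common mutations yields a blocklisted word."""
    return not base_words(password).isdisjoint(BLOCKLIST)

def audit(passwords: list) -> dict:
    """Map each candidate password to True (reject) or False (no match)."""
    return {p: is_guessable(p) for p in passwords}

# Constructed sample input, using passwords shown on this page.
SAMPLES = ["Apple", "apple123", "@pple!", "dog123", "Password!",
           "admin2023", "p@ssw0rd", "BlueCoffeeJumpingCar",
           "17HappyDogsRunningFast!"]

if __name__ == "__main__":
    for password, reject in audit(SAMPLES).items():
        print(f"{password:26} {'REJECT' if reject else 'no match'}")
```

A "no match" result only means the password is not a simple mutation of a blocklisted word; it does not measure length or randomness.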
The Speed of Hashcat
With a strong computer, Hashcat can make billions of guesses in a single second. This makes it perfect for large, heavy jobs.
The Locks It Can Open
Different systems use different math rules (Algorithms) to make hashes. Hashcat knows how to speak almost all of them.
MD5
An older, very fast lock. It is weak today, and Hashcat can crack these instantly.
SHA-256
A modern, strong lock used by many websites and even Bitcoin.
NTLM
The lock that Microsoft Windows computers use to save user passwords.
WPA2
The lock used on your home Wi-Fi internet connection.
The Math of Time
Why does length matter? Every single letter you add multiplies the time it takes Hashcat to guess. Look at how the time Hashcat needs grows as passwords get longer.
- 8 Letters: Cracked Instantly
- 10 Letters: Takes a few Hours
- 15+ Letters: Takes Millions of Years
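The arithmetic behind this section and behind the mask attack described earlier, as an added example that is not from the original page. It counts how many guesses a mask needs and finds the shortest length that survives a chosen number of years. The guess rate of 10 billion per second is an assumption, and the exact figures shift with the rate and the alphabet.

```python
# Sizes of hashcat's built-in mask character sets:
# ?l lowercase, ?u uppercase, ?d digits, ?s symbols, ?a all printable ASCII.
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

GUESSES_PER_SECOND = 10_000_000_000   # assumed rate ("billions per second")
SECONDS_PER_YEAR = 31_557_600         # 365.25 days

def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask such as 'Admin?d?d?d' generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            code = mask[i + 1]
            if code != "?":                    # '??' is a literal '?'
                if code not in CHARSET_SIZE:
                    raise ValueError(f"unsupported charset ?{code}")
                total *= CHARSET_SIZE[code]
            i += 2
        else:
            i += 1                             # literal character: one choice
    return total

def seconds_to_exhaust(mask: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate the mask generates."""
    return mask_keyspace(mask) / rate

def min_length(alphabet: int, years: int,
               rate: int = GUESSES_PER_SECOND) -> int:
    """Shortest random password length that takes at least `years` to exhaust."""
    target = years * SECONDS_PER_YEAR * rate   # guesses made in that time
    length = 1
    while alphabet ** length < target:
        length += 1
    return length

if __name__ == "__main__":
    # Known structure collapses the keyspace: 8 characters either way.
    print("Admin?d?d?d :", mask_keyspace("Admin?d?d?d"), "candidates")
    print("8 x ?l      :", mask_keyspace("?l" * 8), "candidates")
    for name, size in (("lowercase only", 26), ("all printable", 95)):
        print(name, "-> length for 1,000,000 years:",
              min_length(size, 1_000_000))
```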
Why Good People Use It
Security Auditing
Companies hire "good hackers" to test their systems. These experts take the list of company hashes and run Hashcat.
If Hashcat can guess an employee's password quickly, it means the password was too weak. The company then tells the employee to change it before a "bad hacker" can do the exact same thing.
What it looks like in action
hashcat -m 0 -a 0 secret_hashes.txt rockyou.txt
# -m 0 : Tells Hashcat the lock type is MD5.
# -a 0 : Tells Hashcat to use the Dictionary attack mode.
# secret_hashes.txt : The file containing the messy hashes.
# rockyou.txt : The giant book of common passwords to guess.
How to stop Hashcat
Hashcat is powerful, but it has one big weakness: Time. If you make a password long enough, even the fastest computers would take millions of years to guess it.
Bad Passwords
Short words with simple numbers are cracked in less than a second.
- dog123
- Password!
- admin2023
Good Passwords
Use a "Passphrase". Combine random, long words. Hashcat hates length.
- BlueCoffeeJumpingCar
- AngryPlanetGuitarTree
- 17HappyDogsRunningFast!
The Golden Rule of Security
Only test what you own.
Using Hashcat to break into systems you do not own is illegal and unethical. It is a crime.
Professionals always have a signed paper from a company giving them permission to test the company's passwords. Never use these tools on systems without written permission.