Introduction
hashcat is an open-source password recovery tool that leverages GPU computing to crack password hashes at high speed. It is the standard tool used by penetration testers and security auditors to verify password strength across enterprise environments.
What hashcat Does
- Cracks 350+ hash types including MD5, SHA-256, bcrypt, NTLM, WPA, and Kerberos
- Leverages NVIDIA CUDA and OpenCL for GPU-accelerated cracking
- Supports dictionary, brute-force, combinator, rule-based, and hybrid attack modes
- Distributes workloads across multiple GPUs on a single machine
- Restores interrupted sessions automatically from checkpoint files
Architecture Overview
hashcat is written in C with OpenCL and CUDA kernels for GPU offloading. Each hash type has an optimized kernel that runs the cryptographic primitive on the GPU. The host CPU manages candidate generation, work distribution, and result checking. A session manager handles checkpointing for long-running attacks.
Self-Hosting & Configuration
- Download prebuilt binaries for Windows, Linux, or macOS from the releases page
- Requires GPU drivers with OpenCL or CUDA support installed
- Tune workload profiles with -w (1=low, 4=max GPU utilization)
- Use --session and --restore for resumable long-running attacks
- Create custom rule files to mutate wordlists for targeted cracking
Key Features
- GPU kernel optimizations for each hash type maximize throughput
- Rule engine with 50+ built-in transformation functions for wordlist mutation
- Brain server mode deduplicates work across distributed cracking sessions
- Automatic performance tuning based on available GPU hardware
- Supports cracking hashes extracted from password managers, disk encryption, and network protocols
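The rule engine and custom rule files mentioned above can be turned around for password policy: the sketch below is an added example, not hashcat's code, that interprets a small subset of hashcat's rule functions (`:`, `l`, `u`, `c`, `r`, `d`, `$X`, `^X`, `sXY`) to flag a proposed password that is only a simple mutation of a known word. The names `apply_rule` and `find_derivation`, the wordlist, and the rule list are constructed for illustration.

```python
# Added example (not hashcat code): a subset of hashcat's rule syntax,
# used to flag passwords that are simple mutations of known words.
ARITY = {":": 0, "l": 0, "u": 0, "c": 0, "r": 0, "d": 0, "$": 1, "^": 1, "s": 2}

# Constructed sample data; a real audit would load its own wordlist and rules.
WORDLIST = ["password", "welcome", "dragon"]
RULES = [":", "c", "u", "r", "d", "c $1", "c $!", "$1 $2 $3", "sa@ so0", "c sa@ $1"]


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line, left to right, to a single word."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == " ":                      # functions may be space-separated
            i += 1
            continue
        if op not in ARITY:
            raise ValueError(f"unsupported rule function {op!r}")
        args = rule[i + 1 : i + 1 + ARITY[op]]
        if len(args) != ARITY[op]:
            raise ValueError(f"rule function {op!r} is missing an argument")
        i += 1 + ARITY[op]
        if op == "l":                      # lowercase everything
            word = word.lower()
        elif op == "u":                    # uppercase everything
            word = word.upper()
        elif op == "c":                    # capitalize first, lowercase rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":                    # reverse
            word = word[::-1]
        elif op == "d":                    # duplicate the word
            word += word
        elif op == "$":                    # append one character
            word += args
        elif op == "^":                    # prepend one character
            word = args + word
        elif op == "s":                    # replace every X with Y
            word = word.replace(args[0], args[1])
        # ":" passes the word through unchanged
    return word


def find_derivation(candidate, wordlist=WORDLIST, rules=RULES):
    """Return (word, rule) if a listed word mutates into candidate, else None."""
    for word in wordlist:
        for rule in rules:
            if apply_rule(rule, word) == candidate:
                return word, rule
    return None
```

A `None` result only means the candidate is not reachable from this wordlist with these rules; it says nothing about the password's strength against a larger rule set.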
Comparison with Similar Tools
- John the Ripper — versatile CPU-focused cracker with auto-detection, but slower on GPU workloads
- Ophcrack — rainbow-table-based Windows password cracker, limited to LM/NTLM
- Hydra — online brute-forcer for network services, not an offline hash cracker
- CrackStation — online lookup service, limited to precomputed tables
FAQ
Q: Is hashcat legal? A: hashcat is legal to use for recovering your own passwords or for authorized security audits. Using it against systems without permission is illegal.
Q: Which GPU gives the best performance? A: NVIDIA GPUs with CUDA generally perform best. High-end cards like the RTX 4090 achieve the highest hash rates for most algorithms.
Q: Can hashcat crack bcrypt? A: Yes, but bcrypt is designed to be slow. Expect significantly lower speeds compared to fast hashes like MD5 or NTLM.
Q: Does hashcat support distributed cracking? A: hashcat itself runs on one machine. For distribution, use the brain server mode or external tools like Hashtopolis to coordinate multiple nodes.