⚡ Hashcat Quick Reference

Hashcat is the world’s fastest password recovery utility. It supports a massive range of hashing algorithms and utilizes GPU acceleration to perform high-speed cracking. For Red Teamers, it is the primary tool for offline credential cracking once hashes are exfiltrated from SAM databases, AD NTDS.dit, or network captures.

🚀 Base Execution Command

The standard syntax for a dictionary attack:

# Usage: hashcat -m [MODE] [HASH_FILE] [WORDLIST]
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

📂 Most Used Hash Modes (Priority Lookup)

Active Directory & Windows

  • Mode 1000: NTLM (SAM Database, AD NTDS.dit, Mimikatz lsadump::lsa output)
  • Mode 5600: NetNTLMv2 (Captured via Responder, ntlmrelayx.py, or Inveigh)
  • Mode 13100: Kerberos 5, etype 23, TGS-REP (Used for Kerberoasting)
  • Mode 18200: Kerberos 5, etype 23, AS-REP (Used for AS-REP Roasting)
  • Mode 3000: HTTP Management (Apache MD5, IIS)

VPN & Network

  • Mode 5400: IKE-PSK (SHA1) - Traditional IPsec VPNs
  • Mode 25100: IKE-PSK (HMAC-SHA2-256) - Modern/Secure IPsec VPNs
  • Mode 22000: WPA-PBKDF2-PMKID/EAPOL (Modern WiFi cracking)
  • Mode 500: md5crypt, MD5 (Unix), Cisco-IOS - Cisco Type 5 Hash

Linux & System

  • Mode 1800: sha512crypt (Standard SHA-512 hashes in /etc/shadow)
  • Mode 500: md5crypt (Older MD5 hashes in /etc/shadow)
  • Mode 3200: bcrypt (Common in web app databases and modern Linux distros)

🛠️ Essential Optimization Flags

  • -a 0: Straight/Dictionary attack (Default)
  • -a 3: Brute-force attack (Uses masks)
  • --force: Ignore warnings (Useful in VMs without dedicated GPU drivers)
  • -O: Enable optimized kernels (Increases speed but limits password length)
  • -r: Apply a rule file (e.g., /usr/share/hashcat/rules/best64.rule) to mutate wordlists

🤖 Agent Integration (Add to claude.md)

Instruct the agent to check the hash format using hash-identifier or name-that-hash before starting hashcat. If the agent identifies an NTLM hash, it should prioritize Mode 1000. If it identifies a network capture, it should verify if it is NetNTLMv1 (Mode 5500) or v2 (Mode 5600) before running the command.