Tutorial

Hashcat tips & tricks

Hashcat is the GPU-accelerated counterpart to John the Ripper. It is fast — up to 100x faster than CPU-only JtR on fast hashes — but slightly fiddlier to configure.

Attack modes

Every Hashcat run takes an -a attack mode:

  • -a 0 — straight wordlist
  • -a 1 — combination (word1 + word2)
  • -a 3 — mask attack (templated brute-force)
  • -a 6 — wordlist + mask (hybrid)
  • -a 7 — mask + wordlist (hybrid, reversed)

Common mode numbers

Hashcat identifies hash formats by number (-m). A few of the most useful:

  -m           Format
  0            MD5
  100          SHA-1
  1400         SHA-256
  1700         SHA-512
  1000         NTLM
  3200         bcrypt
  9400–9600    Office 2007 / 2010 / 2013
  13600        WinZip (AES)
  13000        RAR5

Example: wordlist + rules

hashcat -a 0 -m 0 hash.txt rockyou.txt -r rules/best64.rule

The best64.rule file ships with Hashcat and applies a curated set of 64 common transformations to every candidate.

Example: mask attack

Mask attacks are brute-force with a template. Charset tokens: ?l lowercase, ?u upper, ?d digit, ?s symbol, ?a all.

# quote the mask so the shell does not expand ? as a filename wildcard
hashcat -a 3 -m 1400 hash.txt '?u?l?l?l?l?l?d?d'

That searches Passwo12, Summer25, and 2.6 billion similar candidates.
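When auditing a password policy, it helps to check which passwords fall inside a mask's search space and how large that space is. The sketch below is an added example, not part of the original tutorial or of Hashcat's code; it handles only the charset tokens listed above plus literals, and the function names and sample passwords are made up for illustration.

```python
import string

# Built-in charsets named in this tutorial (custom ?1-?4 sets are not handled).
# ?s is space plus ASCII punctuation (33 chars); ?a is ?l?u?d?s (95 chars).
SYMBOLS = " " + string.punctuation
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": SYMBOLS,
}
CHARSETS["a"] = "".join(CHARSETS.values())

def parse_mask(mask):
    """Return one set of allowed characters per password position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append({mask[i]})      # literal character in the mask
            i += 1
            continue
        token = mask[i + 1:i + 2]            # empty string if '?' ends the mask
        if token == "?":
            positions.append({"?"})          # '??' is a literal question mark
        elif token in CHARSETS:
            positions.append(set(CHARSETS[token]))
        else:
            raise ValueError(f"unsupported or dangling token at offset {i}")
        i += 2
    return positions

def keyspace(mask):
    """Number of candidates the mask generates."""
    total = 1
    for allowed in parse_mask(mask):
        total *= len(allowed)
    return total

def covered(password, mask):
    """True if a mask attack with this mask would eventually try password."""
    positions = parse_mask(mask)
    return len(password) == len(positions) and all(
        ch in allowed for ch, allowed in zip(password, positions))

if __name__ == "__main__":
    mask = "?u?l?l?l?l?l?d?d"
    print("keyspace:", keyspace(mask))
    # Constructed sample passwords, not real data.
    for pw in ["Summer25", "Passwo12", "summer25", "Summer2025"]:
        print(pw, "covered" if covered(pw, mask) else "not covered")
```

Dividing the keyspace by the guess rate measured on your own hardware for the hash type in question gives the worst-case time to exhaust the mask.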

Status and resume

Press s during a run for status. Press p to pause, r to resume, q to quit. Hashcat writes a .restore file to resume later:

hashcat --session=run1 -a 0 -m 0 hash.txt rockyou.txt
# interrupt, then:
hashcat --session=run1 --restore

Related

Prefer CPU-only tooling with broad format support? See our John the Ripper tutorial.