.\" Hey, EMACS: -*- nroff -*- .\" (C) Copyright 2016 Daniel Echeverry , .\" .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH Hashcat 1 "February 20 2020" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME hashcat \- Advanced CPU-based password recovery utility .SH SYNOPSIS .B hashcat .RI [ options ] " hashfile " [mask|wordfiles|directories] .br .SH DESCRIPTION Hashcat is the world’s fastest CPU-based password recovery tool. While it's not as fast as its GPU counterpart oclHashcat, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches. Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool, Examples of hashcat supported hashing algorithms are Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX. .PP .\" TeX users may be more comfortable with the \fB\fP and .\" \fI\fP escape sequences to invode bold face and italics, .\" respectively. .SH OPTIONS .TP .B \-h, \-\-help Show summary of options. .TP .B \-V, \-\-version Show version of program. .TP .B \-m, \-\-hash\-type=NUM Hash-type, see references below .TP .B \-a, \-\-attack\-mode=NUM Attack-mode, see references below .TP .B \-\-quiet Suppress output .TP .B \-\-force Ignore warnings .TP .B \-\-stdin\-timeout\-abort Abort if there is no input from stdin for X seconds .TP .B \-\-machine\-readable Display the status view in a machine-readable format .TP .B \-\-keep\-guessing Keep guessing the hash after it has been cracked .TP .B \-\-self\-test\-disable Disable self\-test functionality on startup .TP .B \-\-loopback Add new plains to induct directory .TP .B \-b, \-\-benchmark Run benchmark .TP .B \-\-hex\-salt Assume salt is given in hex .TP .B \-\-hex\-charset Assume charset is given in hex .TP .B \-\-hex\-wordlist Assume words in wordlist are given in hex .TP .B \-\-runtime=NUM Abort session after NUM seconds of runtime .TP .B \-\-status Enable automatic update of the status-screen .TP .B \-\-status\-timer=NUM Seconds between status-screen update .TP .B \-o, \-\-outfile=FILE Define outfile for recovered hash .TP .B \-\-outfile\-format=NUM Define outfile-format for recovered hash, see references below .TP .B \-\-outfile\-autohex\-disable Disable the use of $HEX[] in output plains .TP .B \-p, \-\-separator=CHAR Define separator char for hashlists/outfile .TP .B \-\-show Show cracked passwords only (see \-\-username) .TP .B \-\-left Show uncracked passwords only (see \-\-username) .TP .B \-\-username Enable ignoring of usernames in hashfile (Recommended: also use \-\-show) .TP .B \-\-remove Enable remove of hash once it is cracked .TP .B \-\-stdout Stdout mode .TP .B \-\-potfile\-disable Do not write potfile .TP .B \-\-debug\-mode=NUM Defines the debug mode (hybrid only by using rules), see references below .TP .B \-\-debug\-file=FILE Output file for debugging rules (see \-\-debug\-mode) .TP .B \-c, \-\-segment\-size=NUM Size in MB to cache from the wordfile .TP .B \-r, \-\-rules\-file=FILE Rules-file use: \-r 1.rule .TP .B \-g, \-\-generate\-rules=NUM Generate NUM random rules .TP .B \-\-generate\-rules\-func\-min=NUM Force NUM functions per random rule min .TP .B \-\-generate\-rules\-func\-max=NUM Force NUM functions per random rule max .TP .B \-\-generate\-rules\-seed=NUM Force RNG seed to NUM .TP .B \-1, \-\-custom\-charset1=CS User-defined charsets example \-\-custom\-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef \-1 mycharset.hcchr : sets charset ?1 to chars contained in file .TP .B \-2, \-\-custom\-charset2=CS User-defined charsets example \-\-custom\-charset2=?dabcdef : sets charset ?2 to 0123456789abcdef \-2 mycharset.hcchr : sets charset ?2 to chars con$ .TP .B \-3, \-\-custom\-charset3=CS User-defined charsets example \-\-custom\-charset3=?dabcdef : sets charset ?3 to 0123456789abcdef \-3 mycharset.hcchr : sets charset ?3 to chars con$ .TP .B \-4, \-\-custom\-charset4=CS User-defined charsets example \-\-custom\-charset4=?dabcdef : sets charset ?4 to 0123456789abcdef \-4 mycharset.hcchr : sets charset ?4 to chars con$ .TP .B \-\-increment Enable increment mode .TP .B \-\-increment\-min=NUM Start incrementing at NUM .TP .B \-\-increment\-max=NUM Stop incrementing at NUM .TP .B \-\-markov\-hcstat2 Specify hcstat2 file to use .TP .B \-\-markov\-disable Disables markov\-chains, emulates classic brute\-force .TP .B \-\-markov\-classic Enables classic markov\-chains, no per\-position .TP .B \-t, \-\-markov\-threshold Threshold X when to stop accepting new markov\-chains .TP .B \-\-session=STR Define specific session name .TP .B \-\-restore Restore session from --session .TP .B \-\-restore\-disable Do not write restore file .TP .B \-\-restore\-file\-path=FILE Specific path to restore file .TP .B \-\-outfile\-check\-timer=NUM Sets seconds between outfile checks to X .TP .B \-\-wordlist\-autohex\-disable Disable the conversion of $HEX[] from the wordlist .TP .B \-\-remove\-timer=NUM Update input hash file each X seconds .TP .B \-\-potfile\-path=FILE Specific path to potfile .TP .B \-\-encoding\-from=CODE Force internal wordlist encoding from X .TP .B \-\-encoding\-to=CODE Force internal wordlist encoding to X .TP .B \-\-induction\-dir=DIR Specify the induction directory to use for loopback .TP .B \-\-outfile\-check\-dir=DIR Specify the outfile directory to monitor for plains .TP .B \-\-logfile\-disable Disable the logfile .TP .B \-\-hccapx\-message\-pair=NUM Load only message pairs from hccapx matching X .TP .B \-\-nonce\-error\-corrections=NUM The BF size range to replace AP's nonce last bytes .TP .B \-\-keyboard\-layout\-mapping=FILE Keyboard layout mapping table for special hash\-modes .TP .B \-\-truecrypt\-keyfiles=FILE Keyfiles to use, separated with commas .TP .B \-\-veracrypt\-keyfiles=FILE Keyfiles to use, separated with commas .TP .B \-\-veracrypt\-pim=NUM VeraCrypt personal iterations multiplier .TP .B \-\-benchmark\-all Run benchmark of all hash\-modes .TP .B \-\-speed\-only Return expected speed of the attack, then quit .TP .B \-\-progress\-only Return ideal progress step size and time to process .TP .B \-\-bitmap\-min=NUM Sets minimum bits allowed for bitmaps to X .TP .B \-\-bitmap\-max=NUM Sets maximum bits allowed for bitmaps to X .TP .B \-\-cpu\-affinity=STR Locks to CPU devices, separated with commas .TP .B \-\-example\-hashes Show an example hash for each hash-mode .TP .B \-I, \-\-opencl\-info Show info about detected OpenCL platforms/devices .TP .B \-\-opencl\-platforms=STR OpenCL platforms to use, separated with commas .TP .B \-d, \-\-opencl\-devices=STR OpenCL devices to use, separated with commas .TP .B \-D, \-\-opencl\-device\-types=STR OpenCL device\-types to use, separated with commas .TP .B \-\-opencl\-vector\-width=NUM Manually override OpenCL vector\-width to X .TP .B \-O, \-\-optimized\-kernel\-enable Enable optimized kernels (limits password length) .TP .B \-w, \-\-workload\-profile=NUM Enable a specific workload profile, see pool below .TP .B \-n, \-\-kernel\-accel=NUM Manual workload tuning, set outerloop step size to X .TP .B \-u, \-\-kernel\-loops=NUM Manual workload tuning, set innerloop step size to X .TP .B \-T, \-\-kernel\-threads=NUM Manual workload tuning, set thread count to X .TP .B \-\-spin\-damp=NUM Use CPU for device synchronization, in percent .TP .B \-\-hwmon\-disable Disable temperature and fanspeed reads and triggers .TP .B \-\-hwmon\-temp\-abort=NUM Abort if temperature reaches X degrees Celsius .TP .B \-\-scrypt\-tmto=NUM Manually override TMTO value for scrypt to X .TP .B \-s, \-\-skip=NUM Skip X words from the start .TP .B \-l, \-\-limit=NUM Limit X words from the start + skipped words .TP .B \-\-keyspace Show keyspace base:mod values and quit .TP .B \-j, \-\-rule\-left RULE Single rule applied to each word from left wordlist .TP .B \-k, \-\-rule\-right RULE Single rule applied to each word from right wordlist .TP .B \-S, \-\-slow\-candidates Enable slower (but advanced) candidate generators .TP .B \-\-brain\-server Enable brain server .TP .B \-z, \-\-brain\-client Enable brain client, activates -S .TP .B \-\-brain\-client\-features=NUM Define brain client features, see below .TP .B \-\-brain\-host=STR Brain server host (IP or domain) .TP .B \-\-brain\-port=PORT Brain server port .TP .B \-\-brain\-password=STR Brain server authentication password .TP .B \-\-brain\-session=HEX Overrides automatically calculated brain session .TP .B \-\-brain\-session\-whitelist=HEX Allow given sessions only, separated with commas .SH Permutation attack\-mode options .PP .PP .SH Outfile formats .PP 1 = hash[:salt] .br 2 = plain .br 3 = hash[:salt]:plain .br 4 = hex_plain .br 5 = hash[:salt]:hex_plain .br 6 = plain:hex_plain .br 7 = hash[:salt]:plain:hex_plain .br 8 = crackpos .br 9 = hash[:salt]:crack_pos .br 10 = plain:crack_pos .br 11 = hash[:salt]:plain:crack_pos .br 12 = hex_plain:crack_pos .br 13 = hash[:salt]:hex_plain:crack_pos .br 14 = plain:hex_plain:crack_pos .br 15 = hash[:salt]:plain:hex_plain:crack_pos .SH Debug mode output formats (for hybrid mode only, by using rules) .PP 1 = save finding rule .br 2 = save original word .br 3 = save original word and finding rule .br 4 = save original word, finding rule and modified plain .SH Built-in charsets .PP ?l = abcdefghijklmnopqrstuvwxyz .br ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ .br ?d = 0123456789 .br ?h = 0123456789abcdef .br ?H = 0123456789ABCDEF .br ?s = !"#$%&'()*+,\-./:;<=>?@[\]^_`{|}~ .br ?a = ?l?u?d?s .br ?b = 0x00 \- 0xff .SH Attack mode .PP 0 = Straight .br 1 = Combination .br 3 = Brute\-force .br 6 = Hybrid Wordlist + Mask .br 7 = Hybrid Mask + Wordlist .SH Hash types .PP 0 = MD5 .br 10 = md5($pass.$salt) .br 20 = md5($salt.$pass) .br 30 = md5(unicode($pass).$salt) .br 40 = md5($salt.unicode($pass)) .br 50 = HMAC\-MD5 (key = $pass) .br 60 = HMAC\-MD5 (key = $salt) .br 100 = SHA1 .br 110 = sha1($pass.$salt) .br 120 = sha1($salt.$pass) .br 130 = sha1(unicode($pass).$salt) .br 140 = sha1($salt.unicode($pass)) .br 150 = HMAC\-SHA1 (key = $pass) .br 160 = HMAC\-SHA1 (key = $salt) .br 200 = MySQL323 .br 300 = MySQL4.1/MySQL5 .br 400 = phpass, MD5(Wordpress), MD5(phpBB3), MD5(Joomla) .br 500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco\-IOS MD5 .br 900 = MD4 .br 1000 = NTLM .br 1100 = Domain Cached Credentials (DCC), MS Cache .br 1400 = SHA256 .br 1410 = sha256($pass.$salt) .br 1420 = sha256($salt.$pass) .br 1430 = sha256(unicode($pass).$salt) .br 1431 = base64(sha256(unicode($pass))) .br 1440 = sha256($salt.unicode($pass)) .br 1450 = HMAC\-SHA256 (key = $pass) .br 1460 = HMAC\-SHA256 (key = $salt) .br 1600 = md5apr1, MD5(APR), Apache MD5 .br 1700 = SHA512 .br 1710 = sha512($pass.$salt) .br 1720 = sha512($salt.$pass) .br 1730 = sha512(unicode($pass).$salt) .br 1740 = sha512($salt.unicode($pass)) .br 1750 = HMAC\-SHA512 (key = $pass) .br 1760 = HMAC\-SHA512 (key = $salt) .br 1800 = SHA\-512(Unix) .br 2400 = Cisco\-PIX MD5 .br 2410 = Cisco\-ASA MD5 .br 2500 = WPA/WPA2 .br 2600 = Double MD5 .br 3200 = bcrypt, Blowfish(OpenBSD) .br 3300 = MD5(Sun) .br 3500 = md5(md5(md5($pass))) .br 3610 = md5(md5($salt).$pass) .br 3710 = md5($salt.md5($pass)) .br 3720 = md5($pass.md5($salt)) .br 3800 = md5($salt.$pass.$salt) .br 3910 = md5(md5($pass).md5($salt)) .br 4010 = md5($salt.md5($salt.$pass)) .br 4110 = md5($salt.md5($pass.$salt)) .br 4210 = md5($username.0.$pass) .br 4300 = md5(strtoupper(md5($pass))) .br 4400 = md5(sha1($pass)) .br 4500 = Double SHA1 .br 4600 = sha1(sha1(sha1($pass))) .br 4700 = sha1(md5($pass)) .br 4800 = MD5(Chap), iSCSI CHAP authentication .br 4900 = sha1($salt.$pass.$salt) .br 5000 = SHA\-3(Keccak) .br 5100 = Half MD5 .br 5200 = Password Safe SHA-256 .br 5300 = IKE\-PSK MD5 .br 5400 = IKE\-PSK SHA1 .br 5500 = NetNTLMv1\-VANILLA / NetNTLMv1\-ESS .br 5600 = NetNTLMv2 .br 5700 = Cisco\-IOS SHA256 .br 5800 = Android PIN .br 6300 = AIX {smd5} .br 6400 = AIX {ssha256} .br 6500 = AIX {ssha512} .br 6700 = AIX {ssha1} .br 6900 = GOST, GOST R 34.11\-94 .br 7000 = Fortigate (FortiOS) .br 7100 = OS X v10.8+ .br 7200 = GRUB 2 .br 7300 = IPMI2 RAKP HMAC\-SHA1 .br 7400 = sha256crypt, SHA256(Unix) .br 7900 = Drupal7 .br 8400 = WBB3, Woltlab Burning Board 3 .br 8900 = scrypt .br 9200 = Cisco $8$ .br 9300 = Cisco $9$ .br 9800 = Radmin2 .br 10000 = Django (PBKDF2\-SHA256) .br 10200 = Cram MD5 .br 10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA\-1 .br 11000 = PrestaShop .br 11100 = PostgreSQL Challenge\-Response Authentication (MD5) .br 11200 = MySQL Challenge\-Response Authentication (SHA1) .br 11400 = SIP digest authentication (MD5) .br 99999 = Plaintext .SH Specific hash type .PP 11 = Joomla < 2.5.18 .br 12 = PostgreSQL .br 21 = osCommerce, xt:Commerce .br 23 = Skype .br 101 = nsldap, SHA\-1(Base64), Netscape LDAP SHA .br 111 = nsldaps, SSHA\-1(Base64), Netscape LDAP SSHA .br 112 = Oracle S: Type (Oracle 11+) .br 121 = SMF > v1.1 .br 122 = OS X v10.4, v10.5, v10.6 .br 123 = EPi .br 124 = Django (SHA\-1) .br 131 = MSSQL(2000) .br 132 = MSSQL(2005) .br 133 = PeopleSoft .br 141 = EPiServer 6.x < v4 .br 1421 = hMailServer .br 1441 = EPiServer 6.x > v4 .br 1711 = SSHA-512(Base64), LDAP {SSHA512} .br 1722 = OS X v10.7 .br 1731 = MSSQL(2012 & 2014) .br 2611 = vBulletin < v3.8.5 .br 2612 = PHPS .br 2711 = vBulletin > v3.8.5 .br 2811 = IPB2+, MyBB1.2+ .br 3711 = Mediawiki B type .br 3721 = WebEdition CMS .br 7600 = Redmine Project Management Web App .PP .SH AUTHOR hashcat was written by Jens Steube .PP This manual page was written by Daniel Echeverry , for the Debian project (and may be used by others).