During the RockYou2024 leak in 2024, researchers found that billions of passwords could be recovered from their hashes in minutes, not hours, using modern GPU-accelerated tools. Hashcat is the tool professionals reach for first. This guide gets you from zero to cracking real hashes with GPU power, covering setup, attack modes, and what the output actually tells you.
Installing Hashcat and Verifying GPU Access
Hashcat is a fast, open-source password recovery tool that offloads hash computation to your GPU instead of your CPU — making it orders of magnitude faster for brute-force and dictionary attacks.
On a Debian-based system with an NVIDIA card, install the driver and Hashcat together:
sudo apt update
sudo apt install -y hashcat nvidia-driver-535
hashcat -I
The -I flag lists every OpenCL and CUDA device Hashcat detects. You should see output like this:
OpenCL Info:
============
OpenCL Platform #1
Name...: NVIDIA CUDA
Vendor.: NVIDIA Corporation
Backend Device #1
Name...........: NVIDIA GeForce RTX 4070
Processors.....: 36
Clock..........: 2475 MHz
Memory.Total...: 12288 MB
If your GPU appears here, you are ready. If you only see a CPU listed, your driver installation failed — reinstall the NVIDIA driver and rerun. A missing GPU means Hashcat falls back to CPU mode, which is roughly 100x slower for most hash types. That difference matters when you are working against a deadline on a pentest engagement.
Dictionary Attack Against an NTLM Hash Dump
Suppose you have recovered a credential dump from a domain controller on an internal assessment of corp-dc01.example.internal (192.0.2.10). Secretsdump pulled the following NTLM hash for user jmartinez:
jmartinez:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Each line of the dump follows the layout user:RID:LM hash:NT hash:::. The hash you care about is the NT portion, the fourth field: 8846f7eaee8fb117ad06bdd830b7586c. Save it to a file called ntlm.txt, then run a dictionary attack using the classic rockyou wordlist:
hashcat -m 1000 -a 0 ntlm.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
8846f7eaee8fb117ad06bdd830b7586c:Password1
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Time.Started.....: Mon Jun 30 09:14:22 2026
Time.Estimated...: 0 secs
Speed.#1.........: 18621.4 MH/s (17.34ms)
Guesses.Mask.....: N/A
Progress.........: 14344391/14344391 (100.00%)
Restore.Point....: 0/14344391 (0.00%)
The hash cracked to Password1 in under two seconds. Speed shows 18.6 billion hashes per second — that is what GPU acceleration looks like against NTLM. The next step in an engagement: test that credential with crackmapexec smb 192.0.2.10 -u jmartinez -p 'Password1' and check for lateral movement opportunities across the subnet.
Rule-Based Attack for Complex Passwords
Wordlists fail against passwords like S3cur!ty2026. This is where Hashcat rules shine. Rules are small transformation scripts — they capitalize letters, append numbers, substitute characters — massively expanding a wordlist without storing billions of extra words.
Hashcat ships with the best64.rule ruleset, which covers the most common human password mutations. Run a rule-based attack against a bcrypt hash recovered from a web app database on webapp01.example.internal (192.0.2.25):
hashcat -m 3200 -a 0 bcrypt.txt /usr/share/wordlists/rockyou.txt \
-r /usr/share/hashcat/rules/best64.rule --status --status-timer=10
Session..........: hashcat
Status...........: Running
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Speed.#1.........: 3217 H/s (8.94ms)
Progress.........: 32170/916001024 (0.00%)
Time.Estimated...: 3 days, 14 hours
Notice the speed drop — 3,217 hashes per second versus 18 billion for NTLM. Bcrypt is intentionally slow. That estimated time of 3+ days is the algorithm working as designed. At this point, a professional narrows the wordlist: pull the target company name, product names, and city from LinkedIn, build a custom wordlist with cewl, and re-run. Targeted wordlists beat generic ones against bcrypt every time.
The --status-timer=10 flag prints a live progress update every 10 seconds — essential for long jobs so you can kill and adjust strategy early rather than waiting hours for a miss.
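To make the rule mechanism described in this section concrete, here is an added example (not part of the original guide and not Hashcat's own code): a small Python interpreter for a subset of Hashcat rule functions (:, l, u, c, r, d, $X, ^X, sXY), used the way a password-policy check would use it, to test whether a proposed password is just a dictionary word plus common mutations. The WORDS and RULES lists and the function names are constructed for illustration and are not taken from best64.rule.

```python
# Added example: a small interpreter for a subset of Hashcat rule functions.
# WORDS and RULES are constructed sample data, not taken from best64.rule.

def apply_rule(rule, word):
    """Apply one rule line (functions run left to right) to a single word."""
    i = 0
    while i < len(rule):
        fn, i = rule[i], i + 1
        if fn in " :":                      # separator between functions / no-op
            continue
        nargs = {"$": 1, "^": 1, "s": 2}.get(fn, 0)
        args = rule[i:i + nargs]
        if len(args) != nargs:
            raise ValueError(f"rule {rule!r}: {fn!r} is missing an argument")
        i += nargs
        if fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":                     # capitalize first char, lowercase rest
            word = word[:1].upper() + word[1:].lower()
        elif fn == "r":
            word = word[::-1]
        elif fn == "d":
            word = word + word
        elif fn == "$":                     # $X: append X
            word = word + args
        elif fn == "^":                     # ^X: prepend X
            word = args + word
        elif fn == "s":                     # sXY: replace every X with Y
            word = word.replace(args[0], args[1])
        else:
            raise ValueError(f"rule {rule!r}: unsupported function {fn!r}")
    return word

def expand(words, rules):
    """Yield (candidate, word, rule) lazily; nothing is stored on disk."""
    for word in words:
        for rule in rules:
            yield apply_rule(rule, word), word, rule

def find_derivation(password, words, rules):
    """Return the (word, rule) pair that produces password, or None."""
    for candidate, word, rule in expand(words, rules):
        if candidate == password:
            return word, rule
    return None

WORDS = ["password", "security", "summer"]
RULES = [":", "c", "c $1", "u", "r", "d", "sa@ so0", "c se3 si! $2 $0 $2 $6"]

if __name__ == "__main__":
    for pw in ("Password1", "S3cur!ty2026", "kX9#vQ2m"):
        print(pw, "->", find_derivation(pw, WORDS, RULES))
```

Three words and eight rules yield 24 candidates generated on the fly, which is the expansion the section describes; a password that comes back with a derivation offers little more protection than its base word once the right rule is in the set.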
What To Do Now
Pull the example.hashes file bundled with every Hashcat installation (ls /usr/share/hashcat/examples/) and crack the MD5 example hashes with hashcat -m 0 -a 0 /usr/share/hashcat/examples/example.MD5 /usr/share/wordlists/rockyou.txt. Watch the speed counter, confirm your GPU is engaged, and then try the same hashes in CPU-only mode with --opencl-device-types 1 to see the real performance gap. That single comparison will permanently change how you think about password storage policies.
