Error. this hash is not supported yet

error. this hash is not supported yet

Why the image's hash and certificate are not allowed Generally, this error occurs while trying to install Linux CentOS on a virtual machine. Get-CimInstance: A general error occurred that is not covered by a get the hardware hash, we need to contact windows support to get. Hashcat reports "Status: Cracked", but did not print the hash value, and the outfile is empty. What happened?

Error. this hash is not supported yet - remarkable


This means for instance that the hash file comes before the word list, directory or mask. Swapping these parameters, e.g. hash file after the mask, is not supported.

If this is not the syntax error you have experience, please have a closer look at the --help output and search the wiki for more details about the syntax.

hashcat unpacks to 1GB or more, do I really need all the files?

It depends on your system, but usually you do not need all the files within the extracted hashcat folder. The most space is taken from the precompiled kernel files. There's is a kernel for each GPU type. When hashcat starts up it queries model from your GPU and loads the corresponding kernel for it. This ensures maximum performance.

Depending on if you have a Nvidia or AMD system, the bitness is also important. For NVidia systems there are kernels for 32 bit and 64 bit. So if you use a 64 bit system you don't need the 32 bit kernels at all and you can safely remove them.

But there is more. It's unlikely that you have all GPU types in a single system. You can safely remove those kernel files which correspond to GPUs that you do not have in your system. To find out which GPU you have, you can run:

$ ./hashcat.bin 00000000000000000000000000000000 ... Device #1: Kernel ./kernels/4318/m00000_a0.sm_52.64.ptx Device #2: Kernel ./kernels/4318/m00000_a0.sm_50.64.ptx Device #3: Kernel ./kernels/4318/m00000_a0.sm_21.64.ptx ...

On this system I have 3 graphic cards installed. One uses sm_21, one uses sm_50 and one uses sm_52. So I can safely remove all kernel that do not match this list (but only those with sm_xx within the file name for NVidia).

On AMD systems it's a bit different. They are distinguished by either VLIW1, VLIW4 and VLIW5. Basically you can say that all GCN (hd7970, R9 cards) cards are VLIW1. VLIW4 is for the 6xxx series and VLIW5 for the 5xxx series. That means, for example, you can typically remove all VLIW4 and VLIW5 kernel if you only have a hd7970 in your system (but only remove those kernels which have the VLIWx within the file name for AMD).

What does "Status: Exhausted" mean?

Exhausted simply means hashcat has tried every possible password combination in the attack you have provided, and failed to crack 100% of all hashes given. In other words, hashcat has finished doing everything you told it to do – it has exhausted its search to crack the hashes. You should run hashcat again with a different attack/word list/mask etc.

What is a hashcat mask file?

A hashcat mask file is a set of masks stored in a single plain text file with extension .hcmask.

The format of the lines is defined here: hashcat mask file

Each line of a .hcmask file could contain this information (the order of the fields is exactly as mentioned here):

  • --custom-charset1 (short -1, optional): define a custom char set which you can reference in the mask with ?1

  • --custom-charset2 (short -2, optional): define a custom char set which you can reference in the mask with ?2

  • --custom-charset3 (short -3, optional): define a custom char set which you can reference in the mask with ?3

  • --custom-charset4 (short -4, optional): define a custom char set which you can reference in the mask with ?4

  • mask (required): specify the mask

Each and every field mentioned above is separated by a comma (“,”, without quotes). If an optional field is not specified, the comma does not need and can't be written down, hence if you only want to specify a mask (without the optional custom char sets), the lines should look like this:

?u?l?l?l?l?s ?u?l?l?l?l?l?s ?l?l?l?l?l ?l?l?l?l?l?s

Note: all the custom char sets were not set here (-1, -2, -3, -4), nor used (?1, ?2, ?3, ?4), hence we only have 1 single field (and hence no commas).

On the other hand, if you for instance only need --custom-charset1 (or short -1), your lines would look something like this:

?l?d,?l?l?l?l?1 ?l?u,?1?1?1?1?1?1

Note: here the --custom-charset1 would be set to ?l?d with the first hashcat mask file line and to ?l?u with the second line (those 2 lines are independent). Also note that when the --custom-charset1 (or short -1) field was set, it should also be used within the mask with ?1. The opposite is also true, when you use a custom char set within the mask (?1) you should also set the --custom-charset1 (or short -1) field to a valid value.

If 2 custom char sets are needed, you would use something like this:


Note: here we set --custom-charset1 (or short -1) to ?l?d and --custom-charset2 (or short -2) to ?u?l and then use those custom char sets within the mask.

… and so on and so forth (up to the 4 supported custom char sets).

There are 4 important syntax rules:

  • if you use \, the comma will be seen by *hashcat as a literal character, i.e. the backward slash escapes the comma (which would otherwise be seen as a separator between the different fields: -1, -2, -3, -4 and the mask)

  • if you use # at the beginning of the line, the line will be treated as a comment and hence ignored

  • if you use \# at the beginning of the line, the # will be used literally as a character (since the backward slash escapes the # which otherwise would be seen as a comment)

  • if you want to use a question mark (“?”, without quotes) within your mask or within your custom charsets, you need to escape it with an additional question mark, i.e. ?? means that the question mark is used as a literal symbol

You can use .hcmask files as simple as this:

$ ./hashcat.bin -m 0 -a 3 md5_hash.txt my.hcmask

In other words, you simply specify the path to the .hcmask file at the position in the command line where you normally would use the single mask.

What exactly is a weak hash?

The weak hash detection is a special feature of hashcat. The goal of this feature is to notice if there is a hash whose plaintext is empty, that means a 0-length password. Typically when you just hit enter. We call it a weak-hash check even if it should have been called weak-password check but there are simply too many weak-passwords.

However, if your hashlist contains millions of salts we have to run a kernel for each salt. If you want to check for empty passwords for that many salts you will have a very long initialization/startup time by running hashcat. To work around this problem there is a parameter called "--weak-hash-threshold". With it you can set a maximum number of salts for which weak hashes should be checked on start. The default is set to 100, that means if you use a hashlist with 101 unique salts it will not try to do a weak-hash check at all. Note we are talking about unique salts not unique hashes. Cracking unsalted hashes results in 1 unique salt (an empty one). That means if you set it to 0 you are disabling it completely, also for the unsalted hashes.

What is a potfile?

The potfile stores which hashes were already cracked, and thus won't be cracked again.

The reason for this is that otherwise e.g. the output file (--outfile, -o) could contain the same and identical hash output again and again (if different attack types lead to the same password candidates which do match).

It also has an enormous effect on cracking salted hashes. If hashcat notices that all hashes which are bound to a specific salt are cracked, it's safe to not generate new guesses for this specific salt anymore. This means, for example, if you have 2 hashes with different salts and one is cracked, the speed is doubled. Now if you restart the session for any reason the potfile marks the one cracked hash as cracked and so the salt is marked as cracked. You startup with doubled guessing speed.

You can disable potfile support completely by using --potfile-disable. However we strongly recommend leaving it enabled. If you have a large list of salted hashes for example and you do not use --remove and for whatever reason you have to restart this cracking session all your bonus guessing speed is loss.

Note that using a potfile is very different from the idea which you have in mind when you are used to use --remove. Having a hashlist with only uncracked hashes is fine, but with potfile you can do the same if you use the --left switch. For example, if your cracking session is finished and you want to have a left list, you simply run:

$ ./hashcat.bin --left -o leftlist.txt -m 0 hash.txt

Now you have both, the original list and the left list.

It's also safe to copy (or append) the data from one potfile to another.

The potfile is stored in hashcat's profile folder with the name “hashcat.potfile”. You can override this path by using the --potfile-path parameter.

How can I identify the hash type?

There is no concrete method for identifying a hash algorithm using the hash alone.

Some hashes have signatures which give a strong indication of which algorithm was used, such as “$1$” for md5crypt. Usually you can rely on this information; however, this method of identification is not bullet-proof! For example, consider an algorithm such as crypt(sha256(pass), “$1$”).

For hashes which have no signature, it is virtually impossible to distinguish which algorithm was used. A string of 32 hex characters could be LM, NTLM, MD4, MD5, double MD5, triple md5, md5(sha512(pass)), so on and so forth. There is literally an infinite number of possibilities for what the algorithm may be!

Tools which claim to be able to identify hashes simply use regular expressions to match the hash against common patterns. This method is extremely unreliable and often yields incorrect results. It is best to avoid using such tools.

A much better way to identify the hash algorithm would be to understand the origin of the hashes (e.g. operating system, COTS application, web application, etc.) and make an educated guess at what the hash algorithm might be. Or better yet, use the source!

For some example hashes see the example hashes wiki page.

Hashcat reports "Status: Cracked", but did not print the hash value, and the outfile is empty. What happened?

If you see the line “INFO: removed X hashes found in pot file”, where X could be any number greater than 0, it means that you had already cracked the target hash during a previous run of this session. The hash will not be cracked again for the following reasons:

  • you already cracked the hash, hence cracking the same hash would be a waste of resources;

  • the potfile has already all the information to be able to show the password (use --show);

  • potfile support wasn't disabled, thus a check for every hash in your hash file (or the one hash in the command line) will be performed. If it was found in the .potfile, it will be marked as already cracked and will not be loaded by hashcat

The reason for not showing/storing the same crack is that it is a waste of resources to crack a single hash more than once and hashcat assumes that if it was already cracked, the user did already “see” the password. The potfile-reading feature (at startup) will check if some hashes within the hash list were already cracked and marked them as “already cracked” without trying to crack them again and again.

It is possible to show all the cracks with --show and this will show every previous cracks (stored within the .potfile). The path to the .potfile can be specified by the --potfile-path command line argument. This way it is possible that you use different .potfile files for each and every different hash list (the default name is “hashcat.potfile”).

It is possible to avoid the warning and the storage of all cracks by using --potfile-disable.

How can I show previously cracked passwords, and output them in a specific format (e.g. email:password)?

To accomplish this, you need to use the --show switch.

--show is always used after the hashes have been cracked; therefore, you only need (and should not specify more than) these command line arguments:

  • --show (required)

  • the hash type (optional, i.e. -m 0 is the default one)

  • the path to the pot file (--potfile-path, optional): specify a specific input .potfile (containing previous cracks)

  • user name (--username, optional): tell *hashcat that the hash file has user names / email addresses in the first field of each and every line

  • the output file (--outfile, -o, optional): file to store the output

  • the output format (--outfile-format, see --help for the possible values, optional): changes the way the output is shown, e.g. password only, password in hexadeximal, don't show hash etc

  • quiet mode (--quiet, optional): enables the quiet mode (does not show any extra info)

  • the original hash file (required): this needs to be the unmodified hash list, --remove does modify / delete hashes from the hash file


$ ./hashcat.bin -m 0 --show -o formatted_output.txt --outfile-format 2 original_MD5_hashes.txt

Note: You do not need – and should not specify – any mask, dictionary, wordlist directory, etc.

An example how this 2-fold process would look like is shown below:

1. crack the hashes:

$ ./hashcat.bin -m 0 --username --potfile-path md5.potfile original_MD5_hashes.txt rockyou.txt

2. output the hashes to a file with --show:

$ ./hashcat.bin -m 0 --username --potfile-path md5.potfile --show -o formatted_output.txt --outfile-format 2 original_MD5_hashes.txt

What is a keyspace?

Keyspace is the term used to refer to the number of possible combinations for a specified attack. In hashcat, it has a special meaning that is not exactly the same as the usual meaning. The output of --keyspace is designed to be used to distribute cracking, i.e. you can use the value from --keyspace and divide it into x chunks (best would be if the chunk size depends on the performance of your individual nodes if they are different) and use the -s/-l parameters for distributed cracking.

To tell devices which candidates to generate on GPU, hashcat keeps track of some of the candidates on the host. To do this, there are two loops: a loop that runs on the host (the “base loop”), and a loop that runs on the device (the “mod(ifier) loop.”)

To work between multiple compute nodes, hashcat must divide up and distribute portions of the base loop. This is where --keyspace, -s, and -l come into play. --keyspace reports the size of the base loop that executes on the host so that we know how to divide up the work. -s and -l control the start/stop positions of the base loop.

In other words, hashcat's --keyspace is specifically designed to optimize distribution of work, and is not a literal representation of the total possible keyspace for a given attack.

The keyspace is calculated according to the following formulas for each program:

hashcat legacy

  • -a 0 – number of words in wordlist

  • -a 0 + rules – number of words in wordlist multiplied by number of rules in rule file

  • -a 1 – number of words in wordlist multiplied by 2

  • -a 1 + rules – number of words in left_wordlist multiplied by number of words in right_wordlist multiplied by number of rules in rule file

  • -a 3 – multiply the number of possible characters in each mask position together

  • -a 5 – number of words in wordlist multiplied by number of entries in table

  • -a 8 – it's complicated


  • -a 0 – number of words in wordlist

  • -a 0 + rules – number of words in wordlist

  • -a 1 – number of words of the larger word list out of the 2 word lists specified (left_wordlist, right_wordlist)

  • -a 3 – multiply the number of possible characters in each mask position for the base loop mask, excluding the mod loop mask – please just use --keyspace switch ;)

  • -a 6 – number of words in wordlist (the left part, the dictionary, is most significant)

  • -a 7 – multiply the number of possible characters in each mask position (the left part, the mask, is most significant)

  • -a 9 – not really applicable, or “one” - only one candidate is applied to one hash

  • -a 9 + rules – not really applicable - basically just the number of rules in rule file

You can calculate the keyspace for a specific attack with the following syntax:

$ ./hashcat.bin -m 0 -a 0 example.dict -r rules/best64.rule --keyspace 129988

(Don't include the hashfile!)

See also this forum post.

How to deal with special non-latin characters (chinese, arabic, etc...) ?

Various languages use different character encodings. It may seem overwhelming that there are many different encoding types, many languages, and many different characters that exist. What you need to know when it comes to encoding is that most, if not all, hashing algorithms do not care about encoding at all. Hash algorithms just work with the single bytes a password is composed of. That means if you input a password that contains, for example, a German umlaut, this can result in multiple different hashes of the same unsalted algorithm. To further illustrate this, you will see three different hashes depending on whether you have used ISO-8859-1, utf-8 or utf-16.

There's no built-in character conversation in hashcat, but this doesn't mean you can not crack them:

So you need to solve this problem outside of hashcat / hashcat legacy. An easy solution would be to simply convert your wordlists with iconv:

$ iconv -f utf-8 -t iso-8859-1 < rockyou.txt xargs -0 rm -rf

  • Reboot

  • For Linux only: apt-get install ocl-icd-libopencl1 opencl-headers clinfo

  • Install the driver recommended on If it says *exact* it means exact.

    • For AMD GPUs on Linux, see ROCm instructions here.

  • Reboot

  • For Linux only: rm -rf ~/.hashcat/kernels

  • Reinstall hashcat, choose:

  • For Linux only: try to run “clinfo” first in your terminal

  • Try to run hashcat --benchmark

  • What does the cuModuleLoad() 209 error mean?

    Official SDK ErrorCode: CUDA_ERROR_NO_BINARY_FOR_GPU = 209

    This error can simply mean that the version of the driver that you have installed is too old:

    However, it can also be worse than just that. The 209 error means that there was no precompiled kernel found in an existing precompiled kernel container file (the ones that end with .ptx). This sometimes happens with new GPUs that are not yet supported by hashcat.

    • Solution: Please update your ForceWare driver to the latest one (not the recommended one)

    If the problem still exist:

    • Solution: Open an issue on github. We will add support for your GPU with the next release.

    What does the cuModuleLoad() 301 error mean?

    Official SDK ErrorCode: CUDA_ERROR_FILE_NOT_FOUND = 301

    You've unpacked the hashcat.7z archive using the command “7z e”. This destroys the directory structure.

    • Solution: Please use the x flag to decompress 7z archives. For example: “7z x”

    NVidia added a completely new ShaderModel which is not yet support by hashcat.

    • Solution: Please update your ForceWare driver to the latest one (not the recommended one)

    If the problem still exist:

    • Solution: Open an issue on github. We will add your GPU with the next release.

    What does the clGetPlatformIDs() -64 error mean?

    This is the typical error message you get when you're AMD driver installation is faulty. You need to reinstall the recommended driver (while making sure that there is no older driver libs conflicting with it).

    What does the clGetPlatformIDs() -1001 error mean?

    This is the typical error message you get when your AMD driver installation is faulty. You need to reinstall the recommended driver.

    What does the clGetDeviceIDs() -1 Error error message mean?

    Receiving this error means that hashcat could not detect any capable GPUs in your system. If you are positive that you have capable GPUs you can try the following suggestions to fix your system:

    • #define CL_DEVICE_NOT_FOUND -1

    • Are you logged in as the user who has opened the X session?

    • Did you use “export DISPLAY=:0”?

    • Do you have X Authority and/or disable X11 ACLs with “xhost +”?

    • Is your display manager configured correctly? (gdm example config: )

    • Did you use the recommended driver (for the hashcat version you use) mentioned on the download page? I may have the wrong driver installed, what should I do?

    What does the clBuildProgram() -11 error mean?

    Official SDK ErrorCode: CL_BUILD_PROGRAM_FAILURE -11

    This means you are using an incompatible driver version. Sometimes the structure inside the .llvmir archive changes. This is something the developers of hashcat have no influence on. This structure is dictated by the driver.

    What does the clCreateBuffer() -61 error mean?

    Official SDK ErrorCode: CL_INVALID_BUFFER_SIZE -61

    This is the typical “Out-Of-Memory” Error, and is not driver related. Note that this refers to your GPU memory, not host memory. Also note that there is a maximum allocation size which is typically only 256MB. That means even if your GPU has 4GB ram, hashcat is allowed only to allocate 256MB per buffer.


    • Reduce -n

    • Reduce -w

    • Reduce number of hashes

    What does the clEnqueueCopyBuffer() -30 error mean?

    Official SDK ErrorCode: CL_INVALID_VALUE -30

    This is not a driver related error. This error occurs mostly in cases where you are using too many rules. You can adjust the following parameters to reduce your total rule count:

    • decrease -g value

    • decrease number of -r stacks

    What does the cuStreamSynchronize() 702 error mean?

    This is the same error type as OpenCL -30 Error. It is not a driver related error. This error occurs mostly in cases where you are using too many rules. You can adjust the following parameters to reduce your total rule count:

    • decrease -g value

    • decrease number of -r stacks

    What does the error: FanSpeed_Get(): -5 mean?

    Official ADL SDK ErrorCode: ADL_ERR_INVALID_ADL_IDX -5

    The most likely reason of this problem is that hashcat could not perfectly map the found and supported OpenCL devices to the devices that the ADL (AMD Display Library) did find. The main problem here is that ADL and OpenCL do use some different means to describe/priorize/sort/name/identify the different devices.

    hashcat does some fuzzy matching to try matching those devices with the best accuracy possible, but still sometimes this fails. It could, for instance, fail when you have a multi-GPU setup where some devices are identical (same model/make etc), and you specify -d 1/-d 2.

    There is little hashcat can do to avoid this problem since the bus id and device id are sometimes the same (reported by OpenCL), even if we are dealing with 2 “different” (but similar) GPUs.

    A possible workaround is to set the fan manually to 100% and use --gpu-temp-disable flag in hashcat.

    What does the ADL_Overdrive5_Temperature_Get(): -1 error mean?

    Official ADL SDK ErrorCode: ADL_ERR -1

    The most likely reason for this problem is that hashcat could not perfectly map the found and supported OpenCL devices to the devices that the ADL (AMD Display Library) did find. ADL and OpenCL do use some different means to describe/priorize/sort/name/identify the different devices, which can contribute to this problem.

    hashcat does some fuzzy matching, due to the lack of a unique and consistent way to identify the devices, to try to match those devices with the best accuracy possible, but still sometimes this fails. It could, for instance, fail when you have a multi-GPU setup where some devices are identical (same model/make etc), and you specify -d 1/-d 2.

    There is little hashcat can do to avoid this problem since the bus id and device id are sometimes the same (reported by OpenCL), even if we are dealing with 2 “different” (but similar) GPUs.

    In this particular case, hashcat fails to get the temperature of the GPU which uses overdrive 5. This could be because the mapping somehow failed and the device is an overdrive 6 GPU instead or something similar.

    A possible workaround is to set the fan manually to 100% and use the --gpu-temp-disable flag in hashcat.

    I got this error message: undefined symbol: nvmlInit_v2 Error, what does it mean?

    This is simple. You are using a version of the Nvidia ForceWare driver that is way too old. It is time to update!

    What does the clEnqueueNDRangeKernel() : -4 : CL_MEM_OBJECT_ALLOCATION_FAILURE error mean?

    This is a typical error with AMD GPUs when using the packaged driver (*.deb package) as “/usr/lib/” is exchanged by the package.


    • completely purge fglrx

    • apt-get install --reinstall ocl-icd-libopencl1

    • service xdm stop

    • install driver (not package version: e.g.

    • reboot

    • service xdm stop

    • amdconfig --initial -f --adapter=all

    • reboot

    How can I use old hashcat/oclHashcat versions?

    We really encourage you to always use the latest and greatest version of hashcat. In general, it comes with several improvements, problem fixes, new features, better GPU support etc. In our opinion, there is only one valid reason to use older versions of hashcat: when AMD/NVidia dropped support for your graphics card and hashcat developers decided that it is more appropriate to support the newer generation cards (and hence support/optimize code for the more recent driver versions) instead of keeping support for no-longer supported GPUs.

    I see only the usage, it seems to be a syntax error. What should I do?

    First of all, look closely at the usage (see the Usage: line at the beginning of the --help output). It should say something like this:

    For hashcat:

    Usage: hashcat [options]... hash

    Hyper-V Boot Error: The Image’s Hash and Certificate Are not Allowed

    The Hyper-V Boot Error: ‘The Image’s Hash and Certificate Are not Allowed’ occurs while trying to install Linux CentOS on a virtual machine running on a Hyper-V server.

    Here at Bobcares, we have seen several such Hyper-V-related errors as part of our Server Management Services for web hosts and online service providers.

    Today we’ll take a look at the causes for this error and see the fix.


    Why the image’s hash and certificate are not allowed

    Generally, this error occurs while trying to install Linux CentOS on a virtual machine running on a Hyper-V server.

    The main reason for this error to occur is that the Hyper-V by default uses UEFI with Secure Boot mode enabled for its Generation 2 virtual machines.

    Secure Boot prevents the boot from an untrusted Linux bootloader in the ISO file. Thus this error occurs. For instance, the error appears as below.

    the image’s hash and certificate are not allowed


    How we resolve the error ‘image’s hash and certificate are not allowed’

    Now let’s take a look at the steps our Support Engineers follow to resolve this error.

    First, to start the installation, we disable Secure Boot in the virtual machine settings (Settings >> Security >> uncheck the option Enable Secure Boot).

    Or else we can leave Secure Boot enabled. But we prefer using Microsoft UEFI Certificate Authority template instead of Microsoft Windows. Because according to Microsoft, this template allows you to run Linux distros in the Secure Boot compatibility mode.

    Then we restart the VM and boot it again from the CentOS installation ISO image or another Linux distribution.


    In the same way, we manage the Secure Boot and templates setting of VM using PowerShell. We run the below command to get the current VM firmware settings.

    Here is the command we use to disable Secure Boot mode for the VM:

    Finally, in order to change the bootloader certificate validation template to the one compatible with most Linux distros:

    [Need any further assistance in fixing Hyper-V errors? – We are here to help you]



    In short, this error occurs while trying to install Linux CentOS on a virtual machine running on a Hyper-V server. Today, we saw the solution provided by our Support Engineers.


    Never again lose customers to poor server speed! Let us help you.

    Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.


    var google_conversion_label = "owonCMyG5nEQ0aD71QM";



    The Laravel facade provides secure Bcrypt and Argon2 hashing for storing user passwords. If you are using one of the Laravel application starter kits, Bcrypt will be used for registration and authentication by default.

    Bcrypt is a great choice for hashing passwords because its "work factor" is adjustable, which means that the time it takes to generate a hash can be increased as hardware power increases. When hashing passwords, slow is good. The longer an algorithm takes to hash a password, the longer it takes malicious users to generate "rainbow tables" of all possible string hash values that may be used in brute force attacks against applications.


    The default hashing driver for your application is configured in your application's configuration file. There are currently several supported drivers: Bcrypt and Argon2 (Argon2i and Argon2id variants).

    Basic Usage

    Hashing Passwords

    You may hash a password by calling the method on the facade:

    Adjusting The Bcrypt Work Factor

    If you are using the Bcrypt algorithm, the method allows you to manage the work factor of the algorithm using the option; however, the default work factor managed by Laravel is acceptable for most applications:

    Adjusting The Argon2 Work Factor

    If you are using the Argon2 algorithm, the method allows you to manage the work factor of the algorithm using the , , and options; however, the default values managed by Laravel are acceptable for most applications:

    For more information on these options, please refer to the official PHP documentation regarding Argon hashing.

    Verifying That A Password Matches A Hash

    The method provided by the facade allows you to verify that a given plain-text string corresponds to a given hash:

    Determining If A Password Needs To Be Rehashed

    The method provided by the facade allows you to determine if the work factor used by the hasher has changed since the password was hashed. Some applications choose to perform this check during the application's authentication process:

    md5sum d8e8fca2dc0f896fd7cb4cb0031ba249 - $ echo -n test ./hashcat.bin -m 2500 test.hccapx
    • Use princeprocessor. Same processes over a pipe:

    $ ./pp64.bin wordlist.txt ./hashcat.bin -m 0 -w 3 test.md5 -r rules/rockyou-30000.rule

    I have a half-known password. I know the first 4 letters, can hashcat get the rest of the password?

    Yeah that actually works, thanks to the mask attack! To understand how to make use of this information you really need to read and understand the mask-attack basics. So please read this article first: Mask Attack

    Now that you've read the Mask Attack article it's easy to explain. For example consider that you know that the first 4 chars of the password are “Pass” and you know that there's like 3 or 4 or 5 more letters following from which you do not know if they are letters, digits or symbols you can do the following mask:

    Pass?a?a?a?a?a -i

    To understand how this works with the incremental, please also read this article:

    I do not know the password length, how can I increment the length of the password candidates?

    Why are there two different hash-modes for Vbulletin?

    There are actually two different hash-modes for Vbulletin. Somewhere between version v3 and v4 they've changed the default salt-length from 3 characters to 30 characters. From a high-level programming language view this has no impact but from our low-level view this is really a difference. That's because of the block-modes used in many hashes, even in that case.

    Vbulletin uses a scheme that is simply written like this: md5(md5(pass).salt)

    So it first computes the md5 hash of the password itself and then it concatinates it with the salt. Since the software rely on PHP and the md5 function in PHP returns by default a ascii hex repesentation we have a total length in the final md5() transformation of length 32 + 30 = 62.

    The problem here is that 62 > 55 and 55 is the maximum buffer for a single md5 transformation call. What we actually need to do now, from low-level perspective, is to compute the hash using the buffer of 62 and then compute another md5 with a buffer nearly empty. That's RFC. That means for Vbulletin v3 we have to compute 2x md5 calls and for v4 we need 3x md5 calls while the scheme itself stayed untouched. In other words, from GPU kernel view this is a completely different algorithm and that's why they are two different hash-modes.

    How much faster is cracking on Linux compared to a Windows operating system?

    Not at all and that's true for both hashcat and hashcat legacy. Even the GPU drivers are equally good or bad (depends on how you see it).

    IOW, if you feel comfortable with Windows and all you want to do is to crack hashes you can stick to Windows.

    How can I perform a benchmark?

    If you want to find out the maximum performance of your setup under ideal conditions (single hash brute force), you can use the built-in benchmark mode.

    $ ./hashcat.bin -m 0 -b hashcat (v6.1.1) starting in benchmark-mode... ... Speed.#*.........: 15904.5 MH/s ...

    This mode is simply a brute force attack with a big-enough mask to create enough workload for your GPUs against a single hash of a single hash-type. It just generates a random, uncrackable hash for you on-the-fly of a specific hash-type. So this is basically the same as running:

    $ ./hashcat.bin -m 0 00000000000000000000000000000000 -w 3 -a 3 ?b?b?b?b?b?b?b ... Speed.#*.........: 15907.4 MH/s ...

    Please note the actual cracking performance will vary depending on attack type, number of hashes, number of salts, keyspace, and how frequently hashes are being cracked.

    The parameters you should consider when starting a benchmark are:

    • --benchmark (short -b, required): tell hashcat that it should perform a benchmark

    • --hash-type (short -m, default is to benchmark several important algorithms, optional): tell hashcat which hash types should be benchmarked

    • --benchmark-mode (default value is 1, value 0 means that you can tune with -u -n, optional): set the benchmark mode

    This means, that for instance a command as simple as this:

    $ ./hashcat.bin -b

    will give you a list of benchmark results for the most common hash types available in hashcat (with performance tuning, --benchmark-mode 1).

    My desktop lags too much, anything I can do to avoid it?

    In order to give the GPU more breathing room to handle the desktop you can set a lower (“-w 1”) workload profile:

    -w, --workload-profile=NUM Enable a specific workload profile, see references below * Workload Profile: 1 = Reduced performance profile (low latency desktop) 2 = Default performance profile 3 = Tuned performance profile (high latency desktop)$ ./hashcat.bin -m 0 -a 3 -w 1 example0.hash ?a?a?a?a?a?a?a?a?a?a

    However, be aware that this also will decrease your speed.

    Is the 64 bit version faster than the 32 bit version?

    • For hashcat legacy, yes. That is because the hashes are computed on CPU (and your CPU has most likely a 64 bit architecture).

    • For hashcat (by only using your GPUs), no. You can however allocate more memory and that might help with other problems.

    Generally you should use the 64 bit versions as these are the ones the developer use, too.

    What is it that you call "GPU power"?

    The GPU power is simply the amount of base-words (per GPU) which are computed in parallel per kernel invocation. Basically, it's just a number: S * T * N * V

    • S = Shader. You can see the number of shaders of your GPU on startup. For example, 32 on hd7970

    • T = 64 for AMD, 256 for NV

    • N = -n value, typically 256 if you use -w 3

    • V = vector-size, depends on hash-type. Typically 1, 2 or 4

    How to create more work for full speed?

    (short URL:

    This is a really important topic when working with Hashcat. Let me explain how Hashcat works internally, and why this is so important to understand.

    GPUs are not magic superfast compute devices that are thousands of times faster than CPUs – actually, GPUs are quite slow and dumb compared to CPUs. If they weren't, we wouldn't even use CPUs anymore; CPUs would simply be replaced with GPU architectures. What makes GPUs fast is the fact that there are thousands of slow, dumb cores (shaders.) This means that in order to make full use of a GPU, we have to parallelize the workload so that each of those slow, dumb cores have enough work to do. Password cracking is what is known as an “embarrassingly parallel problem” so it is easy to parallelize, but we still have to structure the attack (both internally and externally) to make it amenable to acceleration.

    For most hash algorithms (with the exception of very slow hash algorithms), it is not sufficient to simply send the GPU a list of password candidates to hash. Generating candidates on the host computer and transferring them to the GPU for hashing is an order of magnitude slower than just hashing on the host directly, due to PCI-e bandwidth and host-device transfer latency (the PCI-e copy process takes longer than the actual hashing process.) To solve this problem, we need some sort of workload amplifier to ensure there's enough work available for our GPUs. In the case of password cracking, generating password candidates on the GPU provides precisely the sort of amplification we need. In Hashcat, we accomplish this by splitting attacks up into two loops: a “base loop”, and a “mod(ifier) loop.” The base loop is executed on the host computer and contains the initial password candidates (the “base words.”) The mod loop is executed on the GPU, and generates the final password candidates from the base words on the GPU directly. The mod loop is our amplifier – this is the source of our GPU acceleration.

    What happens in the mod loop depends on the attack mode. For brute force, a portion of the mask is calculated in the base loop, while the remaining portion of the mask is calculated in the mod loop. For straight mode, words from the wordlist comprise the base loop, while rules are applied in the mod loop (the on-GPU rule engine that executes in the mod loop is our amplifier.) For hybrid modes, words from the wordlist comprise the base loop, while the brute force mask is processed in the mod loop (generating each mask and appending it to base words is our amplifier.)

    Without the amplifier, there is no GPU acceleration for fast hashes. If the base or mod loop keyspace is too small, you will not get full GPU acceleration. So the trick is providing enough work for full GPU acceleration, while not providing too much work that the job will never complete.

    More work for fast hashes

    As should be clear from the above, supplying more work for fast hashes is about *executing more of what you're doing on the GPUs*. There are a few ways to do this:

    * Use wordlist+rules. A few rules can help, but a few thousand can be the sweet spot. Test on your setup to find the combination that is more efficient for your attack. For straight mode against fast hashes, your wordlist should have at least 10 million words and you should supply at least 1000 rules.

    * Use masks. Masks execute on GPU, so mask-based attacks (including hybrid attacks) are useful here - but note that, much like rules, using too few can slow down your attack.

    More work for slow hashes

    Now, we mentioned above that this advice is for most hash algorithms, with the exception of very slow hash algorithms. Slow hash algorithms use some variety of compute-hardening techniques to make the hash computation more resource-intensive and more time-consuming. For slow hash algorithms, we do not need (nor oftentimes do we want) an amplifier to keep the GPU busy, as the GPU will be busy enough with computing the hashes. Using attacks without amplifiers often provide the best efficiency.

    Because we are very limited in the number of guesses we can make with slow hashes, you're often working with very small, highly targeted wordlists. However, sometimes this can have an inverse effect and result in a wordlist being too small to create enough parallelism for the GPU. There are two solutions for this:

    • Use rules, but not as an amplifier. Basically this means you feed Hashcat base words through a pipe:

    $ ./hashcat.bin --stdout wordlist.txt -r rules/best64.rule wordfiles ./hashcat.bin -m 2500 test.hccapx
    • Sometimes it can make sense to use maskprocessor. Note this should be used only for very small keyspaces!

    $ ./mp64.bin test?d?d?d?d?d?d sponge rockyou.txt.iso

    When using Brute Force, error. this hash is not supported yet, if you're fine to stick to ISO/codepage encodings there are special hashcat charsets that can be found in the charset/ folder:

    . ./special ./special/Slovak ./special/Slovak/sk_cp1250-special.hcchr ./special/Slovak/sk_ISO-8859-2-special.hcchr . etc

    Note: hashcat charset files (.hcchr) can be used like any other custom charsets (--custom-charset1, --custom-charset2, --custom-charset3, --custom-charset4).

    But cisco pppoe port error, nowadays a lot of sources use utf-8. This makes things a bit more complicated.

    Here's a nice blog-post of how to deal with utf-8 and utf-16 with hashcat legacy and hashcat:

    Most of this is about using --hex-charset or --hex-salt were you can define everything in hex. In the end, all character encodings will fall to this.

    Unfortunately there is no bullet-proofed way to know if a specific hash (or hash list) uses a specific encoding. The most straight-forward way would be to just try and crack some hashes with the encoding you think is most likely. But this could fail of course when you try with a very “different” encoding. To see if hashcat does indeed run the correct password candidates you want it to run, you can just create some example hashes and try to crack them with for instance a Dictionary-Attack or with a mask attack by using .hcchr files or --hex-charset.

    Why should I use a mask attack? I just want to "brute" these hashes!

    Read Mask attack. A mask attack is a modern and more advanced form of “brute force”.

    It can fully replace brute force, error. this hash is not supported yet, and at the same time mask attacks are more flexible and more capable than traditional brute force attacks.

    The general options you should consider/need are:

    1. --increment (optional): specifies that the length of the password candidates shouldn't be fixed, but increase in length

    2. --increment-min (optional): the minimum length for --increment (if --increment is used but --increment-min was not set, it defaults to 1)

    3. --increment-max (optional): the maximum length for --increment (if --increment is used but --increment-max was not set, it defaults to the length specified by the mask, see #4)

    4. --custom-charset1 (-1), --custom-charset2 (-2), --custom-charset3 (-3), --custom-charset4 (-4) (all optional): you can define custom charsets e.g. all lower letters together with all upper letters, plus all digits: --custom-charset1 ?u?l?d (Attention: this is just the definition of a custom charset, you need to use these custom charset definitions within the mask)

    5. mask (required): specifies the charsets (could be built-in or custom ones) and implicitly also the maximum length of the password candidates. If --increment option is not used, it specifies the fixed length (because min and max length would be set to the length implied directly from the mask length itself)

    An example command would therefore look something like this:

    $ ./hashcat.bin -m 0 -a 3 --increment --increment-min 4 --increment-max 6 hash.txt ?a?a?a?a?a?a?a?a

    Explanation: print designjet 800 error 86 01 -m 0: we set the hash type to MD5 (see Example hashes)

  • -a 3: set the attack mode to mask attack (see Mask attack)

  • --increment: enable incremental mode (see #1 above)

  • --increment-min 4: set the minimum length of the password candidates to 4 (in this case)

  • --increment-max 6: set the maximum length of the password candidates to 6 (in this case)

  • ?a?a?a?a?a?a?a?a: the mask is a 8 character long string of the built-in charset ?a (“all”, which includes lower and upper case characters, digits and special characters)

  • Note that even if the mask is of length 8 in this particular example the passwords candidates are limited by --increment-min and --increment-max and hence are of length 4 to 6.

    If --increment-max 6 was not specified, the maximum length would be implicitly set to 8 since the mask itself is of length 8.

    I do not know the password length, how can I increment the length of the password candidates?

    You can use --increment (or short -i), --increment-min and --increment-max.

    Make sure that the mask (which should always be set, is required) is at least the same length of the --increment-max value or the maximum password candidate length you want to try (if --increment-max was not specified).
    By the way, the value for --increment-max should also not be greater than the length of the mask, i.e. the main limiting factor is the mask length, after that --increment-max, if specified, will further limit the length of the password candidates.

    • Examples of correct commands:

    ./hashcat.bin -m 0 -a 3 -1 ?d?l --increment --increment-min 5 md5_hash.txt ?1?1?1?1?1?1?1?1

    Note: the limiting length is set by the mask (?1?1?1?1?1?1?1?1). Therefore you can think of this command as if there was an automatically added --increment-max 8. This means you do not need to specify --increment-max 8 if it can be automatically determinate by the mask length.

    ./hashcat.bin -m 0 -a 3 -i --increment-min 2 --increment-max 6 md5_hash.txt ?a?a?a?a?a?a?a?a

    Note: here --increment-max was indeed set to a value less than the mask length. This makes sense in some cases were you do not want to change the mask itself, i.e. leave the 8 position long mask as it was (?a?a?a?a?a?a?a?a), error. this hash is not supported yet.

    ./hashcat.bin -m 0 -a 3 -i --increment-min 6 --increment-max 8 md5_hash.txt ?a?a?a?a?a?a?a?a

    Note: it is even possible to set the --increment-max value to the same length of the mask even if the --increment-max value would be implied anyway by the mask length.

    ./hashcat.bin -m 0 -a 3 -i --increment-max 6 md5_hash.txt ?l?l?l?l?l?l?l?l?l?l

    Note: also --increment-min must not necessarily be set, if skipped it will start with length 1 (and if --weak-hash-threshold 0 was not set it will even start with length 0).

    • Examples of incorrect commands and reasons why they are incorrect:

    Attention: these are commands that should not be used, they do not work (there only purpose is to show you what is not accepted)

    ./hashcat.bin -m 0 -a 3 --increment --increment-max 8 md5_hash.txt ?a

    Note: this is the most common user error, i.e. the user did not understand that the winning limiting factor is always the mask length (here length 1). Even if --increment-max 8 was specified, the mask is too short and therefore hashcat can't increment that mask. The reason why is simple: mask attack is a per-position attack, error. this hash is not supported yet, each position can have its own charset. There is a strict requirement that the user specifies the charset for each position. If the custom or built-in charset was not specified for the (next) position, hashcat can not know what should be use as a charset and hence stops at the position where it was still clear what charset should be used (in this example it is length 1). The decision to stop and to refrain to imply charsets is made by the developers on purpose because otherwise (if hashcat would silently and magically determine a “next implied charset”) there could be strange errors and unexpected behavior.

    ./hashcat.bin -m 0 -a 3 --increment --increment-min 2 --increment-max 3 md5_hash.txt ?a

    Note: also here the value of --increment-max is not within the length of the mask. In addition, also --increment-min is incorrect here because its value is outside of the bounds too.

    ./hashcat.bin -m 0 -a 3 --increment --increment-min 6 --increment-max 10 md5_hash.txt ?a?a?a?a?a?a?a?a

    Note: always make sure that the length of the mask (in this case ?a?a?a?a?a?a?a?a) is long enough, in this case it must be at least of length 10 (it is ?a?a?a?a?a?a?a?a?a?a).

    ./hashcat.bin -m 0 -a 3 --increment --increment-min 4 --increment-max 3 md5_hash.txt ?a?a?a?a?a?a?a?a

    Note: the value of --increment-min must always be less or equal to the value of --increment-max. This is not satisfied here since 4 > 3.

    For more details about mask attack see Why should I use a mask attack? I just want to "brute" these hashes!

    I want to optimize my Brute-Force attack by ordering letters by frequency in a custom charset. How to do it? Does it make sense?

    That's clever, however note that hashcat uses markov-chain like optimizations which are (in theory) more efficient. You need to disable this feature to force hashcat to accept your special ordering. This can be done using --markov-disable parameter.

    I want to use rules, but there are three different parameters. When do I use -r, -j and -k?

    For the majority of times using “-r rulefile” is the one you want. It is used in a straight attack -a0 to manipulate a dictionary and will load one or more rule files containing multiple rulesets.

    If you are using combinator or hybrid attacks you can use -j and -k to manipulate either the left or the right side of the input.

    For example a combinator attack that toggles the first character of every input from the leftside.txt:

    $ ./hashcat.bin -a 1 example0.hash leftside.txt rigthside.txt -j T0

    How does one use several rules at once?

    Firstly, we need to distinguish 2 different cases:

    1. the rules you want to use should be applied: independently from each other, not chained/concatenated, but applied one after the other

    2. the rules you want to use should be applied: together as if they were (previously) combined with combinator.bin, e.g. all rules from the first .rule file are combined with all rules from the second .rule file

    For case number 1 you can just “cat” the individual files

    Note: it would be better to use some kind of duplicate removal instead, e.g. sort -u, but note also that sort -u does not necessarily remove all duplicates since the rule syntax allows for extra spaces and furthermore a set of 2 different rules may lead to similar or identical plains in some or all situations because it is possible that combination of different rules could be considered as identical even if they are not identical when comparing the rule “text”/strings.

    The following description will deal only with case number 2 (the rules should be chained, applied at the same time).

    hashcat allows for rule stacking. This can easily be achieved just by appending more rule files to your attack.

    Note: hashcat legacy does not support error. this hash is not supported yet. Only a single -r parameter is permitted.

    $ ./hashcat.bin -a 0 -m 0 -r rules/best64.rule -r rules/toggles2.rule hashlist.txt dict.txt

    Note: depending on the rules themselves, error. this hash is not supported yet, the order of the different -r arguments might be very important. You may need to double-check which -r parameter is the first one on the command line (this will be applied first), which should be the second one (this will be applied next), etc …

    OK, there is a hybrid attack for append mask and prepend mask, but what if I want to use both at the same time?

    To do this, you can use the rule-stacking feature of hashcat: How does one use several rules at once?

    For example, if you want to do odbc on error perl like ?d?dword?d?d, that is two digits both appended and prepended you can do the following:

    $ ./hashcat.bin hash.txt wordlist.txt -r rules/hybrid/append_d.rule -r rules/hybrid/append_d.rule -r rules/hybrid/prepend_d.rule -r rules/hybrid/prepend_d.rule

    Such rules exist for all the common charsets.

    You can easily create your own hybrid rules using maskproessor: rules_with_maskprocessor

    When I use --increment in hybrid attack how does that work?

    Given an attack

    $ ./hashcat.bin -a 6 example0.hash example.dict ?a?a?a?a?a --increment

    Hashcat iterates through the given mask until the full length is reached.

    Input.Left.: File (example.dict) Input.Right.: Mask (?a) [1] Hash.Target.: File (example0.hash)Input.Left.: File (example.dict) Input.Right.: Mask (?a?a) [2] Hash.Target.: File (example0.hash)Input.Left.: File (example.dict) Input.Right.: Mask (?a?a?a) [3] Hash.Target.: File (example0.hash)Input.Left.: File (example.dict) Input.Right.: Mask (?a?a?a?a) [4] Hash.Target.: File (example0.hash)Input.Left.: File (example.dict) Input.Right.: Mask (?a?a?a?a?a) [5] Hash.Target.: File (example0.hash)

    For more details about mask attack see Why should I use a mask attack? I just want to "brute" these hashes!

    How to use multiple dictionaries?

    If you use hashcat with a Dictionary attack (-a 0) you can specify several dictionaries on the command line like this:

    $ ./hashcat.bin -m 0 -a 0 hash.txt dict1.txt dict2.txt dict3.txt

    This list of wordlist is currently only allowed with -a 0 parameter. Note that this also works with so-called globbing (of error. this hash is not supported yet parameters and in this case paths/file names), since your operating system/the shell expands the command lines to (among others) full file paths:

    $ ./hashcat.bin -m 0 -a 0 hash.txt ./my_files/*.dict

    Furthermore, if you want to specify a directory directly instead, you could simply specify the path to the directory on the command line:

    $ ./hashcat.bin -m 0 -a 0 hash.txt wordlists

    Note: sometimes it makes sense to do some preparation of the input you want to use for hashcat (outside error. this hash is not supported yet hashcat). For instance, it sometimes makes sense to sort and unique the words across several dictionaries if you think there might be several “duplicates”:

    $ sort -u -o dict_sorted_uniqued.txt wordlists/*

    hashcat utils might also come handy to do some preparation of your wordlists (for instance the splitlen utility etc)

    Why are there 5 different toggle rules in the rules/ folder?

    You often hear the following: A great and simple way to make your password harder to crack is to use upper-case characters. This means you flip at least two characters of your password to upper-case. But note: don't flip them all. Try to find some balance between password length and number of upper-case characters.

    We can exploit this behavior leading to an extreme optimized version of the original Toggle-case attack by generating only all these password candidates that have two to five characters flipped to upper-case. The real strong passwords have this balance, they will not exceed this rule. So we don't need to check them.

    This can be done by specialized rules and since hashcat and hashcat legacy support rule-files, error. this hash is not supported yet can do toggle-attacks that way too.

    See rules/toggle[12345].rule

    Depending on the rule-name they include all possible toggle-case switches of the plaintext positions 1 to 15 of either 1, 2, 3, 4 or five 5 characters at once.

    When I run an attack with -a 3 and I do not specifying a mask, I see it working but what is it doing?

    The reason why there is no (syntax) error shown when you didn't specify any mask, is that hashcat/hashcat legacy have some default values for masks, custom charsets etc. This sometimes comes in very handy since the default values were chosen very wisely and do help some new users to get started very quickly.

    On the other hand, sometimes this “feature” of having some default values might confuse some users. For instance, the default mask, for good reasons, isn't set to a mask consisting of the built-in charsets ?a or even ?b which some users might expect, but instead it is an optimized mask which should (in general) crack many hashes without covering a way too large keyspace (see the default values page for the current default mask).

    This also implies that when you don't specify a mask explicitly, it could happen (and is very likely) that you do not crack some hashes which you might expect to be cracked immediately/easily (because of the reduced keyspace of the default mask). Therefore, we encourage you that you always should specify a mask explicitly to avoid confusion.

    If you still do not know how to do so, please read Why should I use a mask attack? I just want to "brute" these hashes!

    How does one use the new prince attack mode with hashcat legacy?

    Luckily, with latest version of hashcat legacy the attack-mode is built-in. You can simply use it using the -a 8 selection. Do not forget to name a wordlist, like rockyou.txt or so, error. this hash is not supported yet.

    For hashcat you need to use a pipe and the princeprocessor (standalone binary) from here:

    Then your simply pipe like this for slow hashes:

    $ ./pp64.bin rockyou.txt hccapxfile [dictionary md5sum d8e8fca2dc0f896fd7cb4cb0031ba249 - $ echo -n test error. this hash is not supported yet


    Leave a Comment