Kali Linux

How to Use Hashcat in Kali Linux?

Kali Linux is well-liked in pen testing, ethical hacking, and security auditing Linux-based operating systems. It provides over 600 tools for testing and security purposes and Hashcat is one of them. Hashcat is a pre-install Kali Linux password cracking tool that permits ethical hackers to crack the password and also helps in recovering forgotten user passwords. It can crack even complex passwords in very little time.

This blog will demonstrate:

How to Install Hashcat in Kali Linux?

Hashcat is an ethical hacking tool that is used by cybersecurity professionals for password cracking. It uses brute force and many other hashing algorithms to crack hashes or convert hashes to passwords. For this purpose, it uses different types of attacking modes. Hashcat is preinstalled in Kali Linux. In case, if it is not installed on Kali, install it by following the below steps.

Step 1: Update Kali

First, update the Kali to the latest rolling release using the “apt update” command:

sudo apt update

Step 2: Install Hashcat

Now, install the hashcat package in Kali using the “apt install hashcat” command:

sudo apt install hashcat

Step 3: Check the Hashcat Manual

To check the hashing algorithm code or to choose hashcat’s attack modes, check its manual using the below command:

man hashcat

Attacking Mode

Here, you can see different attacking modes are available in the hashcat tool. A short description of these modes is as follows:

  • Straight: Try to crack the password from a provided word list.
  • Combination: Try to crack passwords by combining words from multiple wordlists.
  • Brute-force: It applies the brute force technique and tries each character from the provided charset.
  • Hybrid Wordlist + Mask: It combines wordlist and mask
  • Hybrid Mask + Wordlist: It also combines mask and wordlist.
  • Association Attack: It uses combinations of hints that are associated with a particular user password or field such as username, any personal information or file name:

Hash Types

The types of hashes that are required to be cracked are stated in Hash types. The code of the hash type is used to crack the hashed password:

How to Use Hashcat in Kali Linux?

Hashcat uses CPU and GPU crackers in Kali Linux that efficiently crack the password from provided hashes. If you are using Kali Linux on a virtual machine, you are unable to fully use GPU crackers. However, hashcat works fine with CPU mode as well. To use hashcat either on the Kali system or the Kali virtual machine, the user must have at least 4 to 8 GB of RAM.

Let’s try to understand the use of Hashcat for password hacking by taking an example of a WordPress Website. Let’s suppose the user forgets the admin account password and is now unable to access the website dashboard as shown below:

Now, we will use the hashcat tool to recover the WordPress website admin’s forgotten password. For proper demonstration, follow the below procedure.

Step 1: Get Hashed Password

Admin users definitely have access to the WordPress database. Let’s get the encrypted hashed passwords of website users from the database:

Step 2: Save the Hashed Password in the Text File

Next, save the password hashes into a text file. Here, we are creating the “hashpass.txt” file in the “Desktop” directory by using the nano editor:

sudo nano hashpass.txt

Save the password that is converted into hashes in the “hashpass.txt” file. For demonstration, we have saved three passwords that were already converted into hashed through the “MD5” hashing algorithm:

To save the file, press “CTRL+S” and to shut down the editor, use “CTRL+X”.

Step 3: Provide WordList Dictionary

Next, provide the wordlist dictionary from where the hashcat will try to match the hashes of words with the provided password hashes in the “hashpass.txt” file. For the demonstration, we will create our own wordlist that will contain 12 different passwords:

sudo nano passdic.txt

Here, we have saved different combinations of passwords in our “passdic.txt” wordlist. The user can also use Kali’s provided wordlist which is explained in below section:

Step 4: Crack the Password

Now, crack the password using the “hashcat -a <attack mode> -m <hash-type> <path-to-hashpass.txt> <path-to-wordlist>” command:

hashcat -a 0 -m 0 hashpass.txt passdic.txt

Here, “-a 0” means we have used “Straight attack mode” and “-m 0” means we are converting MD5 hashes into passwords. So, we will apply the “MD5” hashing algorithm to match the hashes of “hashpass.txt” to the provided wordlist (passdic.txt):

Here, you can see we have effectively cracked the website password from the provided password hashes:

Step 5: Verification

For verification, let’s try the admin password “admin@123” to access the WordPress website:

Here, you can see we have successfully recovered the forgotten password using Kali’s hashcat tool:

Bonus Tip: How to Use Kali’s Wordlists for Password Cracking

Kali Linux also provides a pre-installed Wordlist that will be used to crack different types of passwords. This wordlist contains millions of words and password combinations. To use Kali’s “rockyou.txt” wordlist for password cracking, follow the below steps.

Step 1: Open “wordlists” Directory

To open the “wordlists” directory, utilize the given command:

cd /usr/share/wordlists

Next, run the “ls” to view all files and directories of Kali’s “wordlists” directory. Here, different types of passwords or word lists are available. To track the normal or straight passwords such as user account passwords, you can use the “rockyou.txt” file:

Step 2: Unzip the “rockyou.txt.gz” File

To use the “rockyou.txt” file in the hashcat tool, first, unzip the file using the “gzip -d rockyou.txt.gz” command. This action may require “sudo” user rights:

sudo gzip -d rockyou.txt.gz

Step 3: Crack the Password

Now, use the hashcat command to crack the password.

hashcat -a 0 -m 0 hashpass.txt /usr/share/wordlists/rockyou.txt

Here, you can see this time we have used the “rockyou.txt” file instead of a personal wordlist:

In the above output, you can see the hashes are found but cannot be viewed. To view the hashes, simply add the “–show” option in the hashcat command:

hashcat -a 0 -m 0 hashpass.txt /usr/share/wordlists/rockyou.txt --show

We have elaborated on how to use hashcat in Kali Linux.


To use the hashcat tool in Kali Linux, first save the passwords that were converted in the hashes in the “.txt” text file. After that, match the password hashes with a wordlist text file such as Kali’s wordlist file “rockyou.txt” file. For this purpose, simply use the “hashcat -a <attack mode> -m <hash-type> <path-to-hashpass.txt> <path-to-wordlist>” command. This post has demonstrated the use of hashcat on Kali Linux.

About the author

Rafia Zafar

I am graduated in computer science. I am a junior technical author here and passionate about Programming and learning new technologies. I have worked in JAVA, HTML 5, CSS3, Bootstrap, and PHP.