In a modern Active Directory environment, one weak password is the difference between a failed engagement and Domain Admin. Pass-the-Hash works for lateral movement, but cleartext credentials are what get you into the VPN, the SSO portal, the M365 tenant, and the cloud console. Hashes are not enough once the perimeter you’re trying to cross is a SAML form.
Reliable cracking is mostly an infrastructure problem with a statistics problem layered on top. Anyone can run rockyou.txt against a captured NTLM hash. The interesting question is what you do once that comes back empty, which on a moderately mature target is most of the time.
High-performance compute#
You are not going to crack effectively on a laptop CPU. The job is embarrassingly parallel and you need GPUs.
Hardware or cloud#
A dedicated rig pays for itself if you do this regularly, and the client’s hash material never leaves your premises. Cloud is right when you have a single engagement that needs burst capacity and you can document the chain of custody for the data.
- Dedicated rig. Four RTX 4090s on a stock benchmark do roughly 168 GH/s NTLM per card, ~675 GH/s combined. Overclocked builds and water cooling push higher, but stock is what you should plan against, and you should run hashcat's own benchmark (-b) on your cards rather than trust a number from a post. That is enough to brute-force the full printable-ASCII keyspace through length 8 in a few hours: 95^8 is about 6.6 × 10^15 candidates, and at 675 GH/s that is roughly 2.7 hours.
- Cloud (AWS, Azure). An AWS p3.16xlarge gives you 8x Tesla V100s on demand. Expensive per hour, but useful when you need an answer before the report is due. The V100 is no longer remotely state-of-the-art for hashing; you are paying for “right now,” not raw speed.
- Vast.ai and Tensordock. Cheap, community-supplied GPUs. Do not upload client hashes to them. You have no idea who else is on that host, what the storage retention is, or whether the operator is logging traffic. The OPSEC trade is not worth the price.
Hashcat tuning#
Hashcat is the standard tool. The defaults are conservative on purpose. To get useful speed, you have to push the workload profile and accept the consequences.
```bash
# Fast-hash run on a dedicated rig
hashcat -m 1000 -a 0 -w 4 -O --status hashes.txt wordlist.txt
```
- -m 1000: NTLM.
- -w 4: workload profile “Nightmare.” Hashcat’s own help table lists its desktop lag as “headless”; your desktop will hang while it runs. Use this on the rig, not your laptop.
- -O: optimized kernels. Faster, but caps password length (31 characters on many fast hashes and 27 for NTLM; the limit varies per algorithm, check docs/limits.txt). Candidates longer than the cap are rejected rather than tested, so watch the Rejected counter in the status output and drop -O when the target policy allows passwords longer than the cap.
- --status: auto-prints status. Without it you stare at a blank screen and wonder if it’s still alive.
Hashcat 7.x is the current line as of mid-2026. If you’re running anything older than v6.2, upgrade. There are real performance and rule-engine improvements between major versions.
Past rockyou: targeted wordlist generation#
If the target is CorpFinance LLC and their domain policy forces a 14-char minimum with complexity, rockyou.txt will return nothing. On a target like that the wordlist is doing the work; the GPU is just consuming it.
Contextual scraping with CeWL#
CeWL crawls a target website and extracts words long enough to be useful. The output is the raw material for everything that follows.
```bash
cewl https://www.corpfinance.com -d 2 -m 5 -w corp_base.txt
```
- -d 2: crawl depth.
- -m 5: minimum word length.
- -w corp_base.txt: output file.
Marketing pages, leadership bios, press releases: all of it ends up as candidate base words. Product names. Internal initiative names. The CEO’s last name. The city the HQ is in. People reach for what’s in front of them when they pick a password, and a public-facing marketing site is what’s in front of a lot of them all day.
Rules#
Rules are where targeted attacks earn their keep. Humans follow patterns. They capitalize the first letter, they append a year, they swap an a for a 4, they end with !. A 20-line rule file applied to a 5,000-word company-specific dictionary will outperform a 100-million-line wordlist run raw.
Hashcat’s best64.rule (in the rules/ directory) is the standard starting point. Build on top of it. A workable “enterprise” rule for a 2026 target looks something like:
- Capitalize first letter.
- Append a current or recent year: 2023, 2024, 2025, 2026.
- Append a symbol: !, @, #, $.
- Apply a leetspeak substitution on common letters.
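To see what that rule set actually turns a base word into before spending GPU time on it, here is an added example: a small Python reimplementation of the handful of hashcat rule functions the “enterprise” rules above need (c, l, u, t, $X, ^X, sXY), applied to a constructed stand-in for CeWL output. It is illustrative code written for this page, not hashcat’s rule engine; the rule file text, the BASE_WORDS list and the function names are all assumptions of the example.

```python
# Added example: a minimal reimplementation of the hashcat rule functions the
# "enterprise" rule set needs. Illustrative Python, not hashcat's engine;
# hashcat supports far more functions than these.
#
# Supported functions (subset of hashcat rule syntax):
#   :    no-op            l    lowercase        u    uppercase
#   c    capitalize       t    toggle case      $X   append char X
#   ^X   prepend char X   sXY  replace every X with Y
# Functions on one line are applied left to right, as hashcat does.

# The "enterprise" rule set from the text, written in hashcat rule syntax
# (assumed layout; one rule per line, '#' lines are comments).
ENTERPRISE_RULES = """\
# capitalize first letter
c
# capitalize + recent year
c $2 $0 $2 $3
c $2 $0 $2 $4
c $2 $0 $2 $5
c $2 $0 $2 $6
# capitalize + symbol
c $!
c $@
c $#
c $$
# capitalize + year + symbol
c $2 $0 $2 $5 $!
c $2 $0 $2 $6 $!
# leetspeak on common letters, with and without year + symbol
c sa4 se3 so0
c sa4 se3 so0 $2 $0 $2 $6 $!
"""

# Constructed stand-in for a CeWL-derived company wordlist (not real data).
BASE_WORDS = ["corpfinance", "welcome", "summer", "finance"]


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule line to a single word."""
    out = word
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in " :":
            i += 1
        elif op == "l":
            out = out.lower()
            i += 1
        elif op == "u":
            out = out.upper()
            i += 1
        elif op == "c":
            out = out[:1].upper() + out[1:].lower()
            i += 1
        elif op == "t":
            out = out.swapcase()
            i += 1
        elif op in "$^":
            if i + 1 >= len(rule):
                raise ValueError(f"rule {rule!r}: {op} needs a character")
            out = out + rule[i + 1] if op == "$" else rule[i + 1] + out
            i += 2
        elif op == "s":
            if i + 2 >= len(rule):
                raise ValueError(f"rule {rule!r}: s needs two characters")
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 3
        else:
            raise ValueError(f"rule {rule!r}: unsupported function {op!r}")
    return out


def parse_rules(text: str) -> list[str]:
    """Return the rule lines from a rule file, skipping blanks and comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def expand(words: list[str], rules: list[str]) -> list[str]:
    """Every word through every rule, de-duplicated, in first-seen order.
    Equivalent to what `hashcat --stdout -r enterprise.rule corp_base.txt`
    prints for these functions (hashcat itself does not de-duplicate)."""
    seen = set()
    candidates = []
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                candidates.append(cand)
    return candidates


if __name__ == "__main__":
    for cand in expand(BASE_WORDS, parse_rules(ENTERPRISE_RULES)):
        print(cand)
```

Four base words times thirteen rules is 52 candidates, which is the point: the candidate count is tiny, and every one of them is plausible for this target. Preview the real thing with hashcat --stdout -r before committing the rig, then run it with -r against the hashes.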
Hybrid attacks#
Instead of static rules, you can append a brute-force mask to every word in a wordlist. This is hybrid mode (-a 6 for wordlist+mask, -a 7 for mask+wordlist), and it’s the right choice when you know the structure but not the suffix.
```bash
# [word] + [4 digits] + [1 symbol] e.g. "Welcome2023!"
hashcat -a 6 -m 1000 hashes.txt wordlist.txt ?d?d?d?d?s
```
The mask runs inside Hashcat. There is no separate maskprocessor invocation needed for this. You would only reach for mp64 standalone if you wanted to generate a candidate file for some other tool to consume.
PRINCE for passphrases#
PRINCE (PRobability INfinite Chained Elements) chains dictionary words together to generate longer candidates. If your dictionary has apple and orange, PRINCE produces appleorange, orangeapple, appleorangeapple, and so on. This is what cracks the passphrase-style policies that have become more common since NIST 800-63B started recommending length over complexity.
```bash
pp64.bin < wordlist.txt | hashcat -m 1000 hashes.txt
```
Bound the candidate length with --pw-min and --pw-max, and the number of chained elements with --elem-cnt-min and --elem-cnt-max, to match the target policy. If the minimum is 14 chars, do not waste cycles generating 8-char candidates.
Hash types and strategy#
Different hash algorithms call for different attack ordering. The fast ones reward brute force; the slow ones punish it.
NTLM (Windows local/domain hashes, mode 1000)#
Very fast. On a 4-card 4090 rig, full keyspace through 8 chars is a few hours. Strategy: brute force lengths 1–8 as one mask job (?a?a?a?a?a?a?a?a with --increment), then targeted wordlists + rules for anything longer. Every extra ?a multiplies the keyspace by 95, so on the same rig length 9 runs about ten days and length 10 close to three years; pure brute force at length 10+ is a waste even on good hardware.
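The hybrid and brute-force decisions above both come down to keyspace arithmetic, so here is one added example that covers both: a Python calculator (written for this page, not hashcat code) that expands a hashcat mask into its keyspace, multiplies it by a wordlist size for -a 6/-a 7, and walks an --increment schedule to show where the cumulative cost stops being hours. RIG_NTLM_RATE is the 675 GH/s four-4090 figure quoted above and is an assumption you should replace with your own benchmark number.

```python
# Added example: keyspace and run-time arithmetic for hashcat masks, hybrid
# attacks and --increment brute force. Illustrative Python, not hashcat code.

# Sizes of hashcat's built-in charsets.
CHARSETS = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "h": 16,   # 0-9a-f
    "H": 16,   # 0-9A-F
    "s": 33,   # space plus !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    "a": 95,   # ?l?u?d?s
    "b": 256,  # 0x00-0xff
}

# Assumed rate: the four-4090 stock NTLM figure from the text, in hashes/s.
# Replace with the output of `hashcat -b -m <mode>` on your own rig.
RIG_NTLM_RATE = 675e9


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask expands to.
    "?x" is a charset placeholder, "??" a literal question mark, and any
    other character is a literal that contributes exactly one choice."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask")
            code = mask[i + 1]
            if code != "?":
                if code not in CHARSETS:
                    raise ValueError(f"unknown charset ?{code}")
                total *= CHARSETS[code]
            i += 2
        else:
            i += 1
    return total


def hybrid_keyspace(wordlist_lines: int, mask: str) -> int:
    """-a 6 / -a 7: every wordlist entry times every mask expansion."""
    return wordlist_lines * mask_keyspace(mask)


def hours_to_exhaust(keyspace: int, rate: float = RIG_NTLM_RATE) -> float:
    """Wall-clock hours to try every candidate once at the given rate."""
    return keyspace / rate / 3600


def increment_schedule(min_len, max_len, rate=RIG_NTLM_RATE, charset="?a"):
    """Cumulative cost of `-a 3 --increment --increment-min N --increment-max M`
    with the given charset repeated. Returns rows of
    (length, keyspace at that length, cumulative hours through that length)."""
    rows = []
    cumulative = 0
    for n in range(min_len, max_len + 1):
        ks = mask_keyspace(charset * n)
        cumulative += ks
        rows.append((n, ks, hours_to_exhaust(cumulative, rate)))
    return rows


if __name__ == "__main__":
    print("5k-word hybrid with ?d?d?d?d?s:",
          hybrid_keyspace(5000, "?d?d?d?d?s"), "candidates")
    for n, ks, hrs in increment_schedule(1, 12):
        print(f"?a x{n:2d}: {ks:.3e} candidates, {hrs:14.1f} h cumulative")
```

The schedule makes the cutoff visible: through length 8 the cumulative run is under three hours, length 9 alone is in the hundreds of hours, and length 10 is tens of thousands. Meanwhile a 5,000-word hybrid with a four-digit-plus-symbol mask is 1.65 billion candidates, a fraction of a second at NTLM speed, which is why the targeted attacks come first.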
NetNTLMv2 (mode 5600)#
Moderate speed. These come off the wire via Responder, Inveigh, or ntlmrelayx capture. Brute forcing complex passwords here is not practical. Go straight to dictionary attacks with aggressive rules, and pivot to relay attacks if cracking stalls.
Kerberoasting (TGS-REP RC4, mode 13100)#
Slow, and the target population is service accounts. Service accounts are often named after what they do, and their passwords often reference the service: SQLService2019, BackupAdmin!, that pattern. Build a service-themed wordlist (SQL, Backup, Web, App, IIS, SVN, Jenkins, vendor names) and run rules against it before you reach for brute force.
If the service account only has AES enabled (or you could not get an RC4 ticket issued), the TGS-REP comes back as etype 18 and you are looking at mode 19700 instead (19600 for etype 17, AES128), and it’s slower again.
Operational security#
Two things matter and both are about handling client material responsibly.
- Sanitization. Hashes are credential material until proven otherwise. The rig that processes them should not be a general-use workstation. Air-gapped is ideal; a firewall-isolated VLAN with no outbound internet is acceptable. Do not pull hashes onto your daily-driver laptop.
- Cleanup. Hashcat writes cracked passwords to hashcat.potfile by default; pass --potfile-path to keep it inside the engagement directory so nothing is left behind in your home directory. After the engagement closes, purge the potfile, the input hash files, and any wordlists derived from client content. The potfile in particular is dangerous. It’s a plaintext credential dump, exactly what you were hired to find and then asked to make go away.
Workflow#
The cheap attacks first, the expensive ones last:
- Top-1k common passwords against the full hash list. Catches the low-hanging fruit in seconds.
- rockyou.txt + best64.rule. Standard baseline.
- CeWL-derived company wordlist + custom enterprise rules. This is where the engagement is usually won.
- PRINCE chains for passphrase policies.
- Hybrid masks (-a 6) for known structures.
- Pure brute force for short fast hashes and as a last resort for everything else.
Throwing compute at a wall without first working the wordlist is the most common mistake I see on engagements. The card count almost never explains why one operator cracks more than another. What explains it is whether they bothered to build a wordlist tuned to the target before they started spending watts on it.