Hashcat Word lists and Rules
Recommended General Large Word lists
Word List | Link |
---|---|
AllInOne | |
Rockyou2021 | |
Weakpass_3a | |
Top2Billion-probable-v2 | |
Recommended General Medium Word lists
Word List | Link |
---|---|
hk_hlm_founds | |
RP4 | |
Ignis | |
Top29Million-probable-v2 | |
SkullSecurityComp | |
Specific Word lists
Word List | Use case | Link |
---|---|---|
Kerberoast_pws | SPN cracking | |
weakpass_3w | 8-24 characters | |
weakpass_3p | Contains only printable characters | |
Word list from cracked hashes
Locate pot-file
Place the cracked passwords into their own word list.
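Added example, not part of the original page: a Python script for the step above that pulls the plaintexts out of a hashcat potfile into a de-duplicated word list. It assumes the default `hash:plain` potfile layout with `:` as the separator; the function names and sample lines are constructed for illustration, and the potfile and output paths are passed as arguments.

```python
import re
import sys

# hashcat stores a plaintext as $HEX[...] when it holds the ':' separator
# or bytes that are not safely printable.
HEX_WRAPPED = re.compile(rb"^\$HEX\[((?:[0-9a-fA-F]{2})*)\]$")

def plain_from_line(line: bytes):
    """Return the decoded plaintext of one potfile line, or None if absent."""
    line = line.rstrip(b"\r\n")
    if b":" not in line:
        return None
    # Salted hashes contain ':' themselves, so take the field after the LAST ':'.
    plain = line.rsplit(b":", 1)[1]
    match = HEX_WRAPPED.match(plain)
    return bytes.fromhex(match.group(1).decode("ascii")) if match else plain

def wordlist_line(word: bytes) -> bytes:
    """Encode one word for a line-based word list."""
    # Words with line breaks, or that look like $HEX[...] themselves, are
    # re-wrapped; hashcat decodes $HEX[] in word lists by default.
    if b"\n" in word or b"\r" in word or HEX_WRAPPED.match(word):
        return b"$HEX[" + word.hex().encode("ascii") + b"]"
    return word

def build_wordlist(lines):
    """Unique, non-empty plaintexts in first-seen order."""
    seen, words = set(), []
    for line in lines:
        plain = plain_from_line(line)
        if plain and plain not in seen:
            seen.add(plain)
            words.append(plain)
    return words

# Constructed sample potfile lines (hash values are made up).
SAMPLE_POTFILE = [
    b"0123456789abcdef0123456789abcdef:Summer2023!\n",
    b"fedcba9876543210fedcba9876543210:Summer2023!\n",        # duplicate
    b"00112233445566778899aabbccddeeff:somesalt:Welcome1\n",  # salted hash
    b"aabbccddeeff00112233445566778899:$HEX[613a62]\n",       # "a:b"
    b"99887766554433221100ffeeddccbbaa:$HEX[636166c3a9]\n",   # UTF-8 "café"
    b"11223344556677889900aabbccddeeff:\n",                   # empty, skipped
]

if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) == 3 else SAMPLE_POTFILE
    out = [wordlist_line(w) + b"\n" for w in build_wordlist(src)]
    dst = open(sys.argv[2], "wb") if len(sys.argv) == 3 else sys.stdout.buffer
    dst.writelines(out)
```

Run with a potfile path and an output path to write the word list; with no arguments it prints the result for the constructed sample.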
Word list from website scraping
Recommended Rules
NSA Rules
Github: https://github.com/NSAKEY/nsa-rules
OneRuleToRuleThemStill
An updated and improved variation of the popular OneRuleToRuleThemAll rule set. This updated rule set should provide the same effective crack rate as OneRule with a reduction in total cracking time.
Blog Post: https://in.security/2023/01/10/oneruletorulethemstill-new-and-improved/
Github: https://github.com/stealthsploit/OneRuleToRuleThemStill
Unic0rn28 Hashcat Rules
Github: https://github.com/Unic0rn28/hashcat-rules
Brute Force Mask
Reviewing cracked passwords
Hashcat can display credentials in [Username]:[Password] format. Adjust the command below to use the correct method for the hash file, and set the --outfile-format value to whichever looks best. For NTLM and Secretsdump the command below should work fine.