Cracking Password Hashes using Hashcat (Crackstation Wordlist)


Welcome to HackingVision. In this tutorial we will demonstrate how to crack password hashes in Kali Linux with the Crackstation wordlists.


In this tutorial we are using a GTX 1080 8GB GPU and a Ryzen 5 1600 CPU; you can use whatever NVIDIA GPU you like. By using both the CPU and the GPU in Hashcat we can obtain better hash rates, which lets us crack password hashes faster and more conveniently than we could with a CPU alone.

If you're using a GPU, make sure you have the NVIDIA drivers for your GPU installed. If you don't have access to an NVIDIA GPU, a strong CPU is recommended: the wordlist we are going to be using is 15 GiB uncompressed, and Hashcat will take a little longer if you're cracking password hashes without a GPU. Hash rates depend on the speed of your computer's CPU, so the faster your CPU the better; if you have a fast GPU you will be able to crack passwords much quicker. Many factors come into play when it comes to password cracking, such as the size of the wordlist, the size of the target hash file and the speed of your CPU or GPU. For example, cracking passwords for certain hashing algorithms can be slower than for others. If you are cracking a lot of large password hash lists, an SSD is recommended. In this guide we are using a standard 1TB HDD; currently all of my SSDs are occupied by other operating systems.

If you have limited bandwidth, you can use a smaller wordlist that is 684MiB uncompressed but does not include as many passwords, or alternatively a wordlist that is included by default in Kali Linux.

Installing NVIDIA GPU Drivers in Kali Linux


In this tutorial we will be cracking SHA1 hashes. SHA1 is a one-way hash, not encryption, so Hashcat recovers a password by hashing candidates from the wordlist and comparing the results. You can use sha1-online to generate SHA1 hashes of test passwords. Let's create some hashes to test with Hashcat.

Create some password hashes using sha1-online and save them into a text file. I will hash 20 passwords and save them in a text file. Create your own password hash list or use the password hashes below. I will be using the nano text editor in this tutorial.

Open up a terminal and enter the following command. It will create a new text document called sha1.txt. Enter your password hashes, one hash per line. You can copy the password hashes below if you don't want to hash your own passwords.

nano sha1.txt

Once you have finished adding your password hashes in nano, write the file with CTRL+O. After the changes have been written, use CTRL+X to exit the nano text editor.

The passwords that we hashed should be the following when recovered. Let's see if Hashcat can find any of them.
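The same sha1.txt can be produced locally, which keeps test passwords off a third-party website. The script below is an added example, not part of the original tutorial; the function names and the sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the sha1.txt test list locally instead of on a website.

# sha1_of STRING -> 40-char lowercase hex SHA1 of exactly STRING.
# printf '%s' is used rather than echo: echo appends a newline, which would be
# hashed too and give a value that never matches the intended password.
sha1_of() {
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# make_hash_list OUTFILE PASSWORD... -> one hash per line in OUTFILE.
make_hash_list() {
    hl_out=$1
    shift
    : > "$hl_out"
    for hl_pw in "$@"; do
        sha1_of "$hl_pw" >> "$hl_out"
    done
}

# bad_lines FILE -> number of lines that are not exactly 40 hex characters
# (stray spaces, Windows line endings, pasted labels). 0 means the file is clean.
bad_lines() {
    grep -Evc '^[0-9a-fA-F]{40}$' "$1" || true
}

# Demo with constructed test passwords, written to a scratch directory.
demo_dir=$(mktemp -d)
make_hash_list "$demo_dir/sha1.txt" password 123456 'correct horse'
cat "$demo_dir/sha1.txt"
echo "malformed lines: $(bad_lines "$demo_dir/sha1.txt")"
```

Running bad_lines on a hand-edited sha1.txt before starting Hashcat catches lines that would otherwise be skipped as invalid hashes.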


Download Wordlist

Download Wordlists:

In this tutorial we will be using the crackstation.txt.gz wordlist. You can choose whatever wordlist you want; you don't have to use the Crackstation ones included in this tutorial to use Hashcat. We recommend these wordlists as they include lots of leaked real human passwords. If you don't know what the Crackstation wordlists are, they're the results of Crackstation cracking LinkedIn's and eHarmony's password hash leaks with the list.

The wordlist we are using in this tutorial is 4.2GB compressed and 15 GiB uncompressed. If you have limited bandwidth, use the Crackstation Smaller Wordlist (Human Passwords Only), which is 247MiB compressed and 684MiB uncompressed.

Default wordlists in Kali Linux are stored in /usr/share/wordlists

Uncompressing Crackstation Wordlist

To uncompress .txt.gz files we can use gunzip. Install gzip by opening a terminal and entering the following command. gunzip will uncompress wordlists within the same directory as it's run from.

apt-get install gzip

Now that gzip is installed, we can uncompress the wordlists we downloaded from Crackstation using the following command.

gunzip crackstation.txt.gz

To uncompress the smaller real human wordlist from Crackstation, you can use the following command.

gunzip crackstation-human-only.txt.gz

Now that we have uncompressed the Crackstation wordlists, we can use them in Hashcat.


It's time to run Hashcat against our target SHA1 hashes. Let's see which hashes we can crack.

Open a terminal

cd into the directory that your hash list is stored in and edit the following command: -m 100 is the hash type SHA1; add the location of your hash list and wordlist.

My hash list is called sha1.txt, and my passwords.txt output file is in the same directory as sha1.txt. I am using the Crackstation wordlist from /usr/share/wordlists/crackstation.txt, which I copied to /usr/share/wordlists/ earlier. Your downloaded wordlist is most likely stored and uncompressed in Downloads; in that case, we would add ~/Downloads/crackstation.txt. Make sure that you are using the uncompressed wordlist and not the compressed .txt.gz version.

hashcat -m 100 sha1.txt -o passwords.txt /usr/share/wordlists/crackstation.txt
hashcat -m 100 sha1.txt -o passwords.txt ~/Downloads/crackstation.txt

Command Breakdown

-m 100 = hash type SHA1
sha1.txt = your target hashes file goes here
-o passwords.txt = output file for cracked passwords
/usr/share/wordlists/crackstation.txt = add the path to your wordlist here

Hashcat found 12/20 password hashes that we gave it using the crackstation.txt wordlist.

Let's see what passwords Hashcat was able to crack. We can list the contents of the passwords.txt file, which contains the passwords that Hashcat was able to recover, using the cat command in Linux.

From the directory that your passwords.txt file is saved in, use the following command to list the passwords that Hashcat was able to recover. cat is a standard Unix utility that reads files sequentially, writing them to standard output.

cat passwords.txt
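For a password audit, the useful figure is how many hashes fell to the wordlist and which ones survived, ideally without printing plaintexts to the screen. The script below is an added example, not part of the original tutorial; it assumes Hashcat's default outfile layout of one hash:plain entry per line, and its function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: summarise a Hashcat run without echoing recovered plaintexts.
# Assumes the default outfile layout: one "hash:plain" entry per line.

# _scan MODE HASHFILE OUTFILE -> shared awk pass used by the two reports below.
_scan() {
    sc_out=$3
    [ -f "$sc_out" ] || sc_out=/dev/null   # no outfile yet: nothing recovered
    awk -v mode="$1" '
        FILENAME == ARGV[1] { got[tolower(substr($0, 1, 40))] = 1; next }
        NF { total++
             if (tolower($1) in got) hit++
             else if (mode == "remaining") print $1 }
        END { if (mode == "ratio") printf "%d/%d\n", hit, total }
    ' "$sc_out" "$2"
}

# cracked_ratio HASHFILE OUTFILE -> "recovered/total", e.g. 12/20
cracked_ratio() { _scan ratio "$1" "$2"; }

# remaining HASHFILE OUTFILE -> hashes the wordlist did not recover
remaining() { _scan remaining "$1" "$2"; }

# plain_of LINE -> plaintext part of one outfile line. A password may itself
# contain ":", so cut after the fixed-width 40-char hash, not on every colon.
plain_of() {
    printf '%s\n' "$1" | cut -c42-
}

# Constructed sample data in a scratch directory (not from the tutorial's run).
d=$(mktemp -d)
printf '%s\n' 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 \
    7c4a8d09ca3762af61e59520943dc26494f8941b \
    0000000000000000000000000000000000000000 > "$d/sha1.txt"
printf '%s\n' 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8:password > "$d/passwords.txt"
chmod 600 "$d/passwords.txt"   # the outfile holds plaintext passwords
echo "recovered: $(cracked_ratio "$d/sha1.txt" "$d/passwords.txt")"
echo "not recovered:"
remaining "$d/sha1.txt" "$d/passwords.txt"
```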