How To Perform a Combinator Attack Using Hashcat

In this tutorial we will show you how to perform a combinator attack using hashcat.

For demonstration purposes, we will be using the MD5 password hashes from the Battlefield Heroes leak in 2013. The password hashes can be obtained here.

The commands used in this tutorial were run using the Kali Linux operating system by Offensive Security. In other environments the commands may be different however, the procedure will be the same.

What is a Combinator Attack?

A combinator attack works by taking words from one or two wordlists and joining them together to try as a password. For example, if wordlist one contained the following:


And wordlist two contained:


A combinator attack will try the following:


Although you will get combinations that make no sense, such as “slowbuilding” and “fastbuilding”. You will get a lot of joined words which do make sense and could potentially be someone’s password. Also, just because some of the joins don’t make sense, it doesn’t mean you should assume someone wouldn’t choose it as a password.

It’s also important to mention with this attack that the words in wordlist one will not be tried with wordlist two in reverse order. For example, “carfast’, “truckfast” etc.

With a single wordlist, the combinator attack will combine each word with itself and every other in the list.

For example, a combinator attack using a single wordlist such as:


Would produce:


Performing A Combinator Attack

As previously mentioned, the hashes can be downloaded from the link provided at the top of the page. To demonstrate the different attacks, the following wordlists will be used:

  • 1,000 most common US English words (available here)
  • 500 worst passwords (available here)

Using The CPU Version of Hashcat

From what we could find, the CPU version of hashcat seems to only work with one dictionary at a time (even if you specify two at the command line). If your hashcat installation uses your CPU for cracking, you will have to make a compromise to perform the attack.

If your version of hashcat utilises your GPU, you can skip to the next section.

For CPU hashcat users, you will have to merge your two wordlists into one file and store it on your disk. Within the hashcat-utils suite there is a tool called combinator that will do this for you.

To merge wordlists with the combinator utility, you can use the following command:

# /usr/share/hashcat-utils/combinator.bin 500-worst-passwords.txt 1-1000.txt > combined_wordlist.txt

Now our file combined_wordlist contains the joined words from 1-1000.txt and 500-worst-passwords.txt.

To make sure the command has worked, you can check the word count of the file like so:

# wc combined_wordlist.txt
 500000  500000 5913000 combined_wordlist.txt

Combinator Attack with Two Wordlists Using a GPU

Using the GPU version of hashcat, you can perform a combinator attack with the following command:

# hashcat –m 0 –a 1 bfield.hash 500-worst-passwords.txt 1-1000.txt
Command Meaning
-m 0 Indicates to hashcat we are cracking MD5 hashes.
-a 1 Combination attack mode.
bfield.hash The hashed MD5 passwords.
500-worst-passwords.txt The 500 worst passwords wordlist.
1-1000.txt The 1000 most common US English words wordlist.

You should see the an output similar to below:


Session.Name...: hashcat
Status.........: Exhausted
Input.Left.....: File (500-worst-passwords.txt)
Input.Right....: File (1-1000.txt)
Hash.Target....: File (bfield.hash)
Hash.Type......: MD5
Time.Started...: Mon Jul 25 11:57:35 2016 (4 secs)
Speed.Dev.#1...:   116.5 kH/s (0.97ms)
Recovered......: 1167/423623 (0.28%) Digests, 0/1 (0.00%) Salts
Recovered/Time.: CUR:N/A,N/A,N/A AVG:16240.79,974447.44,23386738.00 (Min,Hour,Day)
Progress.......: 500000/500000 (100.00%)
Rejected.......: 0/500000 (0.00%)

Started: Mon Jul 25 11:57:35 2016
Stopped: Mon Jul 25 11:57:42 2016

Combinator Attack with Two Wordlists Using a CPU

Here we’ll run the attack with our merged wordlist, the same output as above should be produced:

# hashcat -m 0 bfield.hash combined_wordlist.txt
Command Meaning
-m 0 Indicates to hashcat we are cracking MD5 hashes.
bfield.hash The hashed MD5 passwords.
combined_wordlist.txt The merged wordlist.


The output produced should be similar to:

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Dict (combined_wordlist.txt)
Index.....: 1/1 (segment), 500000 (words), 5913000 (bytes)
Recovered.: 1167/548686 hashes, 0/1 salts
Speed/sec.: 746.72k plains, 746.72k words
Progress..: 500000/500000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Mon Jul 25 07:09:43 2016           
Stopped: Mon Jul 25 07:09:44 2016

In this case, we didn’t tell hashcat to perform a combinator attack (-a 1). This is because we had already merged our wordlists beforehand. Instead we used the default “straight mode” which uses our single dictionary of combined words.

Combinator Attack with One Wordlist (CPU or GPU)

To combine each entry in a wordlist with every other, one a time, the following command can be run:

# hashcat –m 0 –a 1 bfield.hash 1-1000.txt

The parameters mean the following:

Command Meaning
-m 0 Indicates to hashcat we are cracking MD5 hashes.
-a 1 Combination attack mode.
bfield.hash The hashed MD5 passwords.
1-1000.txt The 1000 most common US English words wordlist.


The output produced should look like:

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Dict (1-1000.txt)
Index.....: 1/1 (segment), 1000 (words), 5840 (bytes)
Recovered.: 3167/548686 hashes, 0/1 salts
Speed/sec.: 906.39k plains, 906 words
Progress..: 1000/1000 (100.00%)
Running...: 00:00:00:01
Estimated.: --:--:--:--

Started: Mon Jul 25 08:02:12 2016           
Stopped: Mon Jul 25 08:02:14 2016

When You May Want to Perform a Combinator Attack

As shown above, running the previous attacks allowed cracking of some passwords that are unlikely to be in a common password dictionary. From our comparison we found the passwords “moongame”, “fulltool” and “doublebrown” as examples of this.

The table below gives some insight into the number of passwords cracked with the combinator using different wordlists. The far right column shows the number of passwords that were cracked only using that wordlist.

Wordlist Total Number of Combinations Passwords Cracked Number of Cracked Passwords Not Found in the Other Lists
1-1000.txt 1,000,000 3167 492
500-worst-passwords.txt 250,000 949 162


500,000 1167 181
rockyou.txt (normal dictionary run) 14,442,063 119693 116610

From the table you can see that each wordlist was able to crack some passwords that others couldn’t. A normal dictionary attack using the rockyou wordlist was added to the table to show that other attacks will give better results when run first. If there are still password hashes to be cracked after a dictionary, you could then try a combinator attack.

A specific example of where you may use this attack could be if a default password generation procedure is a random phrase of words. Overall though, we believe most situations will call for a different method of cracking, such as mask, or rule-based dictionary attacks.


In this article we have explained in a step-by-step procedure how to perform a combinator attack using hashcat. Due to limitations in the CPU version of hashcat, we have also provided a workaround that enables CPU version users to run a combinator attack. The commands for the GPU version have also been demonstrated.

To finish, we've tried to highlight the use cases of a combinator attack and show that in some cases it can potentially crack hashes that other methods can't.


Author image

William Hurer-Mackay

Will is a Computer Networks Engineering graduate of the University of Northampton who is undertaking 4ARMED's Security Tester internship programme aimed at bringing new recruits into the cyber security sector.

Related Blog Articles