hashcat -m $TYPE -O $HASHFILE $WORDLIST

Here $TYPE is the hash type (check man hashcat), and -O requests that Hashcat use an optimized kernel (faster, but limited in the password length that can be cracked). Note that instead of $HASHFILE, a raw hash can be provided directly instead (the hash-identifier tool on Kali Linux can help narrow down the kind of hash being dealt with in these situations).

Some values of -m:

TypeHash
0md5
100sha1
900md4
1000Windows NTLM hashes
1400sha256
1800UNIX SHA-512 passwords ($6$)
3000LANMAN (Windows)
3200bcrypt
13100Kerberos 5 hashes (TGS-REP)
18200Kerberos 5 hashes (AS-REP)

There are also a large number of “Raw Hash, Salted and/or Iterated” modes that allow raw salted hashes (i.e., those not specific to a particular password type) to be processed; for these, specify the hashes as $HASH:$SALT.

Passwords are output as HASH:PLAINTEXT tuples.

Hashcat can accept the output of hashdump from Metasploit (use -m 1000), as well as raw hashes from /etc/shadow (assuming that they’re all the same type).

A “token length exception” means that the provided hash format is of the wrong length (probably because an additional character got accidentally added).

Combinator

The Hashcat combinator.bin utility combines two wordlists such that every entry of the first list is concatenated with every entry from the second list.

/usr/lib/hashcat-utils/combinator.bin \
	$WORDLIST1 $WORDLIST2 > $COMBINED_WORDLIST

Brute force password guessing

Hashcat can also produce lists for brute forcing using the -a 3 flag. If no hash is provided, then a simple list will be produced.

# Produce a list of 4-digit PINs
#
hashcat -a 3 ?d?d?d?d —stdout
 
# Crack an MD5 hash of a 4-digit PIN using brute-forcing
#
hashcat -a 3 -m 0 $MD5_HASH ?d?d?d?d

The hashcat --help command will display all available character sets (the d in the above example).