LabEx
Log InJoin Free

Understand Hashcat Command Structure

Kali LinuxBeginner
Practice Now

Introduction

Hashcat is a powerful and versatile password recovery tool. To use it effectively, you must first understand its command-line structure. A single Hashcat command is composed of several key components that tell the program exactly what to crack and how to do it.

In this lab, you will learn the fundamental structure of a Hashcat command. We will build a complete, functional command piece by piece, covering the five essential components: the executable, the hash type, the attack mode, the input hash file, and the input wordlist. By the end, you will be able to construct basic Hashcat commands for dictionary-based attacks.

Identify the Core Components of a Hashcat Command

In this step, we will identify the basic syntax of a Hashcat command. Understanding this structure is the first step toward using the tool.

A typical Hashcat command follows this pattern:

hashcat [options] hashfile [wordlist/mask]

Let's break down these components:

  • hashcat: This is the name of the executable program itself.
  • [options]: These are flags that modify the program's behavior. The most critical options are -m for the hash type and -a for the attack mode, which we will cover in the next steps.
  • hashfile: This is the path to the file that contains the hash or hashes you want to crack.
  • [wordlist/mask]: This is the path to an input file, such as a wordlist for a dictionary attack, or a mask pattern for a brute-force attack.

To start, let's view the built-in help menu to get a feel for the tool. This command lists all available options and information.

Execute the following command in your terminal:

hashcat --help

You will see a long output detailing all of Hashcat's features. We will refer back to this information in the upcoming steps.

hashcat (v6.2.6) starting in help mode

Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

...
-a,  --attack-mode              | Num    | Attack-mode, see references below.
-m,  --hash-type                | Num    | Hash-type, see references below.
...

Now that we understand the basic structure, we can begin to build our command.

Specify the Hash Type with the -m Flag

In this step, you will learn how to specify the target hash type. Hashcat supports hundreds of different hashing algorithms, and you must tell it which one you are trying to crack. This is done using the -m flag followed by a numeric code.

Our lab environment has prepared a file named hashes.txt which contains an MD5 hash. To find the correct code for MD5, you can search through the hashcat --help output.

Use the grep command to filter the help text for "MD5":

hashcat --help | grep MD5

The output will show you all hash types related to MD5, along with their corresponding codes.

      0 | MD5                                            | Raw Hash, Salted and/or Iterated
   10 | md5($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
   20 | md5($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
...

As you can see, the code for a standard MD5 hash is 0. Now we can add this to our command. The command currently looks like this:

hashcat -m 0 ...

In the next step, we will specify the attack mode.

Specify the Attack Mode with the -a Flag

In this step, you will learn how to set the attack mode using the -a flag. The attack mode tells Hashcat which method to use for cracking the password.

Hashcat offers several attack modes, but the most common are:

  • 0: Straight (Dictionary attack) - Compares hashes against a list of words.
  • 1: Combination - Combines words from two different dictionaries.
  • 3: Brute-force (Mask attack) - Tries every possible combination of characters based on a defined pattern (mask).

For this lab, we will perform a Straight (dictionary) attack, so we will use attack mode 0. You can find the list of all attack modes in the help menu.

Let's use grep again to find the "Attack-Modes" section:

hashcat --help | grep "Attack-Modes" -A 10

The -A 10 flag tells grep to show the 10 lines after the match, giving you the full list.

- [ Attack-Modes ] -

  ## | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid dict + mask
  7 | Hybrid mask + dict

We have now identified our attack mode. Let's add it to our command, which now becomes:

hashcat -m 0 -a 0 ...

Next, we will provide the file containing the hash we want to crack.

Provide the Input Hash File

In this step, you will specify the input file that contains the hash to be cracked. This argument comes after the options.

The setup script for this lab has already created a file named hashes.txt in your current directory (~/project). This file contains a single MD5 hash.

Let's view the contents of this file using the cat command:

cat hashes.txt

You should see the following output:

5f4dcc3b5aa765d61d8327deb882cf99

This is the hash we will be cracking. To add it to our command, we simply place the filename after the options. Our command now looks like this:

hashcat -m 0 -a 0 hashes.txt ...

The final piece is to provide the wordlist for our dictionary attack.

Provide the Input Wordlist or Mask

In this final step, you will provide the last required component for our dictionary attack: the wordlist. A wordlist is a plain text file where each line is a potential password.

The lab environment includes a simple wordlist named wordlist.txt. Let's examine its contents:

cat wordlist.txt

The output will be:

test
hello
password
123456

This wordlist will be used by Hashcat to test against the hash. The wordlist file is the final argument in our command.

Now, let's assemble and run the complete command:

hashcat -m 0 -a 0 hashes.txt wordlist.txt

Hashcat will start. Since our hash and wordlist are very simple, it will finish almost instantly. The output will show the status of the cracking session.

...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: ...
Time.Estimated...: 0 secs (0.00ms)
Guess.Base.......: File (wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   496.9 kH/s (0.00ms) @ Accel:128 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 4/4 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: test -> 123456
Hardware.Mon.#1..: Util: 99%
...

The Status...........: Cracked line confirms success. To see the cracked password, you can run the same command again with the --show flag.

hashcat -m 0 -a 0 hashes.txt wordlist.txt --show

The output will clearly display the hash and its corresponding plaintext password:

5f4dcc3b5aa765d61d8327deb882cf99:password

Congratulations, you have successfully constructed and executed a complete Hashcat command!

Summary

In this lab, you learned the fundamental command structure of Hashcat by building a command from scratch. You have successfully cracked an MD5 hash using a dictionary attack.

You now understand the five core components of a basic Hashcat command:

  1. Executable: hashcat
  2. Hash Type: Specified with -m (e.g., -m 0 for MD5).
  3. Attack Mode: Specified with -a (e.g., -a 0 for a dictionary attack).
  4. Hash File: The file containing the target hashes (e.g., hashes.txt).
  5. Wordlist/Mask: The input for the attack (e.g., wordlist.txt).

The final command structure you learned is: hashcat -m <hash_type> -a <attack_mode> <hash_file> <wordlist>. This knowledge provides a solid foundation for exploring more advanced Hashcat features.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux