Hashcat Cheat Sheet: Build the Command, Copy, Crack
Set your hash file, wordlist, hash mode, and mask once at the top, and every command below fills in with your values, ready to copy and run. Then the full flag reference grouped by task, the mask charset table, and the common -m modes. Tested on hashcat 7.1.2.
This is the hashcat reference I actually keep open while cracking. Set your hash file, wordlist, mode, and mask once at the top, and every command below rewrites itself with your values so you can copy and run it. Under that is the full flag reference grouped by what you are trying to do, the mask charset table, and the common -m modes. New to the tool? Start with how to use hashcat. Everything here was verified on hashcat 7.1.2.
Set these once. Every command below picks up your values, and clearing a field drops it from the commands so you can copy exactly what you mean to run. Hash mode and mask are searchable: type to filter, or pick from the list. Hash mode covers all 581 of hashcat’s modes; for a mask, type your own or choose a common one.
Wordlists
hashcat reads several dictionaries in order. Add as many as you like.
Rule files
Each rule file becomes its own -r. A bare name resolves under rules/; a path is used as-is.
Dictionary attack (your default first move). Hash every word in the wordlist:
```bash
hashcat -m 0 -a 0 hashes.txt rockyou.txt -w 3
```
Dictionary + rules (the highest-yield real attack). Mutate each word with a rules file. Add more than one rule file and each becomes its own -r; clear them all and the -r drops away:
```bash
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best66.rule -w 3
```
Mask attack (smart brute force). Try every string matching the mask. Turn on --increment above to also try shorter lengths:
```bash
hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?l?d?d?d' -w 3
```
Hybrid: wordlist + mask (the password123 pattern, a word then your mask as a suffix):
```bash
hashcat -m 0 -a 6 hashes.txt rockyou.txt '?u?l?l?l?l?d?d?d' -w 3
```
Hybrid: mask + wordlist (your mask as a brute-forced prefix, then a word):
```bash
hashcat -m 0 -a 7 hashes.txt '?u?l?l?l?l?d?d?d' rockyou.txt -w 3
```
Combination attack (every word in your first list joined to every word in the second). Add a second wordlist above to use a different right-hand list:
```bash
hashcat -m 0 -a 1 hashes.txt rockyou.txt rockyou.txt -w 3
```
Show what you have cracked (read results from the potfile):
```bash
hashcat -m 0 hashes.txt --show
```
Benchmark this hash mode (raw speed on your hardware):
The general syntax is hashcat -m <mode> -a <attack> <hashfile> <wordlist-or-mask> [options]. The two numbers that matter most are -m (which algorithm) and -a (which attack). Set your values in the panel above and the commands fill themselves in.
Run hashcat --identify hashes.txt to have hashcat guess the hash mode, or hashcat --example-hashes to browse every mode with an example. See how to identify a hash type for the full method.
Use -w 3 (high) on a machine dedicated to cracking, -w 4 on a headless rig you do not touch, and -w 1 on a desktop you are actively using so it stays responsive. Default is -w 2.
Start with --session=name, and if it stops, resume with hashcat --session=name --restore. hashcat checkpoints the keyspace position, so you continue where you left off rather than starting over.
Software Systems Architect · Senior Software Engineer · Engineering Leadership
Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.