Hashcat
World's fastest password cracker
World's first and only in-kernel rule engine

Feature:
Free
Open-Source (MIT License)
Multi-OS (Linux, Windows and OSX)

Refer
https://hashcat.net/hashcat/

...

Main parameter

-a: Attack Modes
0 = Straight
1 = Combination
2 = Toggle case
3 = Brute Force
ps:
https://hashcat.net/wiki/doku.php?id=combinator_attack
https://hashcat.net/wiki/doku.php?id=toggle_case_attack

-m : Hash Type
0 = MD5
50 = HMAC-MD5
1000 = NTLM
1400 = sha256

...

Straight attack
The dictionary attack, or "straight mode," is a very simple attack mode. It is also known as a "Wordlist attack".

hashcat -a 0 -m < hash type> < hash_encrypt_file > < password directory file>

...

password directory file
in Network
https://samsclass.info/123/proj10/500_passwords.txt

in KALI
gzip -d /usr/share/wordlists/rockyou.txt.gz
Rockyou contains 14 million unique passwords.

refer
https://uwnthesis.wordpress.com/2013/08/07/kali-how-to-crack-passwords-using-hashcat/

.....

brute-force attack
Tries all combinations from a given Keyspace. It is the easiest of all the attacks.

hashcat -m 0 -a 3 --increment [other parameter] < hash_encrypt_file> < mask>

-i --increment (optional):
specifies that the length of the password candidates shouldn't be fixed, but increase in length

mask (required):/brute-force Built-in charsets
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = «space»!"#$%&'()*+,-./:;<=>?@[]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

other parameter
--increment-min 4: set the minimum length of the password candidates to 4 (in this case)
--increment-max 6: set the maximum length of the password candidates to 6 (in this case)

ex:
if md5(123456) is e10adc3949ba59abbe56e057f20f883e
# echo e10adc3949ba59abbe56e057f20f883e > hash.txt
# hashcat -m 0 -a 3 -i hash.txt ?d?d?d?d?d?d
...omit...
e10adc3949ba59abbe56e057f20f883e:123456
All hashes have been recovered
Input.Mode: Mask (?d?d?d?d?d?d) [6]
Index.....: 0/1 (segment), 1000000 (words), 0 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 662.08k words
Progress..: 654324/1000000 (65.43%)
Running...: 00:00:00:01
Estimated.: --:--:--:--

ex:
if md5(123456) is e10adc3949ba59abbe56e057f20f883e
# echo e10adc3949ba59abbe56e057f20f883e > hash.txt
#hashcat -n 2 -m 0 -a 3 --pw-min 9 hash.txt ?d?d?d?d?d?d?d?d?d
ps:
-n = 2 threads
-pw-min 9 = minimal 9 digitals

refer
https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#why_should_i_use_a_mask_attack_i_just_want_to_brute_these_hashes