Hashcat supports masks in mode 3 (-a 3
), which defines a particular keyspace to search in by specifing the charset of each character in the password.
For example, the mask ?u?l?l?l?l?l?l?l?d
defines a keyspace where all passwords are of the form 1 uppercase followed by 7 lowercase followed by 1 digit, totalling to 9 characters. The mask can also include literal strings, e.g. Password?d?s
.
Mask syntax:
? | Charset
--+----------
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
Custom Charset
You can define your own charset in the hashcat command and use it in the mask:
hashcat -a 3 -m 1000 ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
where -1 ?d?s
defines ?1
to be a custom charset
Multiple Masks
It is also possible to use multiple masks together to account for different possible lengths of the password. Simply save the masks in a file and replace the mask in the command with the filename.
For example:
hashcat.exe -a 3 -m 1000 ntlm.txt example.hcmask
where example.hcmask
contains:
?d?s,Password?u?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?l?l?1
Note that commas separate custom charsets and the actual mask at the end.