Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.
The reason for doing this and not to stick to the traditional Brute-Force is that we want to reduce the password candidate keyspace to a more efficient one.
Here is a single example. We want to crack the password: Julia1984
In traditional Brute-Force attack we require a charset that contains all upper-case letters, all lower-case letters and all digits (aka “mixalpha-numeric”). The Password length is 9, so we have to iterate through 62^9 (13.537.086.546.263.552) combinations. Lets say we crack with a rate of 100M/s, this requires more than 4 years to complete.
In Mask attack we know about humans and how they design passwords. The above password matches a simple but common pattern. A name and year appended to it. We can also configure the attack to try the upper-case letters only on the first position. It is very uncommon to see an upper-case letter only in the second or the third position. To make it short, with Mask attack we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237.627.520.000) combinations. With the same cracking rate of 100M/s, this requires just 40 minutes to complete.
There is none. One can argue that the above example is very specific but this does not matter. Even in Mask attack we can configure our mask to use exactly the same keyspace as the Brute-Force attack does. The thing is just that this cannot not work vice versa.
For each position of the generated password candidates we need to configure a placeholder. If a password we want to crack has the length 8, our mask must consist of 8 placeholders.
Optimized due its partially reverse algorithms, password candidates are generated in the following order:
aaaaaaaa aaaabaaa aaaacaaa . . . aaaaxzzz aaaayzzz aaaazzzz baaaaaaa baaabaaa baaacaaa . . . baaaxzzz baaayzzz baaazzzz . . . zzzzzzzz
NOTE: This shows that the first four letters are increased first and most often. The exact number however can vary, especially in a smaller keyspace, but it is fixed until a keyspace has been scanned completly.
NOTE: If you use oclHashcat-lite or oclHashcat-plus you can press “s” while cracking to see the progress. You also see a number of '*' chars in the “Plain.Text” section. The number of '*' chars tell us how many chars it actually uses in the current attack. Range can go from one to four.
All hashcat derivates have four commandline-parameters to configure four custom charsets.
--custom-charset1=CS --custom-charset2=CS --custom-charset3=CS --custom-charset4=CS
These commandline-parameters have four analogue shortcuts called -1, -2, -3 and -4.
The following commands all define the same custom charset that consists of the chars “abcdefghijklmnopqrstuvwxyz0123456789” (aka “lalpha-numeric”):
-1 abcdefghijklmnopqrstuvwxyz0123456789 -1 abcdefghijklmnopqrstuvwxyz?d -1 ?l0123456789 -1 ?l?d
The following command defines a charset that consists of the chars “0123456789abcdef”:
The following command defines a full 7-bit ascii charset (aka “mixalpha-numeric-all-space”):
The following commands creates the following password candidates:
command: ?l?l?l?l?l?l?l?l keyspace: aaaaaaaa - zzzzzzzz
command: -1 ?l?d ?1?1?1?1?1 keyspace: aaaaa - 99999
command: password?d keyspace: password0 - password9
command: -1 ?l?u ?1?l?l?l?l?l19?d?d keyspace: aaaaaa1900 - Zzzzzz1999
command: -1 ?dabcdef -2 ?l?u ?1?1?2?2?2?2?2 keyspace: 00aaaaa - ffZZZZZ
command: -a 3 -1 efghijklmnop ?1?1?1 keyspace: eee - ppp
A Mask attack is always specific to a password length. For example, if we use the mask ”?l?l?l?l?l?l?l?l” we can only crack a password of the length 8. But if the password we try to crack has the length 7 we will not find it. Thats why we have to repeat the attack several times, each time with one placeholder added to the mask. This is transparently automated by using the ”--increment” flag.
?l ?l?l ?l?l?l ?l?l?l?l ?l?l?l?l?l ?l?l?l?l?l?l ?l?l?l?l?l?l?l ?l?l?l?l?l?l?l?l
This can be done by some of the hashcat tools using the ”--hex-charset” flag.