hashcat Forum Support hashcat v
Hashcat mask help with hybrid mode

Threaded Mode
Hashcat mask help with hybrid mode
odinnwisdom Offline
Junior Member
**
Posts: 2
Threads: 1
Joined: Jul 2025
#1
07-21-2025, 11:04 AM
Hi everyone, I'm trying to crack multiple PMKID hashes using hashcat. All passwords are 10-digit mobile numbers that start with specific 3-digit prefixes, and follow a consistent pattern:
  • The first 3 digits are one of: 050, 051, 055, 070, 077, 010, 099
  • The fourth digit is between 2 and 9 (never 0 or 1)
  • The remaining digits are between 0–9

I created a prefixes.txt file with the following content:
050
051
055
070
077
010
099
Then I used this command:
Code:
hashcat -a 6 -m 22000 pmkid_hash.22000 prefixes.txt --custom-charset1=23456789 ?1?d?d?d?d?d?d
This works, but it's extremely slow — only around 1,000 H/s, while I usually get ~85–95K H/s with my older GPU.
After digging the forum, I found out I should use it like this:
Code:
hashcat -a 6 prefixes.txt --custom-charset1=23456789 ?1?d?d?d?d?d?d --stdout | hashcat -m 22000 pmkid_hash.22000
This method is much faster, but:
  • I can't see the status menu (pause, resume, checkpoint, etc.)
  • No ETA or total hashes are shown — only how many have hashes been tried is shown
  • I know I can calculate ETA manually (56 million per hash), but having checkpoint support is important

Thanks!
Find
Reply
DanielG Offline
Pentester
***
Posts: 210
Threads: 0
Joined: Nov 2017
#2
07-21-2025, 03:13 PM
creating a file with all the passwords would only be around 616 megabytes large. Something easily handled by hashcat in normal '-a 0' mode. This is also I think the fastest way performance wise. Perfaps first create that file and try it then?
Find
Reply
odinnwisdom Offline
Junior Member
**
Posts: 2
Threads: 1
Joined: Jul 2025
#3
07-22-2025, 02:14 PM
(07-21-2025, 03:13 PM)DanielG Wrote: creating a file with all the passwords would only be around 616 megabytes large. Something easily handled by hashcat in normal '-a 0' mode. This is also I think the fastest way performance wise. Perfaps first create that file and try it then?

Oh, that's actually making sense, thanks! I don't know why I didn't think about it, maybe because I was asleep Smile
Find
Reply
ahmadleo Offline
Junior Member
**
Posts: 2
Threads: 0
Joined: Oct 2024
#4
07-24-2025, 10:31 AM (This post was last modified: 07-25-2025, 01:08 AM by Chick3nman.)
To crack PMKID hashes using Hashcat with your custom mobile number pattern, you're on the right track by identifying valid prefixes and structuring your logic. Since your passwords are 10-digit numbers starting with a known 3-digit prefix and a specific range for the 4th digit, brute-forcing with masks is the most efficient way.
Find
Reply