hi there.
mp64 produces password candidates, not masks. so for a mask of length 10 you would want to pipe (|) the output from mp64 directly into hashcat instead of writing to a file. -q 2 should limit 2 in a row, not -q 3. Also, the -r 2 parameter will reduce the keyspace a LOT more, because it limits the occurances of each character.
Applying -r 2 on a mask of length 10 seems to be slow though, so why not first produce all candidates for length 5, like this:
./mp64.bin -q 2 -r 2 -1 ?u?d "?1?1?1?1?1" -o tmp2.txt
or
./mp64.bin -q 3 -r 3 -1 ?u?d "?1?1?1?1?1" -o tmp3.txt
and then use a combination attack -a 1 to append two length 5 candidates to produce candidates of length 10. could look something like this:
./hashcat -w 4 -m 2500 eapol.hccap -a 1 tmp2.txt tmp2.txt
or:
./hashcat -w 4 -m 2500 eapol.hccap -a 1 tmp3.txt tmp3.txt
tmp2.txt would be ~261 MB and
tmp3.txt would be ~344 MB ...
p.s. since you are doing WPA2 which is a slow hash, the discussed keyspace reduction most likely still won't do the trick for you. especially if you can only do 150 kH/s ... you really want to find out more details about the exact router model and further reduce the keyspace (e.g. possibly the vendor calculated the password from the mac address or so ... some routers don't use 1 and I and 0 and O because of readability. some have fixed parts, like the first two characters being model specific or such). good luck!
mp64 produces password candidates, not masks. so for a mask of length 10 you would want to pipe (|) the output from mp64 directly into hashcat instead of writing to a file. -q 2 should limit 2 in a row, not -q 3. Also, the -r 2 parameter will reduce the keyspace a LOT more, because it limits the occurances of each character.
Applying -r 2 on a mask of length 10 seems to be slow though, so why not first produce all candidates for length 5, like this:
./mp64.bin -q 2 -r 2 -1 ?u?d "?1?1?1?1?1" -o tmp2.txt
or
./mp64.bin -q 3 -r 3 -1 ?u?d "?1?1?1?1?1" -o tmp3.txt
and then use a combination attack -a 1 to append two length 5 candidates to produce candidates of length 10. could look something like this:
./hashcat -w 4 -m 2500 eapol.hccap -a 1 tmp2.txt tmp2.txt
or:
./hashcat -w 4 -m 2500 eapol.hccap -a 1 tmp3.txt tmp3.txt
tmp2.txt would be ~261 MB and
tmp3.txt would be ~344 MB ...
p.s. since you are doing WPA2 which is a slow hash, the discussed keyspace reduction most likely still won't do the trick for you. especially if you can only do 150 kH/s ... you really want to find out more details about the exact router model and further reduce the keyspace (e.g. possibly the vendor calculated the password from the mac address or so ... some routers don't use 1 and I and 0 and O because of readability. some have fixed parts, like the first two characters being model specific or such). good luck!