hashcat Forum Support hashcat v
custom wordlist & hmask

Threaded Mode
custom wordlist & hmask
hewer Offline
Junior Member
**
Posts: 3
Threads: 1
Joined: Jun 2023
#1
06-14-2023, 05:47 PM
hash (SSHA format like: {SSHA}4EBG6UG97gnFknr9A0CRqEQBQdFnQ1JlYTdsTg==)
mask.hcmask (content)
?d?d
?d?d?d
?d?d?d?d
?d?d?d?d?d
?d?d?l?l?d
wlist.txt (content)
Serverless
Innocu
GRANdeur
trackinG
Hotel
moTel

hashcat (command)
hashcat -m 111 hash -a 3 --force --stdout mask.hcmask wlist.txt

The stdout at run time shows:
91135507
44235507
56235507
...etc

Actually, according to the command options every single hashcat attempt should be something like:
Serverless91135507
...etc
In a nutshell every line of wlist.txt should be combined with an hmask entry
Is that possible? I mean I'd like to use a custom wordlist where to every single entry should be appended an hmask attempt
what's wrong with what I'm doing?
thanks in advance
Find
Reply
Snoopy Offline
Posting Freak
*****
Posts: 825
Threads: 15
Joined: Sep 2017
#2
06-14-2023, 06:50 PM (This post was last modified: 06-14-2023, 06:57 PM by Snoopy.)
first, NEVER EVER USE --force (this can lead to wrong hashcomputing and thus wrong passes -> total garbage)

for the rest:
attack mode 3 is plain bruteforce, so your wlist.txt is skipped without warning
you are looking for https://hashcat.net/wiki/doku.php?id=hybrid_attack
attack mode 6 and be aware of the right order for the options in attack mode 6 -> dict then mask/maskfile

last:
when using --stdout yout dont need to provide an hash just try
hashcat -a6 --stdout wlist.txt mask.hcmask
Find
Reply
aikiuslik Offline
Member
***
Posts: 72
Threads: 1
Joined: Apr 2023
#3
06-14-2023, 09:45 PM
serverless116 but stop posting hashes here.
Find
Reply
hewer Offline
Junior Member
**
Posts: 3
Threads: 1
Joined: Jun 2023
#4
06-15-2023, 12:11 AM
(06-14-2023, 09:45 PM)aikiuslik Wrote: serverless116 but stop posting hashes here.
that was just a test...anyway I'll stick to it thanks
Find
Reply
hewer Offline
Junior Member
**
Posts: 3
Threads: 1
Joined: Jun 2023
#5
06-15-2023, 12:13 AM
(06-14-2023, 06:50 PM)Snoopy Wrote: first, NEVER EVER USE --force (this can lead to wrong hashcomputing and thus wrong passes -> total garbage)

for the rest:
attack mode 3 is plain bruteforce, so your wlist.txt is skipped without warning
you are looking for https://hashcat.net/wiki/doku.php?id=hybrid_attack
attack mode 6 and be aware of the right order for the options in attack mode 6 -> dict then mask/maskfile

last:
when using --stdout yout dont need to provide an hash just try
hashcat -a6 --stdout wlist.txt mask.hcmask

many thanks
it works like a charm
a few questions:
if using --stdout specifying the hash name is somewhat useless...right?
-a6 can that option be applied to any type of hash? in this case it was SSHA (salt+passwd)..I mean ..earlier my comamnd was -m 111 because that was the
right flag for that type of hash
Find
Reply
Snoopy Offline
Posting Freak
*****
Posts: 825
Threads: 15
Joined: Sep 2017
#6
06-15-2023, 02:17 AM
Every attack mode can applied to every hashtype.

--stdout just for showing what kind of passwords will be generated, no need for a hash or attackmode
Find
Reply