Mask/Charset - Try 1 More Character?

[l008com]

I'm trying to bruteforce a slow hash using the following charset:

Code:

?l?u?d!@

So 0-9, a-z ,A-Z, plus the symbols ! and @
I'm using the mask:

Code:

?1?1?1?1?1

Let's say I finish that and find nothing. Then my client comes back to me and says

you know, there might have been a question mark in there too

Is there a way I can do a charset/mask combo that will basically test the full bruteforce charset of 5 characters of [0-9a-zA-Z!@?]{5} *BUT* only the ones in there that include a question mark. At least one question mark is required, but in any position. Is that something you can do, or would I have to use a script to make my own filtered wordlist and then just feed the wordlist into hashcat? 

Note that I don't want to re-try everything with ?l?u?d!@? and ?1?!?!?!?! because it is a slow hash and that will take several extra days.

[DanielG]

make a mask file and fill it with:

?l?u?d!@,???1?1?1?1
?l?u?d!@,?1???1?1?1
?l?u?d!@,?1?1???1?1
?l?u?d!@,?1?1?1???1
?l?u?d!@,?1?1?1?1??

that way you are checking every option where questionmark is in first position, then second position, then third, etc.
please note that because a questionmark is a special char you need to specify it in the mask as ?? (see the wiki for more info).

If you want more than 1 question mark you will need to append the list with those permutations and positions.

[l008com]

Interesting. Although I'd need a lot more than that for all the possible combinations of ?? and ?1
?????1?1?1 etc etc. It's a lot but it's finite.

[DanielG]

In total it is also less than the whole [0-9a-zA-Z!@?]{5}

[l008com]

Actually on second though, this is a hard list to make, coming up with every 5 character string made up of A and B that has at least one A and at least one B in it. Is there an easier way to come up with this?

[DanielG]

It's binary counting where 0 = ?? and 1 = ?1 whereby avoiding 11111 (which you already brute-forced) and 00000 (5 question marks). This means there are only (2^5 - 2 =) 30 lines.

Here are those 30 lines:

Code:

?l?u?d!@,?????????1
?l?u?d!@,???????1??
?l?u?d!@,???????1?1
?l?u?d!@,?????1????
?l?u?d!@,?????1???1
?l?u?d!@,?????1?1??
?l?u?d!@,?????1?1?1
?l?u?d!@,???1??????
?l?u?d!@,???1?????1
?l?u?d!@,???1???1??
?l?u?d!@,???1???1?1
?l?u?d!@,???1?1????
?l?u?d!@,???1?1???1
?l?u?d!@,???1?1?1??
?l?u?d!@,???1?1?1?1
?l?u?d!@,?1????????
?l?u?d!@,?1???????1
?l?u?d!@,?1?????1??
?l?u?d!@,?1?????1?1
?l?u?d!@,?1???1????
?l?u?d!@,?1???1???1
?l?u?d!@,?1???1?1??
?l?u?d!@,?1???1?1?1
?l?u?d!@,?1?1??????
?l?u?d!@,?1?1?????1
?l?u?d!@,?1?1???1??
?l?u?d!@,?1?1???1?1
?l?u?d!@,?1?1?1????
?l?u?d!@,?1?1?1???1
?l?u?d!@,?1?1?1?1??