Narrowing brute force

[chararray]

I'm using hashcat against a bcrypt hash. With the method i'm using this will take years on my 3070 but I see a way to massively reduce this time I just don't know how to do it. I'm running: 

hashcat.exe -m 3200 -a 3 -o cracked.txt hash.txt -w 4 -1 ?u?l -2 ?l?u! ` ?1?l?l?l?2?2 --increment --increment-min 6 --increment-max 6 ` ?1?1?l?l?l?2?2 --increment --increment-min 7 --increment-max 7 ` ?1?l?l?l?l?2?2?2 --increment --increment-min 8 --increment-max 8 ` ?1?l?l?l?l?l?2?2?2  --increment --increment-min 9 --increment-max 9 ` ?1?l?l?l?l?l?2?2?2?2 --increment --increment-min 10 --increment-max 10 ` ?1?l?l?l?l?l?l?2?2?2?2 --increment-min 11 --increment-max 11 ` ?1?l?l?l?l?l?l?l?2?2?2?2 --increment --increment-min 12 --increment-max 12

But I know that it has to include at least one uppercase, one number, and one special character (most likely !). How can I restrict attempts that make up the bulk of my attack that look like "kfpevin". I obviously don't know the exact positions but it seems intuitive that there'd be a way to block attempts that don't fill a criteria. Otherwise will I have to make a script to do this myself? 

Any other tips for dehashing a bcrypt is helpful. I get about 1500-1600 H/s.

[slyexe]

You're completely right, you can diminish your attack significantly. Take a look at https://github.com/iphelix/pack. However, a single card attempting to crack anything over 6 characters you will most likely never accomplish in this lifetime. That is a issue with bcrypt is to prevent it from being bruteforced.

Either try remembering as much of the password as possible, create a wordlist and play with rules. Otherwise, you're looking at renting/purchasing more hashing power which will be expensive.

[Snoopy]

despite the fact, that this isnt a simple task you have 2 options i think

1. writing a script and feeding hashcat per pipe. you will see that generating and checking for your 3 restrictions will slow down the whole process, thats why hashcat doesnt work this way

2. i think the best approach would be sticking to plain lower letters and using rules to modify these words + because of  a real slow hash consider using hashcat the brain to do the work of rejecting passes allready tested (i think it should be impossible to forge a ruleset not generating doubles when it comes to this way)

you have to generate rulesets for every specific lenght, lets gimme a hint, you are starting with length 6 in your example

you need at one special char ! and one number plus any number of uppercase (you can use maskprocessor or haschat with option stdout (use latest beta for that) to help you, or just do it by hand and use combinator from hahscat utils for combinig

so lets start with replacing position 0-5 with ! (i use maskprocessor and uses a ending space just for better readablitiy in the textfiles)
mp64 -1 012345 "o?1! " > exmark.txt
file (6 rules) will be:
o0!
...
o5!

similar for digits (beware the new cli) -> (output 60 rules)
mp64 -1 012345 "o?1?d " > digits.txt

now whe combine exmark with digits
combine exmark.txt digits.txt > ex-dig.txt (360 rules, but there are now many rules like o0! o05 OR o5! o54 which are not wanted, because they just overwrite the exmark again with a number you can clean them by hand)

the fun begins with toggling, you will need all possibilites for toggling from just 1 char, to 2, 3 and 4 and each of them has to be combined with the cleaned ex-digit.txt and copied into a final rulesset for your lenght 6, due to the fact that this toggling is very specific, i would do it by hand (but you have to think of all combinations yourself length one and two is quite simple tho)

and this is the work just for lenght 6 ..., the good part is, lenght 7 needs new rules because of the new length

UPDATE:
the above is for one exclamation mark and one number, want more digits? then you will have to generatre again, more rules for 2, 3, 4 numbers