appending numbers to combo attack
#1
Hi! I want to crack a password in the format of word1+word2 +3 digit number.

I got hashcat up and running on my gaming PC and got it to do a combination attack with the 2 word lists using this code....

hashcat64.exe -m 2500 -a 1 test.hccapx word1.txt word2.txt

But I can't seem to get the 3 digits onto the end. I tried using the -k but all the rules it can use seem to change text or add a stationary digit, but I need it to cycle through 0-9 for all three digits on the end. I also tried making a wordlist in crunch of the 3 digits but I wasn't able to make hashcat use 3 wordlists in the combination attack. 

Is there a way to pipe in the last three digits? I really appreciate the help Smile
#2
doing such an attack has become rather complicated since hashcat dropped support for fifos and the lack of support for stdin on mode a6/a7 and lack of support for rules on mode a1.

Easiest way is using combinator from hashcat utils, pipe that to hashcat and use rules to append the numbers.

Code:
combinator word1.txt word2.txt | hashcat -m2500 -r append_digit.rule -r append_digit.rule -r append_digit.rule test.hccapx

where append_digit.rule contains rules for appending one digit (ten in total)
#3
I agree with undeath (like always ?) ... and would like to suggest that depending on how small your word lists are etc, you could also think of an alternative like this:
1. first precompute and store a modified 2nd word list: combine the second word list word2 with the digits already combined
2. run -a 1 with word1 and word2_combined_with_3_digits

you could for instance use "hashcat --stdout -a 6 -o word2_combined_with_3_digits word2 ?d?d?d" to combine the dictionary file word2 with 3 digits.
Of course an approach like this only makes sense if:
1. the word list word2 is not too huge (but a too huge word list would anyways be a problem of infeasibility for -a 1 attacks)
2. the storage is not too much of a problem (fast I/O) etc
3. the resulting speed is acceptable

The speed of course depends also a lot on your GPU/CPU setup and most importantly on the hash mode (in your case it is -m 2500 = WPA/WPA2).
A small advantage of this pre-computation approach is that the ETA would be more accurate and the status display of hashcat will show more info (because no pipe is involved in this case).... but of course for most users the speed is more important than just some displayed values.
#4
Huge thanks to both Undeath and Philsmd! I'm still pretty new to hashcat so I had a hard time changing the syntax from Undeath's code to work in Windows, but Philsmd's technique worked perfectly for me because my second list was actually not that big. You guys are awesome!