Need help with building mask

I am trying to recover ms access 2010 encrypted database password. I have tried with dictionary but no luck.

I usually keep 8 to 20 char alpha numeric with special char password. Unfortunately, i am not able to recall the password.

I have generated the hash from access database, and I am going to try brute force with min 8 length with increment of 1, however how do i specify the correct mask.

I tried this wiki

For example, if we use the mask “?l?l?l?l?l?l?l?l” we can only crack a password of the length 8.

but this appears to be only for lowercase

can someone help me with building the mask which can try alpha numeric with special char

You're not going to be happy trying to BF >= 8 characters full ascii charset. Try dict+rules if you haven't.
Actually, I am referring to this post which states we can spin cloud instance p2.16xlarge and give it try, which will considerably speed up the processing. In his example it went down from 4 days to 1 min.

I will try both dict+rules and brute force. can you help me with the examples for both?

(08-22-2019, 10:38 PM)singhn Wrote: In his example it went down from 4 days to 1 min.

He also lied and said it 8 lower case characters, but his hashcat output only shows 6....
Guess.Mask.......: ?l?l?l?l?l?l [6]

So, realistically, 8+ characters will take a MUCH longer timeframe. Without knowing any part of the password, you're digging yourself into a LONG wait for potentially nothing as a result using bruteforce. 

As previously mentioned, you can accomplish a lot more using wordlist and rules in a much shorter time frame. 

Check out for some good sources of wordlist. Then a good start would be to use the best64.rule with any of those wordlist. 

Heres the example hash output for an 6 ASCII character attempt on a 1070 GTX. 

Session..........: hashcat
Status...........: Running
Hash.Type........: MS Office 2010
Hash.Target......: $office$*2010*100000*128*16*77233201017277788267221...993557
Time.Started.....: Thu Aug 22 18:09:18 2019 (0 secs)
Time.Estimated...: Sat Jul 25 17:04:02 2020 (337 days, 22 hours)
Guess.Mask.......: ?a?a?a?a?a?a [6]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    25175 H/s (7.55ms) @ Accel:64 Loops:32 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0/735091890625 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/7737809375 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:96-128
Candidates.#1....: sarier -> s# -19
Hardware.Mon.#1..: Temp: 38c Fan: 26% Util: 38% Core:1594MHz Mem:4104MHz Bus:16

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Thanks slyexe, basically, i interchange the some chars with numbers and some with special for example, E with 3, o with 0, i with !, but not all, just some. I do tend to use other special chars as well not just !. here is an example of one of my passwords H3lL0_w0rLD-2oo7!! but that's simpler one, i did use longer password on the access db.

If you can guide me with how can i create a rule set which can possible crack 8 to 24 alpha numeric with special char password, I can spin up p2.16xlarge instance, and see the estimates.

Hi Folks,

any examples how can i achieve my objective?
Your passwords are unnecessarily complex, a password such as myaccesspasswordispassword is stronger you dont need special chars