Mask Attack

Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.

The reason for doing this and not to stick to the traditional Brute-Force is that we want to reduce the password candidate keyspace to a more efficient one.

Here is a single example. We want to crack the password: Julia1984

In traditional Brute-Force attack we require a charset that contains all upper-case letters, all lower-case letters and all digits (aka “mixalpha-numeric”). The Password length is 9, so we have to iterate through 62^9 (13.537.086.546.263.552) combinations. Lets say we crack with a rate of 100M/s, this requires more than 4 years to complete.

In Mask attack we know about humans and how they design passwords. The above password matches a simple but common pattern. A name and year appended to it. We can also configure the attack to try the upper-case letters only on the first position. It is very uncommon to see an upper-case letter only in the second or the third position. To make it short, with Mask attack we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237.627.520.000) combinations. With the same cracking rate of 100M/s, this requires just 40 minutes to complete.

There is none. One can argue that the above example is very specific but this does not matter. Even in mask attack we can configure our mask to use exactly the same keyspace as the Brute-Force attack does. The thing is just that this cannot work vice versa.

Note that masks are split into two parts internally to give hashcat something to work as an amplifier to overcome PCI-E bottleneck.

For each position of the generated password candidates we need to configure a placeholder. If a password we want to crack has the length 8, our mask must consist of 8 placeholders.

• A mask is a simple string that configures the keyspace of the password candidate engine using placeholders.
• A placeholder can be either a custom charset variable, a built-in charset variable or a static letter.
• A variable is indicated by the ? letter followed by one of the built-in charset (l, u, d, s, a) or one of the custom charset variable names (1, 2, 3, 4).
• A static letter is not indicated by a letter. An exception is if we want the static letter ? itself, which must be written as ??.

Optimized due its partially reverse algorithms, password candidates are generated in the following order:

aaaaaaaa
aaaabaaa
aaaacaaa
.
.
.
aaaaxzzz
aaaayzzz
aaaazzzz
baaaaaaa
baaabaaa
baaacaaa
.
.
.
baaaxzzz
baaayzzz
baaazzzz
.
.
.
zzzzzzzz

NOTE: This shows that the first four letters are increased first and most often. The exact number however can vary, especially in a smaller keyspace, but it is fixed until a keyspace has been scanned completly.

• ?l = abcdefghijklmnopqrstuvwxyz
• ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
• ?d = 0123456789
• ?h = 0123456789abcdef
• ?H = 0123456789ABCDEF
• ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
• ?a = ?l?u?d?s
• ?b = 0x00 - 0xff

All hashcat versions have four commandline-parameters to configure four custom charsets.

--custom-charset1=CS
--custom-charset2=CS
--custom-charset3=CS
--custom-charset4=CS

These commandline-parameters have four analogue shortcuts called -1, -2, -3 and -4. You can specify the chars directly on the command line or use a so-called hashcat charset file (plain text file with .hcchr extension which contains the chars/digits to be used on the 1st line of the file). See examples below:

The following commands all define the same custom charset that consists of the chars “abcdefghijklmnopqrstuvwxyz0123456789” (aka “lalpha-numeric”):

-1 abcdefghijklmnopqrstuvwxyz0123456789
-1 abcdefghijklmnopqrstuvwxyz?d
-1 ?l0123456789
-1 ?l?d
-1 loweralpha_numeric.hcchr # file that contains all digits + chars (abcdefghijklmnopqrstuvwxyz0123456789)

The following command defines a charset that consists of the chars “0123456789abcdef”:

-1 ?dabcdef

The following command defines a full 7-bit ascii charset (aka “mixalpha-numeric-all-space”):

-1 ?l?d?s?u

The following command sets the first custom charset (-1) to russian language specific chars:

-1 charsets/special/Russian/ru_ISO-8859-5-special.hcchr

If -a 3 is requested without specifying a mask, the following default mask is used:

?1?2?2?2?2?2?2?3?3?3?3?d?d?d?d

… where the custom character sets are:

1 - ?l?d?u (lowercase, digits, and uppercase)
2 - ?l?d (lowercase and digits)
3 - ?l?d*!$@_ (lowercase, digits, and five selected special characters)

This mask is also available as a masks file in the ./masks/ directory,, as hashcat-default.hcmask.

The following commands creates the following password candidates:

command: -a 3 ?l?l?l?l?l?l?l?l
keyspace: aaaaaaaa - zzzzzzzz

command: -a 3 -1 ?l?d ?1?1?1?1?1
keyspace: aaaaa - 99999

command: -a 3 password?d
keyspace: password0 - password9

command: -a 3 -1 ?l?u ?1?l?l?l?l?l19?d?d
keyspace: aaaaaa1900 - Zzzzzz1999

command: -a 3 -1 ?dabcdef -2 ?l?u ?1?1?2?2?2?2?2
keyspace: 00aaaaa - ffZZZZZ

command: -a 3 -1 efghijklmnop ?1?1?1
keyspace: eee - ppp

A mask attack is always specific to a target password length. For example, if we use the mask ?l?l?l?l?l?l?l?l we can only crack a password of length 8, and if the target password is length 7, this mask will not find it. That's why we have to repeat the attack several times, each time with one placeholder added to the mask:

?l
?l?l
?l?l?l
?l?l?l?l
?l?l?l?l?l
?l?l?l?l?l?l
?l?l?l?l?l?l?l
?l?l?l?l?l?l?l?l

To automate this, you can use the --increment flag. This flag will automatically use just the first placeholder, then the first two, then the first three, etc. You can also customize the starting and ending lengths with the --increment-min and --increment-maxflags.

Note: the length of the mask itself is also a limiting factor for hashcat. Masks will not increment beyond their own length. For example, if a mask is only of length 4, --increment won't increment beyond length 4, --increment-min of 5 would have no effect, etc.

Hashcat charsets files (file extension: .hcchr) are a convenient way to reuse charsets, define custom charsets and use the language-specific charsets shipped by hashcat.

These files can be used together with the --custom-charsetN= (or -1, -2, -3 and -4) parameter. Instead of providing all the charset directly on command line, the support for .hcchr files allows one to specify the path to the file:

-1 charsets/standard/German/de_cp1252.hcchr

It is important that .hcchr files are created with language specific file encodings (e.g. cp1252, ISO-8859-15 etc). For examples of content and encoding of .hcchr files, see the examples shipped with hashcat (e.g. [HASHCATROOT]/charsets/standard/Italian/).

Hint: use iconv and similar tools to convert the files to a language specific file encoding (if for instance created as UTF-8 file).

Hashcat mask files (file extension: .hcmask) are files which contain custom charsets (optional) and masks (e.g. ?1?1?1?1?d?d) line-by-line. The advantage of using .hcmask files, which are plain text files, is that those files allow the hashcat user to have a set of predefined and well-working masks stored within a file (or several e.g. password policy specific files) where the lines contained in the hcmask file could for instance be sorted by increasing runtime and/or likelihood of matches*.

The general format of 1 single line in the .hcmask file is as follows:

[?1,][?2,][?3,][?4,]mask

where the placeholders are as follows:

• [?1] the 1st custom charset (--custom-charset1 or -1) will be set to this value, optional
• [?2] the 2nd custom charset (--custom-charset2 or -2) will be set to this value, optional
• [?3] the 3rd custom charset (--custom-charset3 or -3) will be set to this value, optional
• [?4] the 4th custom charset (--custom-charset4 or -4) will be set to this value, optional
• [mask] the mask which should (but does not need) to use the custom-charset defined by [?1], [?2], [?3] or [?4] and can use any additional predefined charset (?l, ?u, ?d, ?h, ?H, ?s, ?a, ?b) and can contain fixed chars too (example value: pass?1?d?d?2?l?l)

* see the PACK program and some example hcmask files shipped by hashcat (in the masks/ folder).


You supply the .hcmask file just where you would normally place the single mask on the command line, like so:

-a 3 hash.txt mask_file.hcmask

Other less-important syntax available in .hcmask files:

• with # you can comment a line (it won't be used), with \# you can use a # at the beginning of the line (either within the custom charsets or, if no custom charset is used, within the mask)
  
• \, means that the comma should be used literally (not a separator between ?1, ?2, ?3, ?4 or mask)
  
• ?? within the mask or custom charsets means that the question mark should be used as a literal character (otherwise if only a single question mark was used it would be interpreted as the beginning of a reference to a custom charset or built-in charset)
  

Notes:

• .hcmask files can be used together with -i (increment) parameter for brute-force mode.
• It is not allowed for a [mask] to contain ?1,?2,?3 or ?4 references without those being set via [?1], [?2], [?3], [?4]. This will result in an error message. If you want to use a custom charset for your masks you must define it within the same line of the hcmask file by using the [?1], [?2], [?3], [?4] fields.
  
• If for instance [?2] was not set because not needed, the comma that would be normally following [?2] must also be omitted. See examples below.

The following .hcmask file contains some valid example lines which show how to use this feature:

?d?l,test?1?1?1
abcdef,0123,ABC,789,?3?3?3?1?1?1?1?2?2?4?4?4?4
company?d?d?d?d?d
?l?l?l?l?d?d?d?d?d?d
?u?l,?s?d,?1?a?a?a?a?2

Note: also see FAQ: What is a hashcat mask file?

This can be done by some of the hashcat tools using the “--hex-charset” flag.