hashcat

advanced
password
recovery

hashcat oclHashcat Forums Wiki Trac Tools

Events

Recent changes

Mask Attack
Description
Try all combinations from a given keyspace just like in BruteForce attack, but more specific.

Advantage over Brute-Force

The reason for doing this and not to stick to the traditional
Brute-Force is that we want to reduce the password candidate
keyspace to a more efficient one.

Login

Sitemap

Table of Contents
Mask Attack
Description
Advantage over Brute-Force
Disadvantage compared to BruteForce
Masks
Output
Built-in charsets
Custom charsets
Examples
Example
Password length increment
Hashcat charset files
Hashcat mask files
Example
Charsets in hex
Supported by

Here is a single example. We want to crack the password: Julia1984

In traditional Brute-Force attack we require a charset that contains all upper-case letters, all
lower-case letters and all digits (aka mixalpha-numeric). The Password length is 9, so we have
to iterate through 62^9 (13.537.086.546.263.552) combinations. Lets say we crack with a rate of
100M/s, this requires more than 4 years to complete.
In Mask attack we know about humans and how they design passwords. The above password
matches a simple but common pattern. A name and year appended to it. We can also congure
the attack to try the upper-case letters only on the rst position. It is very uncommon to see an
upper-case letter only in the second or the third position. To make it short, with Mask attack we
can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237.627.520.000) combinations. With
the same cracking rate of 100M/s, this requires just 40 minutes to complete.

Disadvantage compared to Brute-Force

There is none. One can argue that the above example is very specic but this does not matter.
Even in mask attack we can congure our mask to use exactly the same keyspace as the BruteForce attack does. The thing is just that this cannot work vice versa.

Masks
For each position of the generated password candidates we need to congure a placeholder. If a
password we want to crack has the length 8, our mask must consist of 8 placeholders.
A mask is a simple string that congures the keyspace of the password candidate engine
using placeholders.
A placeholder can be either a custom charset variable, a built-in charset variable or a static
letter.
A variable is indicated by the ? letter followed by one of the built-in charset (l, u, d, s, a) or
one of the custom charset variable names (1, 2, 3, 4).
A static letter is not indicated by a letter. An exception is if we want the static letter ?
itself, which must be written as ??.

Output
Optimized due its partially reverse algorithms, password candidates are generated in the
following order:
aaaaaaaa
aaaabaaa
aaaacaaa
.
.
.
aaaaxzzz
aaaayzzz
aaaazzzz
baaaaaaa
baaabaaa
baaacaaa
.
.
.
baaaxzzz
baaayzzz
baaazzzz
.
.
.
zzzzzzzz
NOTE: This shows that the rst four letters are increased rst and most often. The exact number
however can vary, especially in a smaller keyspace, but it is xed until a keyspace has been
scanned completly.
NOTE: If you use oclHashcat you can press s while cracking to see the progress. You also see a
number of '*' chars in the Plain.Text section. The number of '*' chars tell us how many chars it
actually uses in the current attack. Range can go from one to four.

Built-in charsets
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = space!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

Custom charsets
All hashcat derivates have four commandline-parameters to configure four custom charsets.
--custom-charset1=CS
--custom-charset2=CS
--custom-charset3=CS
--custom-charset4=CS
These commandline-parameters have four analogue shortcuts called -1, -2, -3 and -4. You can
specify the chars directly on the command line or use a so-called hashcat charset le (plain text
le with .hcchr extension which contains the chars/digits to be used on the 1st line of the le).
See examples below:

Examples

The following commands all dene the same custom charset that consists of the chars
abcdefghijklmnopqrstuvwxyz0123456789 (aka lalpha-numeric):
-1
-1
-1
-1
-1

abcdefghijklmnopqrstuvwxyz0123456789
abcdefghijklmnopqrstuvwxyz?d
?l0123456789
?l?d
loweralpha_numeric.hcchr # file that contains all digits + chars (abcdefghijklmnopqrst

The following command defines a charset that consists of the chars 0123456789abcdef:
-1 ?dabcdef
The following command defines a full 7-bit ascii charset (aka mixalpha-numeric-all-space):
-1 ?l?d?s?u
The following command sets the first custom charset (-1) to russian language specific chars:
-1 charsets/special/Russian/ru_ISO-8859-5-special.hcchr

Example
The following commands creates the following password candidates:
command: -a 3 ?l?l?l?l?l?l?l?l
keyspace: aaaaaaaa - zzzzzzzz
command: -a 3 -1 ?l?d ?1?1?1?1?1
keyspace: aaaaa - 99999
command: -a 3 password?d
keyspace: password0 - password9
command: -a 3 -1 ?l?u ?1?l?l?l?l?l19?d?d
keyspace: aaaaaa1900 - Zzzzzz1999
command: -a 3 -1 ?dabcdef -2 ?l?u ?1?1?2?2?2?2?2
keyspace: 00aaaaa - ffZZZZZ
command: -a 3 -1 efghijklmnop ?1?1?1
keyspace: eee - ppp

Password length increment

A Mask attack is always specic to a password length. For example, if we use the mask ?l?l?l?l?
l?l?l?l we can only crack a password of the length 8. But if the password we try to crack has the
length 7 we will not nd it. Thats why we have to repeat the attack several times, each time with
one placeholder added to the mask. This is transparently automated by using the --increment
flag.
?l
?l?l
?l?l?l
?l?l?l?l
?l?l?l?l?l
?l?l?l?l?l?l

?l?l?l?l?l?l
?l?l?l?l?l?l?l
?l?l?l?l?l?l?l?l

Hashcat charset files

Hashcat charsets les (le extension: .hcchr) are a convenient way to reuse charsets, dene
custom charsets and use the language-specific charsets shipped by hashcat.
These les can be used together with the custom-charsetN= (or -1, -2, -3 and -4) parameter.
Instead of providing all the charset directly on command line, the support for .hcchr les allows
one to specify the path to the file:
-1 charsets/standard/German/de_cp1252.hcchr
It is important that .hcchr les are created with language specic le encodings (e.g. cp1252, ISO8859-15 etc). For examples of content and encoding of .hcchr les, see the examples shipped
with hashcat (e.g. [HASHCATROOT]/charsets/standard/Italian/).
Hint: use iconv and similar tools to convert the les to a language specic le encoding (if for
instance created as UTF-8 file).

Hashcat mask files

Hashcat mask les (le extension: .hcmask) are les which contain custom charsets (optional)
and masks (e.g. ?1?1?1?1?d?d) line-by-line. The advantage of using .hcmask files, which are plain
text les, is that those les allow the hashcat user to have a set of predened and well-working
masks stored within a le (or several e.g. password policy specic les) where the lines
contained in the hcmask le could for instance be sorted by increasing runtime and/or likelihood
of matches*.
The general format of 1 single line in the .hcmask file is as follows:
[?1],[?2],[?3],[?4],[mask]
where the placeholders are as follows:
[?1] the 1st custom charset (custom-charset1 or -1) will be set to this value, optional
[?2] the 2nd custom charset (custom-charset2 or -2) will be set to this value, optional
[?3] the 3rd custom charset (custom-charset3 or -3) will be set to this value, optional
[?4] the 4th custom charset (custom-charset4 or -4) will be set to this value, optional
[mask] the mask which should (but does not need) to use the custom-charset dened by [?
1], [?2], [?3] or [?4] and can use any additional predened charset (?d, ?l, ?u, ?s, ?a) and
can contain fixed chars too (example value: pass?1?d?d?2?l?l)
* see the PACK program and some example hcmask les shipped by hashcat (in the masks/
folder).
You supply the .hcmask le just where you would normally place the single mask on the
command line. Like this:
-a 3 hash.txt mask_file.hcmask

Other not so important syntax available in .hcmask files:

- with # you can comment a line (it won't be used), with \# you can use a # in the custom
charsets or mask
- \, means that the comma should be used literally (not a separator between ?1, ?2, ?3, ?4 or
mask)
Notes: .hcmask les can be used together with -i (increment) parameter for brute-force mode. if
[mask] contains ?1,?2,?3 or ?4 references without those being set via [?1], [?2], [?3], [?4], there

[mask] contains ?1,?2,?3 or ?4 references without those being set via [?1], [?2], [?3], [?4], there
might be unexpected outcomes. Therefore, this should be avoided if possible.
If for instance [?2] was not set because not needed, the comma that would be normally following
[?2] should also be omitted. See examples below:

Example
The following example.hcmask le contains some valid example lines which show how to use
this feature:
?d?l,test?1?1?1
abcdef,0123,ABC,789,?3?3?3?1?1?1?1?2?2?4?4?4?4
company?d?d?d?d?d
?l?l?l?l?d?d?d?d?d?d

Charsets in hex
This can be done by some of the hashcat tools using the --hex-charset flag.
hashcat: Supported.
oclHashcat: Supported.
maskprocessor: Supported.

Supported by
This attack is currently supported by:
hashcat
oclHashcat
maskprocessor
Note: mask files are currently only supported by oclHashcat
Back to top