{"id":582,"date":"2022-07-26T06:32:40","date_gmt":"2022-07-26T04:32:40","guid":{"rendered":"https:\/\/infosecscout.com\/?p=582"},"modified":"2023-11-22T13:00:08","modified_gmt":"2023-11-22T12:00:08","slug":"use-mask-attack-with-hashcat","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/","title":{"rendered":"How To Use Mask Attack With Hashcat &#8211; A complete guide"},"content":{"rendered":"\n<p>Hashcat is a free and fast password cracker available on any platform (Linux, Windows, macOS). I talk a lot about this tool on this website, and today we&#8217;ll focus on one of the most popular feature you can use with Hashcat: the mask attack. <\/p>\n\n\n\n<p><strong>Hashcat can use several attacks. Mask attacks is the number 3 (-a 3) and should be followed with the key space of the password you are looking to crack (ex: ?l?l?l for a three characters password in lowercase). The full command looks like: <em>hashcat &lt;hashes&gt; -m 0 -a 3 &lt;key space&gt;<\/em>.<\/strong><\/p>\n\n\n\n<p>Don&#8217;t worry if you are new to this vocabulary, I&#8217;ll explain everything in this article. Just <a href=\"https:\/\/infosecscout.com\/install-hashcat-on-windows\/\" data-type=\"post\" data-id=\"570\" target=\"_blank\" rel=\"noreferrer noopener\">make sure you have Hashcat installed on your computer<\/a>, and read the following to know everything about mask attacks with Hashcat.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#What_is_a_mask_attack_in_Hashcat\" title=\"What is a mask attack in Hashcat\">What is a mask attack in Hashcat<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#How_to_use_mask_attack_with_Hashcat\" title=\"How to use mask attack with Hashcat\">How to use mask attack with Hashcat<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#Theory\" title=\"Theory\">Theory<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#Charsets\" title=\"Charsets\">Charsets<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#Custom_charsets\" title=\"Custom charsets\">Custom charsets<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#Examples\" title=\"Examples\">Examples<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#Using_mask_files_with_Hashcat\" title=\"Using mask files with Hashcat\">Using mask files with Hashcat<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#Use_built-in_mask_files\" title=\"Use built-in mask files\">Use built-in mask files<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/infosecscout.com\/use-mask-attack-with-hashcat\/#Create_your_own_files\" title=\"Create your own files\">Create your own files<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_a_mask_attack_in_Hashcat\"><\/span>What is a mask attack in Hashcat<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Mask attack is a built-in feature in Hashcat, allowing to try all combinations in a specific key space (a set of possible passwords formats). Most people are using similar passwords formats, making it a faster solution than brute force on completely random characters.<\/strong><\/p>\n\n\n\n<p>For example, if you know that most users have an 8 characters password (because of a minimum number of character set in the system), and most of them will end their password with their birth year, you can guess that many passwords might look like &#8220;mike1990&#8221; or &#8220;jordan85&#8221;.<\/p>\n\n\n\n<p>In this case, we can try these two formats (4 letters + 4 numbers, 6 letters + 2 numbers)  before using brute force on random formats. Hashcat can do this for you. You can even specify if you are testing all letters or just the lowercase ones.<\/p>\n\n\n\n<p>The less possibility you use in your mask, the faster it will be to find the corresponding matches.<\/p>\n\n\n\n<p>But instead of being two long on the theory, let&#8217;s start directly the practice. I&#8217;ll explain how this strategy works with Hashcat and give you a few examples.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_use_mask_attack_with_Hashcat\"><\/span>How to use mask attack with Hashcat<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Theory\"><\/span>Theory<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Before using mask attack with Hashcat, there are a few concepts you need to understand.<\/p>\n\n\n\n<p>First, the hashcat command syntax looks like this:<br><code>hashcat &lt;options&gt; &lt;hashes&gt; &lt;mask&gt;<\/code><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"778\" height=\"51\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/hashcat-syntax.jpg\" alt=\"\" class=\"wp-image-591\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/hashcat-syntax.jpg 778w, https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/hashcat-syntax-300x20.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/hashcat-syntax-768x50.jpg 768w\" sizes=\"(max-width: 778px) 100vw, 778px\" \/><\/figure><\/div>\n\n\n<p>The main options include the algorithm you are testing (0 is MD5 for example), and the attack you want to try (mask attack is 3). So, your command will start with something like:<br><code>hashcat -m 0 -a 3 &lt;hashes&gt; &lt;mask&gt;<\/code><\/p>\n\n\n\n<p>The &lt;hashes&gt; parameter can either be one specific MD5 hash (5f4dcc3b5aa765d61d8327deb882cf99 is &#8220;password&#8221; for example) or a file containing different hashes.<\/p>\n\n\n\n<p>The&lt;mask&gt; parameter is the format you want to try (the key space), or a file containing a list of key spaces (I will talk about this at the end). The key space tells the length of the password you are trying to crack, and the charsets used in the plain text password (lowercase, uppercase, numbers, special characters, etc.).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Charsets\"><\/span>Charsets<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Hashcat include a number of built-in charsets that you can use directly in the mask attack command:<\/p>\n\n\n\n<ul><li><strong>?l = abcdefghijklmnopqrstuvwxyz<\/strong><\/li><li><strong>?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ<\/strong><\/li><li><strong>?d = 0123456789<\/strong><\/li><li><strong>?h = 0123456789abcdef<\/strong><\/li><li><strong>?H = 0123456789ABCDEF<\/strong><\/li><li><strong>?s = \u00abspace\u00bb!&#8221;#$%&amp;'()*+,-.\/:;&lt;=>?@[]^_`{|}~<\/strong><\/li><li><strong>?a = ?l?u?d?s<\/strong><\/li><li><strong>?b = 0x00 &#8211; 0xff<\/strong><\/li><\/ul>\n\n\n\n<p>Knowing this, a first basic example for mask attack in Hashcat can look like this:<br><code>hashcat -m 0 -a 3 5f4dcc3b5aa765d61d8327deb882cf99 ?l?l?l?l?d?d?d?d<\/code><\/p>\n\n\n\n<p>In this case, I&#8217;m testing all the possibilities for a password starting with 4 letters in lowercase, followed by 4 digits. This won&#8217;t find a match, as my MD5 hash is the encrypted version of the word &#8220;password&#8221;. But you get the idea.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Custom_charsets\"><\/span>Custom charsets<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>It is possible to create custom charsets with Hashcat, in case the built-in charsets don&#8217;t fit your needs. You can use 4 custom charsets by using 4 shortcuts (-1, -2, -3 and -4).<\/strong><\/p>\n\n\n\n<p>Here is an example:<br><code>hashcat -m 0 -a 3 -1 abcdefghijklmnopqrstuvwxyz0123456789 &lt;hash&gt; ?1?1?1?1<\/code><\/p>\n\n\n\n<p>In this example, I create a new charset including lowercase letters and digits, and try to crack the password by testing 4 characters words using this charset.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Examples\"><\/span>Examples<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>You can then combine these different charsets to do exactly what you want, here are a few examples:<\/p>\n\n\n\n<ul><li><strong>Passwords containing 8 digits:<br><\/strong><code>hashcat -m 0 -a 3 &lt;hash> ?d?d?d?d?d?d?d?d<\/code><\/li><li><strong>Passwords in lowercase letters, ending with two digits:<br><\/strong><code>hashcat -m 0 -a 3 &lt;hash> ?l?l?l?l?l?l?d?d<\/code><\/li><li><strong>Passwords composed of 5 letters (lowercase and uppercase): <br><\/strong><code>hashcat -m 0 -a 3 -1 ?l?u &lt;hash> ?1?1?1?1?1<\/code><\/li><\/ul>\n\n\n\n<p>They are random examples, but I hope you get the idea. You can always <a href=\"https:\/\/hashcat.net\/wiki\/doku.php?id=mask_attack\" target=\"_blank\" rel=\"noreferrer noopener\">refer to the official documentation<\/a> now that you know the basics of mask attack with Hashcat.<\/p>\n\n\n\n<p>And if you want to try to crack the word &#8220;password&#8221; I give you letter, you&#8217;ll need to try an 8 characters with lowercase only, so something like:<br><code>hashcat -m 0 -a 3 5f4dcc3b5aa765d61d8327deb882cf99 ?l?l?l?l?l?l?l?l<\/code><br>Giving you this result after a few seconds:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"583\" height=\"252\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/cracked-password.jpg\" alt=\"\" class=\"wp-image-584\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/cracked-password.jpg 583w, https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/cracked-password-300x130.jpg 300w\" sizes=\"(max-width: 583px) 100vw, 583px\" \/><\/figure><\/div>\n\n\n<p>Each matching password cracked will be shown in the command output. The process will stop once all hashes have been cracked (you can replace the hash in the command line by the name of a file containing all hashes, one per line):<br><code>hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?l<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Using_mask_files_with_Hashcat\"><\/span>Using mask files with Hashcat<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In general, you won&#8217;t know the exact mask for a set of hashes you want to crack. But you can guess what the best chances are. Most people are using the same kind of passwords formats.<\/p>\n\n\n\n<p>As I explained previously, you have more chances to find short passwords starting in lowercase and ending with a few digits, maybe one special character, than 20 characters long passwords with 10 special characters in them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Use_built-in_mask_files\"><\/span>Use built-in mask files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"805\" height=\"449\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/masks-folder.jpg\" alt=\"\" class=\"wp-image-586\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/masks-folder.jpg 805w, https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/masks-folder-300x167.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/masks-folder-768x428.jpg 768w\" sizes=\"(max-width: 805px) 100vw, 805px\" \/><\/figure><\/div>\n\n\n<p><strong>When you install Hashcat, a folder named &#8220;masks&#8221; is created in the main directory, including a few mask files you can use for mask attacks. These files are created with the most common passwords formats found in major leaks.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"789\" height=\"287\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/masks-files.jpg\" alt=\"\" class=\"wp-image-587\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/masks-files.jpg 789w, https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/masks-files-300x109.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/masks-files-768x279.jpg 768w\" sizes=\"(max-width: 789px) 100vw, 789px\" \/><\/figure>\n\n\n\n<p>You can for example try the file rockyou-1-60.hcmask. Rock You is probably one of the major password leak, and several files have been created for you in this folder. You can use this file with the command:<br><code>hashcat -m 0 -a 3 hashes.txt masks\\rockyou-1-60.hcmask<\/code><\/p>\n\n\n\n<p>It will test all the masks contained in this file one by one and print the corresponding matches found in your hashes.txt file:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"485\" height=\"246\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/rockyou-masks.jpg\" alt=\"\" class=\"wp-image-588\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/rockyou-masks.jpg 485w, https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/rockyou-masks-300x152.jpg 300w\" sizes=\"(max-width: 485px) 100vw, 485px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Create_your_own_files\"><\/span>Create your own files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>An alternative is to create your own files, following the same format (one key space per line). This is often the fastest way to crack passwords when you have a few insights about the passwords formats.<\/strong><\/p>\n\n\n\n<p>Create the file under the masks folder (or anywhere else really), put a few key spaces you want to try in it, and run the same command, just changing the file name.<\/p>\n\n\n\n<p>Default files are good, but won&#8217;t necessarily fit the info you already have. For example, RockYou try a lot of short passwords. If you have a list of passwords that you know are at least 10 characters long, you&#8217;ll lose a ton of time testing shorter ones, while there is no need to.<\/p>\n\n\n\n<p>Want to know more about hashcat? Read my other articles on the topic:<\/p>\n\n\n\n<ul><li><a href=\"https:\/\/infosecscout.com\/hashcat-tutorial-decrypt-md5\/\" data-type=\"post\" data-id=\"193\">How to Install and Use Hashcat to Decrypt MD5? (Tutorial)<\/a><\/li><li><a href=\"https:\/\/infosecscout.com\/install-hashcat-on-windows\/\" data-type=\"post\" data-id=\"570\">How To Install Hashcat on Windows<\/a><\/li><li><a href=\"https:\/\/infosecscout.com\/install-hashcat-on-ubuntu\/\" data-type=\"post\" data-id=\"558\">How To Install Hashcat On Ubuntu<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Hashcat is a free and fast password cracker available on any platform (Linux, Windows, macOS). I talk a lot about this tool on this website, and today we&#8217;ll focus on one of the most popular feature you can use with Hashcat: the mask attack. Hashcat can use several attacks. Mask attacks is the number 3&#8230;<\/p>\n","protected":false},"author":1,"featured_media":590,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[15],"tags":[],"taxonomy_info":{"category":[{"value":15,"label":"Hacking"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2022\/07\/mask-attack-hashcat-1024x683.jpg",1024,683,true],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":0,"category_info":[{"term_id":15,"name":"Hacking","slug":"hacking","term_group":0,"term_taxonomy_id":15,"taxonomy":"category","description":"Ready to level up? Our Hacking Guides have you covered with step-by-step instructions on using tools like Hashcat. It's hacking made simple and fun!","parent":0,"count":15,"filter":"raw","cat_ID":15,"category_count":15,"category_description":"Ready to level up? Our Hacking Guides have you covered with step-by-step instructions on using tools like Hashcat. It's hacking made simple and fun!","cat_name":"Hacking","category_nicename":"hacking","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/582"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=582"}],"version-history":[{"count":6,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/582\/revisions"}],"predecessor-version":[{"id":594,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/582\/revisions\/594"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/590"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}