Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
84 views17 pages

Hashcat 2025 - Bruteforcing Advanced

Uploaded by

binary.rookie
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
84 views17 pages

Hashcat 2025 - Bruteforcing Advanced

Uploaded by

binary.rookie
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Brute-Force more advanced

Hashcat cracking more advanced mask attack

Requirements:
• A Windows 11 PC
• Running a Kali Linux VM
• A GPU with an OpenCL Runtime or CUDA support
• Installed drivers as per instructions on previous video:
https://youtu.be/b5zQ6xTQGfY?si=z5oT5PMf1KgmYEPV
Advice for cracking Passwords with Hashcat

Practical advice for cracking passwords with Hashcat:


• Mask attacks gets expensive really quickly and shouldn’t be your go to attack method.
• In upcoming videos in this course we’ll show you how to crack passwords with
dictionary attacks, combinator attacks, hybrid attacks and association attacks.
Hashcat built-in charsets

1. Built-in character sets in Hashcat

Built-in charsets

?l abcdefghijklmnopqrstuvwxyz

?u ABCDEFGHIJKLMNOPQRSTUVWXYZ

?d 0123456789

?h 0123456789abcdef

?H 0123456789ABCDEF

?s «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

?a ?l?u?d?s

?b 0x00 - 0xff
Custom charsets

2. Hashcat has up to 4 commandline-parameters to setup custom charsets.

4 commandline-parameter charsets Shortcuts

--custom-charset1=CS -1

--custom-charset2=CS -2

--custom-charset3=CS -3

--custom-charset4=CS -4
Defining a custom charsets

3. Let’s define a custom charset -1 for all alphanumeric characters. This mask contains 9
characters, starts with a custom charset which contains all alphanumeric characters
(including special characters), and then 8 digits.

hashcat -a 3 -m 22000 hash.hc22000 -1 ?l?u?d?s ?1?d?d?d?d?d?d?d?d

Let’s define another custom charset. This creates a charset that contains “abcdef” for
the custom charset held under -1 and the “ghijkl” for the charset held under -2. So you
have any character from “abcdef” in the first position, then 8 digits, followed by any
character from “ghijkl”.
hashcat -a 3 -m 22000 hash.hc22000 -1 abcdef -2 ghijkl ?1?d?d?d?d?d?d?d?2
Static charsets

4. Hashcat has up to 4 commandline-parameters to setup custom charsets.


Password Length Increment

1. A potential issue with cracking a password using a mask such as:


ishashcat
that it will-aonly
3 -m 22000 hash.hc22000 ?a?a?a?a?a?a?a?a?a?a
is that this command only attempts to crack passwords that are exactly 10 characters
in length. If the real password is 9 characters or fewer, it will not be tested and therefore
won’t be cracked. To address this, you need to use Hashcat’s increment feature (e.g., --
increment or -i), which allows you to try shorter lengths as well.
Password Length Increment

2. You can use the increment flag as follows:


hashcat -a 3 -m 22000 hash.hc22000 --increment ?a?a?a?a?a?a?a?a?a?a
With this command, Hashcat will first try a single character (?a), then two characters
(?a?a), then three, and so on, up to ten characters in this example, until it finds the
correct password or exhausts all possibilities.
Password Length Increment

3. You can use the --increment-min flag and --increment-max flags like this:
hashcat -a 3 -m 22000 hash.hc22000 --increment-min 3 –increment-max 8 ?a?a?a?a?a?a?a?a?a?a

With this command, Hashcat will only attempt password lengths from 3 characters up
to 8 characters. It will skip lengths below 3 and above 8, thereby focusing on that
specific range.
Password Length Increment
4. Why Use --increment-max with a Larger Mask Instead of Just Limiting Mask Size?
• Same End Result (If You Know the Max Length)
If you know for certain that your password is at most 8 characters, simply using eight ?a placeholders (like
?a?a?a?a?a?a?a?a) with --increment-min 3 achieves the same result as using ten ?a placeholders plus --
increment-min 3 --increment-max 8. In both cases, Hashcat will only attempt lengths from 3 to 8.
• Flexibility (If You’re Unsure About Max Length)
Defining a mask with 10 (or more) placeholders and then applying --increment-max 8 offers the advantage of easy
reconfiguration. If you suspect the password might be 9 or 10 characters long later, you only need to adjust the --
increment-max value, rather than editing the actual mask. This makes it simpler to experiment or adjust your
cracking parameters.
• Performance Considerations
Typically, there’s no significant performance penalty for using a larger mask with an --increment-max limit instead of
a strictly sized mask. Hashcat will skip any lengths beyond the --increment-max value, so extra placeholders aren’t
actively used once you exceed that limit.
Password Length Increment

5. Important Note About Mask Length


The overall length of the mask itself is a hard limit for Hashcat. No matter what you set
for --increment-min or --increment-max, Hashcat will not exceed the length of the mask.
For example, if you only specify a 4-character mask (?a?a?a?a), then specifying
--increment-min 5 has no effect because the mask is not long enough to reach 5
characters.
Password Length Increment

hashcat -a 3 -m 22000 hash.hc22000 --increment-min 3 --increment-max 8 ?a?a?a?a?a?a?a?a?a?a

951 952 953 954 955 956 957 958 959 9510

You will need add up 953 + 954 + 955 + 956 + 957 + 958 =
6,704,780,954,508,000

Hashcat will attempt exactly 6,704,780,954,508,000 different candidates,


covering all strings from length 3 up to length 8, each character drawn from 95
possible printable ASCII characters.

If a computer was hypothetically hashing at 100M/s it would take ~2 years to


crack.
Mask Files

1. Hashcat’s developers have already included mask files, which you can find in the
directory where Hashcat is extracted. In my example, that directory is C:\hashcat-
6.2.6\masks.
Mask Files

2. You can see in the hashcat-default.hcmask file that there are three custom defined groups.
There first custom charset is ?l (lowercase letters), followed by ?d (digits), followed by ?u
(uppercase letters). There are two other custom charsets, and then there are 15 characters
in the mask.
Mask Files

3. To run a mask file you can use the following command, where you just add the mask
location at the end of the command
hashcat -a 3 -m 22000 hash.hc22000 ./masks/hashcat-default.hcmask
Get more information

1. Website: https://www.youtube.com/davidbombal
2. Website: https://www.hashcat.com/hashcat
3. Website: https://hashcat.net/wiki/doku.php?id=mask_attack
4. Website: https://hashcat.net/wiki/doku.php?id=example_hashes

You might also like