How to Perform a Mask Attack Using hashcat


Author William Hurer-Mackay

Date 26 September 2016

In this tutorial we will show you how to perform a mask attack in hashcat.

We will specify masks containing specific ranges using the command line and with hashcat mask files.

To demonstrate, we will perform a mask attack on a MD5 hash of the password “Mask101”.

This guide is demonstrated using the Kali Linux operating system by Offensive Security. Some commands may differ on other systems but the process is the same.

What Is a Mask Attack?

Mask attacks are similar to brute-force attacks given they try all combinations from a set of characters. With brute-force attacks, all possible characters that exist are tried. Mask attacks are more specific as the set of characters you try is reduced based on information you know.

For example, if you know the last character in a password is a number, you can configure your mask to only try numbers at the end. Using traditional brute-force attacks, you would still be forced to try characters that are not numbers.

This matters because the total combination of characters to exhaust with a masking attack is smaller.

For example, if we take the following password:

Mask101

It has a length of 7 characters and for each one, it could be upper-case (26 potential characters), lower-case (26 potential characters), a symbol (33 potential characters) or a number (10 potential characters), we’d have to try a total number of 95^7 (69,833,728,698,375) combinations.

Now suppose we know the last three characters are numbers.  This would drastically reduce the potential keyspace as no passwords with any letter or symbol in the last three spaces would need to be tried.

Of course you need to make sure your information on the password is correct, otherwise your mask may not generate the password. Using masking you can also create masks to exploit password habits. For example, a common habit is for passwords to start with a capital if at least one is required.

Another example where masking can be applied is that if default passwords schemes use a known set of characters. A lot of home router’s have default password generation algorithms and information about their keyspace can be found online.

Creating an MD5 Hashed Password To Use

To start, we need to generate the hash. On my system running Kali Linux, I can run the following command to generate a file containing the hashed word:

echo -n "Mask101" | md5sum | tr -d " -" > hash

This command is explained in a previous blog post but to summarise it creates an MD5 hash of whatever text is echoed and stores it in a file called hash.

If that doesn’t work on your system you can run this command to store the hashed password in a file:

echo -n "bde14596c16536af673ce451f25b2a94" > hash

Understanding the hashcat parameters

So now that we have the hash we want to perform our mask attack on, we will now define our mask.

To speed up the process of the cracking, we are going to base this attack on us knowing the last three characters are numbers and the first one is also a capital letter. Knowing this, as already explained will reduce the number of combinations needed to try even more.

From the output of “hashcat –help” we’ll use the following information to perform our mask attack:

* General:

  -m,  --hash-type=NUM               Hash-type, see references below

  -a,  --attack-mode=NUM             Attack-mode, see references below


* Hash types:

     0 = MD5


* Attack modes:

    0 = Straight

    1 = Combination

    2 = Toggle-Case

    3 = Brute-force

    4 = Permutation

    5 = Table-Lookup

    8 = Prince

Based on the above the start of our command looks like the following:

hashcat –m 0 –a 3

So far we are specifying our hash as MD5 (-m 0) and our attack mode as a brute-force (-a 3).

Note that although this method isn’t regarded as a proper brute-force attack, it has replaced the brute-forcing function in hashcat. This is because it’s possible to perform a traditional brute-force attack if the mask specifies every possible character to try.

Below are the mask commands from “hashcat –help”

* Built-in charsets:

   ?l = abcdefghijklmnopqrstuvwxyz

   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ

   ?d = 0123456789

   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

   ?a = ?l?u?d?s

   ?b = 0x00 - 0xff



* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets

  -2,  --custom-charset2=CS          Example:

  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef

  -4,  --custom-charset4=CS          -2 mycharset.hcchr : sets charset ?2 to chars contained in file

We can see that the built-in charsets can be used to specify a useful range of characters. However, in our case, we need to be more specific. To do this, we will create a custom charset which makes our next portion of the command like so:

-1 ?u -2 ?u?l?d -3 ?d

Here we are creating three different character sets. The “?” followed by either “l”, “u”, “d’ characters are used to access the built-in charsets available (see “hashcat –help” output above for more details).

This means our custom charsets -1,-2 and -3 are equal to:

CharsetContains the charcters
-1ABCDEFGHIJKLMNOPQRSTUVWXYZ
-2abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
-30123456789

Now that they are defined, we need to specify for every character which charset to use. For example, we know in our password that the first character is uppercase. So for the first character we want to use the character set “-1”.

To specify the character sets for all eight characters of the password in command form, we would do the following:

?1?2?2?2?3?3?3

Putting this all together, the full command that will run our masking attack looks like:

# hashcat -m 0 -a 3 -1 ?u -2 -?l?u?d -3 ?d  hash ?1?2?2?2?3?3?3

The word “hash” refers to the file we created earlier containing the hashed password.

Running the Mask Attack

After running the command, the attack will start and you should get output similar to the following:

# hashcat -m 0 -a 3 -1 ?u -2 -?l?u?d -3 ?d  hash ?1?2?2?2?3?3?3

Initializing hashcat v2.00 with 2 threads and 32mb segment-size...


Added hashes from file hash: 1 (1 salts)

Activating quick-digest mode for single-hash


[s]tatus [p]ause [r]esume [b]ypass [q]uit => s


Input.Mode: Mask (?1?2?2?2?3?3?3) [7]

Index.....: 0/1 (segment), 4094064000 (words), 0 (bytes)

Recovered.: 0/1 hashes, 0/1 salts

Speed/sec.: - plains, 14.42M words

Progress..: 47377768/4094064000 (1.16%)

Running...: 00:00:00:04

Estimated.: 00:00:04:40





[s]tatus [p]ause [r]esume [b]ypass [q]uit => s


Input.Mode: Mask (?1?2?2?2?3?3?3) [7]

Index.....: 0/1 (segment), 4094064000 (words), 0 (bytes)

Recovered.: 0/1 hashes, 0/1 salts

Speed/sec.: - plains, 17.06M words

Progress..: 521838776/4094064000 (12.75%)

Running...: 00:00:00:31

Estimated.: 00:00:03:29




[s]tatus [p]ause [r]esume [b]ypass [q]uit => s



Input.Mode: Mask (?1?2?2?2?3?3?3) [7]

Index.....: 0/1 (segment), 4094064000 (words), 0 (bytes)

Recovered.: 0/1 hashes, 0/1 salts

Speed/sec.: - plains, 17.08M words

Progress..: 532491852/4094064000 (13.01%)

Running...: 00:00:00:31

Estimated.: 00:00:03:28



**bde14596c16536af673ce451f25b2a94:Mask101** 



All hashes have been recovered



Input.Mode: Mask (?1?2?2?2?3?3?3) [7]

Index.....: 0/1 (segment), 4094064000 (words), 0 (bytes)

Recovered.: 1/1 hashes, 1/1 salts

Speed/sec.: - plains, 17.57M words

Progress..: 811969976/4094064000 (19.83%)

Running...: 00:00:00:46

Estimated.: 00:00:03:06





Started: Fri Jul 15 05:39:14 2016

Stopped: Fri Jul 15 05:40:00 2016

From the above output, we can see the password hash was recovered.

In this attack another assumption we made is that the user has not used any symbols in their password, making the attack much faster. The attack is also based on the assumption the password is seven characters long.

The –increment Argument

A useful option to know about is “–increment”. If you take the mask “?l?l?l?l?l?l?l” it will only try passwords of that length. To cycle through all the possible combinations from one to seven, the “–increment argument” can be used.

This essentially means adding “–increment” will go through all combinations like so:

?l

?l?l

?l?l?l

?l?l?l?l

?l?l?l?l?l

?l?l?l?l?l?l?l

In the case of our attack, this would make the mask we tried look like the following:

?1

?1?2

?1?2?2

?1?2?2?2

?1?2?2?2?3

?1?2?2?2?3?3

?1?2?2?2?3?3?3

Hashcat Mask Files

Consider the following scenario for creating a password masking attack:

  • Length between five and eight characters
  • Always starts with a capital letter
  • Always ends with a number
  • The characters in the middle are either lower or upper case

With what we’ve learned, can we express the above conditions to hashcat to exhaust the keyspace above?

The answer is No. For instance we can’t tell hashcat that character seven in a password of length seven is a number, yet character seven in an eight character password is an alpha.

This is where mask files come in. With Mask files you can specify multiple masking options, point hashcat to the file and all the attacks will be run.

For a single entry in a mask file, the following structure is used:

charset1,charset2,charset3,charset4,mask

It’s important to highlight that the charset parameters are optional. So it’s possible to create entries in the following format:

charset1,charset2,charset3,charset4,mask
charset1,charset2,mask
mask

To meet the previous scenario, we can create a mask file containing the following:

?u,?u?l,?d,?1?2?2?2?3
?u,?u?l,?d,?1?2?2?2?2?3
?u,?u?l,?d,?1?2?2?2?2?2?3

Mask files have the file extension of “.hcmask” and can be used from the command line like below:

# hashcat -m 0 -a 3 hash masks.hcmask

Summary

In this guide we have covered how to perform a mask attack using hashcat. A command line mask attack has been demonstrated and a mask file attack. The advantages of mask files has also been highlighted and the use of the “–increment” option has been explained.

Mask Attack Challenge

Now that you’ve been through a step-by-step demonstration and seen an example of a mask file, it’s time to put your new skills to the test!

With the MD5 hash below:

dd269f112e8c9e21f5ed9e52f9645dc4

And using the following information about the password:

  • Between five and nine characters long
  • Contains a symbol
  • Contains a capital letter
  • Doesn’t contain any numbers

Your challenge is to create an appropriate mask file and break the hash.

Based on the information above, these are the types of questions you should consider:

  • Where could the symbol likely be located?
  • Where could the capital letter likely be located?

If you were making a password, where would you most likely put them?

Also consider what the other characters could be based on the information supplied.

It’s worth noting that this one will take longer to crack than the example, however it shouldn’t take a massive amount of time. Each hint combined forms part of the bigger picture for this challenge. If you take all of them into account, you will be able to crack the hash.

Share:

About The Author

William Hurer-Mackay

Will is a Computer Networks Engineering graduate of the University of Northampton who is undertaking 4ARMED’s Security Tester internship programme aimed at bringing new recruits into the cyber security sector.


Related Articles