How to use .hcmask files in Hashcat for the most flexible character replacement

A rule-based attack is the flexible generation and filtering of password candidates.

Despite all its capabilities, this attack is not omnipotent. Consider the following example.

There is a word

seesaw

and ones need to replace the character “s” with the character “$”. For example, in John the Ripper you can try to use the “ss$” rule, but it only returns “$ee$aw” while the expected result is:

seesaw
$eesaw
see$aw
$ee$aw

And ones also need to replace other characters in a similar way.

This task implies that when performing a replacement, the program must know about previous replacements, and this is in conflict with the way dictionaries are processed in a rule-based attack, when each line is processed independently of previous and subsequent ones. Therefore, this task is hardly solvable with the help of a Rule-based attack.

However, we can make sure that when generating dictionaries based on the mask, we get something like what we need:

maskprocessor -1 s$ ?1ee?1aw
seesaw
see$aw
$eesaw
$ee$aw

But what if the replacement of a variable number of characters, or the replacement of a character needs to be performed in different positions, needs to be performed not in one word, but in the whole dictionary?

This problem is quite solvable with the help of programming. Algorithm example:

  • get the number of characters in the word to replace
  • if there is only one character to replace, then we output two words – one with a replacement and original one
  • if there are two characters to replace, then we output four words – without replacement, with the replacement of the first character, with the replacement of the second character, with the replacement of both characters
  • if there are three characters to replace, then we display eight combinations – …
  • etc.

This algorithm can be formalized as a function, the arguments of which should be: 1) the character to be replaced; 2) the character to be replaced with. It is enough to write the function code once and use it any number of times. This can be done even with PHP.

But do not rush to fall into sadness – you can do without programming. Using things like:

1. Masks

2. Files with masks

The algorithm is the following:

1. We convert the dictionary into a set of masks with the parameters we need.

2. Generating a new dictionary based on the mask file

For example, there is a list of words d1.txt with the following content:

seesaw
samuelsonmarian
samuelspence
samuelspevak
samuelsrie
samuelss
samuelsstarr
SAMUELSTERNA
samuelstevens
samuelsux1
samuels-x
samuelt**
samuelta.
samueltad
samueltan
samueltanner
samueltapia2
samueltas21
samuel+teadoro
samuelteall
samuelteama
samuel te amo
samuel,te,amo
samuelteamo
SAMUELTEAMO
samuelteamo21
SAMUELTEAMOMUCHO
samueltequiero
samuelthane99

The task is to replace the character "s" with the character "$" in all possible combinations, so that, for example, from the word “seesaw” it turns out

seesaw
$eesaw
see$aw
$ee$aw

We start by generating a mask file. In this command, the lines of the d1.txt file that contain the characters “s” are replaced by “?1”, the result is saved to the masks.hcmask file:

cat d1.txt | sed 's/s/\?1/g' > masks.hcmask

As you already understood, we got a set of masks. For example, “seesaw” became “?1ee?1aw”.

The format of .hcmask files is as follows:

CUSTOM-CHARSET1,CUSTOM-CHARSET2,CUSTOM-CHARSET3,CUSTOM-CHARSET4,MASK

In my simple example, I will use only one custom character set, so the final format of the masks.hcmask file will be:

CUSTOM-CHARSET1,MASK

Adding a prefix to each line of a file can be done with the following command:

sed -i -e 's/^/PREFIX/' FILE

In my case, the user character set is “s$”, that is, in place of “?1” I need to insert “s” or “$”. Then the command is:

sed -i -e 's/^/s$,/' masks.hcmask

Now the content of the masks.hcmask file is:

s$,?1ee?1aw
s$,?1amuel?1onmarian
s$,?1amuel?1pence
s$,?1amuel?1pevak
s$,?1amuel?1rie
s$,?1amuel?1?1
s$,?1amuel?1?1tarr
s$,SAMUELSTERNA
s$,?1amuel?1teven?1
s$,?1amuel?1ux1
s$,?1amuel?1-x
s$,?1amuelt**
s$,?1amuelta.
s$,?1amueltad
s$,?1amueltan
s$,?1amueltanner
s$,?1amueltapia2
s$,?1amuelta?121
s$,?1amuel+teadoro
s$,?1amuelteall
s$,?1amuelteama
s$,?1amuel te amo
s$,?1amuel,te,amo
s$,?1amuelteamo
s$,SAMUELTEAMO
s$,?1amuelteamo21
s$,SAMUELTEAMOMUCHO
s$,?1amueltequiero
s$,?1amuelthane99

Now, in Hashcat, I start generating dictionaries based on the masks.hcmask file with masks:

hashcat -a 3 --stdout masks.hcmask

We got the desired result with all possible variants for replacing a character in different positions. Beginning of output data:

seesaw
$eesaw
see$aw
$ee$aw
samuelsonmarian
$amuelsonmarian
samuel$onmarian
$amuel$onmarian
samuelspence
$amuelspence
samuel$pence
$amuel$pence
samuelspevak
$amuelspevak
samuel$pevak
$amuel$pevak
samuelsrie
$amuelsrie
samuel$rie
$amuel$rie
samuelss
$amuelss
samuel$$
$amuel$$
samuels$
$amuels$
samuel$s
$amuel$s
samuelsstarr
$amuelsstarr
samuel$$tarr
$amuel$$tarr
samuels$tarr
$amuels$tarr
samuel$starr
$amuel$starr
…………………….
…………………….
…………………….

Up to four custom character sets can be used at a time, that is, up to four characters can be replaced in this way. If you need to replace more characters, then the actions according to a similar algorithm can be repeated as many times as necessary.

Recommended for you:

One Comment to How to use .hcmask files in Hashcat for the most flexible character replacement

  1. BJ says:

    Great article!

Leave a Reply

Your email address will not be published.