Introduction
Welcome to this lab on performing a mask attack with Hashcat. Hashcat is a powerful and versatile password recovery tool, widely used in cybersecurity for testing password strength and recovering lost passwords.
A standard brute-force attack attempts to guess a password by trying every possible combination of characters, which can be incredibly slow. A mask attack is a more intelligent and efficient type of brute-force attack. It is used when you have some information about the password's structure, such as its length or the types of characters used in specific positions (e.g., "starts with a capital letter, ends with two numbers").
In this lab, you will learn how to define a password's structure using a mask and use Hashcat to crack a sample SHA1 hash, demonstrating the power and efficiency of this targeted approach.
Understand the Concept of a Mask Attack
In this step, you will learn the fundamental concept of a mask attack. As mentioned in the introduction, this attack is a specialized form of a brute-force attack.
Imagine you need to crack a password, but you have a few clues:
- You know the password is exactly 6 characters long.
- You know the first character is an uppercase letter.
- You know the last two characters are digits.
A standard brute-force attack would waste time trying combinations like "aaaaaa" or "123456". A mask attack, however, allows you to define a "mask" or template that tells the cracking tool to only try combinations that fit your known pattern. For the example above, the mask would specify [Uppercase Letter][Any][Any][Any][Digit][Digit].
This dramatically reduces the number of possibilities, making the cracking process significantly faster and more efficient. In the next step, you will learn the specific syntax Hashcat uses to create these powerful masks. This step is purely conceptual, and no commands are needed.
Learn Built-in Character Sets like ?l ?u ?d ?s
In this step, you will learn about Hashcat's built-in character sets, which are the building blocks of a mask.
Hashcat uses special placeholders, called "charsets," to define the type of character at each position in a password mask. These are the most common built-in charsets:
?l: Represents all lowercase letters (athroughz).?u: Represents all uppercase letters (AthroughZ).?d: Represents all digits (0through9).?s: Represents all standard special characters (e.g.,!@#$%^&*).?a: Represents all of the above (?l?u?d?s).
For example, if we know a password is 4 characters long and consists of an uppercase letter, followed by two lowercase letters, and then a digit, the mask would be ?u?l?l?d. This would generate candidates like Pass9, Word1, Test0, etc.
You can see these definitions in Hashcat's help menu. Run the following command in your terminal to view the help information related to masks:
hashcat --help | grep "?l"
You will see a section that lists the built-in character sets, which confirms the information above.
?l | abcdefghijklmnopqrstuvwxyz | Lowercase letters
Create a Sample SHA1 Hash of a Known Pattern
In this step, you will create a target SHA1 hash for a password that we will crack in the upcoming steps. To perform a password attack, we first need a hash to attack.
Let's choose a password that fits a clear pattern: LabX99!. This password has the following structure:
- 1st character: Uppercase letter (
L) - 2nd character: Lowercase letter (
a) - 3rd character: Lowercase letter (
b) - 4th character: Uppercase letter (
X) - 5th character: Digit (
9) - 6th character: Digit (
9) - 7th character: Special character (
!)
First, let's generate the SHA1 hash for this password. The -n flag in the echo command is very important, as it prevents a newline character from being added to the string, which would change the resulting hash.
Execute this command in your terminal:
echo -n "LabX99!" | sha1sum
The output will be the SHA1 hash followed by a dash:
0e6cc6531a1a5545942a38a9339571934219c5b0 -
Now, save this hash into a file named target_hash.txt. This file will be the input for Hashcat.
echo "0e6cc6531a1a5545942a38a9339571934219c5b0" > target_hash.txt
You can verify the file was created correctly with cat target_hash.txt.
Construct a Mask Attack Command for a Fixed-Length Password
In this step, you will construct the full Hashcat command to perform the mask attack based on the information we have.
A Hashcat command for a mask attack has several key components:
-m <mode>: This flag specifies the hash type. Each hash algorithm (like MD5, SHA1, bcrypt) has a unique mode number.-a <attack_mode>: This flag sets the attack mode. For a mask attack, the mode is always3.hash_file: The path to the file containing the hash(es) to crack.mask: The mask pattern defining the password structure.
First, we need to find the correct mode for SHA1. You can find this by searching Hashcat's help output:
hashcat --help | grep "SHA1"
You will see a list of hash types. The mode for a standard SHA1 hash is 100.
100 | SHA1 | Raw Hash
Next, let's create the mask for our password, LabX99!. Based on the structure we identified and the charsets we learned:
L->?uab->?l?lX->?u99->?d?d!->?s
Combining these, our final mask is ?u?l?l?u?d?d?s.
Now we can assemble the full command. We will also add the --force flag, which tells Hashcat to run even if it detects a non-optimal environment (like running on a CPU in a VM), which is necessary for this lab.
The final command structure is: hashcat -m 100 -a 3 target_hash.txt ?u?l?l?u?d?d?s --force. We will execute this in the next step.
Run the Mask Attack and Verify the Result
In this step, you will execute the mask attack command and verify that Hashcat successfully cracks the password.
You have already constructed the command. Now, run it in your terminal to start the attack:
hashcat -m 100 -a 3 target_hash.txt ?u?l?l?u?d?d?s --force
Hashcat will start. It may show some warnings, which are safe to ignore because we used --force. The attack will begin, and since our mask is very specific, it should finish almost instantly. The output will show the session status, and you should see the final status as Cracked.
...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: 0e6cc6531a1a5545942a38a9339571934219c5b0
Time.Started.....: ...
Time.Estimated...: 0 secs (0.00ms)
Guess.Mask.......: ?u?l?l?u?d?d?s [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 192.9 kH/s (0.01ms) @ Accel:128 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11881376/11881376 (100.00%)
Rejected.........: 0/11881376 (0.00%)
Restore.Point....: 456976/456976 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1
Candidates.#1....: LuvX98! -> LuvX99#
Hardware.Mon.#1..: Temp: 46c
...
Once a password is cracked, Hashcat saves it to a file called a "potfile" (hashcat.potfile). To view the cracked password, you can use the --show flag with the original command arguments.
Run this command to display the result:
hashcat -m 100 target_hash.txt --show
The output will show the hash and the cracked plain-text password, separated by a colon:
0e6cc6531a1a5545942a38a9339571934219c5b0:LabX99!
Congratulations, you have successfully executed a mask attack!
Summary
In this lab, you successfully performed a brute-force mask attack using Hashcat.
You have learned how to:
- Understand the core concept of a mask attack as a targeted brute-force method.
- Use Hashcat's built-in character sets (
?l,?u,?d,?s) to define a password's structure. - Generate a SHA1 hash for a target password.
- Construct a complete Hashcat command with the correct hash mode, attack mode, and mask.
- Execute the attack and view the cracked password using the
--showoption.
Mask attacks are a fundamental technique in password cracking and security auditing. They demonstrate how even a small amount of information about a password's pattern can drastically reduce the time and effort needed to break it.
