The part where hashcat does a ton of heavy lifting.

In the last post, I discussed how some simple character conversion and inferences about human behavior revealed some harrowing elements of how humans create and use passwords.

In this post, I’ll be diving into how this information can be leveraged technically. The goal is to use the information gathered about password patterns previously to give hashcat something better to work with when there are no more wordlists to use. Perhaps brute-forcing can be a little more useful.

Based on the most popular masks from previous data gathering, the following 10 masks represented the most common password patterns:

# of Occurrences    Mask
687991              ?l?l?l?l?l?l?l?l
601152              ?l?l?l?l?l?l
585013              ?l?l?l?l?l?l?l
516830              ?l?l?l?l?l?l?l?l?l
487429              ?d?d?d?d?d?d?d
478196              ?d?d?d?d?d?d?d?d?d?d
428296              ?d?d?d?d?d?d?d?d
420318              ?l?l?l?l?l?l?d?d
416939              ?l?l?l?l?l?l?l?l?l?l
390529              ?d?d?d?d?d?d

I also mentioned before that hashcat is the tool I prefer for every password I crack (John the Ripper deserves an honorable mention, though hashcat’s granularity makes it a winner in my book). Hashcat uses masks (seen above in the right column) to determine how to pursue brute-forcing. By limiting character types to certain positions, there’s a better chance of cracking the password, and in less time.

Brute-forcing is an almost entirely blind process. Knowing how the password is constructed is a rare luxury. But since the above patterns can be extrapolated from actual leaked passwords, we can infer something about the humans who create passwords, which might be all we need.

Increments for Fun and Profit

Back to hashcat. There’s a magnificent, built-in feature called “incrementing”. It allows the user to specify a mask of a certain length while hashcat first tests every shorter version of that mask.

For example, if I tell hashcat to crack an MD5 hash that I think is made of only lowercase letters, but I’m not sure how many characters the password is, I don’t want to waste time with ten-character masks when I might only need a six-character mask.

This is where incrementing comes in. By specifying ten lowercase letters (?l?l?l?l?l?l?l?l?l?l) with the -i switch, I can try all lengths leading up to ten:

hashcat -m 0 -a 3 hash.txt '?l?l?l?l?l?l?l?l?l?l' -i

What hashcat procedurally tests:

?l
?l?l
?l?l?l

...and so on, until:

?l?l?l?l?l?l?l?l?l?l
Using increments, I have effectively tried all combinations of lowercase letters from one character through ten. You may have noticed that the first four masks (and the ninth) in the table at the top of this post consist only of lowercase letters. In fact, the longest one is ten characters.

This means we can attempt to crack passwords matching five of the most common password patterns with a single command.

Digits are no different. The same method applies and takes care of four more of the ten patterns:

hashcat -m 0 -a 3 hash.txt '?d?d?d?d?d?d?d?d?d?d' -i

By using increments, we’ve effectively taken care of 4,592,375 possible real passwords in two commands which, if you’re familiar with Linux, can be easily scripted. And to jog your memory from Part 1:

The exact percentage of passwords from the rockyou.txt list that can be cracked with one of 100 masks is 78.33% (rounded up to the hundredths). That’s 11,236,434 passwords that can be cracked with the top 100 masks (.068%) out of 146,579 unique masks derived from the original ~14 million unique passwords I used in my sample.

– Me

Now for the ultimate question: if 100 unique patterns accounted for 78% of the passwords, but we can increment masks, how many masks are actually necessary?

Min-Maxing Cracking

As it turns out, you can cut the list by quite a bit. All of those masks using all of one character type (we’ll call them homogeneous masks from now on, and there were about 27 of them) can be incremented into single masks. They are:


Unfortunately, this leaves us with 73 heterogeneous masks that look like this:


…and so on.

This is where hashcat’s capabilities (as far as I understand them) break down. There’s no good way to increment through patterns of one to seven digits with two uppercase letters at the end, at least not for our purposes. The increment feature of hashcat alone can’t do it.

This is suboptimal, though it does not mean that we are stuck with 73 unique masks that we have to deal with after we’ve exhausted our three golden masks.
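The coverage arithmetic and the limitation described above, as an added example (not code from the original post): it models -i as trying every left-anchored prefix of a mask, assuming the default minimum length of 1, which reproduces the 4,592,375 figure and shows why a fixed suffix such as ?u?u only ever appears at full length. The function names are illustrative, and the counts are the ones from the table at the top of this post.

```python
import re

# Top-10 masks and occurrence counts, copied from the table in this post.
TOP10 = {
    "?l?l?l?l?l?l?l?l": 687991,
    "?l?l?l?l?l?l": 601152,
    "?l?l?l?l?l?l?l": 585013,
    "?l?l?l?l?l?l?l?l?l": 516830,
    "?d?d?d?d?d?d?d": 487429,
    "?d?d?d?d?d?d?d?d?d?d": 478196,
    "?d?d?d?d?d?d?d?d": 428296,
    "?l?l?l?l?l?l?d?d": 420318,
    "?l?l?l?l?l?l?l?l?l?l": 416939,
    "?d?d?d?d?d?d": 390529,
}
# Sizes of the built-in charsets that appear on this page.
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10}

def tokens(mask):
    """Split a mask into its per-position placeholders."""
    return re.findall(r"\?[lud]", mask)

def increment_steps(mask):
    """Masks tried under -i: every left-anchored prefix, shortest first."""
    t = tokens(mask)
    return ["".join(t[:n]) for n in range(1, len(t) + 1)]

def keyspace(mask):
    """Number of candidates a single mask generates."""
    total = 1
    for tok in tokens(mask):
        total *= CHARSET_SIZE[tok]
    return total

def coverage(incremented_masks, observed=TOP10):
    """Split observed masks into those an -i run reaches and those it misses."""
    reached = {s for m in incremented_masks for s in increment_steps(m)}
    hit = {m: c for m, c in observed.items() if m in reached}
    miss = {m: c for m, c in observed.items() if m not in reached}
    return hit, miss

if __name__ == "__main__":
    hit, miss = coverage(["?l" * 10, "?d" * 10])
    print(sum(hit.values()), "passwords reached; missed masks:", list(miss))
    print("digit-only candidates, lengths 1-10:",
          sum(keyspace(s) for s in increment_steps("?d" * 10)))
    print(increment_steps("?d" * 7 + "?u?u"))  # never contains ?d?u?u
```

The digit-only total is a useful number for password policy discussions: every all-digit password of up to ten characters fits in roughly eleven billion candidates.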

What’s Next

In the next post, I’ll be examining custom masks that we can specify ourselves as well as some that hashcat ships with to make our lives a bit easier. In addition, I’ll be discussing hashcat rules and rule files that may assist us further, especially when it comes to accounting for more varied character usage in passwords.

The goal in the end is to reduce the number of possible masks that we need to use during brute-forcing and, even if only by a tiny bit, increase our chances of cracking that hash and getting a password.
