Hashcat supports masks in mode 3 (-a 3), which defines a particular keyspace to search in by specifing the charset of each character in the password.
For example, the mask ?u?l?l?l?l?l?l?l?d defines a keyspace where all passwords are of the form 1 uppercase followed by 7 lowercase followed by 1 digit, totalling to 9 characters. The mask can also include literal strings, e.g. Password?d?s.
Mask syntax:
? | Charset
--+----------
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xffCustom Charset
You can define your own charset in the hashcat command and use it in the mask:
hashcat -a 3 -m 1000 ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1where -1 ?d?s defines ?1 to be a custom charset
Multiple Masks
It is also possible to use multiple masks together to account for different possible lengths of the password. Simply save the masks in a file and replace the mask in the command with the filename.
For example:
hashcat.exe -a 3 -m 1000 ntlm.txt example.hcmaskwhere example.hcmask contains:
?d?s,Password?u?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?l?l?1Note that commas separate custom charsets and the actual mask at the end.