Hashcat supports masks in mode 3 (-a 3), which defines a particular keyspace to search in by specifing the charset of each character in the password.

For example, the mask ?u?l?l?l?l?l?l?l?d defines a keyspace where all passwords are of the form 1 uppercase followed by 7 lowercase followed by 1 digit, totalling to 9 characters. The mask can also include literal strings, e.g. Password?d?s.

Mask syntax:

? | Charset
--+----------
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

Custom Charset

You can define your own charset in the hashcat command and use it in the mask:

hashcat -a 3 -m 1000 ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1

where -1 ?d?s defines ?1 to be a custom charset

Multiple Masks

It is also possible to use multiple masks together to account for different possible lengths of the password. Simply save the masks in a file and replace the mask in the command with the filename.

For example:

hashcat.exe -a 3 -m 1000 ntlm.txt example.hcmask

where example.hcmask contains:

?d?s,Password?u?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?l?1
?d?s,Password?u?l?l?l?l?l?l?l?l?1

Note that commas separate custom charsets and the actual mask at the end.