Advanced Maskcat Cracking Guide

passwords hashcat hashcracking

Introduction #

Often I need to make transformations or modifications to wordlists or rules when cracking hashes. Over time, this need resulted in tools, and much of this functionality ended up in maskcat.

As more and more of my attack methodology started to use this tool, I thought I would share some ways maskcat has helped buff my workflows.

Generate Candidates #

In the token swapping post, I discussed how the token swapping attack works and how I use it to generate candidates, but I have not talked about how I apply them to hash cracking.

One of the first things I do after obtaining a decent number of founds is use maskcat to perform a token swap and generate a new wordlist:

$ cat founds.lst | maskcat mutate 8 >> mutate.lst
$ usort mutate.lst

This can also be sped up by running multiple processes and/or wrapping the command in a loop:

$ for i in {1..100}; do cat founds.lst | shuf | maskcat mutate 8 >> mutate.lst; done;

I normally do this in ranges of 3-12, unless there is clear evidence not to. This method of candidate generation is great because it turns very little source material into several gigabytes with little effort.

Another thing I sometimes do with candidate generation is mix together the founds and other popular wordlists that I know will have similar patterns:

$ cat founds.lst rockyou.txt | shuf | maskcat mutate 8 >> mutate.lst

After collecting a lot of candidates, I will uniquely sort the file and try to limit the final size by the target algorithm speed, to ensure any further attacks will complete in a realistic time.

Filtering Down Generated Candidates #

So now that we have a lot of candidates, the next thing we can do is use them. If the algorithm is fast, generally you can just point and go and generate more on the fly while it is running. However, there are times when you can generate far more candidates than you can use. This is when mask filtering comes in to help.

$ cat mutate.lst | maskcat match target.hcmask > mask-mutate.lst

This reduces overall size, lets you enumerate patterns faster, and allows the usage of more rules. Generally, when doing this I use the most common masks from the found hashes or most popular masks.

$ cat potfile | awk -F ':' '{print $NF}' | maskcat > f.tmp
$ mode f.tmp | head
  86472 ?l?l?l?d?d?d?d?d?d:9:2:138
  65678 ?l?l?d?d?d?d?d?d:8:2:112
  33214 ?d?d?d?d?d?d?l?l:8:2:112
  15691 ?d?d?d?d?d?d?l?l?l:9:2:138
  14038 ?l?l?l?d?d?d?d:7:2:118
  12515 ?l?l?l?l?d?d?d?d?d?d:10:2:164
   8938 ?l?l?d?d?d?d?d?d?d?d:10:2:132
   8065 ?l?l?l?d?d?d?d?d?d?d?d:11:2:158
   7049 ?l?l?l?l?l?l?d?d?d?d:10:2:196
   6159 ?d?d?d?d?d?d?l:7:2:86

You can also use rli.bin to create multiple wordlists from the top masks to target specific patterns:

$ cat mutate.lst | maskcat match 5target.hcmask > top5mask-mutate.lst
$ cat mutate.lst | maskcat match 10target.hcmask > top10mask-mutate.lst
$ rli.bin top10mask-mutate.lst rli-top10mask-mutate.lst top5mask-mutate.lst

This will create different candidate banks that can then be used for different attacks. You can also create optimized rules for each wordlist if more patterns are found.
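
As an added illustration (not maskcat's own code and not from the original post), the following Python example shows what the mask statistics and the `match` filter above amount to. The meaning of the trailing fields (length, distinct charsets, sum of charset sizes) is inferred from the sample output; mapping non-ASCII bytes to `?b` one byte at a time is an assumption, and all function names and sample words are constructed.

```python
from collections import Counter

# hashcat built-in charsets and their sizes (?b is the full byte range).
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?b": 256}


def token_for(byte: int) -> str:
    """Map one byte to the hashcat charset token that contains it."""
    if 0x61 <= byte <= 0x7A:
        return "?l"
    if 0x41 <= byte <= 0x5A:
        return "?u"
    if 0x30 <= byte <= 0x39:
        return "?d"
    if 0x20 <= byte <= 0x7E:
        return "?s"  # remaining printable ASCII, space included
    return "?b"  # control and non-ASCII bytes (assumption, see lead-in)


def mask_line(word: bytes) -> str:
    """Return mask:length:classes:charset-sum, shaped like the sample output."""
    tokens = [token_for(b) for b in word]
    total = sum(CHARSET_SIZE[t] for t in tokens)
    return f"{''.join(tokens)}:{len(tokens)}:{len(set(tokens))}:{total}"


def top_masks(founds, n):
    """The n most common masks among recovered plaintexts."""
    counts = Counter(mask_line(w).split(":")[0] for w in founds)
    return [mask for mask, _ in counts.most_common(n)]


def match(candidates, allowed):
    """Keep only candidates whose mask is in the allowed set."""
    allowed = set(allowed)
    return [c for c in candidates if mask_line(c).split(":")[0] in allowed]


# Constructed sample data, not taken from any real dump.
FOUNDS = [b"abc123456", b"xyz000111", b"mno222333",
          b"qw654321", b"ab111222", b"Summer2024!"]
# The last entry is "caf\u00e9123456" encoded as UTF-8: 10 characters, 11 bytes.
CANDIDATES = [b"def987654", b"hello", b"zz111111", b"caf\xc3\xa9123456"]

if __name__ == "__main__":
    for w in FOUNDS + CANDIDATES[-1:]:
        print(mask_line(w))
    print(match(CANDIDATES, top_masks(FOUNDS, 2)))
```

The UTF-8 candidate yields an 11-token mask for a 10-character word, so a byte-wise filter built from ASCII founds drops it even though its visible pattern matches.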

“Found” Rounds #

Another great part about candidate generation is that you can repeatedly use it to find and enumerate patterns. After attacks, you can rotate potfiles or examine founds for regeneration to focus on enumerating specific patterns:

$ cat potfile | awk -F ':' '{print $NF}' > founds1.lst
$ cat founds1.lst | maskcat > masks.tmp
$ mode masks.tmp | head
$ cat founds1.lst | shuf | maskcat mutate 5 > mutate2.lst
$ cat mutate2.lst | maskcat match topmasks.tmp > foundround.lst

Wordlist Expansion #

So, if we can use maskcat to generate new candidates, what if we use it to create new wordlists? From testing, this works pretty well depending on the quality of input data. One of my favorite examples is mutating rockyou.txt to several gigabytes and then using it for attacks:

$ cat rockyou.txt | shuf | maskcat mutate 8 >> rockyou-mutate.lst
$ cat rockyou.txt | shuf | maskcat mutate 7 >> rockyou-mutate.lst
$ cat rockyou.txt | shuf | maskcat mutate 6 >> rockyou-mutate.lst
$ cat rockyou.txt | shuf | maskcat mutate 5 >> rockyou-mutate.lst
$ usort rockyou-mutate.lst

Multi-byte Expansion #

One limitation of maskcat (at this time) is that it does not support multi-byte characters in several of the masks, resulting in inconsistent handling. The good news is that this can be worked around with ruleprocessorY (GitHub), which can be used to create new multi-byte character wordlists with multi-byte rules.

# find all non-ASCII
$ grep -P '[^\x00-\x7F]' founds.lst
$ ruleprocessorY -w mutate.lst -r multibyte.rule

Application #

Hopefully, this has shown several ways that maskcat can be used to enhance your password-cracking methodologies. I often find it at the center of a lot of unique data-oriented attacks, and it has been a reliable tool when cracking.


Reference #

The following are aliases referenced above:

# unique sort file

usort() {
	if [[ $# -ne 1 ]]; then
		echo 'unique sort file inplace'
		echo 'EXAMPLE: usort <FILE>'
	else
		# byte-wise sort, temp files in the current directory, write back in place
		LC_ALL=C sort -u "$1" -T ./ -o "$1"
	fi
}

# get most common item in file

mode() {
	if [[ $# -ne 1 ]]; then
		echo 'find the most common item in file'
		echo 'EXAMPLE: mode <FILE>'
	else
		# count identical lines, then list them most frequent first
		LC_ALL=C sort -T ./ "$1" | uniq -c | LC_ALL=C sort -T ./ -rn
	fi
}