You should read the wiki entry on Mask Attack.
In particular, you want custom charsets and the examples. First, you define up to four custom character sets, -1 through -4.
Then, you put your mask together. For each character position, you can use
- a fixed character (19, in the first example, is a literal)
- a standard charset, like ?a or ?l
- a custom charset, like ?1 or ?2
command: -a 3 -1 ?l?u ?1?l?l?l?l?l19?d?d
keyspace: aaaaaa1900 - Zzzzzz1999
Or, with two of them (you can use up to four)
command: -a 3 -1 ?dabcdef -2 ?l?u ?1?1?2?2?2?2?2
keyspace: 00aaaaa - ffZZZZZ
Note that once you get much beyond 8, you need to use very restrictive masks (i.e. checking for date and phone number patterns), and then you need to start using rules-based dictionary attacks; start with common dictionaries and the rulesets that came with Hashcat, like Best64.