How to bruteforce?
#1
Hey guys, I'd like to know how I can bruteforce using oclHashcat-plus, since I've already tried using a dictionary which is 5GB (30.000.000.000 words) and I only cracked 2 out of 7 hashes.

I've been using this syntax:

cudaHashcat-64.exe -m 15 -o D:\finished.txt -r rules/best64.rule D:\hashlist.txt D:\dictionary.txt

So seeing as cracking with the dictionary didn't work, I'd like to know how to do it with bruteforce. Thank you!
#2
Using HC+, this is how I do it when I want to cover a range of characters in all possible combinations.

This example covers all possible 6-character-long words containing uppercase & lowercase alpha + digits, but if modified it will do whatever you want.

1) Create/generate a wordlist with all possible 3-character words (there are many tools out there to do this).

2) Copy this wordlist, rename it to a rule file (for example "add3.rule") and open it up with UltraEdit.

3) Switch to column mode and insert a "$" ahead of each character, like this:

aaa ---> $a$a$a
aab ---> $a$a$b
aac ---> $a$a$c
aad ---> $a$a$d

4) Save that rule. Run the wordlist with these rules and the output will be all possible combinations of uppercase/lowercase alpha + digits, 6 characters in length (3 in the wordlist and another 3 added by the rule).

Feel free to send me a PM if I need to explain better.
#3
(10-05-2011, 07:27 PM)Gajan Wrote: Using HC+, this is how I do it when I want to cover a range of characters in all possible combinations.

This example covers all possible 6-character-long words containing uppercase & lowercase alpha + digits, but if modified it will do whatever you want.

1) Create/generate a wordlist with all possible 3-character words (there are many tools out there to do this).

2) Copy this wordlist, rename it to a rule file (for example "add3.rule") and open it up with UltraEdit.

3) Switch to column mode and insert a "$" ahead of each character, like this:

aaa ---> $a$a$a
aab ---> $a$a$b
aac ---> $a$a$c
aad ---> $a$a$d

4) Save that rule. Run the wordlist with these rules and the output will be all possible combinations of uppercase/lowercase alpha + digits, 6 characters in length (3 in the wordlist and another 3 added by the rule).

Feel free to send me a PM if I need to explain better.


So I'd have the wordlist and the rule file too?

What program can I use to create wordlists as you said?

How would I do it with 1-16 characters (lower, upper and symbols)?

I'm using hashcat-lite to bruteforce 1 hash at a time, is that good too?

Thanks!
#4
(10-05-2011, 06:41 PM)mormaii2 Wrote: Hey guys, I'd like to know how I can bruteforce using oclHashcat-plus, since I've already tried using a dictionary which is 5GB (30.000.000.000 words) and I only cracked 2 out of 7 hashes.

I've been using this syntax:

cudaHashcat-64.exe -m 15 -o D:\finished.txt -r rules/best64.rule D:\hashlist.txt D:\dictionary.txt

So seeing as cracking with the dictionary didn't work, I'd like to know how to do it with bruteforce. Thank you!
There was already a topic about that. I'll write it up again.

You can pipe maskprocessor's output to oclHashcat-plus.
E.g.:
Code:
mp64.exe -1 ?l?u?d?s ?1?1?1?1?1 | ./oclhashcat-plus64.exe -m 15 -o D:\finished.txt -r rules/best64.rule D:\hashlist.txt
This will bruteforce all lowercase (?l), uppercase (?u), digits (?d) and special chars (?s) at length 5 AND run best64.rule on it (makes BF length*64).
Code:
mp64.exe -1 ?l?u ?1?d?d?d?d | ./oclhashcat-plus64.exe -m 15 -o D:\finished.txt D:\hashlist.txt
This will bruteforce all combinations starting with a letter (uppercase or lowercase) followed by 4 digits.

You can find MaskProcessor here: http://hashcat.net/files/maskprocessor-0.65.7z

That being said, I suggest NOT bruteforcing salted hashes, especially when there are many of them. In your case I understand you have 5 hashes left: it is still a bad idea to bruteforce those, but it is up to you.

One more thing: there's no point having a 5GB dictionary full of crap(*)... You'd better use more (or different) rules. best64.rule is good for a quick run and for slow algos such as FreeBSD MD5, etc.
For example, the new T0XlC.rule set is really cool; try it on rockyou.txt or any other good dictionary.
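To put numbers on the masks above and on the "length*64" effect of stacking a rule file, here is an added keyspace estimator (example code written for this page, not from the thread, hashcat or maskprocessor). It assumes hashcat's charset definitions (?s is space plus 32 punctuation marks, 95 characters in total for ?l?u?d?s); the default rate is a placeholder to be replaced with your own benchmark figure.

```python
import string

# Built-in charsets as maskprocessor/hashcat define them: ?s is space plus 32 punctuation marks.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}

def _tokens(spec: str) -> list[str]:
    """Split a mask or charset spec into one token per position: a literal char or '?x'."""
    out: list[str] = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            out.append(spec[i:i + 2])   # '?l', '?1', or '??' (an escaped literal '?')
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return out

def expand_charset(spec: str, custom: dict[str, str]) -> str:
    """Resolve a charset spec such as '?l?u?d?s' or 'abcdwxyz' into its distinct characters."""
    chars: set[str] = set()
    for tok in _tokens(spec):
        if tok == "??":
            chars.add("?")
        elif tok.startswith("?"):
            table = BUILTIN.get(tok[1]) or custom.get(tok[1])
            if table is None:
                raise ValueError(f"unknown charset {tok}")
            chars.update(table)
        else:
            chars.add(tok)   # literal character, e.g. the 'Z' in 'Zmazone?d'
    return "".join(sorted(chars))

def mask_keyspace(mask: str, custom: dict[str, str]) -> int:
    """Candidates a mask generates; `custom` maps '1'..'4' to the -1 .. -4 charset specs."""
    resolved = {k: expand_charset(v, {}) for k, v in custom.items()}
    total = 1
    for tok in _tokens(mask):
        if tok.startswith("?") and tok != "??":
            total *= len(expand_charset(tok, resolved))   # a literal position contributes x1
    return total

def seconds_to_exhaust(mask: str, custom: dict[str, str], rules: int = 1, rate: float = 59_000.0) -> float:
    """Worst-case seconds to try every candidate times every rule at `rate` hashes per second (placeholder default)."""
    return mask_keyspace(mask, custom) * rules / rate
```

mask_keyspace("?1?1?1?1?1", {"1": "?l?u?d?s"}) comes out at 95**5 candidates, and 64 times that once best64.rule is stacked on top; dividing by your measured hashes per second gives the worst-case run time, which is the arithmetic behind the advice above not to bruteforce salted hashes.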
#5
(10-06-2011, 04:43 AM)San Wrote:
(10-05-2011, 06:41 PM)mormaii2 Wrote: Hey guys, I'd like to know how I can bruteforce using oclHashcat-plus, since I've already tried using a dictionary which is 5GB (30.000.000.000 words) and I only cracked 2 out of 7 hashes.

I've been using this syntax:

cudaHashcat-64.exe -m 15 -o D:\finished.txt -r rules/best64.rule D:\hashlist.txt D:\dictionary.txt

So seeing as cracking with the dictionary didn't work, I'd like to know how to do it with bruteforce. Thank you!
There was already a topic about that. I'll write it up again.

You can pipe maskprocessor's output to oclHashcat-plus.
E.g.:
Code:
maskprocessor.exe -1 ?l?u?d?s ?1?1?1?1 | ./oclhashcat-plus64.exe -m 15 -o D:\finished.txt -r rules/best64.rule D:\hashlist.txt
This will bruteforce all lowercase (?l), uppercase (?u), digits (?d) and special chars (?s) at length 4.

That being said, I suggest NOT bruteforcing salted hashes, especially when there are many of them. In your case I understand you have 5 hashes left: it is still a bad idea to bruteforce those, but it is up to you.

One more thing: there's no point having a 5GB dictionary full of crap(*)... You'd better use more (or different) rules. best64.rule is good for a quick run and for slow algos such as FreeBSD MD5, etc.
For example, the new T0XlC.rule set is really cool; try it on rockyou.txt or any other good dictionary.

Well, my 5GB dictionary is made up of the best dictionaries there are: rockyou, phpbb, InsidePro's, etc... Well then, I'll try my dictionary with the T0XlC rule; any other advice?

With the T0XlC rule it will take 2 days to run through the whole dictionary XD. I'll try T0XlC with rockyou only.
#6
I updated my previous post.
All the .rule sets provided with oclHashcat-plus are really good. You should try them all, but some will take ages on a 5GB dict...
Get some details about your hashes: knowing where they come from, or whether they're related to something like video games, helps a lot.
Also keep in mind that not all hashes are recoverable (at least within a lifespan) (:
#7
(10-05-2011, 09:03 PM)mormaii2 Wrote: So I'd have the wordlist and the rule file too?

Yes

(10-05-2011, 09:03 PM)mormaii2 Wrote: What program can I use to create wordlists as you said?

Google. There should be lots of small utils like that. Or mail me and I'll send something.

(10-05-2011, 09:03 PM)mormaii2 Wrote: How would I do it with 1-16 characters (lower, upper and symbols)?

Depending on the length you wanna do, much depends on what type of encryption you are cracking. The method I described for HC+ is only for the hash types that the regular version of HC can't do (like DEScrypt and MD5crypt). As others already pointed out, if you wanna brute long words, expect a very long run. And if the hash type can be run with the regular HC, I suggest you use that for bruting.

(10-05-2011, 09:03 PM)mormaii2 Wrote: I'm using hashcat-lite to bruteforce 1 hash at a time, is that good too?

I have not tried that one myself so...
#8
@ Gajan
I did the following just to understand how to apply a rule, and found something strange.
My password is simply abcdwxyz. When I use
./maskprocessor.exe -1 abcdwxyz ?1?1?1?1?1?1?1?1 | ./oclhashcat-plus64.exe -m 2500 -o D:\finished.txt D:\cap.hcccap
I found it in 3s.
Whereas with best64.rule, like
./maskprocessor.exe -1 abcdwxyz ?1?1?1?1?1?1?1?1 | ./oclhashcat-plus64.exe -m 2500 -r rules/best64.rule -o D:\finished.txt D:\cap.hcccap
it took 1min30 to catch the password.
When using a specific rule it took over 4min30; with the T0XlC rule, over 7min and still no result, etc.

So it seems with rules it performs "worse"! Why? Is there something I'm not doing correctly?

My system is AMD X2 3.4GHz, ATI 6850 (59000 c/s).
@ Gajan, re post #3
"Run the wordlist with these rules and the output will be all possible combinations of uppercase/lowercase alpha + digits, 6 characters in length (3 in the wordlist and another 3 added by the rule)."

Could you explain further? Do you mean the command to call is as follows:

./oclHashcat-plus64.bin --rules-file /home/king/ohcp/rules/add3.rule /home/king/ohcp/3-character-words.txt -o D:\finished.txt D:\cap.hcccap

The places with $ seem not to change at all. In my case I generated the file with
mp64.bin ?l ?1?1?1?1 > 4-character-words.txt
then ran UltraEdit in column mode to place the $ as you showed (aaaa => a$a$a$a) and saved it as add4.rule. It runs and runs for over 1hr but cannot find the password abcdwxyz! With the pipe-in method it took only 3s to catch it! It seems that the $s stay as special $ and don't change. I don't know for sure.

BTW, using oclHashcat-plus64, is it possible to display which key/code is currently being fed into the system, like I can see when running aircrack-ng?
#9
I need some help creating a rule modifying a wordlist. My wordlist contains Zmazone0..Zmazone9 (that's sufficient to resolve the password problem e.g. Zmazone9, according to stricter 4-rule password conditions:
1. Must contain at least 8 chars, and
2. contain at least 1 lowercase char, and
3. contain at least 1 uppercase char, and
4. contain at least 1 digit.
)
How can I add a rule that dynamically turns a just-tested code into the following?

Scenario 0:
Even though I call the rules file, first of all the program should just test the basic codes in the wordlist of 8-permutations.

Only if the password is not found then apply the next possible scenarios.

Scenario 1:
Some routers require at least one uppercase letter, but don't need a digit:
Zmazone0..9 into Zmazonea..Zmazonez (when a digit is found at the end, cut the digit at the end and permutate it with a..z; if the password isn't caught, then go to the next code).

Scenario 2:
Some routers still allow all chars in lower case, so the password turns into zmazonez. Here I need a rule such that when it comes to the code ZmazoneZ, it also lowercases it to zmazonez and tests it. It is clear that it takes 2 times longer to run with this conversion rule, but perhaps it comes to crack the password quicker than running the test on two wordlists: one with the stricter 4-rule conditions, then one with 8 chars but all lowercase alphabet. Remember the code to be cracked starts with a z and ends with z.

Scenario 3:
I have guessed the pattern Zmazone9 used by one admin, but another naughty admin was cautious about the speed of bruteforce, so he/she uses Zmazone91234567890, ah, that is a naughty 15 chars long! So is there any rule or method to stay with testing a normal 8-permutation, and if not found then apply a dynamic rule to cover an extended permutation, e.g. here Zmazone9+"1234567890"? Without running into the problem of how to, and how long it will take to, bruteforce a 15 char length permutation wordlist, or how many years it would take to run from A until reaching the start-with-z or Z code of a 15-space-

Scenario 4:

Just when the problem with "Zmazone9" is solved, the next day an over-cautious admin comes along and changes the code into this: Zmazone91234567890Zmazone91234567890. Simple to remember, and naughtily asks: can you also hack this? I won't ask whether you have an idea how to hack this without running educated guesses on 8, then 9, ..., then 10, then 15-character-permutation wordlists, then 16-character-permutation wordlists, then oops, is it not a 30-char-long permutation???
#10
Did you guys read this? http://hashcat.net/wiki/brute_force_in_oclhashcat_plus