hashcat Forum

Full Version: Help making custom charset/rule
Hello, a large ISP in Sweden is distributing Thomson routers when buying their deals. (Telia)
These routers are widely spread and are preconfigured with WPA and use the router's MAC in the SSID to make rainbow tables useless.
However, there is a certain pattern in the preconfigured PSK on the routers that decreases the total number of possible PSKs a lot.
So I need help making a charset and/or rule that makes hashcat only look for PSKs filling the following criteria:
  • Is 10 chars total
  • Is only the hexadecimal chars, 1 to F (Uppercase)
  • Contains at least 1 digit
  • Contains at least 1 letter
  • Same letter or digit may only exist twice in same key
  • At least one letter or digit exist twice in same key

Would it maybe be worth it to generate a wordlist with these keys or how big will it be?
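
For scale on the six criteria and the wordlist-size question in the opening post, here is an added example (not code from any poster in this thread, and not the Python script mentioned later) that counts the matching keys in closed form rather than generating them. It assumes "1 to F" means the 15 characters 1-9 and A-F; the function names are illustrative.

```python
from itertools import product
from math import comb, factorial, log2

# Assumption: "1 to F" in the post is read literally (no 0), i.e. 15 characters.
DIGITS, LETTERS, LENGTH = "123456789", "ABCDEF", 10

def arrangements(symbols: int, length: int) -> int:
    """Strings of `length` over `symbols` characters in which no character
    occurs more than twice and at least one occurs exactly twice."""
    total = 0
    for doubles in range(1, length // 2 + 1):
        if doubles > symbols:
            break
        singles = length - 2 * doubles
        # Pick which characters are doubled and which appear once, then order them.
        picks = comb(symbols, doubles) * comb(symbols - doubles, singles)
        total += picks * factorial(length) // 2 ** doubles
    return total

def count_keys(digits: int = len(DIGITS), letters: int = len(LETTERS),
               length: int = LENGTH) -> int:
    """Apply the digit/letter rules by removing all-digit and all-letter strings."""
    return (arrangements(digits + letters, length)
            - arrangements(digits, length) - arrangements(letters, length))

def brute_force_count(digits: str, letters: str, length: int) -> int:
    """Cross-check by enumeration; only practical for a toy alphabet."""
    hits = 0
    for key in product(digits + letters, repeat=length):
        repeats = [key.count(c) for c in set(key)]
        if (max(repeats) == 2 and any(c in digits for c in key)
                and any(c in letters for c in key)):
            hits += 1
    return hits

def summary() -> dict:
    keys = count_keys()
    unrestricted = (len(DIGITS) + len(LETTERS)) ** LENGTH
    return {
        "keys": keys,
        "share_of_unrestricted": keys / unrestricted,
        "entropy_bits": log2(keys),
        "bits_removed_by_rules": log2(unrestricted) - log2(keys),
        "wordlist_bytes": keys * (LENGTH + 1),  # one key plus newline per line
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

Under those assumptions the criteria leave 363,597,935,400 of the 15^10 = 576,650,390,625 possible strings (about 63%), so the pattern removes less than one bit of entropy. A newline-terminated wordlist of those keys would be roughly 4 TB.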
(03-26-2012, 07:04 PM)ZerXes Wrote: [ -> ]
  • Contains at least 1 digit
  • Contains at least 1 letter
  • Same letter or digit may only exist twice in same key
  • At least one letter or digit exist twice in same key

Do you know this for sure?

What you described before sounds very similar to BT Homehub v2.

It is made by Thomson.

Charset is 23456789abcdef
Length 10
Lowercase

See stkeygen for more info.

If it is exactly the same then a precomputed word list would be gigantic because it is salted.

CPU is far too slow to crack this but if one was coded for a GPU it could be cracked within a few hours.
I'm pretty sure those rules apply too, got a large set of known keys and the rules always seem to apply.
Yeah, a precomputed wordlist would be silly, my bad.

Thanks for the link.
I hoped to be able to use my GPUs, they will probably be able to crack 350 000 WPA/s
How does limiting the keyspace increase the overall speed?
I think this whole thread is an extension of the “Pseudo Markov” request I made earlier.

I personally believe that the functionality to allow the user the ability to make rules on how hashcatplus should generate a brute force list will make one of the most significant reductions in crack time since hashcatplus started using GPUs instead of CPUs.

(03-27-2012, 03:18 PM)atom Wrote: [ -> ]How does limiting the keyspace increase the overall speed?

I am guessing that ZerXes was meaning the cracking process as a whole rather than actually speeding up keys tested per second. As the keyspace would be so dramatically reduced by giving the user the ability to narrow down the possible combinations it may yield the “equivalent” cracking speed as ZerXes implies. I’m only guessing that’s what he meant.
Yeah, sorry about the cryptic last part.
I meant to answer james123's statement that CPUs will be too slow anyway.
I will be using my new GPUs, which will probably be able to generate 350 000 WPA hashes/s
Hopefully this will be enough to chew through all the possible combinations in not too long time.

*edit*
Another user has created a Python script that generates cleartext keys that fulfil the requirements that I can pass through to hashcat.
However the Python script itself is being a bottleneck and I end up running about 60 000 WPA hashes/s.
(03-27-2012, 04:20 PM)Hash-IT Wrote: [ -> ]I think this whole thread is an extension of the “Pseudo Markov” request I made earlier.

This is absolutely not about markov. It's about a bug in the default password generation for these routers. The exploit code is in stkeygen.
(03-27-2012, 08:23 PM)ZerXes Wrote: [ -> ]Another user has created a Python script that generates cleartext keys that fulfil the requirements that I can pass through to hashcat.
However the Python script itself is being a bottleneck and I end up running about 60 000 WPA hashes/s.

Why not use maskprocessor? http://hashcat.net/wiki/maskprocessor
(03-28-2012, 10:11 AM)atom Wrote: [ -> ]
(03-27-2012, 04:20 PM)Hash-IT Wrote: [ -> ]I think this whole thread is an extension of the “Pseudo Markov” request I made earlier.

This is absolutely not about markov. It's about a bug in the default password generation for these routers. The exploit code is in stkeygen.

I was referring to this…

Quote:So I need help making a charset and/or rule that makes hashcat only look for PSKs filling the following criteria:

I understood it to mean that ZerXes was asking for a way to make a specific pattern or password values using hashcat. To make a list as he wished wouldn’t it require a type of “Pseudo Markov” feature? I understand he could simply brute force, but as he knows a lot about the password layout he could fine-tune his brute force and reduce cracking time.

I am not aware of a way to manipulate the standard rules feature to meet all the requirements he mentioned. I can work out the first 2 but not the rest as I believe this would require the “Pseudo Markov” feature I mentioned above.

Quote:Is 10 chars total
Is only the hexadecimal chars, 1 to F (Uppercase)
Contains at least 1 digit
Contains at least 1 letter
Same letter or digit may only exist twice in same key
At least one letter or digit exist twice in same key

You are clearly much better at using rules than I am, atom, so would you please explain how ZerXes could achieve this pattern without the “Pseudo Markov” feature? I would dearly love to be able to do it myself and I would be very grateful to learn how to do it using the current tools as I have been unsuccessful so far.

Thank you.

(03-28-2012, 10:11 AM)atom Wrote: [ -> ]
(03-27-2012, 08:23 PM)ZerXes Wrote: [ -> ]Another user has created a Python script that generates cleartext keys that fulfil the requirements that I can pass through to hashcat.
However the Python script itself is being a bottleneck and I end up running about 60 000 WPA hashes/s.

Why not use maskprocessor? http://hashcat.net/wiki/maskprocessor

Yeah, if it's possible to create rules for the maskprocessor that fulfil my criteria that would be awesome, is that possible?


(03-28-2012, 03:09 PM)Hash-IT Wrote: [ -> ]
(03-28-2012, 10:11 AM)atom Wrote: [ -> ]
(03-27-2012, 04:20 PM)Hash-IT Wrote: [ -> ]I think this whole thread is an extension of the “Pseudo Markov” request I made earlier.

This is absolutely not about markov. It's about a bug in the default password generation for these routers. The exploit code is in stkeygen.

I was referring to this…

Quote:So I need help making a charset and/or rule that makes hashcat only look for PSKs filling the following criteria:

I understood it to mean that ZerXes was asking for a way to make a specific pattern or password values using hashcat. To make a list as he wished wouldn’t it require a type of “Pseudo Markov” feature? I understand he could simply brute force, but as he knows a lot about the password layout he could fine-tune his brute force and reduce cracking time.

I am not aware of a way to manipulate the standard rules feature to meet all the requirements he mentioned. I can work out the first 2 but not the rest as I believe this would require the “Pseudo Markov” feature I mentioned above.

Quote:Is 10 chars total
Is only the hexadecimal chars, 1 to F (Uppercase)
Contains at least 1 digit
Contains at least 1 letter
Same letter or digit may only exist twice in same key
At least one letter or digit exist twice in same key

You are clearly much better at using rules than I am, atom, so would you please explain how ZerXes could achieve this pattern without the “Pseudo Markov” feature? I would dearly love to be able to do it myself and I would be very grateful to learn how to do it using the current tools as I have been unsuccessful so far.

Thank you.


Yes, that is exactly what I want to achieve :)