I have JWT with HS256 algorithm that I want to crack with hachcat using brute force.
I run : hashcat pass.txt -m 16500 -a3 --session my_session
1) I got warning
Quote:The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted
I don't have a wordlist or make, I just want to brute force.
What does this warning?
2) How much time this crack will take on Intel I9 PC? Is that possible to crack and brute force all the options with original PC?
Thank you all!
.
-a3 is bruteforece yes, but you didnt specify an attackmask
try
hashcat -a3 -m16500 --session my_session --increment pass.txt ?a?a?a?a?a?a?a?a
this will start a bruteforceattack with all ascii signs start with lenght one, after that length 2, till reaching length 8
(05-20-2022, 09:58 AM)Snoopy Wrote: [ -> ]-a3 is bruteforece yes, but you didnt specify an attackmask
try
hashcat -a3 -m16500 --session my_session --increment pass.txt ?a?a?a?a?a?a?a?a
this will start a bruteforceattack with all ascii signs start with lenght one, after that length 2, till reaching length 8
If I didn't specify an attackmask so what will be the attack mask? All the options not?
if you didnt specify an attackmask you test your hash versus an empty word, so your wordlist is just one empty string ''
?a means is one position all possible 95 ascii signs which is bruteforce, you have to provide a mask for bruteforce because you could also just bruteforce ?l which means just lower ascii chars
(05-20-2022, 03:01 PM)Snoopy Wrote: [ -> ]if you didnt specify an attackmask you test your hash versus an empty word, so your wordlist is just one empty string ''
?a means is one position all possible 95 ascii signs which is bruteforce, you have to provide a mask for bruteforce because you could also just bruteforce ?l which means just lower ascii chars
I thank you about your help but when I didn't set any attack mask ,hashcat find key like 1234 so it's really run
I don't know what are all the options for HA256 but I want to run on all over the options, even not ascii
How can I do that please?
By the way I tried ?a?a?a?a?a?a?a?a
And I got
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Is that OK? why ascii chars are only 16 bits
(05-20-2022, 04:46 PM)Jojo koko Wrote: [ -> ] (05-20-2022, 03:01 PM)Snoopy Wrote: [ -> ]if you didnt specify an attackmask you test your hash versus an empty word, so your wordlist is just one empty string ''
?a means is one position all possible 95 ascii signs which is bruteforce, you have to provide a mask for bruteforce because you could also just bruteforce ?l which means just lower ascii chars
I thank you about your help but when I didn't set any attack mask ,hashcat find key like 1234 so it's really run
I don't know what are all the options for HA256 but I want to run on all over the options, even not ascii
How can I do that please?
By the way I tried ?a?a?a?a?a?a?a?a
And I got
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Is that OK? why ascii chars are only 16 bits
i think hashcat uses a standardmask when not providing a mask, but i didnt checked
yes hahscat uses the following masks when not providing any mask
UPDATE:
?1?2
...
?1?2?2?2?2?2
with the follwing charset -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
im not quite sure when ?3 is used because it seems hc just addes another ?2 when incrementing
well you could use ?h for all possible hex but this would result in an enormous keyspace, in fact it would be great if you know anything about the used charset, for example in germany there are some special chars like äöü, when used in passes you will not be able to crack even such a short word like germnan öl (oil) because ascii didnt cover this an you will need a custom charset
for a first run try the following with added options
and ?a?a?a?a?a?a?a?a as mask
-O is important using optimized kernel, supports length up to 55 which is quite enough for a mask of lenght 1to8
ignore the data for bitmaps, take a look at keyspace or progress