I am still learning the ways of Hashcat - I used a previous version a few years back for a single task, now I have another task.
My question is if anyone can give me a suggestion of the best way(s) (attack methods/wordlists/etc.) to start trying to crack a password file that has these rules:
Minimum password length = 10
Minimum lowercase chars = 1
Minimum uppercase chars = 1
Minimum numeric chars = 1
Minimum symbolic chars = 1
Obviously, brute-force is out being 10 chars minimum. I have been reading many threads and taking notes, but I have been possibly trying to overanalyze the best ways to start.
Being there are many of you on here that have experience, I thought I would ask for some feedback based on the password rules I listed. There are ~2000 hashes in this file.
It sounds like you've discovered a number of options from your research. What are they? What criteria have you considered for prioritizing them?
(08-23-2016, 08:48 PM)royce Wrote: It sounds like you've discovered a number of options from your research. What are they? What criteria have you considered for prioritizing them?
That is a great question, Royce.
First, I have found many wordlists from posts and online, such as: English words, 1337, casemutation, first names, last names, as well as others.
I have read many opinions that say long word lists are not as important as applying rules to smaller, great word lists.
Thus my initial notes were:
(1) try a straight against the popular passwords file: -a 0
(2) try a wordlist with brute-force: -a 6 example.dict ?d?d?d?d
(3) try wordlists with rules: -r <rules file> <hashes> <dictionary>
On #3, I mostly have rules files that came with hashcat.
When I apply all of this, being I have ~10 wordlists as well as >10 rules files, suddenly I have many dozens of different attacks to try - which is good; however, I think this is also my reason for the post.
Thus, I was hoping someone may have some opinions/views/knowledge on attack methods that may be better for my password rules that I know.
You haven't mentioned the hash type though. Each of them has different hash rates, sometimes vastly so. Faster hash rates open up the scope for experimentation (more rules, brute-force, etc.).
To attack with the above criteria you need to use PACK; it will generate the needed maskfiles for it.
(08-24-2016, 07:47 AM)atom Wrote: To attack with the above criteria you need to use PACK; it will generate the needed maskfiles for it.
Hi Atom, could you please elaborate? In my minimal experience with hashcat I have never heard of PACK. From a search, if I found the correct "pack", it appears to be a separate github project that utilizes hashcat. Is that accurate?
As I said, it will generate the needed maskfiles for it. Just try and find out.
(08-26-2016, 01:24 PM)hashcrash Wrote: Here you go: http://thesprawl.org/projects/pack/
Thanks hashcrack - I assumed the github project I found was the same thing and downloaded it last night and started playing around.
This package looks very cool - thanks for confirming the package and the link.
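For anyone reviewing a policy like the one in the first post, the following added example (not part of the thread and not PACK's code) counts how many per-position masks and candidate passwords satisfy "every class at least once" at a given length. The charset sizes are hashcat's built-in ?l, ?u, ?d and ?s; the hash rate is an assumed placeholder, since the thread never names the hash type.

```python
from itertools import combinations, product

# Sizes of hashcat's built-in mask charsets ?l, ?u, ?d, ?s.
CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33}

def compliant_keyspace(length, sizes=CLASSES):
    """Passwords of exactly `length` chars containing every class at least once.

    Inclusion-exclusion over the set of classes that are absent.
    """
    total = 0
    for m in range(len(sizes) + 1):
        for missing in combinations(sizes, m):
            remaining = sum(n for c, n in sizes.items() if c not in missing)
            total += (-1) ** m * remaining ** length
    return total

def compliant_masks(length):
    """Number of per-position masks (?u?l...?d?s style) that meet the policy."""
    # Same count with every class reduced to a single symbol.
    return compliant_keyspace(length, {c: 1 for c in CLASSES})

def keyspace_by_enumeration(length):
    """Cross-check for small lengths: sum the keyspace of each compliant mask."""
    total = 0
    for mask in product(CLASSES, repeat=length):
        if set(mask) == set(CLASSES):
            size = 1
            for c in mask:
                size *= CLASSES[c]
            total += size
    return total

def days_to_exhaust(keyspace, hashes_per_second):
    """Days needed to try every candidate at a constant rate."""
    return keyspace / hashes_per_second / 86400

if __name__ == "__main__":
    ASSUMED_RATE = 10**10  # hypothetical hashes/second, not from the thread
    for n in (10, 11, 12):
        ks = compliant_keyspace(n)
        print(f"len {n}: {compliant_masks(n):>9} masks, "
              f"{ks:.3e} candidates, "
              f"{days_to_exhaust(ks, ASSUMED_RATE):.3e} days at assumed rate")
```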