WPA 10 digit phone number using area code dictionary and 7 digit mask? HOW?
#1
Hi,
I am very new as this will illustrate.

Using ocl hashcat on ubuntu server 12.04 with Gnome
hashcat version 3.10
(4) amd HD5830 cards (so far)

Strictly WPA security testing here:

using something like:  .hc  -m2500 -a3 [hccap_file] ?d?d?d?d?d?d?d?d?d?d
This works but takes 4 days to run through 10^10 combinations (144kH/s) with overclock

I found this in an old forum
meow -m2500 -a3 [hccap_file] 707?d?d?d?d?d?d?d

Thats only aprox 30 min.

The problem is there are 387 area codes in the usa
I was hoping I could combine a rule and very small dictionary of the area codes (387) 3 digit numbers

tried this:  .hc  -m2500 -a3 [hccap_file] areacode.txt ?d?d?d?d?d?d?d (I don't have my notes in front of me but you get the idea. I think it worked but I got the message that the dictionary was to small and work load insufficient so
cards were throttled back to almost nothing. e.g. 137 days.. only 1 card runs, at aprox 40 H/s  (so basically nothing)

I tried something like .hc  -m2500 -a0 [hccap_file] ?d?d?d?d?d?d?d -r prepend_areacode.rule
where prepend_areacode. rule is:

^201
^202
^203
etc    387 area codes

That does not work because rules are only for dictionary attacks..
I also now realize it would be something like
^1^0^2
^2^0^2
^3^0^2
etc..

I think I also tried -a7 with no luck, i think that is left or right side of dictionary?

Any ideas? I have searched the forum I cannot believe i am the only person who has tried this..
using a dictionary attack of 387 area codes changes the combination from 10^10 or 10billion to 387x(10^7) or 3.8 billion

Thanks!
#2
Hybrid (-a 6 - word list on left-hand side, mask on right) should work for your use case. Please try again, and post your command line for a cross-check.
~
#3
Hi!
I thought I tried a hybrid, but I may have done it wrong. i will definitely will try that later tonight and post the results.
(not in front of the machine at the moment)
I do think I had something working, its just that as I mentioned it said the dictionary was too small, the GPUs not properly loaded and it proceeded to run EXTREMELY slow.. even with -w3 on the end of it per wicki FAQ

I will double check in a few hours.
Thanks
#4
ok here is what i have:

./hc -m 2500 -a 6 hccap-combined3/combined3.hccap /media/hal/My_Passport/WORDS2/AREA_CODES/areacodes.txt ?d?d?d?d?d?d?d

where ./hc is a shortcut for hashcat.bin
and areacodes.txt is a simple list 387 lines long - just 3 digit area codes

it works but,
Here is the message:

hal@ubuntu:~/hashcat-3.10$ ./hc -m 2500 -a 6 hccap-combined3/combined3.hccap /media/hal/My_Passport/WORDS2/AREA_CODES/areacodes.txt ?d?d?d?d?d?d?d
hashcat (v3.10) starting...

OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Cypress, 128/512 MB allocatable, 14MCU
- Device #2: Cypress, 128/512 MB allocatable, 14MCU
- Device #3: Cypress, 128/512 MB allocatable, 14MCU
- Device #4: Cypress, 128/512 MB allocatable, 14MCU
- Device #5: AMD Sempron(tm) 145 Processor, skipped

Hashes: 3 hashes; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Slow-Hash-SIMD
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

Cache-hit dictionary stats /media/hal/My_Passport/WORDS2/AREA_CODES/areacodes.txt: 1935 bytes, 387 words, 3870000000 keyspace

ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=fre...full_speed

INFO: approaching final keyspace, workload adjusted


when i get status:

Session.Name...: hashcat
Status.........: Running
Input.Left.....: File (/media/hal/My_Passport/WORDS2/AREA_CODES/areacodes.txt)
Input.Right....: Mask (?d?d?d?d?d?d?d) [7]
Hash.Target....: File (hccap-combined3/combined3.hccap)
Hash.Type......: WPA/WPA2
Time.Started...: Thu Oct 20 20:40:36 2016 (31 secs)
Time.Estimated.: Tue Mar 7 07:37:37 2017 (137 days, 11 hours)
Speed.Dev.#1...: 0 H/s (0.00ms)
Speed.Dev.#2...: 0 H/s (0.00ms)
Speed.Dev.#3...: 0 H/s (0.00ms)
Speed.Dev.#4...: 977 H/s (11.78ms)
Speed.Dev.#*...: 977 H/s
Recovered......: 0/3 (0.00%) Digests, 0/3 (0.00%) Salts
Progress.......: 30573/11610000000 (0.00%)
Rejected.......: 0/30573 (0.00%)
Restore.Point..: 0/387 (0.00%)
HWMon.Dev.#1...: Temp: 49c Fan: 25% Util: 0% Core: 865Mhz Mem:1170Mhz Lanes:1
HWMon.Dev.#2...: Temp: 30c Fan: 21% Util: 0% Core: 157Mhz Mem: 300Mhz Lanes:1
HWMon.Dev.#3...: Temp: 41c Fan: 21% Util: 0% Core: 157Mhz Mem: 300Mhz Lanes:1
HWMon.Dev.#4...: Temp: 49c Fan: 25% Util: 92% Core: 865Mhz Mem:1170Mhz Lanes:1

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

This same hccap file with ?d?d?d?d?d?d?d?d?d?d (10 dig) runs at 146kH/s

Note: with -w3 at the end:
./hc -m 2500 -a 6 hccap-combined3/combined3.hccap /media/hal/My_Passport/WORDS2/AREA_CODES/areacodes.txt ?d?d?d?d?d?d?d -w3

the hash rate goes from 977 to 1026 h/S

Any ideas?
#5
Just to prove it works with just mask:

This:
./hc -m 2500 hccap-combined3/combined3.hccap -a 3 ?d?d?d?d?d?d?d?d?d?d

yeilds:
./hc -m 2500 hccap-combined3/combined3.hccap -a 3 ?d?d?d?d?d?d?d?d?d?d
hashcat (v3.10) starting...

OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Cypress, 128/512 MB allocatable, 14MCU
- Device #2: Cypress, 128/512 MB allocatable, 14MCU
- Device #3: Cypress, 128/512 MB allocatable, 14MCU
- Device #4: Cypress, 128/512 MB allocatable, 14MCU
- Device #5: AMD Sempron(tm) 145 Processor, skipped

Hashes: 3 hashes; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Brute-Force
* Slow-Hash-SIMD
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

and status:
Session.Name...: hashcat
Status.........: Running
Input.Mode.....: Mask (?d?d?d?d?d?d?d?d?d?d) [10]
Hash.Target....: File (hccap-combined3/combined3.hccap)
Hash.Type......: WPA/WPA2
Time.Started...: Thu Oct 20 20:48:35 2016 (48 secs)
Time.Estimated.: Sun Oct 23 06:51:01 2016 (2 days, 10 hours)
Speed.Dev.#1...: 35857 H/s (11.96ms)
Speed.Dev.#2...: 35940 H/s (11.92ms)
Speed.Dev.#3...: 35915 H/s (11.92ms)
Speed.Dev.#4...: 35874 H/s (11.92ms)
Speed.Dev.#*...: 143.6 kH/s
Recovered......: 0/3 (0.00%) Digests, 0/3 (0.00%) Salts
Progress.......: 6938624/30000000000 (0.02%)
Rejected.......: 0/6938624 (0.00%)
Restore.Point..: 186368/1000000000 (0.02%)
HWMon.Dev.#1...: Temp: 64c Fan: 43% Util: 96% Core: 865Mhz Mem:1170Mhz Lanes:1
HWMon.Dev.#2...: Temp: 52c Fan: 29% Util: 93% Core: 865Mhz Mem:1170Mhz Lanes:1
HWMon.Dev.#3...: Temp: 63c Fan: 41% Util: 93% Core: 865Mhz Mem:1170Mhz Lanes:1
HWMon.Dev.#4...: Temp: 58c Fan: 36% Util: 94% Core: 865Mhz Mem:1170Mhz Lanes:1

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>
#6
Ok I have been doing some reading:

This is what I think I will try next (maskfile)

./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt hccap-combined3/combined3.hccap AreaCodeMask.hcmask

Where AreaCodeMask.hcmask is:
201?d?d?d?d?d?d?d
202?d?d?d?d?d?d?d
203?d?d?d?d?d?d?d
802?d?d?d?d?d?d?d
etc
etc (387 different area codes)

Anyone think I am on the write track here?
I cannot test until tonight.
#7
If you want to verify the password candidates match your expectations you can use latest beta version, it will show them to you in the status view or use --stdout
#8
(10-21-2016, 07:01 PM)atom Wrote: If you want to verify the password candidates match your expectations you can use latest beta version, it will show them to you in the status view or use --stdout

Hi, thank you for the advice.
do you think my command line looks correct?
It will be several hours before i can  try it.


with --stdout :
and --remove

./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt --remove --stdout hccap-combined3/combined3.hccap AreaCodeMask.hcmask


I assume this just shows the candidates in a long list on the screen? If you put a file name after them does it create a file?

my hccap file has 9 targets, am I currect in my understanding that --remove omits them from being hashed if they are already solved there by speeding up the process for the remaining un-solved targets?
#9
(10-21-2016, 07:21 PM)ICONOCLAST Wrote:
(10-21-2016, 07:01 PM)atom Wrote: If you want to verify the password candidates match your expectations you can use latest beta version, it will show them to you in the status view or use --stdout

Hi, thank you for the advice.
do you think my command line looks correct?
It will be several hours before i can  try it.


with --stdout :
and --remove

./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt --remove --stdout hccap-combined3/combined3.hccap AreaCodeMask.hcmask


I assume this just shows the candidates in a long list on the screen? If you put a file name after them does it create a file?

my hccap file has 9 targets, am I currect in my understanding that --remove omits them from being hashed if they are already solved there by speeding up the process for the remaining un-solved targets?


Quick update:
This does not work:
./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt --remove --stdout hccap-combined3/combined3.hccap masks/areacodes_no-tabs.hcmask

I believe this is working exactly as expected (I don't want to interupt it just yet):
./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt --remove   hccap-combined3/combined3.hccap masks/areacodes_no-tabs.hcmask

For some reason the --stdout caused problems, i believe the error was mask file too short
My guess is the --stdout has to go at the end.
#10
(10-22-2016, 03:35 AM)ICONOCLAST Wrote:
(10-21-2016, 07:21 PM)ICONOCLAST Wrote:
(10-21-2016, 07:01 PM)atom Wrote: If you want to verify the password candidates match your expectations you can use latest beta version, it will show them to you in the status view or use --stdout

Hi, thank you for the advice.
do you think my command line looks correct?
It will be several hours before i can  try it.


with --stdout :
and --remove

./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt --remove --stdout hccap-combined3/combined3.hccap AreaCodeMask.hcmask


I assume this just shows the candidates in a long list on the screen? If you put a file name after them does it create a file?

my hccap file has 9 targets, am I currect in my understanding that --remove omits them from being hashed if they are already solved there by speeding up the process for the remaining un-solved targets?


Quick update:
This does not work:
./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt --remove --stdout hccap-combined3/combined3.hccap masks/areacodes_no-tabs.hcmask

I believe this is working exactly as expected (I don't want to interupt it just yet):
./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt --remove   hccap-combined3/combined3.hccap masks/areacodes_no-tabs.hcmask

For some reason the --stdout caused problems, i believe the error was mask file too short
My guess is the --stdout has to go at the end.

Follow up:
Here is the error with --stdout (this time I put it at end, but same error)

hal@ubuntu:~/hashcat-3.10⟫ ./hc -a 3 -m 2500 --session=areacodeSession -w 2 -o AreaCodeOutput.txt --remove  hccap-combined3/combined3.hccap masks/areacodes_no-tabs.hcmask --stdout


ERROR: Invalid mask length (0)