MD5 Help

[Ark223]

Hello. I'm a totally novice at this cracking program. I'd like to brute-force the following hash with salt:
Hash: <32-character>
Salt: <8-character>
Could you write me a right command that would decrypt it?

[Flomac]

Please do not post plain hashes in the forum!

Despite that, the command depends on how you want to crack the hash (wordlist, brute-force, markov) etc.

[Ark223]

Edited and sorry for that. I just need a command to crack it by myself. Could you write it?

[Flomac]

Sure. But not without the information
- how long that password is or might be
- what combinations of characters it contains (numbers, letters, symbols)
- how you are planning to crack it (brute-force, wordlist etc.)

Any variantion can make the difference between hours or centuries in cracking time.

[Ark223]

Password should contain:
- length: min. 3, max. 12
- combination: numbers, small and big letters - nothing else
- method: brute-force

[Flomac]

hashcat -m 10 -w 4 -a 3 -1 ?l?u?d --force --increment-min 3 --increment-max 12 [your_hash:your_salt] ?1?1?1?1?1?1?1?1?1?1?1?1

But it will take a few hundred years, depending on your hardware. If the password is not completely random, a dictionary attack might make more sense.

[DanielG]

Hi, you would probably already be cracking if you followed the information on the wiki. Here you can follow the steps needed to crack your hash:

https://hashcat.net/wiki/doku.php?id=hashcat#options This page has the basic usage:

Code:

Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

First is what you want to crack.

Code:

-m, --hash-type | Hash-type

As you stated, you are cracking an MD5 hash with salt, the reference states this as 

Code:

      # | Name                                             | Category
  ======+==================================================+======================================
    10 | md5($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
    20 | md5($salt.$pass)                                 | Raw Hash, Salted and/or Iterated

So first part of your command line is either -m 10 or -m 20 depending if you hash comes first or last.

next is how you want crack (attack)

Code:

-a, --attack-mode | Attack-mode

this is shown as 3 for brute force.

So the second part of your command line is -a 3.

The brute force mode needs to know what it will brute force, also called the Charset. In the options this is shown:

Code:

 ? | Charset
===+=========
 l | abcdefghijklmnopqrstuvwxyz
 u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
 d | 0123456789
 h | 0123456789abcdef
 H | 0123456789ABCDEF
 s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
 a | ?l?u?d?s
 b | 0x00 - 0xff

 
There is no charset with exactly what you want (well there is, but this gives you more info and flexibility if you want to change things). You need a combination of the l, u and d. This is possible using a custom charset or mask. 

Code:

-1, --custom-charset1 | User-defined charset ?1

So the third part of your command line is -1 ?l?u?d.

Now usually you brute force a single length, but you want multiple lengths (min. 3, max. 12). This is also documented. 

Code:

-i, --increment                |      | Enable mask increment mode                           |
    --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4
    --increment-max            | Num  | Stop mask incrementing at X                          | --increment-max=8

The fourth part of your command line is -i --increment-min 3 --increment-max 12.

Now we can combine this, I would recommend to put your hash in a hashfile. Be sure to put the hash in the correct format as described on https://hashcat.net/wiki/doku.php?id=example_hashes (modes 10 and 20 use hex_hash:plain_salt).

hashcat -m 10 -a 3 -1 ?l?u?d -i --increment-min 3 --increment-max 12 hashfile.txt ?1?1?1?1?1?1?1?1?1?1?1?1

Be sure to read more on the wiki on tweaking your settings, other attack types and for any other questions you have.

[Ark223]

Thank you for your answers! The last question is, what does the parameter "?1?1?1?1?1?1?1?1?1?1?1?1" depends on?

[slyexe]

Thank you for your answers! The last question is, what does the parameter "?1?1?1?1?1?1?1?1?1?1?1?1" depends on?

You can create custom character sets. In this case you create the custom set by using -1 and appending the character set so -1 ?l?u?d sets ?1 to do all lower case, upper case and digits as your character set. 

So a 2nd example would be say I wanted digits and special characters, you can create a second custom character set by creating -2. so adding the parameter -2 ?d?s would allow you to use ?2 as a shortcut. so doing ?1?2?1?d would cycle through lower, upper and digits for 1's and 2's would run through digits and special characters.

3rd example could relate to targeting specific characters. so lets say we know it includes AbC135 as the first character in our password. so you could create -3 AbC135 and add it to the password with ?3 in the first position. so ?3?2?2?2?1?1?d?s?u etc can all be used.

[DanielG]

?1 is indeed how you access the custom charset mentioned. In the example I put 12 "?1" combinations because that is your max length for your password. This makes it easy if you decide to try something as '12 chars but first must be only number' then you can change it to ?d?1?1?1?1?1?1?1?1?1?1?1