Speeding up bruteforce cracking time
#1
Hello, I'm wondering if there is a way to use custom rules or masks?
I'm trying to crack my TalkTalk router WiFi password from the handshake.
I know my password is 8 characters long and is a combination of 5 uppercase letters and 3 numbers.
I see in the bruteforce it is trying all hashes, example: abcdefgh, jkmnpqrt.
Is there a way to make it only search with a max of 5 uppers and 3 numbers in any order?
Example: A3B4CDE6, 9TA4VYQ6
Reply
#2
(01-26-2020, 04:32 AM)Leaver77 Wrote: Hello, I'm wondering if there is a way to use custom rules or masks?
I'm trying to crack my TalkTalk router WiFi password from the handshake.
I know my password is 8 characters long and is a combination of 5 uppercase letters and 3 numbers.
I see in the bruteforce it is trying all hashes, example: abcdefgh, jkmnpqrt.
Is there a way to make it only search with a max of 5 uppers and 3 numbers in any order?
Example: A3B4CDE6, 9TA4VYQ6

If you want to limit your keyspace, simply append a new custom charset using -1 to -4.
Check out the Wiki for more info:
https://hashcat.net/wiki/doku.php?id=hashcat

So an example would be, say I have a password with only vowels and digits and one special character of !, which is in total 8 characters. I could create a custom mask by doing this:

hashcat -m 2500 -a 3 -1 aeiouAEIOU1234567890! hash.txt ?1?1?1?1?1?1?1?1

Let's say you know the first 5 characters of the password are vowels and the last 3 are digits only between 1-5; we can create 2 custom charsets to use.

hashcat -m 2500 -a 3 -1 aeiouAEIOU -2 12345 hash.txt ?1?1?1?1?1?2?2?2

Hope this helps and answers your question.
Reply
#3
Thanks for your reply. I'm already using -1 ABCDEFGHJKMNPQRTUVWXY346789
Should the numbers be in -2 not in -1?
When I'm looking at the hashes it is trying, it's trying everything. I don't want it to look
through hashes with 0 or 1 or 2 or 4 or 5 or 6 or 7 or 8 numbers. Only 3.
The 3 numbers that are there could be in any position.
Reply
#4
(01-26-2020, 02:21 PM)Leaver77 Wrote: Thanks for your reply. I'm already using -1 ABCDEFGHJKMNPQRTUVWXY346789
Should the numbers be in -2 not in -1?
When I'm looking at the hashes it is trying, it's trying everything. I don't want it to look
through hashes with 0 or 1 or 2 or 4 or 5 or 6 or 7 or 8 numbers. Only 3.
The 3 numbers that are there could be in any position.

My masks are ?1?1?1?1?1?1?1?1
Reply
#5
If there is a way to make it search the 8 character password using min and max of 5 uppercase letters in random positions and min and max of 3 numbers in random positions. This would speed up cracking time significantly. Instead of looking through all the hashes in any random order like this... 87989943, BB48N679, BBBBBN98. They would all have 5 uppercase and 3 numbers like this... TAM43PR9, 8Q6MTW3D. Not in fixed positions like this... W9K8DS4H, Q4H6GW8K.
Reply
#6
(01-26-2020, 05:24 PM)Leaver77 Wrote: If there is a way to make it search the 8 character password using min and max of 5 uppercase letters in random positions and min and max of 3 numbers in random positions. This would speed up cracking time significantly. Instead of looking through all the hashes in any random order like this... 87989943, BB48N679, BBBBBN98. They would all have 5 uppercase and 3 numbers like this... TAM43PR9, 8Q6MTW3D. Not in fixed positions like this... W9K8DS4H, Q4H6GW8K.

We can generate a hcmask file which has every possible way of arranging 5 upper, 3 digits to make 8 chars, e.g. 

ABCDEFGHIJKLMNOPQRSTUVWXYZ,0123456789,?1?1?1?1?1?2?2?2
ABCDEFGHIJKLMNOPQRSTUVWXYZ,0123456789,?1?1?1?1?2?1?2?2
...

then run with -a3 hash.txt mask.hcmask 

I guess the lazy way to generate would be to generate all possible combinations and then filter out any which don't match the 5 / 3 split criterion. The proper way would be to use recursion and only generate valid patterns.

(I might have a pop at this later, as it's pretty similar to the default on my home router.)
Reply
#7
This should do what you want?  Basically walks the binary tree of choices - either capital or digit until we run out of one or the other. 

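#!/usr/bin/python3

def talktalkmask(mask, caps, digits):
    """Print one hcmask line per arrangement of `caps` letters and `digits` digits."""
    # Branch 1: spend one of the remaining capitals on the next position.
    if caps >= 1:
        talktalkmask(mask + '?1', caps - 1, digits)

    # Branch 2: spend one of the remaining digits on the next position.
    if digits >= 1:
        talktalkmask(mask + '?2', caps, digits - 1)

    # Leaf: both budgets are used up, so the mask is complete.
    # hcmask line format: charset for ?1, charset for ?2, then the mask.
    if caps == 0 and digits == 0:
        print("ABCDEFGHIJKLMNOPQRSTUVWXYZ,0123456789," + mask)


# 5 capitals + 3 digits in every order
talktalkmask('', 5, 3)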
Reply
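An added example, not code from any poster in this thread: the same mask-file idea built with itertools.combinations and the reduced charset quoted in post #3, plus a count of how many candidates the 5/3 split removes compared with the single ?1 x 8 mask. The function names and the split of that charset into letters and digits are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Build a hashcat .hcmask file for passwords with a fixed count of
letters and digits in any position, and report the keyspace saved."""
from itertools import combinations

# Charset quoted in post #3, split into letters and digits (assumed split).
LETTERS = "ABCDEFGHJKMNPQRTUVWXY"
DIGITS = "346789"


def hcmask_lines(letters, digits, n_letters, n_digits):
    """Return one hcmask line per arrangement: '<charset1>,<charset2>,<mask>'."""
    length = n_letters + n_digits
    lines = []
    # Choose which positions hold a digit (?2); the rest hold a letter (?1).
    for digit_pos in combinations(range(length), n_digits):
        mask = "".join("?2" if i in digit_pos else "?1" for i in range(length))
        lines.append(f"{letters},{digits},{mask}")
    return lines


def keyspace(letters, digits, n_letters, n_digits):
    """Return (candidates for one mixed ?1 mask, candidates for the mask file)."""
    length = n_letters + n_digits
    single = (len(letters) + len(digits)) ** length
    per_mask = len(letters) ** n_letters * len(digits) ** n_digits
    n_masks = len(hcmask_lines(letters, digits, n_letters, n_digits))
    return single, per_mask * n_masks


if __name__ == "__main__":
    lines = hcmask_lines(LETTERS, DIGITS, 5, 3)
    with open("mask.hcmask", "w") as fh:
        fh.write("\n".join(lines) + "\n")
    single, split = keyspace(LETTERS, DIGITS, 5, 3)
    print(f"{len(lines)} masks written to mask.hcmask")
    print(f"?1 x 8 over 27 chars: {single:,} candidates")
    print(f"5 letters + 3 digits: {split:,} candidates ({single / split:.1f}x fewer)")
```

The resulting file is used as in post #6 (-a3 hash.txt mask.hcmask); a charset containing a literal comma would need it escaped as \, in the hcmask line.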