Posts: 5
Threads: 1
Joined: Feb 2023
02-20-2023, 03:00 AM
Hi all,
i'm wondering if it's possible to do a brute force attack by knowing some characters of the password but not their location.
Obviously the most obvious solution is this:
-a 3 -1 '?l?d' '?1?1?1?1?1?1?1?1'
But knowing that the password contains the character "9" would rule out a lot of futile attempts.
If you were sure instead that the password contains only lowercase letters and that number:
-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1'
Same problem here:
-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1'
is very different than:
-a 3 -1 '?l9' '?1?l?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?1?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?1?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?1?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?1?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?1?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?1?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?l?1'
In conclusion yes, I could try like this but if I know more characters how should I do? Start a lot of executions? I hope there is something better ..
Thanks
Andrea P.
Posts: 5
Threads: 1
Joined: Feb 2023
(02-20-2023, 03:00 AM)andreap Wrote: -a 3 -1 '?l9' '?1?l?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?1?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?1?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?1?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?1?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?1?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?1?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?l?1'
I meant:
-a 3 '9?l?l?l?l?l?l?l'
-a 3 '?l9?l?l?l?l?l?l'
-a 3 '?l?l9?l?l?l?l?l'
-a 3 '?l?l?l9?l?l?l?l'
-a 3 '?l?l?l?l9?l?l?l'
-a 3 '?l?l?l?l?l9?l?l'
-a 3 '?l?l?l?l?l?l9?l'
-a 3 '?l?l?l?l?l?l?l9'
Posts: 889
Threads: 15
Joined: Sep 2017
(02-20-2023, 05:25 AM)andreap Wrote: (02-20-2023, 03:00 AM)andreap Wrote: -a 3 -1 '?l9' '?1?l?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?1?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?1?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?1?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?1?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?1?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?1?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?l?1'
I meant:
-a 3 '9?l?l?l?l?l?l?l'
-a 3 '?l9?l?l?l?l?l?l'
-a 3 '?l?l9?l?l?l?l?l'
-a 3 '?l?l?l9?l?l?l?l'
-a 3 '?l?l?l?l9?l?l?l'
-a 3 '?l?l?l?l?l9?l?l'
-a 3 '?l?l?l?l?l?l9?l'
-a 3 '?l?l?l?l?l?l?l9'
well depends on how much chars do you know to reduce keyspace
also depending on the hashalgorithm, for fast algorithm like md5, you could simple stick to
-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1' in your case, as one char/sign more is peanuts for a fast hash
23^8 = 78.300 million
24^8 = 110.075 million
knowing more chars will change this
Posts: 5
Threads: 1
Joined: Feb 2023
(02-20-2023, 01:30 PM)Snoopy Wrote: well depends on how much chars do you know to reduce keyspace
also depending on the hashalgorithm, for fast algorithm like md5, you could simple stick to
-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1' in your case, as one char/sign more is peanuts for a fast hash
23^8 = 78.300 million
24^8 = 110.075 million
knowing more chars will change this
Ok, but this way would be a useless computational effort.
Look here:
-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1'
--------------------------------------
aaaaaaaa - zzzzzzzz
-a 3 '9?l?l?l?l?l?l?l'
-a 3 '?l9?l?l?l?l?l?l'
-a 3 '?l?l9?l?l?l?l?l'
-a 3 '?l?l?l9?l?l?l?l'
-a 3 '?l?l?l?l9?l?l?l'
-a 3 '?l?l?l?l?l9?l?l'
-a 3 '?l?l?l?l?l?l9?l'
-a 3 '?l?l?l?l?l?l?l9'
---------------------
9aaaaaaa - zzzzzzz9
Note that no letter-only solutions are included here, and this is very efficient.
So again, is there a command to do exactly the same attempts as above?
Posts: 889
Threads: 15
Joined: Sep 2017
02-20-2023, 04:43 PM
(This post was last modified: 02-20-2023, 04:44 PM by Snoopy.)
as i said, this strongly depends on your hash, just take a look at a single NVIDIA GeForce RTX 3060 for md5
speed around 24645.8 MH/s, so in the case mentioned above this would result in a slight longer cracking ETA (maybe 3-5 seconds because of some overhead) but overall this few seconds are negligible
for the rest, no there is no command for that, you have to generate a maskfile like you already did for yourself containing all possibilities for this kind of attack, just put this into a file and use it as input for the mask, hashcat will handle each line as mask, running all of them step by step, the maskfile should look like this
9?l?l?l?l?l?l?l
?l9?l?l?l?l?l?l
?l?l9?l?l?l?l?l
?l?l?l9?l?l?l?l
?l?l?l?l9?l?l?l
?l?l?l?l?l9?l?l
?l?l?l?l?l?l9?l
?l?l?l?l?l?l?l9
Posts: 5
Threads: 1
Joined: Feb 2023
(02-20-2023, 04:43 PM)Snoopy Wrote: as i said, this strongly depends on your hash, just take a look at a single NVIDIA GeForce RTX 3060 for md5
speed around 24645.8 MH/s, so in the case mentioned above this would result in a slight longer cracking ETA (maybe 3-5 seconds because of some overhead) but overall this few seconds are negligible
for the rest, no there is no command for that, you have to generate a maskfile like you already did for yourself containing all possibilities for this kind of attack, just put this into a file and use it as input for the mask, hashcat will handle each line as mask, running all of them step by step, the maskfile should look like this
9?l?l?l?l?l?l?l
?l9?l?l?l?l?l?l
?l?l9?l?l?l?l?l
?l?l?l9?l?l?l?l
?l?l?l?l9?l?l?l
?l?l?l?l?l9?l?l
?l?l?l?l?l?l9?l
?l?l?l?l?l?l?l9
Sounds good, sadly I'm using the 22000 (WPA-PBKDF2-PMKID+EAPOL) and it's a bit slow, hopefully good, thanks.
Posts: 5
Threads: 1
Joined: Feb 2023
02-20-2023, 06:33 PM
This code generate the masks I was looking for:
Code:
from itertools import permutations
perms = [''.join(p) for p in permutations('9AAAAAAA')]
perms = set(perms)
with open('masks.txt', 'w') as file:
for perm in perms:
print(perm)
file.write(perm.replace("A", "?l") + "\n")
Posts: 19
Threads: 5
Joined: Jun 2021
(02-20-2023, 06:33 PM)andreap Wrote: This code generate the masks I was looking for:
Code:
from itertools import permutations
perms = [''.join(p) for p in permutations('9AAAAAAA')]
perms = set(perms)
with open('masks.txt', 'w') as file:
for perm in perms:
print(perm)
file.write(perm.replace("A", "?l") + "\n")
I was also looking for something a while back that generated the masks this way. The most similar solution was this tool that hasn't been updated in years, but does the job we are looking for:
https://github.com/iphelix/pack