Looking for A Little Push
hashcat Forum (https://hashcat.net/forum), Thread: /thread-5790.html

Looking for A Little Push - msf004 - 08-23-2016

I am still learning the ways of Hashcat - I used a previous version a few years back for a single task, now I have another task.

My question is if anyone can give me a suggestion of the best way(s) (attack methods/wordlists/etc.) to start trying to crack a password file that has these rules:

Minimum password length = 10
Minimum lowercase chars = 1
Minimum uppercase chars = 1
Minimum numeric chars = 1
Minimum symbolic chars = 1

Obviously, brute-force is out being 10 chars minimum. I have been reading many threads and taking notes, but I have been possibly trying to overanalyze the best ways to start. Being there are many of you on here that have experience, I thought I would ask for some feedback based on the password rules I listed. There are ~2000 hashes in this file.

RE: Looking for A Little Push - royce - 08-23-2016

It sounds like you've discovered a number of options from your research. What are they? What criteria have you considered for prioritizing them?

RE: Looking for A Little Push - msf004 - 08-23-2016

(08-23-2016, 08:48 PM)royce Wrote: It sounds like you've discovered a number of options from your research. What are they? What criteria have you considered for prioritizing them?

That is a great question, Royce. First, I have found many wordlists from posts and online, such as: english words, 1337, casemutation, first names, last names, as well as others. I have read many opinions that say long word lists are not as important as applying rules to smaller, great word lists. Thus my initial notes were:

(1) try a straight against the popular passwords file: -a 0
(2) try a wordlist with brute-force: -a 6 example.dict ?d?d?d?d
(3) try wordlists with rules: -r <rules file> <hashes> <dictionary>

On #3, I mostly have rules files that came with hashcat. When I apply all of this, being I have ~10 wordlists as well as >10 rules files, suddenly I have many dozens of different attacks to try - which is good; however, I think this is also my reason for the post. Thus, I was hoping someone may have some opinions/views/knowledge on attack methods that may be better for my password rules that I know.

RE: Looking for A Little Push - rico - 08-24-2016

You haven't mentioned the hash type though. Each of them has different hash rates, sometimes vastly so. Faster hash rates open up the scope for experimentation (more rules, brute-force, etc.).

RE: Looking for A Little Push - msf004 - 08-24-2016

(08-24-2016, 12:09 AM)rico Wrote: You haven't mentioned the hash type though. Each of them has different hash rates, sometimes vastly so. Faster hash rates open up the scope for experimentation (more rules, brute-force, etc.).

Right, good point! It is from OpenLDAP and as such, I used slapcat to extract into LDIF format (LDAP Data Interchange Format) which is no more than an SSHA password (a SHA-1 that includes a salt in the computation) that has been base64 encoded.

From slapcat, I have:

e1NTSEF9b0pvQTdrMDVhMVRSazgxR2pzQ2tONUEybW9kNVNsQkI

I can then decode using:

Code:
echo "$(echo e1NTSEF9b0pvQTdrMDVhMVRSazgxR2pzQ2tONUEybW9kNVNsQkI= | base64 --decode )"

Giving me:

{SSHA}oJoA7k05a1TRk81GjsCkN5A2mod5SlBB

RE: Looking for A Little Push - atom - 08-24-2016

To attack with the above criteria you need to use PACK, it will generate the needed maskfiles for it.

RE: Looking for A Little Push - msf004 - 08-24-2016

(08-24-2016, 07:47 AM)atom Wrote: To attack with the above criteria you need to use PACK, it will generate the needed maskfiles for it.

Hi Atom, could you please elaborate? In my minimal experience with hashcat I have never heard of PACK. From a search, if I found the correct "pack", it appears to be a separate github project that utilizes hashcat. Is that accurate?

RE: Looking for A Little Push - atom - 08-25-2016

As I said, it will generate the needed maskfiles for it. Just try and find out.

RE: Looking for A Little Push - hashcrash - 08-26-2016

Here you go: http://thesprawl.org/projects/pack/

RE: Looking for A Little Push - msf004 - 08-26-2016

(08-26-2016, 01:24 PM)hashcrash Wrote: Here you go: http://thesprawl.org/projects/pack/

Thanks hashcrash - I assumed the github project I found was the same thing and downloaded it last night and started playing around. This package looks very cool - thanks for confirming the package and the link.
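The SSHA layout described in the thread (LDIF base64 around `{SSHA}` plus base64 of SHA-1 digest and salt), written out as an added example that is not from any poster in the thread. The function names, the sample password and the sample salt are assumptions constructed for illustration; the scheme itself is a single SHA-1 over password followed by salt, which is why the hash type matters for hash rate.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes; everything after it is the salt


def from_ldif(b64_value: str) -> str:
    """Undo the outer base64 that LDIF applies to a 'userPassword::' value."""
    return base64.b64decode(b64_value, validate=True).decode("ascii")


def parse_ssha(value: str) -> tuple[bytes, bytes]:
    """Split '{SSHA}<base64>' into (digest, salt), rejecting malformed input."""
    if not value.upper().startswith("{SSHA}"):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt present after the 20-byte digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an SSHA value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(value: str, password: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Value quoted in the thread: only its structure is inspected here.
    outer = "e1NTSEF9b0pvQTdrMDVhMVRSazgxR2pzQ2tONUEybW9kNVNsQkI="
    digest, salt = parse_ssha(from_ldif(outer))
    print(f"digest={len(digest)} bytes, salt={len(salt)} bytes")

    # Constructed sample (not from the thread) that satisfies the stated policy.
    sample = make_ssha(b"Example#Pass2016", b"\x01\x02\x03\x04")
    print(sample, verify_ssha(sample, b"Example#Pass2016"))
```

Because verification costs one SHA-1 call per candidate, a salted value in this scheme gets its resistance to guessing from the password policy alone, not from the hash.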