hashcat Forum
md5 bruteforce with 2 known salts - Printable Version



md5 bruteforce with 2 known salts - AlanGomes_ - 12-17-2020

Given a known left salt and right salt, how can I bruteforce an md5 hash with an unknown password between them? For example:

md5($salt1 . $password . $salt2)

$salt1 is known
$salt2 is known too
$password is unknown and needs to be bruteforced (unknown length and unknown charset)

I tried using a mask attack but the performance wasn't so great.

Mask:
Code:
?a,SALT1_EXAMPLE?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1?1?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1?1?1?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1?1?1?1?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1?1?1?1?1?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1?1?1?1?1?1?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1?1?1?1?1?1?1?1SALT2_EXAMPLE
?a,SALT1_EXAMPLE?1?1?1?1?1?1?1?1?1?1SALT2_EXAMPLE

Command:
Code:
hashcat -m 0 -a 3 -w 3 --force --opencl-device-types 1,2 test.hash mask.txt

Speed of this method on an RTX 2060 Super:
Code:
Time.Started.....: Wed Dec 16 19:35:52 2020 (26 mins, 31 secs)
Time.Estimated...: Wed Dec 23 08:44:37 2020 (6 days, 12 hours)
Speed.#1.........:  123.4 MH/s (4.53ms) @ Accel:256 Loops:1 Thr:256 Vec:1

I was expecting something close to 12940.3 MH/s (as performed in benchmark mode)

Can someone guide me in how to perform this in hashcat?

Thanks in advance!


RE: md5 bruteforce with 2 known salts - undeath - 12-17-2020

Use mode 20 (md5($salt.$pass)) for good performance. Never use --force.


RE: md5 bruteforce with 2 known salts - AlanGomes_ - 12-17-2020

(12-17-2020, 01:05 AM)undeath Wrote: Use mode 20 (md5($salt.$pass)) for good performance. Never use --force.

Mode 20 only supports 1 salt as far as I know, is there some workaround to add another salt?


RE: md5 bruteforce with 2 known salts - undeath - 12-17-2020

You already posted the workaround in your first post: append the second salt to your mask.


RE: md5 bruteforce with 2 known salts - AlanGomes_ - 12-17-2020

(12-17-2020, 01:26 AM)undeath Wrote: You already posted the workaround in your first post: append the second salt to your mask.

It works but the problem remains the same, the performance is extremely low compared to a simple md5 bruteforce. I think the problem is in the mask attack itself :/

Code:
Speed.#1.........:  123.2 MH/s (3.98ms) @ Accel:256 Loops:1 Thr:256 Vec:1

Additionally, hashcat gives me this warning, but I don't think I need/can increase the work amount:
Code:
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Do you have another idea?


RE: md5 bruteforce with 2 known salts - undeath - 12-17-2020

Did you only measure that speed with the first mask in your list or also with longer ones? Masks with only a few variable chars will always produce low performance.


RE: md5 bruteforce with 2 known salts - AlanGomes_ - 12-17-2020

(12-17-2020, 01:37 AM)undeath Wrote: Did you only measure that speed with the first mask in your list or also with longer ones? Masks with only few variable chars will always produce low performance.

Alright, I was doing something wrong, I changed to mode 20 without removing the first salt of the mask file.

Now the speed increased from ~123.2 MH/s in mode 0 to ~6126.4 MH/s in mode 20.

It is still a little under the 12940.3 MH/s speed I got in the benchmark. Maybe there is some optimization I have to do?

My current mask (9999999999 is a placeholder with the same length as the real salt):
Code:
?h,?19999999999
?h,?1?19999999999
?h,?1?1?19999999999
?h,?1?1?1?19999999999
?h,?1?1?1?1?19999999999
?h,?1?1?1?1?1?19999999999
?h,?1?1?1?1?1?1?19999999999
?h,?1?1?1?1?1?1?1?19999999999
?h,?1?1?1?1?1?1?1?1?19999999999
?h,?1?1?1?1?1?1?1?1?1?19999999999

I measured the speed with the largest mask.
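
The setup the thread arrives at (mode 20, first salt in the hash file, second salt appended to every mask line) can be generated and sanity-checked before a long run. The following is an added example, not code posted by anyone in the thread; the function names are hypothetical, the salt and password values are constructed, and the small mask expander only covers the subset of mask syntax used here.

```python
import hashlib, itertools, re

# Subset of hashcat's built-in charsets, enough for this check.
BUILTIN = {"h": "0123456789abcdef", "d": "0123456789"}

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def escape_mask_literal(text):
    # hashcat mask syntax: a literal '?' is written '??'; in a mask file a
    # literal ',' is written '\,' because ',' separates custom charsets.
    return text.replace("?", "??").replace(",", "\\,")

def build_mask_lines(salt2, charset="?h", min_len=1, max_len=10):
    # One line per password length: custom charset 1, n x ?1, then the static salt2.
    suffix = escape_mask_literal(salt2)
    return [f"{charset},{'?1' * n}{suffix}" for n in range(min_len, max_len + 1)]

def mode20_hash_line(digest_hex, salt1):
    # Mode 20 (md5($salt.$pass)) hash file entry: hash:salt
    if not re.fullmatch(r"[0-9a-fA-F]{32}", digest_hex):
        raise ValueError("expected a 32-character hex MD5 digest")
    if ":" in salt1 or "\n" in salt1:
        raise ValueError("salt with ':' or newline is not handled by this example")
    return f"{digest_hex.lower()}:{salt1}"

def expand(line):
    # Enumerate the candidates one mask-file line describes (built-in sets only
    # in the custom charset definition; intended for tiny keyspaces).
    cs_def, mask = re.split(r"(?<!\\),", line, maxsplit=1)
    custom1 = "".join(BUILTIN[c] for c in re.findall(r"\?(.)", cs_def))
    table = {"??": "?", "?1": custom1, **{"?" + k: v for k, v in BUILTIN.items()}}
    tokens = re.findall(r"\?.|.", mask.replace("\\,", ","))
    return ("".join(p) for p in itertools.product(*(table.get(t, t) for t in tokens)))

def verify(hash_line, mask_lines, salt2):
    # Confirm the generated files would reach the known test password:
    # md5(salt1 . candidate) with candidate = password . salt2.
    digest, salt1 = hash_line.split(":", 1)
    for line in mask_lines:
        for cand in expand(line):
            if md5_hex(salt1 + cand) == digest:
                return cand[: len(cand) - len(salt2)]
    return None
```

Running `verify` against a hash made from a known short test password confirms the salt placement and escaping; the hash line and mask lines then go into `test.hash` and `mask.txt` for `hashcat -m 20 -a 3 test.hash mask.txt`.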