Posts: 6
Threads: 1
Joined: Nov 2017
Hello,
I can't find the answer to this question in the wiki but maybe I'm not searching with the proper terms.
I'm trying to find out how a specific 8 hex digit hash/checksum is generated by a closed-source program.
I'm pretty sure the build number of the program (e.g. "104") or maybe the full version number (e.g. "2.1.104") is part of the input when this checksum is generated.
Question:
How would I use the string "104" as a dictionary word in hashcat without specifying its position in the mask, so that hashcat increments in the following way:
104?a
?a104
?a104?a
104?a?a
?a?a104
?a104?a?a
?a?a104?a
?a?a?a104
104?a?a?a
?a?a104?a?a
...
I've looked at hashcat's rule-based attacks but I don't see anything about this type of rule. Is this even possible?
I understand that hashcat was designed to crack passwords. Are there better tools out there to help guess the input strings of checksums when I have a plaintext file, parts of which I know were used to generate the checksums, but I don't know exactly which parts?
Posts: 2,301
Threads: 11
Joined: Jul 2010
11-22-2017, 05:39 PM
(This post was last modified: 11-22-2017, 05:40 PM by undeath.)
There is no such attack mode. You need to emulate it using masks or generated rules. The hybrid attack modes would work, but only for mask + word or word + mask but not mask + word + mask.
Posts: 6
Threads: 1
Joined: Nov 2017
11-22-2017, 07:25 PM
(This post was last modified: 11-22-2017, 07:45 PM by badagaga.)
"You need to emulate it using masks or generated rules"
So I tried to use the maskprocessor to create some rules with both prepending and appending (e.g. "^?a$?a") but I can't even generate the simplest rule:
mp64.bin "$?d"
returns:
0d
not:
$0
$1
$2
$3
$4
$5
$6
$7
$8
$9
like it does in this demo video:
https://youtu.be/GOgjUkYZ8GA?t=384
Any idea as to what I might be doing wrong?
EDIT: tested on CentOS (mp64.bin) and macOS (mp32.app) with maskprocessor-0.73
Posts: 2,301
Threads: 11
Joined: Jul 2010
Posts: 6
Threads: 1
Joined: Nov 2017
11-22-2017, 11:42 PM
(This post was last modified: 11-22-2017, 11:42 PM by badagaga.)
Thanks undeath. Sorry about that mistake.
So just in case this can help someone else save a bit of time, here is how I generated my rules file with Python:
Code:
import subprocess

prepend = "^?a"
append = "$?a"
masks = []
# Build every mask with up to two prepended and up to two appended ?a characters
for begin_count in range(3):
    for end_count in range(begin_count+1):
        mask1 = begin_count * prepend + end_count * append
        mask2 = end_count * prepend + begin_count * append
        if mask1 != '': masks.append(mask1)
        if mask1 != mask2: masks.append(mask2)
# Run maskprocessor once per mask
for mask in masks:
    cmd = "./maskprocessor-0.73/mp64.bin '{}' -o prepend-append-anywhere.rule".format(mask)
    process = subprocess.Popen(cmd.split(),stdout=subprocess.PIPE)
    output, error = process.communicate()
Results:
Code:
./maskprocessor-0.73/mp64.bin '^?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a^?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '$?a$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a^?a$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a$?a$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a^?a$?a$?a' -o prepend-append-anywhere.rule
/!\ If you're a beginner like me, be careful with commands like "./maskprocessor-0.73/mp64.bin '^?a^?a^?a^?a$?a$?a$?a$?a' -o prepend-append-anywhere.rule" and any command longer than that: it will fill up your disk space real fast.
Posts: 2,301
Threads: 11
Joined: Jul 2010
You could just generate a file for ^?a and $?a and use rule file chaining in hashcat by using multiple -r switches.
Posts: 6
Threads: 1
Joined: Nov 2017
11-23-2017, 11:51 AM
(This post was last modified: 11-23-2017, 01:17 PM by badagaga.)
That would be great as I wouldn't have to use a whole hard drive to store the mask list but I don't see how that would work.
Wouldn't I need a "prepend-null" or "prepend-empty" rule token to do that? Is there one I'm not aware of?
Here's an example:
prepend.rule
^0
^0^0
^0^0^0
append.rule
$1
$1$1
$1$1$1
./hashcat64.bin --stdout -r apppend.rule -r prepend.rule dict.lst
0word1
0word11
0word111
00word1
00word11
00word111
000word1
000word11
000word111
But what I want is:
word1
word11
word111
0word
0word1
0word11
0word111
00word
00word1
00word11
00word111
000word
000word1
000word11
000word111
Posts: 6
Threads: 1
Joined: Nov 2017
Small fix to the Python snippet as single-quotes don't do well with Popen/split (they end up in the rules file):
Code:
import subprocess

prepend = "^?a"
append = "$?a"
masks = []
# Build every mask with up to two prepended and up to two appended ?a characters
for begin_count in range(3):
    for end_count in range(begin_count+1):
        mask1 = begin_count * prepend + end_count * append
        mask2 = end_count * prepend + begin_count * append
        if mask1 != '': masks.append(mask1)
        if mask1 != mask2: masks.append(mask2)
# Run maskprocessor once per mask (no shell quoting: the mask is passed as-is)
for mask in masks:
    cmd = "./maskprocessor-0.73/mp64.bin {} -o prepend-append-anywhere.rule".format(mask)
    process = subprocess.Popen(cmd.split(),stdout=subprocess.PIPE)
    output, error = process.communicate()
Posts: 2,301
Threads: 11
Joined: Jul 2010
Note about your Python script: specify the command as a list of strings and you don't have to worry about any kind of escaping.
But anyway, just generate a rule file with pattern ^?a and one with $?a and then run commands like
hashcat -a0 hash.txt wordlist.txt -r append-char.rule -r append-char.rule -r prepend-char.rule
Posts: 6
Threads: 1
Joined: Nov 2017
If I use the following command:
Code:
./hashcat-4.0.1/hashcat64.bin --stdout -a 0 -m 11500 hash.txt wordlist.txt -r apppend.rule -r prepend.rule
I get the following result:
Code:
Cannot convert rule for use on OpenCL device in file apppend.rule on line 1: $?a
Cannot convert rule for use on OpenCL device in file prepend.rule on line 1: ^?a
No valid rules left.
Am I missing something?
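
Added example (not part of any post above, and not hashcat or maskprocessor code): a Python sketch that expands `^?a` and `$?a` into literal one-per-line rules, since a rule file must hold `$a`, `$b`, ... rather than the mask `$?a`, and puts hashcat's `:` (do nothing) rule first so that chained `-r` files also cover the "nothing prepended/appended" case asked about earlier. `apply_rule` and `chain` are a small emulation written for this example that handles only `:`, `^X` and `$X`; the candidate order is not claimed to match hashcat's.

```python
import itertools
import string

# hashcat's ?a is ?l?u?d?s: the 95 printable ASCII characters, space included.
CHARSET_A = (string.ascii_lowercase + string.ascii_uppercase +
             string.digits + " " + string.punctuation)

def single_char_rules(op, charset=CHARSET_A):
    """Expand '^?a' or '$?a' into literal rules, with ':' (do nothing) first."""
    if op not in ("^", "$"):
        raise ValueError("op must be '^' (prepend) or '$' (append)")
    return [":"] + [op + ch for ch in charset]

def apply_rule(rule, word):
    """Emulate only the three rule functions used here: ':', '^X', '$X'."""
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn == ":":
            i += 1
        elif fn in "^$" and i + 1 < len(rule):
            ch = rule[i + 1]  # the character after ^ or $ is always literal
            word = ch + word if fn == "^" else word + ch
            i += 2
        else:
            raise ValueError("unsupported rule function in %r" % rule)
    return word

def chain(word, *rule_files):
    """Apply every combination of one rule per file, like repeated -r switches."""
    out = []
    for combo in itertools.product(*rule_files):
        candidate = word
        for rule in combo:
            candidate = apply_rule(rule, candidate)
        out.append(candidate)
    return list(dict.fromkeys(out))  # drop duplicates, keep first-seen order

def write_rule_file(path, rules):
    with open(path, "w", newline="\n") as fh:
        fh.write("\n".join(rules) + "\n")

if __name__ == "__main__":
    write_rule_file("prepend-char.rule", single_char_rules("^"))  # 96 lines
    write_rule_file("append-char.rule", single_char_rules("$"))   # 96 lines
    # The thread's prepend.rule / append.rule contents, each with ':' added.
    prepend = [":", "^0", "^0^0", "^0^0^0"]
    append = [":", "$1", "$1$1", "$1$1$1"]
    print("\n".join(chain("word", prepend, append)))
```

Because each file starts with `:`, passing the same 96-line file to `-r` several times covers every length from zero up to that count, at the cost of some duplicate candidates, and nothing large has to be written to disk.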