Single 15 char NTLM Hash with known info
#1
Trying to crack a single 15-length NTLM hash.  I know the following:
1 - special
1 - upper
13 - lower
no - digits
consists of 6 words (no spaces)
it's a phrase

Assume cracking rig has 2 GTX1080.

My first thought was to take the google-top-10000 list of short words located here (which is actually ONLY 2184 words)
Code:
https://github.com/first20hours/google-10000-english/blob/master/google-10000-english-usa-no-swears-short.txt

And running that through combinator3:
Code:
combinator3.bin google-short google-short google-short > google-3times-short

Then after that's done, I could do something like this:
Code:
combinator.bin google-3times-short google-3times-short  | len.bin 14 15 | hashcat -m1000 -O -w4 -a0 hash.txt -r .rules/best64

I'm guessing this is going to be quite slow.

Or maybe I could do something like this:
Code:
hashcat -m1000 -O -w4 -a1 hash.txt google-3times-short google-3times-short and somehow use -j or -k rules to capitalize the first character and add a special at end

Thoughts?  Other ideas?  Looking for a way to utilize GPU as much as possible (I'm sure this goes without saying 😉). Any help is appreciated.
#2
https://hashcat.net/wiki/doku.php?id=princeprocessor may help, but the additional modifications would need some extra rules work - maybe a subset of those in prince_optimized.rule, depending on your use case.

But if it's six words, and you don't know which words ... that's a steep hill to climb. Even without additional modifications or characters, your 2184 wordlist would be 2184^6 or 1x10^20 combinations.
#3
Thanks for the suggestion - I'll give it a try.

One question though - since I want to take advantage of GPU as much as possible, and with this being fast hash, I'll be using either the prince_optimized or prince_generated rule.  My wordlist is all LOWER.  So should I also use --case permute with princeprocessor to get UPPER candidates?  Or will the rule file be applied to take care of UPPER?

Is it suggested that people ONLY use the "prince_optimized" or "prince_generated" rules due to something in the way that pp was written?  Or, is it OK to use other rules as well?

Guess that was two questions :)

Thanks for the assistance.
#4
You can use whatever rules make sense for your target. You may have to experiment with --stdout to determine whether the combination of --case-permute and your rules are doing what you're expecting.
#5
> 15-Length

> consists of 6 words (no spaces)

What 6 words fit in 15 characters? That's like, <3 letters per word.

"is it a big word set" < this is an example of 6 words and 15 characters without spaces. The words need to be relatively simple/short to fit, so it should be pretty easy to attack, I would think. With 1 upper and 1 special, I would bet on it being a capital at the beginning of the password and 1 punctuation mark at the end, such as a '!' or a '.'

I'd say take all words of 1, 2, 3, and 4 length, smash them into a dict, and run a prince attack with rules to upper the first character and maybe append a few symbols that seem to fit.
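Post #2 sizes the search as 2184^6 and post #5 points out that the length limit forces very short words. As an added example (not code from the thread), this Python script counts only the six-word concatenations whose letters sum to a fixed length, i.e. the candidates a length filter like len.bin would keep, and converts that into an estimated runtime, which is the arithmetic a defender uses to judge whether a passphrase policy of this shape holds up. The eight-word list, the symbol set and the 1e11 H/s rate are constructed assumptions, not the thread's numbers.

```python
from collections import Counter, defaultdict

# Constructed stand-in for the 2184-word google-short list named in the thread.
# Replace with the real file (one word per line) to size the actual keyspace.
SAMPLE_WORDS = ["a", "i", "is", "it", "my", "big", "set", "word"]


def length_counts(words):
    """Histogram of word lengths (duplicates dropped, as a dict would be)."""
    return Counter(len(w) for w in set(words))


def count_concatenations(counts, n_words, total_len):
    """Ordered n_words-word concatenations whose letters sum to exactly total_len.
    Dynamic programme over the length histogram, so the cost is roughly
    n_words * total_len * distinct_lengths rather than len(words) ** n_words."""
    dp = {0: 1}  # dp[L] = number of word sequences so far with total length L
    for _ in range(n_words):
        nxt = defaultdict(int)
        for cur_len, ways in dp.items():
            for word_len, n in counts.items():
                if cur_len + word_len <= total_len:
                    nxt[cur_len + word_len] += ways * n
        dp = nxt
    return dp.get(total_len, 0)


def keyspace(words, n_words=6, letters=14, symbols="!.?"):
    """Candidates for: n_words lowercase words totalling `letters` characters,
    first character capitalised (x1, a fixed rule) and one symbol from
    `symbols` appended (x len(symbols)). 14 letters + 1 symbol = 15 chars."""
    base = count_concatenations(length_counts(words), n_words, letters)
    return base * len(symbols)


def hours_at_rate(candidates, hashes_per_sec):
    """Wall-clock hours to exhaust `candidates` at a given hash rate."""
    return candidates / hashes_per_sec / 3600


if __name__ == "__main__":
    naive = len(set(SAMPLE_WORDS)) ** 6
    exact = keyspace(SAMPLE_WORDS)
    print(f"naive {naive:,} vs length-constrained {exact:,}")
    # Assumed rate for illustration only, not a benchmark from the thread.
    print(f"~{hours_at_rate(exact, 1e11):.2e} h at 1e11 H/s")
```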