Some interesting test 14100
#1
Here we are :

this is command line created using real values, for verify how does it work 14100:

hashcat -m 14100 XAXBFXX6X8AXX7X:5XXCXXFXE6XCXCXX -a 3 --hex-charset XDX6XX7X46X9XXX7XX0XCXBXX4XX1A9XXDX6XX7X46X9XXX7 --outfile-format 5 --potfile-disable

Code:
Session..........: hashcat
Status...........: Cracked
Hash.Type........: 3DES (PT = $salt, key = $pass)
Hash.Target......: XAXBFXX6X8AXX7X:5XXCXXFXE6XCXCXX
Time.Started.....: Mon Apr 27 20:29:33 2020 (0 secs)
Time.Estimated...: Mon Apr 27 20:29:33 2020 (0 secs)
Guess.Mask.......: XDX6XX7X46X9XXX7XX0XCXBXX4XX1A9XXDX6XX7X46X9XXX7 [48]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    4802 H/s (0.05ms) @ Accel:2 Loops:1024 Thr:256 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:2 Loops:1024 Thr:256 Vec:1
Speed.#3.........:        0 H/s (0.00ms) @ Accel:2 Loops:1024 Thr:256 Vec:1
Speed.#*.........:    4802 H/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1024
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-1024
Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-1024
Candidates.#1....: $HEX[XDX6XX7X46X9XXX7XX0XCXBXX4XX1A9XXDX6XX7X46X9XXX7] -> $HEX[XDX6XX7X46X9XXX7XX0XCXBXX4XX1A9XXDX6XX7X46X9XXX7]
Candidates.#2....: [Generating]
Candidates.#3....: [Generating]
Hardware.Mon.#1..: Temp: 56c Fan: 50% Util: 70% Core:1923MHz Mem:3802MHz Bus:16
Hardware.Mon.#2..: Temp: 72c Fan: 53% Util: 76% Core:1847MHz Mem:3802MHz Bus:16
Hardware.Mon.#3..: Temp: 53c Fan: 48% Util: 16% Core:1923MHz Mem:3802MHz Bus:8

Having all this values seems to be easy , but i i try to build a mask to replicate this it seems i go into a wrong way.
Question, can someone give me a tip ho to revert this data into a mask?
Guess.Mask.......: XDX6XX7X46X9XXX7XX0XCXBXX4XX1A9XXDX6XX7X46X9XXX7 [48]
is a 3des=k1k2k3 whrere k1=k3
we knew also ?h= 0123456789abcdef, who can cover all digit and letter used into the hex lgo,i knew keyspace is hard to pronounce, but some thing i think can be fitted in...
Reply
#2
You cannot do something like k1=k3 with a mask.
Reply
#3
But if we decrease (kenrnel based ) the guessmask to 16 bytes from 24 , i think also keyspace will be lees bigger and maybe there a mask will be possible ( use of k1k2 only). Is only to understood the mechanism. I have full 3des key and it works probed with decrypt/encrypt CT to PT and reverse.
Reply
#4
Please request this new feature on github https://github.com/hashcat/hashcat/issues

It would probably require a new optimized kernel that is dedicated to this special variant and I would suggest that it just internally copies the first 8 bytes to the end. pw_min == pw_max == 16 i.e. it always requires 16 bytes instead of 24 bytes
Reply
#5
I will.
youre suggestion is what i'm thougth to be "pw_min == pw_max == 16". I test also on free online tools using only 16bytes insted of 24 and result = tha same , also if i use only half of ct ( 8 bytes only ) aplying key as encryptdecrypt(k=k1k2,k1=k3,k3 ommited) will obtain same result.
Reply
#6
good option needed for testing too Wink
Reply
#7
Any news here? I'm interested to brute a 3des key where the first 8 out of 16 bytes are already known.
Reply