statsprocessor v0.03

I'm very proud to present you a new toy: statsprocessor

Download here:

This is a standalone word-generator like the maskprocessor, but based on markov-attack!

The markov-attack is a statistically based brute-force like attack, but instead of specifying a charset or a mask, we specify a file.

This file is once generated by ourself in a previous step. It contains statistical informations which are made out an automated analysis of a given dictionary.

To do the analysis we use another new tool called "hcstatgen" which is part of the new hashcat-utils package, starting with version 0.6.

Download 32 bit here:
Download 64 bit here:

The second program, the new tool "statprocessor", generates the words based on the statistical order of the .hcstat file.

NOTE: In Brute-Force Attack or in Mask Attack we can limit the keyspace by setting a smaller charset in order to reduce the attack-time.

In Markov Attack we have something similar, the "threshold". All you do is to specify a number. The higher the number, the higher the threshold to add a new link between two characters on the two-level table on which the markov-attack bases on.

This background is not so important, just remember that the higher the value, the smaller the keyspace and thus the faster the attack.

If you set the threshold to 0 its like a real Brute-Force attack but with markov ordering.

Here is a example usage:

Generate the .hcstat out of the rockyou.txt dictionary

root@sf:~/statsprocessor-0.01# /root/hashcat-utils-0.6/hcstatgen.bin rockyou.hcstat < /root/dict/untouched/rockyou.txt
Reading input...
Sorting tables...
Writing stats...

NOTE: I will add rockyou.hcstat as an example to the distribution so that new users have something to instantly play with.

Now lets run the statprocessor just to see what comes out. I will set an totally oversized threshold which is not for concrete usage but this way the output is so small that you will get an idea of how it looks like

root@sf:~/statsprocessor-0.01# ./sp64.bin --pw-min 5 --pw-max 5 --threshold 400000 rockyou.hcstat | head -20

I will explain a bit in detail next. This if for those who want to know how markov-attack works internally. Otherwise you can skip to the next command.

As you can see, it starts with the char "a". That is because "a" is the most used char in rockyou.txt.

The first character is what we call the root-character. All the following char are looked up from the markov-table.

The table is an 1-to-n table. The key can be any char. For this char, the table holds an ORDERED array structure which char follows next.

From what we see here is that the char "n" is the most followed char after the char "a". Because of some statistical accident the char "a" is followed most by the char "n", so it ends up in a loop.

In the next iteration, the 2nd most followed char after "n" is the "e", and so on.

As you can see after the word "anasa" there is a four char word "anat" following, even though we specified --pw-min 5.

This happend because of the high threshold. There is simply no char following the "t" char more than 400000 times in rockyou.txt.

Since we always focus on performance, see how fast this beast is

root@sf:~/statsprocessor-0.01# ./sp64.bin --pw-min 5 --pw-max 5 rockyou.hcstat | wc -l    
root@sf:~/statsprocessor-0.01# time ./sp64.bin -o /dev/null --pw-min 5 --pw-max 5 rockyou.hcstat        

real    0m18.234s
user    0m17.981s
sys     0m0.244s

This makes it 89.6 Mplains/s fast - on a single cpu core!

This 89.6 Mplains/s is fast enough to feed oclHashcat-plus for slow algorithms like DCC2 or WPA/WPA2. Here is an example run

root@sf:~/oclHashcat-plus-0.09# /root/statsprocessor-0.01/sp64.bin --pw-min 8 /root/statsprocessor-0.01/rockyou.hcstat | ./oclHashcat-plus64.bin -m 2500 test.hccap -n 80


Starting attack in wordlist stdin mode...    

Status.......: Running
Input.Mode...: Pipe
Hash.Target..: hashcat (00:aa:aa:aa:aa:aa <-> aa:aa:aa:aa:aa:aa)
Hash.Type....: WPA/WPA2
Time.Running.: 10 secs
Time.Util....: 10001.1ms/241.1ms Real/CPU, 2.5% idle
Speed........:   172.0k c/s Real,   181.3k c/s GPU
Recovered....: 0/1 Digests, 0/1 Salts
Progress.....: 1474560
Rejected.....: 0
HWMon.GPU.#1.: 98% Util, 60c Temp, 84% Fan
HWMon.GPU.#2.: 98% Util, 60c Temp, 30% Fan

As you can see, this is full speed for my hd6990.

But what if we want to use this with fast algorithms like MD5/SHA1? Well that would require a special new attack-mode for oclHashcat-lite or oclHashcat-plus. I will defenitly add this to a later version. Till that you can workaround this just by adding some workload to each generated word

$ /root/statsprocessor-0.01/sp64.bin --pw-min 6 /root/statsprocessor-0.01/rockyou.hcstat | ./oclHashcat-plus64.bin -n 80  example0.hash -r rules/hybrid/prepend_ld.rule -r rules/hybrid/prepend_ld.rule


Starting attack in wordlist stdin mode...    


Well you got the idea...

  • This is a very strong attack-mode. I think you will have a lot of fun with it.
  • Increment mode is already added. Like always, you can specify --pw-min and --pw-max.
  • The default threshold is set to 48.

Messages In This Thread
statsprocessor v0.03 - by atom - 06-10-2012, 02:58 PM
RE: statsprocessor v0.01 - by M@LIK - 06-10-2012, 03:09 PM
RE: statsprocessor v0.01 - by Hash-IT - 06-10-2012, 03:16 PM
RE: statsprocessor v0.01 - by Pixel - 06-10-2012, 03:29 PM
RE: statsprocessor v0.01 - by rurapenthe - 06-10-2012, 06:27 PM
RE: statsprocessor v0.01 - by .::Rizwan::. - 06-10-2012, 09:21 PM
RE: statsprocessor v0.02 - by atom - 06-10-2012, 09:53 PM
RE: statsprocessor v0.02 - by Hash-IT - 06-11-2012, 12:23 AM
RE: statsprocessor v0.02 - by ntk - 06-11-2012, 11:34 PM
RE: statsprocessor v0.03 - by atom - 06-13-2012, 12:38 PM
RE: statsprocessor v0.03 - by atom - 09-07-2012, 05:13 PM