How to map a password policy onto your Mask?
#6
(05-29-2013, 10:31 AM)rob911 Wrote: Hi Friends,
let's assume you know details of your password policy, e.g.:
  • Amount of characters
  • minimum/maximum amount of letters
  • minimum/maximum amount of numbers
  • restrictions like "no repeating characters", e.g. aa, bb, and so on
  • the pool of special characters

I really don't know how to build a mask like that. Is it even possible to build such a mask, which is usable by hashcat?
If you don't know the answer, maybe you know a good tutorial on building such masks!?

It depends on which system you use. If you use Unix, like most of the people here, the combination of maskprocessor and hashcat is so easy that they would not understand your "laziness" to read.

If you use Windows, you need Unix tools for Windows installed; then you can run the tool/tools by the method of "pipe in" and answer your questions yourself.

What is "pipe in"?

Take the example of an 8-character-long password, digits only.

Use maskprocessor to generate them; you get 10^8 combis.

You can pipe in:

maskprocessor  ?d?d?d?d?d?d?d?d | hashcat-cli64.exe -a 0 ....

If you realise your friends trick you for advertising protection, but use only a password policy of 4 to 6 character long passwords,

you can use the same pipe in, but:

maskprocessor  -pw-min 4  -pw-max 6 ?d?d?d?d?d?d?d?d | hashcat-cli64.exe -a 0 ....
(Attention: print out the results; somehow maskprocessor still produces combis of length 1, 2, 3 before it generates the desired combis of 4, then 5, then 6 characters/digits long, and stops ... It is fast, so it doesn't matter much ... but worth checking: is it a bug?)

OR method no. 2:
maskprocessor  ?d?d?d?d?d?d?d?d | len 4 6 | hashcat-cli64.exe -a 0 ....


In a similar way we can cover password policies:

use min 8 to 10 length
use HEX only (use MP with charset -1 0123456789ABCDEF)
even must have one upper, one lower and one special ?l?u?s or ?a
all that we can do with MP and hashcat

But if I understand, I think @eduonline asks about a very special corner.
What about a policy something like this:
1) must have length between 8 and 10
2) must use upper, lower, special
Now if there is an EXTRA condition hung on, then it is interesting, either

3.1) Upper, Lower, Spec does not appear sequentially (repeated) more than 2 times (aaBcd1$23... allowed; aaaBcd1$23... fail; answer: you still use MP -q 2 and pipe in)
3.2) each character/digit occurs in the password only 3 times max (aaBcad1$23... allowed ... aaBcaa$23 fail; answer: you still use MP -r 3 or -r 4 and pipe in. Test it yourself, there seems to be a bug there too)
3.3) must use upper, lower, special, but special must not be at the beginning of your password
3.4) not more Upper than 2x, never more than 1x special sign
3.5) must not show part of your family forename/name (take KIM, David Camaron) or company name (SIEMENS/Siemens)
3.6) never upper case before the fourth position
3.7) never use special more than twice
3.8) never use special sign at beginning or end of password
3.9) ... I think it is clear enough now, MP and HC alone cannot solve this problem smartly....

I can stop here now to answer @rob911, @eduonline: we will still use "MP | Hashcat", but in between we must build in one more mask/box; I call it filtering; it is the Regular Expression filter and can be used this way:

maskprocessor  -pw-min 8 -pw-max 10 -q 2 -r 4 ?a?a?a?a?a?a?a?a | RegEx-Filter-box | hashcat-cli64.exe -a 0 ....

Is it what you ask, @rob911, @eduonline?

It is an interesting area to play out your fantasy; with a filtering box we can clamp down the amount of passwords if such strict policies are used. Strangely, it does not help the company/people, in my opinion: YES, they make such passwords more difficult, BUT they immensely reduce the key space a tester must look into to reveal password weakness.


We can do it here too. The question is whether we should filter or just brutally brute-force, because our power nowadays is so strong (some have 4x Titans or 8 Titans) that it does not matter to leave or throw away some thousands/hundred thousands/millions of wrongly formatted combis. Filtering takes its time, but maybe, if it is interesting, someone can look into it and program the filter to be faster.


Take PW of length 8: you could clamp down up to half of the wrongly formatted passwords when applying these policies 3.x ... Years ago, about the time the LinkedIn passwords leaked, a group here at Hashcat thought about this area: filtering, pipe in, wolfs attack ... technique.


Messages In This Thread
RE: How to map a password policy onto your Mask? - by newntk - 02-28-2016, 03:11 PM
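
The "RegEx-Filter-box" stage from the post above, written out as an added example (not code from the thread or from the hashcat project). It checks rules 1, 2, 3.1, 3.2 and 3.8 and counts how much of an exhaustive candidate space survives such a policy. The names `conforms`, `kept_fraction` and `SPECIALS` are hypothetical, and the special-character pool is assumed to be ASCII punctuation plus space.

```python
import itertools
import re
import string
import sys
from collections import Counter

# Assumption: the policy's special pool is ASCII punctuation plus space.
SPECIALS = set(string.punctuation + " ")


def conforms(pw, min_len=8, max_len=10, max_run=2, max_occ=3):
    """True if pw satisfies rules 1, 2, 3.1, 3.2 and 3.8 of the post."""
    if not (min_len <= len(pw) <= max_len):            # rule 1: length window
        return False
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
            and any(c in SPECIALS for c in pw)):       # rule 2: lower, upper, special
        return False
    if re.search(r"(.)\1{%d}" % max_run, pw):          # rule 3.1: run longer than max_run
        return False
    if max(Counter(pw).values()) > max_occ:            # rule 3.2: per-character cap
        return False
    if pw[0] in SPECIALS or pw[-1] in SPECIALS:        # rule 3.8: no special at either end
        return False
    return True


def kept_fraction(alphabet, length, **policy):
    """Enumerate every string of `length` over a small alphabet.

    Returns (kept, total), so the keyspace reduction caused by the
    policy can be measured instead of guessed.
    """
    kept = total = 0
    for chars in itertools.product(alphabet, repeat=length):
        total += 1
        kept += conforms("".join(chars), **policy)
    return kept, total


def main():
    # Filter mode: one candidate per line on stdin, conforming ones to stdout.
    for line in sys.stdin:
        word = line.rstrip("\r\n")
        if conforms(word):
            print(word)


if __name__ == "__main__":
    main()
```

On a constructed three-symbol alphabet, `kept_fraction("aB$", 4, min_len=4, max_len=4)` shows only 14 of the 81 possible strings are valid under these rules, which is the keyspace reduction the post points out.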