it's always clever to step back a little bit and first try to understand and analyse the feasibility of this attack and the total keyspace.
My guess is that this is for WPA "hashes", so it's already one of the slower hash types that hashcat supports.
Therefore you need to come up with a clever strategy.
Do you know the list of possible words used ? do you already have such a dictionary ? How large is it ?
The problem with combining a lot of words together, is that the keyspace grows very fast ("exponentially") with the number of words that need to be combined. If you furthermore also add some random digits in between, the set of candidates multiplies again and again... making it very difficult to crack because of the very fast grow of the total number of password candidates (keyspace).
let's say you have 10000 words and your formula is (x = 10000)
x * 100 * x * 100 * x +
x * 10000 * x * 10000 * x
only the four digit (0000...9999) variant is basically 10000 ^ 5 (without any 2 digit numbers... I'm not sure if the 2 digit and 4 digits are mixed or not, or if this is an either 2 or 4 variant)
it's a very huge number for WPA.
If the keyspace would have been very small, you could have just generate a new dict consisting of digits and words, e.g
the ?d?d together with -a 7 will generate a new dict (file right_dict.txt) that has 2 numbers (00-99) prepended.
you could then for instance combine word + right_dict.txt for the total left part
(or use the tool "combinator" from hashcat-utils)
finally you run hashcat with combinator attack (-a 1)
of course all this only works if the amount of words (x) in the original dict (dict.txt) is small, otherwise it's a very difficult problem both for disk space, disk I/O and also the feasibility (as explained above).
also note that people already attempted for quite a while to attack similar passwords (diceware, passphrases)... but also more specifically for WPA, the Netgear approach and strategies to crack it like https://hashcat.net/forum/thread-4463.html and others https://hashcat.net/forum/thread-6170.html.
The best of course would be to discover how the hardware/router vendor comes up with the passwords... it's already discovered for a lot of router models that the passwords are not really random, but depend on for instance MAC addresses of network adapters or similar (I'm not sure about your vendor/model etc).
if dict.txt is large and your attack will take dozens/hundreds of years, it only proofs that combining words makes a password (in theory, but also sometimes in practice, if no algorithm behind the generation is discovered) hard to crack.
Another approach to crack the hashes could of course be to use stdin and pipe like this:
but this also has many disadvantages (most importantly that hashcat won't know what the total amount of password generated by the left part will be ... and it will probably be slower than -a 1 attacks, but not always the case).
the application "my_custom_password_generator.exe" is of course a newly developed, coded or scripted (python, php, perl etc), fast password generator that does exactly the combining of words with numbers etc... you would need to code it yourself of course, it's not available online.
all of this only makes sense, if you can exhaust the keyspace in a reasonable amount of time (say several weeks or month), otherwise it's just a waste of time !
My guess is that this is for WPA "hashes", so it's already one of the slower hash types that hashcat supports.
Therefore you need to come up with a clever strategy.
Do you know the list of possible words used ? do you already have such a dictionary ? How large is it ?
The problem with combining a lot of words together, is that the keyspace grows very fast ("exponentially") with the number of words that need to be combined. If you furthermore also add some random digits in between, the set of candidates multiplies again and again... making it very difficult to crack because of the very fast grow of the total number of password candidates (keyspace).
let's say you have 10000 words and your formula is (x = 10000)
x * 100 * x * 100 * x +
x * 10000 * x * 10000 * x
only the four digit (0000...9999) variant is basically 10000 ^ 5 (without any 2 digit numbers... I'm not sure if the 2 digit and 4 digits are mixed or not, or if this is an either 2 or 4 variant)
it's a very huge number for WPA.
If the keyspace would have been very small, you could have just generate a new dict consisting of digits and words, e.g
Code:
hashcat --stdout -a 7 -o right_dict.txt ?d?d dict.txtyou could then for instance combine word + right_dict.txt for the total left part
Code:
hashcat --stdout -a 1 -o left_dict.txt dict.txt right_dict.txt(or use the tool "combinator" from hashcat-utils)
finally you run hashcat with combinator attack (-a 1)
Code:
hashcat -m 2500 -a 1 -w 3 hash.hccapx left_dict.txt right_dict.txtof course all this only works if the amount of words (x) in the original dict (dict.txt) is small, otherwise it's a very difficult problem both for disk space, disk I/O and also the feasibility (as explained above).
also note that people already attempted for quite a while to attack similar passwords (diceware, passphrases)... but also more specifically for WPA, the Netgear approach and strategies to crack it like https://hashcat.net/forum/thread-4463.html and others https://hashcat.net/forum/thread-6170.html.
The best of course would be to discover how the hardware/router vendor comes up with the passwords... it's already discovered for a lot of router models that the passwords are not really random, but depend on for instance MAC addresses of network adapters or similar (I'm not sure about your vendor/model etc).
if dict.txt is large and your attack will take dozens/hundreds of years, it only proofs that combining words makes a password (in theory, but also sometimes in practice, if no algorithm behind the generation is discovered) hard to crack.
Another approach to crack the hashes could of course be to use stdin and pipe like this:
Code:
my_custom_password_generator.exe | hashcat.exe -m 2500 -w 3 hash.hccapxbut this also has many disadvantages (most importantly that hashcat won't know what the total amount of password generated by the left part will be ... and it will probably be slower than -a 1 attacks, but not always the case).
the application "my_custom_password_generator.exe" is of course a newly developed, coded or scripted (python, php, perl etc), fast password generator that does exactly the combining of words with numbers etc... you would need to code it yourself of course, it's not available online.
all of this only makes sense, if you can exhaust the keyspace in a reasonable amount of time (say several weeks or month), otherwise it's just a waste of time !