Increment switch use
#1
Trying to use hashcat with the increment switch? I have an NTLM hash value that I know is 13 characters so I want to create an attack that doesn't waste any time banging away at possible passwords shorter than the 13 characters. I have tried  hashcat.exe -a 3 -m1000 -i --increment-min13 hash.txt but the command is not correct.

Any tips on what I am missing? Or a better method of attacking this password.
#2
you are using the bruteforce attack without a mask/maskfile

hashcat.exe -a 3 -m 1000 -i --increment-min=13 hash.txt ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a

or put the 15 ?a inside another file (mask.txt) and run
hashcat.exe -a 3 -m 1000 -i --increment-min=13 hash.txt mask.txt

this would test 13-15 positions with complete upper, lower, digits, special charset starting with 13 positions

another approach would be a dictionary attack with rules and/or a single rule to truncate at position 13
jfmi why/how do you know that the password is exactly 13 chars?
#3
If I run it the first way you suggested I get an "Integer overflow detected in keyspace of mask" and if I run it with the mask.txt file I get an "Invalid mask" error. The contents of my Mask.txt is just ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?
#4
I have already run the dictionary attacks using 6 different dictionaries including one made up from a generated word list from the user's computers. The dictionaries range in size from 4 GB to 30 GB. I have also used the rockyou-3000, best 64 and dive rules with these dictionaries with no luck. This was before I learned that the password was 13 characters (My first go to was Ophcrack using the large Rainbow tables that go up to 10 characters). I submitted the hash to an online hashcracking website and they reported that they had successfully obtained the password after 4 days and they reported that the password was 13 characters. I could just pay them the $15 fee to learn the password but this is a learning/research project on how to use hashcat beyond the standard dictionary/rules attacks I normally do rather than actually needing to know the password. I am using 12 X 2080ti video cards for the attack so I can run through them fairly quickly.
#5
Quote: The contents of my Mask.txt is just ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?

Not sure if the word "just" fits here. That is in total 4,876,749,791,155,298,590,087,890,625 passwords.

Basically it's a number too large to fit into an unsigned 64-bit integer and that's why you receive the integer overflow detected message. So that's exactly what hashcat should do in this case. You need to rethink your strategy.
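The arithmetic behind post #5, as an added example (not code from the thread or from hashcat): it counts the candidates a mask produces at each increment length, checks each count against the unsigned 64-bit limit, and treats a mask ending in a dangling ? (like the Mask.txt contents quoted above) as malformed. The function names and the 1e12 hashes/second rate are assumptions made for the example.

```python
# Added example: keyspace arithmetic for hashcat-style masks (not hashcat's code).
# Built-in charset sizes: ?l ?u ?d ?s ?a ?b ?h ?H. Custom charsets (?1-?4) are
# out of scope here and are rejected.
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256, "h": 16, "H": 16}
U64_MAX = 2**64 - 1
ASSUMED_RATE = 1e12  # hashes/second; constructed figure, not a benchmark


def charset_sizes(mask):
    """Per-position charset sizes; ValueError if the mask is malformed."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":            # literal character: one choice
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        code = mask[i + 1]
        if code == "?":               # '??' is a literal question mark
            sizes.append(1)
        elif code in BUILTIN:
            sizes.append(BUILTIN[code])
        else:
            raise ValueError("unsupported charset ?" + code)
        i += 2
    return sizes


def increment_keyspaces(mask, min_len=1):
    """Candidate count for each length that -i would try, from min_len up."""
    out, total = {}, 1
    for length, size in enumerate(charset_sizes(mask), start=1):
        total *= size
        if length >= min_len:
            out[length] = total
    return out


def longest_u64_length(mask):
    """Longest prefix length whose keyspace still fits an unsigned 64-bit int."""
    fitting = [n for n, ks in increment_keyspaces(mask).items() if ks <= U64_MAX]
    return max(fitting, default=0)


if __name__ == "__main__":
    for n, ks in increment_keyspaces("?a" * 15, min_len=13).items():
        years = ks / ASSUMED_RATE / (365 * 24 * 3600)
        print(n, ks, "fits u64" if ks <= U64_MAX else "overflows u64", f"{years:.2e} years")
```

With fifteen ?a positions the count stops fitting in 64 bits after nine positions, so every length from 13 to 15 overflows, while the eight-position mask from post #7 fits.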
#6
That makes sense...I had not considered that. So what would be a practical limit for a mask based attack? As for another strategy I have been thinking of generating a word list of just 13 characters but I don't see much hope for that, rather I suspect that the password is a phrase so I am thinking an attack that uses multiple dictionary words with a shorter mask would be a more productive way to go?
#7
Just by way of a test I modified the command to -
hashcat.exe -a 3 -m 1000 -i --increment-min=8 hash.txt ?a?a?a?a?a?a?a?a

And it runs fine so at least I can be confident that the command is now correct.
I think I will try the 2 dictionary plus a short 4 digit mask.....