Attacking single md5crypt hash
#1
Hello,
I am a new user looking for the best approach to attack a single hash with a password containing a known "base word".

To explain further using an arbitrary example:

passwd file contains only root user:

root:$1$abcdefge$1234123512361237123812:root:/home/root:/bin/sh

Password is known to be based on a single word, in this example "accordion".
Password could be:
Accordion
Acc0rd1on
4Ac0rdi1on
!$@cC-oRD!#0n2

but is definitely not going to be:
harmonica
H4rmoniCa

I have tried:
hashcat -m 0500 -i --increment-min 7 -a 3 -1 "aA4@cC(" -2 "oO0iI!1" -3 "rRdDnN" testhash.hash "?1?1?1?2?3?3?2?2?a?a?a?a"
and things of that nature. This seems to cast the net very wide, trying passwords like CccIndo which are way off, and it also takes a lot of time to fail to find the password. Perhaps this approach could work if there were 8-10 different custom character sets and the -i switch was able to prepend ?a or work backwards from the end of the mask. I feel like there has to be a better approach.

I have also tried creating a custom rule file to create the specific substitutions I am after:
soO
so0
etc. etc.
But I have not quite figured out how to apply the substitutions to each possible combination of "accordion", "accOrdion", "accOrdi0n", nor how to add ?a wildcards to either end or interspersed in the base word.

I'm open to using other tools to generate a more comprehensive wordlist containing the possible combinations of the base word but would appreciate any guidance, either on the appropriate toolchain or the best use of hashcat internals.

Thanks.
#2
hashcat utils and mask processor are a good point to start with

not long ago a user posted a perl script, something like comboleeter or similar, which does this leetspeak conversion for a given word/string or whatever for you

edit: found it https://www.jimby.name/techbits/recent/comboleetor/ (not mine, so see page for yourself)

so basic work would be: build up your own dict based on that special word and use dict + rules or any other combinator attack like dict + mask, mask + dict to attack your hash

for such a specialised attack you could also go for something like this
build basic wordlist
using hashcat in stdout mode for getting these possibilities
basic + ?a > new list 1
?a + basic > new list 2
(do anything with these lists like you prefer)
merge | uniq all of them and then go for a basic wordlist + rules attack
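
The wordlist-building step described in #2, as an added example that is not part of either post and is not the comboleetor script: it expands one base word into every per-position case/leet variant, then emits each variant bare and with one ?a-equivalent character appended or prepended. The substitution table and the function names are assumptions made for this illustration.

```python
import itertools
import string
import sys

# Constructed substitution table (assumption): case and leet forms per letter,
# based on the custom charsets and rules tried in post #1.
SUBS = {
    "a": "aA4@", "c": "cC(", "o": "oO0", "r": "rR",
    "d": "dD", "i": "iI1!", "n": "nN",
}

# Same 95 printable ASCII characters as hashcat's built-in ?a charset.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

def variants(base, subs=SUBS):
    """Yield every per-position substitution of base; letter order is kept."""
    # Characters without a table entry form a pool of one (themselves).
    pools = [subs.get(ch.lower(), ch) for ch in base]
    for combo in itertools.product(*pools):
        yield "".join(combo)

def count_variants(base, subs=SUBS):
    """Size of the variant keyspace, computed without generating it."""
    total = 1
    for ch in base:
        total *= len(subs.get(ch.lower(), ch))
    return total

def with_affixes(words, charset=PRINTABLE):
    """Yield each word bare, then with one charset char appended / prepended."""
    for word in words:
        yield word
        for ch in charset:
            yield word + ch   # "basic + ?a"
            yield ch + word   # "?a + basic"

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "accordion"
    print(f"{count_variants(base)} base variants", file=sys.stderr)
    for candidate in with_affixes(variants(base)):
        print(candidate)
```

For "accordion" this gives 10368 variants (1980288 lines with the affixes), all of which keep the base word's letter order, so strings like CccIndo never appear; the output can be used as the dictionary for the wordlist + rules step.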