Twelve characters, four numbers, eight lowercase a-z
#1
Password is twelve characters, four numbers, eight lowercase a-z. An example would be for cracking a password like this one I made up: "xjqe9hr2e9n2"
The placement of the numbers seems to be random.
This is what I have put together, so please laugh, because I'm sure it's stupid, but I'm new and learning...

hashcat -m 2500 -w 3 "/home/hs.hccapx" -a 3 -1 abcdefghijklmnopqrstuvwxyz0123456789 ?1?1?1?1?1?1?1?1?1?1?1?1 -w 4 --force -O


Any tips?
Reply
#2
"-1 abcdefghijklmnopqrstuvwxyz0123456789" can be shortened to "-1 ?l?d".
Don't use --force for no reason.
-m 2500 is deprecated, see: https://hashcat.net/forum/thread-10253.html
Then if it's really random and 12 chars, you're just not gonna crack it.
Reply
#3
"Then if it's really random and 12 chars, you're just not gonna crack it." to explain it, you have 36^12 possibilities (4738381338321616896 different passwords). Using a really good card, for example 3080Ti, and the correct
hashmode 22000 you can get around 1064 kH/s. Dividing 36^12 possibilities by 1064 kH/s get 141122 years.
Reply
#4
Thanks for tips! What if I wanted to make a limit that only 4 out of 12 characters could be numbers, and the rest had to be lowercase letters, albeit in no particular order, is there a rule to handle this type of specificity? Because If I can't narrow it down somehow, then according to hashcat, it looks like:

"Time.Estimated...: Next Big Bang.."

lol
Reply
#5
Do like this: ?d?d?d?d?l?l?l?l?l?l?l?l (change order for ?d for digits, ?l for lowercase)
Or with specified numbers or letters: -1 kliopasvr197830 ?1?1?1?1?1?1?1?1?1?1?1?1
With known order: -1 kliopasvr -2 197830 ?1?1?1?1?1?1?1?2?2?2?2

If you want to make a rule for 4 out of 12 characters use mask processor, but keep in mind, that this will be a hell of a big rule and it will take years to complete.
Reply
#6
(10-21-2021, 05:33 PM)ctrl Wrote: Do like this: ?d?d?d?d?l?l?l?l?l?l?l?l (change order for ?d for digits, ?l for lowercase)
Or with specified numbers or letters: -1 kliopasvr197830 ?1?1?1?1?1?1?1?1?1?1?1?1
With known order: -1 kliopasvr -2 197830 ?1?1?1?1?1?1?1?2?2?2?2

If you want to make a rule for 4 out of 12 characters use mask processor, but keep in mind, that this will be a hell of a big rule and it will take years to complete.

Yeah, i figured. There's something I'm missing, and it's not a supercomputer... Somehow there is a pattern I'm missing, something that allows for ~>75% of the default passwords for a certain local companies routers/gateways (that are supplied to the local non-enterprise consumer for personal/home use where I am currently studying these vulnerabilities) to be cracked in under 30 minutes, often less than 15 minutes, by online password cracking services, albeit with ostensibly powerful GPUs, but they couldn't just be brute forcing a password like this (12 digits, lowercase and numbers) in that amount of time consistently, could they? I'm obviously missing a pattern that they are privy to, right?
Reply
#7
there are some routers where the standard passes where generated out of the mac-adresses (easy to imlement) and these algorithms where leaked and or reverse engineered
Reply
#8
(10-22-2021, 01:06 PM)Snoopy Wrote: there are some routers where the standard passes where generated out of the mac-adresses (easy to imlement) and these algorithms where leaked and or reverse engineered

I think everyone has heard of the infamous netgear fiasco (adjective + noun + ###), but are there any others that are newer?
Reply