Known String - Sequential Loop
#1
I've spent a fair amount of time trying to find the answer before reaching out, but maybe someone can help me out. 

I need a specific mask/attack based on the following. 
I know the password is derived from a specific set of characters, in a specific order. But I'd like to loop through all possibilities, for example:

If the complete string is: *j?nXt*WR9?e>o>
I would like to cycle through
*
*j
*j?

....etc.

Further, then I would like to begin with the second character:
j
j?
j?n

....etc. 
Continuing on of course with each next character in the string.  
This would be easy enough to do manually, however the string is 120+ characters.
If there's a specific term or thread that has already explained this, I would appreciate a pointer. 

Thanks!
Reply
#2
i think i would use a self generated ruleset for this with rules to delete or truncate at position X, see https://hashcat.net/wiki/doku.php?id=rule_based_attack for further details

you can use maskprocessor from hashcat team or the option --stdout from hashcat to help you generate these rulesets

i'll give you a starting point, with the first rules to delete chars from the end of the password (which will be the first thing you mentioned)

option -i1:120 will tell it to increment the given mask from 1 to max 120 positions, you will have to "expand" the ?1?1?1?1 to the length you will need (use c&p on commandline, use a fixed length of let's say ten, and copy this till you reach your desired length)

Code:
mp32.exe -i1:120 -1 ] ?1?1?1?1 >> ruleend.rule

this will generate a ruleset ] to ]]]] meaning delete last, to delete last 4 times

to see that this works i made a pass.txt with string 
Code:
0123456789
and ran hashcat with 
Code:
hashcat --stdout -r ruleend.rule pass.txt

output is 
Code:
012345678
01234567
0123456
012345

as you can see this would delete the pass from the end, given the max length of the rules

to achieve the second point you will have to mostly do the same but with [ instead of ]

Code:
mp32.exe -i1:120 -1 [ ?1?1?1?1 >> rulestart.rule

and combine the two rules with hashcat tool combinator

Code:
combinator ruleend.rule rulestart.rule > rulefull.rule

using this ruleset like above would do this to the string 0123456789

Code:
12345678
2345678
345678
45678
1234567
234567
34567
4567
123456
23456
3456
456
12345
2345
345
45

this ruleset "isn't really complete", you will have to manually copy the content of ruleend.rule and rulestart.rule into this rulefull.rule to get the basic delete combinations as well

yeah, this should do the whole trick you want to achieve
Reply
#3
(01-28-2022, 01:52 PM)Snoopy Wrote: i think i would use a self generated ruleset for this with rules to delete or truncate at position X, see https://hashcat.net/wiki/doku.php?id=rule_based_attack for further details

SUCCESS!!
Thank you very much for such a detailed response. Upfront I will say, I successfully cracked the hash because of your help!

One thing to note:
The rules became quite long as the known string was actually 128 characters; and the limitation for rules (I quickly learned) is 31. Therefore I manually ran the rules-start and rule-end files a few times on the string after manually chopping off 31 characters at a time. The end result was the same, a beautiful systematic dictionary.
And just as suspected, the password was revealed to be only the first 64 characters of the 128 character string. 

I owe you many many pub pints my friend, thank you.
Reply
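An added example, not code from the thread or from hashcat: it emulates the `[` and `]` rule functions from post #2 to show which candidates a rule file can reach under the 31-function limit reported in post #3, next to building every contiguous substring of the known string directly. The 128-character sample string and all function names are constructed for illustration.

```python
import string

MAX_RULE_FUNCS = 31  # functions-per-rule limit as reported in the thread

# Constructed 128-character stand-in for the known string (not from the thread).
_ALPHABET = string.ascii_letters + string.digits + string.punctuation
SAMPLE_KNOWN = (_ALPHABET * 2)[:128]


def apply_rule(word, rule):
    """Emulate the two rule functions the thread uses: '[' and ']'."""
    for fn in rule:
        if fn == "[":
            word = word[1:]   # delete first character
        elif fn == "]":
            word = word[:-1]  # delete last character
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return word


def delete_rules(max_funcs=MAX_RULE_FUNCS):
    """All rules of the form ']'*a + '['*b with 1 <= a + b <= max_funcs."""
    return ["]" * a + "[" * (total - a)
            for total in range(1, max_funcs + 1)
            for a in range(total + 1)]


def rule_candidates(known, max_funcs=MAX_RULE_FUNCS):
    """Non-empty candidates those rules produce from the single base word."""
    return {apply_rule(known, r) for r in delete_rules(max_funcs)} - {""}


def all_substrings(known, min_len=1):
    """Every contiguous substring of at least min_len, built without rules."""
    n = len(known)
    return {known[i:j] for i in range(n) for j in range(i + min_len, n + 1)}


if __name__ == "__main__":
    via_rules = rule_candidates(SAMPLE_KNOWN)
    direct = all_substrings(SAMPLE_KNOWN)
    print("rules:", len(delete_rules()), "shortest candidate:",
          min(map(len, via_rules)))
    print("direct substrings:", len(direct))
    print("first 64 chars reachable by rules:", SAMPLE_KNOWN[:64] in via_rules)
    print("first 64 chars in direct list:", SAMPLE_KNOWN[:64] in direct)
```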
#4
you are welcome

thanks for the hint with max length of rules, i wasn't quite aware of this limitation either
Reply