is a 'catchall' mask possible?
#1
Greetings all,

I have two GPU servers each with eight Tesla V100's and I'm trying to recover my wife's iTunes backup passwd. These two servers are running different Linux flavors and hashcat was individually built for each one. I've read through the mask info on this site and searched the web but I cannot find any info on whether a 'catchall' mask is possible. For example, based on her passwd habits, it's likely a single upper case followed by 5-10 lwr case and then one to two digits and one to two special chars $|!|(. IE: Password99$ or Password99((

I've tried a few different command lines but got tired of typing the more than several iterations of the passwd style mentioned above. So currently I'm running:

Code:
./hashcat -a 3 -m 14800 -o cracked.txt --outfile-format=2 --increment hash.txt

It's running on a single GPU but I've yet to figure out how to spread the load to the others. Still looking into that.

Any mask/rules suggestions would be great, thanks.
Reply
#2
There are different ways you can tackle your problem.

For me, a nice solution would be creating a file named "masks.hcmask" for example, and writing on each line a possible mask.
Code:
?u?l?l?l?l?l?s
?u?l?l?l?l?l?s?s
?u?l?l?l?l?l?l?s
?u?l?l?l?l?l?l?s?s
...

Finally you use this file as a mask-input:
Code:
./hashcat -m 14800 hash.txt -o cracked.txt -a3 masks.hcmask

PS: since it is a slow hash, you can use the -S flag, it will speed up things by fully using all the GPU's
Reply
#3
Thank-you kindly. That was easy enough since I had just changed my command to:

Code:
./hashcat -a 3 -m 14800 -w 3 -o cracked.txt --outfile-format=2 --increment hash.txt ?u?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?d?d ?u?l?l?l?l?l?l?d?d ?u?l?l?l?l?l?l?l?d?d ?u?l?l?l?l?l?l?l?l?d?d ?u?l?l?l?l?l?l?l?l?l?d?d


It suggests -w but I'm not sure at this point if it's necessary. Now it's as you suggested, including the -S.

Since there are a few other passwd combos she might have used I'll create another mask file and throw that one over on the other server. Thank-you again for the guidance.
Reply
#4
I know this might be a bit off topic but is there a way to simply try and 'guess' the first character or two of a passwd? That would certainly shorten the time from the current 566 years and probably jog her memory as to what it might be. Or is password cracking with hashcat an all or nothing affair?
Reply
#5
A cryptographic hash (function) is non-reversible, so yeah, all or nothing.
Reply
#6
(02-02-2022, 09:17 PM)crimso Wrote: Thank-you kindly. That was easy enough since I had just changed my command to:

Code:
./hashcat -a 3 -m 14800 -w 3 -o cracked.txt --outfile-format=2 --increment hash.txt ?u?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?l?l?l?l?d?d?s?s ?u?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?l?l?l?l?d?d?s ?u?l?l?l?l?l?d?d ?u?l?l?l?l?l?l?d?d ?u?l?l?l?l?l?l?l?d?d ?u?l?l?l?l?l?l?l?l?d?d ?u?l?l?l?l?l?l?l?l?l?d?d


It suggests -w but I'm not sure at this point if it's necessary. Now it's as you suggested, including the -S.

Since there are a few other passwd combos she might have used I'll create another mask file and throw that one over on the other server. Thank-you again for the guidance.

I don't really believe that this command works like you think. The masks after the first one (?u?l?l?l?l?l?d?d?s?s) are definitely skipped and therefore not attacked; on the command line there is only one mask allowed.

Second thing, --increment tells hashcat to do the following (first mask) test:
?u
?u?l
?u?l?l
...
till you reach
...
?u?l?l?l?l?l?d?d?s?s

Given your info and this slow iTunes hash, I would not use brute force. Instead, try building up a dictionary with words your wife is/was using (or use a dictionary for your language) and use rules to uppercase the first char and append the numbers/special chars. This would significantly reduce the keyspace, as "dumb not really words" or passes like

Aaaaaaaaa19!"

are not tested. Rules to append numbers and chars are easily generated with the help of hashcat --stdout or maskprocessor.
Reply
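The rule-based approach suggested in the post above, as an added example that is not part of the thread: it builds one hashcat rule per suffix (`c` capitalises, `$X` appends the character X) and checks a rule with a small emulator. The special characters are the ones named in the first post; the function names and the emulator are assumptions made for illustration.

```python
from itertools import product
from string import digits

SPECIALS = "$!("   # the special characters named in the first post

def append_rules(specials=SPECIALS):
    """One rule per suffix: capitalise, then append 1-2 digits and 1-2 specials."""
    rules = []
    for nd, ns in product((1, 2), repeat=2):
        for d in product(digits, repeat=nd):
            for s in product(specials, repeat=ns):
                rules.append("c " + " ".join("$" + ch for ch in d + s))
    return rules

def apply_rule(word, rule):
    """Emulates only the two rule functions used here: 'c' and '$X'."""
    for fn in rule.split(" "):
        if fn == "c":
            # hashcat 'c': upper-case the first character, lower-case the rest
            word = word[:1].upper() + word[1:].lower()
        elif len(fn) == 2 and fn[0] == "$":
            word += fn[1]
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return word

def write_rule_file(path, rules):
    """Write the rules one per line, the layout a file passed with -r uses."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(rules) + "\n")

if __name__ == "__main__":
    rules = append_rules()
    print(len(rules), "rules, first one:", rules[0])
    # "password" is a constructed sample word, echoing the first post's example
    print(apply_rule("password", "c $9 $9 $$"))
```

With a rule file the dictionary stays as it is and hashcat applies every rule to every word, so the work is the word count times the rule count.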
#7
(02-03-2022, 12:23 PM)Snoopy Wrote:
I don't really believe that this command works like you think. The masks after the first one (?u?l?l?l?l?l?d?d?s?s) are definitely skipped and therefore not attacked; on the command line there is only one mask allowed.

Second thing, --increment tells hashcat to do the following (first mask) test:
?u
?u?l
?u?l?l
...
till you reach
...
?u?l?l?l?l?l?d?d?s?s

Given your info and this slow iTunes hash, I would not use brute force. Instead, try building up a dictionary with words your wife is/was using (or use a dictionary for your language) and use rules to uppercase the first char and append the numbers/special chars. This would significantly reduce the keyspace, as "dumb not really words" or passes like

Aaaaaaaaa19!"

are not tested. Rules to append numbers and chars are easily generated with the help of hashcat --stdout or maskprocessor.

Good morning,

Thanks for the update. I did ultimately kill the command and used the following:

Code:
./hashcat -m 14800 hash.txt --session checkpoint -a 3 -S -o cracked.txt masks.hcmask

The masks.hcmask file contains the following:

Code:
?u?l?l?l?l?l?d?d?s?s
?u?l?l?l?l?l?l?d?d?s?s
?u?l?l?l?l?l?l?l?d?d?s?s
?u?l?l?l?l?l?l?l?l?d?d?s?s
?u?l?l?l?l?l?l?l?l?l?d?d?s?s

?u?l?l?l?l?l?d?d?s
?u?l?l?l?l?l?l?d?d?s
?u?l?l?l?l?l?l?l?d?d?s
?u?l?l?l?l?l?l?l?l?d?d?s
?u?l?l?l?l?l?l?l?l?l?d?d?s

?u?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?l?l?d?d

Though I'm beginning to think that I should switch to a dictionary attack since she rarely uses random passwords. She's more inclined to use a phrase of varying length (6-10 chars) that begins with an upper case letter and ends in two numbers and either one or two special characters. The special characters are typically $ ( or ! so I need to figure out how to build an attack environment around that.

So I stopped the above, downloaded the rockyou.txt wordlist and am now running:

Code:
./hashcat -m 14800 hash.txt --session checkpoint -a 0 -S -o cracked.txt rockyou.txt

Still looking into whether I can tell hashcat that the passwd starts with an upper case letter followed by a couple numbers and special characters as a condition or if it's even necessary.

Kind regards.
Reply
#8
Two ways: rules and/or combinator attack.

I will show you the easy combinator way with just one rule.

Well, take a look at the following.
Prepare a file called masks.mask with content
Code:
!"()$,?d?1
!"()$,?d?d?1
!"()$,?d?1?1
!"()$,?d?d?1?1

and fire up 

Code:
hashcat -a3 --stdout masks.mask

As you see, these will generate all possibilities of one to two digits, with one to two follow-up special chars from !"()$ -> you can modify this with your special chars or even use full ?s instead of ?1 (if you are located in Germany, don't forget € or §, which are not included in ?s).

you can redirect these to a file like this

Code:
hashcat -a3 --stdout masks.mask > digits-special.txt

Prepare a rule.rule file with just one line in it with the lower case letter c (this will tell hashcat to capitalize the first letter and lower the rest).

For showing purposes only I generated a 2 chars lower dict as test.dict.

Now combine these two lists with hashcat tools combinator to get "your" dictionary

Code:
combinator.exe test.dict digits-special.txt > full.dict

When I fire up hashcat like this

Code:
hashcat --stdout -a0 -r rule.rule full.dict

you will see output (unordered) like this

Ih71("
Ih61("
Ih18("
Ih08("
Ih28("
Ih38("
Ih98("
Ih48("
Ih58("
Ih88("
Ih78("

As you see, the first char is uppercase, the rest your desired 1-2 digits + 1-2 special. All you will need is a proper dictionary with real world words to start with (depending on your language, there are for sure many ways).

When I was starting with hashcat I scraped Wikipedia German, English and other things like Oxford dictionary, German Duden or lists with city names, country names or human names and so on to get my basic dict.

EDIT:
Saw your edit with rockyou. The problem with rockyou is, there are already real-world passes so it is not exactly what you want, because if you add your digits-special, you will end up with passes like

My$specialpas$word!"§09)!

which didn't fit
Reply
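An added example (not from any poster) that puts numbers on the keyspace argument made in posts #6 and #8: it parses `.hcmask` lines, including the custom-charset prefix used in masks.mask, and compares the 15 brute-force masks from post #7 with a dictionary combined with the suffix list. The dictionary size of 100,000 words and all function names are assumptions.

```python
import re
import string

# hashcat built-in charsets (?h, ?H and ?b left out to keep this short)
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}  # ?s = 33 chars
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")

def positions(field, custom):
    """One character set per position; '??' and bare characters are literals."""
    sets = []
    for tok in re.findall(r"\?.|.", field):
        if len(tok) == 1 or tok == "??":
            sets.append(tok[-1])
        else:
            sets.append(custom.get(tok[1]) or BUILTIN[tok[1]])
    return sets

def keyspace(line):
    """Candidates produced by one .hcmask line: [charset1,...,]mask"""
    fields = [f.replace("\\,", ",") for f in re.split(r"(?<!\\),", line)]
    custom = {}
    for i, cs in enumerate(fields[:-1], start=1):
        custom[str(i)] = "".join(sorted(set("".join(positions(cs, custom)))))
    total = 1
    for cs in positions(fields[-1], custom):
        total *= len(cs)
    return total

def increment_steps(mask):
    """Masks that --increment walks through for a single command-line mask."""
    toks = re.findall(r"\?.|.", mask)
    return ["".join(toks[:n]) for n in range(1, len(toks) + 1)]

# The 15 brute-force masks from post #7 and the 4 suffix masks from post #8.
BRUTE = ["?u" + "?l" * n + "?d?d" + "?s" * k for k in (2, 1, 0) for n in range(5, 10)]
SUFFIX = ['!"()$,?d?1', '!"()$,?d?d?1', '!"()$,?d?1?1', '!"()$,?d?d?1?1']

def compare(dict_words):
    """Return (brute-force candidates, dictionary x suffix candidates)."""
    brute = sum(keyspace(m) for m in BRUTE)
    combo = dict_words * sum(keyspace(m) for m in SUFFIX)
    return brute, combo

if __name__ == "__main__":
    brute, combo = compare(dict_words=100_000)  # assumed dictionary size
    print(f"brute force : {brute:.3e} candidates")
    print(f"dict+suffix : {combo:.3e} candidates ({brute // combo:,}x fewer)")
    print(increment_steps("?u?l?l?l?l?l?d?d?s?s")[:3])
```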
#9
Greetings,
I've created the digit/special file using the mask file you suggested. If I combine a standard English dictionary with my newly generated digits_special.txt using the combinator can I expect this environment to find a passwd like Keepitreel99$ for example? My VERY basic knowledge in this area tells me no. That it's word based on the dictionary and not phrase based.

Knowing her passwd habits it's unlikely it's a single dictionary word but more likely a phrase followed by the number and special characters. Though I can't necessarily rule the single word scenario out. I suppose I could start with an English dictionary and go from there. The rockyou.txt run only took about 50 minutes.

For now I think I'll start with just the English Dictionary. Then repeat that run using a rule file with 'c' within. Then use your example and combine (combinator.bin) the number/special characters with the dictionary for a hybrid run. Then rerun it using the 'c' rule. I figure the best way to get a handle on this is to experiment. Fortunately the syntax is fairly intuitive, though masks, rules, etc. are much less so to a newbie.

Thanks for your guidance.
Reply
#10
If you have your basic English dictionary you could also use combinator to do something like this

combinator english.dict english.dict > two-words.dict

and combine this with the special dict

and feed this again with the single rule to hashcat. If this fails you could combine two-words.dict again with english.dict to get 3 words and so on.

There is another possibility, called princeprocessor, which you could use to do these combinations on the fly, but I think as long as you have enough storage for your dictionaries, stick to your self-generated ones; it is much easier when it comes to the command line. Anyway, for princeprocessor see

https://hashcat.net/wiki/doku.php?id=princeprocessor
or
https://reusablesec.blogspot.com/2014/12...rince.html
Reply