Cracking unusual format StaticWord-Reverse(Password)-StaticWord
#1
Hi, 

I have an unusual MD5 hash format to try and crack.
The hash is created by performing the following:

md5(StaticWord + Reverse(Password) + StaticWord)

So I require a way to not only generate reversed password candidates, but have a prefix and a suffix to them as well.

Rules permit reversing the candidate password (r) so doing the reverse is straightforward, but I'm not sure how to position the candidates in between the two static words. 

I am planning on using a dictionary for the candidate passwords.

I was able to do the following to brute-force which isn't using a reversed dictionary but is allowing for a prefix and suffix to the password.

.\hashcat.exe -a 3 -m 0 .\AAA-HASHES\md5-reverso.txt "^&#*1234561?a?a?a?a?a?a?a?a1123456@&^%zzz" -O -w 3

Any help would be much appreciated.

Thanks!
#2
First, if you intend to use brute force you don't need the rule for reversing, because brute force will nevertheless generate both the password and the reversed password, so there is no need for reversing.

Do you believe the passwords are randomly generated or do you think there are "mainstream pw"?

What about the static word? If you know it, I would use a prepend/append rule for this, in your case.

You can test this as follows:
testdic
Code:
12345
Password
rule
Code:
r $a$p$p$e$n$d ^p^r^e^p^e^n^d
hashcat
Code:
hashcat --stdout -r rule testdic

output
Code:
dneperp54321append

dneperpdrowssaPappend

As you can see, you have to reverse your prepend, because the rules are read and worked left to right, so to "read" prepend you have to use

rule
Code:
r $a$p$p$e$n$d ^d^n^e^p^e^r^p

You can modify this to get your fixed words; you can test with --stdout to see if it works as you intended.

There is also the possibility to use 3 wordlists and combine them to get the same behavior, but if you want to use a real-world wordlist (without reversing them beforehand) I think the rule approach is better and maybe a little bit faster.
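An added example, not part of the posts above and not hashcat's own code: it builds the rule line from post #2 for an arbitrary static word (feeding the prepend characters backwards) and checks it against md5(StaticWord + Reverse(Password) + StaticWord) with a small model of the `:`, `r`, `$X` and `^X` rule functions. The function names and the static word `Stat1c#` are assumptions made for the illustration.

```python
import hashlib

def build_rule(prefix: str, suffix: str) -> str:
    """One hashcat rule line: reverse the word, append suffix, prepend prefix."""
    append = "".join("$" + c for c in suffix)
    # '^X' pushes one character onto the front, so the prefix is fed backwards.
    prepend = "".join("^" + c for c in reversed(prefix))
    return f"r {append} {prepend}"

def apply_rule(rule: str, word: str) -> str:
    """Tiny model of the functions used in the thread: ':', 'r', '$X', '^X'."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in " \t:":                 # separators and the no-op
            i += 1
        elif op == "r":                  # reverse the whole word
            word, i = word[::-1], i + 1
        elif op in "$^" and i + 1 < len(rule):
            ch = rule[i + 1]             # the argument may be any character
            word = word + ch if op == "$" else ch + word
            i += 2
        else:
            raise ValueError(f"unsupported or truncated rule at offset {i}")
    return word

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def find_password(static, digest, wordlist):
    """Return the wordlist entry whose ruled candidate hashes to digest, else None."""
    rule = build_rule(static, static)
    for word in wordlist:
        if md5_hex(apply_rule(rule, word)) == digest:
            return word
    return None

if __name__ == "__main__":
    STATIC = "Stat1c#"                   # constructed static word (assumption)
    WORDS = ["12345", "Password"]        # the test dictionary from post #2
    # Constructed target: md5(StaticWord + Reverse(Password) + StaticWord)
    target = md5_hex(STATIC + "Password"[::-1] + STATIC)
    print(build_rule(STATIC, STATIC))
    print(find_password(STATIC, target, WORDS))
```

The printed rule line can be saved to a rule file and previewed with `hashcat --stdout -r rule testdic`, as in post #2, before running it against the hash list.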
#3
Ah yeah, sorry, I wasn't clear. I don't know the password, so I'm trying a straight brute force of available key space in line with my rig's available power while I tried to sort out this other issue. I am aware it searches all possible combinations as a result.

As the passwords are set by humans, I'm assuming they are dictionary based, so I'm hoping to utilize that using the rule you suggested.

Appreciate the help. Thanks!