Help with commandline for md5 hash crack
#1
Hi there,
I am trying to crack some hashes, which I need in order to open some files; we lost the Excel sheet with the passwords.

The password length and composition is always the same and that might help the hashing.

- Password length is 28 char
- The first part of the password is always known and is COMMDEPT#. This lowers the unknown chars to 19.
- The other parts of the password are groups of 4 chars, with a # in the middle. This lowers the unknown chars to 16 and sets password composition to COMMDEPT#????#????#????#????
- The ? char above is anything in A->Z and 0->9.
- No lowercase and no other symbols other than separating # whose position is known.
- Hashing algorithm is plain MD5 (that is MD5(password) = hash)

Can someone help me with creating the right command-line for hashcat?

Thanks in advance!
#2
EDIT:
while testing this, this mask is too long, hashcat runs into a buffer overflow so you will need another approach to run this attack, gimme some time
EDIT2:
the only thing i came up with (without generating a first part dictionary of more than 40 TB) is using maskprocessor to feed hashcat
Code:
mp64 -1 ?u?d COMMDEPT#?1?1?1?1#?1?1?1?1#?1?1?1?1#?1?1?1?1 | hashcat -O -m0 --status hash
maskprocessor can be found here https://hashcat.net/wiki/doku.php?id=maskprocessor

be aware that this attack will be slow and you will not profit from any inbuilt things like shuffling the candidates, it will straight test the AAAA to 9999 beginning at the end (just see the output of hashcat tested candidates)

for simplicity
generate a file mask.txt with content
Code:
?u?d,COMMDEPT#?1?1?1?1#?1?1?1?1#?1?1?1?1#?1?1?1?1

the rest is simple 
Code:
hashcat -a3 -m0 -O -w3 --status hashfile mask.txt

add other options like outputfile when needed

be aware that this mask will generate 16.293.529.225.644.736.512 possible passwords so you will still need some time
#3
(09-15-2022, 04:52 PM)Snoopy Wrote: EDIT:
while testing this, this mask is too long, hashcat runs into a buffer overflow so you will need another approach to run this attack, gimme some time

Yep! Buffer Overflow also here.

I am also getting Failed to initialize NVIDIA RTC library, but CUDA IS installed (C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.7\bin) since today and NVIDIA drivers are up to date (11.7 CUDA - 516.94 NVIDIA)

OpenCL Platform ID #1
Vendor..: NVIDIA Corporation
Name....: NVIDIA CUDA
Version.: OpenCL 3.0 CUDA 11.7.101

Backend Device ID #1
Type...........: GPU
Vendor.ID......: 32
Vendor.........: NVIDIA Corporation
Name...........: NVIDIA GeForce RTX 3080 Laptop GPU
Version........: OpenCL 3.0 CUDA
Processor(s)...: 48
Clock..........: 1710
Memory.Total...: 16383 MB (limited to 4095 MB allocatable in one block)
Memory.Free....: 15616 MB
Local.Memory...: 48 KB
OpenCL.Version.: OpenCL C 1.2
Driver.Version.: 516.94
PCI.Addr.BDF...: 01:00.0
#4
(09-15-2022, 05:42 PM)MilWib Wrote: Yep! Buffer Overflow also here.

I am also getting Failed to initialize NVIDIA RTC library, but CUDA IS installed (C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.7\bin) since today and NVIDIA drivers are up to date (11.7 CUDA - 516.94 NVIDIA)

try installing release 11.6.2
https://developer.nvidia.com/cuda-toolkit-archive

specific CUDA versions also need specific drivers, cuda 11.6.2 should work just out of the box with any recent driver, please test

also see my EDIT2 above
#5
(09-15-2022, 05:57 PM)Snoopy Wrote: try installing release 11.6.2
https://developer.nvidia.com/cuda-toolkit-archive

specific CUDA versions also need specific drivers, cuda 11.6.2 should work just out of the box with any recent driver, please test

also see my EDIT2 above

Unfortunately same result, failed to initialise RTC.

So, basically without possibility to avoid buffer overflow it is an almost impossible task?
#6
well no, see above, using maskprocessor as input, the attack is possible, but slow

the other way would be generating a dictionary of the first half of the pass, but this would consume around 40 terabytes of storage (it would be possible to split these using the start and limit options of hashcat) and combine these dicts with a mask of the second half of the password

so using maskprocessor would be slow, using pre generated dictionary would take some time and manual work beforehand
#7
(09-16-2022, 01:44 PM)Snoopy Wrote: well no, see above, using maskprocessor as input, the attack is possible, but slow

the other way would be generating a dictionary of the first half of the pass, but this would consume around 40 terabytes of storage (it would be possible to split these using the start and limit options of hashcat) and combine these dicts with a mask of the second half of the password

so using maskprocessor would be slow, using pre generated dictionary would take some time and manual work beforehand

So, for example, I might also go by first letter? For example, I pre-generate all COMMDEPT#A???#????#????#????, then all COMMDEPT#B???#????#????#???? in separate files and, one letter by one letter, I check if there are valid passwords, keep what is valid and scrap remaining?
#8
tl;dr don't try it

after some trying around, even halving the mask isn't enough for mode 6, the longest mask without overflow for hybrid attack is ?1?1#?1?1?1?1

i pregenerated the first 500.000.000 passes (see below) and started hybrid attack with

Code:
hashcat -a6 -m0 -O hash.txt 500m.txt -1 ?u?d ?1?1#?1?1?1?1

the result with an RTX 3060 is 11.000 MH/s -> ETA 3 Years and this is just the first 500.000.000 possibilities of 3.656.158.440.062.976, dividing this would take 7.312.316 more of these pregenerated dicts, so cracking this hash will be somewhat impossible or a really lucky shot

JFYI
pregenerating mask is
premask.txt
Code:
?u?d,COMMDEPT#?1?1?1?1#?1?1?1?1#?1?1

possible combinations, each password candidate would consume 23 bytes, 21 bytes string + \r\n (on windows)
3.656.158.440.062.976 * 23 bytes, yeah some PETA-Bytes

hashcat -a3 --stdout -l 500000000 premask.txt > 500m.txt (~11 GB)
the next one would be (using start option to skip the first 500.000.000 for generation)
hashcat -a3 --stdout -s 500000000 -l 500000000 premask.txt > 500m.txt
Reply
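Added example (not part of any post in this thread, and not hashcat code): a Python estimator that parses the mask lines quoted above, computes their keyspace, and reproduces the storage, chunk-count and run-time figures from post #8. The 500,000,000-line chunk, the two-byte line ending and the 11,000 MH/s rate come from that post; the function names are made up for this sketch, the tail mask is rewritten in .hcmask form, and only ?u, ?d, ?l and custom sets are handled (no escaped commas).

```python
import math
import string

# Built-in charsets covered by this sketch (hashcat defines more, e.g. ?s, ?a).
BUILTIN = {"u": string.ascii_uppercase, "d": string.digits, "l": string.ascii_lowercase}

def tokens(text, custom):
    """Yield the set of characters allowed at each position of a mask."""
    i = 0
    while i < len(text):
        if text[i] != "?":               # literal such as 'C' or '#'
            yield {text[i]}
            i += 1
            continue
        key = text[i + 1:i + 2]          # empty if '?' is the last character
        charset = {"?"} if key == "?" else BUILTIN.get(key) or custom.get(key)
        if not charset:
            raise ValueError(f"invalid placeholder '?{key}' at offset {i}")
        yield set(charset)
        i += 2

def keyspace(hcmask_line):
    """Return (candidate count, candidate length) for 'charset1,...,mask'."""
    *defs, mask = hcmask_line.strip().split(",")
    custom = {}
    for n, definition in enumerate(defs, start=1):
        custom[str(n)] = set().union(*tokens(definition, custom))
    sizes = [len(s) for s in tokens(mask, custom)]
    return math.prod(sizes), len(sizes)

def plan(premask, tail, chunk=500_000_000, eol_bytes=2, rate_hs=11_000e6):
    """Storage, chunk count and run time for a dictionary + mask split."""
    pre_ks, pre_len = keyspace(premask)
    tail_ks, _ = keyspace(tail)
    year = 365 * 86400
    return {
        "pre_keyspace": pre_ks,
        "dict_bytes": pre_ks * (pre_len + eol_bytes),
        "chunks": -(-pre_ks // chunk),                 # ceiling division
        "years_per_chunk": chunk * tail_ks / rate_hs / year,
        "years_total": pre_ks * tail_ks / rate_hs / year,
    }

# premask.txt line from post #8; TAIL is a constructed .hcmask form of its -a6 mask.
PREMASK = "?u?d,COMMDEPT#?1?1?1?1#?1?1?1?1#?1?1"
TAIL = "?u?d,?1?1#?1?1?1?1"

if __name__ == "__main__":
    print(plan(PREMASK, TAIL))
```

A malformed placeholder in a mask line raises ValueError with its offset instead of producing a silently wrong count.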