Need help with mask and/or rule - 7 characters, must have a letter and number
#1
I am using mode 3200 for bcrypt.

Password requirements:
- 7 characters long
- Must have letters (upper and/or lower) and numbers.



The closest I've been able to come up with is using a mask:

Code:
hashcat -a 3 -m 3200 -1 ?l?u?d hashes.txt ?1?1?1?1?1?1?1



The problem is that this will generate a lot of passwords that only have numbers or only have letters.  All passwords must have both, and bcrypt is slow.
Reply
#2
My initial suggestion would be to run something like

hashcat -a 3 -1 ?l?u?d ?1?1?1?1?1?1?1 --stdout > m3200candidates.txt

and then use grep to output all those that do not contain only numbers or only letters. I'm not strong with grep, though, so not sure exactly how to do it....

Maybe something like

hashcat -a 3 -1 ?l?u?d ?1?1?1?1?1?1?1 --stdout | grep -Ev '^[a-zA-Z]{7}$' | grep -Ev '^[0-9]{7}$' > m3200candidates.txt
Reply
#3
(11-13-2022, 02:06 AM)b8vr Wrote: My initial suggestion would be to run something like

hashcat -a 3 -1 ?l?u?d ?1?1?1?1?1?1?1 --stdout > m3200candidates.txt

and then use grep to output all those that do not contain only numbers or only letters. I'm not strong with grep, though, so not sure exactly how to do it....

Maybe something like

hashcat -a 3 -1 ?l?u?d ?1?1?1?1?1?1?1 --stdout | grep -Ev '^[a-zA-Z]{7}$' | grep -Ev '^[0-9]{7}$' > m3200candidates.txt

I was able to replicate that using crunch.  The problem is that I believe it would be about 17TB of data.  So I was hoping to avoid a wordlist.
Reply
#4
What if you create a list of 6 character candidates, how large would that be?
Then you could create a rule file where you append each of the allowed characters like
$0
$1
$2
.
.
$9
$a
$b
.
.
$z
$A
$B
.
.
$Z

It would mean, though, that you would miss out on some candidates like abcdef0, 123456G etc.

Another option could be to create your wordlist with digits and lowercase only, and then use a mix of toggle rules.

Now that I think about it.... Maybe create 2 wordfiles. One with all possible 3 character candidates and one with all 4 character candidates and then run them together in a combinator attack -a1 in hashcat?
Reply
#5
(11-13-2022, 01:26 AM)Pusher Wrote: I am using mode 3200 for bcrypt.

Password requirements:
- 7 characters long
- Must have letters (upper and/or lower) and numbers.



The closest I've been able to come up with is using a mask:

Code:
hashcat -a 3 -m 3200 -1 ?l?u?d hashes.txt ?1?1?1?1?1?1?1



The problem is that this will generate a lot of passwords that only have numbers or only have letters.  All passwords must have both, and bcrypt is slow.

You could always look into policygen in the PACK suite of tools:
https://github.com/iphelix/pack
Reply
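The per-position mask split that a policy-aware generator produces for the policy in post #1, as an added example that is not part of any post and is not PACK's own code: it enumerates every 7-position layout of letter (`?1` = `?l?u`) and digit (`?d`) slots that has at least one of each, and checks the summed keyspace against the full `?l?u?d` mask. The function names are hypothetical; the output lines use hashcat's `.hcmask` layout of custom charset, comma, mask.

```python
from itertools import product

LENGTH = 7     # password length from the thread
LETTERS = 52   # size of ?l?u
DIGITS = 10    # size of ?d


def compliant_masks(length=LENGTH):
    """Yield (mask, keyspace) for every layout with >= 1 letter and >= 1 digit."""
    for layout in product("LD", repeat=length):
        n_letters = layout.count("L")
        if n_letters in (0, length):
            continue  # all-digit or all-letter layouts violate the policy
        mask = "".join("?1" if slot == "L" else "?d" for slot in layout)
        yield mask, LETTERS ** n_letters * DIGITS ** (length - n_letters)


def summary(length=LENGTH):
    """Compare the policy-compliant keyspace with the single full mask."""
    masks = list(compliant_masks(length))
    full = (LETTERS + DIGITS) ** length
    compliant = sum(keyspace for _, keyspace in masks)
    return {
        "masks": len(masks),
        "full": full,
        "compliant": compliant,
        "skipped": full - compliant,
    }


def hcmask_lines(length=LENGTH):
    """Render one .hcmask line per layout, smallest keyspace first."""
    ordered = sorted(compliant_masks(length), key=lambda item: item[1])
    return ["?l?u," + mask for mask, _ in ordered]


if __name__ == "__main__":
    stats = summary()
    print(f"{stats['masks']} masks, {stats['compliant']:,} of {stats['full']:,} "
          f"candidates ({stats['compliant'] / stats['full']:.1%})")
    for line in hcmask_lines()[:3]:
        print(line)
```

The 126 masks cover exactly the candidates that contain both a letter and a digit, which is about 71% of the full mask's keyspace, so the policy removes roughly 29% of the work.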