Brute force knowing some characters (but not their location)
#1
Hi all,
I'm wondering if it's possible to do a brute-force attack knowing some characters of the password but not their location.

Obviously the most obvious solution is this:
-a 3 -1 '?l?d' '?1?1?1?1?1?1?1?1'
But knowing that the password contains the character "9" would rule out a lot of futile attempts.


If you were sure instead that the password contains only lowercase letters and that number:
-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1'

Same problem here:
-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1'
is very different than:
-a 3 -1 '?l9' '?1?l?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?1?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?1?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?1?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?1?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?1?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?1?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?l?1'

In conclusion, yes, I could try it like this, but if I know more characters, what should I do? Start a lot of executions? I hope there is something better...

Thanks
Andrea P.
#2
(02-20-2023, 03:00 AM)andreap Wrote: -a 3 -1 '?l9' '?1?l?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?1?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?1?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?1?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?1?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?1?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?1?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?l?1'

I meant:
-a 3 '9?l?l?l?l?l?l?l'
-a 3 '?l9?l?l?l?l?l?l'
-a 3 '?l?l9?l?l?l?l?l'
-a 3 '?l?l?l9?l?l?l?l'
-a 3 '?l?l?l?l9?l?l?l'
-a 3 '?l?l?l?l?l9?l?l'
-a 3 '?l?l?l?l?l?l9?l'
-a 3 '?l?l?l?l?l?l?l9'
#3
(02-20-2023, 05:25 AM)andreap Wrote:
(02-20-2023, 03:00 AM)andreap Wrote: -a 3 -1 '?l9' '?1?l?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?1?l?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?1?l?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?1?l?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?1?l?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?1?l?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?1?l'
-a 3 -1 '?l9' '?l?l?l?l?l?l?l?1'

I meant:
-a 3 '9?l?l?l?l?l?l?l'
-a 3 '?l9?l?l?l?l?l?l'
-a 3 '?l?l9?l?l?l?l?l'
-a 3 '?l?l?l9?l?l?l?l'
-a 3 '?l?l?l?l9?l?l?l'
-a 3 '?l?l?l?l?l9?l?l'
-a 3 '?l?l?l?l?l?l9?l'
-a 3 '?l?l?l?l?l?l?l9'

well, depends on how many chars you know to reduce the keyspace

also depending on the hash algorithm, for a fast algorithm like md5 you could simply stick to

-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1' in your case, as one char/sign more is peanuts for a fast hash

23^8 = 78.300 million
24^8 = 110.075 million

knowing more chars will change this
#4
(02-20-2023, 01:30 PM)Snoopy Wrote: well, depends on how many chars you know to reduce the keyspace

also depending on the hash algorithm, for a fast algorithm like md5 you could simply stick to

-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1' in your case, as one char/sign more is peanuts for a fast hash

23^8 = 78.300 million
24^8 = 110.075 million

knowing more chars will change this

OK, but this way would be a useless computational effort.

Look here:
-a 3 -1 '?l9' '?1?1?1?1?1?1?1?1'
--------------------------------------
aaaaaaaa - zzzzzzzz

-a 3 '9?l?l?l?l?l?l?l'
-a 3 '?l9?l?l?l?l?l?l'
-a 3 '?l?l9?l?l?l?l?l'
-a 3 '?l?l?l9?l?l?l?l'
-a 3 '?l?l?l?l9?l?l?l'
-a 3 '?l?l?l?l?l9?l?l'
-a 3 '?l?l?l?l?l?l9?l'
-a 3 '?l?l?l?l?l?l?l9'
---------------------
9aaaaaaa - zzzzzzz9

Note that no letter-only solutions are included here, and this is very efficient.

So again, is there a command to do exactly the same attempts as above?
#5
as I said, this strongly depends on your hash; just take a look at a single NVIDIA GeForce RTX 3060 for md5:
speed around 24645.8 MH/s, so in the case mentioned above this would result in a slightly longer cracking ETA (maybe 3-5 seconds because of some overhead), but overall these few seconds are negligible

for the rest, no, there is no command for that. You have to generate a maskfile, like you already did for yourself, containing all possibilities for this kind of attack; just put this into a file and use it as input for the mask. hashcat will handle each line as a mask, running all of them step by step. The maskfile should look like this:

9?l?l?l?l?l?l?l
?l9?l?l?l?l?l?l
?l?l9?l?l?l?l?l
?l?l?l9?l?l?l?l
?l?l?l?l9?l?l?l
?l?l?l?l?l9?l?l
?l?l?l?l?l?l9?l
?l?l?l?l?l?l?l9
#6
(02-20-2023, 04:43 PM)Snoopy Wrote: as I said, this strongly depends on your hash; just take a look at a single NVIDIA GeForce RTX 3060 for md5:
speed around 24645.8 MH/s, so in the case mentioned above this would result in a slightly longer cracking ETA (maybe 3-5 seconds because of some overhead), but overall these few seconds are negligible

for the rest, no, there is no command for that. You have to generate a maskfile, like you already did for yourself, containing all possibilities for this kind of attack; just put this into a file and use it as input for the mask. hashcat will handle each line as a mask, running all of them step by step. The maskfile should look like this:

9?l?l?l?l?l?l?l
?l9?l?l?l?l?l?l
?l?l9?l?l?l?l?l
?l?l?l9?l?l?l?l
?l?l?l?l9?l?l?l
?l?l?l?l?l9?l?l
?l?l?l?l?l?l9?l
?l?l?l?l?l?l?l9

Sounds good. Sadly I'm using 22000 (WPA-PBKDF2-PMKID+EAPOL) and it's a bit slow; hopefully good, thanks.
#7
This code generates the masks I was looking for:

Code:
from itertools import permutations

# Every ordering of one literal '9' and seven 'A' placeholders (8! strings);
# the set collapses the duplicate orderings down to the 8 distinct ones.
perms = [''.join(p) for p in permutations('9AAAAAAA')]
perms = set(perms)

# Each 'A' becomes the ?l charset; one mask per line, as hashcat expects.
with open('masks.txt', 'w') as file:
    for perm in perms:
        print(perm)
        file.write(perm.replace("A", "?l") + "\n")
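As an added example (not code from the thread), this generalises andreap's generator to several known characters at unknown positions and puts a number on the keyspace saving Snoopy's maskfile approach gives over the single `-1 '?l9' '?1...'` mask; the `CHARSET_SIZES` table and the `masks.hcmask` filename are my assumptions.

```python
from itertools import permutations

# Sizes of the hashcat built-in charsets a mask position can expand to.
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def masks_with_known_chars(length, known, filler="?l"):
    """Every mask of `length` positions in which each character of `known`
    takes one position (all distinct arrangements) and the rest is `filler`."""
    if len(known) > length:
        raise ValueError("more known characters than mask positions")
    masks = set()  # drops duplicates that arise when `known` repeats a char
    for positions in permutations(range(length), len(known)):
        slots = [filler] * length
        for pos, ch in zip(positions, known):
            slots[pos] = "??" if ch == "?" else ch  # literal '?' is escaped as '??'
        masks.add("".join(slots))
    return sorted(masks)


def mask_keyspace(mask):
    """Candidates one mask expands to: charsets multiply, literals count as 1."""
    size, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":  # "?l" etc. is a charset token, "??" a literal '?'
            tok = mask[i:i + 2]
            size *= 1 if tok == "??" else CHARSET_SIZES[tok]
            i += 2
        else:
            i += 1
    return size


def keyspace_comparison(length, known, filler="?l"):
    """(mask count, maskfile keyspace, keyspace of -1 '<filler><known>' '?1...').
    The single custom-charset mask also tries candidates with zero or several
    copies of the known chars; assumes `known` is not already in the filler."""
    masks = masks_with_known_chars(length, known, filler)
    maskfile_total = sum(mask_keyspace(m) for m in masks)
    single_mask_total = (CHARSET_SIZES[filler] + len(set(known))) ** length
    return len(masks), maskfile_total, single_mask_total


def write_maskfile(path, masks):
    """One mask per line, the .hcmask layout hashcat reads with -a 3 <file>."""
    with open(path, "w") as fh:
        fh.write("\n".join(masks) + "\n")


if __name__ == "__main__":
    count, reduced, full = keyspace_comparison(8, "9")
    print(f"{count} masks, {reduced:,} candidates instead of {full:,}")
    write_maskfile("masks.hcmask", masks_with_known_chars(8, "9"))
```

For the thread's case (eight lowercase positions, one known '9') the maskfile covers 8 x 26^7 candidates against 27^8 for the single mask, roughly a 4.4x reduction, and the saving grows with each additional known character.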
#8
(02-20-2023, 06:33 PM)andreap Wrote: This code generates the masks I was looking for:

Code:
from itertools import permutations

perms = [''.join(p) for p in permutations('9AAAAAAA')]
perms = set(perms)

with open('masks.txt', 'w') as file:
    for perm in perms:
        print(perm)
        file.write(perm.replace("A", "?l") + "\n")

I was also looking for something a while back that generated the masks this way. The most similar solution was this tool that hasn't been updated in years, but does the job we are looking for:
https://github.com/iphelix/pack