Mask Attack

[Idle_Wild]

Hi there,

I'm attempting to use the mask attack with a custom charset which is:

346789ABCDEFGHJKMNPQRTUVWXY

?1?1?1?1?1?1?1?1 [8]

I'm getting around 1MH/s on my hardware and a prediction of 4 days to complete.  However I can see that the mask being generated is for example:

TWPYHKEA

Now I know in my particular circumstance that the password will have at least 2 numeric characters, however, I do not know their position in the string.  I can't seem to see any way of specifying this in the mask?  Ergo, skip anything such as the example above which is only character based, only generate strings which contain 2 numbers minimum. Such as:

T3P6HKEA

or

T3PYHK99

Can anyone advise how I can do this as I suspect it will speed things up quite dramatically? Thanks.

[Snoopy]

this is a common question when it comes to masks

the problem is, any built-in logic (there is noone) to skip such inputs would reduce the overall performance dramatically due to the fact how hahscat generates its password canditates

the only way to achieve what you want is to provide a maskfile with every possible mask-combination like that

maskfile.txt
3456789,ABCDEFGHJKMNPQRTUVWXY,?1?1?2?2?2?2?2?2
3456789,ABCDEFGHJKMNPQRTUVWXY,?1?2?1?2?2?2?2?2

to help you, you can utilize maskprocessor see https://hashcat.net/wiki/doku.php?id=maskprocessor and invoke it like that

Code:

mp64 -1 12 ???1???1???1???1???1???1???1???1 > maskfile.txt

BEWARE: this will generate ALL combinations, you need to clean the file from the unwanted ones (there are only 9, so its not that hard)

and then you need to copy 3456789,ABCDEFGHJKMNPQRTUVWXY, to the front of each line (use an editor like sublimetext for that)

then run hashcat with the maskfile instead of your mask

[Idle_Wild]

Thank you very much for the detailed response, I will give it a try.

[Idle_Wild]

Wow, that was really worth while.  So if the theory is correct and there are at least 2 numbers. 

The result is a mask file with 247 lines (after removing the 9 which you kindly pointed out would be redundant).

Total time to crack is significantly reduced due to splitting the charsets.

As I now have charset 1, 7 chars long together with charset 2, 21 chars long resulting in a worst case of:

21^6 * 7^2 = 4,202,539,929 = ?1?1?1?1?1?1?2?2 which at 1MH/s is about 1 hour of processing time.

But most of them are less than that, its been running for about 10 minutes and I've already processed 9/247 so yep, this is definately worth the effort. Thanks again.

[Idle_Wild]

Did some back of the envelope calculations on the improvement in processing time:

21^6 * 7^2 = 4,202,539,929 hashes / 1MH/s = 4,202.539,929 seconds / 60^2 = 1.167 hours. 8C2 = 28 rows * 1.167 = 32.676 hours total.
21^5 * 7^3 = 1,400,846,643 hashes / 1MH/s = 1,400.846,643 seconds / 60^2 = 0.389 hours. 8C3 = 56 rows * 0.389 hours = 21.784 hours total.
21^4 * 7^4 = 466,948,881 hashes / 1MH/s = 466.948,881 seconds / 60^2 = 0.129 hours. 8C4 = 70 rows * 0.129 hours = 9.079 hours total.
21^3 * 7^5 = 155,649,627 hashes / 1MH/s = 155.649,627 seconds / 60^2 = 0.043 hours. 8C5 = 56 rows * 0.043 hours = 2.421 hours total.
21^2 * 7^6 = 51,883,209 hashes / 1MH/s = 51.883,209 seconds / 60^2 = 0.014 hours. 8C6 = 28 rows * 0.014 hours = 0.403 hours total.
21^1 * 7*7 = 17,294,403 hashes / 1MH/s = 17.294,403 seconds / 60^2 = 0.004 hours. 8C7 = 8 rows * 0.004 hours = 0.038 hours total.

So the total time should be: 66.401 hours / 24 = 2.766 days = 2 days 18 hours and 24 minutes.

Around 69% of the original time of 4 days.

What would be nice, is if hashcat could calculate this dynamically, but I guess that would be dependant on hashcat supporting a combinatorics mask parameter (which is what I was looking for in the first place), as it would need to calculate the combination of each charset desired to work out the effective "rows" as I've done above.

If you could do something like this on the command line that would be ideal:

-1 3456789 -2 ABCDEFGHJKMNPQRTUVWXY -minc 8C2 -maxc 8C7 -choose 1