Cisco ASA
#11
I checked out using the maskprocess and piping it in. It does work but I must say, the performance was no where near as fast as a straight brute force mode.

I was noticing that the GPU utilization gets very erratic which makes sense as its waiting on STDIN.

I played around with a mask attack and got better performance. I create four custom charsets, one for each letter of the "salt" and make the mask look like this:

?a?a?a?a?a?1?2?3?4

That worked really well, except that you can only attack the hashes with the same "salt" at a time.

I still really wish there was a option for oclHashcat to just put all the salts in a file and have the engine just append them.
#12
Yes, I will be lying if I said I didn't think about that.
Indeed, maskprocessor's performance is nowhere around GPU's performance.

You can also make a file with all chopped usernames, analyze them, set 4 character sets and use them as a mask. This will also allow you to do hybrid attack which means use dicts on left side and chopped usernames on the right side.

Cracking those hashes like any other regular salted hash would require a new kernel since they are "salted".
However, as you can see we have more than one possible workaround, it should do.
#13
(10-18-2012, 08:25 PM)fuzztester Wrote: I checked out using the maskprocess and piping it in. It does work but I must say, the performance was no where near as fast as a straight brute force mode.

I was noticing that the GPU utilization gets very erratic which makes sense as its waiting on STDIN.

I played around with a mask attack and got better performance. I create four custom charsets, one for each letter of the "salt" and make the mask look like this:

?a?a?a?a?a?1?2?3?4

That worked really well, except that you can only attack the hashes with the same "salt" at a time.

I still really wish there was a option for oclHashcat to just put all the salts in a file and have the engine just append them.


If you're willing to give up some performance (and with a GPU you should have performance to spare), you could do something like the following.

For usernames:
jire
bile
jane

Your charset would be:
-1 jb -2 ia -3 rln -4 e

This will approach pure brute force of the keyspace with enough usernames, but if you only have a few, it should be quite reasonable.
#14
(10-18-2012, 09:06 PM)M@LIK Wrote: Yes, I will be lying if I said I didn't think about that.
Indeed, maskprocessor's performance is nowhere around GPU's performance.

You can also make a file with all chopped usernames, analyze them, set 4 character sets and use them as a mask. This will also allow you to do hybrid attack which means use dicts on left side and chopped usernames on the right side.

Cracking those hashes like any other regular salted hash would require a new kernel since they are "salted".
However, as you can see we have more than one possible workaround, it should do.

I really like the idea of using the hybrid attack. Although, instead of making the charsets of the chopped up usernames, I think i'll try just using a list of usernames as the wordlist.

That will free up the custom charsets for me to attack the real password component instead.

This thread has been most useful Smile
#15
Then -a7 is the way to go!

It requires a mask on the left side and a dict on the right side, means, the brute-force mask on the left side and the chopped usernames on the right side. See below:
Code:
-plus -m2400 -a7 hashfile ?d?d?d?d usernames
This will brute-force all 4-in-length digits, but careful it's not incremental.
#16
Btw, I wrote this perl script to make the charactersets out of the usernames list, you don't need to chop them or anything, just do:
Code:
perl CiscoASA.pl < usernames

CiscoASA.pl:
Code:
#!/usr/bin/perl

# extracts 4 character-sets basesd on given usernames list for *MD5 Cisco ASA* algorithm, written by malik51

#use v5.14;
use strict;
use warnings;

if (scalar(@ARGV) != 0) { die("usage: $0 < usernames\n"); }

sub uniq {
    
    my %seen;
    my @newarray;
    
    foreach my $item (@_) {
        
        unless ($seen{$item}) {
            
            push(@newarray, $item);
            $seen{$item}++;
            
        }
        
    }
    
    undef(%seen);
    return @newarray;
    
}

my @_1_chararr;
my @_2_chararr;
my @_3_chararr;
my @_4_chararr;

while (my $line = <STDIN>) {
    
    chomp($line);
    next if (length($line) < 4);
    
    push(@_1_chararr, substr($line, 0, 1));
    push(@_2_chararr, substr($line, 1, 1));
    push(@_3_chararr, substr($line, 2, 1));
    push(@_4_chararr, substr($line, 3, 1));
    
}

for my $i (1 .. 4) {
    
    my $u = $i - 1;
    
    eval '
    
    @_' . $i . '_chararr = uniq(@_' . $i . '_chararr);
    
    open(CHARSET' . $i . ', \' > charset' . $i . '.txt\') || die(\'charset' . $i . '.txt: \' . lc($!) . "\n");
    
    print CHARSET' . $i . ' join(\'\', @_' . $i . '_chararr);
    print STDOUT \'CHARSET' . $i . ' written to .\charset' . $i . '.txt successfully...\' . "\n";
    
    ';
    
    warn($@) if ($@);
    
}

print STDOUT "\nuse:\n" . '-1 .\charset1.txt -2 .\charset2.txt -3 .\charset3.txt -4 .\charset4.txt ... ?1?2?3?4' . "\n";
exit(0);

It still feels a bit cheesy for me so expect any bugs!