custom charset reality check

[piffdos]

Hi All,

Just wanted to do a reality check after doing a password attack on 3 sha512crypt password hashes for a competition.

I chose to do a dictionary + mask attack because I thought I knew what the password started with (the dictionary) plus 4 numbers followed by a dash -, then 4 uppercase letters.

I set "--custom-charset1=-" the mask was then ?d?d?d?d?1?u?u?u?u

My question is, did my custom charset work? how can I confirm that the hashes that hashcat tested were in fact, what I wanted to test for? Is one character "-" in a custom charset valid?

thanks in advance

[radix]

Depending on how long your dictionary words were, I would guess that most attempts were skipped. oclHashcat has a char limit and you are only leaving room for 6 letter dictionary words.

[piffdos]

Thanks Radix, the dictionary file only had one word, a four character dictionary word. If my guess was correct then the password should be a 13 character password, format XYZ-1234-ABCD, that should be under the 15 character limit.

Depending on how long your dictionary words were, I would guess that most attempts were skipped. oclHashcat has a char limit and you are only leaving room for 6 letter dictionary words.

[epixoip]

if it only has one word you don't need to do a hybrid attack, you can just do a mask attack. also, while it is valid, you don't really need to use a custom charset for just one character. so, brute forcing the mask "word?d?d?d?d-?u?u?u?u" will work just fine.

[piffdos]

Thanks epix! I will try it that way also, just to be sure.

if it only has one word you don't need to do a hybrid attack, you can just do a mask attack. also, while it is valid, you don't really need to use a custom charset for just one character. so, brute forcing the mask "word?d?d?d?d-?u?u?u?u" will work just fine.