custom charset reality check
#1
Hi All,

Just wanted to do a reality check after doing a password attack on 3 sha512crypt password hashes for a competition.

I chose to do a dictionary + mask attack because I thought I knew what the password started with (the dictionary) plus 4 numbers followed by a dash -, then 4 uppercase letters.

I set "--custom-charset1=-" the mask was then ?d?d?d?d?1?u?u?u?u

My question is, did my custom charset work? how can I confirm that the hashes that hashcat tested were in fact, what I wanted to test for? Is one character "-" in a custom charset valid?

thanks in advance
#2
Depending on how long your dictionary words were, I would guess that most attempts were skipped. oclHashcat has a char limit and you are only leaving room for 6 letter dictionary words.
#3
Thanks Radix, the dictionary file only had one word, a four character dictionary word. If my guess was correct then the password should be a 13 character password, format XYZ-1234-ABCD, that should be under the 15 character limit.

(11-28-2012, 12:18 AM)radix Wrote: Depending on how long your dictionary words were, I would guess that most attempts were skipped. oclHashcat has a char limit and you are only leaving room for 6 letter dictionary words.
#4
if it only has one word you don't need to do a hybrid attack, you can just do a mask attack. also, while it is valid, you don't really need to use a custom charset for just one character. so, brute forcing the mask "word?d?d?d?d-?u?u?u?u" will work just fine.
#5
Thanks epix! I will try it that way also, just to be sure.

(11-28-2012, 10:21 AM)epixoip Wrote: if it only has one word you don't need to do a hybrid attack, you can just do a mask attack. also, while it is valid, you don't really need to use a custom charset for just one character. so, brute forcing the mask "word?d?d?d?d-?u?u?u?u" will work just fine.