Need help with rule based attack
#1
Hello,

I'm trying to recover a password from an NTLM hash. I've tried using some of the rules included with hashcat, but they can't crack the one I'm working on. I generated simpler test hashes about 8 characters plain text, but hashcat is choking on my objective hash. It only tries for about 3 minutes best case before exhausting all combinations using my Tesla GPU. This seems short to me. Should it take longer?

I have some knowledge about the hashed password that might help, but I'm not sure how to generate the ruleset and the best syntax for hashcat to recover it.

For example, let's say the password has the word "cookies" in it. I'm pretty sure the password is something like

!luvcooki3s, 1lovecookies, or something to that nature

What's the best way to generate a ruleset with that in mind?
#2
You should not get tunnel vision there. You are not even sure that it has cookies in the word. However, the first thing that you can do is a quick check of that possibility. Put all the words or possible passwords that you can think of in a wordlist. Use that wordlist with 1 million randomly generated rules (1-3 or 1-4 rules "wide"). Next, try combinations of the wordlist with itself. After that, you can assume that you don't know anything from the passwords and do attacks the same way that you would treat a blank hash list. Good luck.
#3
(12-18-2012, 06:58 AM)mastercracker Wrote: You should not get tunnel vision there. You are not even sure that it has cookies in the word. However, the first thing that you can do is a quick check of that possibility. Put all the words or possible passwords that you can think of in a wordlist. Use that wordlist with 1 million randomly generated rules (1-3 or 1-4 rules "wide"). Next, try combinations of the wordlist with itself. After that, you can assume that you don't know anything from the passwords and do attacks the same way that you would treat a blank hash list. Good luck.

Noted. I am fairly confident that "cookies" or some leetspeak version thereof is in there.

How do I generate the 1 million randomly generated rules with this specified width? I don't even understand what that means. Forgive me, I'm new to this and still don't quite understand the rules syntax even after reading through the wiki.
#4
Just add -g 1000000 to your command line.
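
An added illustration, not part of the thread and not hashcat's own code: a small interpreter for a subset of hashcat's rule functions (`:`, `l`, `u`, `c`, `r`, `d`, `$X`, `^X`, `sXY`), showing what a rule "1-3 functions wide" looks like and why a short wordlist with a million rules is exhausted within minutes. The random generator is only a stand-in for what `-g` produces, and the helper names and base words are hypothetical.

```python
import random

def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line (space-separated functions, left to right) to a word.
    Simplification: arguments containing a space are not supported here."""
    for fn in rule.split():
        op, args = fn[0], fn[1:]
        if op == ":":                       # do nothing
            continue
        elif op == "l": word = word.lower()
        elif op == "u": word = word.upper()
        elif op == "c": word = word.capitalize()
        elif op == "r": word = word[::-1]   # reverse
        elif op == "d": word = word + word  # duplicate
        elif op == "$": word = word + args  # append character X
        elif op == "^": word = args + word  # prepend character X
        elif op == "s": word = word.replace(args[0], args[1])  # X -> Y
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return word

def random_rules(count, min_width=1, max_width=3, seed=None):
    """Build `count` rule lines, each a chain of min_width..max_width functions.
    The 'width' of a rule is the number of functions chained in that line."""
    rng = random.Random(seed)
    def one_function():
        op = rng.choice("lucrd$^s")
        if op in "$^":
            return op + rng.choice("0123456789!")
        if op == "s":
            return op + rng.choice("aeios") + rng.choice("43105")
        return op
    return [" ".join(one_function()
                     for _ in range(rng.randint(min_width, max_width)))
            for _ in range(count)]

def candidates(words, rules):
    """Every word is run through every rule: len(words) * len(rules) guesses."""
    return [apply_rule(r, w) for w in words for r in rules]

if __name__ == "__main__":
    # Constructed sample input, using the guesses quoted in post #1.
    print(apply_rule("se3 ^!", "luvcookies"))   # width 2
    print(apply_rule("^1", "lovecookies"))      # width 1
    rules = random_rules(10, seed=1)
    print(rules, len(candidates(["love", "luv", "big"], rules)))
```

Because the total number of guesses is just words × rules, a five-word list with 1,000,000 rules is only 5,000,000 candidates.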
#5
OK, I generated an NTLM hash for "biglove4"

The dictionary is given by:
love
heart
luv
lov
big

I then executed the following:
>cudaHashcat-plus64.exe -m 1000 -g 1000000 hashes/biglove4_hash.txt --username dict/words.lst -o out.txt --outfile-format=3

It says it cracked the hash, but the output file only displayed, <hash>:
but no cracked hash after the colon. I tried shorter passwords and it properly wrote the cracked hash to the output file. Is this a bug?