custom rules for hybrid-like attack
#1
hi,

my case here was cracking my client's hashdump, and after using jtr+ocl concurrently (straight wordlist with some mangling rules in both) and cracking some of the hashes, it turns out they tend to use passwords like 'companyname$s$d$d' ($s=symbol, $d=numeric).

almost like the korelogic rules (appendSymbolNumNum). in jtr i can customize the rules to fit my needs, but in hashcat i haven't tried that before.

so here are my maskprocessor commands that i want to use to generate the custom rules.

Code:
append 1 symbol then Nth lowercase alpha
mp64.exe -o bfappend1sym2alpha.rule '$?s $?l $?l'
mp64.exe -o bfappend1sym3alpha.rule '$?s $?l $?l $?l'
mp64.exe -o bfappend1sym4alpha.rule '$?s $?l $?l $?l $?l'
mp64.exe -o bfappend1sym5alpha.rule '$?s $?l $?l $?l $?l $?l'

append 2 symbol then Nth lowercase alpha
mp64.exe -o bfappend2sym1alpha.rule '$?s $?s $?l'
mp64.exe -o bfappend2sym2alpha.rule '$?s $?s $?l $?l'
mp64.exe -o bfappend2sym3alpha.rule '$?s $?s $?l $?l $?l'
mp64.exe -o bfappend2sym4alpha.rule '$?s $?s $?l $?l $?l $?l'

prepend 1 symbol then Nth lowercase alpha
mp64.exe -o bfprepend1sym2alpha.rule '^?s ^?l ^?l'
mp64.exe -o bfprepend1sym3alpha.rule '^?s ^?l ^?l ^?l'
mp64.exe -o bfprepend1sym4alpha.rule '^?s ^?l ^?l ^?l ^?l'
mp64.exe -o bfprepend1sym5alpha.rule '^?s ^?l ^?l ^?l ^?l ^?l'

prepend 2 symbol then Nth lowercase alpha
mp64.exe -o bfprepend2sym1alpha.rule '^?s ^?s ^?l'
mp64.exe -o bfprepend2sym2alpha.rule '^?s ^?s ^?l ^?l'
mp64.exe -o bfprepend2sym3alpha.rule '^?s ^?s ^?l ^?l ^?l'
mp64.exe -o bfprepend2sym4alpha.rule '^?s ^?s ^?l ^?l ^?l ^?l'

prepend Nth lowercase alpha then 1 symbol
mp64.exe -o bfprepend2alpha1sym.rule '^?s ^?s ^?l'
mp64.exe -o bfprepend3alpha1sym.rule '^?l ^?l ^?l ^?s'
mp64.exe -o bfprepend4alpha1sym.rule '^?l ^?l ^?l ^?l ^?s'
mp64.exe -o bfprepend5alpha1sym.rule '^?l ^?l ^?l ^?l ^?l ^?s'

append 1 symbol then Nth numeric  
mp64.exe -o bfappend1sym2digi.rule '$?s $?d $?d'
mp64.exe -o bfappend1sym3digi.rule '$?s $?d $?d $?d'
mp64.exe -o bfappend1sym4digi.rule '$?s $?d $?d $?d $?d'
mp64.exe -o bfappend1sym5digi.rule '$?s $?d $?d $?d $?d $?d'

append 2 symbol then Nth numeric
mp64.exe -o bfappend2sym1digi.rule '$?s $?s $?d'
mp64.exe -o bfappend2sym2digi.rule '$?s $?s $?d $?d'
mp64.exe -o bfappend2sym3digi.rule '$?s $?s $?d $?d $?d'
mp64.exe -o bfappend2sym4digi.rule '$?s $?s $?d $?d $?d $?d'

append 1 numeric then Nth symbol
mp64.exe -o bfappend1digi2sym.rule '$?d $?s $?s'
mp64.exe -o bfappend1digi3sym.rule '$?d $?s $?s $?s'
mp64.exe -o bfappend1digi4sym.rule '$?d $?s $?s $?s $?s'
mp64.exe -o bfappend1digi5sym.rule '$?d $?s $?s $?s $?s $?s'

append 2 numeric then Nth numeric
mp64.exe -o bfappend2digi1sym.rule '$?d $?d $?s'
mp64.exe -o bfappend2digi2sym.rule '$?d $?d $?s $?s'
mp64.exe -o bfappend2digi3sym.rule '$?d $?d $?s $?s $?s'
mp64.exe -o bfappend2digi4sym.rule '$?d $?d $?s $?s $?s $?s'

prepend 1 symbol then Nth numeric
mp64.exe -o bfprepend1sym2digi.rule '^?s ^?d ^?d'
mp64.exe -o bfprepend1sym3digi.rule '^?s ^?d ^?d ^?d'
mp64.exe -o bfprepend1sym4digi.rule '^?s ^?d ^?d ^?d ^?d'
mp64.exe -o bfprepend1sym5digi.rule '^?s ^?d ^?d ^?d ^?d ^?d'

prepend 2 symbol then 1 numeric
mp64.exe -o bfprepend2sym1digi.rule '^?s ^?s ^?d'
mp64.exe -o bfprepend2sym2digi.rule '^?s ^?s ^?d ^?d'
mp64.exe -o bfprepend2sym3digi.rule '^?s ^?s ^?d ^?d ^?d'
mp64.exe -o bfprepend2sym4digi.rule '^?s ^?s ^?d ^?d ^?d ^?d'

prepend Nth numeric then 1 symbol
mp64.exe -o bfprepend2digi1sym.rule '^?d ^?d ^?s'
mp64.exe -o bfprepend3digi1sym.rule '^?d ^?d ^?d ^?s'
mp64.exe -o bfprepend4digi1sym.rule '^?d ^?d ^?d ^?d ^?s'
mp64.exe -o bfprepend5digi1sym.rule '^?d ^?d ^?d ^?d ^?d ^?s'

is that correct?


thank you and please don't bash me.
#2
since this was posted in the oclHashcat-plus forum, how about a solution that works best for oclHashcat-plus?

just create an hcmask file with all these different masks in it, then run hybrid attacks with that hcmask file.

Code:
epixoip@token:~/oclHashcat-1.00$ cat > anomalies.hcmask << EOF
> ?s?l?l
> ?s?l?l?l
> ?s?l?l?l?l
> ?s?l?l?l?l?l
> ?s?s?l
> ?s?s?l?l
> ?s?s?l?l?l
> ?s?s?l?l?l?l
> ?s?d?d
> ?s?d?d?d
> ?s?d?d?d?d
> ?s?d?d?d?d?d
> ?s?s?d
> ?s?s?d?d
> ?s?s?d?d?d
> ?s?s?d?d?d?d
> ?d?s?s
> ?d?s?s?s
> ?d?s?s?s?s
> ?d?s?s?s?s?s
> ?d?d?s
> ?d?d?s?s
> ?d?d?s?s?s
> ?d?d?s?s?s?s
> EOF


epixoip@token:~/oclHashcat-1.00$ ./oclHashcat64.bin -a 6 hashlist wordlist anomalies.hcmask

epixoip@token:~/oclHashcat-1.00$ ./oclHashcat64.bin -a 7 hashlist anomalies.hcmask wordlist
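
The same masks can be turned around for a password audit or a password-change filter. The following is an added example, not part of the original posts: it flags passwords that are a known base word plus an affix matching one of the masks above, and computes how few candidates each mask adds per word. The base word "acme", the function names and the case-insensitive base match are assumptions made for illustration; only the ?l, ?d and ?s charsets are handled.

```python
import re
import string

# hashcat built-in charsets used by the masks in this thread
CHARSETS = {
    "l": string.ascii_lowercase,      # ?l, 26 characters
    "d": string.digits,               # ?d, 10 characters
    "s": " " + string.punctuation,    # ?s, 33 characters (space + punctuation)
}

# A subset of the masks listed in anomalies.hcmask above
MASKS = ["?s?l?l", "?s?d?d", "?s?s?d", "?d?s?s", "?d?d?s", "?s?d?d?d"]


def keyspace(mask):
    """Number of affixes a mask generates for each base word."""
    total = 1
    for cls in mask.split("?")[1:]:
        total *= len(CHARSETS[cls])
    return total


def mask_regex(mask):
    """Translate a mask such as ?s?d?d into one character class per position."""
    return "".join("[" + re.escape(CHARSETS[c]) + "]" for c in mask.split("?")[1:])


def find_predictable(password, base_words, masks=MASKS):
    """Return (base, position, mask) if password is base word + masked affix."""
    for base in base_words:
        # Assumption: the base word is matched case-insensitively, the affix exactly.
        b = "(?i:" + re.escape(base) + ")"
        for mask in masks:
            m = mask_regex(mask)
            if re.fullmatch(b + m, password):      # word + suffix (the -a 6 shape)
                return (base, "suffix", mask)
            if re.fullmatch(m + b, password):      # prefix + word (the -a 7 shape)
                return (base, "prefix", mask)
    return None


if __name__ == "__main__":
    # Constructed sample passwords; "acme" stands in for the company name.
    for pw in ["acme!42", "42!Acme", "correct horse battery"]:
        print(pw, "->", find_predictable(pw, ["acme"]))
    for mask in MASKS:
        print(mask, "adds", keyspace(mask), "candidates per base word")
```

A hit means the password costs only the listed number of guesses per dictionary word, so a filter built this way should be fed the organization's own name, products and locations as base words.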
#3
hi epixoip,

i like your solution, simply elegant.


thanks.