Need help with rules/mask - WPA2 handshake
#1
Question 
Hello guys!
I've been using oclHashcat with my AMD GPU for a few months, but only with my little understanding of what I read on the hashcat wiki.

Since I've only tried basic rules, I now need your help to ensure that I apply the right restrictions (if possible) and also improve my knowledge of hashcat.

So this is the information that I have to be able to obtain the password of my WPA2 handshake via brute force:
  • It's exactly 10 digits long
  • Only contains UPPERCASE letters (A-Z) and numbers (0-9)
  • It's 3/4 letters max and the rest is numbers
  • Not 100% sure but wanted to filter so that it isn't possible to have 2 letters in a row
  • Valid examples: A1B2C3D567 / 12A3B5678C
  • Invalid example: 12AB34567C

So I want to convert, if possible, some of this information into a mask, and that would make the process a lot faster

Right now the only code that I have is this one:
Code:
oclHashcat64.exe -m 2500 -a 3 --session=test --gpu-temp-abort=90 wpa2.hccap ?u?d?u?d?u?d?d?d?d?d

Also I'm not sure if this randomizes the letters' positions, or only fixes the letters in the same spot like this: A0B1C23456 / D0E1F23456
#2
you can generate masks matching a policy using pack https://thesprawl.org/projects/pack/
#3
the mask does not randomize the positions, no. a mask is a per-position character set, so only the character set used in each position will be tried.

don't forget to add '-w 3' to your command line.
#4
(07-18-2014, 01:06 AM)epixoip Wrote: the mask does not randomize the positions, no. a mask is a per-position character set, so only the character set used in each position will be tried.

don't forget to add '-w 3' to your command line.

I was afraid of that, so my mask right now is pretty useless because it is way incomplete! Just tried the "-w 3" command, gave me 10000 H/s more, thanks! =P
Thought that knowing all this information could get me close to finding the password, but even if by some miracle I know where the current location for the 3 "A-Z" letters is, it can take me 20 days to find it... is it normal? Because it will take me 20 days vs 51 masks = 1020 days =|

I've managed to create all the masks (50+-) with the help of policygen for fun, thanks for the suggestion undeath!
#5
I had a similar challenge (not WPA/WPA2), used PACK for generating the masks and then sed to clean up the ones I did not need/want. Tried this with your policies.

keep in mind that a single AMD HD7970 does about 140,000 c/s on WPA/WPA2! If --pps is not specified in PACK it calculates with 1,000,000,000

So using your rules 1-3 and a part of rule #4 (never two letters in a row, so a minimum of 5 digits) I got

Code:
python policygen.py --pps 140000 --minlength 10 --maxlength 10 --minupper 1 --mindigit 5 --minlower 0 --minspecial 0 --maxupper 7 --maxdigit 10 --maxlower 0 --maxspecial 0 -o example.hcmask -q

[*] Policy Masks: 637 Time: >1 year

Then used sed to eliminate all mask-lines that contain at least one occurrence of ?u?u

Code:
cat example.hcmask | sed -e '/?u?u/d' > example_clean.hcmask

Got it down to 143 policy masks. I'd guess even getting it down to 143 masks, there is time for a giant coffee break.
#6
One more, maybe I got it wrong. Your policy #3 says max of 3/4 uppers, rule #4 doesn't allow two upper in a row? So --maxupper should be 5.
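
An added example, not part of any post in this thread and not PACK's code: a short Python check of the mask counts discussed above. It enumerates the per-position ?u/?d masks for a 10-character policy with no two letters adjacent and estimates exhaustive search time at the 140,000 c/s figure quoted in post #5; the function names are hypothetical.

```python
from itertools import product

RATE = 140_000                 # candidates/s, single-GPU WPA figure quoted in post #5
SIZES = {"?u": 26, "?d": 10}   # characters covered by each mask token


def policy_masks(length=10, min_upper=1, max_upper=4):
    """Return every ?u/?d mask with a bounded letter count and no '?u?u' pair."""
    masks = []
    for combo in product(("?u", "?d"), repeat=length):
        uppers = combo.count("?u")
        if not min_upper <= uppers <= max_upper:
            continue
        # Reject masks where two letter positions are adjacent.
        if any(a == b == "?u" for a, b in zip(combo, combo[1:])):
            continue
        masks.append("".join(combo))
    return masks


def keyspace(mask):
    """Number of candidates a single mask expands to."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= SIZES[mask[i:i + 2]]
    return total


def summarize(masks, rate=RATE):
    """Return (mask count, total candidates, days to exhaust at `rate`)."""
    total = sum(keyspace(m) for m in masks)
    return len(masks), total, total / rate / 86_400


if __name__ == "__main__":
    for max_upper in (4, 5):
        count, total, days = summarize(policy_masks(max_upper=max_upper))
        print(f"max {max_upper} letters: {count} masks, "
              f"{total:,} candidates, ~{days:,.0f} days at {RATE:,} c/s")
```

With at most 5 letters this yields the same 143 masks as the policygen-plus-sed result in post #5; capping at 4 letters leaves 137.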
#7
Nice thread. I have a similar question. Can someone help me? Thank you very much

Rules:
Code:
1) length: 10 characters  from UPPER HEX (0123456789ABCDEF)
2) no more than 5 alpha chars (yes ABCDE01234 no ABCDEF0123)
3) no more than 2 consecutive chars (yes AABCDEF012 no AAABCDEF01)
4) no more than 2 equal numbers in the password (yes A1A123456 no A1A123451)
5) no more than 3 equal alpha chars in the password (yes 8017C24CCF no C017C24CCF)

#8
what exactly about the previous answers doesn't satisfy you?