permutation patterns
#1
Hi all,

I'm playing with cracking a default WPA passphrase. The passphrase is very long but defined by a pattern; I'm trying to establish how best to express the pattern to hashcat, and establish how vulnerable the passphrase is.

The pattern is as follows:

Three or four five-letter words, followed by a 5 digit number. I'm fairly sure the words are uppercase, so possibles could be:

WATERTHANKPIPER52415
WATERTHANKPIPERCROSS52415
BRAKETHROWSLAPS98342
BRAKETHROWSLAPSBOARD98342

Any ideas on how I should tackle this? I'm imagining that I'll need to create a five-letter wordlist, perhaps by following http://hashcat.net/forum/thread-1305.html and adding an expression to filter anything != 5 letters, then do a combinator + mask attack, where permutations of three or four 5-letter base words are appended with !d!d!d!d!d.

I'm new to hashcat (since last night); this is mostly a learning exercise for me - there are probably going to be far too many permutations for my Linux-in-VM hardware to grapple with. If anyone has any ideas or suggestions for how to do a combinator + mask attack, or a different methodology, I'd love to hear it.
#2
No, there are not that many permutations. OK, it's still going to be slow because of WPA, but it's easily feasible. Just take an English dictionary like Oxford, filter the 5 letter words (let's call that file 5letters.txt). Use the combinator to combine 5letters.txt with itself and generate 2words.txt. Combine 2words.txt with 5letters.txt to generate 3words.txt. Make a list of 5 digit numbers using the maskprocessor and call it 5nums.txt. Combine 5letters.txt with 5nums.txt and call it end.txt. Now you potentially have all the material that you need. Ideally, you have a GPU and can use oclHashcat with -a 1 mode. In this case you do 2 attacks: 1) with 2words.txt and end.txt, 2) with 3words.txt and end.txt. If you don't have a GPU and are forced to use hashcat, you will have to either use combinator to do the final combination of the files (like 2words.txt + end.txt) and use that for a dictionary attack, OR transform one of the wordlists into rules (like $S$L$A$P$S$9$8$3$4$2) and use dictionary + rules. Good luck.
#3
Great, thanks for the tip.

That makes perfect sense and is working well so far, but I've run into my first problem.

5letters.txt contains ~6900 words and is ~40 KB; 2words.txt contains ~47,000,000 words and is ~500 MB. threewords.txt got to AOUADDOGEYOFTEN and was 200 GB when I cancelled it, as there wasn't ample space to let it finish.

I have a couple of thoughts; it could be that there is some kind of inter-OS problem that is making third.txt inflate in size (combinator is running in a VM and outputting to OS X), but I don't really think this is the case. It could be that I could manage this size escalation by splitting 5letters into smaller sections, but either way it necessitates storage on an external drive, which is going to be USB 2. This would slow things down, yeah? And given that storage is my limiting factor, I'd have to generate sections, test them against the password, and delete them before generating the next section.

Let me know what you think.
#4
Apparently, I greatly underestimated the number of 5 letter words in English. I thought that there would be something like 1000 of them, which would have made a dictionary around 13 GB. Then your best bet could be limiting your wordlist to the most common (top 1000) 5 letter words in English.

EDIT: By the way, the file sizes you gave are probably correct. If you start with 7 times the amount I was expecting (my bad) and the fact that the size grows exponentially, the end result would be really huge.
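A small estimator for the keyspace and combinator file sizes discussed in posts #1 to #4, written as an added example (it is not code from any poster or from hashcat). The hash rate it takes is an assumed parameter, not a figure from the thread, and the sample wordlist is constructed.

```python
"""Estimate how strong the 'three or four 5-letter words + 5 digits' pattern is:
how many candidates it yields, how big the combinator prefix files grow, and
how long exhaustive testing takes at a given WPA rate."""

LETTER_LEN = 5                # every word is five letters
DIGIT_LEN = 5                 # trailing five-digit number
DIGIT_SPACE = 10 ** DIGIT_LEN # 00000..99999

def five_letter_words(lines):
    """Filter a raw wordlist down to five-letter, purely alphabetic words,
    uppercased and de-duplicated (the 5letters.txt step from post #2)."""
    seen, out = set(), []
    for raw in lines:
        w = raw.strip().upper()
        if len(w) == LETTER_LEN and w.isascii() and w.isalpha() and w not in seen:
            seen.add(w)
            out.append(w)
    return out

def candidates(n_words, k):
    """Passphrases built from k words (n_words choices each) plus the digits."""
    return n_words ** k * DIGIT_SPACE

def wordlist_bytes(n_words, k):
    """Size of the combinator output holding every k-word prefix, one per
    line (k*5 letters + newline), before the digits are appended."""
    return n_words ** k * (k * LETTER_LEN + 1)

def seconds_to_exhaust(n_words, k, hashes_per_second):
    """Worst-case time to test every candidate at the given WPA rate."""
    return candidates(n_words, k) / hashes_per_second

def report(n_words, hashes_per_second):
    """Keyspace, prefix-file size and exhaust time for the 3- and 4-word cases."""
    return [{
        "words": k,
        "candidates": candidates(n_words, k),
        "prefix_file_gib": wordlist_bytes(n_words, k) / 2 ** 30,
        "exhaust_days": seconds_to_exhaust(n_words, k, hashes_per_second) / 86400,
    } for k in (3, 4)]

if __name__ == "__main__":
    # Constructed sample input; 6900 is the word count reported in post #3.
    sample = ["water", "thank", "piper", "cross", "brake", "throws", "slaps", "a", "water"]
    print(five_letter_words(sample))
    for row in report(6900, 100_000):   # 100 kH/s is an assumed GPU rate
        print(row)
```

With 6900 words the 2-word prefix file comes out at about 524 MB and the 3-word file at about 5.3 TB, consistent with the sizes reported above; with 1000 words the 3-word file is about 16 GB.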
#5
Yeah, I was taken aback by the number of available words too.

I didn't start with a standard dictionary; I started with a list of `every word`, which includes all plurals and conjugations, etc., as well as multitudes of words I've never seen before.

I thought about finding a list of more common words, but then I was less confident that the default passphrase pattern of 3/4 5-letter words actually contained dictionary words, and not random letters in a pronounceable format. Maybe I'll give it a try. Thanks again for the help.
#6
By the way, if this is about WPA, I remember one vendor from the UK using such an algorithm. There's a wordlist for that case which is much smaller than 1000 words. We successfully cracked them; see Blandy's hashkiller contest from Sept last year.