Speed isn’t Everything !
#1
I have to say a big thank you once again to you, atom, for your fantastic work on hashcat+. The long-awaited WPA support has been worth it; to gain that much of a speed increase over EWSA I thought I would have had to change hardware, not just make a simple software change from EWSA to Hashcat+!!!

However, as a relatively new user of hashcat+ and a long-time user of EWSA I have experienced some problems, mainly due to my own ignorance, I admit, although some of the issues I have had are down to not fully understanding the limitations of each version of hashcat, which, to be fair, are not clearly stated.

My post title may seem a little strange, as speed when cracking hashes is of course very important, but I personally believe there are other things to consider. A good example of this is the “resume” or “auto save” option (or lack of one). My reasoning for this is that it is all very well rattling through many thousands of WPA keys a second, but a simple accidental shutdown many days or weeks into a cracking attempt can leave the user having to start all over again. So, as you will probably have already worked out, gaining those few thousand tests per second over EWSA is worthless if you have to start all over again, losing many days, weeks or even months of work.

I have other requests which are probably best written in list form and I am sorry to bore you or anyone else with long explanations. :o) Although I would willingly elaborate on any of them if you wish.

Allow longer passwords. The password limit of 16 is quite restricting for WPA.

Auto save every 10 minutes. This would allow the user to start from almost where they left off due to accidental shutdown or power outage. Hashcat+ should just do this automatically in case the user forgets to set it. The recovery file or resume file should be named by whichever WPA key is being worked on.

Brute force. There are some wifi providers which use 8 characters, all upper case only. This is now brute-forcible, but hashcat+ doesn’t allow ?u?u?u?u?u?u?u?u.

Brute Force Start From…
It would be a great help to allow users to define where the brute force (above) should start from. This would allow users to share the workload between themselves, as it would allow the user to do the following: brute force A-Z (8), start at NNNNNNNN.

Massive lists!! I am a great believer in small but effective password lists. It depresses me seeing these massive GB text files being shared on the internet. There is no need for it, and that is one reason I helped (as much as I could) Blazer, who wrote ULM, with his excellent program. I would very much appreciate it if you could make hashcat+ use password permutations just like Cain & Abel does. This would allow users to make all their lists lowercase and without numbers prefixed or suffixed. This dramatically reduces the size of password lists, and it would also mean that no number appended to a password was missed, or any combination of upper/lower case either.

Even now EWSA doesn’t do password mutation very well. Say a user selects to change the case and suffix numbers: EWSA only performs these tasks separately and not collectively, as Cain & Abel does. In fact Cain & Abel is the only program I have seen that correctly and comprehensively applies password permutations. I wish hashcat+ would have the same mutation ability as Cain & Abel.

Anyway these are just a few ideas I ask you to think about, I recommend you sit back and enjoy the glory of being one of the coolest people on the internet for a while for releasing hashcat+ WPA support before considering my requests !

Thanks atom, you make computers fun !
#2
(09-17-2011, 05:21 PM)Hash-IT Wrote: Brute force. There are some wifi providers which use 8 characters, all upper case only. This is now brute-forcible, but hashcat+ doesn’t allow ?u?u?u?u?u?u?u?u.

Brute Force Start From…
It would be a great help to allow users to define where the brute force (above) should start from. This would allow users to share the workload between themselves, as it would allow the user to do the following: brute force A-Z (8), start at NNNNNNNN.
That's why maskprocessor exists, and oclhc+, like any other hashcat tool, is designed for advanced users.
#3
Adding to what Rolf said, you can use the maskprocessor tool for BF:

Usage: ./mp64.bin [options] mask

Startup:
-V, --version print version
-h, --help print help

Resources:
-s, --start-at=WORD start at specific position
-l, --stop-at=WORD stop at specific position

Files:
-o, --output-file=FILE output-file

Custom charsets:
-1, --custom-charset1=CS user-defineable charsets
-2, --custom-charset2=CS example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef
-4, --custom-charset4=CS sets charset ?1 to 0123456789abcdef

Built-in charsets:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from german alphabet
?F = 8 bit characters from french alphabet
?R = 8 bit characters from russian alphabet

./mp64.bin -1 ?l?u?d ?1?1?1?1?1?1?1?1 | ./oclHashcat-plus64.bin -m 2500 linksys.hccap
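The two things the posts above lean on maskprocessor for are custom charsets (`-1 ?l?u?d`) and `--start-at`/`--stop-at`, which is also what makes it possible to hand one brute-force job to several people. The following is an added example written for this page, not maskprocessor's or hashcat's own code: a small Python re-implementation of those mask semantics plus the index arithmetic behind "start at NNNNNNNN". Two assumptions are built in and marked in the comments: candidates are produced in odometer order (leftmost position slowest), which may not match maskprocessor's own output order, so ranges computed here must not be mixed with ranges computed by the real tool; and `--stop-at` is treated as inclusive.

```python
import itertools
import string

# Built-in charsets as listed in the mp help text above. hashcat's ?s begins
# with a space, which is easy to lose when the help output is pasted.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?dabcdef' (the -1 example in the help
    text) into an ordered, de-duplicated list of characters. '??' is '?'."""
    custom = custom or {}
    chars = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.append("?")
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(custom[key])
            else:
                raise ValueError("unknown charset ?%s in %r" % (key, spec))
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    seen = set()
    return [c for c in chars if not (c in seen or seen.add(c))]


def parse_mask(mask, custom=None):
    """One charset per mask position. custom maps '1'..'4' to charset specs
    (like -1 .. -4); a literal character in the mask is a fixed position."""
    custom = {k: expand_charset(v) for k, v in (custom or {}).items()}
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append([mask[i]])
            i += 1
    return positions


def keyspace_size(positions):
    n = 1
    for cs in positions:
        n *= len(cs)
    return n


def word_to_index(positions, word):
    """Position of WORD in the keyspace: mixed radix, leftmost digit most
    significant (assumption: odometer order, see lead-in)."""
    if len(word) != len(positions):
        raise ValueError("word length does not match mask")
    idx = 0
    for cs, ch in zip(positions, word):
        idx = idx * len(cs) + cs.index(ch)  # ValueError if ch not in charset
    return idx


def index_to_word(positions, idx):
    chars = []
    for cs in reversed(positions):
        idx, r = divmod(idx, len(cs))
        chars.append(cs[r])
    return "".join(reversed(chars))


def generate(positions, start_at=None, stop_at=None):
    """Yield candidates from start_at to stop_at, both inclusive (the inclusive
    stop is an assumption about mp's --stop-at). No scanning: the start word
    is turned into an index, so resuming deep in the keyspace is O(1)."""
    first = word_to_index(positions, start_at) if start_at else 0
    last = word_to_index(positions, stop_at) if stop_at else keyspace_size(positions) - 1
    for combo in itertools.islice(itertools.product(*positions), first, last + 1):
        yield "".join(combo)


def split_keyspace(positions, workers):
    """Contiguous (start_at, stop_at) pairs so that N people can share one
    brute-force job without overlap: the workload sharing asked for above."""
    total = keyspace_size(positions)
    ranges = []
    for w in range(workers):
        lo = total * w // workers
        hi = total * (w + 1) // workers - 1
        ranges.append((index_to_word(positions, lo), index_to_word(positions, hi)))
    return ranges


if __name__ == "__main__":
    # The request above: 8 upper-case letters, resume at NNNNNNNN, 4 workers.
    pos = parse_mask("?u?u?u?u?u?u?u?u")
    print("keyspace", keyspace_size(pos), "NNNNNNNN is index", word_to_index(pos, "NNNNNNNN"))
    for start, stop in split_keyspace(pos, 4):
        print("--start-at=%s --stop-at=%s" % (start, stop))
    # The -1 ?l?u?d ?1?1... pipeline from the post, on a 2-position mask so it prints.
    pos = parse_mask("?1?1", {"1": "?l?u?d"})
    print(keyspace_size(pos), list(generate(pos, start_at="zz", stop_at="zD")))
```

To hand out work, each participant gets one `--start-at`/`--stop-at` pair and pipes the generator into the cracker exactly as in the command above; because the ranges are computed from indices, no one needs to iterate to the resume point first.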
#4
Thanks for your great feedback on this release.
I have read your comments very carefully.
I think they point me directly in the right direction for what to do next.
But if someone out there has more ideas: Post them!

I will quote some of your comments. I think this way it's easier to discuss them.

Quote:I have had are down to not fully understanding the limitations of each version of hashcat, which to be fair are not clearly stated.

That's correct. The documentation does not fully include all the limitations around hashcat and oclHashcat*. This is a non-profit project. Please appreciate this circumstance.

Quote:... A good example of this is the “resume” or “auto save” option (or lack of ) ...

The resume thing is a bit more complicated than many of you may think, especially due to the optimizations that are included in oclHashcat-plus. For example, a wordlist is scanned from top to bottom, but the execution of the words is not in order. They are reordered inside oclHashcat-plus for optimal performance. This makes resuming a bit more complicated because there is no way to say: start from line 83925412 of dictionary X, like in the CPU version of hashcat.

Quote:I have other requests which are probably best written in list form and I am sorry to bore you or anyone else with long explanations. :o) Although I would willingly elaborate on any of them if you wish.

The more and the better you can explain your request, the better the chances are that I can implement it into oclHashcat-plus.

Quote:Allow longer passwords. The password limit of 16 is quite restricting for WPA.

Well that is a BIG problem. Especially because of the rule engine and the memory management. And a huge load of work, too.

Quote:Brute force. There are some wifi providers which use 8 character all upper case only, this is now brute-forcible but hashcat+ doesn’t allow u?u?u?u?u?u?u?u .

Well that is already possible. You just need to pipe the output of the maskprocessor into oclHashcat-plus.

Download it here: http://hashcat.net/files/maskprocessor-0.65.7z

Quote:Brute Force Start From…

That's also possible with the maskprocessor.

Quote:Massive lists !!

What do you mean by massive lists? Hashlists or dictionaries? Well, it doesn't matter, because both are well supported. Loading a 20 GB dictionary or bigger should work fine. You can also pinpoint a directory. oclHashcat-plus will scan the content of the directory and then iterate through every file in that directory.

Quote:I would very much appreciate it if you could make hashcat+ use password permutations just like Cain&Able does

There are two attack forms in oclHashcat-plus: either the rule-based or the permutation attack (using -a 4). However, the rule engine is a little programming engine that allows you to do exactly what you were asking for. It's just a bit more specific. See the rules/ folder for examples, or good documentation from these sites: http://ob-security.info and here: http://kaoticcreations.blogspot.com/2011...rules.html


#5
Rolf, thanks for the tip to use maskprocessor.

Forumhero, thank you very much for the code you took the time to write out, I am going to study it !

Atom…

Quote:This is a non-profit project. Please appreciate this circumstance.

I totally understand and please don’t for a minute think I was ungrateful, text based communication is not the best way to convey mood so please don’t take it the wrong way. I have helped out on a few projects over the last few years and I know how miserable and lonely it can feel when all you seem to get back is bug reports and complaints !

I am also acutely Aspergic so please bear with me ! No seriously, I am !! ha ha !

Quote:Massive lists !!

I meant dictionaries. I feel sad about the wasted bandwidth and disk space used up when most of these so-called “Uber L33t” dictionaries contain little more than a few base words and then a suffixed number. I actually once downloaded a word list from a well-known h4cK3r site which claimed to have 1,000,000 unique passwords in it. Well, to be fair they weren’t lying, but ….password1 – password1000000 is a bit of a disappointment to say the least. I kid you not!

My goal is to have dictionaries containing lower case base words only, thus massively reducing their size and then use the new functions (hopefully) in hashcat+ to modify them on the fly. So in the example above that 1,000,000 word list could actually be a single line, password.

There is much more to this, as I know we can add numbers to the end with hashcat+ now, but words such as PaSswOrD123! are a little harder to mutate at the moment.

It is late here just now and my girlfriend (she who must be obeyed) has just presented me with a list of jobs to do, and I am more frightened of her than I am keen to see these new implementations in hashcat+. I just wanted to quickly reply to you with something at least. Now I know you are a conscientious sort of chap and seem to be tolerating me at the moment, I will think about hashcat+ a little more and try to present my requests and ideas in a more constructive and clearer way. I think it best if I get everything down in one go, as some options may affect others later down the line.

Thank you atom and please don’t ever think anyone is ungrateful for your work, as I said before, you make computers fun !
#6
Nothing to worry about, dude. I am looking forward to your rephrased version.
#7
(09-17-2011, 11:21 PM)Hash-IT Wrote: Forumhero, thank you very much for the code you took the time to write out, I am going to study it !

Oh, I had nothing to do with it, it's Atom's tool.

P.S
Women don't respect men who kiss their ass, so make sure to keep the pimp hand strong.
#8
(09-18-2011, 01:16 AM)atom Wrote: Nothing to worry about, dude. I am looking forward to your rephrased version.

You are probably going to regret saying that !! Smile


I will no doubt be testing the boundaries of your tolerance as I think this is going to be a long one, but you may find some things of interest which I hope inspire you.

I am writing the following under no pretence that I know anything about hash cracking, theory or programming at all. I am just a humble user with little knowledge or understanding but just wants to get the job done so to speak. I think it would be good for you to hear what the hashcat experience is like from the other side ! So if I say something stupid that’s why, well…. there are many other reasons but that’s mainly why !

I personally am only interested in WPA, but I guess my requests will also apply to all other hash types. So for now, and for simplicity's sake, I will refer only to hashcat’s WPA feature, if that’s OK. Also, I mention “hashcat” when it actually applies to all versions.

To me, it seems as if you wish to maintain hashcat as a small, tight and compact executable. I guess this is the fine art of programming, keep it compact and minimalist. I understand this and admire it, I only wish this principle to be extended to dictionaries and rule files, which is why I am writing this.

Hashcat is fast, no question or doubt about it. You have won the speed race decisively and proved you really know how to program the fastest cracker on the internet. Congratulations, it is quite an achievement and most people would sit back and bathe in the glory but you do seem keen on further improvements, which is inspiring to me.

My thread title “Speed isn’t everything” is in no way a criticism; speed is vital when cracking WPA. However my point, although badly explained, is: although hashcat’s speed is awesome….make that… totally awesome, let's please not lose the point of hashcat by admiring its outstanding technical achievements only.

Hashcat is surely about cracking hashes and breaking passwords. This is only achieved by 2 methods, brute force and dictionaries. Brute force is the very last resort and is the simpleton’s method of choice. Oh, and by the way, I include myself in that category before anyone gets offended!! Brute force does indeed require tremendous speed to compensate for the lack of effort by the user to research possible passwords pertaining to the target in question. Hashcat has more than adequately catered for these types of users and this method of attack by its sheer speed; I for one thank you very much for it!

Dictionaries are or should be the first method of attack for any sane penetration tester. In theory this sounds very simple and to be honest when first realising just how alike most users are when it comes to choosing a password one would think that a computer running many thousands if not millions of passwords a second will have no trouble finding a password from a dictionary.

As we know this isn’t as simple as it sounds, a dictionary has to actually contain the password verbatim, which is unlikely when you consider password padding. I call password padding things like prefix / suffixing numbers, other words or special characters etc. That simple trick to pad out a password can render most dictionaries useless and this was my main point. Hashcat running many thousands of the wrong passwords does mean it is fast but I say (humbly) it does not make it fast in the right way. This is where I wonder if you (again this is not a critical statement) have lost sight of what fast is when applied to crackers. Technical brilliance is great but real world results are better.

I suggest and hope you start to look at hashcat in a different way and not judge it on how fast it can try a password but on how fast it can successfully find one ! So looking at hashcat in this way can I suggest the following ?

My wish is that you would extend the principle of keeping code compact and minimalist to dictionaries also. What this means is that dictionary size can be kept to an absolute minimum by only storing words in lower case with no padding whatsoever.

These “base” words can then be mutated or permuted into a theoretical list many times greater in size, but without using up the hard drive space or bandwidth normally required when sharing, as hashcat can do this on the fly. I believe this method will also more comprehensively cover most if not all possibilities of padding.

I understand this is where the rule files come in. This is a great idea and very much appreciated, although this is another area where I hope you will extend your minimalist approach. At the moment, if I want to suffix the numbers 0 – 10 (a common pad) to a password as it passes through hashcat, I would have to make a rules list like the following.

$1
$2
$3
$4
$5
$6
$7
$8
$9
$1$0

If I need 0 – 1000….well I think you can see that this list would be huge. Can you please think of a way for users to be able to make smaller rule lists ? Perhaps something like the following ?

$ --increment d (0-10)
Or
$ --increment d (0-100)

Doubtless you are better qualified to suggest ideas for letters and special characters etc, but I am sure you get the idea.

Until recently I knew nothing about the maskprocessor, so I apologise for that. Interestingly this rather proves my point, for the average user like myself seeing it from the other side, hashcat is a confusing place to be ! The user is left not knowing which version they should be using and also not knowing that other programs are required to mutate passwords, such as maskprocessor. It has however given me an idea for hashcat.

As hashcat is just about perfect as it is, apart from the 16 character limit that is!!!! Could I interest you in perhaps making a simpler (to use) and more comprehensive version of maskprocessor?

I guess this would keep hashcat small and compact as it would simply test passwords passed to it from this other external program. This new, hopefully GUI could add all the mutations and also provide some sort of much needed resume feature. As I mentioned before, not having some sort of automatic backup and the ability to resume an attack can totally wipe out all speed gains over “other” WPA crackers.

This separate program, being separate, should allow the hardcore hashcat users to still be able to use hashcat as they do now. I understand from your last post that using this external program will probably have a significant performance hit, as it will force hashcat to work in a less efficient way. Well, there is no such thing as a free lunch, so I would be more than willing to sacrifice a few thousand keys per second if I could know that all permutations were being catered for and that in the event of a power cut I won’t lose everything. I like to think of it as intelligent brute force!

So, my humble requests in list form. I know you have explained some of them but I thought I would list them anyway.

Allow up to 63 character passwords for WPA

Automatically save position every 10 minutes in case of accidental power outs.

Easier to use and more comprehensive version of maskprocessor. Perhaps GUI ?
Brute force with start from.
Password padding.
Many more mutations.

Work on more than one WPA key at once like hashcat does with hashes.

Ability to accept standard .cap files. (I am grateful you made the online form after our last discussion but this would be one less step for the user to make.)

Better documentation. This was a problem on my other projects, it’s the boring bit but very useful.

You mentioned that hashcat with the maskprocessor can mutate passwords like Cain & Abel does. Can I ask, does maskprocessor do the mutations concurrently or consecutively? You see, with a base word of “pass” using Cain I would also get pAsS100, where I don’t think any other program does this.

Anyway thank you for reading this far down, if my suggestions don’t make any sense or are just plain wrong then I apologise in advance as I said I am a simple user with little knowledge in this subject. I also appreciate you may consider many of my requests beyond the remit of hashcat. You may say hashcat’s goal is to simply hash words provided to it which is fair enough, but I hope you perhaps think about changing how you view hashcat’s speed, more in found passwords rather than tests per second….however totally and utterly awesome that is !!!!

Thanks.

(09-18-2011, 03:38 AM)forumhero Wrote:
(09-17-2011, 11:21 PM)Hash-IT Wrote: Forumhero, thank you very much for the code you took the time to write out, I am going to study it !

Oh, I had nothing to do with it, it's Atom's tool.

P.S
Women don't respect men who kiss their ass, so make sure to keep the pimp hand strong.

I loved your last post !!! Tears of laughter rolling down my cheeks !!

You gave me the confidence to leave my coffee cup out this morning and not return it to the dishwasher !!

Yeah, you know what I am talking about…..just keeping my bioatch in line !!
.
.
.

Probably should go and clear that up later….

#9
Quote:Allow up to 63 character passwords for WPA

Because of the wordlist cache, that will increase the memory consumption by 4x. My GTX285 with 240 SPs requires 754 MB per GPU in -n 160 mode. In the case of 64 I would require > 2 GB per GPU. That's too much.

Quote:Automatically save position every 10 minutes in case of accidental power outs.

As already explained above, because of the wordlist cache this is not possible.

Quote:Easier to use and more comprehensive version of maskprocessor. Perhaps GUI ?

maskprocessor is easy to use.

Quote:Brute force with start from.

I really don't like to say it, but I already said above that's already possible.

Quote:Password padding.
Many more mutations.

Use rules; they are flexible enough to achieve what you want to do.

Quote:Work on more than one WPA key at once like hashcat does with hashes.

Multihashed WPA cracking won't work. They are salted; each key will double the required time.

Quote:Ability to accept standard .cap files. (I am grateful you made the online form after our last discussion but this would be one less step for the user to make.)

No, I've already explained my reasons. I will not write a .cap parser.

Quote:Better documentation. This was a problem on my other projects, it’s the boring bit but very useful.

I still hope users will do that.

Quote:You mentioned that hashcat with the maskprocessor can mutate passwords like Cain&Able does. Can I ask does maskprocessor do the mutations concurrently or consecutively ? You see with a base word of “pass” using Cain I would also get pAsS100 where I don’t think any other program does this.

I did not. maskprocessor is a word generator. That also means you can automatically generate rules. For a toggle-case example, see the toggle rules in the rules/ folder.

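Post #8 asks how a lowercase base list plus a rule file could cover "pAsS100"-style padding without hand-typing `$1` … `$1$0` (note that in hashcat's rule syntax `$X` appends a single character, so a two-digit suffix is `$1$0`, and `$10` is not a valid rule), and post #9 answers: use rules, stack the toggle rules from rules/, and generate the bulky rule files with a script. The following is an added example written for this page, not hashcat's or maskprocessor's code: a Python re-implementation of a small subset of the hashcat rule language (`:`, `l`, `u`, `c`, `t`, `TN`, `$X`, `^X`, positions encoded 0-9 then A-Z), a generator for "$0 … $1000" suffix rules, a generator for toggle-case rules, and the pairwise stacking that hashcat performs when given two `-r` files. One assumption is marked in the code: out-of-range `TN` toggles are treated as no-ops here, whereas hashcat may reject the word instead.

```python
import itertools

# Position argument encoding used by hashcat rules: '0'..'9' then 'A'..'Z' for 0..35.
POS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def parse_rule(rule):
    """Split one rule line into (function, argument) tuples. Only the subset
    listed in the lead-in is supported; anything else is rejected, which is
    also what makes '$10' fail: it parses as '$1' followed by an unknown '0'."""
    ops = []
    i = 0
    while i < len(rule):
        ch = rule[i]
        if ch == " ":
            i += 1
        elif ch in ":lutc":
            ops.append((ch, None))
            i += 1
        elif ch in "$^T":
            if i + 1 >= len(rule):
                raise ValueError("rule %r: %s needs an argument" % (rule, ch))
            ops.append((ch, rule[i + 1]))
            i += 2
        else:
            raise ValueError("rule %r: unsupported function %r" % (rule, ch))
    return ops


def apply_rule(word, rule):
    """Run one rule line over one candidate word."""
    for fn, arg in parse_rule(rule):
        if fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":
            word = word[:1].upper() + word[1:].lower()
        elif fn == "t":
            word = word.swapcase()
        elif fn == "T":
            n = POS.index(arg)
            # assumption: out-of-range toggle is a no-op (hashcat may reject the word)
            if n < len(word):
                word = word[:n] + word[n].swapcase() + word[n + 1:]
        elif fn == "$":
            word = word + arg
        elif fn == "^":
            word = arg + word
        # ':' is the no-op
    return word


def suffix_rules(lo, hi):
    """Rules appending every integer in [lo, hi] as a suffix, one '$' per digit:
    0..1000 becomes 1001 short generated lines instead of a hand-typed list."""
    return ["".join("$" + d for d in str(n)) for n in range(lo, hi + 1)]


def toggle_rules(length, max_toggles=2):
    """':' plus every combination of up to max_toggles toggled positions in a
    word of the given length, in the spirit of rules/toggles*.rule."""
    rules = [":"]
    for k in range(1, max_toggles + 1):
        for combo in itertools.combinations(range(length), k):
            rules.append(" ".join("T" + POS[p] for p in combo))
    return rules


def stack(rules_a, rules_b):
    """Pairwise concatenation, which is what hashcat does with two -r files:
    every rule of the first file is combined with every rule of the second,
    so case changes and suffixes are applied together, not one or the other."""
    return [(a + " " + b).strip() for a in rules_a for b in rules_b]


def run(words, rules):
    """All candidates produced from the base words by the rule set."""
    return [apply_rule(w, r) for w in words for r in rules]


if __name__ == "__main__":
    rules = stack(toggle_rules(4), suffix_rules(0, 100))  # 11 x 101 rules
    cands = run(["pass"], rules)                           # one base word -> 1111 candidates
    print(len(rules), "rules,", len(cands), "candidates; pAsS100 present:", "pAsS100" in cands)
    print("\n".join(suffix_rules(8, 12)))                 # the tail of a generated suffix file
```

Written to disk as two files and passed as `-r toggles.rule -r suffix.rule`, the same stacking happens inside hashcat, so the one-line list `pass` stands in for every case/suffix combination the post describes.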
#10
And I don't understand how this => mp64.exe -1 ?l?u?d?s | oclHashcat-plus64.exe -m 2500 -n 800 test.hccap <= is going to work for WPA. It always gives me an exhausted error on Windows. Running Linux to get the ATI card to work is a pain on my Samsung RF712 laptop. I guess the only thing that works for me is hashcat-lite for the other hashes. I can only rely on brute force. Dictionaries and wordlists are really taking up too much space.
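The whole thread is about -m 2500 (WPA), and atom's answer in #9 that multi-hash WPA cracking gives no speed-up because the hashes are salted is the one point here that is cryptographic rather than a tool question. The following is an added example written for this page, not hashcat's code, to show why: a WPA-PSK PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), with the SSID as the salt, so one passphrase guess costs a full PBKDF2 per network and checking N networks costs N times as much, unlike unsalted hashes where one computation is compared against every target. The SSIDs, PMKs and candidate words below are constructed for the example (the "IEEE"/"password" pair is the published 802.11i test vector); the MIC verification against the 4-way handshake that a real attack performs after deriving the PMK is left out.

```python
import hashlib
import time

ITERATIONS = 4096  # fixed by the WPA-PSK specification
PMK_LEN = 32


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32). The SSID is the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), ITERATIONS, PMK_LEN)


def crack(networks, candidates):
    """networks: {ssid: target PMK as hex}. Try each candidate against every
    network still unsolved. Returns ({ssid: passphrase}, pbkdf2_calls).
    The call counter is the point: it grows with len(networks), because the
    salt forces a separate derivation per SSID."""
    found = {}
    calls = 0
    for pw in candidates:
        for ssid, target in networks.items():
            if ssid in found:
                continue
            calls += 1
            if wpa_pmk(pw, ssid).hex() == target:
                found[ssid] = pw
    return found, calls


def pmk_cost_per_guess(ssids, sample="x"):
    """Seconds spent deriving one candidate's PMK for every SSID in the list."""
    t0 = time.perf_counter()
    for ssid in ssids:
        wpa_pmk(sample, ssid)
    return time.perf_counter() - t0


# Constructed targets: two networks, one of them the 802.11i test vector.
NETWORKS = {
    "IEEE": "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
    "linksys": wpa_pmk("hunter2", "linksys").hex(),
}
CANDIDATES = ["letmein", "password", "hunter2"]

if __name__ == "__main__":
    hits, calls = crack(NETWORKS, CANDIDATES)
    print("found:", hits, "pbkdf2 calls:", calls)
    # Same passphrase, different SSID: different PMK, nothing to share between targets.
    print(wpa_pmk("password", "IEEE").hex()[:16], wpa_pmk("password", "linksys").hex()[:16])
    one = pmk_cost_per_guess(["IEEE"])
    two = pmk_cost_per_guess(["IEEE", "linksys"])
    print("per-guess cost, 1 vs 2 networks: %.4fs vs %.4fs" % (one, two))
```

This is also why a tool can legitimately refuse multi-hash mode for WPA: with an unsalted list the expensive part is shared across all targets, but here the per-SSID salt means "work on more than one WPA key at once" is simply two jobs run back to back.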