Floating Mask. How to?
#1
Hi, Everyone,
What you are doing here is very interesting and I am impressed. I performed several tests using BruteForce, oclHashcat and Hashoctopus. I am writing here because I want to achieve a specific task with brute force and hashcat mask and I didn`t find the right solution or syntax searching this forum and the  Net.
Here is what I want to do:
 I know that the password contains one special character and one Upper Case character, the rest is lower case. I do not know the positions of the special char and the upper case character, so I need a mask that will test all combinations with different position. For example:


Password             MASK 
P@ssword           ?u?a?l?l?l?l?l?l
passwo!D            ?l?l?l?l?l?l?a?u
pa$wOrd             ?l?l?a?l?u?l?l

I want ?u?a to float around the whole password length, and to be present only once. This will reduce dramatically the combination for testing.
Is there a way to achieve that in a single mask?

Thank you in advance.
#2
Your attempt of reduction actually ends up more expensive than just doing ?a?a?a?a?a?a?a?a. I know it's hard to believe, so do the math yourself.
#3
or You can use ULM
1.Create "dictionary" with specyfic lenght with charset u l s
2.In "downsize" tab select "contain at most count of letter X (use this to delete words/masks with more tan 1 U)
3. Repeat it with "s"
4. "EXP/Mangle" tab Preffix/Suffix everywhere that hit "?"
After this steps You will got txt file with masks what You need
#4
Hi, Again,

Let`s do the math:

According to hashcat:
Mask1: “?a?l?l?l?l?l?l?l” has 308 915 776 combinations.
Mask2: “?a?u?l?l?l?l?l?l” has 308 915 776 combinations.
Mask3: “?a?a?a?a?a?a?a?a” has 735 091 890 625 combinations.

Let assume that I want “?a” to float in mask1 on all position it is equal to run 8 different masks (?a?l?l?l?l?l?l?l, ?l?a?l?l?l?l?l?l, ?l?l?a?l?l?l?l?l, ?l?l?l?a?l?l?l?l  ….. ?l?l?l?l?l?l?l?a). The result will be:

308 915 776 * 8= 2 471 326 208 (~0,33 % from Mask3).

If I want “?a” and “?u” to float then we have 8 * 7 = 56 different masks for execution. Total of combination will be:
308 915 776*56= 17 299 283 456 (~ 2,353% from Mask3).

I don’t see your logic magnum.

Creating a dictionary for length of 8 char is ok, but for length of 12 char I think it is unpractical.

Thank you for your answers.
#5
BF 12 chars pasword with ?a is almost all time "unpractical" unless You got 100% sure for password coplex policy
#6
What you (@agenta) should consider is that this "floating technique" in theory is efficient/meaningful/clever only if the (different) charsets you are using (in your specific case there are 2, ?a and ?l) are disjoint (see https://en.wikipedia.org/wiki/Disjoint_sets).

The problem is that ?l is a subset of ?a, i.e. ?a contains every char from ?l. They are overlapping. So for instance it would make sense to "float" ?s within a mask of all ?l (e.g. ?s?l?l?l?l?l?l?l, ?l?s?l?l?l?l?l?l, ?l?l?s?l?l?l?l?l, ?l?l?l?s?l?l?l?l ….. ?l?l?l?l?l?l?l?s), but not to "float" ?a within ?l.

This of course is only theory, there are some specific cases (with fast algorithms) where it is more efficient/faster to use a mask for which the total keyspace must be large enough to reach full acceleration (especially the left-hand side shouldn't be too small in general). This of course depends on which algorithm and attack mode is used.

BTW: in your case it would probably make sense to use ?l, ?u and ?s and something like PACK's policygen ( http://thesprawl.org/projects/pack/#policygen )
Code:
python policygen.py --minlength 7 --maxlength 8 --minupper 1 --maxupper 1 --mindigit 0 --maxdigit 0 --minlower 5 --maxlower 6 --minspecial 1 --maxspecial 1 -o my.hcmask

PS. it is still not very much clear to me what you mean by "special character", the definition of oclHashcat/hashcat of special character is ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (including the space " " character), there is also ?b which is even larger (?b = 0x00 - 0xff), but again you shouldn't "float" overlapping (character) sets, so you could define your own with --custom-charset1...--custom-charset4, e.g. every "meaningful" character NOT in ?l and ?u.
Above, I assumed that the special characters you were referring to are all contained within ?s.



update: I just found out that there was a small problem with policygen.py and it did not respect the --maxdigit value (see fix here: https://github.com/iphelix/pack/pull/2 ), you should either wait for a new fixed version or use the patch (or my modified github master branch of PACK).
#7
At first one would ask why not use option q or r in mask processor?

But you want to apply q, r rule on the Upper case and Special sign only, not all parts of the PW... Very nice trick.

I would put in that what you point here is result of a RegEx filter where your upper case letters [A-z], and special signs !"£$%^&*()@~:;{}[]+-_ <>,.?/|\ should float around the length of your password combis, BUT they can only appears exactly ONCE. The rest of the combi you want to have digits or lower case characters and you also want
1/ it does not matter how many time they occur or
2/ they can sequentially repeat as the rest length allowed

So you look out for something like this filter
[A-Z\!\"\£\$\%\^\&\*\(\)\@\~\:\;\{\}\[\]\+\-\_\ \<\>\,\.\?\/\|\\]\x{x,y}
or something of similar syntax( [...]\x{..})

In words: "matched" if anything matched A-Z or these special sign they can appear only once (But your PW combis consist of ?as so that u and ial sign appear exact once, while the digit or lower appear as they will be pleased

good matchhed
@aabcAa1; @atomAa1 is good
@aa@cAa1 is bad
@aabcAA1 is bad
@!"£$%^Y no one wants

You thought about extensions like
"must have also lower
must use at least (or exact!) one digit ...."

Google Key word is PW policy

RegEx (regular expression) is your key.

Few years ago somewhere I already came across more than 90 pre-formulated filters what you like could already be there.

@Szulik
"BF 12 chars pasword with ?a is almost all time "unpractical" unless You got 100% sure for password complex policy"
No. Because you don't want to see the way he see it, you think about time and use power force to BF.

Try it with 4 or 5 or 6 character/digit/signs PW combis only you will see what he wants... and you will be surprised.

Here, if he solves the problem with the loss because of sorting time, he cuts easily the BF time down by half ... or more.

But he will be very lonely in this area ... most of programmers black/white/yellow/blue/red/even zebra hate or despite these filter expressions, like you say you like Latin speaking in our world of living languages

"unless You got 100% sure for password complex policy"

True, but not that difficult. Social Engineering.

No one like risking to be sacked by releasing company secrets, but study their moans/complaint about hated/repeated unwanted monthly job and you see they secretly paint on the wall the company PW policy... what you last need to adore is "Ahummmn you mind tell me you travel far to work"
#8
@newtk: ... and you've TRIPLE posted on this thread. Good lord, have you no netiquette? Seriously, next time you double post you will be banned. Learn how to use the edit button.
#9
(02-29-2016, 04:23 PM)agenta Wrote: Let`s do the math:

According to hashcat:
Mask1: “?a?l?l?l?l?l?l?l” has 308 915 776 combinations.
Mask2: “?a?u?l?l?l?l?l?l” has 308 915 776 combinations.
Mask3: “?a?a?a?a?a?a?a?a” has 735 091 890 625 combinations.

Let assume that I want “?a” to float in mask1 on all position it is equal to run 8 different masks (?a?l?l?l?l?l?l?l, ?l?a?l?l?l?l?l?l, ?l?l?a?l?l?l?l?l, ?l?l?l?a?l?l?l?l  ….. ?l?l?l?l?l?l?l?a). The result will be:

308 915 776 * 8= 2 471 326 208 (~0,33 % from Mask3).

If I want “?a” and “?u” to float then we have 8 * 7 = 56 different masks for execution. Total of combination will be:
308 915 776*56= 17 299 283 456 (~ 2,353% from Mask3).

I don’t see your logic magnum.
That is incorrect. Perhaps you used the --keyspace option? That isn't usable for these calculations because the output figure is scaled with a "hidden multiplier", and that multiplier is different for Mask1/2 vs. Mask3 so you can't compare the numbers at all.

Here's math:
Mask1: “?a?l?l?l?l?l?l?l” has 95*26^7 = 763 021 966 720 combinations.
Mask2: “?a?u?l?l?l?l?l?l” has the same numbers.
Mask3: “?a?a?a?a?a?a?a?a” has 95^8 = 6 634 204 312 890 625 combinations.

So your exact figures are not correct BUT other than that you are right, sorry! I was thinking of the opposite case (that Phil mentioned) to try to reduce ?a?a?a?a?a?a?a?a given that at least one of them is ?u and one is ?l. That will end up more expensive than just biting the bullet.