How to bruteforce?
#11
(11-16-2011, 12:32 PM)atom Wrote: you guys read this? http://hashcat.net/wiki/brute_force_in_oclhashcat_plus

First of all, thanks for the OHC Plus program, Atom. It is a great job.


Yes, I have read that document. In my first post I indicated that I have used bf, TOXLC, specific, best64 and I was surprised that with any rule it took longer to catch the simple password. I have also posted the command I used. That surprised me because, as in the case with a JTR rule, the first run uses the content of the wordlist itself, then when there is no success it uses rules to modify it, e.g. turn lower to upper case, mirror, add a digit at the end etc. With JTR the rules option is on the side of the tool that generates the "wordlist", so I can pipe the result into a txt file to see what it creates, or when run with aircrack it displays the key being tested. That is why I try to understand more about rules, to be able to chop out most of the rules which make the run take too much time. If I understand rules, and have a guess, for example that it could be a double password, or maybe the same simple password with a date of birth added, or a mirror, I would modify the rule file to have only those two or three scenarios in it.

By the way, I have the feeling I found a bug in OHC plus. Where is it appropriate to report it? Thanks again for your prompt reply.
#12
(11-17-2011, 12:31 AM)ntk Wrote: First of all, thanks for the OHC Plus program, Atom. It is a great job.


Yes, I have read that document. In my first post I indicated that I have used bf, TOXLC, specific, best64 and I was surprised that with any rule it took longer to catch the simple password.

In your example you used

./maskprocessor.exe -1 abcdwxyz ?1?1?1?1?1?1?1?1

Your password was abcdwxyz

If you used a rule file that, for example, appended 123 or 123! then you would never get your password.

If, however, your rule file started with :

Example

:
$1$2$3
$1$2$3$!

Then you would have found your password in the same 3 seconds you stated you did.

The reason is the ":" in the rule file will try the password "as is" meaning no rule. It would then go on to appending 123 / 123! in this case.

Personally I always perform a full run on my lists without any modification, and then each rule file doesn't need the ":" within it, because if you do that in each rule file you will be running through your lists multiple times, unnecessarily duplicating runs. This of course would totally waste all of atom's efforts to make hashcatplus as fast as it is for you!

(11-17-2011, 12:31 AM)ntk Wrote: That is why I try to understand more about rules, to be able to chop out most of the rules which make the run take too much time.

I suggest it is better to build your own rules from the start and not try to do it the other way round, as there is always a chance you will miss something. It's a bit like tidying a drawer: tip it all out and only put back in what you want to keep! :)

(11-17-2011, 12:31 AM)ntk Wrote: If I understand rules, and have a guess, for example that it could be a double password, or maybe the same simple password with a date of birth added, or a mirror, I would modify the rule file to have only those two or three scenarios in it.

To do what you are asking here, type the following in your rule file:

d
$1$9$6$0
$1$9$6$1 (etc)
f

(11-17-2011, 12:31 AM)ntk Wrote: By the way, I have the feeling I found a bug in OHC plus. Where is it appropriate to report it? Thanks again for your prompt reply.

http://hashcat.net/forum/forum-23.html or http://hashcat.net/forum/forum-8.html
#13
Also note the maximum supported password plaintext length is 15 and the minimum for WPA is 8.
#14
@Hash-IT thanks for taking the time to understand my problem. I am very new to OHCP and general password auditing, so my questions could be very confused. I read your response with excitement. I have also dug a little into john.conf and started to have a little idea, but I am still swimming with my head under water with most of the lines, trying to understand what they want/create. I have also found the ":". I need to try and understand the rest of your proposal. I am a newbie, so it could take a long time to report back. So thanks first of all.
@Atom
Yes, for WPA my most basic wordlist must fulfil these 4 conditions:
1. Must be at least 8 chars long and at most 12,
2. contains at least 1 lower case char, and
3. contains at least 1 upper case char, and
4. contains at least 1 digit.

I do it with 4 piped egrep conditions. Not very proud of it, because 4 piped egreps make the process painfully slow... but at least it serves the purpose of eliminating a lot of combinations for a start. I would like to know if there is any faster method, in case one day a similar idea with conditions could come up, though. I have checked 2 different routers' password requirements (UK); they worded a similar condition, one using the free rule ?l?u?D min 8, and none of them use a set of chars a..m A..M 0..9, as we usually suggest "study the router, it could use a small defined set of chars". Those dinosaurs are dying out in the UK, Atom. Not surprised to see dcbawxyz accepted by one UK ISP, aBc123dx, a1b2C3d4, amacBMAC01092000, Tievhna88 at the minimum, or in one case the chosen password "Thep datoitheday". Also in general they advise using at least 12 chars. So I could not see any other way than creative, effective brute force, and I need to get lots of speed to come close to the solution. Everyone is against brute force because of the time required, but since diving into general password auditing (except with WEP), I can't see how to get close without speed & brute force. At first I got 210 k/s on CPU; I know after one week it is an illusion to say you have a tool for anything, even with pride after a long time of research and downloading over 200 GB of dicts. With CUDA, aircrack-ng managed to go up to 5200 k/s; with Pyrit at first on CPU I got 670 PMK/s, on ATI it reached 42k PMK/s. At first I was very happy, then came to the same conclusion. Your OHC plus makes me the happiest as it hits 49k, then 60k c/s, but still, after 2 weeks, when I received a password like VNthepdatoitheday2011, I realised no wordlist in the world contains it to pick out. Teach me if I am wrong.
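The four chained egrep passes described above can be collapsed into a single pass with one regular expression. The following is an added example, not code from the thread or from hashcat; it assumes the four conditions exactly as listed in the post (8 to 12 characters, at least one lower-case letter, one upper-case letter and one digit) and runs on a constructed sample wordlist built from strings mentioned in the post.

```python
"""Added example: single-pass filter for the four wordlist conditions in the post."""
import re
import string
import sys
from typing import Iterable, Iterator

# The four conditions as listed in the post (assumed exactly as stated).
MIN_LEN, MAX_LEN = 8, 12

# One compiled regex replaces the four chained egrep processes: each lookahead
# checks one character-class requirement, and .{8,12} enforces the length.
POLICY = re.compile(
    r"(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{%d,%d}" % (MIN_LEN, MAX_LEN)
)


def passes_policy(candidate: str) -> bool:
    """True when the candidate satisfies all four conditions."""
    return POLICY.fullmatch(candidate) is not None


def why_rejected(candidate: str) -> list[str]:
    """Explain which conditions a candidate fails (an empty list means it passes)."""
    reasons = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        reasons.append("length not in %d..%d" % (MIN_LEN, MAX_LEN))
    if not any(c in string.ascii_lowercase for c in candidate):
        reasons.append("no lower-case letter")
    if not any(c in string.ascii_uppercase for c in candidate):
        reasons.append("no upper-case letter")
    if not any(c in string.digits for c in candidate):
        reasons.append("no digit")
    return reasons


def filter_wordlist(lines: Iterable[str]) -> Iterator[str]:
    """Yield the entries of a wordlist (one per line) that pass the policy, in one pass."""
    for line in lines:
        word = line.rstrip("\r\n")
        if passes_policy(word):
            yield word


# Constructed sample wordlist built from strings mentioned in the thread.
SAMPLE_WORDLIST = [
    "abcdwxyz",          # no upper-case letter, no digit
    "aBc123dx",          # passes
    "a1b2C3d4",          # passes
    "amacBMAC01092000",  # 16 characters: too long
    "Tievhna88",         # passes
    "Thep datoitheday",  # 16 characters and no digit
    "Password1",         # passes
    "PASSWORD1",         # no lower-case letter
]


if __name__ == "__main__":
    # Read a real wordlist from a pipe, or fall back to the constructed sample.
    source = SAMPLE_WORDLIST if sys.stdin.isatty() else sys.stdin
    for word in filter_wordlist(source):
        print(word)
```

Feeding a file object or `sys.stdin` to `filter_wordlist` processes a real wordlist line by line without loading it into memory; `why_rejected` is there so that a rejected entry can be explained when auditing a policy rather than just dropped. The same lookahead pattern also works as one `grep -P` invocation on a build of GNU grep with PCRE support.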
#15
This is not about WPA, this applies to all algorithms. If the password is secure, meaning long and with a full charset, then nothing in the world can crack it. Fortunately people do not use secure passwords. For example, if you take a look at rockyou.txt, which is a leaked plaintext password list from a multi-million-user site, you see 97% of the passwords contain simple words, some with easy, some with complex mutation techniques. Since we focus on advanced attacks in the hashcat world, these 97% are reachable targets. If you want to learn more about advanced techniques rather than brute force, take a look at our wiki. Start with mask attack.
#16
Thanks Atom for the advice. I will look into it. The mask attack suggests that you may know part of the password, e.g. ABC, then add_forname.rule or add_3_number.rule etc. That could be useful.

In general a few ideas for making passwords are important to me:
1. the 4 strict password rules and length,
2. some combination one can easily remember, e.g. my_memorable_password, then for yahoo I add _yahoo at the end, for facebook add _face etc. Otherwise I have to carry a USB stick with passwords for 10 website forums, 5 for banks, 10 etc., and when the USB is lost or crashed I have a very big problem. I want to pay attention to knowledge, to joy, to my wife, to good living, but not to how to keep-safe-my-USB-stick with all the complicated passwords on it.

Therefore a password must be at least 75% crackable using method+speed.

In the meantime, could you help me with a general idea of how to go against these password types:

ADGadg66
JohnWayne666
6John6Wayne6
This is fun 666
99 Call Me Love
try me mate 2011 (forget this one, longer than 15, right?)
mynameisEarl1
my name is Earl1
6a6_6A6@666?

Could you give a newbie like me ideas in general on how to tackle these types? Thanks.
I cannot let go of the idea of having a crack at these types, because if an over-1-month newbie can think of them, the millions who have already dealt with passwords over the years can make a cracker's life a lot harder, speed or no speed.
#17
I am not entirely sure I understand your post, but I will do my best! :)

I think you are asking for help to write rules. I could write some very specific rules for your list, but then that wouldn't be the right thing to do as it would be too specific to those few passwords.

If you would like a general rule that would help catch most of those words and also others, try the following:

Prefix numbers
Suffix numbers
Toggle Case.

So, an example password:

Pass123

With a supplied password list of "pass", this would be caught using this rule:

c$1$2$3

pass + ( c ) = Pass + ( $1 ) = Pass1 + ( $2 ) = Pass12 + ( $3 ) = Pass123 > to hashcat.

The password rule list can get VERY long, so I couldn't post it here. Basically I would experiment with individual appended numbers, as 0-100 or 0-1000 can get a bit too long to list, especially when combined with toggles. Experiment with the toggles.rule as well. All these rules can be joined together in a single rule line. Once you understand them it is very easy to work out; even I can do it and I am a bit thick! :)

As a final example try this rule for the password you supplied.

ADGadg66

So to test the rules make your password list adgadg

So your input password to test is "adgadg".

Then make a rule file containing the following.

T0T1T2$6$6

Run it and it should find your password.
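The step-by-step walk-throughs in this thread (the ":" line in post #12 that tries the word unchanged, `c$1$2$3` turning pass into Pass123, and the toggle-and-append rule for adgadg) can be checked with a small interpreter for the rule functions used here. The following is an added example and not hashcat's own code; it implements only the functions the posts use (`:`, `l`, `u`, `c`, `C`, `t`, `r`, `d`, `f`, `TN`, `$X`, `^X`) with hashcat's documented semantics, which the posts do not spell out: `c` capitalizes the first character and lower-cases the rest, `C` does the inverse, and `TN` positions are 0-based, so `T0T1T2$6$6` is the rule that turns adgadg into ADGadg66. The 15-character plaintext limit from post #13 is applied as a filter on generated candidates.

```python
"""Added example: a small interpreter for a subset of hashcat's rule syntax."""

# Post #13's stated limit: oclHashcat-plus supported plaintexts up to 15 characters.
MAX_PLAINTEXT_LEN = 15


def _position(ch: str) -> int:
    """Decode a rule position argument: '0'..'9' are 0..9, 'A'..'Z' are 10..35."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return 10 + ord(ch) - ord("A")
    raise ValueError(f"bad position argument {ch!r}")


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (a sequence of functions, left to right) to one word."""
    chars = list(word)
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == " ":                       # spaces only separate functions
            i += 1
            continue
        if op == ":":                       # no-op: try the word as-is
            pass
        elif op == "l":                     # lowercase everything
            chars = list("".join(chars).lower())
        elif op == "u":                     # uppercase everything
            chars = list("".join(chars).upper())
        elif op == "c":                     # capitalize: first upper, rest lower
            chars = list("".join(chars).capitalize())
        elif op == "C":                     # invert capitalize: first lower, rest upper
            s = "".join(chars).upper()
            chars = list(s[:1].lower() + s[1:])
        elif op == "t":                     # toggle the case of every character
            chars = [c.swapcase() for c in chars]
        elif op == "r":                     # reverse the word
            chars.reverse()
        elif op == "d":                     # duplicate the word
            chars = chars + chars
        elif op == "f":                     # reflect: append the reversed word
            chars = chars + chars[::-1]
        elif op in "T$^":                   # functions that take one argument
            if i + 1 >= len(rule):
                raise ValueError(f"missing argument for {op!r} in {rule!r}")
            arg = rule[i + 1]
            i += 1
            if op == "T":                   # toggle case at a 0-based position
                pos = _position(arg)
                if pos < len(chars):
                    chars[pos] = chars[pos].swapcase()
            elif op == "$":                 # append one character
                chars.append(arg)
            else:                           # '^': prepend one character
                chars.insert(0, arg)
        else:
            raise ValueError(f"unsupported rule function {op!r} in {rule!r}")
        i += 1
    return "".join(chars)


def load_rules(text: str) -> list[str]:
    """Parse a rule file body: one rule per line; blank and '#' comment lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def candidates(wordlist, rules):
    """Yield (word, rule, candidate) for every word/rule pair within the plaintext limit."""
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            if len(cand) <= MAX_PLAINTEXT_LEN:
                yield word, rule, cand


def find(wordlist, rules, target):
    """Return (word, rule) of the first candidate equal to target, or None if no rule produces it."""
    for word, rule, cand in candidates(wordlist, rules):
        if cand == target:
            return word, rule
    return None


if __name__ == "__main__":
    # Post #12: only the ':' line makes the unmodified word a candidate.
    with_colon = load_rules(":\n$1$2$3\n$1$2$3$!")
    without_colon = load_rules("$1$2$3\n$1$2$3$!")
    print(find(["abcdwxyz"], with_colon, "abcdwxyz"))      # ('abcdwxyz', ':')
    print(find(["abcdwxyz"], without_colon, "abcdwxyz"))   # None
    # Post #17's walk-throughs.
    print(apply_rule("pass", "c$1$2$3"))                     # Pass123
    print(apply_rule("adgadg", "T0T1T2$6$6"))                # ADGadg66
    # Post #12's duplicate / append-a-year / reflect rules on a constructed word.
    for rule in load_rules("d\n$1$9$6$0\nf"):
        print(rule, "->", apply_rule("abc", rule))
```

Running `find` with and without the ":" line reproduces the point made in post #12: without it the unmodified word is never tried, and with it in every rule file the word is tried once per file, which is the duplicated work that post warns about.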
#18
And you say you are a bit thick! :)

Thank you, I am learning.
What do you suggest for "This is fun 2011"? I guess a combination of one-syllable meaningful words from a dictionary, e.g. abd is not but bad is ok, bac is not but cab is ok, but how to search and rule-link them together, making a combination of such one-syllable words? Would it be possible at all?
#19
Check out hashcat's attack modes: http://hashcat.net/wiki/doku.php#attack_modes

Also check out hashcat-utils: http://hashcat.net/wiki/hashcat_utils

If you gain some experience in how to use these modes efficiently, you can generate nearly all the attacks you want to do.
#20
Thanks Atom. I am keen to study those docs.