WPA2 could i be doing this better?
#1
Howdy y'all, long time listener, first time caller.

Simple Q: got a WPA2 hash that needs a crackin' (I don't know why I'm talking like this, can't seem to stop).

I know I'm looking at 10 digits, a random mix of uppercase and numeric, so I made a basic mask: -1 ?u?d ... ?1?1?1?1?1?1?1?1?1?1

So on my leet gaming rig I'm rolling 150-odd kH/s (could probably push it a bit more if I needed to).

My question is, is there a better way I could be doing this?
#2
10 characters, not 10 digits.

Yes there is; you are running a full brute force, which takes a lot of time.
You can minimize your time by generating a mask file, for example:
?u?d?d?d?d?d?d?d?d?d
?d?u?d?d?d?d?d?d?d?d
?d?d?u?d?d?d?d?d?d?d
etc...
+
wordlist + rules

To generate a mask file you can use PACK:
https://thesprawl.org/projects/pack/

If you're using The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali), it's already there.
#3
Kiara's suggestion with the masks sounds good. Watch out though: statting a dictionary *might* miss some of the possible combinations. Timbo writes the passwords are random-generated. So the mask stuff is very good to produce mask candidates and will reduce the keyspace. As long as you are aware that the statting might miss some possible combinations and you keep an eye on it, it should be fine.

Alternatively to finding out all possible mask combinations, you could use maskprocessor with the -r and -q options to limit the maximum number of occurrences for individual letters, because it is unlikely that passwords like:

AAAAAAAAAA or AAAAABBBBB

would be used in any productive system.

So by setting a limit on how often an individual character is used in the password candidates, you reduce your keyspace. You can start with low values and increase them by iteration, if required.

For details see https://hashcat.net/wiki/doku.php?id=maskprocessor
#4
Thanks guys, appreciate your help.

Jodler, I'm running with your suggestion, but can you please check my math?

mp64.exe -q 3 -1 ?u?d "?1?1?1?1?1?1?1?1?1?1" -o belong.rule

So, keeping it simple: still 10 chars, upper and numeric, but a max of 2 of the same in a row, yeah?
#5
Hi there.

mp64 produces password candidates, not masks. So for a mask of length 10 you would want to pipe (|) the output from mp64 directly into hashcat instead of writing to a file. -q 2 should limit to 2 in a row, not -q 3. Also, the -r 2 parameter will reduce the keyspace a LOT more, because it limits the occurrences of each character.

Applying -r 2 on a mask of length 10 seems to be slow though, so why not first produce all candidates for length 5, like this:

./mp64.bin -q 2 -r 2 -1 ?u?d "?1?1?1?1?1" -o tmp2.txt
or
./mp64.bin -q 3 -r 3 -1 ?u?d "?1?1?1?1?1" -o tmp3.txt

and then use a combination attack (-a 1) to append two length-5 candidates to produce candidates of length 10. It could look something like this:

./hashcat -w 4 -m 2500 eapol.hccap -a 1 tmp2.txt tmp2.txt
or:
./hashcat -w 4 -m 2500 eapol.hccap -a 1 tmp3.txt tmp3.txt

tmp2.txt would be ~261 MB and
tmp3.txt would be ~344 MB ...

P.S. Since you are doing WPA2, which is a slow hash, the discussed keyspace reduction most likely still won't do the trick for you, especially if you can only do 150 kH/s ... You really want to find out more details about the exact router model and further reduce the keyspace (e.g. possibly the vendor calculated the password from the MAC address or so ... some routers don't use 1 and I and 0 and O because of readability; some have fixed parts, like the first two characters being model-specific or such). Good luck!
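To put numbers on the keyspace arguments made in this thread (the full ?u?d mask in #1, the "max N in a row" and "max N occurrences per character" limits in #3 and #5, and the P.S. above that the reduction still won't help at 150 kH/s), here is an added calculator. It is not code from the thread or from maskprocessor; it models the -q and -r limits as the posters describe them (at most q identical characters in a row, at most r occurrences of any one character), which is an assumption about the tool's exact semantics. The practical reading for a network owner is the inverse of the attacker's: a randomly generated 10-character [A-Z0-9] key sits near 52 bits and survives these reductions, whereas a vendor key derived from the MAC or from a fixed model prefix, as the P.S. warns, is what actually shrinks the search.

```python
# Added example (not from the thread): estimate how much of the 10-character
# [A-Z0-9] keyspace survives the maskprocessor-style limits "at most q identical
# characters in a row" (-q) and "at most r occurrences of any one character" (-r),
# and how long the result takes to exhaust at a given hash rate.
# The -q/-r semantics are modelled as the posters describe them; this is an
# assumption, check the maskprocessor wiki for the tool's exact definitions.
from fractions import Fraction
from math import factorial, log2

CHARSET_SIZE = 36      # ?u?d = 26 uppercase letters + 10 digits, as in the thread
LENGTH = 10
RATE_HS = 150_000      # 150 kH/s, the rate quoted in post #1


def raw_keyspace(k: int, n: int) -> int:
    """Number of length-n strings over an alphabet of k symbols (full brute force)."""
    return k ** n


def max_run_keyspace(k: int, n: int, q: int) -> int:
    """Strings of length n over k symbols with no symbol repeated more than q times in a row.

    Dynamic programme over positions; dp[r] counts prefixes ending in a run of length r.
    """
    dp = {1: k}
    for _ in range(n - 1):
        nxt = {1: sum(dp.values()) * (k - 1)}   # switch to a different symbol
        for r, cnt in dp.items():
            if r < q:                          # extend the current run, if allowed
                nxt[r + 1] = nxt.get(r + 1, 0) + cnt
        dp = nxt
    return sum(dp.values())


def max_occurrence_keyspace(k: int, n: int, r: int) -> int:
    """Strings of length n over k symbols in which no symbol appears more than r times.

    Uses the exponential generating function n! * [x^n] (sum_{i<=r} x^i / i!)^k,
    multiplied out with exact rationals and truncated at degree n.
    """
    base = [Fraction(1, factorial(i)) for i in range(r + 1)]
    poly = [Fraction(1)]
    for _ in range(k):
        nxt = [Fraction(0)] * min(len(poly) + r, n + 1)
        for i, a in enumerate(poly):
            if a == 0:
                continue
            for j, b in enumerate(base):
                if i + j > n:
                    break
                nxt[i + j] += a * b
        poly = nxt
    coeff = poly[n] if n < len(poly) else Fraction(0)
    return int(coeff * factorial(n))


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (uniformly random key assumed)."""
    return log2(keyspace)


def years_to_exhaust(keyspace: int, rate_hs: int) -> float:
    """Worst-case time to try every candidate at rate_hs hashes per second."""
    return keyspace / rate_hs / (365.25 * 24 * 3600)


def report(k=CHARSET_SIZE, n=LENGTH, q=2, r=2, rate_hs=RATE_HS) -> dict:
    """Full keyspace versus each limit on its own; both limits together keep at most min()."""
    full = raw_keyspace(k, n)
    runs = max_run_keyspace(k, n, q)
    occ = max_occurrence_keyspace(k, n, r)
    bound = min(runs, occ)
    return {
        "full": full,
        "max_run": runs,
        "max_occurrence": occ,
        "bits_full": entropy_bits(full),
        "bits_upper_bound_after_limits": entropy_bits(bound),
        "years_full": years_to_exhaust(full, rate_hs),
        "years_upper_bound_after_limits": years_to_exhaust(bound, rate_hs),
    }


if __name__ == "__main__":
    for key, val in report().items():
        line = f"{key:>32}: {val:,.2f}" if isinstance(val, float) else f"{key:>32}: {val:,}"
        print(line)
```

The occurrence limit is the one that matters, as post #5 says: the run limit removes only candidates containing a triple, while the occurrence limit removes every candidate that reuses any character three times. Even so, the full 36^10 space is about 772 years at 150 kH/s, and neither limit brings a uniformly random key anywhere near feasible; for length 5, the occurrence-limited count (about 60 million) is what sizes the tmp files in the combination approach.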
#6
Yeah, I was starting to get a bit worried when my output file reached 244 GB.

I'll try both of those, thanks (pipe and combination).