Posts: 4
Threads: 2
Joined: Sep 2016
Howdy y'all, long-time listener, first-time caller.
Simple Q: got a WPA2 hash that needs a crackin' (I don't know why I'm talking like this, can't seem to stop).
I know I'm looking at 10 digits, a random mix of uppercase and numeric, so I made a basic mask: -1 ?u?d ... ?1?1?1?1?1?1?1?1?1?1 .
So on my leet gaming rig I'm rolling 150-odd kH/s (could probably push it a bit more if I needed to).
My question is, is there a better way I could be doing this?
Posts: 259
Threads: 13
Joined: Jun 2016
09-01-2016, 12:51 PM
(This post was last modified: 09-01-2016, 12:53 PM by kiara.)
10 characters, not 10 digits.
Yes there is; you are running a full brute force, which takes a lot of time.
You can minimize your time by generating a mask file, for example:
?u?d?d?d?d?d?d?d?d?d
?d?u?d?d?d?d?d?d?d?d
?d?d?u?d?d?d?d?d?d?d
etc...
+
wordlist + rules
To generate a mask file you can use PACK:
https://thesprawl.org/projects/pack/
If you're using The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) it's already there.
Posts: 87
Threads: 4
Joined: Dec 2015
09-01-2016, 02:58 PM
(This post was last modified: 09-01-2016, 03:09 PM by jodler303.)
kiara's suggestion with the masks sounds good. Watch out though: statting a dictionary *might* miss some of the possible combinations. timbo writes that the passwords are randomly generated. So the mask stuff is very good for producing mask candidates and will reduce the keyspace; as long as you are aware that the statting might miss some possible combinations and you keep an eye on it, it should be fine.
As an alternative to finding out all possible mask combinations, you could use maskprocessor with the -r and -q options to limit the maximum number of occurrences of individual letters, because it is unlikely that passwords like:
AAAAAAAAAA or AAAAABBBBB
would be used in any production system.
So by setting a limit on how often an individual character is used in the password candidates, you reduce your keyspace. You can start with low values and increase them iteratively, if required.
For details see
https://hashcat.net/wiki/doku.php?id=maskprocessor
Posts: 4
Threads: 2
Joined: Sep 2016
Thanks guys, appreciate your help.
Jodler, I'm running with your suggestion, but can you please check my math?
mp64.exe -q 3 -1 ?u?d "?1?1?1?1?1?1?1?1?1?1" -o belong.rule
So keeping it simple: still 10 chars, upper and numeric, but a max of 2 of the same in a row, yeah?
Posts: 87
Threads: 4
Joined: Dec 2015
09-01-2016, 11:52 PM
(This post was last modified: 09-02-2016, 12:22 AM by jodler303.)
Hi there.
mp64 produces password candidates, not masks. So for a mask of length 10 you would want to pipe (|) the output from mp64 directly into hashcat instead of writing it to a file. -q 2 should limit to 2 in a row, not -q 3. Also, the -r 2 parameter will reduce the keyspace a LOT more, because it limits the occurrences of each character.
Applying -r 2 on a mask of length 10 seems to be slow, though, so why not first produce all candidates for length 5, like this:
./mp64.bin -q 2 -r 2 -1 ?u?d "?1?1?1?1?1" -o tmp2.txt
or
./mp64.bin -q 3 -r 3 -1 ?u?d "?1?1?1?1?1" -o tmp3.txt
and then use a combination attack (-a 1) to append two length-5 candidates to produce candidates of length 10. It could look something like this:
./hashcat -w 4 -m 2500 eapol.hccap -a 1 tmp2.txt tmp2.txt
or:
./hashcat -w 4 -m 2500 eapol.hccap -a 1 tmp3.txt tmp3.txt
tmp2.txt would be ~261 MB and
tmp3.txt would be ~344 MB ...
P.S. Since you are doing WPA2, which is a slow hash, the discussed keyspace reduction most likely still won't do the trick for you, especially if you can only do 150 kH/s ... You really want to find out more details about the exact router model and further reduce the keyspace (e.g. possibly the vendor calculated the password from the MAC address or so ... some routers don't use 1 and I and 0 and O because of readability; some have fixed parts, like the first two characters being model-specific or such). Good luck!
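Worked example, added here and not part of jodler303's post or of maskprocessor itself: a small Python script that reproduces the keyspace arithmetic behind the -q/-r filtering and the two-halves combination attack above. It assumes the filter semantics as documented on the hashcat wiki, namely that -q N rejects a candidate containing N or more identical adjacent characters and -r N rejects a candidate in which any character occurs N or more times; under that reading the length-5 counts for ?u?d come out at 45,239,040 (-q 2 -r 2) and 60,018,840 (-q 3 -r 3), which at 6 bytes per line is roughly the ~261 MB and ~344 MB quoted above. It also works out how long exhausting the -a 1 half+half keyspace would take at the 150 kH/s mentioned in the thread. All function and variable names are the example's own.

```python
"""Keyspace math for maskprocessor-style -q / -r filtering and the
length-5 + length-5 combination (-a 1) attack discussed in the thread.

Assumed semantics (hashcat wiki reading, not verified against the
maskprocessor source here): -q N rejects N or more identical adjacent
characters, -r N rejects any character occurring N or more times.
"""
from itertools import product
from math import perm

UPPER_DIGIT = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # ?u?d, 36 symbols


def passes(candidate, seq_max=None, occ_max=None):
    """True if candidate survives the assumed -q (seq_max) / -r (occ_max) filters."""
    if seq_max is not None:
        run = 1
        for prev, cur in zip(candidate, candidate[1:]):
            run = run + 1 if cur == prev else 1
            if run >= seq_max:          # e.g. -q 3 rejects "AAA", keeps "AA"
                return False
    if occ_max is not None:
        for ch in set(candidate):
            if candidate.count(ch) >= occ_max:  # e.g. -r 2 keeps only all-distinct
                return False
    return True


def generate(charset, length, seq_max=None, occ_max=None):
    """Brute-force generator (what mp64 would print); only usable for tiny keyspaces."""
    for tup in product(charset, repeat=length):
        cand = "".join(tup)
        if passes(cand, seq_max, occ_max):
            yield cand


def _patterns(length):
    """Every equality pattern of `length` positions as a restricted-growth
    tuple, e.g. (0, 0, 1) stands for any string of the shape 'AAB'."""
    def rec(prefix, top):
        if len(prefix) == length:
            yield tuple(prefix)
            return
        for v in range(top + 2):        # reuse an existing class or open a new one
            yield from rec(prefix + [v], max(top, v))
    yield from rec([], -1)


def count(charset_size, length, seq_max=None, occ_max=None):
    """Exact surviving-candidate count without enumeration.

    Both filters only look at which positions are equal, so they are
    decided per pattern; a pattern with k distinct classes is realised by
    P(charset_size, k) concrete strings.
    """
    total = 0
    for pat in _patterns(length):
        if passes(pat, seq_max, occ_max):
            total += perm(charset_size, len(set(pat)))
    return total


def file_size_bytes(n_candidates, length):
    """Size of an `mp64 -o file` dump: one candidate plus a newline per line."""
    return n_candidates * (length + 1)


def combinator_seconds(n_half, rate_hps):
    """Seconds to exhaust `-a 1 half.txt half.txt` at rate_hps hashes per second."""
    return (n_half * n_half) / rate_hps


if __name__ == "__main__":
    year = 365 * 86400
    for q, r, name in ((2, 2, "tmp2.txt"), (3, 3, "tmp3.txt")):
        n = count(len(UPPER_DIGIT), 5, q, r)
        print(f"-q {q} -r {r}: {n:,} length-5 candidates, {name} ~{file_size_bytes(n, 5) / 2**20:.0f} MiB, "
              f"full -a 1 run at 150 kH/s: {combinator_seconds(n, 150_000) / year:.0f} years")
    print(f"unfiltered ?1 x10 at 150 kH/s: {36 ** 10 / 150_000 / year:.0f} years")
```

The exact count walks the 52 equality patterns of length 5 instead of the 60 million strings, so it is instant; the brute-force generator is there only to cross-check the filter on a tiny charset. Run it and the last point of the post becomes concrete: even the tighter -q 2 -r 2 halves leave roughly 2×10^15 combinations, which is a few hundred years at 150 kH/s, barely better than the unfiltered 36^10.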
Posts: 4
Threads: 2
Joined: Sep 2016
Yeah, I was starting to get a bit worried when my output file reached 244 GB.
I'll try both of those, thanks (pipe and combination).