Estimated time difference using --increment vs. mask length?
#1
Hello,

I am running hashcat to crack some NTLM passwords for testing. I noticed that there is a huge difference in estimated time when running hashcat with --increment parameter vs. providing a password length mask.

Here is an example...

Code:
hashcat64.exe -a 3 -m 1000 --potfile-path test.pot --username -1 ?u?l?d!@#$ test.ntlm.txt ?1?1?1?1?1?1?1?1?1

Session.Name...: hashcat
Status.........: Aborted
Input.Mode.....: Mask (?1?1?1?1?1?1?1?1?1) [9]
Custom.Chars...: -1 ?u?l?d!@#$, -2 Undefined, -3 Undefined, -4 Undefined
Hash.Target....: File (test.ntlm.txt)
Hash.Type......: NTLM
Time.Started...: Thu Nov 10 08:39:58 2016 (3 secs)
Time.Estimated.: Fri Dec 09 11:09:17 2016 (29 days, 2 hours)
Speed.Dev.#1...:  9450.0 MH/s (11.20ms)
Recovered......: 191/651 (29.34%) Digests, 0/1 (0.00%) Salts
Recovered/Time.: CUR:N/A,N/A,N/A AVG:0.00,0.00,0.00 (Min,Hour,Day)
Progress.......: 29560960000/23762680013799936 (0.00%)
Rejected.......: 0/29560960000 (0.00%)
Restore.Point..: 6656000/5455160701056 (0.00%)

We then run it using the --increment parameter and set it to start/end at 9 characters.


Code:
hashcat64.exe -a 3 -m 1000 --potfile-path test.pot --username -1 ?u?l?d!@#$ --increment --increment-min 9 --increment-max 9 test.ntlm.txt

Session.Name...: hashcat
Status.........: Aborted
Input.Mode.....: Mask (?1?2?2?2?2?2?2?3?3) [9]
Custom.Chars...: -1 ?u?l?d!@#$, -2 Undefined, -3 Undefined, -4 Undefined
Hash.Target....: File (test.ntlm.txt)
Hash.Type......: NTLM
Time.Started...: Thu Nov 10 08:40:49 2016 (12 secs)
Time.Estimated.: Thu Nov 10 15:49:12 2016 (7 hours, 8 mins)
Speed.Dev.#1...:  9395.9 MH/s (11.64ms)
Recovered......: 191/651 (29.34%) Digests, 0/1 (0.00%) Salts
Recovered/Time.: CUR:N/A,N/A,N/A AVG:0.00,0.00,0.00 (Min,Hour,Day)
Progress.......: 118717378560/241505293049856 (0.05%)
Rejected.......: 0/118717378560 (0.00%)
Restore.Point..: 49674240/101643641856 (0.05%)

How come the estimated time is so much different yet both are 9 character using the same "-1 ?u?l?d!@#$" (upper, lower, digits, and only !@#$ special characters).

I must not be understanding something correctly, anyone able to point me in the right direction?

Why is a password length of 9 characters defined as ?1?1?1?1?1?1?1?1?1 much longer to crack vs. the same password length defined as --increment --increment-min 9 --increment-max 9 ?
#2
Pay attention, masks are different for the two attacks, so yes, estimated times will be different.
Actually defining the mask for the second one could be a great idea.
#3
That makes sense now, thank you. So with the --increment it is using a mask = (?1?2?2?2?2?2?2?3). 

Just so i understand this fully, by adding "-1 ?u?l?d!@#$" I am defining the character range only for the ?1 in the mask above.

What will ?2 and ?3 in the mask above use?
#4
https://hashcat.net/wiki/doku.php?id=fre...s_it_doing
#5
I already looked at the wiki/faq, you pointing me back there is not helping.

What would be helpful if you could answer my question instead of sending me back in a loop.

When we run:

Code:
hashcat64.exe -a 3 -m 1000 --potfile-path oppy.pot --username -1 ?u?l?d!@#$ --increment --increment-min 9 --increment-max 9 oppy.ntlm.txt

The input mode mask is:

Code:
Input.Mode.....: Mask (?1?2?2?2?2?2?2?3?3) [9]

I already set..
?1 = ?u?l?d!@#$

What is the default character set used for ?2 and ?3...

Before you point me back to other links, I did read everything related "Hashcat mask" and I am still confused, as such I came here looking for answers not links.
#6
(11-10-2016, 09:24 PM)v3rd1ct Wrote: I already looked at the wiki/faq, you pointing me back there is not helping.
It's not about looking, it's about reading.

(11-10-2016, 09:24 PM)v3rd1ct Wrote: The input mode mask is:

Code:
Input.Mode.....: Mask (?1?2?2?2?2?2?2?3?3) [9]

I already set..
?1 = ?u?l?d!@#$

What is the default character set used for ?2 and ?3...

What would be helpful if you could answer my question instead of sending me back in a loop.


Before you point me back to other links, I did read everything related "Hashcat mask" and I am still confused, as such I came here looking for answers not links.
Still, you need to actually read, I don't post links for fun and giggles, it's because you people keep asking the same questions, so we try our best to compile all the answers in a FAQ (you know, not reinventing the wheel and shit).

I have also another pro tip about links, I myself spent quite some time on the Internet, and know some things, when you follow a link, it leads to a page, and sometimes there may be more links on that page, leading to even more answers.


tl;dr:
Go on the link I posted in my previous post (reminder: https://hashcat.net/wiki/doku.php?id=fre...s_it_doing) and read even only the first line of that paragraph, there is a link which leads to the answers (yes you can even follow it).