05-16-2017, 04:40 PM

Hi all,

I'm trying to understand Markov chains in relation to incremental brute force attacks a little better and was playing around with masks over the weekend. I'm not actually trying to crack anything, just learning about Markov.

Let's assume I have some awesome hardware (better than the stats below) and wanted to brute force a WPA2 handshake by way of an incremental attack starting at 8 and ending with 50 using the following

I might get the following output

My question is specific to how Markov chains increment. Let's take Candidates.#1 as an example

Even though I'm able to crack through 98261 H/s, I've noticed when checking the status, there are times where the progress moves forward but the candidates do not changes for X seconds. Let's call it 15 seconds which got me thinking.

How exactly does Markov increment in hashcat? Will hashcat start with the first 8 character candidate and work it's way to the last 8 character candidate before it increments?

Or will the Markov chain increment the current candidate until the max length is reached before moving on to the next?

Example

and so on until all possible 8 character combinations are satisfied

or

and so on until the current candidate has tried all possible combinations between 8 and 50?

I don't fully understand Markov chains yet so it's difficult to articulate my question in exactly the right way, please ask if you have any questions about what I'm asking.

I'm trying to understand Markov chains in relation to incremental brute force attacks a little better and was playing around with masks over the weekend. I'm not actually trying to crack anything, just learning about Markov.

Let's assume I have some awesome hardware (better than the stats below) and wanted to brute force a WPA2 handshake by way of an incremental attack starting at 8 and ending with 50 using the following

Code:

`hashcat64 -w 4 --restore-file-path=~/my.restore -o ~/cracked.txt -m 2500 -a 3 --increment --increment-min=8 --increment-max=50 handshakes.hccapx ?a?a?a?a?a?a?a?a`

I might get the following output

Code:

`Session..........: hashcat`

Status...........: Running

Hash.Type........: WPA/WPA2

Hash.Target......: handshakes.hccapx

Time.Started.....: xxxxxxx (9 hours, 30 mins)

Time.Estimated...: xxxxxx (3 years, 61 days)

Guess.Mask.......: ?a?a?a?a?a?a?a?a [8]

Guess.Queue......: 1/1 (100.00%)

Speed.Dev.#1.....: 98261 H/s (55.75ms)

Recovered........: 0/80 (0.00%) Digests, 0/24 (0.00%) Salts

Progress.........: 94919065600/159220903509375000 (0.00%)

Rejected.........: 0/94919065600 (0.00%)

Restore.Point....: 41615360/69833729609375 (0.00%)

Candidates.#1....: hH2Pmane -> hXU<LINA

HWMon.Dev.#1.....: Temp: 59c Fan:100% Util: 98% Core:1024MHz Mem:1333MHz Bus:16

My question is specific to how Markov chains increment. Let's take Candidates.#1 as an example

Code:

`Candidates.#1....: hH2Pmane -> hXU<LINA`

Even though I'm able to crack through 98261 H/s, I've noticed when checking the status, there are times where the progress moves forward but the candidates do not changes for X seconds. Let's call it 15 seconds which got me thinking.

How exactly does Markov increment in hashcat? Will hashcat start with the first 8 character candidate and work it's way to the last 8 character candidate before it increments?

Or will the Markov chain increment the current candidate until the max length is reached before moving on to the next?

Example

Code:

`"aaaaaaaa"`

"aaaaaaab"

"aaaaaaac"

"aaaaaaad"

and so on until all possible 8 character combinations are satisfied

or

Code:

`"aaaaaaaa"`

"aaaaaaaab"

"aaaaaaaabc"

and so on until the current candidate has tried all possible combinations between 8 and 50?

I don't fully understand Markov chains yet so it's difficult to articulate my question in exactly the right way, please ask if you have any questions about what I'm asking.