Expander / fingerprint attack
#1
I was reading this article about a fingerprint attack and decided to try it. The results on a hashlist picked clean by multiple dictionary attacks and a few rule attacks are impressive (in 27 min I got about 2.4% of the remaining). However, I noticed that the founds are 8 characters max. Looking at expander's source, that makes sense, as the max pattern length is hard coded as 4 and 4+4=8. I could take the source, increase that number and recompile, but should I?

The reason I ask is I've got lots of passwords longer than 8 characters I found by the earlier mentioned methods. I've found five 31 character passwords! So I'm pretty sure some of the remaining un-cracked hashes are more than 8 characters.

But I also suspect the 4 limit wasn't arbitrarily chosen. Can someone shed some light on what my next step should be to use the attack on the 9+ character passwords? Maybe combinator my expander dictionary with itself to make a new dict and then run the combinator with the new and old dict? Or would switching to rules be [in general] a better strategy?
https://www.question-defense.com/2010/08/15/automated-password-cracking-use-oclhashcat-to-launch-a-fingerprint-attack
#2
You can generate longer fingerprints if you want but the resulting file could be quite massive. Of course you'll want to uniq it before running it, but even then a 2-way combinator might never finish if you end up with too large of a file.
#3
I think I'm beginning to understand why the 4 limit exists. I tried to combinator my initial (already uniqued) dictionary with itself. I stopped it at 281 Gigs. Even stripping out all the 4 character patterns from the initial and combinating that with itself (so 6 max length), I stopped it at 27 Gigs. (Those numbers are before attempting to uniq.)

I guess it's time to try editing the source to 5 and re-compiling, but I suspect the resulting file will be so huge as to be unworkable.

In the meantime, I tried using my initial 4-char max expander dictionary with an English unabridged dictionary (expander being the suffix/right side) combo attack, no rules, and that -- on my picked over hashlist -- still gave me an average of about 1400 hashes cracked/minute. Not huge, but it is on an already picked over hash list, so I'd call that respectable since it only took about 11 minutes to run. Plus I got a bunch of 15+ character passwords.

=== Update ===

After editing and recompiling to a max of 5 characters, the expander program, after unique-ing, gave me a dictionary of about 40MB. Running the combo attack on my system will take a day with that dictionary. I thought about eliminating all the 3 or less character patterns since I already ran the 4 char dictionary, but then that only took 27 minutes.

As a quick sanity test, I let the 5 character run (not eliminating the < 3) go for about 5 minutes and I did get some new < 8 passwords cracked. That makes sense, as I have 5 character patterns to combine with 3 or less that I didn't have before, so it would try some new passwords.

On my rig, I'm running it now and getting 1-2 hashes (SHA1) cracked per second on my already worked over hashlist. Not great, but not horrible either considering only the harder hashes are left.

Still, it looks like the current upper limit of a fingerprint attack is 10 characters. It's just not workable higher than that.
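To make the length ceiling and the dictionary blow-up discussed in this thread concrete, here is an added toy model of the expander -> uniq -> self-combinator pipeline. It is not hashcat-utils' own expander.c; it assumes expander emits every contiguous substring of length 1..max_len of each word (the real tool may differ in detail) and that the combinator concatenates every left word with every right word. The sample "founds" list is constructed.

```python
"""Toy fingerprint-attack pipeline: expander -> uniq -> self-combinator.

Added example, not hashcat-utils' own code. Assumption: expander emits every
contiguous substring of length 1..max_len of each input word; combinator
concatenates every left word with every right word. Sample list is constructed.
"""
from itertools import product

# Constructed stand-in for a list of already-cracked passwords.
SAMPLE_FOUNDS = ["password1", "Summer2010", "letmein", "qwerty!"]


def expand(words, max_len=4):
    """Return the uniq'd set of fingerprints (substrings of length <= max_len)."""
    fingerprints = set()
    for w in words:
        for start in range(len(w)):
            for length in range(1, max_len + 1):
                if start + length > len(w):
                    break
                fingerprints.add(w[start:start + length])
    return fingerprints


def combinator(left, right):
    """Every left+right candidate; length <= longest(left) + longest(right)."""
    return {a + b for a, b in product(left, right)}


def max_candidate_len(fingerprints):
    """Longest password a self-combined fingerprint dictionary can ever hit."""
    return 2 * max(len(f) for f in fingerprints)


def growth_report(words, max_lens=(4, 5)):
    """Dictionary size, pre-uniq self-combo size and length ceiling per max_len."""
    report = {}
    for m in max_lens:
        fp = expand(words, m)
        report[m] = {"fingerprints": len(fp),
                     "self_combos": len(fp) ** 2,  # candidates before uniq
                     "max_len": 2 * m}             # 4 -> 8, 5 -> 10
    return report


if __name__ == "__main__":
    for m, r in growth_report(SAMPLE_FOUNDS).items():
        print(f"max_len={m}: {r}")
```

The self-combo count grows with the square of the fingerprint count, which is why raising the pattern length from 4 to 5 moved the thread's runs from minutes to a day while only lifting the reachable length from 8 to 10.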