Bruteforce + rules
#1
Consider the following scenario: you have to crack a md5 hash which belong to a password which has a lenght of 16 characters with the following format:

$password = $word . $word;
# password is the duplicated word (word concatenate with itself)
# e.g. if word='guy12345' then password='guy12345guy12345'

As you can imagine, it is very difficult to crack a 16-chars password, but a 8-chars password can be broken in a few days.

I know there is a rule for duplicate a word, but I don't know how to use it in a bruteforce attack, because the word is not in a dictionary (it is composite for lowcase, uppercase, numbers and special characters). If I try it, hashcat says rules cannot be used in attack mode 3...

An alternative could be use maskprocessor to generate a dictionary with '?a?a?a...?a' and then use a pipe to pass it like input to hashcat running with that rule. Well, I tryed it, but it is increeeeeeedibly slow.

Generating a whole 8-chars words dictionary in order to use it with hashcat and rules is not a feasible option since it could be around 38 petabytes...

So, is there any option to use rules with bruteforce attacks? If there isn't, will you develop it? It would be really useful...
#2
https://hashcat.net/wiki/doku.php?id=rule_based_attack
https://hashcat.net/wiki/doku.php?id=mask_attack
https://hashcat.net/wiki/doku.php?id=maskprocessor

./mp64.bin ?a?a?a?a?a?a?a?a | ./hashcat64.bin -r dublicate.rule -m 0 md5.txt

cat my.rule
## original
:
## lower
l
## upper
u
## ucfirst
c
## Toggle Case
t
## dublicate
d
## Duplicate 2
p2
## Duplicate 3
p3
## reverse
r
#3
phahRoe1, thanks for your answer, but...

I know how to use mask attacks, bruteforce attacks, dictionary attack, and rules. And I have read these links too.

In fact, it works. But it is very very very slow (as I said in the fifth paragraph in the last message):

Code:
$ mp64.bin ?a?a?a?a?a?a?a?a | hashcat -m0 -O -r rules.file hash.file

But the question, if you have read the message and the example, is how to use bruteforce attacks (with masks) and rules all together to duplicate the word in order to make an attack of the half of lenght (the previous example uses a 8-chars mask instead 16-chars) when you know you are cracking that kind of passwords.

Because if you try it:
Code:
$ hashcat -m0 -a3 -O -r rules.file hash.file ?a?a?a?a?a?a?a?a

... you get this:
Use of -r/--rules-file and -g/--rules-generate only allowed in attack mode 0.
#4
To fully take advantage of GPU for a fast hash like MD5, you have to have more than a few rules.

You might try emulating a hybrid attack with generated rules.

https://hashcat.net/wiki/doku.php?id=hyb...with_rules

Basically:

Code:
$ mp64 '$?a$?a$?ad' >append-aaa.rule

$ wc -l append-aaa.rule
857375 append-aaa.rule

$ mp64 ?a?a?a?a?a | hashcat -w 4 -a 0 -O -r append-aaa.rule

You might have to adjust the number of rules to fit your amount of allocatable GPU memory.

[Edit: dangit, I forgot that that doesn't duplicate the whole word. Grrr.]
~
#5
What is the point to generate 857,375 rules when I'm only interested in one of them: duplicate (concatenate with itself) the random word?

Well, you'll get more speed but it'll be based on processing not valid (for this case) words... won't it?

If you execute that command (without pay attention to the number of chars), you'll see on the candidate line that words aren't valid:

Code:
Candidates.#1....:    *j3HH ->    0/aK*


(they should be: '*j3HH*j3HH' and '0/aK*0/aK*')

And anyway the speed is still very slow...
#6
Yeah, like I said in my edit - it doesn't work like I was hoping it would. I don't have a better answer yet.

But notice that what I was trying to do - generate some of the word on GPU with a large number of rules, to improve overall speed. I have a few other ideas. Will update.
~
#7
OK, this is ugly as heck, and buggy (it doesn't fully emulate bruteforce for the last two characters), but it's getting close:

Code:
$ for item in `mp64 '?aTEMP?a'`; do echo "di6${item}iE${item}"; done | sed 's/TEMP/i7/;s/TEMP/iF/' >dupedouble.rule

$ wc -l dupedouble.rule
9025 dupedouble.rule

$ head dupedouble.rule
di6i7iEiF [this one is bogus]
di6i7!iEiF!
di6i7"iEiF"
di6i7#iEiF#
di6i7$iEiF$
di6i7%iEiF%
di6i7&iEiF&
di6i7'iEiF'
di6i7(iEiF(
di6i7)iEiF)

$ mp64 ?a?a?a?a?a?a | hashcat -w 4 -a 0 -O -r dupedouble.rule

Candidates.#1....:  !~UjRe) !~UjRe) ->  "%`cegl "%`cegl
Candidates.#2....:  "1vV/!! "1vV/!! ->  "8"OB"G "8"OB"G
Candidates.#3....:  !xJq>}X !xJq>}X ->  !~UjQ~~ !~UjQ~~
Candidates.#4....:  !r?x*}X !r?x*}X ->  !xJq=~~ !xJq=~~
Candidates.#5....:  "%`cf!! "%`cf!! ->  "+k\y"G "+k\y"G
Candidates.#6....:  "+k\z!! "+k\z!! ->  "1vV."G "1vV."G

The idea here - borrowing in part from the "hybrid attack with rules" wiki page - is to generate the last two characters on GPU, using a generated list of rules. Basically, I'm doubling the word that is being input from stdin, and then inserting specific characters at positions 6, 7, 15, and 16. 

My first-attempt script isn't covering all of the characters properly, and generates some bogus rules, but you get the idea.
~
#8
royce, thanks. I'll try something like that.

Anyway, it would be so easier if there was possible to use rules with brute force attacks. So, what is the reason for not allowing that?
#9
I'm guessing ... but if I had to say, it's probably that in practice, most attacks are possible without it (by chaining stuff together, Unix-style) - so adding it internally could (arguably) add unnecessary complexity to the hashcat code.
~
#10
I would use rule chaining here, i.e. -r best64.rule -r duplicate.rule