Use dictionary word anywhere in the mask
#1
Hello,

I can't find the answer to this question in the wiki but maybe I'm not searching with the proper terms.

I'm trying to find out how a specific 8 hex digit hash/checksum is generated by a closed-source program.

I'm pretty sure the build number of the program (e.g. "104") or maybe the full version number (e.g. "2.1.104") is part of the input when this checksum is generated.

Question:
How would I use the string "104" as a dictionary word in hashcat without specifying its position in the mask, so that hashcat increments in the following way:
104?a
?a104
?a104?a
104?a?a
?a?a104
?a104?a?a
?a?a104?a
?a?a?a104
104?a?a?a
?a?a104?a?a
...

I've looked at hashcat's rule-based attacks but I don't see anything about this type of rule. Is this even possible?

I understand that hashcat was designed to crack passwords. Are there better tools out there to help guess the input strings of checksums when I have a plaintext file, parts of which I know were used to generate the checksums, but I don't know exactly which parts?
Reply
#2
There is no such attack mode. You need to emulate it using masks or generated rules. The hybrid attack modes would work, but only for mask + word or word + mask but not mask + word + mask.
Reply
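One way to do the mask emulation mentioned in #2, as an added example that is not code from the thread: it writes one mask per position of the fixed word and reports how many candidates each mask costs. The function names are hypothetical, and the escaping follows the .hcmask file conventions (`??` for a literal question mark, `\,` for a comma).

```python
# Added example: masks with a fixed word at every position, plus their keyspace.
# Sizes of the built-in mask charsets used here.
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def escape_literal(word):
    """Escape a literal for a .hcmask line: '?' becomes '??', ',' becomes '\\,'."""
    return word.replace("?", "??").replace(",", "\\,")


def masks_with_word(word, max_extra, placeholder="?a"):
    """Yield (mask, keyspace) for 1..max_extra placeholders split around word."""
    literal = escape_literal(word)
    size = CHARSET_SIZE[placeholder]
    for extra in range(1, max_extra + 1):
        for before in range(extra + 1):
            after = extra - before
            mask = placeholder * before + literal + placeholder * after
            yield mask, size ** extra


def total_keyspace(word, max_extra, placeholder="?a"):
    """Sum of candidates over all generated masks."""
    return sum(k for _, k in masks_with_word(word, max_extra, placeholder))


if __name__ == "__main__":
    # "104" is the build number from post #1; 3 extra characters is an assumption.
    for mask, keyspace in masks_with_word("104", 3):
        print(f"{keyspace:>10}  {mask}")
    print(f"{total_keyspace('104', 3):>10}  total")
```

Write only the mask column to a file, one mask per line, to use it as a mask file with `-a 3`.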
#3
"You need to emulate it using masks or generated rules"

So I tried to use the maskprocessor to create some rules with both prepending and appending (e.g. "^?a$?a") but I can't even generate the simplest rule:

mp64.bin "$?d"

returns:

0d

not:

$0
$1
$2
$3
$4
$5
$6
$7
$8
$9

like it does in this demo video:
https://youtu.be/GOgjUkYZ8GA?t=384

Any idea as to what I might be doing wrong?

EDIT: tested on CentOS (mp64.bin) and macOS (mp32.app) with maskprocessor-0.73
Reply
#4
try mp64.bin '$?d'
Reply
#5
Thanks undeath. Sorry about that mistake.

So just in case this can help someone else save a bit of time, here is how I generated my rules file with Python:

Code:
import subprocess

prepend = "^?a"
append = "$?a"

masks = []
for begin_count in range(3):
    for end_count in range(begin_count+1):
        mask1 = begin_count * prepend + end_count * append
        mask2 = end_count * prepend + begin_count * append
        if mask1 != '': masks.append(mask1)
        if mask1 != mask2: masks.append(mask2)

for mask in masks:
    cmd = "./maskprocessor-0.73/mp64.bin '{}' -o prepend-append-anywhere.rule".format(mask)
    process = subprocess.Popen(cmd.split(),stdout=subprocess.PIPE)
    output, error = process.communicate()

Results:

Code:
./maskprocessor-0.73/mp64.bin '^?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a^?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '$?a$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a^?a$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a$?a$?a' -o prepend-append-anywhere.rule
./maskprocessor-0.73/mp64.bin '^?a^?a$?a$?a' -o prepend-append-anywhere.rule

/!\ If you're a beginner like me, be careful with commands like "./maskprocessor-0.73/mp64.bin '^?a^?a^?a^?a$?a$?a$?a$?a' -o prepend-append-anywhere.rule" and any command longer than that; it will fill up your disk space real fast.
Reply
#6
you could just generate a file for ^?a and $?a and use rule file chaining in hashcat by using multiple -r switches
Reply
#7
That would be great as I wouldn't have to use a whole hard drive to store the mask list but I don't see how that would work.
Wouldn't I need a "prepend-null" or "prepend-empty" rule token to do that? Is there one I'm not aware of?

Here's an example:

prepend.rule
^0
^0^0
^0^0^0

append.rule
$1
$1$1
$1$1$1

./hashcat64.bin --stdout -r apppend.rule -r prepend.rule dict.lst
0word1
0word11
0word111
00word1
00word11
00word111
000word1
000word11
000word111

But what I want is:
word1
word11
word111
0word
0word1
0word11
0word111
00word
00word1
00word11
00word111
000word
000word1
000word11
000word111
Reply
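The rule language has a passthrough function, `:`, that leaves the word unchanged; putting it in each file gives the "prepend nothing" and "append nothing" combinations asked about in #7. The added example below is not from the thread and is a small model of stacked rule files, not hashcat's own code: it handles only `:`, `^X` and `$X`, and the two lists are the post's files with `:` added.

```python
from itertools import product


def apply_rule(word, rule):
    """Apply one rule line limited to ':' (no-op), '^X' (prepend), '$X' (append)."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in ": ":  # passthrough, or a space between functions
            i += 1
        elif op in "^$" and i + 1 < len(rule):
            char = rule[i + 1]
            word = char + word if op == "^" else word + char
            i += 2
        else:
            raise ValueError(f"unsupported rule function at {i}: {rule!r}")
    return word


def chain(words, *rule_files):
    """Cross every line of each rule file with every line of the others."""
    out = []
    for word in words:
        for combo in product(*rule_files):
            candidate = word
            for rule in combo:
                candidate = apply_rule(candidate, rule)
            out.append(candidate)
    return out


# Constructed sample: prepend.rule and append.rule from the post, plus ':'.
PREPEND = [":", "^0", "^0^0", "^0^0^0"]
APPEND = [":", "$1", "$1$1", "$1$1$1"]

if __name__ == "__main__":
    print("\n".join(chain(["word"], PREPEND, APPEND)))
```

The cross product also contains the bare `word`, which is the only candidate beyond the fifteen listed in the post.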
#8
Small fix to the Python snippet as single-quotes don't do well with Popen/split (they end up in the rules file):

Code:
import subprocess

# Rule functions as maskprocessor patterns: ^ prepends, $ appends one ?a character
prepend = "^?a"
append = "$?a"

# Build every prepend/append combination with up to two characters on each side
masks = []
for begin_count in range(3):
    for end_count in range(begin_count+1):
        mask1 = begin_count * prepend + end_count * append
        mask2 = end_count * prepend + begin_count * append
        if mask1 != '': masks.append(mask1)
        if mask1 != mask2: masks.append(mask2)

# No quotes around the mask: Popen gets the split list directly, without a shell
for mask in masks:
    cmd = "./maskprocessor-0.73/mp64.bin {} -o prepend-append-anywhere.rule".format(mask)
    process = subprocess.Popen(cmd.split(),stdout=subprocess.PIPE)
    output, error = process.communicate()
Reply
#9
Note about your Python script: specify the command as a list of strings and you don't have to worry about any kind of escaping.

but anyway, just generate a rule file with pattern ^?a and one with $?a and then run commands like
hashcat -a0 hash.txt wordlist.txt -r append-char.rule -r append-char.rule -r prepend-char.rule
Reply
#10
If I use the following command:

Code:
./hashcat-4.0.1/hashcat64.bin --stdout -a 0 -m 11500 hash.txt wordlist.txt -r apppend.rule -r prepend.rule

I get the following result:

Code:
Cannot convert rule for use on OpenCL device in file apppend.rule on line 1: $?a
Cannot convert rule for use on OpenCL device in file prepend.rule on line 1: ^?a
No valid rules left.

Am I missing something?
Reply
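Both error lines show rule files whose first line is still the pattern text (`$?a`, `^?a`); rule functions take literal characters, so each file needs one line per character, which is what maskprocessor prints for such a pattern. The added example below is not from the thread: it does that expansion in Python for the `?l ?u ?d ?s ?a` charsets only and puts the `:` passthrough first; the function names are hypothetical and the file names follow post #9.

```python
import string

# Built-in charsets shared by hashcat masks and maskprocessor (subset).
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def expand(pattern):
    """Expand a pattern such as '$?a' or '^?d$?d' into literal rule lines."""
    lines = [""]
    i = 0
    while i < len(pattern):
        if pattern[i] == "?" and i + 1 < len(pattern):
            key = pattern[i + 1]
            choices = "?" if key == "?" else CHARSETS[key]  # '??' is a literal '?'
            i += 2
        else:
            choices = pattern[i]
            i += 1
        lines = [line + c for line in lines for c in choices]
    return lines


def write_rule_file(path, pattern, passthrough=True):
    """Write the expanded rules, optionally led by ':'; return the line count."""
    lines = ([":"] if passthrough else []) + expand(pattern)
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    print(write_rule_file("append-char.rule", "$?a"), "append rules")
    print(write_rule_file("prepend-char.rule", "^?a"), "prepend rules")
```

Each file holds 96 lines, so every extra `-r` multiplies the candidates per word by 96 without storing the combinations on disk.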