Mask attack help
#1
I just started learning how to crack some handshakes this Friday, and with my limited knowledge, I've been able to reach somewhere. Unfortunately, I'm having problems with the mask attack.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: capture.hccapx
Time.Started.....: Sat Feb 10 22:22:32 2018 (13 mins, 10 secs)
Time.Estimated...: Sat Feb 10 22:35:42 2018 (0 secs)
Guess.Mask.......: ?d?d?d?d?d?d?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:   124.3 kH/s (2.40ms)
Recovered........: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 100000000/100000000 (100.00%)
Rejected.........: 0/100000000 (0.00%)
Restore.Point....: 10000000/10000000 (100.00%)
Candidates.#2....: 60521739 -> 67646497
HWMon.Dev.#2.....: Temp: 82c Fan:100% Util: 80% Core:1683MHz Mem:3802MHz Bus:16

Started: Sat Feb 10 22:22:24 2018
Stopped: Sat Feb 10 22:35:44 2018

C:\Users\ice\Music\hashcat-4.0.1>pause

Based on my limited knowledge, I know that the password is in the range of 60521739 -> 67646497 from the information above.
If someone can guide me on how to properly understand mask attacks to solve this, I'll be grateful. Also, maybe my analysis may be wrong.
#2
(02-11-2018, 01:04 AM)zap44 Wrote: Based on my limited knowledge, I know that the password is in the range of 60521739 -> 67646497 from the information above.

Wrong. Based on the information in the status output you know the password does not match the mask ?d?d?d?d?d?d?d?d because hashcat just used that mask and finished with status "Exhausted", meaning no match found.

The candidates are just the range that hashcat was testing at the time the status was printed.
#3
Hashcat will not know a specific range of the password. It will only match the inputted handshake and output the result in plain text. So as undeath has mentioned, your attack of 8 digits has cycled all possibilities (00000000-99999999) and did not find a match to the password. So time to test some other possible mask or wordlist. 

Just out of curiosity but what GPU are you using because it's getting damn hot and throttling itself.
#4
(02-11-2018, 04:36 AM)slyexe Wrote: Hashcat will not know a specific range of the password. It will only match the inputted handshake and output the result in plain text. So as undeath has mentioned, your attack of 8 digits has cycled all possibilities (00000000-99999999) and did not find a match to the password. So time to test some other possible mask or wordlist. 

Just out of curiosity but what GPU are you using because it's getting damn hot and throttling itself.

GTX 1060 3GB
#5
(02-11-2018, 01:09 AM)undeath Wrote:
(02-11-2018, 01:04 AM)zap44 Wrote: Based on my limited knowledge, I know that the password is in the range of 60521739 -> 67646497 from the information above.

Wrong. Based on the information in the status output you know the password does not match the mask ?d?d?d?d?d?d?d?d because hashcat just used that mask and finished with status "Exhausted", meaning no match found.

The candidates are just the range that hashcat was testing at the time the status was printed.

Does that mean I need to increase my range? For example ?d?d?d?d?d?d?d?d?d?d?d instead of ?d?d?d?d?d?d?d?d.
I just looked at the wiki again and it says these are the built-in chars,


?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

which is what I've been using. But this mask example uses -1 ?l?d?u ?1?1?1. And I can't seem to understand.
I've already read https://hashcat.net/wiki/doku.php?id=mask_attack
#6
Something seems wrong with your airflow for your video card... especially for a GTX 1060, which consumes very little power. The max temperature I've seen on my 1070 is 52ºC and that's under -w 4.

Otherwise, regarding the custom character set you're looking at (-1 ?l?d?u), this creates your own quick and easy multiple built-in character sets. So what it does is create a new built-in character set which can include whatever you like. So if you want only numbers 1234 and abcd, you can limit your character set by adding in the parameter -1 1234abcd, then add it to your attack with ?1.

hashcat64.exe -1 abcd1234 -m 2500 -a 3 -w 4 capture.hccapx ?1?1?1?1?1?1?1?1?1

So this would test each character with 8 different possibilities rather than doing ?l?d, which would test all 26 lowercase letters and 10 digits (0-9), which will significantly reduce the keyspace your video card has to process.

As the example shows, using -1 ?l?d?u will do all 26 lowercase letters, all 26 uppercase letters and 10 digits, which is a large keyspace for attacking. You want to make justified decisions when determining your attack to limit it to as short as possible. It's easier to run 100 short attacks than 1 long attack, but sometimes it's necessary to find the password.

So in your case, if you KNOW the password is between 8-10 digits long and are certain of it, then you can use an increment attack to try from a keyspace of 8 to 10 digits.

hashcat64.exe -m 2500 -a 3 -w 4 -i --increment-min 8 --increment-max 10 capture.hccapx ?d?d?d?d?d?d?d?d?d?d

So this will first run an attack of 8 length and increase up to 10. Notice how the keyspace is set as 10 digits (?d?d?d?d?d?d?d?d?d?d). You want this to be the longest keyspace of your attack. OR you can just do 3 separate attacks too.

Other common attacks include phone numbers (which is part of the 10 digit keyspace as well), but you can run that test initially as it is a lot shorter than running a full 10 length attack.

hashcat64.exe -m 2500 -a 3 -w 4 capture.hccapx XXX?d?d?d?d?d?d?d

Where X is your area code. This reduces the keyspace to 7 digits rather than 10. 

Although not all passwords are obviously restricted to digits, there are a number of wordlists to attempt as well. Here is a good site which includes a number of wordlists which are good to use with rules.


In your case though, using a single 1060 card, I would look at running many short attacks as your speeds are quite limited and could leave you running it for weeks or longer trying a 10 length keyspace.
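
Added example (not part of any post in this thread and not hashcat's own code): a small Python model of the keyspace arithmetic discussed above, covering built-in placeholders, `-1` style custom charsets, literal characters and incremented lengths. The function names and the `555` area code in the test values are made up for illustration; the 124.3 kH/s rate is the one from the status output in post #1.

```python
import math
import string

# Built-in charsets as listed in the thread (taken from the hashcat wiki).
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "h": set("0123456789abcdef"),
    "H": set("0123456789ABCDEF"),
    "s": set(" " + string.punctuation),
    "b": {chr(i) for i in range(256)},
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]


def expand(spec, custom=None):
    """Turn a mask (or a custom charset spec) into one charset per position."""
    custom = custom or {}
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                out.append({"?"})           # "??" is a literal question mark
            elif key in custom:
                out.append(custom[key])     # e.g. ?1 refers to the -1 charset
            elif key in BUILTIN:
                out.append(BUILTIN[key])
            else:
                raise ValueError(f"unknown placeholder ?{key}")
            i += 2
        else:
            out.append({spec[i]})           # literal character: one choice
            i += 1
    return out


def custom_charset(spec):
    """Merge a spec such as '?l?d?u' or 'abcd1234' into a single charset."""
    return set().union(*expand(spec))


def keyspace(mask, custom=None, min_len=None, max_len=None):
    """Candidates for a mask; with min/max, sum over incremented lengths."""
    sizes = [len(cs) for cs in expand(mask, custom)]
    lo, hi = min_len or len(sizes), max_len or len(sizes)
    return sum(math.prod(sizes[:n]) for n in range(lo, hi + 1))


def hours_at(candidates, hashes_per_second):
    """Worst-case hours to exhaust a keyspace at a fixed rate."""
    return candidates / hashes_per_second / 3600
```

`keyspace("?d" * 8)` gives 100000000, the same figure as the `Progress` line in post #1, which is why an `Exhausted` status means every 8-digit candidate was already tried.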