'Positional Anchor' type attacks?
#1
Hello,

I'm a little new to this, so apologies if this feature is in plain sight and I'm missing it. I've been looking in to recovering a bitcoin wallet with btcrecover; I know the approximate positions of each word, with one word missing (likely around 8 characters and all lowercase). With btcrecover, I could use positional anchors (specifying the locations of the words) to crack it. So something like (where the numbers in square brackets indicate the positions):


[2,5]word1
[3,1]word2
[7,4]word5
...
[n] [Random lowercase string]

However, btcrecover is grossly slower than hashcat; while btcrecover can preform around 300,000 attempts per second on a GTX 970, hashcat can run billions per second. I'd imagine a major factor would be the fact that much more sorting must be done every iteration, but I still feel as if hashcat could do this much more efficiently. Does hashcat have a function that can achieve the same result? If so, how much of a speed benefit will I get? Would throwing btcrecover at a powerful EC2 instance be a better idea?

Thanks in advance.
#2
Such an attack mode is not implemented. You'd need to emulate it using custom generated mask files.
#3
So to do this would I autogenerate a mask file with all of the possible combonations in a Python script, and then leave the missing word to hashcat to solve?
#4
I was able to prepare the mask file. It seems to be able to do ~1 hash per second on the GPU, and keeps repeating its status every 3 seconds or so. The guess queue also seems to be 5806072 even though there are ~780,000 entries in the mask list.
EDIT: Looks like I was running it in increment mode, which wasn't what I intended. Seems to be working fine now.
#5
Still have one more question: if I want to increment the wildcard characters (eg. ?l?l?l) but nothing else in the mask file, is that possible? Using --increment (with --max-increment 8) goes through every character every line and is extremely slow.
#6
No, using increment would only be possible if your variable part is at the end.