Bruteforce partial HASH SHA1
#1
hello!
Please advice, i want to find binary password that will produce specific bytes of SHA1 hash
Where to change code in .CL modules to allow compare only first 8 bytes of SHA1 hash?

for example

running hashcat -m 100 -a 3 my.hash ?b?b?b?b?b
i have my.hash with
1122334455667788A1A2A3A4A5A6A7A812345678
and i want to find all 5-byte passwords where  hash will match first 8 bytes of hash
i.e. SHA1(pw5bytes) == [1122334455667788]

Thanks for helping.
#2
This is not support by default with hashcat, but it's pretty easy to hack hashcat to do it. 

I've attached a diff to do so. Make sure to clean old objects and cached kernels, too.

Quote:$ make clean
$ rm -rf kernels
$ git reset --hard
$ git checkout 477216ccdbc5fb9600a5092c269abebf4156b6b5
$ git apply git_apply.txt
$ make

After modifications the original password should, by design, still crack it:

Quote:$ echo -n password |sha1sum 
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8  -
$ cat > hash
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
$ ./hashcat -m 100 hash -O -a 3 -w 3 password --potfile-disable --self-test-disable --quiet
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8:password

So if this works you're ready to run:

Quote:$ ./hashcat -m 100 hash -O -a 3 -w 3 ?b?b?b?b?b --potfile-disable --self-test-disable 

Since the keyspace (2^40) of your mask is below the hash output size (2^64) there's no guarantee you will find a collision, except if the hash was actually created with a 2^40 password.

Also note that the modification for the kernel was only made for optimized -m 100 kernel in brute-force mode for single hashes. If you need other attack-modes etc you have to patch them as well.


Attached Files
.txt   git_apply.txt (Size: 2.07 KB / Downloads: 214)
#3
Hi!
Thanks a lot, seems working. Yes, hash created exactly from 40 bits.
Even without touching interface.c (is important to place all 4 parts of digest?)
And, please, another question, how to modify to get all possible collisions in keyspase 2^40 ? to not break at first one.
Cause is in example above it found first resut and stops immediately.
#4
use --keep-guessing