Optimize this crack
#1
Wink 
Hello guys,
There's a kind of MD5 hash I was trying to solve in a fastest way I could figure out.
The password is 10 chars random-alphanumeric plus a random of 8 chars at the end, means (36^10) * 8 = 29,249,267,520,503,800 tries (worst-luck).
See it through this command:
Code:
./hashcat64.bin -a 3 -m 0 hash.txt -1 ?d?l -2 abcdefgh Some10FixedChars?1?1?1?1?1?1?1?1?1?1FIXED?2 -w 4 -O

Of course this command is slow so I've tried -m 20 and treat those fixed chars as a salt, which brings the cracking speed down to a half of pure MD5. 

Code:
./hashcat64.bin -a 3 -m 20 d68236t3236g64a02c8520cd9771d758:Some10FixedChars -1 ?d?l -2 abcdefgh ?1?1?1?1?1?1?1?1?1?1FIXED?2 -w 4 -O

With a p3.16 spot instance from AWS (8x V100 GPUs) it will take 36 hours to finish which will cost me $300 each hash. I did try distributed way with 8 instances within an hour and it just went 1/4 the road without result Sad

The main 10 chars password might be a truly random string generated by CSPRNG method, I created a markov chain hcstat2 from 300 sample and couldn't crack it in the first 10 quadrillion.
Some sample:
Code:
dt4q44vnr5
e8jjgsrdp9
ehu8e2uiz9
ejiusv72o6
em4gqvtd6a
euu1kuhfr6
evis5gpp4s
f367q538my

Stats found:
- Maximum 7 digits
- No more than 3 repeated chars side-by-side (mp -q 3)
- Hundreds of masks to try (PACK policygen)

My goal is to make this crack finishes within an hour. So please help me if I'm missing something to make this crack runs faster or any possible solution to try (except for hiring 32x p3.16 instance ~ 256x V100s xD).

My big thanks
#2
(10-04-2018, 11:10 AM)spin711 Wrote: The main 10 chars password might be a truly random string generated by CSPRNG method

Stats found:
- Maximum 7 digits
- No more than 3 repeated chars side-by-side (mp -q 3)
- Hundreds of masks to try (PACK policygen)

???
#3
do you mean that there is a 10-character-long (digits + lower-case letters) random string at the beginning and 1 character (out of a character set of 8 different characters) appended? otherwise this calculation: (36^10) * 8 would make no sense

(10 (decimal) + 26 (lower-case letters)) ^ 10 (10 positions) * 8 (8 different possibilities/chars)

that's how I understand your formula

if the 10 characters are random I wouldn't call it "Some10FixedChars", except if you know this sequence of chars already (like a salt).

It's not obvious from your description which of the 10 + 1 (I assume the total length is 11, but you didn't really clearly say it. it's a little bit confusing with those "Some10FixedChars" and "FIXED" within your mask) is attached to the hash.

My guess is that your plan is to make 8 hashes out of 1 hash (i.e. combine each hash with the 8 possible appended chars). If you do so, you wouldn't need that charset within your mask anymore, therefore this makes no sense
Code:
-m 20 -1 ?d?l -2 abcdefgh d68236t3236g64a02c8520cd9771d758:Some10FixedChars  ?1?1?1?1?1?1?1?1?1?1FIXED?2

but it should be:
Code:
-m 10 -1 ?d?l expanded_hashes_with_abcdefgh_salt.txt ?1?1?1?1?1?1?1?1?1?1

(I assume you also want to use -m 10 = md5 ($pass.$salt), because the 1-out-of-8 character is appended)

In general, I would assume that this is faster
Code:
./hashcat64.bin -a 3 -m 0 -O -w 4 hash.txt -1 ?d?l -2 abcdefgh ?1?1?1?1?1?1?1?1?1?1?2

because you don't really seem to have any relation between hash and salt and the (made up) salt is using the whole abcdefgh keyspace.

... but maybe I got it totally wrong and I missinterpreted the Some10FixedChars vs FIXED strings within your examples. You also should have mentioned the total length because it's not obvious if it is 10+1 (11) or 10+8 (18)
#4
Sorry I made you confused.
This is a sample password:
Code:
thebigwormevis5gpp4sEGa


thebigworm and EG is actually salts as they are known fixed chars. EG is fixed between password and last char as you can see from the mask.

Actual command:

Code:
-m 20 -1 ?d?l -2 abcdefgh 5ff9b10817850c50186cf65e0de19060:thebigworm  ?1?1?1?1?1?1?1?1?1?1EG?2

The mask is the password I want to crack evis5gpp4sEGa

Edit: the total length won't change and will be exact 27 like this password thebigwormevis5gpp4sEGa