Consonant and Vowel masks
#1
So I've been playing with some masks based on consonant/vowel patterns extracted from the top 1M words (according to Google) and was seeing some surprising hashrate drops vs just using the built-in mask placeholders.

(hashrates are with -O & ntlm hashes)

EG:
-a 3  -1 aeiouy -2 bcdfghjklmnpqrstvwxyz -3 AEIOUY -4 BCDFGHJKLMNPQRSTVWXYZ ?3?2?2?1?2?2?1?2?2?d?d
-a 3  -1 aeiouy -2 bcdfghjklmnpqrstvwxyz -3 AEIOUY -4 BCDFGHJKLMNPQRSTVWXYZ ?3?2?2?1?2?2?1?2?2?d
-a 3  -1 aeiouy -2 bcdfghjklmnpqrstvwxyz -3 AEIOUY -4 BCDFGHJKLMNPQRSTVWXYZ ?4?1?2?2?1?2?1?2?2?1?d?d?s
...etc

They crack at 42563.9 MH/s.
Comparably:
?l?l?l?l?l?l?l?l?l?l?l?l?l    63469.2 MH/s
?d?d?d?d?d?d?d?d?d?d?d?d  36738.2 MH/s

At the longer password lengths, the decrease in hashrate vs target space is still a lot faster in completing than using ?l and ?u, so it's still very much worth it.

I've also noticed something similar with masks containing static pieces in certain spots:

Ilove?a?a?a?a?a 572.7 MH/s   <-wut

?sIlove?a?a?a?a?a 16587.4 MH/s

I imagine it might have something to do with specific places having fewer options to iterate through, but what's going on that would cause that?
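The keyspace arithmetic behind post #1's "still worth it" observation, as an added example that is not part of the original thread: it counts candidates per mask and divides by the hashrates quoted in the post, which shows how little search space a pronounceable consonant/vowel pattern actually occupies. The `GENERIC` comparison mask and the reuse of the `?l`-only hashrate for it are assumptions; the function names are illustrative.

```python
import string

# hashcat built-in charsets; ?s is space plus 32 punctuation marks, ?a = ?l?u?d?s
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")

# Custom charsets -1..-4 and the first mask, as quoted in post #1
CUSTOM = {"1": "aeiouy", "2": "bcdfghjklmnpqrstvwxyz",
          "3": "AEIOUY", "4": "BCDFGHJKLMNPQRSTVWXYZ"}
PATTERN = "?3?2?2?1?2?2?1?2?2?d?d"
GENERIC = "?u?l?l?l?l?l?l?l?l?d?d"  # assumed same-shape mask without the pattern
# MH/s from post #1; applying the ?l-only figure to GENERIC is an assumption
PATTERN_MHS, GENERIC_MHS = 42563.9, 63469.2

def position_sizes(mask, custom=None):
    """Number of candidate characters at each position of a hashcat mask."""
    charsets = {**BUILTIN, **(custom or {})}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)          # static character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)          # '??' is a literal question mark
        elif key in charsets:
            sizes.append(len(set(charsets[key])))
        else:
            raise ValueError(f"undefined charset ?{key}")
        i += 2
    return sizes

def keyspace(mask, custom=None):
    """Total candidates: the product of the per-position charset sizes."""
    total = 1
    for n in position_sizes(mask, custom):
        total *= n
    return total

def seconds_to_exhaust(mask, mh_per_s, custom=None):
    return keyspace(mask, custom) / (mh_per_s * 1_000_000)

if __name__ == "__main__":
    for mask, rate, cs in ((PATTERN, PATTERN_MHS, CUSTOM), (GENERIC, GENERIC_MHS, None)):
        print(f"{mask}  keyspace={keyspace(mask, cs):,}  "
              f"exhaust={seconds_to_exhaust(mask, rate, cs):,.1f}s")
```

The pattern mask covers about 293 times fewer candidates than the generic one, so even at the lower hashrate it is exhausted in roughly 44 seconds versus about 2.4 hours.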
#2
This has been answered tons of times here on the forum. hashcat cannot make use of the inner loop acceleration while at the same time it has to copy each password candidate (base section) over PCI Express, so PCI becomes the bottleneck. If you want fixed prefixes, be more creative, for example with a rule in combination with a piped maskprocessor output, or use the prefix as a fake salt if the hash-mode supports it.
#3
Thanks for the response. I'd thought masks were handled exclusively in the GPU, effectively bypassing most bottlenecks from the cpu and pci (not arguing, just trying to get it).

I'll dig through the older posts now that I've got a better idea of what to look for.