Resuming attack with maskprocessor?
#1
Question 
Hello all,

I have a question regarding how to properly use maskprocessor in Windows to pipe its output to hashcat. I have a truecrypt volume I'm trying to recover a password to, and so far I've done a brute force search up to 7 characters long using a custom character set I've defined in a file called likely.hcchr. The command line for that is as follows, for an 8 character search:

Code:
Hashcat64.exe -m 6211 -a 3 -1 likely.hcchr E:\volume.tc ?1?1?1?1?1?1?1?1 --outfile-format=2 -o result.txt --session eightchars

However, on my old GPU this will take way too long to finish (as in my children will have died of old age by then).

So I'd like to narrow down the amount of combinations by using maskprocessor to eliminate candidates that use the same character more than 3 times. From what I understand, maskprocessor doesn't accept as input a file with a character set, so I have to type it all out, like so:

Code:
mp64.exe -1 012345678abcdefghijlmnoprstuvxABCDEFGHIJLMNOPRSTUVX!$-._ -r 4 ?1?1?1?1?1?1?1?1

On its own it seems to work as intended. The question now is how to feed this output into hashcat, and in a way that allows me to interrupt and resume work (e.g. --session). Generating a dictionary file is out of the question as the file size would be ridiculous (over 1 petabyte).

I've tried piping the output to hashcat using this command:

Code:
mp64 -1 012345678abcdefghijlmnoprstuvxABCDEFGHIJLMNOPRSTUVX!$-._ -r 4 ?1?1?1?1?1?1?1?1 | Hashcat64.exe -m 6211 E:\volume.tc --outfile-format=2 -o test.txt --session testmp

But I don't think that's the right way to go as I have no idea how to resume the stdin input from where it was interrupted.

Do you have any suggestions on how I should do this?

Thanks
#2
the main question is: is this the correct approach? does this even make sense with passwords not having 4 identical chars?
... and most importantly: how much (percentage-wise) of the keyspace is even reduced by this filter... it's probably very small (do the math, just a few percent of enormously many password candidates, almost negligible amount of passwords are filtered away).

to answer the question: yeah, you are right, neither -s/-l, nor --restore work with pipes/stdin (in hashcat).

that doesn't really prevent you from filtering it externally or internally (by modifying the source etc).

update: there is a better method to the below mentioned one using -s [password] in mp instead of some external skip_first_x_lines (tail -n +[amount])...: just use mp64.exe -s (see update below)

you could for instance just do something like this:
mp ... | skip_first_x_lines [amount] | hashcat64.exe ...

where skip_first_x_lines is just any standard tool (but of course it should be fast) to skip some lines from the input stream and only output the remaining part to the output stream (piped to the hashcat executable).

you can read the amount that needs to be skipped with --status --status-timer x or just by hitting s when hashcat is running

... but I would really suggest that you re-consider if not other attack types are better suited (like dictionary attack with rules etc). brute-force is always a very "desperate" strategy and most often the last thing you should do (last desperate hope to still crack something). It's even worse with a very slow hash type like the one you are running. Look here for other possibilities: https://hashcat.net/wiki/ or just see the attack modes in the --help output



actually I just noticed there is a better method: I totally forgot that maskprocessor (mp64) "already" supports -s/-l. so you could just use -s to skip some of the words at start

mp64.exe -s [word] ... | hashcat64.exe

but be aware that -s works a little bit differently in maskprocessor (compared to the -s in hashcat): it expects a password that is used to check if the next passwords should be in the output (instead of a line count or a starting position in the output).
Fortunately, hashcat also outputs password candidates (word), so you could just use that word from the last status of hashcat (--status --status-timer or just hitting s while hashcat is running)
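The "do the math" point from reply #2, worked through as an added example (not code from the thread or from the hashcat project): it counts exactly how many 8-character candidates over the charset quoted in post #1 survive a per-character occurrence limit. It assumes the filter means "no character appears more than `max_occ` times", with `max_occ=3` taken from the poster's stated intent; how maskprocessor's `-r` value maps onto that threshold is not checked here.

```python
from math import comb

# Charset copied from the mp64 command line in post #1.
CHARSET = "012345678abcdefghijlmnoprstuvxABCDEFGHIJLMNOPRSTUVX!$-._"


def count_words(alphabet_size, length, max_occ):
    """Exact number of words of `length` over `alphabet_size` symbols in
    which no symbol occurs more than `max_occ` times."""
    # ways[used] = number of ways to fill `used` positions of the word
    # using only the symbols processed so far.
    ways = [0] * (length + 1)
    ways[0] = 1
    for _ in range(alphabet_size):
        nxt = [0] * (length + 1)
        for used, w in enumerate(ways):
            if w == 0:
                continue
            free = length - used
            # Place this symbol in j of the still-free positions.
            for j in range(min(max_occ, free) + 1):
                nxt[used + j] += w * comb(free, j)
        ways = nxt
    return ways[length]


def filter_report(charset=CHARSET, length=8, max_occ=3):
    """Return (total, kept, removed, removed_fraction) for the filter."""
    k = len(set(charset))
    total = k ** length
    kept = count_words(k, length, max_occ)
    removed = total - kept
    return total, kept, removed, removed / total


if __name__ == "__main__":
    total, kept, removed, frac = filter_report()
    print(f"unfiltered keyspace : {total}")
    print(f"kept by the filter  : {kept}")
    print(f"removed by filter   : {removed} ({frac:.4%})")
```

With these assumptions the filter removes well under a tenth of a percent of the candidates, so the remaining run time is essentially unchanged.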