Hybrid attack keyspace inconsistency
#1
Heya,

I've just ran into problem using hybrid attack. I've tried using --skip and --limit parameters in the same manner for both attack types, but it didn't work out since hashcat report different keyspace for each of them. This behaviour confused me because FAQ What is keyspace? clearly states following:
Quote:-a 6 – number of words in wordlist
-a 7 – number of words in wordlist

while when executing hashcat I get different results. As show this example.
Code:
$ wc -l simple.dict
8
$ ./hashcat.exe -a 7 --keyspace ?a?a?a?a simple.dict
81450625
$ ./hashcat.exe -a 6 --keyspace simple.dict ?a?a?a?a
8

I've tried hashcat 5.1.0 and latest beta release with the same results. Is this a bug or is FAQ outdated and what is the reasoning behind different behaviour? I did try searching some related topics on this forum without much luck.
Reply
#2
The option name "keyspace" is misleading and isn't actually the keyspace. It's just some internal hashcat number.

Or to quote the FAQ entry you linked:
Quote:hashcat's --keyspace is specifically designed to optimize distribution of work, and is not a literal representation of the total possible keyspace for a given attack.

The part about how the hashcat "keyspace" is calculated is probably wrong.
Reply
#3
I know that it isn't actual "keyspace" and I have got no issue with that. My issue is that once the reported hashcat-keyspace is determined from dictionary a in the second case it is determined from mask which is huge deal-breaker when using --skip and --limit. I asked here about it, because I saw and worked with the information from FAQ and I couldn't find any change regarding this in release version change logs. And I wonder what are the benefits or reasons that hashcat behaves this way. I'm well aware that hashcat-keyspace != literal keyspace nor I need hashcat-keyspace value for anything, I've just found it as the reason why the commands below perform significantly different task and internally generate various number of hashes.

Code:
$ ./hashcat.exe -a 7 --limit=4 ?a?a?a?a simple.dict

$ ./hashcat.exe -a 6 --limit=4 simple.dict ?a?a?a?a
Reply
#4
thanks for the report of this documentation problem (it has actually changed a little bit between versions of hashcat). The general rule now is that the left part matters (dict for -a 6; and mask for -a 7).

The FAQ should be up to date again. thx
Reply