markov mode
#1
Hello. Until recently, I used JTR. Now I decided to try hashcat and I don’t understand how to run it in "markov" mode.
In JTR, I generated the stats dictionary from wordlist. In the config of John, I prescribe the path to the generated stats file
. And start the john command:
Code:
john --format=Raw-MD5 --markov:265:0:0:10 hash.txt
Changing the first number in after "markov:", I change the level of generation of the Markov chain. The bigger it is, the more it opens hashes. The last number in markov is the length of the search password.
For hashcat, I created the hcstat2 file according to this instruction https://hashcat.net/wiki/doku.php?id=has...hcstat2gen
How to use this file similar to JTR, those. so that you can specify the level of markov and the length of the password you are looking for?
Reply
#2
maybe you are looking for the command line argument:
Code:
--markov-threshold

see --help output of hashcat.

normally the length of the password candidates is determined by the mask length (or in case of dictionary attack -a 0 with rules, the rules can truncate etc).
Reply
#3
As I understand it, this is how to work with the old version of hcstat. And it works
Code:
sp64 --pw-max 10 --threshold=13 hc.hcstat | hashcat64 -O -a0 -m0 hash.txt
The new version of hcstat2 doesn't need a statsprocessor?
Code:
hashcat64 -a3 -O -m0 --markov-hcstat2=top2b.hcstat2 -t265 --potfile-disable hash.txt .\masks\rockyou-1-60.hcmask
It doesn't work that way. What am I doing wrong?
Reply
#4
And more about Markov testing on JTR and HC. I took a wordlist of 10,000 passwords. I made a second file with MD5 hashes from this passwords. From the wordlist file I made stats files for JTR and for HC.
Next I started JTR with the command below
Code:
john --fork=4 --format=Raw-MD5 --markov:265:0:0:10 10000_hash.txt
He revealed 9462 passwords out of 10,000 in 32 minutes
I looked at what JTR wrote at launch: lvl=265 len=10 pwd=169,013,300,254
Using the matching method, I found out that statsprocessor generates 149,346,699,502 passwords from a previously created stats file at --pw-max 10 --threshold=13. Which is approximately equal to the number of passwords when JTR is running early.
Accordingly I started HC with the parameters
Code:
sp64 --pw-max 10 --threshold=13 10000_hc.hcstat | hashcat64 -O -a0 -m0 10000_hash.txt
At the moment HC is still running for 1 hour 30 minutes and 4,265 passwords out of 10,000 have been found so far.
If this comparison of password matching between two programs is not correct, I apologize. In this case, how do I compare correctly or what am I doing wrong?


Attached Files
.txt   10000_words.txt (Size: 78.49 KB / Downloads: 4)
Reply
#5
Why are you using statsprocessor instead of hashcat's native markov support? Piping words in will almost always be slower. Also, you should specify a mask.
Reply
#6
(05-22-2020, 10:25 PM)undeath Wrote: Why are you using statsprocessor instead of hashcat's native markov support? Piping words in will almost always be slower. Also, you should specify a mask.
Because I never figured out how to properly use Markov mode in HC. Please tell me how to correctly set the password search command using the Markov method for hash disclosure with a password length limit of 10 characters? I would be very grateful.
Reply
#7
I think I figured out how to work with the Markov method in HC. But the result was not very good. Let knowledgeable people correct me if I made a mistake in the method of comparison.
Code:
john --fork=4 --format=Raw-MD5 --markov:265:0:0:7 test_10000_hash.txt
8171 pwd opened (pwd try = 16 816 369 953)
Code:
hashcat64 -a3 -m0 -w3 -O --markov-hcstat2=test_10000.hcstat2 -t29 -i --increment-min=1 --increment-max=7 -1 ?a test_10000_hash.txt ?1?1?1?1?1?1?1
7282 pwd opened (pwd try = 17 249 876 309)
Code:
john --fork=4 --format=Raw-MD5 --markov:265:0:0:10 test_10000_hash.txt
9931 pwd opened (pwd try = 169 013 300 254)
Code:
hashcat64 -a3 -m0 -w3 -O --markov-hcstat2=test_10000.hcstat2 -t14 -i --increment-min=1 --increment-max=10 -1 ?a test_10000_hash.txt ?1?1?1?1?1?1?1?1?1?1
4914 pwd opened (pwd try = 289 254 654 976)

The parameter "--markov-threshold " I selected so that the number of generated passwords coincides with JTR. That is, if the number of generated passwords is approximately equal according to the Markov method, the HC has fewer successful attempts.
As I said above, if my comparisons are not correct, please point out errors in the comparison method.
Reply