Multiple wordlist with brute force
#1
Hi everyone,

I am new to hashcat and want to know if I can use multiple wordlists and brute force combinations. For example, Verizon FiOS uses the following key-space: 

(3,4,5 letter English word) + (2,4 digit number) + (3,4,5 letter English word) + (2,4 digit number) + (3,4,5 letter English word)

I want to create a hybrid hash attack that uses:

[wordlist] + [brute force (?d)] + [wordlist] + [brute force (?d)] + [wordlist]

I know hashcat allows for a [wordlist] + [brute force], however, I am not sure how to add multiple of each. Is this something that is possible? If not, is there another feasible way of accomplishing this? 

Please advise
Thanks!
Reply
#2
(06-17-2020, 12:26 AM)joshdanielsjr Wrote: Hi everyone,

I am new to hashcat and want to know if I can use multiple wordlists and brute force combinations. For example, Verizon FiOS uses the following key-space: 

(3,4,5 letter English word) + (2,4 digit number) + (3,4,5 letter English word) + (2,4 digit number) + (3,4,5 letter English word)

I want to create a hybrid hash attack that uses:

[wordlist] + [brute force (?d)] + [wordlist] + [brute force (?d)] + [wordlist]

I know hashcat allows for a [wordlist] + [brute force], however, I am not sure how to add multiple of each. Is this something that is possible? If not, is there another feasible way of accomplishing this? 

Please advise
Thanks!

You can use hashcat: wordlist+bruteforce ->stdout to wordlist_1
Hashcat: Wordlist_1+bruteforce ....and so on..
Reply
#3
(06-17-2020, 10:45 AM)Sondero Wrote:
(06-17-2020, 12:26 AM)joshdanielsjr Wrote: Hi everyone,

I am new to hashcat and want to know if I can use multiple wordlists and brute force combinations. For example, Verizon FiOS uses the following key-space: 

(3,4,5 letter English word) + (2,4 digit number) + (3,4,5 letter English word) + (2,4 digit number) + (3,4,5 letter English word)

I want to create a hybrid hash attack that uses:

[wordlist] + [brute force (?d)] + [wordlist] + [brute force (?d)] + [wordlist]

I know hashcat allows for a [wordlist] + [brute force], however, I am not sure how to add multiple of each. Is this something that is possible? If not, is there another feasible way of accomplishing this? 

Please advise
Thanks!

You can use hashcat: wordlist+bruteforce ->stdout to wordlist_1
Hashcat: Wordlist_1+bruteforce ....and so on..

How do I do this? Could you list an example command as a template for me to follow please?
Thanks
Reply
#4
it's always clever to step back a little bit and first try to understand and analyse the feasibility of this attack and the total keyspace.

My guess is that this is for WPA "hashes", so it's already one of the slower hash types that hashcat supports.
Therefore you need to come up with a clever strategy.

Do you know the list of possible words used ? do you already have such a dictionary ? How large is it ?

The problem with combining a lot of words together, is that the keyspace grows very fast ("exponentially") with the number of words that need to be combined. If you furthermore also add some random digits in between, the set of candidates multiplies again and again... making it very difficult to crack because of the very fast grow of the total number of password candidates (keyspace).

let's say you have 10000 words and your formula is (x = 10000)
x * 100 * x * 100 * x +
x * 10000 * x * 10000 * x
only the four digit (0000...9999) variant is basically 10000 ^ 5 (without any 2 digit numbers... I'm not sure if the 2 digit and 4 digits are mixed or not, or if this is an either 2 or 4 variant)

it's a very huge number for WPA.

If the keyspace would have been very small, you could have just generate a new dict consisting of digits and words, e.g
Code:
hashcat --stdout -a 7 -o right_dict.txt ?d?d dict.txt
the ?d?d together with -a 7 will generate a new dict (file right_dict.txt) that has 2 numbers (00-99) prepended.

you could then for instance combine word + right_dict.txt for the total left part
Code:
hashcat --stdout -a 1 -o left_dict.txt dict.txt right_dict.txt

(or use the tool "combinator" from hashcat-utils)

finally you run hashcat with combinator attack (-a 1)
Code:
hashcat -m 2500 -a 1 -w 3 hash.hccapx left_dict.txt right_dict.txt

of course all this only works if the amount of words (x) in the original dict (dict.txt) is small, otherwise it's a very difficult problem both for disk space, disk I/O and also the feasibility (as explained above).

also note that people already attempted for quite a while to attack similar passwords (diceware, passphrases)... but also more specifically for WPA, the Netgear approach and strategies to crack it like https://hashcat.net/forum/thread-4463.html and others https://hashcat.net/forum/thread-6170.html.

The best of course would be to discover how the hardware/router vendor comes up with the passwords... it's already discovered for a lot of router models that the passwords are not really random, but depend on for instance MAC addresses of network adapters or similar (I'm not sure about your vendor/model etc).
if dict.txt is large and your attack will take dozens/hundreds of years, it only proofs that combining words makes a password (in theory, but also sometimes in practice, if no algorithm behind the generation is discovered) hard to crack.

Another approach to crack the hashes could of course be to use stdin and pipe like this:
Code:
my_custom_password_generator.exe | hashcat.exe -m 2500 -w 3 hash.hccapx

but this also has many disadvantages (most importantly that hashcat won't know what the total amount of password generated by the left part will be ... and it will probably be slower than -a 1 attacks, but not always the case).

the application "my_custom_password_generator.exe" is of course a newly developed, coded or scripted (python, php, perl etc), fast password generator that does exactly the combining of words with numbers etc... you would need to code it yourself of course, it's not available online.

all of this only makes sense, if you can exhaust the keyspace in a reasonable amount of time (say several weeks or month), otherwise it's just a waste of time !
Reply
#5
(06-17-2020, 07:17 PM)philsmd Wrote: it's always clever to step back a little bit and first try to understand and analyse the feasibility of this attack and the total keyspace.

My guess is that this is for WPA "hashes", so it's already one of the slower hash types that hashcat supports.
Therefore you need to come up with a clever strategy.

Do you know the list of possible words used ? do you already have such a dictionary ? How large is it ?

The problem with combining a lot of words together, is that the keyspace grows very fast ("exponentially") with the number of words that need to be combined. If you furthermore also add some random digits in between, the set of candidates multiplies again and again... making it very difficult to crack because of the very fast grow of the total number of password candidates (keyspace).

let's say you have 10000 words and your formula is (x = 10000)
x * 100 * x * 100 * x +
x * 10000 * x * 10000 * x
only the four digit (0000...9999) variant is basically 10000 ^ 5 (without any 2 digit numbers... I'm not sure if the 2 digit and 4 digits are mixed or not, or if this is an either 2 or 4 variant)

it's a very huge number for WPA.

If the keyspace would have been very small, you could have just generate a new dict consisting of digits and words, e.g
Code:
hashcat --stdout -a 7 -o right_dict.txt ?d?d dict.txt
the ?d?d together with -a 7 will generate a new dict (file right_dict.txt) that has 2 numbers (00-99) prepended.

you could then for instance combine word + right_dict.txt for the total left part
Code:
hashcat --stdout -a 1 -o left_dict.txt dict.txt right_dict.txt

(or use the tool "combinator" from hashcat-utils)

finally you run hashcat with combinator attack (-a 1)
Code:
hashcat -m 2500 -a 1 -w 3 hash.hccapx left_dict.txt right_dict.txt

of course all this only works if the amount of words (x) in the original dict (dict.txt) is small, otherwise it's a very difficult problem both for disk space, disk I/O and also the feasibility (as explained above).

also note that people already attempted for quite a while to attack similar passwords (diceware, passphrases)... but also more specifically for WPA, the Netgear approach and strategies to crack it like https://hashcat.net/forum/thread-4463.html and others https://hashcat.net/forum/thread-6170.html.

The best of course would be to discover how the hardware/router vendor comes up with the passwords... it's already discovered for a lot of router models that the passwords are not really random, but depend on for instance MAC addresses of network adapters or similar (I'm not sure about your vendor/model etc).
if dict.txt is large and your attack will take dozens/hundreds of years, it only proofs that combining words makes a password (in theory, but also sometimes in practice, if no algorithm behind the generation is discovered) hard to crack.

Another approach to crack the hashes could of course be to use stdin and pipe like this:
Code:
my_custom_password_generator.exe | hashcat.exe -m 2500 -w 3 hash.hccapx

but this also has many disadvantages (most importantly that hashcat won't know what the total amount of password generated by the left part will be ... and it will probably be slower than -a 1 attacks, but not always the case).

the application "my_custom_password_generator.exe" is of course a newly developed, coded or scripted (python, php, perl etc), fast password generator that does exactly the combining of words with numbers etc... you would need to code it yourself of course, it's not available online.

all of this only makes sense, if you can exhaust the keyspace in a reasonable amount of time (say several weeks or month), otherwise it's just a waste of time !

Thanks for your reply it was extremely helpful. I created two wordlists and did a combination attack, needless to say, it would have taken 57 years... I then adjusted to dictionary to only ten words and still got an ETA of 3 days on a 2070 super. I think a large contributing factor is the fact that I am also getting the same words within the same line which is not appropriate. 

For example: few02few111few123

The word "few" should not be used more than once within the same line. How do I create a wordlist that does not duplicate words across the same line?

For example: few02egg1454saint735

Thanks a bunch!
Reply
#6
it's negligible. the more words, the less likely is that a word occurs multiple times.

As said, you could develop a fast password candidate generator that does all that fancy stuff: combining, concatenating, filtering etc ... but at the very end it could turn out to be much slower than just combining the words as described above. and most importantly, who knows if filtering is even correct ? maybe verizon doesn't do these strange filtering at all and the same word is allowed within a password multiple times?

There are of course some things you could do, for instance filter your left_dict.txt file and right_dict.txt with something like the unix grep command etc... but again, it will turn out to be only very few combinations out of hundred of thousands, negligible. This is normally not how you speed up things, it's probably best to come up with a more clever idea on how to attack those hashes ... and maybe reduce the number of words in the dict significantly (and also in a way it still cracks all/most of the hashes) etc
Reply
#7
(06-19-2020, 05:31 PM)philsmd Wrote: it's negligible. the more words, the less likely is that a word occurs multiple times.

As said, you could develop a fast password candidate generator that does all that fancy stuff: combining, concatenating, filtering etc ... but at the very end it could turn out to be much slower than just combining the words as described above.

There are of course some things you could do, for instance filter your left_dict.txt file and right_dict.txt with something like the unix grep command etc... but again, it will turn out to be only very few combinations out of hundred of thousands, negligible. This is normally not how you speed up things, it's probably best to come up with a more clever idea on how to attack those hashes ... and maybe reduce the number of words in the dict significantly (and also in a way it still cracks all/most of the hashes) etc

I don't think it's negligible because each term would have a repeat of 10,000 at [term] + [4 digit number] and then another 10,000 times X 10,000 when combining the first wordlist ([term] + [4 digit number]) + [term] and then another 10,000 for the 4 digit number thereafter and another multiple of 10,000 when adding in the final term.

Is what I am trying to do even possible in regards to filtering each line to prevent duplicate dictionary terms?
Reply
#8
it's a very special situation, which requires either a special password generator or a compromise to allow some duplicates for better speed.

The candidate generator could be as simple as this:
Code:
#!/usr/bin/env perl

# Author: philsmd
# Date: June 2020
# License: public domain, credits go to philsmd and hashcat

use strict;
use warnings;

#
# Constants
#

my $NUMBER_DIGITS = 2;
# my $NUMBER_DIGITS = 4;

#
# Start
#

if (scalar (@ARGV) < 1)
{
  print "ERROR: please specify the dict as first command line option\n";

  exit (1);
}

my $dict = $ARGV[0];

my $fh;

if (! open ($fh, "<", $dict))
{
  print "ERROR: could not open the dictionary file\n";

  exit (1);
}

binmode ($fh);

# deduplicate input:

my %words;

while (my $line = <$fh>)
{
  chomp ($line);

  $words{$line} = 1;
}

close ($fh);

my @word_list = ();

foreach my $w (sort (keys (%words)))
{
  push (@word_list, $w);
}

# w + ?d?d?d?d + w + ?d?d?d?d + w

my $out_format = "%s%0" . $NUMBER_DIGITS . "d%s%0" . $NUMBER_DIGITS . "d%s\n";

my $word_count = scalar (@word_list);

my $max_digit = 10 ** $NUMBER_DIGITS;

for (my $i = 0; $i < $word_count; $i++)
{
  for (my $j = 0; $j < $max_digit; $j++)
  {
    for (my $k = 0; $k < $word_count; $k++)
    {
      next if ($k == $i);

      for (my $l = 0; $l < $max_digit; $l++)
      {
        for (my $m = 0; $m < $word_count; $m++)
        {
          next if ($m == $i);
          next if ($m == $k);

          print sprintf ($out_format, $word_list[$i], $j, $word_list[$k], $l, $word_list[$m]);
        }
      }
    }
  }
}

The NUMBER_DIGITS determine if there are 2 digits in between or 4 digits etc.

you could run it as simple as this
Code:
perl verizon_pass_generator.pl dict.txt

(and use > stdout redirects to store it to a file or directly pipe it into hashcat)
Reply