Unsure which method to use
#1
Hi all, hashcat is really great!

I'm trying to crack my forgotten password on a bitcoin wallet... I was able to extract the hash and I have all the GPU
drivers installed, but I'm struggling a little bit with what method would be the best to try to use.

I've got a list of possible strings, and then I know back then I was doing things like doing stupid modifications to passwords,
like changing E to be a 3 or making A be a 4, or "bitcoin" be bi7coin or bitcoiN, etc. I am pretty sure that if I replaced an "O"
with a zero (0) in a word, I would have done it for both instances of the letter "O" when it occurs.

The above kind of suggests I use the leetspeak.rule, but my list of possible strings is really short, so I think it's too small to
be efficiently parallel. I tried ./hashcat.bin -a 0 -m 11300 ./hash.txt ./wordlist.txt -O -w 3 -r rules/unix-ninja-leetspeak.rule, but that finished way too fast (without success).

Any suggestions would be appreciated, I'm still reading the wiki and documentation to understand what options would make sense.
#2
The attack looks good, especially for your use case. One thing that ruleset does not do is toggling the case of characters. You'd have to chain together with toggles{1,2,3}.rule to include some case toggling. Chances are, one of your leetspeak modifications is not listed in unix-ninja-leetspeak.rule. In that case you can try with Incisive-leetspeak.rule which has a few more rules, again while chaining with the toggles rules.

Chaining rulesets simply works by using -r multiple times.
#3
Thanks for the suggestion, I still get the following when I run with the chained toggles{1,2,3}.rule:


Code:
./hashcat.bin -a 0 -m 11300 ./hash.txt ./wordlist.txt -O -w 3 -r rules/Incisive-leetspeak.rule -r rules/toggles{1,2,3}.rule
hashcat (v6.1.1) starting...

Kernel /home/user/Downloads/hashcat-6.1.1/OpenCL/m11300-optimized.cl:
Optimized kernel requested but not needed - falling back to pure kernel

OpenCL API (OpenCL 1.1 Mesa 18.3.6) - Platform #1 [Mesa]
========================================================
* Device #1: AMD Radeon (TM) RX 480 Graphics (POLARIS10, DRM 3.38.0, 4.19.0-10-amd64, LLVM 7.0.1), 26150/26214 MB (6553 MB allocatable), 36MCU

OpenCL API (OpenCL 2.1 AMD-APP (3143.9)) - Platform #2 [Advanced Micro Devices, Inc.]
=====================================================================================

Kernel /home/user/Downloads/hashcat-6.1.1/OpenCL/m11300-optimized.cl:
Optimized kernel requested but not needed - falling back to pure kernel

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 232305

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
* Uses-64-Bit

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 696 MB

Dictionary cache hit:                 
* Filename..: ./wordlist.txt
* Passwords.: 240
* Bytes.....: 1835
* Keyspace..: 55753200

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Running
Hash.Name........: Bitcoin/Litecoin wallet.dat
Hash.Target......: xxx
Time.Started.....: Sun Aug 16 08:23:21 2020, (3 mins, 30 secs)
Time.Estimated...: Thu Aug 20 05:14:57 2020, (3 days, 20 hours)
Guess.Base.......: File (./wordlist.txt)
Guess.Mod........: Rules (rules/Incisive-leetspeak.rule, rules/toggles1.rule)
Guess.Queue......: 1/3 (33.33%)
Speed.#1.........:      167 H/s (2.80ms) @ Accel:128 Loops:64 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 34800/55753200 (0.06%)
Rejected.........: 0/34800 (0.00%)
Restore.Point....: 0/240 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:145-146 Iteration:17472-17536
Candidates.#1....: xxx -> 2011


A couple notes about the above:

1. The wordlist or mask that you are using is too small still, can I increase that somehow?
2. Approaching final keyspace - workload adjusted. <--- this happens right away, should I do something here?
3. I notice that the Guess.Mod line only has the rules/toggles1.rule, and not the other two, is that ok?
4. I am unaware of whether 167 H/s is a good speed or not.
5. I xxx'd out a couple things :D
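An added illustration, not part of any post above and not hashcat's own code: bash expands -r rules/toggles{1,2,3}.rule before the program starts, so only toggles1.rule follows -r and the other two names arrive as plain positional arguments, which is consistent with the Guess.Mod line and the Guess.Queue 1/3 line in the log above. classify_args is a simplified, hypothetical model of how a single "-r FILE" option consumes its argument, and rule_flags is a hypothetical helper that emits one -r per rule file; the file names are the ones from the thread and hashcat is never executed.

```shell
#!/usr/bin/env bash
# Added example: shows what the shell passes to a program, nothing more.

# The argv bash produces for the brace pattern used in post #3.
# bash -c keeps the demo identical even when this file is run by plain sh.
expanded_args() {
    bash -c 'printf "%s\n" -r rules/toggles{1,2,3}.rule'
}

# Simplified model (assumption): "-r" consumes exactly one following token,
# every other token is treated as positional.
classify_args() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -r) if [ "$#" -ge 2 ]; then
                    printf 'rule:%s\n' "$2"
                    shift
                fi ;;
            *)  printf 'positional:%s\n' "$1" ;;
        esac
        shift
    done
}

# Emit one "-r FILE" pair per rule file, the form post #2 describes
# ("using -r multiple times").
rule_flags() {
    for f in "$@"; do
        printf '%s\n%s\n' -r "$f"
    done
}

echo "argv after brace expansion:"
expanded_args

echo "how the command from post #3 is read:"
classify_args ./hash.txt ./wordlist.txt -r rules/Incisive-leetspeak.rule \
    $(expanded_args)

echo "with one -r per rule file:"
classify_args ./hash.txt ./wordlist.txt -r rules/Incisive-leetspeak.rule \
    $(rule_flags rules/toggles1.rule rules/toggles2.rule rules/toggles3.rule)
```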