Combining list and mask

[povlhp]

How do I, with good performance, combine a list with a mask + a list ?
I suspect many passwords are made up as word + (?d?s)* + word

Tried the combinator3 with the middle part being a file with all digits + 10 specials, and the performance was about 1MH/s instead of my usual 10000MH/s. So a factor 10000.

I am using NTLM - aka a fast algorithm.

A Combination attack does not work, as both dictionaries has to be files (Can not use - as stdin). So I cannot use -a 6 / -a7 as a preprocessor to stdin.

[philsmd]

precompute one of the sides and use -a 1 ?

Code:

hashcat --stdout -a 6 -1 ?d?s --increment -o dict1_mod.txt dict1.txt ?1?1?1

Code:

hashcat -m 0 -a 1 -w 3 hash.txt dict1_mod.txt dict2.txt

note: I omitted -O on purpose, because I have no clue how large your words will be, but the performance will be much better with that restriction and -O added

an alternative could also be to use -j with a single rule and repeat that command for each character (rule) you want to use in the middle of the two dicts

[povlhp]

Tried combinator and pipe, and it is way too slow:

Code:

C:hashcat-6.1.1>.\hashcat.exe --stdout -a1 dk.txt dk.txt  "-j$."| hashcat.exe -m1000 pwdump20201019 -o fall2020.txt -O  -w 4

Session..........: hashcat
Status...........: Running
Hash.Name........: NTLM
Hash.Target......: pwdump20201019
...
Guess.Base.......: Pipe
Speed.#1.........:  944.0 kH/s (0.66ms) @ Accel:1024 Loops:1 Thr:64 Vec:1

But running something like this is WAY FASTER:

Code:

C:hashcat-6.1.1>hashcat.exe -m1000 pwdump20201019 -o fall2020.txt -O -a6  -w 4  -1 "0123456789+-*/,.-;:_!#%&=??" -2 ?a?l?1  dk.txt ?1?2?2?2?2?2 --increment
...
Speed.#1.........:  8448.0 MH/s (11.72ms) @ Accel:1024 Loops:1024 Thr:64 Vec:1

[philsmd]

the pipe makes absolutely no sense

you can use -a 1 directly (i.e. adapt the right-hand command and only use that command with -a 1 -j added to it)
(no pipe, no stdout needed with -j )

[povlhp]

the pipe makes absolutely no sense

you can use -a 1 directly (i.e. adapt the right-hand command and only use that command with -a 1 -j added to it)
(no pipe, no stdout needed with -j )

You are absolutely right - Was trying to see if that speeded things up (more work).
A ruleset is one thing I would try:

Code:

.\hashcat.exe  -a1 --stdout  dk.txt dk.txt "-j$."  |  .\hashcat.exe  -m1000 pwdump20201019 -O -w 4 -o fall2020.txt -r rules\best64.rule

But that is very slow. 

I can do stuff like this pretty fast - It has a long startup time - but fast run-time (few secs) on 100.000 word dictionaries. and runs at 10GH/s on things like rockyou on my 5600XT.

Code:

.\hashcat.exe  -a1    -m1000 pwdump20201019 -o fall2020.txt -O  -w 4 rockyou.txt rockyou.txt "-j$0" "-kl"

I would then need to create a batch file with many of these commands to cover my case. But that is likely the best option, at least for large dicts.

I now have 250000+ out of 575000 hashes cracked. Having history in there of course makes things easier. Many users just adds or increments the end or any number. I get a diminishing return on effort, so wanted to try some more ideas, like 2 dictionary words separated by a non-letter - possible a sequence of digits. From what I can see, it is actually pretty normal where there are complexity requirements, and thus I wonder why there is no optimized module for this.

love4ever is one password from rockyou.

[philsmd]

Did you try the pre-computation of one side (the dict1_mod.txt or dict2_mod.txt approach) ? It's not always worse to use a strategy like this (mainly when the dicts aren't that huge and pre-computation of a new file is still manageable... also sometimes one dict is much smaller, e.g. domain names or something like this, so it's very doable and also effective).

Yeah we also had ideas in mind of using ?w in a new attack type or something similar to replace the placeholder ?w with the word from one dict... but it's not that fast and easy to implement efficiently (so it's still just an idea). The problem is also that with ?w the lengths of the words of course change a lot, so it's not something predictable and constant (and thus not that easy to optimize). With that idea something like ?w?d?d?w would probably be possible (but again, it's not supported yet, this was just an idea).

[povlhp]

Did you try the pre-computation of one side (the dict1_mod.txt or dict2_mod.txt approach) ? It's not always worse to use a strategy like this (mainly when the dicts aren't that huge and pre-computation of a new file is still manageable... also sometimes one dict is much smaller, e.g. domain names or something like this, so it's very doable and also effective).

Yeah we also had ideas in mind of using ?w in a new attack type or something similar to replace the placeholder ?w with the word from one dict... but it's not that fast and easy to implement efficiently (so it's still just an idea). The problem is also that with ?w the lengths of the words of course change a lot, so it's not something predictable and constant (and thus not that easy to optimize). With that idea something like ?w?d?d?w would probably be possible (but again, it's not supported yet, this was just an idea).

I am doing a little manipulation now, with dict files, and rules like -kc etc - But what I am seeing in many of the brute-forced earlier passwords is that 2 words separated by a number (not necesarily a digit) is pretty common.

Being able to do some ?w?d?d?d?d?w and then maybe a ruleset on it would be good. Often one of the words are capitalized to match company complexity policies.

I guess that optimizing the ?d?d part on openCL would we doable, and the words would then be cached ? I have no experience with vector processing, so no idea if words with pattern in middle could be optimized to run pure GPU.