How to apply known password constraints while using dictionary and rules?
#1
Question 
Hello,

First of all, thank you very much to those who are developing and maintaining hashcat!

I'm trying to find passwords matching md5crypt salted hashes using CUDA with a P2000, the only GPU I have.
I know that the passwords have at least 8 characters, at least one lower (a-z) case letter (?l), at least one upper (A-Z) case letter (?u), at least one number (0-9) (?d) and at least one special character (?s without the "space").
I would like to use a dictionary like rockyou.txt and rules like OneRuleToRuleThemAll.rule from NotSoSecure to expand it.
However by doing that a lot of passwords which do not meet the known requirements, below the minimum length or including chars out of the known charset, are hashed uselessly.
From what I read, due to the fact that password candidates are generated using the rules directly by the GPU, no hashcat option exists to enforce these requirements, is that right?

I also read about the "-S" option with the following description: "Enable slower (but advanced) candidate generators"
I don't know exactly what it means, but probably that in this case the password candidates are not generated directly by the GPU; so by using this option, if it makes any sense regarding performance, is there a way to enforce the known password constraints detailed previously?

I also read about a solution which consists of generating the candidates to stdout and then piping them to hashcat through stdin.
Once again, I don't know the impact on performance or whether it makes any sense; however, by doing that, how should I enforce the password constraints? Through a mask or specific rules?
Using the stdout / pipe / stdin solution I'll also inevitably lose the estimated time... if I try at first with, for example, 1% of the dictionary content and then multiply the time it needed to finish by 100, does that make any sense?

If you have any other suggestion to meet the goal, which is to crack those md5crypt salted hashes, feel free to share.

Thank you very much,
Reply
#2
All your findings are correct. There is no way to enforce such policy requirements in hashcat.

Pretty much the only solution is to use stdin and filter the input words in advance using an external program (e.g. grep).

Yes, you will lose the estimated time by doing that. Extrapolating the time needed to process 1% would work for a rough estimate, but even knowing when you hit the 1% will be a challenge and it assumes the amount of filtered candidates remains roughly the same within the other 99%.
Reply
#3
Hello undeath,

Thank you very much for the quick reply.
So finally here's what I did, in case it helps others:
hashcat.exe rockyou.txt -r rules/OneRuleToRuleThemAll.rule --stdout | .\hashcat-utils-1.9\bin\len.exe 8 15 | .\hashcat-utils-1.9\bin\req-include.exe 15 | hashcat.exe -m500 pass.txt -O -w 3
I don't know if using a regex with grep would be faster than using the hashcat-utils tools, however the regex I found to filter the charset, and not to enforce the length, wasn't very friendly:
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!"#$%&'()*+,\-./:;<=>?@[\\\]^_`{|}~])[a-zA-Z0-9!"#$%&'()*+,\-./:;<=>?@[\\\]^_`{|}~]*$
Reply
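The external filtering step discussed in posts #2 and #3, as an added example that is not part of the original thread and is not hashcat-utils code: a stdin-to-stdout filter in C that applies the length, required-class and allowed-charset constraints from post #1 in a single pass. The function name `meets_policy`, the `MIN_LEN` constant and the buffer size are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MIN_LEN 8   /* minimum length stated in post #1 (assumed constant name) */

/* Returns 1 if the candidate satisfies the policy from post #1:
 * length >= MIN_LEN, only a-z / A-Z / 0-9 / ASCII punctuation (no space),
 * and at least one character from each of those four classes. */
int meets_policy(const char *s, size_t len)
{
    int lower = 0, upper = 0, digit = 0, special = 0;

    if (len < MIN_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c >= 'a' && c <= 'z')       lower = 1;
        else if (c >= 'A' && c <= 'Z')  upper = 1;
        else if (c >= '0' && c <= '9')  digit = 1;
        else if (c > 0x20 && c < 0x7f)  special = 1;   /* ?s without the space */
        else return 0;   /* space, control byte or non-ASCII: outside the charset */
    }
    return lower && upper && digit && special;
}

/* Filter stdin to stdout and report the kept/read counts on stderr.
 * Assumes each candidate line is shorter than the buffer. */
int main(void)
{
    char line[512];
    unsigned long long seen = 0, kept = 0;

    while (fgets(line, sizeof line, stdin)) {
        size_t len = strcspn(line, "\r\n");   /* strip LF or CRLF */
        seen++;
        if (meets_policy(line, len)) {
            fwrite(line, 1, len, stdout);
            fputc('\n', stdout);
            kept++;
        }
    }
    fprintf(stderr, "read %llu candidates, kept %llu\n", seen, kept);
    return 0;
}
```

Once compiled, the program takes the place of the filter stage between the `--stdout` hashcat and the cracking hashcat in the pipeline from post #3. The kept/read counts it prints on a sample of the wordlist give the filter ratio that the extrapolation in post #2 assumes stays roughly constant.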