Help with more "complex" passwords
#1
I hope this is the right place for this. Hello all, I'm somewhat new to Hashcat, and new here to the forum. I have recently taken an interest in Cyber Security audits, and Pen-testing. Soon I should have a GPU server at my disposal. That all said, I have been trying to look at different ways to attack non-standard passwords and variations. Being new to Hashcat, what would be the best way to go about auditing passwords of the following formats:

Examples:

1) /*thisIsaP@ssword++
2) 8RLD:;0Xza++

My main issue is getting something like a dictionary + hash, so say for example 1. I do "-a 6 ... rockyou.txt ?a" - that is only doing word combinations and trying different special chars at the end of the phrase. So what would be the best way for something like example 1? Is there some form of combinator with rules I should look at to do the beginning, middle, and end, or am I thinking about this all wrong?
Reply
#2
(01-05-2021, 07:53 PM)Volinity Wrote: I hope this is the right place for this. Hello all, I'm somewhat new to Hashcat, and new here to the forum. I have recently taken an interest in Cyber Security audits, and Pen-testing. Soon I should have a GPU server at my disposal. That all said, I have been trying to look at different ways to attack non-standard passwords and variations. Being new to Hashcat, what would be the best way to go about auditing passwords of the following formats:

Examples:

1) /*thisIsaP@ssword++
2) 8RLD:;0Xza++

My main issue is getting something like a dictionary + hash, so say for example 1. I do "-a 6 ... rockyou.txt ?a" - that is only doing word combinations and trying different special chars at the end of the phrase. So what would be the best way for something like example 1? Is there some form of combinator with rules I should look at to do the beginning, middle, and end, or am I thinking about this all wrong?

From my limited experience with hashcat, you can’t do that by itself... in a sense... and bruteforcing this will take ages, depending on the hash...
That being said, I would do it this way:
Maskprocessor (mp64.bin) -q 3 ?a?a?a?a?a?a?a?a?a?a?a?a | hashcat mode attack hash
That way you will generate the password in maskprocessor. Hashcat itself will not do masks that long on some hashes. But basically with that command you will generate passwords where any character repeats max twice and then push those into hashcat...

If you have fast GPU acceleration and mp is too slow, you can do this with crunch too, and crunch is ridiculously fast in making the words... but essentially you are generating all passwords ever...
You can then still add a rule into hashcat to reject things that don’t match a pattern, further reducing things.
Reply
#3
(01-12-2021, 02:44 PM)vicious1 Wrote:

You can then still add a rule into hashcat to reject things that don’t match a pattern, further reducing things.


I've been searching forums for maybe a week now for this specific question and found nothing but "referring wiki page" replies.

I've a password, a damn long one, and that password contains - let's say - 123456 numbers that I know. So I want to make a reject policy that each candidate that doesn't contain that 123456 should be rejected (or ignored to accelerate the process, to be precise - maybe I'm wandering in the wrong place, I don't know). How to write this? Wiki says

Reject not contain | /X | Reject plains which do not contain char X | /e

and since there is no example of it at the page, I just wrote

-j /123456

Is this correct? Cuz it seems exactly the same in the command prompt as if I didn't write that down at all.
Reply
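
An added example, not part of any post above and not hashcat's own code: a small Python model of the `/X` row quoted in post #3. It shows that `/` takes a single character, so a chain of `/X` checks accepts the digits in any order, while a substring filter placed in the pipe described in post #2 keeps only candidates with the contiguous run. The function names, the space-separated chain syntax of this model, and the sample candidates are assumptions constructed for illustration.

```python
import sys

def parse_reject_chain(rule):
    """Parse a rule made only of '/X' functions; return the required characters.

    This toy model understands nothing else, so any other token is an error.
    """
    required, i = [], 0
    while i < len(rule):
        if rule[i] == " ":                   # separator between functions
            i += 1
        elif rule[i] == "/" and i + 1 < len(rule):
            required.append(rule[i + 1])     # '/' consumes exactly ONE character
            i += 2
        else:
            raise ValueError("not a /X function at offset %d: %r" % (i, rule[i:]))
    return required

def passes_chain(plain, required):
    """'/X' as described in the wiki row: reject plains that lack char X."""
    return all(ch in plain for ch in required)

def filter_substring(candidates, needle):
    """Keep only candidates containing `needle` as one contiguous run."""
    return [c for c in candidates if needle in c]

# Constructed sample candidates (not real passwords).
SAMPLE = ["abc123456xyz", "654321abc", "a1b2c3d4e5f6", "nodigits"]

def compare(rule, needle, candidates=SAMPLE):
    """Return (survivors of the /X chain, survivors of the substring filter)."""
    required = parse_reject_chain(rule)
    by_chain = [c for c in candidates if passes_chain(c, required)]
    return by_chain, filter_substring(candidates, needle)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Pipe stage: candidate generator | python3 this_script.py 123456 | hashcat ...
        for line in sys.stdin:
            word = line.rstrip("\n")
            if sys.argv[1] in word:
                print(word)
    else:
        print(compare("/1 /2 /3 /4 /5 /6", "123456"))
```

In this model the chain lets through "654321abc" and "a1b2c3d4e5f6", which contain every digit but not the run 123456; only the substring filter narrows the sample to "abc123456xyz".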