Help with more "complex" passwords
#1
I hope this is the right place for this. Hello all, I'm somewhat new to Hashcat, and new here to the forum. I have recently taken an interest in Cyber Security audits, and Pen-testing. Soon I should have a GPU server at my disposal. That all said, I have been trying to look at different ways to attack non-standard passwords and variations. Being new to Hashcat what would be the best way to go about auditing a passwords of the following formats:

Examples:

1) /*thisIsaP@ssword++
2) 8RLD:;0Xza++

My main issue is getting something like a dictionary + hash, so say for example 1. I do "-a 6 ... rockyou.txt ?a" - that is only doing word combinations and trying different special char's at the end of the phrase. So what would be the best way for something like example 1? Is there some form of combinator with rules I should look at to do the beginning middle and end, or am I thinking about this all wrong?
Reply
#2
(01-05-2021, 07:53 PM)Volinity Wrote: I hope this is the right place for this. Hello all, I'm somewhat new to Hashcat, and new here to the forum. I have recently taken an interest in Cyber Security audits, and Pen-testing. Soon I should have a GPU server at my disposal. That all said, I have been trying to look at different ways to attack non-standard passwords and variations. Being new to Hashcat what would be the best way to go about auditing a passwords of the following formats:

Examples:

1) /*thisIsaP@ssword++
2) 8RLD:;0Xza++

My main issue is getting something like a dictionary + hash, so say for example 1. I do "-a 6 ... rockyou.txt ?a" - that is only doing word combinations and trying different special char's at the end of the phrase. So what would be the best way for something like example 1? Is there some form of combinator with rules I should look at to do the beginning middle and end, or am I thinking about this all wrong?
From my limited experience with hashcat, you can’t do that by itself.. in a sense.. and bruteforcing this, will take ages, depending on the hash...
That being said, I would do it this way:
Masprocessor (mp64.bin) -q 3 ?a?a?a?a?a?a?a?a?a?a?a?a |hashcat mode attack hash
That way you will generate the password in maskprocessor. Hashcat itself will not do masks that long on some hashes. But basically with that command you will generate passwords where any character repeats max twice and then push those into hashcat...

If you have a fast gpu acceleration and mp is too slow, you can do this with crunch too and crunch is ridiculously fast in making the words.. but essentially you are generating all password ever... 
you can add a rule into hashcat then still to reject things that don’t match a pattern , further reducing things
Reply