mask processor complexity and hashcat
#1
Hi, so, I have been playing now with hashcat for a while but only recently joined the forum.
So we did a small pentest on our in-house application and managed to the the database of our in-house users. All great. we extracted the hashes in the DB and asked one of the ladies from IT if we can attempt to crack her password.. she said: Go for it.. she even gave us hints.. but.. i nearly choked on the impossibility Big Grin So Now i am wondering if i can write an advanced mask filter or something that makes this a bit easier.. if anyone can push me in the right direction without generating 239578094589732895473 TB of data , would be awesome.. 

Hints were: 14 characters, Numbers and letters and special characters.
so that would make it impossible to realistically crack. She mentioned then this: password is NOT computer generated. Special characters and numbers are only in the later part of the password and the first part is letters.. HOWEVER , she did not state where the later part and the first part starts.. so I am gonna got with a split down the middle 7-7 to start with. She even cracked and told us which special characters are NOT in the last part.

Would a good approach be to generate 2 word lists (one with only letters and one withonly numbers and special characters ? And can you combine them in a combination attack without blowing it all out of proportion? BTW, its bcrypt the encryption. 

Last question: limiting the character repition in Maskprocessor etc, would limit the amount of stuff going on.. or would this be easier done with a rule??

Thanks for pointing me in the right direction.. :R
Reply
#2
By saying "password is NOT computer generated" and "generate 2 word lists (one with only letters and...)" do you mean that the first 7 characters are normal and human words or just random letters?
Reply
#3
(01-05-2021, 11:51 PM)parano1d Wrote: By saying "password is NOT computer generated" and "generate 2 word lists (one with only letters and...)" do you mean that the first 7 characters are normal and human words or just random letters?
Hi, yea... that’s how I understood it... I guess the problem lies in how many characters do I make “overlap” .

So I know that the first part is letters only.. but if I take the first part to be 7 letters... (reasonable assumption), it would leave me with 7 more in terms of full mixture including Letters numbers and symbols...
Because some human types words can be longer than 7 characters... but generating that word list and then making it run agains the hash and another work ist is probably not computationally feasible... and disk space might be an issue too Smile
Reply
#4
I don't understand why people tackle problems of feasibility in such a complicated manner. You know what cracking speed your hardware can achieve against your target hash and you can calculate a rough estimate of the number of candidates you have. With those numbers it should be straight forward to determine the feasibility of cracking your target hash.

My guess is that with bcrypt and your keyspace you don't have to worry about actually attacking it after you have done that math.
Reply