0

I know of mask and dictionary attacks.

Using a mask attack, I specify the charset for each position in the password pattern, e.g., ?1?1?d?1?d?1?1?d, where ?1 := ?l?u?s.

But how do I tell hashcat to only hash (fixed length) passwords with at least N digits (?d)? That is, the ?d charset specifiers may float around in the pattern above.

Shuzheng
  • 1,097
  • 4
  • 22
  • 37

1 Answers1

1

There's no native way to do this with hashcat. Instead, you must generate a list of masks that contain all of the permutations that fit your criteria.

The common tool for this is policygen from the PACK toolkit. My answer here outlines how to use it.

For your use case, it would be something like this (assuming 8-character passwords and a minimum of 3 digits):

$ policygen --minlength=8 --maxlength=8  --mindigit=3 \
    -o len8mindigit3.masks

               _ 
     PolicyGen 0.0.2  | |
      _ __   __ _  ___| | _
     | '_ \ / _` |/ __| |/ /
     | |_) | (_| | (__|   < 
     | .__/ \__,_|\___|_|\_\
     | |                    
     |_| iphelix@thesprawl.org


[*] Saving generated masks to [len8mindigit3.masks]
[*] Using 1,000,000,000 keys/sec for calculations.
[*] Password policy:
    Pass Lengths: min:8 max:8
    Min strength: l:None u:None d:3 s:None
    Max strength: l:None u:None d:None s:None
[*] Generating [compliant] masks.
[*] Generating 8 character password masks.
[*] Total Masks:  65536 Time: 76 days, 18:50:04
[*] Policy Masks: 21067 Time: 3 days, 8:11:03

$ head len8mindigit3.masks
?d?d?d?d?d?d?d?d
?d?d?d?d?d?d?d?l
?d?d?d?d?d?d?d?u
?d?d?d?d?d?d?d?s
?d?d?d?d?d?d?l?d
?d?d?d?d?d?d?l?l
?d?d?d?d?d?d?l?u
?d?d?d?d?d?d?l?s
?d?d?d?d?d?d?u?d
?d?d?d?d?d?d?u?l

$ tail len8mindigit3.masks
?s?s?s?s?d?d?d?s
?s?s?s?s?d?d?l?d
?s?s?s?s?d?d?u?d
?s?s?s?s?d?d?s?d
?s?s?s?s?d?l?d?d
?s?s?s?s?d?u?d?d
?s?s?s?s?d?s?d?d
?s?s?s?s?l?d?d?d
?s?s?s?s?u?d?d?d
?s?s?s?s?s?d?d?d

You would then supply that file of masks to hashcat.

Royce Williams
  • 9,128
  • 1
  • 31
  • 55
  • Thank you - do you know if John the Ripper supports floating charset specifiers? – Shuzheng Jul 06 '18 at 04:24
  • I think JtR has the same capability. – Royce Williams Jul 06 '18 at 04:33
  • I meant if JtR supports floating charset specifiers instead of multiple masks? I will definitely try out Pack :) Do multiple masks provide huge overhead on the hashcat engine? That is, does switching masks take “long” time? – Shuzheng Jul 06 '18 at 04:38
  • I meant that JtR and hashcat are the same - JtR also does not support such floating specifiers as far as I am aware. And on hashcat, there is a small performance cost - a second or two between each mask. so if your results are large, compressing them to use only a non-digit charset (?l?u?s) may be somewhat more efficient. – Royce Williams Jul 06 '18 at 06:25
  • I am not sure what you mean by compressing. Would you instead of specifying at least one of ?l, ?u, and ?s, say that the candidates much contain at least three -1 ?l?u?s..? I cannot see Pack supports this? – Shuzheng Jul 06 '18 at 07:02
  • Furthermore, the "Guess.Queue......: 6/186480 (0.00%)" describes the current mask in the mask list, right? Can hashcat provide me with an approximation of total time? Right now, the estimation is per mask. – Shuzheng Jul 06 '18 at 07:22
  • Here is a simple example. You can take these three masks: ?d?d?l, ?d?d?u, ?d?d?s and replace them with the single mask and custom charset -2 ?l?u?s ?d?d?2. See https://hashcat.net/wiki/doku.php?id=mask_attack#custom_charsets – Royce Williams Jul 06 '18 at 13:45
  • Is there any tools to make such (optimal) transformations to reduce the number of masks? – Shuzheng Jul 06 '18 at 16:49