RevsUp Lab: Hashcat 02

Hashcat Wiki
oclHashcat Details
Bute Forcing
Brute Forcing with Hashcat

In this lab we will review some hexadecimal, as well as go over a couple new methods of attack. To begin with, hexadecimal is a way of representing numbers much like decimal. In decimal you have 10 numbers to work with, 0-9. This is why we use the prefix deci(means 10). In hexadecimal you break down the two prefixes and add them together. Hexa(means 6) + deci(means 10), giving you 16. This is why people often refer to hexadecimal as base 16. The same rules apply for hex, the base number is the amount of numbers, or characters, that you have to work with. In hex you have access to 0-9, but also a-f. This means that instead of wrapping around to the number 10 in decimal, hex uses the letter a.

    Decimal       Hexadecimal
        10              a
        11              b
        15              f
        16              10
        17              11
        31              1f
        32              20
So why is hex relevant to hashcat? Because hashing algorithms will often output their hash in hexadecimal, and sometimes the salt is stored in hex as well. In order to properly attack a password hash, the program must know the difference. How is hashcat supposed to know that the a that is in the file means the decimal number 10, not the letter. This is where the additional arguments like --hex-salt come into play. You can also use this knowledge as a means to verify you are hashing your passwords correctly. If the hash is stored in hex and you know how many bits the hashing algorithms use, it is simple division to check your hashes are the appropriate length.
    MD5 - 128 bits  Number of bits in a hex digit - 4   128/4 = 32 hex digits in your MD5 hash

Brute Forcing

Look over the wikipedia article for brute forcing, as well as the hashcat article. Brute forcing is exactly what it sounds like, you try to crack a password by hashing and comparing every possible combination. This might sound simple, because it is. But with the simplicity comes a massive increase in time. Let's imagine a 4 digit password, only numbers.
How many different passwords could you have with just these two rules? The answer is the number of permutations, with repeating allowed. So we look at the number of possibilities in each space, 0-9.
    10  10  10  10   = 10x10x10x10 = 10^4
As you can see, this is quite the large number for quite the small password. Brute Forcing a password becomes exponentially more difficult as you increase the number of characters, and you increase the keyspace. This is why you will notice hashcat no longer has a wiki article specifically for brute forcing, because there is a similar method that is strictly more efficient.

Mask Attack

A mask attack is very similar to brute forcing, you perform all the combinations available to you. However, with a mask attack you specifically shrink the keyspace available by following patterns often found in passwords. Look at the wiki page for mask attacks to see what each indicator means. In the very worst case possible, a mask attack is as bad as a brute force attack.
    Mask Attack
    ?a?a?a?a        Every index can be any number, letter, or symbol, upper or lowercase
Because at the worst a mask attack is equal to a brute force attack, it can only ever get better. By changing the keyspaces allowed to each index, you greatly reduce the number of possibilities. For instance:
    ?l?l?l?l?d?d        26x26x26x26x10x10
    ?a?a?a?a?a?a        97x97x97x97x97x97
In the first example we have 4 lowercase letters followed by two numbers. This pattern has far less possible outcomes than the second, which is everything possible. What if we also include the rule that no numbers in the password can be repeated? Well, then we decrease the number of possibilities each time.
    10  9  8  7  = 10x9x8x7 = 10!/6!
The numbers change depending on what is available, there are 26 letters, 26 uppercase letters, and numerous symbols.

After you have finished the lab, attempt to complete the following questions.
(1) How many digits should you have in a sha1 hash? sha256? sha512?
(2) How many attempts will it take to brute force a 6 digit password of only numbers in the worst case?
(3) How many possible passwords are there that follow the rules: 6 characters long, letters or numbers, all letters lowercase.
(4) Let's try hashcat's syntax, how many possible passwords are there that follow this format: ?u?u?l?l?d?d?d?d
(5) Give an example of a password that matches the previous format.
(6) What is the best thing about a brute force attack?
(7) How many possible passwords can be generated with these rules: 6 characters long, the first four are letters, the next is a number, the last is a symbol.
(8) What if I add the rule that any letter in the password can only repeat twice in a row? eg: aaa is invalid
(9) List some popular password patterns you can think of.
(10) What do you think the ./oclHashcat64.bin call will look like when using a mask attack? Remember, we are no longer using a dictionary.
(11) In your hashcat directory you should find a folder called masks. Enter that folder and vi into one of the files. What do you see? What do you think this is used for. These files are called custom charsets.