RevsUp Lab: Hashcat 03

Hashcat Wiki
oclHashcat Details
Mask Attack
Hybrid Attack

Mask Attacks Continued

In this lab we will continue looking at mask attacks and their applications. We have already gone over the different placeholders when creating masks:
    ?l - lowercase letters - 26 possibilities -  a - z
    ?u - uppercase letters - 26 possibilities -  A - Z
    ?s - symbols           - 35 possibilities -  " - ~
    ?d - numbers           - 10 possibilities -  0 - 9
The combination of your placeholders creates your mask. By using a mask instead of a dictionary you can thoroughly attack a specific keyspace combination. The passwords we want to crack with a mask must match the specifications of the placeholders, as well as the length of the mask itself.
    ?l?l?l?l                aaaa  --valid
                            abcd  --valid
                            abc   --invalid
A mask attack is ran in a very similar way to a dictionary attack, the attack mode simply needs to be changed and the dictionary needs to be swapped with a mask.
    ./cudaHashcat64.bin -m (hashing algo) -a 3 (file of hashes) (your mask)
In this way masks replace a dictionary file when using hashcat. Each string of numbers/letters/symbols is hashed and compared, rather than each line of a word list.

Mask Files

Due to some of the limitations of using a single mask, hashcat also supports making a file of multiple masks. For every hash that you are trying to crack, every combination of each mask in your mask file will be attempted.
    Password      Mask File
    PassWord        ?l?l?l?l?l?l?l?l --will try all lowercase letters and fail
                    ?u?l?l?l?l?l?l?l --will try an uppercase letter followed by lowercase letters and fail
                    ?u?l?l?l?u?l?l?l --success
With these mask files effective groups of masks can be saved and reused many times. This can be extremely useful when popular patterns in passwords are discovered. The convenience of these files can come at a steep price. Having a lengthy mask file, or a mask file with numerous long masks, will lead to a massive increase in the number of hashes performed by hashcat per password hash.

Custom Charsets

On top of storing different masks in files, hashcat also supports custom masks. By indicating 1,2,3, or 4 with hashcat you can specify a custom mask to be associated with that number.
    Hashcat Arguments             Output
    -a 3 -1 ?l?d ?1?1?1?1         aaaa - zzzz
In this example the 2 placeholder mask ?l?d is being stored in 1. Now by using the custom charset 1 for the placeholder instead, you can represent ?l?d.
    Hashcat Arguments             Output
    ?a?a?a                        ?l?u?d?s
    ?b?b?b                        0x00 - 0xff
Taking a look at hashcat's ?a placeholder, you can see that it was implemented in much the same way. The lowercase, uppercase, digit, and symbol placeholders can all be represented by this custom charset. The ?b placeholder is an often overlooked placeholder as well, it can be used to represent hex numbers in a password.

Incrementing a mask

One big problem with the entire premise of the mask attack is the fact that the password must fit the mask exactly. If you have a mask that is 8 placeholders long, any password that is less than 7 characters, or greater than 8, will fail. This is where the increment option comes in. By specifying your mask and using the --increment argument you can try smaller chunks of your mask first. Incrementing is essentially marginally increasing a value little by little.
    Mask           Incrementing Through Mask
    ?d?d?d?d?d      ?d
This process elimates the problem of a mask having to fit the exact same length of a password, as long as the password is smaller than the total size of your mask. The --increment flag is the most basic form of incrementing through your mask, --increment-min and --increment-max can be used to hone in on a certain area.
    Mask           min=4, max=7
    ?u?l?l?d?d?d?d    ?u?l?l?d
By narrowing down the increment range, you drastically reduce the number of iterations your mask will go through, and thus greatly reduce the number of hashes performed per password.

(1) What are some of the limitations of mask attacks?
(2) Assume you have a hash file containing 100 hashes. If the mask ?u?l?d is used in a cracking attempt against the hashes, how many times will hashcat have to perform a hash in the worst case scenario?
(3) If I have a file of 5 hashed passwords and a masks file, how many hashes will be performed in the worst case if the file contains: ?d?d?d, ?l?d, ?u?l?l
(4) If you have a password of 5 letters and you somehow know there is a single uppercase, give an educated guess for a successful mask.
(5) Write out a hashcat call filling in these parameters: the hashing method is sha256, the attack type is a mask attack, the file holding your hashes is passwords.hash, and the mask itself covers a pattern of uppercase letter, lowercase letter, digit 3 times. Write out the mask using a custom charset
(6) Check your masks folder and vi into one of the premade mask files. Think about the impact running that mask file against and extensive list of hashed passwords would be. In what situation are mask attacks likely to be most useful?
(7) In general terms, the speed of cracking passwords is impacted by two major factors. One is the number of hashes that must be performed. What is the other major factor? What factors decide how many hashes will be performed?
(8) Make a file called passwords. Fill this file with the word "password" with combinations of uppercase/lowercase letters and/or numbers appended to the end. Make at least 10 combinations. Now use hashMultiPass to MD5 hash these passwords into a separate file. Run a mask attack against these hashes. (Hint: If your entire mask is made up of placeholders, there is a much more efficient way!)
(9) Imagine you have a file full of hashed passwords. You know these passwords came from a company that follows a pattern for all employee passwords: first letter of first name (uppercase), 3 letters from last name (first letter uppercase), followed by their year of birth. Assuming some employees give their full year, and some reduce it to 2 digits, create a mask and a --increment-min --increment-max that will find all of the passwords.
(10) Is there a more efficient method to cracking the previous problem using mask files instead of incrementing? Explain.
(11) Given the mask ?l?l?l?l, if the --increment tag is used, how many hashes will be performed in the worst case?