RevsUp Lab: Hashcat 03
Mask Attacks Continued
In this lab we will continue looking at mask attacks and their applications. We have already gone over the different
placeholders when creating masks:
?l - lowercase letters - 26 possibilities - a - z
?u - uppercase letters - 26 possibilities - A - Z
?s - symbols - 35 possibilities - " - ~
?d - numbers - 10 possibilities - 0 - 9
The combination of your placeholders creates your mask. By using a mask instead of a dictionary you can thoroughly
attack a specific keyspace combination. The passwords we want to crack with a mask must match the specifications
of the placeholders, as well as the length of the mask itself.
?l?l?l?l aaaa --valid
A mask attack is ran in a very similar way to a dictionary attack, the attack mode simply needs to be
changed and the dictionary needs to be swapped with a mask.
./cudaHashcat64.bin -m (hashing algo) -a 3 (file of hashes) (your mask)
In this way masks replace a dictionary file when using hashcat. Each string of numbers/letters/symbols is hashed and
compared, rather than each line of a word list.
Due to some of the limitations of using a single mask, hashcat also
supports making a file of multiple masks. For every hash that you are trying to crack, every combination of each mask
in your mask file will be attempted.
Password Mask File
PassWord ?l?l?l?l?l?l?l?l --will try all lowercase letters and fail
?u?l?l?l?l?l?l?l --will try an uppercase letter followed by lowercase letters and fail
With these mask files effective groups of masks can be saved and reused many times. This can be extremely useful
when popular patterns in passwords are discovered. The convenience of these files can come at a steep price. Having a lengthy
mask file, or a mask file with numerous long masks, will lead to a massive increase in the number of hashes performed by
hashcat per password hash.
On top of storing different masks in files, hashcat also supports
custom masks. By indicating 1,2,3, or 4 with hashcat you can specify a custom mask to be associated with that number.
Hashcat Arguments Output
-a 3 -1 ?l?d ?1?1?1?1 aaaa - zzzz
In this example the 2 placeholder mask ?l?d is being stored in 1. Now by using the custom charset 1 for the placeholder instead,
you can represent ?l?d.
Hashcat Arguments Output
?b?b?b 0x00 - 0xff
Taking a look at hashcat's ?a placeholder, you can see that it was implemented in much the same way. The lowercase, uppercase,
digit, and symbol placeholders can all be represented by this custom charset. The ?b placeholder is an often overlooked
placeholder as well, it can be used to represent hex numbers in a password.
Incrementing a mask
One big problem with the entire premise of the mask attack is the fact that the password must fit the mask exactly. If you have
a mask that is 8 placeholders long, any password that is less than 7 characters, or greater than 8, will fail. This is where
the increment option comes in. By specifying your mask and using the --increment argument you can try smaller chunks of your mask
first. Incrementing is essentially marginally increasing a value little by little.
Mask Incrementing Through Mask
This process elimates the problem of a mask having to fit the exact same length of a password, as long as the password
is smaller than the total size of your mask. The --increment flag is the most basic form of incrementing through your mask,
--increment-min and --increment-max can be used to hone in on a certain area.
Mask min=4, max=7
By narrowing down the increment range, you drastically reduce the number of iterations your mask will go through, and thus
greatly reduce the number of hashes performed per password.
(1) What are some of the limitations of mask attacks?
(2) Assume you have a hash file containing 100 hashes. If the mask ?u?l?d is used in a cracking attempt against
the hashes, how many times will hashcat have to perform a hash in the worst case scenario?
(3) If I have a file of 5 hashed passwords and a masks file, how many hashes will be performed in the worst
case if the file contains: ?d?d?d, ?l?d, ?u?l?l
(4) If you have a password of 5 letters and you somehow know there is a single uppercase, give an educated
guess for a successful mask.
(5) Write out a hashcat call filling in these parameters: the hashing method is sha256, the attack type is a mask attack,
the file holding your hashes is passwords.hash, and the mask itself covers a pattern of uppercase letter, lowercase letter, digit
3 times. Write out the mask using a custom charset
(6) Check your masks folder and vi into one of the premade mask files. Think about the impact running that mask file against
and extensive list of hashed passwords would be. In what situation are mask attacks likely to be most useful?
(7) In general terms, the speed of cracking passwords is impacted by two major factors. One is the number of hashes that
must be performed. What is the other major factor? What factors decide how many hashes will be performed?
(8) Make a file called passwords. Fill this file with the word "password" with combinations of uppercase/lowercase letters
and/or numbers appended to the end. Make at least 10 combinations. Now use hashMultiPass to MD5 hash these passwords into a
separate file. Run a mask attack against these hashes. (Hint: If your entire mask is made up of placeholders, there is a
much more efficient way!)
(9) Imagine you have a file full of hashed passwords. You know these passwords came from a company that follows a
pattern for all employee passwords: first letter of first name (uppercase), 3 letters from last name (first letter uppercase),
followed by their year of birth. Assuming some employees give their full year, and some reduce it to 2 digits, create a mask
and a --increment-min --increment-max that will find all of the passwords.
(10) Is there a more efficient method to cracking the previous problem using mask files instead of incrementing? Explain.
(11) Given the mask ?l?l?l?l, if the --increment tag is used, how many hashes will be performed in the worst case?