Brute Forcing with Hashcat
In this lab we will review some hexadecimal, as well as go over a couple new methods of attack. To begin with, hexadecimal is a way of representing numbers much like decimal. In decimal you have 10 numbers to work with, 0-9. This is why we use the prefix deci(means 10). In hexadecimal you break down the two prefixes and add them together. Hexa(means 6) + deci(means 10), giving you 16. This is why people often refer to hexadecimal as base 16. The same rules apply for hex, the base number is the amount of numbers, or characters, that you have to work with. In hex you have access to 0-9, but also a-f. This means that instead of wrapping around to the number 10 in decimal, hex uses the letter a.
Decimal Hexadecimal 10 a 11 b ...... 15 f 16 10 17 11 ...... 31 1f 32 20So why is hex relevant to hashcat? Because hashing algorithms will often output their hash in hexadecimal, and sometimes the salt is stored in hex as well. In order to properly attack a password hash, the program must know the difference. How is hashcat supposed to know that the a that is in the file means the decimal number 10, not the letter. This is where the additional arguments like --hex-salt come into play. You can also use this knowledge as a means to verify you are hashing your passwords correctly. If the hash is stored in hex and you know how many bits the hashing algorithms use, it is simple division to check your hashes are the appropriate length.
MD5 - 128 bits Number of bits in a hex digit - 4 128/4 = 32 hex digits in your MD5 hash
How many different passwords could you have with just these two rules? The answer is the number of permutations, with repeating allowed. So we look at the number of possibilities in each space, 0-9.
10 10 10 10 = 10x10x10x10 = 10^4As you can see, this is quite the large number for quite the small password. Brute Forcing a password becomes exponentially more difficult as you increase the number of characters, and you increase the keyspace. This is why you will notice hashcat no longer has a wiki article specifically for brute forcing, because there is a similar method that is strictly more efficient.
Mask Attack ?a?a?a?a Every index can be any number, letter, or symbol, upper or lowercaseBecause at the worst a mask attack is equal to a brute force attack, it can only ever get better. By changing the keyspaces allowed to each index, you greatly reduce the number of possibilities. For instance:
?l?l?l?l?d?d 26x26x26x26x10x10 ?a?a?a?a?a?a 97x97x97x97x97x97In the first example we have 4 lowercase letters followed by two numbers. This pattern has far less possible outcomes than the second, which is everything possible. What if we also include the rule that no numbers in the password can be repeated? Well, then we decrease the number of possibilities each time.
10 9 8 7 = 10x9x8x7 = 10!/6!The numbers change depending on what is available, there are 26 letters, 26 uppercase letters, and numerous symbols. After you have finished the lab, attempt to complete the following questions.