RevsUp Lab: Hashcat 04

Hashcat Wiki
oclHashcat Details
Hybrid Attacks

Hybrid Attacks and Brute Forcing

Now that we have a general understanding of mask attacks and brute forcing, we can try to utilize the benefits of these methods while avoiding some of the pitfalls. We know that brute forcing and mask attacks are powerful because they can find the widest spectrum of passwords, but as passwords become larger the number of hashes that will be performed for each password becomes too large. We can somewhat curb these downsides with Hybrid Attacks. A hybrid attack uses the familiar dictionary attack and combines it with a brute force attack. Think of it as a combination of dictionary, combination, and brute force attacks. For this example let's say we have a dictionary file called dictionary.dict. It contains only the word password.
        Hybrid Attack               Results
        dictionary.dict ?a?a        password00
Basically the word password is having every possible combination of two characters appended to it and checked. In a more realistic case you would have multiple passwords, and each one would go through the same process. This is obviously going to lead to a large amount of hashes , but if you were to perform a normal brute force attack it would look like this: ?a?a?a?a?a?a?a?a?a?a
We already know that this is a massive number and is exponentially worse than our hybrid attack.

Hybrid Attacks and Mask Attacks

You can probably guess the next step in improving our attack, when we realized brute forcing was inefficient we switched to masks. We will do the same here, and the concept is exactly the same. We can take a dictionary and combine it with your mask to refine the passwords we are searching for, greatly reducing the hashes we have to perform.
        Hybrid Attack               Results
        dictionary.dict ?d?d        password00
This particular example should remind you of one of our problems from the previous lab. We greatly increase our efficiency by replacing placeholders with actual words, and with a hybrid attack we can go through an entire list of words and accomplish the same thing.
A hybrid attack can be performed with the mask prepended instead of appended, simply reverse the order of the arguments when you run hashcat.
        Hybrid Attack               Results
        ?d?d dictionary.dict        00password

(1) How many hashes will hashcat perform to brute force a password of 6 characters?
(2) How many hashes will hashcat perform to mask attack the password if you know the first 4 characters are lowercase letters?
(3) How many hashes will hashcat perform to mask attack the password if you know the first 4 letters are "word"?
(4) We still have to be careful with hybrid attacks. Assume you have a dictionary of 10 words. How many hashes will be performed in the worst case if there are 100 passwords to crack using a straight attack?
(5) What if the previous problem was a hybrid attack with the ?a?a mask? How many more hashes will hashcat perform?
(6) Try filling a file with passwords that consist of simple words appended with random numbers/letters/symbols. Hash that file and perform a hybrid attack against it using the large.dict and a mask that you think would be appropriate.
(7) Create a file called password and insert these 3 versions of password: password, pAssword, p@ssword
Now hash these passwords into a new file and create a mask that will crack all 3 passwords.(Hint: It should not be all placeholders)


(1) Why do we make use of our GPU instead of our CPU? Try to be specific, this is good information for your poster.
(2) What is a hash? Why do we use them? How does hashing something differ from encrypting it?
(3) Why do websites go straight to password resets instead of telling you your original password?
(4) If a website uses a salt with their hashing, why do they have to store the salt but not the password?
(5) Knowing what you do about the different attacks and their strengths and weaknesses, what kind of passwords do you think are weak/secure?