RevsUp Lab: Hashcat 04

resources:
Hashcat Wiki
oclHashcat Details
Hybrid Attacks

Hybrid Attacks and Brute Forcing

Now that we have a general understanding of mask attacks and brute forcing, we can try to utilize the benefits of these methods while avoiding some of the pitfalls. We know that brute forcing and mask attacks are powerful because they can find the widest spectrum of passwords, but as passwords become larger the number of hashes that will be performed for each password becomes too large. We can somewhat curb these downsides with Hybrid Attacks. A hybrid attack uses the familiar dictionary attack and combines it with a brute force attack. Think of it as a combination of dictionary, combination, and brute force attacks. For this example let's say we have a dictionary file called dictionary.dict. It contains only the word password.
        Hybrid Attack               Results
        dictionary.dict ?a?a        password00
                                    ....
                                    password99
                                    passwordaa
                                    ....
                                    passwordzz
                                    password@@
                                    ....
        
Basically the word password is having every possible combination of two characters appended to it and checked. In a more realistic case you would have multiple passwords, and each one would go through the same process. This is obviously going to lead to a large amount of hashes , but if you were to perform a normal brute force attack it would look like this: ?a?a?a?a?a?a?a?a?a?a
We already know that this is a massive number and is exponentially worse than our hybrid attack.

Hybrid Attacks and Mask Attacks

You can probably guess the next step in improving our attack, when we realized brute forcing was inefficient we switched to masks. We will do the same here, and the concept is exactly the same. We can take a dictionary and combine it with your mask to refine the passwords we are searching for, greatly reducing the hashes we have to perform.
        Hybrid Attack               Results
        dictionary.dict ?d?d        password00
                                    ....
                                    password99
        
This particular example should remind you of one of our problems from the previous lab. We greatly increase our efficiency by replacing placeholders with actual words, and with a hybrid attack we can go through an entire list of words and accomplish the same thing.
A hybrid attack can be performed with the mask prepended instead of appended, simply reverse the order of the arguments when you run hashcat.
        Hybrid Attack               Results
        ?d?d dictionary.dict        00password
                                    ....
                                    99password
        

Hashcat Options for Hybrid Attacks

Hashcat supports both types of hybrid attacks, but you must use a different option for each one. To use the dictionary word first, then the mask, use the -a 6 option as follows:
./hash.sh sha1sum 3e 56 a9 89 password123 > test_hybrid.hash
./hashcat64.bin -m 120 --hex-salt -a 6 test_hybrid.hash example.dict ?d?d?d
To use the mask first, then the dictionary word, use the -a 7 option as follows:
./hash.sh sha1sum 3e 56 a9 89 123password > test_hybrid.hash
./hashcat64.bin -m 120 --hex-salt -a 7 test_hybrid.hash ?d?d?d example.dict

(1) How many hashes will hashcat perform to brute force a password of 6 characters?
(2) How many hashes will hashcat perform to mask attack the password if you know the first 4 characters are lowercase letters?
(3) How many hashes will hashcat perform to mask attack the password if you know the first 4 letters are "word"?
(4) We still have to be careful with hybrid attacks. Assume you have a dictionary of 10 words. How many hashes will be performed in the worst case if there are 100 passwords to crack using a straight attack?
(5) What if the previous problem was a hybrid attack with the ?a?a mask? How many more hashes will hashcat perform?
(6) Try filling a file with passwords that consist of simple words appended with random numbers/letters/symbols. Hash that file and perform a hybrid attack against it using the large.dict and a mask that you think would be appropriate.
(7) Create a file called password and insert these 3 versions of password: password, pAssword, p@ssword
Now hash these passwords into a new file and create a mask that will crack all 3 passwords.(Hint: It should not be all placeholders)

Review

(1) Why do we make use of our GPU instead of our CPU? Try to be specific, this is good information for your poster.
(2) What is a hash? Why do we use them? How does hashing something differ from encrypting it?
(3) Why do websites go straight to password resets instead of telling you your original password?
(4) If a website uses a salt with their hashing, why do they have to store the salt but not the password?
(5) Knowing what you do about the different attacks and their strengths and weaknesses, what kind of passwords do you think are weak/secure?