Several attack modes of hashcat

2024-12-24 12:15:01

hashcat has several attack modes. Run it with the --help parameter and look for the "Attack Modes" table, reproduced below:

  #   Mode
  0   Straight
  1   Combination
  3   Brute-force
  6   Hybrid Wordlist + Mask
  7   Hybrid Mask + Wordlist

1.Straight

This attack mode is also known as a "dictionary attack". There is little to explain: given a wordlist, hashcat reads it line by line, computes the hash of each line and compares it with the target hash.

Example:

  hashcat -a 0 -m 400 example400.hash example.dict

2.Combination

Baidu tells me that "combination" is a noun meaning, among other things, a combining, a complex, a set of password combinations, and (in British English) a one-piece undergarment. The attack mode itself is as simple as concatenating the entries of two wordlists. It requires exactly two wordlists, no more and no fewer. Suppose we have dict1.txt and dict2.txt with the following contents:

  hunting
  kitty
  rainbow

and

  paris
  rock

then command:

  hashcat -m 0 -a 1 hash.txt dict1.txt dict2.txt

The candidates actually tried are:

  huntingparis
  huntingrock
  kittyparis
  kittyrock
  rainbowparis
  rainbowrock

Words from dict1.txt go on the left and words from dict2.txt on the right, for 3×2=6 candidates in total.

The parameters specific to this mode are:

  -j, --rule-left
  -k, --rule-right

The rule given with -j is applied to the left word and the rule given with -k to the right word, before the two are joined. Adding -j '$-' (append a "-" to the left word) gives the candidates:

  hunting-paris
  hunting-rock
  kitty-paris
  kitty-rock
  rainbow-paris
  rainbow-rock

Adding -j '^!' (prepend a "!" to the left word) gives:

  !huntingparis
  !huntingrock
  !kittyparis
  !kittyrock
  !rainbowparis
  !rainbowrock

Adding -k '^>' (prepend a ">" to the right word) gives:

  hunting>paris
  hunting>rock
  kitty>paris
  kitty>rock
  rainbow>paris
  rainbow>rock

What are these rules? "$" and "^" look like regular-expression anchors, but they are not regular expressions: hashcat implements its own rule language, which is a large topic in itself. See the Rule-based Attack page of the hashcat wiki for details.
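To make the combinator mode concrete, here is a small Python re-implementation of what -a 1 does with -j and -k. This is an added example, not code from hashcat or from this article: it supports only the "$X" (append) and "^X" (prepend) rule functions the article uses plus a few other single-character functions, generates the same candidate list as the examples above, and checks it against an MD5 target that is constructed inside the script so the run needs no files. The function names are this example's own.

```python
"""Combinator attack (-a 1) with -j / -k rules, re-implemented in Python.

Added example for this article, not hashcat's own code. Only a handful of
rule functions are implemented: '$X' (append) and '^X' (prepend), which the
article uses, plus ':' (no-op), 'l', 'u', 'c' and 'r'. hashcat's rule engine
has many more, and because this parser splits on whitespace, '$ ' (append a
space) cannot be expressed here.
"""
import hashlib
from itertools import product


def apply_rule(word, rule):
    """Apply a space-separated hashcat-style rule string to one word."""
    for func in rule.split():
        op, arg = func[0], func[1:]
        if op == ':':
            pass                                       # no-op
        elif op == '$':
            word = word + arg                          # append
        elif op == '^':
            word = arg + word                          # prepend
        elif op == 'l':
            word = word.lower()
        elif op == 'u':
            word = word.upper()
        elif op == 'c':
            word = word[:1].upper() + word[1:].lower()  # capitalize
        elif op == 'r':
            word = word[::-1]                          # reverse
        else:
            raise ValueError(f"unsupported rule function {func!r}")
    return word


def combinator(left_words, right_words, rule_left=None, rule_right=None):
    """Yield left+right for every pair, as -a 1 does. rule_left is -j (applied to
    the left word), rule_right is -k (applied to the right word), both before the
    join. The left word varies slowest: huntingparis, huntingrock, kittyparis, ..."""
    lefts = [apply_rule(w, rule_left) if rule_left else w for w in left_words]
    rights = [apply_rule(w, rule_right) if rule_right else w for w in right_words]
    for left, right in product(lefts, rights):
        yield left + right


def crack_md5(targets, candidates):
    """-m 0: hash each candidate and return {hash: plaintext} for the matches,
    stopping as soon as every target has been recovered."""
    pending, found = {h.lower() for h in targets}, {}
    for cand in candidates:
        if not pending:
            break
        h = hashlib.md5(cand.encode()).hexdigest()
        if h in pending:
            found[h] = cand
            pending.discard(h)
    return found


# The article's dict1.txt and dict2.txt
DICT1 = ["hunting", "kitty", "rainbow"]
DICT2 = ["paris", "rock"]
# Constructed target: the MD5 of "kitty-rock", so the example is self-contained
TARGET = hashlib.md5(b"kitty-rock").hexdigest()

if __name__ == "__main__":
    print(list(combinator(DICT1, DICT2)))                  # the 6 plain combinations
    print(list(combinator(DICT1, DICT2, rule_left="$-")))  # hunting-paris ... rainbow-rock
    print(crack_md5([TARGET], combinator(DICT1, DICT2, rule_left="$-")))
```

Without the -j '$-' rule the target is not found, which is the whole point of the left/right rules: they let one wordlist pair cover separators and decorations without storing every variant on disk.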

3.Brute-force

Try every combination of characters from a given charset up to a given length. According to the official hashcat wiki this mode is obsolete and has been fully replaced by the mask attack, so it is not covered further here.

4.Mask Attack

This is the newer approach, for example:

  hashcat -a 3 -m 0 md5.hash ?l?l?l?l?l

Although the "Attack Modes" table lists -a 3 as Brute-force, -a 3 actually runs a mask attack. A mask attack can be seen as a smarter brute force.

The -m parameter selects the hash type, and the file md5.hash holds the MD5 hashes to crack. The important part is the last argument, "?l?l?l?l?l", which is called a mask.

A mask is a string of placeholders. "?l" is one placeholder: the "?" marks the "l" after it as a charset name rather than a literal letter, and together "?l" stands for a set of characters. Besides "?l" there are "?u", "?d", "?h", "?H", "?s", "?a" and "?b"; the table below lists the built-in charsets.

  Placeholder   Charset
  ?l            abcdefghijklmnopqrstuvwxyz
  ?u            ABCDEFGHIJKLMNOPQRSTUVWXYZ
  ?d            0123456789
  ?h            0123456789abcdef
  ?H            0123456789ABCDEF
  ?s             !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   (the first character is a space)
  ?a            ?l?u?d?s
  ?b            0x00 - 0xff

So "?l?l?l?l?l" is equivalent to the password list:

  aaaaa
  aaaab
  ...
  zzzzz

Likewise, "?l?u?d" is equivalent to the password list:

  aA0
  aA1
  ...
  bA0
  ...
  zZ9

The charsets in the table are built into hashcat; we can also define our own:

  --custom-charset1=charset1
  --custom-charset2=charset2
  --custom-charset3=charset3
  --custom-charset4=charset4

The parameter --custom-charsetN can be abbreviated to -N, e.g. --custom-charset1 to -1. The charset given with -N is referenced in the mask with the placeholder "?N", for example:

  -1 abc123 ?1?1?1

which is equivalent to the password list (6^3 = 216 entries):

  aaa
  aab
  ...
  aa3
  ...
  333

Instead of a literal string, -N can also be followed by a .hcchr file that contains the charset. hashcat ships with a number of .hcchr files in the charsets/ directory of the distribution.

The placeholder "??" stands for a literal "?". Any other character that is not part of a placeholder stands for itself, so "?lwerner?d" is equivalent to the password list:

  awerner0
  awerner1
  ...
  zwerner9

With this, masks are easy to understand: a mask is a sequence of placeholders, each placeholder is a set of characters, and the mask's keyspace is the Cartesian product of those sets. The number of placeholders equals the password length. What does this design gain over simply giving a charset and a password length?

Say we know that someone's password is 7 characters long: the first is an uppercase letter, the next 3 are lowercase letters and the last 3 are digits. A traditional brute force needs the charset a-z, A-Z, 0-9 (62 characters) and up to 62^7 = 3 521 614 606 208 attempts, in the trillions. The mask describing this password is "?u?l?l?l?d?d?d", and its keyspace is easy to compute: 26 × 26^3 × 10^3 = 456 976 000 possibilities, in the hundreds of millions, roughly four orders of magnitude fewer.

Conversely, even if we know nothing about the password's structure, a mask that uses "?a" in every position reproduces a traditional brute force.

The catch is that a mask fixes the length: the number of placeholders is the number of characters. What if we do not know the password length? If the password has 3 characters and our mask has 4 placeholders, it can never be found. Writing a separate mask for every length from 1 upwards is tedious.

There are two workarounds. The first is a mask file: write several masks, one per line, and pass the file on the command line. The file name must end in .hcmask so that hashcat recognizes it as a mask file rather than a mask.

For example, the content of test.hcmask is:

  ?l
  ?l?l
  ?l?l?l
  ?l?l?l?l

Use the file with the following command:

  hashcat -m 0 -a 3 --show md5.hash test.hcmask

The second workaround is the parameter --increment, which tells hashcat to try the mask truncated to one placeholder first, then two, then three, up to the full length we gave. To see it work, take the mask "abc" (three literal characters, no charset placeholders) and compute the MD5 of the following strings:

  a:0cc175b9c0f1b6a831c399e269772661
  b:92eb5ffee6ae2fec3ad71c777531578f
  c:4a8a08f09d37b73795649038408b5f33
  ab:187ef4436122d1cc2f40dc2b92f0eba0
  ac:e2075474294983e013ee4dd2201c7a73
  ba:07159c47ee1b19ae4fb9c40d480856c4
  bc:5360af35bde9ebd8f01f492dc059593c
  ca:5435c69ed3bcc5b2e4d580e393e373d3
  cb:d0d7fdb6977b26929fb68c6083c0b439
  abc:900150983cd24fb0d6963f7d28e17f72
  bac:79ec16df80b57696a03bb364410061f3
  bca:b64eab8ce39e013604e243089c687e4f
  cba:3944b025c9ca7eec3154b44666ae04a0
  cab:16ecfd64586ec6c1ab212762c2c38a90

The text before ":" is the original string and the text after it is its hash. Save this as md5.hash and run:

  hashcat -m 0 -a 3 --show --username md5.hash abc

The --username parameter is needed because each hash is prefixed with its original string. Without it hashcat cannot parse the lines as plain MD5 hashes; with it, hashcat treats the text before the hash as the username for that hash and loads the file cleanly. Note also that --show does not run the attack: it only prints hashes that have already been cracked into the potfile, so run the command without --show first and add --show afterwards to display the results.

The result is that only one hash is cracked:

  900150983cd24fb0d6963f7d28e17f72:abc

Now add the parameter --increment and run again:

  hashcat -m 0 -a 3 --show --increment --username md5.hash abc

This time two more hashes are cracked:

  0cc175b9c0f1b6a831c399e269772661:a
  187ef4436122d1cc2f40dc2b92f0eba0:ab

So --increment does its job. It also shows the limitation: with this parameter hashcat only tries "a", "ab" and "abc", the successive prefixes of the mask; it does not permute or recombine the placeholders to try other orderings.

5.Hybrid Attack

The hybrid attack is similar to the combinator attack: where the combinator joins two wordlists, the hybrid attack joins a wordlist and a mask.

Let's say we already have a dictionary example.dict that looks like this:

  hello
  werner

then command:

  hashcat -m 0 -a 6 md5.hash example.dict ?d?d

is equivalent to simply using the wordlist:

  hello00
  hello01
  ...
  hello99
  werner00
  werner01
  ...
  werner99

and the command:

  hashcat -m 0 -a 7 md5.hash ?d?d example.dict

is equivalent to simply using the wordlist:

  00hello
  01hello
  ...
  99hello
  00werner
  01werner
  ...
  99werner
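The following Python re-implementation is an added example, not code from hashcat or from this article. It pulls together the mask section above and the two hybrid modes: it parses a mask into per-position charsets (the built-in ?l ?u ?d ?h ?H ?s ?a ?b, custom charsets -1..-4, "??" for a literal "?", and literal characters), computes the keyspace, expands the mask with and without --increment, prefixes or suffixes a wordlist the way -a 6 and -a 7 do, and checks the candidates against part of the article's md5.hash list. The function names and the `custom` mapping are this example's own; a .hcmask file corresponds to calling expand_mask once per line.

```python
"""Mask attack (-a 3) and hybrid attacks (-a 6 / -a 7) re-implemented in Python.
Added example for this article, not hashcat's own code. Enumeration order differs
from hashcat's internal ordering; the candidate set is the same."""
import hashlib
import string
from itertools import product

# hashcat's built-in charsets (?b is the 256 byte values, kept here as latin-1 chars)
BUILTIN = {
    'l': string.ascii_lowercase,
    'u': string.ascii_uppercase,
    'd': string.digits,
    'h': '0123456789abcdef',
    'H': '0123456789ABCDEF',
    's': ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
    'b': ''.join(map(chr, range(256))),
}
BUILTIN['a'] = BUILTIN['l'] + BUILTIN['u'] + BUILTIN['d'] + BUILTIN['s']


def parse_mask(mask, custom=None):
    """Split a mask into one charset per position; custom maps '1'..'4' to -1..-4."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != '?':                 # literal character, e.g. 'werner' in ?lwerner?d
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == '?':                     # '??' is a literal question mark
            positions.append('?')
        elif key in BUILTIN:
            positions.append(BUILTIN[key])
        elif key in custom:
            positions.append(expand_charset(custom[key]))
        else:
            raise ValueError(f"unknown placeholder ?{key}")
        i += 2
    return positions


def expand_charset(spec):
    """A custom charset may itself use placeholders (-1 ?l?d): flatten and dedupe it."""
    return ''.join(dict.fromkeys(''.join(parse_mask(spec))))


def keyspace(positions):
    """Number of candidates a parsed mask produces (product of the charset sizes)."""
    n = 1
    for p in positions:
        n *= len(p)
    return n


def expand_mask(mask, custom=None, increment=False, increment_min=1):
    """Yield every candidate; increment=True mimics --increment: 'abc' -> a, ab, abc."""
    positions = parse_mask(mask, custom)
    lengths = range(increment_min, len(positions) + 1) if increment else [len(positions)]
    for n in lengths:
        for combo in product(*positions[:n]):
            yield ''.join(combo)


def hybrid(words, mask, mode, custom=None):
    """-a 6: word + mask candidate; -a 7: mask candidate + word (mask varies fastest)."""
    tails = list(expand_mask(mask, custom))
    for w in words:
        for m in tails:
            yield w + m if mode == 6 else m + w


def crack_md5(targets, candidates):
    """-m 0: return {hash: plaintext} for every candidate whose MD5 is a target."""
    pending, found = set(targets), {}
    for cand in candidates:
        if not pending:
            break
        h = hashlib.md5(cand.encode('latin-1')).hexdigest()
        if h in pending:
            found[h] = cand
            pending.discard(h)
    return found


# Part of the article's md5.hash file in the 'plaintext:md5' layout that --username
# parses; we keep only the hashes, as {md5: label}.
MD5_FILE = """a:0cc175b9c0f1b6a831c399e269772661
b:92eb5ffee6ae2fec3ad71c777531578f
c:4a8a08f09d37b73795649038408b5f33
ab:187ef4436122d1cc2f40dc2b92f0eba0
ba:07159c47ee1b19ae4fb9c40d480856c4
abc:900150983cd24fb0d6963f7d28e17f72
cab:16ecfd64586ec6c1ab212762c2c38a90"""
HASHES = {h: label for label, _, h in (line.partition(':') for line in MD5_FILE.split())}

if __name__ == "__main__":
    print(keyspace(parse_mask("?u?l?l?l?d?d?d")), "vs", 62 ** 7)
    print(sorted(crack_md5(HASHES, expand_mask("abc", increment=True)).values()))
```

Running the mask "abc" without increment recovers only "abc"; with increment=True it recovers "a", "ab" and "abc" and nothing else, exactly the behaviour the article observed. The keyspace function makes the earlier comparison concrete: parse_mask("?u?l?l?l?d?d?d") gives 456 976 000 candidates against 62^7 for the plain brute force.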

