RevsUp Lab: Hashcat 04
Resources:
Hashcat Wiki
oclHashcat Details
Hybrid Attacks
Hybrid Attacks and Brute Forcing
Now that we have a general understanding of mask attacks and brute forcing, we can try to keep the benefits of these
methods while avoiding some of their pitfalls. Brute forcing and mask attacks are powerful because they cover the widest
range of passwords, but as passwords get longer the number of hashes that must be computed per password grows too large
to be practical. Hybrid attacks let us curb these downsides somewhat. A hybrid attack takes the familiar dictionary attack
and combines it with a brute force attack; think of it as a combination of the dictionary, combination, and brute force
attacks. For this example let's say we have a dictionary file called dictionary.dict that contains only the word password.
Hybrid Attack Results
dictionary.dict + ?a?a  ->  password00
                            ....
                            password99
                            passwordaa
                            ....
                            passwordzz
                            password@@
                            ....
Basically, every possible combination of two characters is appended to the word password, and each result is hashed and
checked. In a more realistic case the dictionary would contain many words, and each one would go through the same process.
This obviously leads to a large number of hashes, but a normal brute force attack against the same passwords would look like
this: ?a?a?a?a?a?a?a?a?a?a
We already know that this is a massive number and is exponentially worse than our hybrid attack.
Hybrid Attacks and Mask Attacks
You can probably guess the next step in improving our attack: when we realized brute forcing was inefficient we switched to
masks, and we will do the same here. The concept is exactly the same. We can take a dictionary and combine it with a mask to
refine the passwords we are searching for, greatly reducing the number of hashes we have to perform.
Hybrid Attack Results
dictionary.dict + ?d?d  ->  password00
                            ....
                            password99
This particular example should remind you of one of our problems from the previous lab. We greatly increased our efficiency
there by replacing placeholders with actual words, and with a hybrid attack we can go through an entire list of words and
accomplish the same thing.
A hybrid attack can also be performed with the mask prepended instead of appended: simply reverse the order of the dictionary
and mask arguments when you run hashcat (and select the matching attack mode, covered in the options section below).
Hybrid Attack Results
?d?d + dictionary.dict  ->  00password
                            ....
                            99password
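The three result tables above all come from the same rule: every dictionary word is paired with every expansion of the mask, so the candidate count is (number of words) x (mask keyspace). The following Python program is an added example for this lab, not part of the original handout or of hashcat; it parses a hashcat-style mask, computes that keyspace, and enumerates the appended (word-then-mask) and prepended (mask-then-word) candidates so you can check the counts in the text for yourself. The charset contents (?l, ?u, ?d, ?s, ?a) are taken from the Hashcat Wiki listed under Resources; the one-word dictionary is constructed inline to match dictionary.dict, and the candidate ordering is a plain lexicographic simplification rather than hashcat's own ordering.

```python
import itertools
import string

# hashcat's built-in charsets, as documented in the Hashcat Wiki.
# ?s is the space character plus the 32 printable ASCII punctuation marks
# (33 total), so ?a = ?l?u?d?s covers all 95 printable ASCII characters.
BUILTIN_CHARSETS = {
    "l": string.ascii_lowercase,    # ?l, 26 characters
    "u": string.ascii_uppercase,    # ?u, 26 characters
    "d": string.digits,             # ?d, 10 characters
    "s": " " + string.punctuation,  # ?s, 33 characters
}
BUILTIN_CHARSETS["a"] = (BUILTIN_CHARSETS["l"] + BUILTIN_CHARSETS["u"]
                         + BUILTIN_CHARSETS["d"] + BUILTIN_CHARSETS["s"])  # ?a, 95


def parse_mask(mask):
    """Split a hashcat mask into one character set per output position.

    '?d?d' -> ['0123456789', '0123456789']; literal characters (the 'word'
    in 'word?d?d') become one-character sets; '??' is a literal '?'.
    """
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in BUILTIN_CHARSETS:
            positions.append(BUILTIN_CHARSETS[key])
        else:
            raise ValueError(f"unsupported charset ?{key}")
        i += 2
    return positions


def mask_keyspace(mask):
    """Candidates a plain mask attack generates: the product of the
    per-position charset sizes (95**2 for '?a?a', 95**10 for ten ?a)."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total


def hybrid_keyspace(words, mask):
    """Candidates for a hybrid attack: every word is tried with every mask
    expansion, so the mask keyspace is multiplied by the word count."""
    return len(words) * mask_keyspace(mask)


def hybrid_candidates(words, mask, mask_first=False):
    """Generate the candidate passwords of a hybrid attack.

    mask_first=False mirrors '-a 6' (word then mask, e.g. password00);
    mask_first=True mirrors '-a 7' (mask then word, e.g. 00password).
    Candidates come out in simple lexicographic charset order, which is a
    simplification: hashcat orders them differently (Markov-based by
    default), but the set of candidates is identical.
    """
    positions = parse_mask(mask)
    for word in words:
        for combo in itertools.product(*positions):
            expansion = "".join(combo)
            yield expansion + word if mask_first else word + expansion


if __name__ == "__main__":
    # Constructed one-word dictionary standing in for the lab's dictionary.dict.
    dictionary = ["password"]
    print("?a?a appended to one word:", hybrid_keyspace(dictionary, "?a?a"))  # 9025
    print("?d?d appended to one word:", hybrid_keyspace(dictionary, "?d?d"))  # 100
    print("ten ?a, pure brute force: ", mask_keyspace("?a" * 10))           # 95**10
    appended = list(hybrid_candidates(dictionary, "?d?d"))
    print("first/last -a 6 candidates:", appended[0], appended[-1])
    print("first -a 7 candidate:      ",
          next(hybrid_candidates(dictionary, "?d?d", mask_first=True)))
```

Comparing the printed numbers shows why the text calls the ten-position brute force "exponentially worse": the hybrid run multiplies a small mask keyspace by the dictionary size, whereas the brute force raises the charset size to the full password length.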
Hashcat Options for Hybrid Attacks
Hashcat supports both types of hybrid attacks, but you must use a different option for each one. To use the dictionary word first, then the mask,
use the -a 6 option as follows:
./hash.sh sha1sum 3e 56 a9 89 password123 > test_hybrid.hash
./hashcat64.bin -m 120 --hex-salt -a 6 test_hybrid.hash example.dict ?d?d?d
To use the mask first, then the dictionary word, use the -a 7 option as follows:
./hash.sh sha1sum 3e 56 a9 89 123password > test_hybrid.hash
./hashcat64.bin -m 120 --hex-salt -a 7 test_hybrid.hash ?d?d?d example.dict
(1) How many hashes will hashcat perform to brute force a password of 6 characters?
(2) How many hashes will hashcat perform to mask attack the password if you know the first 4 characters are lowercase letters?
(3) How many hashes will hashcat perform to mask attack the password if you know the first 4 letters are "word"?
(4) We still have to be careful with hybrid attacks. Assume you have a dictionary of 10 words. How many hashes will be
performed in the worst case if there are 100 passwords to crack using a straight attack?
(5) What if the previous problem was a hybrid attack with the ?a?a mask? How many more hashes will hashcat perform?
(6) Try filling a file with passwords that consist of simple words appended with random numbers/letters/symbols. Hash that
file and perform a hybrid attack against it using the large.dict and a mask that you think would be appropriate.
(7) Create a file called password and insert these 3 versions of password: password, pAssword, p@ssword
Now hash these passwords into a new file and create a mask that will crack all 3 passwords. (Hint: it should not be all placeholders.)
Review
(1) Why do we make use of our GPU instead of our CPU? Try to be specific; this is good information for your poster.
(2) What is a hash? Why do we use them? How does hashing something differ from encrypting it?
(3) Why do websites go straight to password resets instead of telling you your original password?
(4) If a website uses a salt with their hashing, why do they have to store the salt but not the password?
(5) Knowing what you do about the different attacks and their strengths and weaknesses, what kind of passwords
do you think are weak/secure?