Please note, this is a STATIC archive of website hashcat.net from 08 Oct 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.

hashcat Forum

Full Version: How to map a password policy onto your Mask?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hi Friends,
lets assume you know details of your password policy e.g.:
  • Amount of characters
  • minimum/maximum amount of letters
  • minimum/maximum amount of numbers
  • restrictions like "no repeating characters" e.g. aa,bb, and so on
  • the pool of special characters

I really don't know how to build a mask like that. Is it even possible to build such a mask, which is usable by hashcat?
If you don't know the answer, maybe you know a good tutorial on building such masks!?

Thanks in advance,
rob
Hey Rob,
the best thing you should do is to have a look into the hashcat wiki https://hashcat.net/wiki/ and for your particular problem, see here: https://hashcat.net/wiki/doku.php?id=mask_attack
Your points:
1. Use your defined mask together w/ pw-min, pw-max if you want to restrict the password length, if you want to reduce the keyspace instead i.e. the chars used see answer 2.
2. you can define custom charsets if the default charsets (Built-in charsets, ?l ?u ?d ?s ?h ... ?a) do not fit for you, use -1 (a number *not* ELL), -2 up to -3 parameter: e.g. -1 abcd and your mask could contain now this charsets as password?1 where ?1 is either a, b, c or d
3. same as in 2. applies here, but you put numbers in ?1
4. either you are able to put this resriction directly into the mask (*not* very likely) or please try maskprocessor (https://hashcat.net/wiki/doku.php?id=maskprocessor ) and also see this topic https://hashcat.net/forum/thread-2161.html
5. see ?s

Hopefully this helps you to get started ;-)
Best
what do you mean by w/ pw-min , pw-max
how you use that?
(08-25-2013, 07:04 AM)eduonline Wrote: [ -> ]what do you mean by w/ pw-min , pw-max
how you use that?
1) Follow the advice and read the wiki.
2) You might get your answer with one of the features of PACK:

https://thesprawl.org/projects/pack/
I also get this link https://www.googleappsecurity.com/password-policies I have found almost all the features concern with password policies...
(05-29-2013, 10:31 AM)rob911 Wrote: [ -> ]Hi Friends,
lets assume you know details of your password policy e.g.:
  • Amount of characters
  • minimum/maximum amount of letters
  • minimum/maximum amount of numbers
  • restrictions like "no repeating characters" e.g. aa,bb, and so on
  • the pool of special characters

I really don't know how to build a mask like that. Is it even possible to build such a mask, which is usable by hashcat?
If you don't know the answer, maybe you know a good tutorial on building such masks!?

it is dependent on which system you use. If you use unix, like most of the people here, the combination of maskprocessor and hashcat is so easy, they would not understand you "lazyness" to read.

If you use window you need unixtool for window install, then you can run tool/tools in the method of "pipe in"  and answer your questions yourself.

what is "pipe in"

Take the example 8 characters long password, and digits only 

use maskprocessor to generate you get 10^8 combis.

you can pipe in

maskprocessor  ?d?d?d?d?d?d?d?d | haschcat-cli64.exe -a 0 ....

if you realise your friends trick you for advertising protection, but use only a password policy of 4 to 6 characters long passwords  

you can use the same pipe in but

maskprocessor  -pw-min 4  -pw-max 6 ?d?d?d?d?d?d?d?d | haschcat-cli64.exe -a 0 ....
(Attention: print out the results somehow maskprocessor still produces combis of lenght 1, 2, 3 before it generates the desired combis of 4 then 5 then 6 character/digit long, and stop ... It is fast s it doesn't matter much... but worth to check it is a bug?)

OR method Nr2
maskprocessor  ?d?d?d?d?d?d?d?d | len 4 6 | haschcat-cli64.exe -a 0 ....


In similar way we can cover password policy

use min 8 to 10 length
use HEX only ( use MP with charset -1 0123456789ABCDEF)
even must have one upper, one lower and one special ?l?u?s or ?a
all taht we can do with MP and hashcat

But if I understand,  I think @eduonline asks about a very special corner
what about a policy something like this:
1)must have length between 8 and 10
2)must use upper, lower special
Now if there is an EXTRA condition hang on then it is interesting, either 

3.1)  Upper, Lower, Spec not more (repeated) sequentially appears than 2 ( aaBcd1$23... allowed aaaBcd1$23... fail;answer you still use MP -q 2 and pipe in)
3.2) each character/digit occurs in the password only 3 times max   (aaBcad1$23... allowed ... aaBcaa$23 fail; answer you still use MP -r 3 or -r 4 and pipe in. Test it yourself, seem to be a bug there too)
3.3)  must use upper, lower special but special must not at beginning of your password
3.4) not more Upper than 2x, never more than 1X special sign
3.5) must not shows part of your family forname/name (take KIM, David Camaron) or company name (SIEMENS/Siemens)
3.6) never upper case before the fourth position
3.7) never use special more than twice  
3.8) never use special sign at beginning or end of password 
3.9) ... I think it is clear enough now, MP and HC alone can not solve smartly this problem.... 

I can stop here now to answer @rob911, @eduonline, We will still use "MP |  Hashcat" but inbetween we must build in one more mask/box; I call it filtering; it is the Regular Expression filter and can be used this way

maskprocessor  -pw-min 8 -pw-max 10 -q 2 -r 4 ?a?a?a?a?a?a?a?a | RegEx-Filter-box | haschcat-cli64.exe -a 0 ....

Is it what you ask @rob911, @eduonline?

It is an interesting area to play your fantasy,with filtering box we can clamp down the passwords amount if such strict policies are used. Strangely it does not help the company/people, i my opinion, they kind of difficult YES they make such more difficult passwords, BUT reduce immensely the key space  a tester must look into to reveal password weakness.


We can do it here too. The question is should we filtering or just brutal bruteforce, because our power nowadays is so strong (some have 4xTitians or 8 Titans) it does not matter to leave or throwaway some thousand/hundred thousands/millions wrongly formatted combis. Filtering takes its time, but maybe if it is interesting s.o can look into it and programming the filter faster


Take PW of length 8, you could clamp down up to half wrongly formatted password when apply these policies 3.x ... Years ago about the time linkedIn passwords leaked a group here at Hashcat has thought about this area. filtering, pipe in, wolfs attack ... technique
This thread is over 2 years old and OP hasn't posted on the forums since, so why are you reviving it from the dead?