Quite often people ask me to bruteforce a hash for them. My usual response, after the obligatory *where did you get the hash from?*, is **“I’ll run a few dictionaries against it unless you provide me with a charset and length!”**

For those that don’t understand, it needs to be made clear exactly what bruteforce cracking means.

Let’s just say we have a four character pin that can only contain digits; we know that there are 10,000 (10^{4}) combinations that we can try: 0000 all the way through to 9999. This is obvious to most people, so why isn’t it obvious when we also use letters and special characters?

An 8 character password of just UPPERCASE characters has 26 possibilities per character position (lengths 1-7 not included). That’s 208,827,064,576 possible password combinations, or, as an easier representation, 26^{8}.

Now let’s just say they know the password is 7 characters but don’t know what character sets it contains; that means I’ll have to include a-z, A-Z, 0-9 and special characters **!ā#$%&'()*+,-./:;ā?@[\]^_`{|}~**.

That’s 92 (26 + 26 + 10 + 30) possible values per character position, leading to an incredible 55,784,660,123,648 possible combinations (92^{7}). And if they don’t know how long the password is, what do I try? 1 character is just 92 possible combinations, but as the length grows so does the number of possible combinations, exponentially! And don’t forget that attempting to crack a password of up to length 6 also includes the possibilities of lengths 1, 2, 3, 4 & 5!

| Length | Keyspace | Combinations |
|---|---|---|
| 1 | 92^{1} | 92 |
| 2 | 92^{2} | 8464 |
| 3 | 92^{3} | 778688 |
| 4 | 92^{4} | 71639296 |
| 5 | 92^{5} | 6590815232 |
| 6 | 92^{6} | 606355001344 |
| 7 | 92^{7} | 55784660123648 |
| 8 | 92^{8} | 5132188731375616 |
| 9 | 92^{9} | 472161363286556672 |
| 10 | 92^{10} | 43438845422363213824 |
| 11 | 92^{11} | 3996373778857415671808 |
| 12 | 92^{12} | 367666387654882241806336 |
| 13 | 92^{13} | 33825307664249166246182912 |
| 14 | 92^{14} | 3111928305110923294648827904 |
| 15 | 92^{15} | 286297404070204943107692167168 |

I hope this has given an understanding into what “bruteforcing a hash” really means. In order to reduce the keyspace it’s worth trying a more sophisticated attack, such as a capital as the first letter, then lowercase, followed by a digit or 2; doing this massively reduces the attack time and allows much quicker cracking when using the GPU.
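
The keyspace arithmetic above, together with the size of the structured pattern just described, as an added example (not code from the original post). The `?u`/`?l`/`?d` mask notation follows hashcat's; the class sizes use this post's counts (30 specials, 92 in total), and the guess rate is an assumed round figure.

```python
# Class sizes use this post's counts (30 specials, 92 in total).
CLASS_SIZES = {"u": 26, "l": 26, "d": 10, "s": 30}
CLASS_SIZES["a"] = sum(CLASS_SIZES.values())  # 92: "don't know the charset"


def mask_keyspace(mask: str) -> int:
    """Number of candidates for a mask such as '?u?l?l?l?l?l?d'."""
    if not mask or len(mask) % 2:
        raise ValueError("mask must be a sequence of ?x tokens")
    total = 1
    for i in range(0, len(mask), 2):
        if mask[i] != "?" or mask[i + 1] not in CLASS_SIZES:
            raise ValueError(f"unknown token {mask[i:i + 2]!r}")
        total *= CLASS_SIZES[mask[i + 1]]
    return total


def cumulative_keyspace(charset_size: int, max_len: int) -> int:
    """Searching 'up to' max_len also covers every shorter length."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def structured_keyspace(length: int) -> int:
    """Capital first, then lowercase, ending in one or two digits."""
    if length < 3:
        raise ValueError("pattern needs at least 3 characters")
    one = "?u" + "?l" * (length - 2) + "?d"
    two = "?u" + "?l" * (length - 3) + "?d?d"
    return mask_keyspace(one) + mask_keyspace(two)


def human_time(candidates: int, rate_per_sec: int) -> str:
    """Worst-case time to exhaust the keyspace at a fixed guess rate."""
    seconds = candidates / rate_per_sec
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    RATE = 1_000_000_000  # assumed guesses per second, not a measured figure
    rows = [("all 92 chars, length 7", mask_keyspace("?a" * 7)),
            ("all 92 chars, lengths 1-7", cumulative_keyspace(92, 7)),
            ("Capital+lower+1-2 digits, length 7", structured_keyspace(7))]
    for label, size in rows:
        print(f"{label:36} {size:>20,}  {human_time(size, RATE)}")
```

Read from the defender's side, the last row is the point: a password that follows the common capital-lowercase-digit pattern sits in a keyspace thousands of times smaller than its length and character mix suggest.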

Oh, and before I forget, don’t even get me started on the possibilities of using Russian, French or German characters, let alone the non-printable characters between 0xc0 – 0xff as well!