Quiet often people ask me to bruteforce a hash for them. My usual response after the obligatory; where did you get the hash from? is “I’ll run a few dictionaries against it unless you provide me with a charset and length!”

For those that don’t understand it needs to be made clear exactly what bruteforce cracking means.

Lets just say we have a four character pin that can only contain digits; we know that there are 10,000 (104) combinations that we can try: 0000 all the way through to 9999. This is obvious to most people, so why isn’t it obvious when we also use letters and special characters?

An 8 character password of just UPPERCASE characters can contain 26 possibilities per character position (1-7 length not included). That’s 208,827,064,576 possible password combinations, or an easier representation is 268.

Now lets just say they know the password is 7 characters but dont know what character sets it contains, it means i’ll have to include a-z, A-Z, 0-9 and special characters !”#$%&’()*+,-./:;⇔?@[\]^_`{|}~.

That’s 92 (26 + 26 + 10 + 30) possible values per character position, leading to an incredible 55,784,660,123,648 possible combinations (927). And if they don’t know how long the password is what do I try? 1 character is just 92 possible combinations, but as the length grows so does the possible combinations, exponentially! And don’t forget to attempt the cracking of a password of up to length 6 also includes the possibilities of lengths 1, 2, 3, 4 & 5!

  • length 1 = | 921 | 92
  • length 2 = | 922 | 8464
  • length 3 = | 923 | 778688
  • length 4 = | 924 | 71639296
  • length 5 = | 925 | 6590815232
  • length 6 = | 926 | 606355001344
  • length 7 = | 927 | 55784660123648
  • length 8 = | 928 | 5132188731375616
  • length 9 = | 929 | 472161363286556672
  • length 10= | 9210| 43438845422363213824
  • length 11= | 9211| 3996373778857415671808
  • length 12= | 9212| 367666387654882241806336
  • length 13= | 9213| 33825307664249166246182912
  • length 14= | 9214| 3111928305110923294648827904
  • length 15= | 9215| 286297404070204943107692167168

I hope this has given an understanding in to what it really means when “bruteforcing a hash”. In order to reduce the keyspace it’s worth trying a more sophisticated attack such as a capital as the first letter and then lowercase followed by a digit or 2; doing this massively reduces the attack time and allows much quicker cracking when using the GPU.

Oh, and before I forget don’t even get me started on the possibilities of using Russian, French or German characters, let alone the non printable characters between 0xc0 – 0xff as well!

Leave a Reply