phillips321.co.uk

Quiet often people ask me to bruteforce a hash for them. My usual response after the obligatory; where did you get the hash from? is “I’ll run a few dictionaries against it unless you provide me with a charset and length!”

For those that don’t understand it needs to be made clear exactly what bruteforce cracking means.

Lets just say we have a four character pin that can only contain digits; we know that there are 10,000 (10⁴) combinations that we can try: 0000 all the way through to 9999. This is obvious to most people, so why isn’t it obvious when we also use letters and special characters?

An 8 character password of just UPPERCASE characters can contain 26 possibilities per character position (1-7 length not included). That’s 208,827,064,576 possible password combinations, or an easier representation is 26⁸.

Now lets just say they know the password is 7 characters but dont know what character sets it contains, it means i’ll have to include a-z, A-Z, 0-9 and special characters !”#$%&'()*+,-./:;⇔?@[\]^_`{|}~.

That’s 92 (26 + 26 + 10 + 30) possible values per character position, leading to an incredible 55,784,660,123,648 possible combinations (92⁷). And if they don’t know how long the password is what do I try? 1 character is just 92 possible combinations, but as the length grows so does the possible combinations, exponentially! And don’t forget to attempt the cracking of a password of up to length 6 also includes the possibilities of lengths 1, 2, 3, 4 & 5!

• length 1 = | 92¹ | 92
• length 2 = | 92² | 8464
• length 3 = | 92³ | 778688
• length 4 = | 92⁴ | 71639296
• length 5 = | 92⁵ | 6590815232
• length 6 = | 92⁶ | 606355001344
• length 7 = | 92⁷ | 55784660123648
• length 8 = | 92⁸ | 5132188731375616
• length 9 = | 92⁹ | 472161363286556672
• length 10= | 92¹⁰| 43438845422363213824
• length 11= | 92¹¹| 3996373778857415671808
• length 12= | 92¹²| 367666387654882241806336
• length 13= | 92¹³| 33825307664249166246182912
• length 14= | 92¹⁴| 3111928305110923294648827904
• length 15= | 92¹⁵| 286297404070204943107692167168

I hope this has given an understanding in to what it really means when “bruteforcing a hash”. In order to reduce the keyspace it’s worth trying a more sophisticated attack such as a capital as the first letter and then lowercase followed by a digit or 2; doing this massively reduces the attack time and allows much quicker cracking when using the GPU.

Oh, and before I forget don’t even get me started on the possibilities of using Russian, French or German characters, let alone the non printable characters between 0xc0 – 0xff as well!