I have tried ?a up to six times now with only exhausted results.
FYI, for anyone else attempting to try to crack this, using hengrui?a or any number of mask attack characters limits your performance significantly. I was getting 1.2mhs trying
`hashcat -O -a 3 -m 0 -i hengrui.hash hengrui?a?a?a?a?a?a?a?a'
After 6 ?a characters I decided to spin up an EC2 instance type g4dn.16xlarge
When I tried the same I was getting less performance than my home Radeon RX590
I then read:
hashcat/docs/performance.txt at e194fec2291e487d01c313934932ba782eed1367 · hashcat/hashcat
I then tried:
`.\hashcat -O -a 3 -m 20 -i --increment-min=4 admin.hash.txt ?a?a?a?a?a
`
where admin.hash.txt contains one line:
f6fdffe48c908deb0f4c3bd36c032e72:admin
The bruteforce ran much quicker treating the username as a salt and yielded:
f6fdffe48c908deb0f4c3bd36c032e72:admin:admin
I'm now running against hengrui.hash with a single line of:
81d57ea79621e8887914f40ee4122185:hengrui
locally using:
`.\hashcat -O -a 3 -m 20 -i --increment-min=7 .\hengrui.hash ?a?a?a?a?a?a?a?a`
It should only take 9 more hours for me to finish the 7 character attempt. 8 characters on my EC2 instance is going to take 6 days and 9 hours, and I'm probably going to cancel it tomorrow because I don't want to spend $3/hour for the next week to try. I am getting good speeds though at 12009.4 MH/s. Locally I'm only getting 1934.2 MH/s
Anyone else wanting to try, use the following options:
-O -a 3 -m 20 -i --increment-min=8 .\hengrui.hash ?a?a?a?a?a?a?a?a
with as many ?a's appended that you can afford.
Options:
-a 3
mask attack brute force
-m 20
md5($salt.$pass)
-i
incremental, tries each combo of ?a incrementally
--increment-min=8
I've ran ?a incrementally up to 6, and 7 should be done in 8 hours or so, this will start you at 8 and will run until ?a's are exhausted or a password is cracked
cat .\hengrui.hash
81d57ea79621e8887914f40ee4122185:hengrui
To test that it will work on admin:
cat .\admin.hash.txt
f6fdffe48c908deb0f4c3bd36c032e72:admin
If you're on Windows, be wary of how you create the text files to avoid incompatible line endings as hashcat expects CRLF linux line endings.
Now that I have this running better, I'm going to let 7 finish as a brute force attempt, cancel at 8 and try against more dictionary attacks with exotic rulesets. My previous attempts at this that have failed were:
.\hashcat.exe -O -w 3 -a 7 -m 0 hengrui.hash hengrui?a?a?a .\password-list-cn.tx
where password-list-cn.txt came from
password-list/countries/password-list-cn.txt at main · scipag/password-list
I want to try with the m 20 attack mode, which will be faster along with other variations of much larger word lists using masks and known compromised passwords because I don't have the patience to wait a year to crack this through brute force means and don't want to drop the cash on a new graphics card or pay extravagant EC2 prices.