0

I have a hashcat command line input via textarea to validate. The following commands are correct:

# wordlist attack
hashcat -a 0 -m 400 example400.hash example.dict
hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
hashcat -a 0 -m 0 example0.hash example.dict -r rules/rule1.rule -r rule2.rule

# bruteforce attack
hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
hashcat -a 3 -m 0 example0.hash -1 ?l?d?s?u ?1?1?1?1?1?1?1?1?1

where:

  • -a follows by 0 or 3 (attack type)
  • -m follows by an integer (hash mode)
  • -r follows by a file path (rule list)
  • -1 is custom character set, followed by a pattern

The basic syntax is:

# Word List Attack
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME}
# Word List Attack with 1 Rule
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME} -r {RULE_FILENAME}
# Word List Attack with multiple rules (can append infinite number of rules)
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME} -r {RULE1_FILENAME} -r {RULE2_FILENAME}

The other syntaxes can be found at the official documentation.

I tried to use the following jQuery code to validate during form submission, but I failed to catch some cases:

$('#frm_task').submit(function(event) {
    event.preventDefault();
    var cmd = $('#cmdLine').val(); // where the #cmdLine is the textarea
    cmd = cmd.replace('hashcat', '').trim();
    return checkCmd(cmd);
});

function checkCmd(cmd) {
    var args = cmd.split(' ');

    // Check for Attack Mode Flag
    var attackFlagPos = $.inArray('-a', args);
    if(attackFlagPos !== -1) {
        if(args[attackFlagPos + 1] != undefined && Number.isInteger(args[attackFlagPos + 1])) {
            args.splice(attackFlagPos, 2); // remove the found `-a` and the numeric value after
            cmd = args.join(' ');
            checkCmd(cmd); // check again
        } else {
            console.error('Syntax Error: Missing Attack Mode value');
            return false;
        }
    } else {
        console.error('Missing Attack flag');
        return false;
    }
    
    // Check for Hash Mode Flag
    var modeFlagPos = $.inArray('-m', args);
    if(modeFlagPos !== -1) {
        if(args[modeFlagPos + 1] != undefined && Number.isInteger(args[modeFlagPos + 1]) && (args[modeFlagPos + 1] == 0 || args[modeFlagPos + 1] == 3)) {
            args.splice(modeFlagPos, 2); // remove the found `-m` and the numeric value after
            cmd = args.join(' ');
            checkCmd(cmd); // check again
        } else {
            console.error('Syntax Error: Missing Hash Mode value');
            return false;
        }
    } else {
        console.error('Missing Mode flag');
        return false;
    }
    
    // Check for Rule Flags (extra rules will be checked and removed in the next iteration)
    var ruleFlagPos = $.inArray('-r', args);
    if(ruleFlagPos !== -1) { // Rule file flag exists
        if(args[ruleFlagPos + 1] != undefined && typeof args[ruleFlagPos + 1] == 'string') {
            args.splice(ruleFlagPos, 2); // remove the found `-r` and the rule file after
            cmd = args.join(' ');
            checkCmd(cmd); // check again
        } else {
            console.error('Missing Rule list');
            return false;
        }
    }

    // TODO: Check Bruteforce Attack syntaxes
    // Can I use Regex for this?
    
    // TODO: Check for Hashlist and Dictionary List
    // I am confused in this part, how can I differentiate the hashlist and dictionary list?

    // if everything is okay, return true to submit the form
    return true;
}

My question is:

  1. How can I simplify this piece of code?
  2. How can I check the bruteforce attack patterns (i.e. -1 ?l?d?s?u ?1?1?1?1?1?1?1?1?1)?

Sorry for such a long question. Thanks in advance.

Raptor
  • 53,206
  • 45
  • 230
  • 366
  • This is kind of reinventing the wheel, since presumably the hashcat command knows how to parse its arguments and will exit with a given code indicating bad input. Rather than attempting to check the validity of the arguments yourself, It would be much easier to just call hashcat with the given arguments (which you'll have to sanitize first, but that's another story) and take action based on the exit code. – kmoser Oct 20 '20 at 04:58
  • 1
    However, if you *really* want to do the parsing yourself, I'd do it this way: first [split the string into arguments and options](https://stackoverflow.com/questions/13796594/how-to-split-string-into-arguments-and-options-in-javascript). Then loop through each argument, decide whether it's -a, -m, etc., look forward to the subsequent option(s) and validate them. – kmoser Oct 20 '20 at 04:59
  • Thanks for the comment. I had considered the first option as well. However, `hashcat` took a long time to startup and I can only check the command is incorrect when the `hashcat` returns an error during startup. Since `hashcat` is a computing-intensive command, I cannot let the command to run just for checking the syntax. Your 2nd comment gave me some insights about how to parse the arguments. Thanks and I will have a try. – Raptor Oct 20 '20 at 07:30

0 Answers0