So, I've had this encrypted box I've been locked out of for a few years. This week I decided to see if there wasn't a way I could open it again. As you can guess my search pretty quickly turned up Hashcat and John the Ripper.

Now, it's great that these tools which look to be pretty powerful exist, don't get me wrong. Since I have a general recollection of the password I used, I in theory have a realistic shot of getting my box open again. The problem is, 1. my old password is pretty long and complicated and 2. these programs are SUPER confusing if you don't have a lot of experience with Linux and command line programs. I spent all day today trying to figure them out, and my head's still spinning.

I looked for GUI versions of these programs, and while there are a couple out there, none of them have a simple way of laying down the password criteria. Hashcat Launcher, one of the popular GUIs for Hashcat, as far as I can tell makes you enter the rules for https://i.imgur.com/NnxWKhU.png using the same confusing code the command line version uses. So there's really no effective difference between the GUI and that.

The super simple GUI solution that I would have thought would be widely used is a set of boxes, like a row of cards on a table. You start by typing in as much of the password as you can remember. For those characters you don't, you click on the box representing that character to open up a menu, and based on your recollection you punch in the possibilities for what goes in that box. Whether it's just letters, just numbers, a limited set of certain letters or numbers, or any character for the parts you don't remember at all.

Let me use a relatively simple password as an illustration. Let's say you're pretty sure your password was "Iamevilmwhahaha". Nice and short, right? But, you don't remember if the I was a capital, a lower or a 1, and if it was "iam" or "im". A couple of additional headaches are, you don't remember if you used a "u" or a "w" in "mwhahaha", if it was capital or lowercase, if it was two "ha"s or three.

As if that wasn't enough, being a huge fan of l33tsp34k in your youth, you might possibly have used the symbols "||" to represent the "u" if you'd used one. "||" is, obviously, multiple characters. And last but not least, you don't remember what you ended the password with. It could have been a period, a single exclamation mark or 3, or no punctuation at all.

Whew! All of that sounds like a lot to digest. Well, here is what I believe is a stupidly easy way to punch all of that information into one interface.

https://i.imgur.com/aje4oZj.png

Does anyone know if something like this exists out there?

There is 1 answer

Andrew Zick On

Maybe you could take the opposite approach. Figure out a way to generate all possible strings between X and Y length, then filter those strings to match a regex based on what you remember for your password, then it's just a dictionary attack.

Found this Security s/o answer for generating, but no idea how long it might take to generate everything up to your max possible password length. The current top 3 answers all have good suggestions e.g. Python itertools.product, Hashcat masks, crunch Linux tool.

For building out the possible password regex, I've used https://regex101.com/ before. You could also do the filtering in Python or via grep or whatever is comfortable.
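
The "row of boxes" model from the question, combined with the `itertools.product` suggestion in the answer, as an added example that is not part of either post. The slot contents are constructed from the question's "Iamevilmwhahaha" illustration, and the names `SLOTS`, `keyspace` and `candidates` are hypothetical.

```python
import itertools
import math
import sys

# Constructed slots for the question's example "Iamevilmwhahaha".
# Each slot lists the strings that might occupy that position; an
# alternative may be several characters ("||") or empty (slot absent).
SLOTS = [
    ["I", "i", "1"],              # capital I, lowercase i, or the digit 1
    ["am", "m"],                  # "iam" or "im"
    ["evilm"],                    # the part remembered for certain
    ["w", "W", "u", "U", "||"],   # w or u in either case, or leetspeak "||"
    ["haha", "hahaha"],           # two or three "ha"s
    ["", ".", "!", "!!!"],        # no punctuation, period, one or three "!"
]


def keyspace(slots):
    """Number of combinations, computed without generating any of them."""
    return math.prod(len(alternatives) for alternatives in slots)


def candidates(slots):
    """Lazily yield each distinct candidate, one alternative per slot."""
    seen = set()  # holds every word emitted, so memory grows with output
    for combo in itertools.product(*slots):
        word = "".join(combo)
        if word not in seen:  # overlapping alternatives can collide
            seen.add(word)
            yield word


if __name__ == "__main__":
    print(f"{keyspace(SLOTS)} combinations", file=sys.stderr)
    for word in candidates(SLOTS):
        print(word)
```

Redirecting standard output to a file gives the wordlist for the dictionary run the answer describes. Checking `keyspace` first shows whether the remembered constraints are tight enough to be worth generating at all.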