TL;DR
This guide shows you how to brute-force an MD5 hash using a prefix and suffix, up to a specified length. We’ll use hashcat for this, as it’s a powerful tool designed for password cracking (and MD5 is often used in similar contexts). We assume you have a basic understanding of the command line.
Prerequisites
- Hashcat: Download and install hashcat. Make sure it’s added to your system’s PATH so you can run it from anywhere.
- Wordlist (optional): While we’re focusing on prefix/suffix attacks, a small wordlist can sometimes help speed things up if combined with the attack.
Step-by-step Guide
- Understand the Attack: A prefix and suffix attack tries all possible combinations of characters before and after a given string (the ‘target’). This is effective when you know *part* of the original password/string.
- Identify the Hash Type: MD5 hashes are 32 hexadecimal characters long. Make sure you’re dealing with an actual MD5 hash before proceeding.
- Basic Command Structure: The core hashcat command will look like this:

  hashcat -m 0 <hash_file> <attack_mode> <prefix> <suffix> <max_length>

  Where:
  - -m 0: Specifies the hash type (MD5).
  - <hash_file>: The file containing the MD5 hash you want to crack. Each hash should be on a new line in this file.
  - <attack_mode>: The attack mode we’ll use for prefix/suffix attacks (see Step 4).
  - <prefix>: The known characters at the beginning of the string.
  - <suffix>: The known characters at the end of the string.
  - <max_length>: The maximum length of the unknown part between the prefix and suffix.
- Choose an Attack Mode: For prefix/suffix attacks, use mode 3200 (prefix brute-force) or 3300 (suffix brute-force). You can also combine them with a wordlist using modes like 3400.
- 3200: Prefix Brute-Force. Tries all possible prefixes up to the specified length.
- 3300: Suffix Brute-Force. Tries all possible suffixes up to the specified length.
- 3400: Combined Wordlist + Prefix/Suffix. Useful if you have a small wordlist and know parts of the password.
- Example 1: Prefix Attack (Known prefix, unknown middle, no suffix): Let’s say your hash is ‘e4d909c290d0fb1ca068ffaddf22cbd0’, and you know the password starts with ‘abc’. You want to try all possible combinations up to 3 characters after ‘abc’.

  hashcat -m 0 hash.txt 3200 abc ?????

  The question marks represent the unknown characters. Hashcat will automatically try a-z, A-Z, 0-9 for each character.
- Example 2: Suffix Attack (Known suffix, unknown middle, no prefix): If you know the password ends with ‘123’ and want to try up to 4 characters before it:

  hashcat -m 0 hash.txt 3300 ????? 123

- Example 3: Combined Attack (Prefix, Suffix & Wordlist): If you know the password starts with ‘pass’, ends with ‘word’ and have a wordlist called ‘common_words.txt’:

  hashcat -m 0 hash.txt 3400 pass ????? word common_words.txt

- Adjusting the Character Set: By default, Hashcat uses lowercase letters, uppercase letters, numbers and some symbols. You can customize this with the -c option.

  hashcat -m 0 hash.txt 3200 abc ????? -c 'abcdefghijklmnopqrstuvwxyz'

  This example only uses lowercase letters for the unknown part.
- Running the Attack: Once you have your command, run it in a terminal. Hashcat will start trying combinations and display its progress. It can take a long time depending on the length of the unknown part and the complexity of the character set.
- Interpreting Results: If Hashcat finds a match, it will print the cracked password along with the hash.
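The following is an added example, not part of the original guide and not hashcat's own code: a plain-Python implementation (using only the standard library's hashlib and itertools) of the prefix/suffix search the steps above describe. It makes the mechanics concrete without depending on any hashcat option: the unknown middle is enumerated shortest-first over a character set, each candidate is hashed with MD5 and compared to the target, and keyspace_size shows why the "Time" consideration below matters (with the a-z, A-Z, 0-9 set, three unknown characters already mean 62^3 = 238,328 candidates, and every additional character multiplies that by 62). The sample hash is constructed inside the script from a made-up secret so it runs offline; the function names are this example's own.

```python
import hashlib
import itertools
import string

# Character set mirroring what the guide says hashcat tries for each
# unknown position by default: a-z, A-Z, 0-9.
DEFAULT_CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits
HEX_DIGITS = set("0123456789abcdef")


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a string (helper used to build constructed samples)."""
    return hashlib.md5(text.encode()).hexdigest()


def keyspace_size(charset: str, max_len: int) -> int:
    """Number of candidates when the unknown part may be 0..max_len characters long."""
    return sum(len(charset) ** n for n in range(max_len + 1))


def candidates(prefix: str, suffix: str, max_len: int, charset: str = DEFAULT_CHARSET):
    """Yield prefix + middle + suffix for every middle, shortest middles first."""
    for n in range(max_len + 1):
        for middle in itertools.product(charset, repeat=n):
            yield prefix + "".join(middle) + suffix


def crack_md5(target_hex: str, prefix: str, suffix: str, max_len: int,
              charset: str = DEFAULT_CHARSET):
    """Return the candidate whose MD5 equals target_hex, or None once the keyspace is exhausted."""
    target_hex = target_hex.lower()
    # Step 2 of the guide: an MD5 digest is exactly 32 hexadecimal characters.
    if len(target_hex) != 32 or any(c not in HEX_DIGITS for c in target_hex):
        raise ValueError("not a 32-character hexadecimal MD5 digest")
    for cand in candidates(prefix, suffix, max_len, charset):
        if md5_hex(cand) == target_hex:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample (Example 1 shape): known prefix "abc", at most 3 unknown characters.
    sample = md5_hex("abcQ7z")
    print("keyspace for 3 unknowns over 62 chars:", keyspace_size(DEFAULT_CHARSET, 3))
    print("recovered:", crack_md5(sample, "abc", "", 3))
    # Constructed sample (Example 3 shape) with a restricted lowercase set,
    # as in the "Adjusting the Character Set" step.
    sample2 = md5_hex("passkyword")
    print("recovered:", crack_md5(sample2, "pass", "word", 2, string.ascii_lowercase))
```

The None return is the case a practitioner should plan for: if the true middle is longer than max_length or contains a character outside the chosen set, the search exhausts the keyspace without a hit, and the only remedies are a larger length bound or a wider character set, each of which multiplies the runtime.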
Important Considerations
- Time: Brute-force attacks can be very slow, especially for longer passwords or complex character sets.
- Resources: Hashcat is resource intensive (CPU and GPU). A powerful GPU will significantly speed up the process.
- Legality: Only attempt to crack hashes you own or have explicit permission to test. Cracking someone else’s password without authorization is illegal.