hashcat Forum

Full Version: Confusion regarding output from Get-ADReplAccount
First time using hashcat, and am having difficulty getting it to work.

This command:

Get-ADReplAccount -All -Server dc1 | Format-Custom -View hashcatnt | Out-File -FilePath c:\temp\data.txt -Encoding ascii

yields output like this:

sum.dude:3ff966736c064feafdba792a0e02c099

I'm getting two error messages, depending on the commands used.
"Separator unmatched" from these commands
hashcat -m1100 -a0 --username ./data.txt ./rockyou.txt
hashcat -m2100 -a0 --username ./data.txt ./rockyou.txt
hashcat -m2100 -a0 ./data.txt ./rockyou.txt

"Token length exception" from this command
hashcat -m1100 -a0 ./data.txt ./rockyou.txt

I've verified that there are no spaces in data.txt. I copied the opened data.txt file in Notepad++, then pasted it into a vi document on my The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) box.

So, questions:
1) Is the output from Get-ADReplAccount in DCCS or DCCS2 format (or something else)?
2) How do I massage the file to get it running?

Thanks,
Kurt
Your hash looks like MD5. You need to remove useless stuff from hash for hashcat, look up for hash examples.

Also posting hash is not allowed...
first mask the hash

second, it seems you are dumping an NT hash (like in hashcatnt), so the mode you are looking for is -m1000

third, delete sum.dude: in front of the hash or use option --username
(06-02-2023, 10:02 AM)Snoopy Wrote: [ -> ]first mask the hash

second, it seems you are dumping an NT hash (like in hashcatnt), so the mode you are looking for is -m1000

third, delete sum.dude: in front of the hash or use option --username

I should have masked - but I did munge it, changing a few characters. Will mask next time, if needed.

I got it working by rebuilding the machine using ubuntu instead of The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali), and using -m1000 and --username.

Also did a bit of searching and found how to get the username and password into a file.

One other question - I've searched a bit, but can't seem to find an explanation for output that shows a format of

$HEX[xxxxxxxxxx34303a29]

Would that be someone using upper ASCII/ALT-gray characters, or is it a glitch in the output, or something else?

Thanks for the help.

Kurt
This mostly happens when the cracked pass contains a : as this is used as separator for hash:salt:pass. In your case use https://www.rapidtables.com/convert/numb...ascii.html for converting the data between the [] to get your plaintext.

Funny, your posted last hex converts to -> 40:)
So that's why the output is converted to hex
Just change some hashchars to XX to show people that this hash is masked, munge? is not visible when using possible hex values
(06-05-2023, 09:37 PM)Snoopy Wrote: [ -> ]Just change some hashchars to XX to show people that this hash is masked, munge? is not visible when using possible hex values

Thanks for your help. I did finally find reference on the $HEX output. Likely, as noted in that article it's a bible quote.
https://sensepost.com/blog/2020/nthashes-and-encodings/

I'll do some more searching on how best to convert to en-US output.

Kurt
you can use an explicit outfile --outfile (see options) together with option --outfile-autohex-disable, this will result in a UTF-8 formatted outfile where you can "see" the plain pw like John:10:10 or German umlauts like öäü, output in a potfile will always use HEX[] when there is a : (and maybe other special chars) in the cracked password as this char/sign is used as separator
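Added example (not part of the thread, and not hashcat's own code): a small Python reader for `hash:plain` or `user:hash:plain` lines that decodes the $HEX[...] wrapper discussed above. The function names, the order of candidate encodings and the sample line with a masked hash are assumptions constructed for illustration.

```python
import re

# A plaintext is written as $HEX[...] when it contains the ':' separator
# or bytes outside printable ASCII; the brackets hold the raw password bytes.
HEX_RE = re.compile(r"^\$HEX\[((?:[0-9a-fA-F]{2})*)\]$")

# Assumption: encodings to try, in order. Adjust for your environment.
ENCODINGS = ("utf-8", "cp1252")


def decode_plain(field):
    """Return (text, encoding_used) for one plaintext field."""
    m = HEX_RE.match(field)
    if not m:
        return field, "literal"          # not wrapped, use as-is
    raw = bytes.fromhex(m.group(1))
    for enc in ENCODINGS:
        try:
            return raw.decode(enc), enc
        except UnicodeDecodeError:
            continue
    # latin-1 maps every byte value, so this last step cannot fail.
    return raw.decode("latin-1"), "latin-1"


def parse_line(line, with_username=False):
    """Split one output line and decode its plaintext.

    Returns (hash, text, enc), or (user, hash, text, enc) when the line
    was produced with --username. Splitting is limited so that a ':'
    inside an unwrapped plaintext stays part of the plaintext.
    """
    expected = 3 if with_username else 2
    fields = line.rstrip("\r\n").split(":", expected - 1)
    if len(fields) != expected:
        raise ValueError("unexpected field count in line: %r" % line)
    text, enc = decode_plain(fields[-1])
    return tuple(fields[:-1]) + (text, enc)


if __name__ == "__main__":
    # Constructed sample line; the hash is masked with X characters.
    sample = "sum.dude:" + "X" * 32 + ":$HEX[34303a29]"
    print(parse_line(sample, with_username=True))
```

The encoding reported alongside each plaintext shows which entries did not decode as UTF-8 and may need a manual check.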
This worked for me:
hashcat -m1000 -a0 --username ~/hashRepo/data.txt ~/hashRepo/realuniq.lst -r ~/hashRepo/rule_them_all.rule
then:
hashcat -m1000 --username --potfile-path ~/.local/share/hashcat/hashcat.potfile --show -o ~/hashRepo/final --outfile-format 2 ~/hashRepo/data.txt

In 3 days, I recovered 305 of 795 hashes, and am trying again with -S -O -w 3 - my hardware is fairly weak, so that's going to take a long time.

Kurt
due to the fact, that it seems your dataset comes from an ActiveDirectory Controller or something similar

take a look at the passes you already cracked, AD comes mostly with some kind of password restrictions like length or used chars, when you get a good idea/guess of that password policy, you can modify your attack to be more effective