hashcat Forum

Full Version: how is --hex-wordlist supposed to function?
I'm playing around with accented characters in passwords, which inevitably results in multi-byte characters. Doing some reading, it looked like using the --hex-wordlist option would take care of this, but the candidate hex doesn't look anything like the wordlist hex.

For the word otoño:

Code:
hashcat-5.1.0$ xxd test

0000000: 6f74 6fc3 b16f 0a                        oto..o.

Code:
~/hashcat-5.1.0$ ./hashcat64.bin -m 1000 BC4A371BBA2211148EBCDEE649C561FC test -w 4 -O --hex-wordlist
...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: bc4a371bba2211148ebcdee649c561fc
Time.Started.....: Fri May 10 14:21:57 2019 (0 secs)
Time.Estimated...: Fri May 10 14:21:57 2019 (0 secs)
Guess.Base.......: File (test)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#3.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#4.........:     4922 H/s (0.01ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#*.........:     4922 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#4...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: [Copying]
Candidates.#2....: [Copying]
Candidates.#3....: [Copying]
Candidates.#4....: $HEX[8d9e38] -> $HEX[8d9e38]
Hardware.Mon.#1..: Temp: 37c Fan: 27% Util: 42% Core:1657MHz Mem:4513MHz Bus:16
Hardware.Mon.#2..: Temp: 42c Fan: 27% Util: 42% Core:1657MHz Mem:4513MHz Bus:16
Hardware.Mon.#3..: Temp: 44c Fan: 28% Util: 42% Core:1657MHz Mem:4513MHz Bus:16
Hardware.Mon.#4..: Temp: 41c Fan: 27% Util: 42% Core:1657MHz Mem:4513MHz Bus:16

Started: Fri May 10 14:21:49 2019
Stopped: Fri May 10 14:21:59 2019
as the name of the option suggests, it expects all lines in the wordlist to be hex-encoded. What exactly did you expect the option to "take care of"?
I see, I misunderstood. However, I changed it to hex encoding, then ran it again. The candidates are correct this time, but the crack still failed.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: bc4a371bba2211148ebcdee649c561fc
Time.Started.....: Fri May 10 15:12:49 2019 (1 sec)
Time.Estimated...: Fri May 10 15:12:50 2019 (0 secs)
Guess.Base.......: File (test)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     4379 H/s (0.01ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#3.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#4.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#*.........:     4379 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#4...: Salt:0 Amplifier:0-0 Iteration:0-1
Candidates.#1....: otoño -> otoño
indeed that doesn't seem to work.

Code:
echo 'otoño' | hashcat -m 1000 bc4a371bba2211148ebcdee649c561fc
and
Code:
echo 'otoño' | hashcat -m 1000 bc4a371bba2211148ebcdee649c561fc --encoding-from=utf-8

can't crack the hash.

but you can work around it using mode 900:
Code:
echo 'otoño' | hashcat -m 900 bc4a371bba2211148ebcdee649c561fc --encoding-from=utf-8 --encoding-to=utf-16le
this will crack the hash

No idea how to get mode 1000 to work correctly though.
(05-10-2019, 08:26 PM)undeath Wrote: [ -> ]
Code:
echo 'otoño' | hashcat -m 900 bc4a371bba2211148ebcdee649c561fc --encoding-from=utf-8 --encoding-to=utf-16le
this will crack the hash

It does indeed, but comes out as: bc4a371bba2211148ebcdee649c561fc:$HEX[6f0074006f00f1006f00]
which is some sort of two-byte unicode (UCS-2?). Is there a switch to convert it to an unencoded form?

I've tried various mashups of iconv and xxd, but none give it back correctly (mangles the ñ)
as the command line indicates, this is utf-16le.

Code:
echo 6f0074006f00f1006f00 | xxd -r -p | iconv --from=utf-16le
(05-10-2019, 10:31 PM)undeath Wrote: [ -> ]as the command line indicates, this is utf-16le.

Code:
echo 6f0074006f00f1006f00 | xxd -r -p | iconv --from=utf-16le

That worked, thanks!
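
The byte forms that come up in this thread, as an added example (not code from any poster or from hashcat): the hex of the UTF-8 word, its UTF-16LE form, and the decoding of the `$HEX[...]` result. All function names are hypothetical, and the byte-wise widening in `widen_bytes` is an assumption about why a UTF-8 candidate can miss under -m 1000, not something the thread confirms.

```python
import re

# $HEX[...] wrapper hashcat prints around plaintexts, as seen in the thread.
HEX_FIELD = re.compile(r"\$HEX\[((?:[0-9a-fA-F]{2})*)\]")


def hex_wordlist_line(word, encoding="utf-8"):
    """Hex-encode one candidate in the chosen byte encoding."""
    return word.encode(encoding).hex()


def decode_plain(field, encoding="utf-16le"):
    """Decode a $HEX[...] plaintext; pass any other field through unchanged."""
    m = HEX_FIELD.fullmatch(field)
    if m is None:
        return field
    return bytes.fromhex(m.group(1)).decode(encoding)


def split_result(line):
    """Split a 'hash:plain' result line at the first colon."""
    digest, _, plain = line.rstrip("\r\n").partition(":")
    return digest, plain


def widen_bytes(raw):
    """Zero-extend every byte to a 16-bit little-endian unit (assumed behaviour)."""
    return b"".join(bytes((b, 0)) for b in raw)


if __name__ == "__main__":
    word = "oto\u00f1o"  # the word from the thread, with U+00F1 for the accented n
    # Result line as posted in the thread.
    result = "bc4a371bba2211148ebcdee649c561fc:$HEX[6f0074006f00f1006f00]"
    digest, plain = split_result(result)
    print("utf-8 hex     :", hex_wordlist_line(word))
    print("utf-16le hex  :", hex_wordlist_line(word, "utf-16le"))
    print("bytes widened :", widen_bytes(word.encode("utf-8")).hex())
    print("decoded result:", digest, decode_plain(plain))
```

The widened UTF-8 bytes contain `c300b100` where real UTF-16LE has `f100`, so the two inputs differ for any non-ASCII character.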