Posts: 9
	Threads: 2
	Joined: Oct 2018
Hello Guys,
I am writing a thesis reviewing the security of Windows systems, starting with the LM hash.
To show the weakness of the LM algorithm I created a 14-character random password without numbers.
The first part I successfully obtained with the help of rainbow tables, and now I want to obtain the second part.
The netntlm.pl script, which uses John, is much too slow for it. It ran for 8 hours until I cancelled it.
So I first created a file with all upper/lower case possibilities (with echo {a,A}.. etc.).
The benchmark says that I have the power to calculate 11873 MH/s (AMD R9 390).
My calculation is that hashcat should be able to crack the remaining 7 chars in under an hour:
85 (-10 numbers)^7 / 11873000000 H/s = time in seconds
85^7 / 11873000000 = 2700 s
passwordpossibilites.txt = all lower/uppercase possibilities of M%RFOFT
But when I start the hybrid attack
hashcat64.exe -m 5500 hash.txt -a 6 passwordpossibilites.txt ?a?a?a?a?a?a?a
the status said that it would take 26 years.
I then tried the example hash for NetLMv1 from the wiki. Pure brute-forcing is done in seconds, and when I try a hybrid attack it takes 189 days.
test.txt simply contains an 'h' (first capital of 'hashcat')
hashcat64.exe -m 5500 hash.txt -a 6 test.txt ?a?a?a?a?a?a
What am I doing wrong? I'm confused. I also tried to create "more work", as the program suggests:
hashcat64.exe -a 6 test.txt ?a?a?a?a?a?a | hashcat64.exe -m 5500 hash.txt
but then the estimated time is always 0 sec.
I hope someone can help me here.
Greetings
Marsupilami
	Posts: 2,301
	Threads: 11
	Joined: Jul 2010
		10-26-2018, 03:35 PM 
(This post was last modified: 10-26-2018, 03:40 PM by undeath.)
You are doing something weird. Why are you using -a6 with a 7-char mask when you're trying to crack an LM hash? The plaintext cannot be longer than 7 chars. -a6 is only fast if your left side has enough candidates. Piping is the best solution. To check your speed, just check if hashcat's speed matches your expectation.
(10-26-2018, 03:30 PM) Marsupilami Wrote: but then the estimated time is always 0 sec.
When piping candidates hashcat cannot calculate the estimated time.
	Posts: 9
	Threads: 2
	Joined: Oct 2018
(10-26-2018, 03:35 PM) undeath Wrote: You are doing something weird. Why are you using -a6 with a 7-char mask when you're trying to crack an LM hash? The plaintext cannot be longer than 7 chars.
(10-26-2018, 03:30 PM) Marsupilami Wrote: but then the estimated time is always 0 sec.
When piping candidates hashcat cannot calculate the estimated time.
Ah ok, that's confusing, yes I see..
What I want to do:
The plaintext password (of course I know it) is M%rFofT!:W$u.M
The first part M%RFoFT I got with rainbow tables. Because of the design of the LM algorithm it's all uppercase:
M%RFOFT
Unfortunately hashcat doesn't support the old NetLM algorithm, so I have to crack the NetNTLM part of it, which is case sensitive.
So I created a text file with all possibilities as described above and want to brute-force the remaining 7 chars ?a?a?a?a?a?a?a so that I get the 14-char NTLMv1 password
hashcat -a 6 (hybrid attack dict+mask) possibilities.txt ?a?a?a?a?a?a?a -m 5500 (NetNTLMv1)
I expect something like this:
M%RFoFTsH!:KI%
	Posts: 2,301
	Threads: 11
	Joined: Jul 2010
See my edit above; piping (as you were already doing) is the correct approach.
	Posts: 9
	Threads: 2
	Joined: Oct 2018
Ok, my dictionary has 128 entries with all possibilities of that word. I think that's not enough, or?
"To check your speed just check if hashcat's speed matches your expectation."
Do you mean that I just have to wait that hour to prove my expectation and use that piping?
hashcat64.exe -a 6 possibilities.txt ?a?a?a?a?a?a?a | hashcat64.exe -m 5500 hash.txt
	Posts: 9
	Threads: 2
	Joined: Oct 2018
Hi again,
after 35 min hashcat finished, but without success. It says "Exhausted".
It seems that it only uses the first entry from the dictionary of 128 entries, M%RFOFT. How can I tell hashcat that it should use the remaining entries too?
Entries of possibilities.txt:
M%RFOFT
m%RFOFT
M%RFOFT
M%rFOFT
M%RfOFT
M%RFoFT
M%RFOfT
M%RFOFt
m%RFOFT
m%rFOFT
m%RfOFT
m%RFoFT
m%RFOfT
m%RFOFt
M%rFOFT
M%RfOFT
M%RFoFT
M%RFOfT
M%RFOFt
M%rfOFT
M%rFoFT
M%rFOfT
M%rFOFt
M%RfoFT
M%RfOfT
M%RfOFt
M%RFofT
M%RFoFt
M%RFOft
m%rFOFT
....
I used the following command (modified for less keyspace, without numbers):
hashcat64.exe -a 6 possibilities.txt -1 ?l?u?s ?1?1?1?1?1?1?1 --stdout | hashcat64.exe -m 5500 hash.txt
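An added example (not from the thread and not hashcat's own code) that reproduces in Python what the left side of this pipe produces: the case variants of the LM-recovered half, the candidate stream that -a 6 with --stdout emits, and the keyspace behind the 2700 s estimate in the opening post. The function names (case_variants, expand, hybrid_candidates, keyspace, eta_seconds) are my own; the charset contents are hashcat's built-ins.

```python
import itertools
import math

# hashcat's built-in charsets: ?s has 33 symbols, so ?l?u?s is 85 and ?a is 95
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGIT = "0123456789"
SPECIAL = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
CHARSETS = {"?l": LOWER, "?u": UPPER, "?d": DIGIT, "?s": SPECIAL,
            "?a": LOWER + UPPER + DIGIT + SPECIAL}

def case_variants(word):
    """Every upper/lower spelling of a half recovered from an LM hash (LM
    upper-cases the plaintext); non-letters like '%' get no variants."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return sorted({"".join(p) for p in itertools.product(*choices)})

def expand(mask, sets):
    """One alphabet per mask position: '?x' is a charset, anything else a literal."""
    out, i = [], 0
    while i < len(mask):
        if mask[i:i + 2] in sets:
            out.append(sets[mask[i:i + 2]]); i += 2
        else:
            out.append(mask[i]); i += 1
    return out

def charsets(custom1=None):
    """Built-in charsets plus ?1 built from a -1 definition such as ?l?u?s."""
    sets = dict(CHARSETS)
    if custom1:
        sets["?1"] = "".join(expand(custom1, sets))
    return sets

def hybrid_candidates(left_words, mask, custom1=None):
    """What `hashcat -a 6 dict mask --stdout` emits: each dictionary entry
    followed by every expansion of the mask, left side varying slowest."""
    positions = expand(mask, charsets(custom1))
    for left in left_words:
        for tail in itertools.product(*positions):
            yield left + "".join(tail)

def keyspace(left_count, mask, custom1=None):
    """Candidates the hybrid attack must try: |dict| * product of alphabet sizes."""
    return left_count * math.prod(len(a) for a in expand(mask, charsets(custom1)))

def eta_seconds(candidates, hashes_per_second):
    """Run time at a benchmark rate; the thread's 11873 MH/s is 11873e6."""
    return candidates / hashes_per_second
```

case_variants("M%RFOFT") yields 64 distinct entries (the list above repeats some spellings, e.g. M%RFOFT and m%RFOFT), and keyspace(64, "?1?1?1?1?1?1?1", "?l?u?s") / 11873e6 gives the run time for the whole dictionary rather than for a single entry.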
	Posts: 2,301
	Threads: 11
	Joined: Jul 2010
It should have used all the possibilities. You can check that by examining the output of the first command on its own.
	Posts: 9
	Threads: 2
	Joined: Oct 2018
10-27-2018, 05:58 PM
(This post was last modified: 10-27-2018, 06:38 PM by Marsupilami. Edit Reason: further checks and corrections)
Hi, unfortunately hashcat doesn't use all possibilities but only the first entry.
When I paste the correct first half in the first place it successfully gets the password. When the correct one is somewhere else, hashcat says Exhausted. I confirmed this behaviour with many passwords and I'm still confused.
Greetings
Edit:
Hi, I checked the first output and, as you expected, it creates all possibilities; however, the second part after the pipe only uses the first entry. Without the pipe it is working.
hashcat64.exe -a 6 possibilities.txt -1 ?l?u?s ?1?1?1?1?1?1?1 --stdout => creates all possibilities
hashcat64.exe -a 6 possibilities.txt -1 ?l?u?s ?1?1?1?1?1?1?1 --stdout | hashcat64.exe -m 5500 hash.txt => only uses the first entry => Exhausted
hashcat64.exe -m 5500 -a 6 hash.txt possibilities.txt -1 ?l?u?s ?1?1?1?1?1?1?1 => works
	Posts: 2,266
	Threads: 16
	Joined: Feb 2013
		10-27-2018, 09:12 PM 
(This post was last modified: 10-27-2018, 09:15 PM by philsmd.)
This sounds very strange and I'm pretty sure that it doesn't behave like you think it behaves.
How would the second process even know when the "second" word from possibilities.txt begins? It has no information about the words. The second command only runs everything it gets as input.
I think there are many ways to troubleshoot this, e.g. using a "cat" or "type" command as the first part of your pipe, instead of the stdout command.
You should also test with the newest beta version of hashcat from https://hashcat.net/beta just to make sure, and probably also test older versions from https://hashcat.net/hashcat
You should also look carefully at your status prompt (hashcat output). Maybe you have a lot of rejected password candidates (there is a line for that too)?
	Posts: 9
	Threads: 2
	Joined: Oct 2018
10-27-2018, 09:59 PM
(This post was last modified: 10-27-2018, 10:05 PM by Marsupilami. Edit Reason: corrections)
(10-27-2018, 09:12 PM) philsmd Wrote: This sounds very strange and I'm pretty sure that it doesn't behave like you think it behaves.
How would the second process even know when the "second" word from possibilities.txt begins? It has no information about the words. The second command only runs everything it gets as input.
I think there are many ways to troubleshoot this, e.g. using a "cat" or "type" command as the first part of your pipe, instead of the stdout command.
You should also test with the newest beta version of hashcat from https://hashcat.net/beta just to make sure, and probably also test older versions from https://hashcat.net/hashcat
You should also look carefully at your status prompt (hashcat output). Maybe you have a lot of rejected password candidates (there is a line for that too)?
I think it has something to do with the stdout command. When I remove it and just pipe to cat I get the error "Token length exception". On the beta version I have the same behaviour. It's difficult for me to split the commands, because -a 6 (hybrid attack) expects a hash file, so I get the token length exception. But I want to start the cracking process in the second part after the pipe to create more work, and the first part of the pipe should just create the candidates.
I tried with PRINCE and maskprocessor, but unfortunately it doesn't work.
My thought was that the princeprocessor reads in the dictionary and the maskprocessor adds the remaining characters, and then hashcat uses the result as input for cracking.
pp64.exe possibilities.txt | mp64.exe ?a?a?a?a?a?a?a | cat
I would expect something like
M%RFOFtafDK!%A, but when I cat the result I just get the output of mp64.exe: tafDK!%A