Expected bcrypt input format and terminal input
#1
I'm looking at cracking one of my own passwords that's been leaked. From the looks of it, it was leaked but never cracked. It was too difficult for the attackers. For starters, it's hashed with bcrypt, and it's a very strong password that they knew nothing about. But I happen to know the password since it's my password. So I want to give it a go with Hashcat, to educate myself on cracking bcrypt.

For the sake of example, it looks something like this:
Code:
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6

No need to google this, this is not my actual hash. I took this from Hashcat example list. Mine is a 2y variant with cost of 10.

1. The first 22 chars (after last dollar) is salt?
2. The remaining 31 chars is blowfish hash?

I tried with a command like this:
Code:
hashcat -m 3200 -a 0 -O $2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6 ./wordlist

3. Is this the expected format for bcrypt hash parameter?
4. Am I allowed to supply the parameter inline on the terminal like this or do I have to use a file for input?

I have always wondered why Hashcat users create a file just to store a single hash. Is there any reasonable explanation for this? This seems like something you would only want to do when you want to work on two or more hashes.

5. How can I tell Hashcat how long my password is or to tell it what the password is and have it try that?

I have typed in my password in cleartext in the "wordlist" file. Is that the right way to do it?

I requested optimized kernel but got none:
Optimized kernel requested, but not available or not required

6. Is there any list of optimized kernels that Hashcat supports?

The command failed with this error:

Code:
Hash 'j0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6': Separator unmatched
No hashes loaded.

7. What separator matching is it looking for?

This is the 31 char of the string (see above). Although mine doesn't look like this, this is where it's at. Mine includes "/" chars, one at the beginning and one somewhere in the middle or so. Is this throwing off Hashcat in any way? Is it problematic to have these slashes in the string, and do I need to escape them?

Lastly, my hash included additional colon separated bits, ending with semicolon. Something like this:
Code:
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6:01234567890123456789:012345678;

8. What is the significance of these last bits and should they be included in input?

I would appreciate your help with this.
#2
(10-01-2022, 11:30 AM)meow Wrote: I tried with a command like this:

Code:
hashcat -m 3200 -a 0 -O $2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6 ./wordlist

3. Is this the expected format for bcrypt hash parameter?

Yes and no. Yes, if used in a file. No, if used on the command line.

(10-01-2022, 11:30 AM)meow Wrote: 4. Am I allowed to supply the parameter inline on the terminal like this or do I have to use a file for input?

I have always wondered why Hashcat users create a file just to store a single hash. Is there any reasonable explanation for this? This seems like something you would only want to do when you want to work on two or more hashes.

Yes, you can supply the hash in the command line.

See the help section for a hint:

Code:
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

What the help section doesn't give away is that for certain hashes, the command will fail if you supply the hash directly in terminal, on the command line, and your hash contains chars that Hashcat can choke on and you don't format the string correctly to avoid this choking hazard.

As it turns out – in my best ability to understand this – this is exactly the reason why users prefer to use a file, or have simply learned to default to (they don't know a better way) when supplying the hash:

(10-01-2022, 11:30 AM)meow Wrote: The command failed with this error:

Code:
Hash 'j0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6': Separator unmatched
No hashes loaded.

More on this in comments below.

(10-01-2022, 11:30 AM)meow Wrote: 7. What separator matching is it looking for?

This is the 31 char of the string (see above). Although mine doesn't look like this, this is where it's at. Mine includes "/" chars, one at the beginning and one somewhere in the middle or so. Is this throwing off Hashcat in any way? Is it problematic to have these slashes in the string, and do I need to escape them?

I still don't fully understand why it's matching separators or what kind of "separator" it fails to match. But I do know for sure now that something was indeed throwing off Hashcat, and that something is not the slash or slashes, but the dollar chars! As explained by Royce here: https://hashcat.net/forum/thread-8223-po...l#pid44115

Royce suggested escaping the dollar matching by enclosing them in single quote chars. Although I was unable to get lucky with this. Just how do you format it then? Let's have an example please?

But I was able to work my way around this by using a file for input, instead of supplying the hash directly on the command line, even if it's only one hash inside.

(10-01-2022, 11:30 AM)meow Wrote: 5. How can I tell Hashcat how long my password is or to tell it what the password is and have it try that?

I have typed in my password in cleartext in the "wordlist" file. Is that the right way to do it?

I still don't know how to tell Hashcat how long my password is. This is what masks are used for, right? I have not explored masks much and I'm still getting used to this weird syntax.

As for the second part of the question, yes, that's one way to tell Hashcat what the password is or might be and have it try that. You add the password candidate or candidates to a file, often called a "dictionary" or a "wordlist". You also have to specify "straight" as attack mode (another word for dictionary or wordlist).

Following questions still remain. Feel free to pitch in.

(10-01-2022, 11:30 AM)meow Wrote: For the sake of example, it looks something like this:
Code:
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6

No need to google this, this is not my actual hash. I took this from Hashcat example list. Mine is a 2y variant with cost of 10.

1. The first 22 chars (after last dollar) is salt?
2. The remaining 31 chars is blowfish hash?

I requested optimized kernel but got none:
Optimized kernel requested, but not available or not required

6. Is there any list of optimized kernels that Hashcat supports?

Lastly, my hash included additional colon separated bits, ending with semicolon. Something like this:
Code:
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6:01234567890123456789:012345678;

8. What is the significance of these last bits and should they be included in input?

I would appreciate your help with this.
#3
If you put the hash inside quotes, you would be fine doing this in commandline:

hashcat -m 3200 -a 0 -O "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6" ./wordlist

A correctly formatted bcrypt does not contain :something; at the end, so remove that. That's why you get separator unmatched. So everything after the first : should be removed, including the : itself.

If you want to try with the exact password, you can do

hashcat -m 3200 -a 3 "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6" password

If you want to try with a list of words with size limits, you can use an inline rule like this:

hashcat -m 3200 -a 0 "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6" ./wordlist -j ">8"

where >8 means try words greater than 8 chars. Be aware that sizes are given as 0-9 and a-z if bigger than 9.

See also hashcat --help
#4
(10-02-2022, 02:24 PM)b8vr Wrote: If you put the hash inside quotes, you would be fine doing this in commandline:

hashcat -m 3200 -a 0 -O "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6" ./wordlist

A correctly formatted bcrypt does not contain :something; at the end, so remove that. That's why you get separator unmatched. So everything after the first : should be removed, including the : itself.

If you want to try with the exact password, you can do

hashcat -m 3200 -a 3 "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6" password

If you want to try with a list of words with size limits, you can use an inline rule like this:

hashcat -m 3200 -a 0 "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6" ./wordlist -j ">8"

where >8 means try words greater than 8 chars. Be aware that sizes are given as 0-9 and a-z if bigger than 9.

See also hashcat --help

You should always put the hash value in single quotes, not in double quotes, because on Linux/Bash/Zsh everything that starts with a dollar sign, like $2a, $05 or $Lh..., is the name of a local variable. And if it's not defined, it will be empty. Just try it out with: echo "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6" and you will get ... 'a.Kj0jZ0pEmm134uzrQlFvQJLF6'
In double-quoted strings, the local variables will be replaced with their value, in contrast to single-quoted strings, where they will not be replaced. Quick test: 1='double quote'; echo "$1" vs 1='single quote'; echo '$1'
#5
True. I didn't notice it was in Linux. So same answer, but use single quotes instead of double quotes.
Reply
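The quoting and trailing-field points from posts #3 to #5, as an added example that is not part of the original thread: a POSIX sh sketch that strips the colon-separated extras, checks the result against the standard bcrypt layout (22-character salt followed by a 31-character digest), and shows what double quotes do to the same text. The function names and the hash.txt path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (POSIX sh). The sample is the hashcat example hash quoted in the
# thread; the two trailing fields are the constructed ones from post #1.
# Single quotes keep every '$' literal.
leaked='$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6:01234567890123456789:012345678;'

# Drop everything from the first ':' onward; the bcrypt alphabet has no ':'.
strip_extra_fields() { printf '%s\n' "${1%%:*}"; }

# Succeed only for $2<variant>$<2-digit cost>$<22-char salt><31-char digest>.
is_bcrypt() {
    printf '%s\n' "$1" | grep -Eq '^\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# The fourth '$'-separated field holds salt and digest back to back.
bcrypt_salt()   { printf '%s\n' "$1" | cut -d'$' -f4 | cut -c1-22; }
bcrypt_digest() { printf '%s\n' "$1" | cut -d'$' -f4 | cut -c23-; }

# What a program receives when the same text is double-quoted: the shell
# expands the '$...' pieces as parameters (positional ones, plus an unset
# variable whose name runs up to the '.') before the program starts.
double_quoted_form() {
    printf '%s\n' "$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6"
}

# Validate, then write one hash per line to the given path.
write_hashfile() {
    is_bcrypt "$1" || { echo "not a bcrypt string: $1" >&2; return 1; }
    printf '%s\n' "$1" > "$2"
}

clean=$(strip_extra_fields "$leaked")
echo "as leaked     : $leaked"
echo "cleaned       : $clean"
echo "salt / digest : $(bcrypt_salt "$clean") / $(bcrypt_digest "$clean")"
echo "double-quoted : $(double_quoted_form)"
# Either form then reaches hashcat intact (not run here):
#   hashcat -m 3200 -a 0 '<cleaned hash>' ./wordlist
#   write_hashfile "$clean" hash.txt && hashcat -m 3200 -a 0 hash.txt ./wordlist
```

The double-quoted line in the output no longer starts with `$2a$`, which is why the hash has to be single-quoted or read from a file.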