Confusion regarding output from Get-ADReplAccount
hashcat Forum (https://hashcat.net/forum) - Thread: /thread-11448.html

Confusion regarding output from Get-ADReplAccount - Kurt-MT - 06-01-2023

First time using hashcat, and am having difficulty getting it to work.

This command:

    Get-ADReplAccount -All -Server dc1 | Format-Custom -View hashcatnt | Out-File -FilePath c:\temp\data.txt -Encoding ascii

yields output like this:

    sum.dude:3ff966736c064feafdba792a0e02c099

I'm getting two error messages, depending on the commands used.

"Separator unmatched" from these commands:

    hashcat -m1100 -a0 --username ./data.txt ./rockyou.txt
    hashcat -m2100 -a0 --username ./data.txt ./rockyou.txt
    hashcat -m2100 -a0 ./data.txt ./rockyou.txt

"Token length exception" from this command:

    hashcat -m1100 -a0 ./data.txt ./rockyou.txt

I've verified that there are no spaces in data.txt. I copied the opened data.txt file in Notepad++, then pasted it into a vi document on my The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) box.

So, questions:
1) Is the output from Get-ADReplAccount in DCCS or DCCS2 format (or something else)?
2) How do I massage the file to get it running?

Thanks,
Kurt

RE: Confusion regarding output from Get-ADReplAccount - lapsikmees - 06-01-2023

Your hash looks like MD5. You need to remove useless stuff from the hash for hashcat; look up the hash examples. Also, posting hashes is not allowed...

RE: Confusion regarding output from Get-ADReplAccount - Snoopy - 06-02-2023

first, mask the hash
second, it seems you are dumping an NT hash (like in hashcatnt), so the mode you are looking for is -m1000
third, delete sum.dude: in front of the hash or use option --username

RE: Confusion regarding output from Get-ADReplAccount - Kurt-MT - 06-05-2023

(06-02-2023, 10:02 AM) Snoopy Wrote: first mask the hash

I should have masked - but I did munge it, changing a few characters. Will mask next time, if needed.

I got it working by rebuilding the machine using ubuntu instead of The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali), and using -m1000 and --username.
Also did a bit of searching and found how to get the username and password into a file.

One other question - I've searched a bit, but can't seem to find an explanation for output that shows a format of $HEX[xxxxxxxxxx34303a29]

Would that be someone using upper ASCII/ALT-gray characters, or is it a glitch in the output, or something else?

Thanks for the help.
Kurt

RE: Confusion regarding output from Get-ADReplAccount - Snoopy - 06-05-2023

This mostly happens when the cracked pass contains a : as this is used as separator for hash:salt:pass.

In your case use https://www.rapidtables.com/convert/number/hex-to-ascii.html for converting the data between the [] to get your plaintext.

Funny, your posted last hex converts to -> 40:)

So that's why the output is converted to hex.

RE: Confusion regarding output from Get-ADReplAccount - Snoopy - 06-05-2023

Just change some hashchars to XX to show people that this hash is masked, munge? is not visible when using possible hex values

RE: Confusion regarding output from Get-ADReplAccount - Kurt-MT - 06-09-2023

(06-05-2023, 09:37 PM) Snoopy Wrote: Just change some hashchars to XX to show people that this hash is masked, munge? is not visible when using possible hex values

Thanks for your help.

I did finally find reference on the $HEX output. Likely, as noted in that article, it's a bible quote.
https://sensepost.com/blog/2020/nthashes-and-encodings/

I'll do some more searching on how best to convert to en-US output.

Kurt

RE: Confusion regarding output from Get-ADReplAccount - Snoopy - 06-13-2023

(06-09-2023, 05:44 PM) Kurt-MT Wrote:
(06-05-2023, 09:37 PM) Snoopy Wrote: Just change some hashchars to XX to show people that this hash is masked, munge? is not visible when using possible hex values

you can use an explicit outfile --outfile (see options) together with option --outfile-autohex-disable, this will result in a utf-8 formatted outfile where you can "see" the plain pw like John:10:10 or german umlauts like öäü, output in a potfile will always use HEX[] when there is a : (and maybe other special chars) in the cracked password as this char/sign is used as separator

RE: Confusion regarding output from Get-ADReplAccount - Kurt-MT - 06-13-2023

This worked for me:

    hashcat -m1000 -a0 --username ~/hashRepo/data.txt ~/hashRepo/realuniq.lst -r ~/hashRepo/rule_them_all.rule

then:

    hashcat -m1000 --username --potfile-path ~/.local/share/hashcat/hashcat.potfile --show -o ~/hashRepo/final --outfile-format 2 ~/hashRepo/data.txt

In 3 days, I recovered 305 of 795 hashes, and am trying again with -S -O -w 3 - my hardware is fairly weak, so that's going to take a long time.

Kurt

RE: Confusion regarding output from Get-ADReplAccount - Snoopy - 06-14-2023

due to the fact that it seems your dataset comes from an ActiveDirectory Controller or something similar, take a look at the passes you already cracked. AD comes mostly with some kind of password restrictions like length or used chars; when you get a good idea/guess of that password policy, you can modify your attack to be more effective
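
The $HEX[] wrapping discussed in the thread can be undone offline when reviewing password-audit results. The following is an added example, not code from the thread or from hashcat; it assumes result lines in a `user:hash:plain` layout for mode 1000, and the function names, sample hashes and the UTF-8 then cp1252 fallback order are illustrative assumptions.

```python
import re

# Matches a whole field of the form $HEX[<even number of hex digits>].
HEX_WRAPPED = re.compile(r"^\$HEX\[((?:[0-9a-fA-F]{2})*)\]$")

def decode_plain(field, encodings=("utf-8", "cp1252")):
    """Return the plaintext for one result field.

    Fields that are not $HEX[]-wrapped are returned unchanged. Wrapped
    fields are hex-decoded, then tried against each encoding in order
    (assumed order: UTF-8 first, then Windows-1252 for legacy input).
    """
    m = HEX_WRAPPED.match(field)
    if m is None:
        return field
    raw = bytes.fromhex(m.group(1))
    for enc in encodings:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    # latin-1 maps every byte, so this never raises; it keeps the
    # bytes visible for manual review when nothing else fits.
    return raw.decode("latin-1")

def parse_show_line(line):
    """Split an assumed 'user:hash:plain' line into its three fields.

    Only the first two ':' are separators: the NT hash is a fixed
    32 hex characters, so anything after the second ':' belongs to
    the plaintext, even when it contains ':' itself.
    """
    user, nt_hash, plain = line.rstrip("\r\n").split(":", 2)
    return user, nt_hash, decode_plain(plain)

# Constructed sample lines; the hashes are placeholders, not real values.
SAMPLE = [
    "user.a:" + "00" * 16 + ":$HEX[34303a29]",      # bytes quoted in the thread
    "user.b:" + "11" * 16 + ":John:10:10",          # autohex disabled
    "user.c:" + "22" * 16 + ":$HEX[fc6265723a31]",  # not valid UTF-8
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_show_line(entry))
```
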