+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Developer (https://hashcat.net/forum/forum-39.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-40.html)
+--- Thread: Hashes that don't work well with --remove (/thread-12210.html)
Hashes that don't work well with --remove - ZerkerEOD - 11-02-2024
I was hoping to get a list of hashes that do not work well with --remove. Right now, I know if I try to feed hashcat a hashlist using --remove with hashes straight from something like an NTDS file, it errors out. I was hoping to try and get a list of hashes that do not work well with it for future reference. Please let me know if you know of any particular hashes/formats that do not work well with the --remove option.
Side note, I am trying to automate some stuff and having it error is not good. Trying to find a list that I can then warn if used.
RE: Hashes that don't work well with --remove - Chick3nman - 11-02-2024
This really should not be happening with any modes, what error are you seeing?
RE: Hashes that don't work well with --remove - ZerkerEOD - 11-04-2024
Chick3nman, I get the "Use of --remove is not supported in native hashfile-format mode." error. The hash is a straight pull from NTDS which looks like 'Administrator:500:LM:NT::: (status=Enabled)'. Without the --remove though, it handles the hash fine. Also if I remove everything after the last colon i.e. (status=Enabled), I still get the error.
RE: Hashes that don't work well with --remove - Chick3nman - 11-05-2024
Ahhh, this is for the special file format handling for NT:LM and shadow files. If you want to avoid that issue, you need to load the hashes in their raw format, so just the NT hash alone, or LM hash alone. Only NT, LM, and a few of the crypt(3) hashes are capable of alternative file formats like that. Specifically meant to allow loading of pwdump and shadow file formats. This is a convenience feature but I would suggest simply parsing the hashes into their individual formats instead to avoid behavior like this.
RE: Hashes that don't work well with --remove - ZerkerEOD - 11-06-2024
(11-05-2024, 01:55 AM)Chick3nman Wrote: Ahhh, this is for the special file format handling for NT:LM and shadow files. If you want to avoid that issue, you need to load the hashes in their raw format, so just the NT hash alone, or LM hash alone. Only NT, LM, and a few of the crypt(3) hashes are capable of alternative file formats like that. Specifically meant to allow loading of pwdump and shadow file formats. This is a convenience feature but I would suggest simply parsing the hashes into their individual formats instead to avoid behavior like this.
That is what I was figuring. Do you know of a list of hashes that have different formats that don't work well with --remove?
RE: Hashes that don't work well with --remove - Chick3nman - 11-07-2024
There is no list but it should really only be those few mentioned. Perhaps the left over binary file formats as well.