hashcat Forum
What am I doing wrong? - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: What am I doing wrong? (/thread-13307.html)

What am I doing wrong? - tccmartist - 07-05-2025

I'm working my way through a module on HTB.  One of the questions is a crack a MD5 hash.  I was using hashcat on Windows instead of my linux VM so I'd have the benefit of the GPU (I'm impatient).  The hash would not crack though.  Even once I viewed the solution and tried the exact command.  I then tried running in the linux VM using CPU and the hash cracked.  What did I do wrong?

Output running from windows:
Code:
C:\hashcat-6.2.6>hashcat -a 3 -m 0 1e293d6X12d074X0fdXX844XX03X00dd '?u?l?l?l?l?d?s'
hashcat (v6.2.6) starting

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
CUDA API (CUDA 12.9)
====================
* Device #1: NVIDIA GeForce RTX 4060, 7099/8187 MB, 24MCU

OpenCL API (OpenCL 3.0 CUDA 12.9.90) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 4060, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1475 MB

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 1e293d6X12d074X0fdXX844XX03X00dd
Time.Started.....: Sat Jul 05 14:08:17 2025 (0 secs)
Time.Estimated...: Sat Jul 05 14:08:17 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: '?u?l?l?l?l?d?s' [9]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10853.3 MH/s (5.25ms) @ Accel:256 Loops:338 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 3920854080/3920854080 (100.00%)
Rejected.........: 0/3920854080 (0.00%)
Restore.Point....: 5800080/5800080 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:338-676 Iteration:0-338
Candidate.Engine.: Device Generator
Candidates.#1....: 'Exuzq4 ' -> 'Zvqxq6{'
Hardware.Mon.#1..: Temp: 75c Fan: 31% Util: 98% Core:2745MHz Mem:8251MHz Bus:8

Started: Sat Jul 05 14:08:15 2025
Stopped: Sat Jul 05 14:08:19 2025

Output running from linux VM:
Code:
# hashcat -a 3 -m 0 1e293d6X12d074X0fdXX844XX03X00dd '?u?l?l?l?l?d?s'
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz, 6943/13950 MB (2048 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Cracking performance lower than expected?               

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

1e293d6X12d074X0fdXX844XX03X00dd:MXXXX5!                 
                                                         
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 1e293d6X12d074X0fdXX844XX03X00dd
Time.Started.....: Sat Jul  5 13:29:28 2025 (8 secs)
Time.Estimated...: Sat Jul  5 13:29:36 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?u?l?l?l?l?d?s [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 62513.3 kH/s (1.29ms) @ Accel:1024 Loops:32 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 469696512/3920854080 (11.98%)
Rejected.........: 0/469696512 (0.00%)
Restore.Point....: 24576/223080 (11.02%)
Restore.Sub.#1...: Salt:0 Amplifier:6112-6144 Iteration:0-32
Candidate.Engine.: Device Generator
Candidates.#1....: Brlrg9! -> Dikyt8_
Hardware.Mon.#1..: Util: 36%

Started: Sat Jul  5 13:29:15 2025
Stopped: Sat Jul  5 13:29:37 2025


RE: What am I doing wrong? - penguinkeeper - 07-05-2025

Cmd doesn't recognise the single quotes, only double quotes, so it's trying the literal string of 'MXXXXX5!' (with the quotes) instead of MXXXXX5!. So either exchange them for double quotes " or use powershell, which does recognise single quotes

Candidates.#1....: 'Exuzq4 ' -> 'Zvqxq6{'

RE: What am I doing wrong? - tccmartist - 07-06-2025

(07-05-2025, 10:04 PM)penguinkeeper Wrote: Cmd doesn't recognise the single quotes, only double quotes, so it's trying the literal string of 'MXXXXX5!' (with the quotes) instead of MXXXXX5!. So either exchange them for double quotes " or use powershell, which does recognise single quotes

Candidates.#1....: 'Exuzq4 ' -> 'Zvqxq6{'

That did it.  Thanks!  I knew it was going to be something stupid and simple.