+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Finding all the collisions for a given hash (/thread-5861.html)
Finding all the collisions for a given hash - jj - 09-11-2016
I'm brute forcing crc32 check sums and they have many collisions. For e.g. following strings have the same crc32.
[.ERM*]
[B6In]
[^y#Hz]
[cho "]
So, is there a way that I can get all the collisions for a given checksum?
Currently hashcat gives only the first one in the results
I'm executing this -
Code:
hashcat64.exe -a 3 -m 11500 hashes.txt ?a?a?a?a?aRE: Finding all the collisions for a given hash - royce - 09-11-2016
I don't know of a way to do this with hashcat today.
But the "jumbo" edition of John the Ripper has a "hidden" option (--keep-guessing) that will do this.
For CRC32, the source file has to be assembled in a particular way, as documented here:
http://openwall.info/wiki/john/hash-formats
Here is a working example.
$ cat crc32.hash
user_x:$crc32$00000000.bb0e6e9b:::dummy
$ ./john --fork=4 --format=crc32 --keep-guessing crc32.hash
Using default input encoding: UTF-8
Loaded 1 password hash (CRC32 [CRC32 32/64 CRC-32C SSE4.2])
Node numbers 1-4 of 4 (fork)
Note: Will keep guessing even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
dhtchm (user_x)
ikiotid (user_x)
B6In (user_x)
... etc. Adjust the "fork" value for your number of CPUs/cores, of course.
RE: Finding all the collisions for a given hash - jj - 09-11-2016
(09-11-2016, 06:43 AM)royce Wrote: I don't know of a way to do this with hashcat today.
But the "jumbo" edition of John the Ripper has a "hidden" option (--keep-guessing) that will do this.
For CRC32, the source file has to be assembled in a particular way, as documented here:
http://openwall.info/wiki/john/hash-formats
Here is a working example.
$ cat crc32.hash
user_x:$crc32$00000000.bb0e6e9b:::dummy
$ ./john --fork=4 --format=crc32 --keep-guessing crc32.hash
Using default input encoding: UTF-8
Loaded 1 password hash (CRC32 [CRC32 32/64 CRC-32C SSE4.2])
Node numbers 1-4 of 4 (fork)
Note: Will keep guessing even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
dhtchm (user_x)
ikiotid (user_x)
B6In (user_x)
... etc. Adjust the "fork" value for your number of CPUs/cores, of course.
Is there a way by which we can resume the hashcat from where it stopped when it cracked the hash?
I'm getting this error when trying to use restore :/
ERROR: Restore file '<directory>/hashcat.restore': No such file or directory
RE: Finding all the collisions for a given hash - jj - 09-11-2016
I made a python script to do the work.
Code:
import re
import subprocess
import math
import os
with open('hashes.txt','r') as f:
hashes=f.readlines()
hashes=list(map(str.strip,hashes))
def status(hash):
with open(hash[:8]+'.txt','r')as f:
lines=f.readlines()
for line in lines:
if re.match('Status\.\.\.\.\.\.\.\.\.: \w*',line):
s=re.match('Status\.\.\.\.\.\.\.\.\.: \w*',line).group()
break
print s[17:]
if s[17:]=='Exhausted':
return 0
else:
return 1
def offset(hash):
keyspace=int(subprocess.check_output(['hashcat64.exe', '-a' ,'3' ,'-m' ,'11500','--keyspace','?a?a?a?a?a']))
print int(keyspace)
with open(hash[:8]+'.txt','r')as f:
lines=f.readlines()
for line in lines:
if re.match('Progress\.\.\.\.\.\.\.:.*',line):
progress=re.match('Progress\.\.\.\.\.\.\.: .*',line).group()
progress=float(progress[-8:].strip(' ()%'))/100
break
print progress
off=int(math.ceil(progress*keyspace))
return off
def cracks(hash):
with open(hash[:8]+'.txt','r')as f:
lines=f.readlines()
for line in lines:
if re.search(re.escape(hash)+'.*',line):
crack=re.search(re.escape(hash)+'.*',line).group()
break
return crack
def main():
for hash in hashes:
print hash
f1=open(hash[:8]+' cracked.txt','a')
subprocess.call(['hashcat64.exe', '-a' ,'3' ,'-m' ,'11500',hash, '?a?a?a?a?a' ,'--potfile-disable'],stdout=open(str(hash[:8])+'.txt','w'))
f1.write(cracks(hash)+'\n')
while (status(hash)):
off=offset(hash)
print(off)
subprocess.call(['hashcat64.exe', '-a' ,'3' ,'-m' ,'11500','-s',str(off),hash, '?a?a?a?a?a' ,'--potfile-disable'],stdout=open(str(hash[:8])+'.txt','w'))
try:
f1.writelines(cracks(hash)+'\n')
except:
print 'Exhausted'
os.remove(str(hash[:8])+'.txt')
if __name__ == '__main__':
main() RE: Finding all the collisions for a given hash - royce - 09-11-2016
When using masks, hashcat uses the same sequence of passwords every time.
I haven't read your script thoroughly, but how does the script teach hashcat that it shouldn't just stop at the first one it finds every time? Just disabling the potfile would not be sufficient, I think.
Are you successfully getting collisions with this wrapper?
RE: Finding all the collisions for a given hash - royce - 09-11-2016
Ah, you're using the offset - nice!
RE: Finding all the collisions for a given hash - jj - 09-11-2016
(09-11-2016, 04:39 PM)royce Wrote: Ah, you're using the offset - nice!
Yep, the script worked. I was able to get all the collisions. It uses the -s option. I'm calculating the offset by multiplying progress % to keyspace. This is done until the keyspace is exhausted.
RE: Finding all the collisions for a given hash - atom - 09-12-2016
You can do what --keep-guessing is doing by adding OPTS_TYPE_PT_NEVERCRACK to the hashconfig->opts_type for mode 11500 in src/interface.c
RE: Finding all the collisions for a given hash - jj - 09-12-2016
(09-12-2016, 12:22 AM)atom Wrote: You can do what --keep-guessing is doing by adding OPTS_TYPE_PT_NEVERCRACK to the hashconfig->opts_type for mode 11500 in src/interface.c
Adding an option would be nice for future?
RE: Finding all the collisions for a given hash - atom - 09-12-2016
If you want it added as option please open an issue on github