€-Symbol with Command ?b - HashGov - 06-16-2020

Hello everyone, my first post 😊

If I enter:

mp64.exe ?b -o Test.txt

in the maskprocessor, the Test.txt also contains the euro symbol (€).

If I now want to crack the password (one euro symbol / NTLM-Hash: 030926B781938DB4365D46ADC7CFBCB8) with the command:

hashcat.exe -m 1000 -a 3 hash.txt ?b

that doesn't work. Why?

Thx


RE: €-Symbol with Command ?b - undeath - 06-16-2020

First, € is a utf-8 multibyte symbol and cannot be cracked on any hash mode with ?b. You'd need to use ?b?b?b. Second, NTLM uses utf-16 and hashcat does some very naive charset conversion that can only handle ascii.


RE: €-Symbol with Command ?b - HashGov - 06-16-2020

Hi undeath,

OK, I understand.
Thank you for your prompt reply.

Best.


RE: €-Symbol with Command ?b - undeath - 06-16-2020

You can use the MD4 hash mode to crack your hash:

Code:
./hashcat -m900 030926B781938DB4365D46ADC7CFBCB8 euro.txt --encoding-from=utf8 --encoding-to=utf16le



RE: €-Symbol with Command ?b - philsmd - 06-16-2020

That's actually the funny and at the same time very difficult part of encoding.
The euro sign € can also be represented by just one byte in other encodings, for instance ISO8859-15 has 0xa4 as a currency sign, see https://en.wikipedia.org/wiki/Currency_sign_(typography), https://en.wikipedia.org/wiki/ISO/IEC_8859-1#ISO/IEC_8859-15.

That's probably why you see the euro sign in the maskprocessor output. But of course 1 byte passwords (euro sign ISO8859-15 encoded) are not the same as 3 bytes (UTF8) passwords.

So yeah, undeath pretty much explained it perfectly... your hash was generated with more than 1 byte (for utf16le, as used by NTLM, it's actually 2 bytes 0xac20!)

So now we know 0xa4 (ISO8859-15), 0xe282ac (UTF8) and 0xac20 (UTF16LE) all represent the "same" euro sign. This just shows how confusing encoding is.
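
Added example, not part of the thread and not hashcat code: a Python sketch that builds the byte strings MD4 would see for each way of feeding the euro sign discussed above and checks them against the posted hash. The MD4 routine follows RFC 1320; `naive_utf16le` is an assumed model of the "naive" conversion (each byte zero-extended to 16 bits), and all function names are hypothetical.

```python
import struct

MASK = 0xFFFFFFFF
# (round function, additive constant, rotate amounts, word order) per RFC 1320
ROUNDS = (
    (lambda b, c, d: (b & c) | (~b & d), 0, (3, 7, 11, 19), range(16)),
    (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (hashlib's md4 is often disabled in OpenSSL 3 builds)."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, shifts, order in ROUNDS:
            for i, k in enumerate(order):
                t = (a + f(b, c, d) + x[k] + const) & MASK
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def ntlm(password: str) -> str:
    """NTLM = MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()

def naive_utf16le(raw: bytes) -> bytes:
    """Assumed model of the 'naive' conversion: zero-extend every byte."""
    return b"".join(bytes((byte, 0)) for byte in raw)

EURO = "\u20ac"
TARGET = "030926b781938db4365d46adc7cfbcb8"  # hash posted in the thread

def md4_inputs() -> dict:
    """Byte strings MD4 would see for each way of feeding the euro sign."""
    enc = {name: EURO.encode(name) for name in ("iso8859-15", "utf-8", "utf-16-le")}
    return {
        "?b as ISO8859-15, naive widen": naive_utf16le(enc["iso8859-15"]),
        "?b?b?b as UTF-8, naive widen": naive_utf16le(enc["utf-8"]),
        "real UTF-16LE (the -m 900 route)": enc["utf-16-le"],
    }

def matching_inputs(target_hex: str = TARGET) -> list:
    """Labels of the inputs whose MD4 digest equals the target hash."""
    return [k for k, raw in md4_inputs().items() if md4(raw).hex() == target_hex.lower()]
```

Calling `matching_inputs()` lists which of the three byte strings reproduces the posted hash; `md4_inputs()` shows that neither naively widened form equals the two bytes 0xac20.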