Posts: 3
Threads: 1
Joined: Jul 2013
07-31-2013, 05:01 AM
(This post was last modified: 07-31-2013, 05:02 AM by feedworks.)
I am new to hashcat and trying to do a simple experiment.
I generated a hash using the following:
echo -n "abcd" | openssl dgst -sha1 -hmac 1234
It generated a hash:
8717c25d45b7c48e66d917255c6e5b9e15edc46c
I would like to use hashcat to break this. How will I do it?
I tried using the following and it gives me an error: line length exception
hashcat-cli64.bin -m150 -a3 hashfile outputfile
I have the above mentioned hash in the hashfile.
I also have a GPU but I am NOT running oclHashcat-plus.
I really appreciate any help.
Posts: 76
Threads: 8
Joined: Feb 2013
The hash is not formatted correctly. See:
https://hashcat.net/wiki/doku.php?id=example_hashes
That command is also wrong. outfile should be replaced with a mask. See:
http://hashcat.net/wiki/doku.php?id=mask_attack
In this case a mask of ?l?l?l?l should crack it.
I could be wrong but you might want mode 160 instead. Not sure.
Posts: 2,267
Threads: 16
Joined: Feb 2013
Code:
$ cat dict.txt
abcd
$ cat m0160.txt # masked
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c:1234
$ ./hashcat-cli64.bin --quiet -m 160 m0160.txt dict.txt
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c:1234:abcd
Posts: 3
Threads: 1
Joined: Jul 2013
(07-31-2013, 06:01 PM)philsmd Wrote: Code:
$ cat dict.txt
abcd
$ cat m0160.txt # masked
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c:1234
$ ./hashcat-cli64.bin --quiet -m 160 m0160.txt dict.txt
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c:1234:abcd
What should I do if I only know the hash? Is it possible to break? I know the hash is generated using SHA1 HMAC and length of the key and length of the plain text.
Thanks for your reply.
Posts: 2,267
Threads: 16
Joined: Feb 2013
07-31-2013, 06:58 PM
(This post was last modified: 07-31-2013, 06:59 PM by philsmd.)
Of course that is not good for attacking the hash, if you miss important information (the salt/key in general is known).
You could try to generate a list of salts (e.g. w/ maskprocessor and a suitable mask) and use this output (say "dict") as an external salt file (-e). In this way you search for the correct salt + bruteforce etc the password.
It is clear that this takes way longer than knowing the salt!
Posts: 3
Threads: 1
Joined: Jul 2013
From one of the earlier replies - "In this case a mask of ?l?l?l?l should crack it."
Where will I put that mask? Will it be part of dict.txt in our example?
Thanks,
Satish
Posts: 4
Threads: 0
Joined: Aug 2013
Satish and I are working together on a school project. I have a quick question: what if it is a truncated hash? Instead of having the full hash, we know the message and the truncated hash. Say we know abcd as the message, and let's say we are limited in the hash length so only 8717 is available as the hash value. Would that improve the performance of hashcat in possibly finding collisions and keys that would provide the same resultant hash?
Posts: 2,267
Threads: 16
Joined: Feb 2013
Try it this way:
0. Check if the hash file is correct:
Code:
$ cat m0160.txt #masked
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c
1. Generate external salts list (file: external_salts.txt):
Code:
$ ./hashcat-cli64.bin --stdout -a 3 ?d?d?d?d > external_salts.txt
2. Launch hashcat w/ whatever attack mode you want (but use -e external_salts.txt):
Code:
$ ./hashcat-cli64.bin --quiet -m 160 -e external_salts.txt m0160.txt --pw-min 4 -a 3 ?l?l?l?l
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c:1234:abcd
Note: I am not totally sure if HMAC-SHA1 (160) + external salts (-e) were supposed to work so far, but I know that next version of cpu hashcat has support for it (I just tested it)
Posts: 76
Threads: 8
Joined: Feb 2013
08-01-2013, 03:05 AM
(This post was last modified: 08-01-2013, 03:06 AM by Mangix.)
(08-01-2013, 12:17 AM)feedworks Wrote: From one of the earlier replies - "In this case a mask of ?l?l?l?l should crack it."
Where will I put that mask? Will it be part of dict.txt in our example?
Thanks,
Satish
In the command you posted, replace outfile with ?l?l?l?l.
edit: understand that -a 3 is a mask attack. -a 0 is a dictionary attack.
Quote: Satish and I are working together on a school project. I have a quick question: what if it is a truncated hash? Instead of having the full hash, we know the message and the truncated hash. Say we know abcd as the message, and let's say we are limited in the hash length so only 8717 is available as the hash value. Would that improve the performance of hashcat in possibly finding collisions and keys that would provide the same resultant hash?
There's a higher chance of getting a collision assuming a random distribution. As for actually improving performance... probably not. At best you could get false positives.
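Added example, not part of the thread and not hashcat code: the truncated-hash question measured directly, counting how many keys still match as the HMAC-SHA1 tag is cut shorter. It assumes the thread's message abcd and key 1234, a key space of all 4-digit keys (the same set as the ?d?d?d?d list), and uses Python's standard hmac module in place of hashcat.

```python
import hashlib
import hmac
from itertools import product
from string import digits

MESSAGE = b"abcd"   # known message, as in the thread
TRUE_KEY = b"1234"  # key given to `openssl dgst -sha1 -hmac` in the thread


def tag(key: bytes, msg: bytes) -> str:
    """Full 40-hex-character HMAC-SHA1 tag."""
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def candidate_keys(prefix: str, msg: bytes = MESSAGE) -> list[str]:
    """All 4-digit keys whose tag over msg starts with the given hex prefix."""
    hits = []
    for combo in product(digits, repeat=4):
        key = "".join(combo)
        if tag(key.encode(), msg).startswith(prefix):
            hits.append(key)
    return hits


def expected_false_positives(hex_chars: int, keyspace: int = 10**4) -> float:
    """Wrong keys expected to match by chance if tags are uniformly random."""
    return keyspace / 16**hex_chars


def survivors_by_truncation(lengths=(2, 4, 8, 40)) -> dict[int, list[str]]:
    """Map truncated-tag length (in hex chars) to the keys that still match."""
    full = tag(TRUE_KEY, MESSAGE)
    return {n: candidate_keys(full[:n]) for n in lengths}


if __name__ == "__main__":
    for n, keys in survivors_by_truncation().items():
        print(f"{n:2d} hex chars ({4 * n:3d} bits): {len(keys):3d} matching key(s), "
              f"~{expected_false_positives(n):.4g} expected by chance")
```

The work per candidate key is one full HMAC-SHA1 computation whatever the truncation length, so a shorter tag only changes how many wrong keys pass the comparison, not how fast the search runs.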
Posts: 4
Threads: 0
Joined: Aug 2013
(08-01-2013, 02:22 AM)philsmd Wrote: Try it this way:
0. Check if the hash file is correct:
Code:
$ cat m0160.txt #masked
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c
1. Generate external salts list (file: external_salts.txt):
Code:
$ ./hashcat-cli64.bin --stdout -a 3 ?d?d?d?d > external_salts.txt
2. Launch hashcat w/ whatever attack mode you want (but use -e external_salts.txt):
Code:
$ ./hashcat-cli64.bin --quiet -m 160 -e external_salts.txt m0160.txt --pw-min 4 -a 3 ?l?l?l?l
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c:1234:abcd
Note: I am not totally sure if HMAC-SHA1 (160) + external salts (-e) were supposed to work so far, but I know that next version of cpu hashcat has support for it (I just tested it)
I tried the command:
Code:
./hashcat-cli64.bin --stdout -a 3 ?d?d?d?d > external_salts.txt
Unfortunately the redirection to external_salts.txt was actually outputting the EULA from hashcat and did not generate the salts. This was due to hashcat expecting an input from the user (i.e. accepting the EULA). I removed the redirection and let the salts output to the screen and just manually did a copy-paste into external_salts.txt.
Afterwards when running the command:
Code:
$ ./hashcat-cli64.bin --quiet -m 160 -e external_salts.txt m0160.txt --pw-min 4 -a 3 ?l?l?l?l
8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c:1234:abcd
I received the following error:
Skipping line 8717XXX45b7cXXX66d9XXX55c6e5b9eXXXXc46c (line length exception)
No hashes loaded.
Any further assistance and guidance is greatly appreciated.