DES Token encoding exception

[Miragui]

I have a problem with this DES hash that gives me a Token encoding exception.

I'm running hashcat with the following command:

hashcat.exe -m 1500 -a 3 -w 3 hash.txt ?a?a?a?a?a?a?a?a -i

It throws the following error:

hashcat (v7.1.2) starting

CUDA API (CUDA 13.0)
====================
* Device #01: NVIDIA GeForce RTX 5090, 30841/32606 MB, 170MCU

OpenCL API (OpenCL 3.0 CUDA 13.0.78) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #02: NVIDIA GeForce RTX 5090, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 8
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashfile 'hash.txt' on line 1 (c6[PGXUxuoBd2): Token encoding exception
No hashes loaded.

Started: Fri Sep 05 09:18:13 2025
Stopped: Fri Sep 05 09:18:14 2025

How can I fix this?

[buka]

"[" isn't part of the DES alphabet.

[Miragui]

"[" isn't part of the DES alphabet.

Do you know what kind of hash it can be then? Because the autodetect won't detect it.

[buka]

What made you think it's a hash at all? Where did you get it?

[Miragui]

What made you think it's a hash at all? Where did you get it?

It's from a Mercedes head unit, it's from the hash table so it is a hash, but maybe some modified hash.

root:c6[PGXUxuoBd2:0:0:0
shell:HJN1iF85dz3Ro:1293840094:0:0
sys:BL0jQTmGRDIn2:1293840106:0:0
nav:3N5kliW2JsKSY:1293840115:0:0
scp:SOCc6dfKiSADw:1293840127:0:0
hmi:WQnGwnojBE0xk:1293840137:0:0
mm:4SU87ZeSfTU06:1293840150:0:0
pdFBT4Q6blglPc:1293840069:0:0
ons:ODkh6Wb74a23I:1293840053:0:0
conn:5BCMEOw32KcrE:1293849462:0:0
pt:6B/B4vvyKqaKU:1293846391:0:0

[buka]

I think it was corrupted at some point, either accidentally or deliberately.

[Miragui]

I think it was corrupted at some point, either accidentally or deliberately.

Must be deliberate then, because I have another device that has the bracket exactly in the same spot in the hash table.

[DanielG]

It is the correct mode, but there is somehow one or more typo's in the first line, because there should not be a [ in it.
The rest of the hashes work (hint, username is password)

[Miragui]

It is the correct mode, but there is somehow one or more typo's in the first line, because there should not be a [ in it.
The rest of the hashes work (hint, username is password)

I don't think it's a typo, this is directly from a flash dump of the device. Here is one that is slightly different but has the bracket in the same location.

root:c6[YgflxsopH3:0:0:0
shell:HJN1iF85dz3Ro:1293840094:0:0
sys:BL0jQTmGRDIn2:1293840106:0:0
nav:3N5kliW2JsKSY:1293840115:0:0
scp:SOCc6dfKiSADw:1293840127:0:0
hmi:WQnGwnojBE0xk:1293840137:0:0
mm:4SU87ZeSfTU06:1293840150:0:0
pd:PFBT4Q6blglPc:1293840069:0:0
ons:ODkh6Wb74a23I:1293840053:0:0
conn:5BCMEOw32KcrE:1293849462:0:0
pt:6B/B4vvyKqaKU:1293846391:0:0
stunnel:R6HiSrByvzzZE:1293842066:0:0

[Chick3nman]

For DEScrypt hashes, the first 2 characters are a "salt" and the following 11 characters are the actual "hash". The resulting outputs should always be 13 characters.

Code:

c6[YgflxsopH3
c6[PGXUxuoBd2

The above outputs are 14 characters long. Both seem to have the same "salt" portion, "c6", followed by a "[" and then a different hash. This would seemingly indicate reuse of the salt but different passwords. All of the other hashes appear to be the correct length and have the same salts and hashes (ignoring the ones that don't appear in both like "stunnel"). This would lead me to believe that the "[" is simply added into the root hash for some reason, possibly to invalidate it or possibly because it follows a noncompliant/different/custom algorithm and format. Best guess would be just to remove the "[" and try both of the root accounts and see if either crack with the salt that's present.

Edit: I made a mistake when checking the lengths of these hashes, my original theory no longer holds up and I'm not sure what these are yet.