Mix of single and multi byte in wordlist
#1
Hi,

Royce has written a good post ( https://security.stackexchange.com/quest...-passwords ) to deal with accented letters, german here.

i am wondering how to deal with wordlists and rules  ; no -a 3 mode.

Should I convert all my items from my german wordlist to hexadecimal and then specify --hex-charset ?
Or is there another way to deal with accented letters in wordlists  ? Which are a mix of single and multi byte.

Thank you.
#2
multibyte wordlists with rules are an open problem. Your wordlists will just work but rules will still only modify single bytes. Converting to hex or whatever is not going to solve that limitation.
#3
You can add utf-8 german umlauts by using two function calls:

Quote:root@ht:~/hashcat# cat rule
$\xc3 $\xa4
root@ht:~/hashcat# echo test | ./hashcat --stdout -r rule
testä
#4
(06-23-2018, 11:29 AM)undeath Wrote: multibyte wordlists with rules are an open problem. Your wordlists will just work but rules will still only modify single bytes. Converting to hex or whatever is not going to solve that limitation.

To be sure to well understand you, if for example :

Example #1:
- Password of my WPA capture is "éatonávo"
- This word is inside my wordlist, encoded into UTF-8
Am I able to recover this password straight forward ?


Example #2:
- Password of my WPA capture is "éatonávo123"
- The wordlist includes "éatonávo", and I add a rule to add '123' at the end.
Do you mean the rule will not generate "éatonávo123" ?

Thank you for this clarification.
#5
Both your cases will work. What will not work is for example rule "T0" to change the word to "Éatonávo".
#6
OK got it.

By the way, I just figure out that WPA-Personal has a limitation conerning accented letters : "passphrase of 8 to 63 printable ASCII characters" : meaning it's not possible to enter 'é' or 'à', right ?
#7
From technical perspective there's no problem with utf8 used with PBKDF2 (the KDF of WPA/WPA2). The same goes with passwords < length 8. If a client or AP ignores the policies from WPA on passwords it's possible to use them.