how is --hex-wordlist supposed to function?
#1
I'm playing around with accented characters in passwords, which inevitably results in multi-byte characters. Doing some reading, it looked like using the --hex-wordlist option would take care of this, but the candidate hex doesn't look anything like the wordlist hex.

For the word otoño:

Code:
hashcat-5.1.0$ xxd test

0000000: 6f74 6fc3 b16f 0a                        oto..o.

Code:
~/hashcat-5.1.0$ ./hashcat64.bin -m 1000 BC4A371BBA2211148EBCDEE649C561FC test -w 4 -O --hex-wordlist
...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: bc4a371bba2211148ebcdee649c561fc
Time.Started.....: Fri May 10 14:21:57 2019 (0 secs)
Time.Estimated...: Fri May 10 14:21:57 2019 (0 secs)
Guess.Base.......: File (test)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#3.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#4.........:     4922 H/s (0.01ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#*.........:     4922 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#4...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: [Copying]
Candidates.#2....: [Copying]
Candidates.#3....: [Copying]
Candidates.#4....: $HEX[8d9e38] -> $HEX[8d9e38]
Hardware.Mon.#1..: Temp: 37c Fan: 27% Util: 42% Core:1657MHz Mem:4513MHz Bus:16
Hardware.Mon.#2..: Temp: 42c Fan: 27% Util: 42% Core:1657MHz Mem:4513MHz Bus:16
Hardware.Mon.#3..: Temp: 44c Fan: 28% Util: 42% Core:1657MHz Mem:4513MHz Bus:16
Hardware.Mon.#4..: Temp: 41c Fan: 27% Util: 42% Core:1657MHz Mem:4513MHz Bus:16

Started: Fri May 10 14:21:49 2019
Stopped: Fri May 10 14:21:59 2019
Reply
#2
as the name of the option suggests, it expects all lines in the wordlist to be hex-encoded. What exactly did you expect the option to "take care of"?
Reply
#3
I see, I misunderstood. However, I changed to hex encoding, then ran it again. The candidates are correct this time, but the crack still failed.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: bc4a371bba2211148ebcdee649c561fc
Time.Started.....: Fri May 10 15:12:49 2019 (1 sec)
Time.Estimated...: Fri May 10 15:12:50 2019 (0 secs)
Guess.Base.......: File (test)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     4379 H/s (0.01ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#3.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#4.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#*.........:     4379 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#4...: Salt:0 Amplifier:0-0 Iteration:0-1
Candidates.#1....: otoño -> otoño
Reply
#4
indeed that doesn't seem to work.

Code:
echo 'otoño' | hashcat -m 1000 bc4a371bba2211148ebcdee649c561fc
and
Code:
echo 'otoño' | hashcat -m 1000 bc4a371bba2211148ebcdee649c561fc --encoding-from=utf-8

can't crack the hash.

but you can work around it using mode 900:
Code:
echo 'otoño' | hashcat -m 900 bc4a371bba2211148ebcdee649c561fc --encoding-from=utf-8 --encoding-to=utf-16le
this will crack the hash

No idea how to get mode 1000 to work correctly though.
Reply
#5
(05-10-2019, 08:26 PM)undeath Wrote:
Code:
echo 'otoño' | hashcat -m 900 bc4a371bba2211148ebcdee649c561fc --encoding-from=utf-8 --encoding-to=utf-16le
this will crack the hash

It does indeed, but comes out as: bc4a371bba2211148ebcdee649c561fc:$HEX[6f0074006f00f1006f00]
which is some sort of two-byte unicode (UCS-2?). Is there a switch to convert it to an unencoded form?

I've tried various mashups of iconv and xxd, but none give it back correctly (mangles the ñ)
Reply
#6
as the command line indicates, this is utf-16le.

Code:
echo 6f0074006f00f1006f00 | xxd -r -p | iconv --from=utf-16le
Reply
#7
(05-10-2019, 10:31 PM)undeath Wrote: as the command line indicates, this is utf-16le.

Code:
echo 6f0074006f00f1006f00 | xxd -r -p | iconv --from=utf-16le

That worked, thanks!
Reply