Inaccurate number
#1
Hi,

I am new to using hashcat; however, I observed that it does not do what I ask with the command. The output also mentioned that I have fewer hashes in the file. For example, I ran a brute-force attack on 50000 NTLM hashes; the output says that it recovered 7%, which is about 2000/48000 digests. The file has more than 48000, and when I copied and pasted the recovered hashes into an Excel sheet there were more than 2000. So, my question is, why do you think that happened?
 
I also tried to remove duplicates with this command, "sort -u hashfile > unique.txt", and the new file has the original number of hashes <50000>.

My command was for 8 characters, but it recovered passwords with more and less than 8.


Here is my command: "hashcat -m 1000 -a 3 hashfile.txt ?a?a?a?a?a?a?a?a -O".

Thank you.  
#2
Hello, to display the cracked passwords I used the command *hashcat -m 1000 -a 3 hashfile.txt ?a?a?a?a?a?a?a?a -O --show --username*.

Can you please suggest how I can do it with Notepad?

I did not know that I should sort or unique them. Can you please tell me how to sort and unique them?

How do I check if it has space or tabs? 



Thanks for your help
#3
if you use usernames and sort the file, the hashes can still be non-unique.

there could be multiple users having the same password and hash. so the sort -u might not do what you think it does (because it doesn't get rid of the user names and therefore the hashes could still be duplicated).
#4
OK thanks, how do I use Notepad instead of the hash potfile? And how do I sort and unique them?

I used the same command, excluding --show and --username, to crack 8-character passwords. Is it correct? Because it cracked more and less than 8 characters.
#5
--show is not for cracking, it is used to show the already cracked passwords (AFTER cracking)

https://hashcat.net/wiki/doku.php?id=fre...ilpassword



I have no clue why you are talking about notepad... you could use any text editor (notepad++ , vim etc) to open hashcat.potfile.

You could also just look at the hashcat output directly (e.g. the command output in cmd)



the reason for you thinking that the length does not match could come from many misconceptions/facts:
- whitespace could sometimes be very difficult to spot (spaces at the end etc)
- multi-byte characters could be seen as one character, but are multiple bytes
- you might have cracked it with a different command or already before running this current job and therefore the different length comes from different attacks (rule based attacks, dictionary etc)
etc, etc, etc
#6
Thanks, you misunderstood what I meant, or maybe I said it wrong. I used the word excluding before --show --username. I meant this is the command I used to crack 8-character passwords: *hashcat -m 1000 -a 3 hashfile ?a?a?a?a?a?a?a?a -O*, and when I used --show to see the cracked ones I saw passwords with less and more characters.

And how do I sort and unique those hashes please?

I am a little confused: --show shows the cracked passwords, right? Are those cracked passwords considered to be the potfile?
#7
why would you need to unique the hashes ? just for testing ?

again, it depends on if you have usernames within the hash file... a line is not unique unless both the username:hash is unique , but for performance reasons hashcat of course only cares about unique hashes (not about the users).

Since you said that you use --username --show... I expect that you also need to use --username to crack the hashes, right ? I.e. hashcat -m 1000 -O -a 3 --username hashfile ?a?a?a?a?a?a?a?a

--show of course will show ALL the cracks, not only the ones from the last cracking job... therefore it could be that you are seeing all cracks that you cracked with other attacks/jobs
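Added example (not written by anyone in this thread): a shell sketch of the two checks raised in #3, #5 and #7, namely why `sort -u` on lines with usernames does not give the unique-hash count, and how to spot trailing whitespace or multi-byte characters in cracked plaintexts. It assumes `username:hash` lines with no colon in the usernames and a potfile of `hash:plaintext` lines; the function names and all sample data are constructed.

```shell
#!/bin/sh
# Added example. All data below is constructed; the hashes are placeholders.

# Assumed hash file layout: username:hash, one per line, no ':' in usernames.
sample_hashfile() {
cat <<'EOF'
alice:11111111111111111111111111111111
bob:11111111111111111111111111111111
carol:22222222222222222222222222222222
alice:11111111111111111111111111111111
dave:33333333333333333333333333333333
EOF
}

# What `sort -u` compares: whole lines, so alice and bob stay separate.
count_unique_lines() { sort -u | wc -l | tr -d ' '; }

# Unique hashes only: drop the username field, fold case, deduplicate.
count_unique_hashes() {
  cut -d: -f2 | tr 'A-F' 'a-f' | sort -u | wc -l | tr -d ' '
}

# Assumed potfile layout: hash:plaintext (the plaintext may contain ':').
sample_potfile() {
  printf '11111111111111111111111111111111:Passw0rd\n'
  printf '22222222222222222222222222222222:summer \n'
  printf '33333333333333333333333333333333:p\303\244sswort\n'
}

# Per plaintext: byte length, number of non-ASCII bytes, trailing space/tab.
audit_plaintexts() {
  TAB=$(printf '\t')
  while IFS= read -r line; do
    plain=${line#*:}                       # strip up to the first ':'
    bytes=$(printf '%s' "$plain" | wc -c | tr -d ' ')
    high=$(printf '%s' "$plain" | LC_ALL=C tr -d '\000-\177' | wc -c | tr -d ' ')
    case $plain in
      *" "|*"$TAB") ws=yes ;;
      *) ws=no ;;
    esac
    echo "bytes=$bytes nonascii=$high trailing_ws=$ws"
  done
}

echo "unique lines:  $(sample_hashfile | count_unique_lines)"
echo "unique hashes: $(sample_hashfile | count_unique_hashes)"
sample_potfile | audit_plaintexts
```

On a real file, replace the `sample_*` functions with `cat yourfile` (a hypothetical name) piped into the same functions.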
#8
Thanks, I just want to know how to unique them, as I mentioned before I am new to it.

Yes, I have usernames within the hashfile. My cracked hashes show that I have hashes with the same password. No, I do not put --username when running a job. I only add it when I want to know which user has his password cracked.

You are right, the recovered numbers in the output mean unique hashes and username. I used the command you gave me to get the numbers I cracked, and I used the same command but replaced show with left, and I added these numbers. The total is what is in the file. So, thanks again.

When doing a mask attack, do I always have to specify the number of characters? I ask that because I want to know if I can run an attack to crack all the hashes in the file instead of only 8 characters ones.
#9
(12-13-2019, 11:36 PM)Allia Wrote: When doing a mask attack, do I always have to specify the number of characters? I ask that because I want to know if I can run an attack to crack all the hashes in the file instead of only 8 characters ones.

Implement increment into your command. 

example:

Code:
hashcat -a 3 -m 1000 -i --increment-min 1 --increment-max 8 hashlist  ?a?a?a?a?a?a?a?a

This will attempt everything from 1-8 characters using all lowercase, uppercase, digits, and special characters. Change the min and max values to fit your liking and adjust the MAX length of your mask.
#10
Thank you for the answer. I am trying to run a hybrid attack, and it gives an error: "integer overflow detected in keyspace of wordlist: my wordlist"

I saw a past thread that had a similar issue, but his was with a mask, not a dictionary. Below is my command.

Hashcat -m 1000 -a 6 hashfile.txt dictionarryfile.txt ?a?a?a?a?a?a?a?a -O

I do not want to do anything against your rules here. I am aware that I should not create duplicates, but as you can see my issue is not the exact same thing. And I do not know if I should open a new thread or post it here. If I do anything wrong, please let me know so that I can fix it, because I am not here to make noise but to learn.