oclHashcat-plus silently truncates password candidates to 15 characters
While conducting a pentest, I needed to crack a super-admin hash, so I ran oclHashcat-plus on a small wordlist with very efficient rules. No luck.

Just to be sure, I gave John the Ripper a shot, as it does not have exactly the same mangling rules as hashcat. The password turned out to be admin123admin123.

The reason why oclHashcat-plus did not crack it is because it truncates every password candidate to 15 characters, whatever the hash type.

IMHO, users should be aware of this limitation. Maybe a warning statement when oclHashcat starts (among the startup info lines), or somewhere in the --help output, would be truly beneficial for everyone.

Cheers


Messages In This Thread
oclHashcat-plus silently truncates password candidates to 15 characters - by lanjelot - 08-27-2011, 09:09 PM