nOOb help
#8
all values from the output of your command you run on macOS are base64 encoded and they need to be base64-decoded and hex-encoded

on linux (and most likely also on macOS) you can do something like this:

Code:
echo [base64text] | base64 --decode | xxd -p | tr -d '\n'


where the [base64text] is the input you want to base64-decode (with base64 --decode) and hex-encode (with xxd). All new lines need to be removed of course (with tr -d '\n' for instance).

(btw: you could in theory use online converters instead of running the command line command from above, but because the intermediate steps are binary you really need a base64 to hexadecimal converter. I prefer using the command line. This also has the advantage that you are doing everything locally (on your command line) and won't need to send your maybe sensitive data to any online service)

if you have really cracked the hash you would see something like this:

Code:
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts

on your status display (when you hit 's' while hashcat is running or within the output after hashcat has quit)

My assumption is that you are confusing this line with:

Code:
Candidates.#1....: $Hex[2321676f7468] -> $Hex[042a0337c2a156616d6f732103]

this line, instead, does only display *some* candidates that hashcat is *trying*, but this doesn't mean that they were successful in cracking the hash. You can consider these passwords as just some "random" password that hashcat is currently testing.

If you instead really cracked a hash you will see Recovered 1/1 (100%) and see the crack (hash:password pair) directly in your hashcat output (at the beginning of the line and *not* within the status display), e.g. something like this:

Code:
$ml$32894$f75ad5635a1bad19b0ae22efd80f1765a....:[password]

where the $ml$... string will of course be the correct hash and instead of [password] there will be the successfully cracked plain text password.

If this didn't happen, you didn't crack the hash!

you can also test (or let's call it double check) if the hash was already cracked by running --show (of course you must also double check if the crack that will be outputted is really the *same* hash and not some other test hash etc).

Code:
hashcat -m 7100 --show hash.txt

btw: hashcat will actually also refrain from cracking hashes again if they were already cracked and therefore are present in your .potfile (the default .potfile is called hashcat.potfile, the session name can be changed with --session). This means that you could, alternatively, also look into the hashcat.potfile to see if the hash was already cracked (it's a normal text file and you could open it with any text editor, notepad++ etc).


Finally, I would highly recommend that you test your whole cracking process with an account/plist/hash for which you know the password. If you know the password you can test if all of your steps are correct by testing them on the hash for which you know the password.
Again, the only particular steps with this hash mode are that you need to use hexadecimal characters for the salt and entropy/digests and that the entropy shouldn't be longer than 128 hexadecimal characters and therefore you should/need to truncate it to 64 bytes (64 * 2 = 128 and therefore only use the first 128 hexadecimal characters from the start of "entropy")
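The conversion steps described in the post above (base64-decode, hex-encode, keep only the first 128 hexadecimal characters of the entropy), as an added example that is not part of the original post or of hashcat. The function names `b64_to_hex` and `build_ml_hash` are hypothetical, the sample salt and entropy are constructed, `od` is used in place of the post's `xxd`, and the field order `$ml$<iterations>$<salt>$<entropy>` is the mode 7100 hash layout.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and all sample
# values are constructed for illustration.

# Print the decoded bytes of a base64 string as one line of lowercase hex.
# Returns status 1 if the input is not valid base64.
b64_to_hex() {
    clean=$(printf '%s' "$1" | tr -d ' \t\r\n')   # plist values may be wrapped
    printf '%s' "$clean" | base64 --decode >/dev/null 2>&1 || return 1
    printf '%s' "$clean" | base64 --decode | od -An -v -tx1 | tr -d ' \n'
}

# build_ml_hash ITERATIONS SALT_BASE64 ENTROPY_BASE64
# Prints one line for hash.txt: $ml$<iterations>$<salt hex>$<entropy hex>
build_ml_hash() {
    case $1 in
        ''|*[!0-9]*) echo "iterations must be a decimal number" >&2; return 1 ;;
    esac
    salt_hex=$(b64_to_hex "$2") || { echo "salt: invalid base64" >&2; return 1; }
    entropy_hex=$(b64_to_hex "$3") || { echo "entropy: invalid base64" >&2; return 1; }
    [ -n "$salt_hex" ] || { echo "salt is empty" >&2; return 1; }
    # Only the first 64 bytes (128 hex characters) of the entropy are used.
    if [ "${#entropy_hex}" -lt 128 ]; then
        echo "entropy decodes to fewer than 64 bytes" >&2
        return 1
    fi
    entropy_hex=$(printf '%s' "$entropy_hex" | cut -c1-128)
    printf '$ml$%s$%s$%s\n' "$1" "$salt_hex" "$entropy_hex"
}

# Constructed input: salt = 00 01 02 03; entropy = 63 x 00, then 01 ff ff
# (66 bytes, so the trailing ff ff has to be cut off by the truncation).
sample_entropy=""
i=0
while [ "$i" -lt 21 ]; do
    sample_entropy="${sample_entropy}AAAA"
    i=$((i + 1))
done
sample_entropy="${sample_entropy}Af//"

build_ml_hash 32894 'AAECAw==' "$sample_entropy"
```

Running the same function on the values of an account whose password is known gives a hash line that can be used for the end-to-end test recommended in the post.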


Messages In This Thread
nOOb help - by mh1 - 01-04-2019, 01:19 AM
RE: nOOb help - by philsmd - 01-04-2019, 11:09 AM
RE: nOOb help - by mh1 - 01-04-2019, 01:08 PM
RE: nOOb help - by Banaanhangwagen - 01-04-2019, 04:34 PM
RE: nOOb help - by mh1 - 01-06-2019, 12:17 AM
RE: nOOb help - by Banaanhangwagen - 01-07-2019, 12:32 PM
RE: nOOb help - by mh1 - 01-20-2019, 01:37 AM
RE: nOOb help - by philsmd - 01-20-2019, 10:03 AM
RE: nOOb help - by mh1 - 01-21-2019, 12:49 AM
RE: nOOb help - by Jefferson - 01-21-2019, 01:12 PM
RE: nOOb help - by mh1 - 01-22-2019, 10:28 PM
RE: nOOb help - by undeath - 01-23-2019, 12:20 PM
RE: nOOb help - by mh1 - 01-26-2019, 11:53 PM