I guess this is just because you didn't test with the correct password candidate.
hashcat only tries the passwords that you tell it to run.
Maybe this specific hash is harder to crack and you need to use some rules (-r) or use a small mask attack (-a 3).
btw: the hash from the hostapd-wpe github project: https://github.com/OpenSecurityResearch/...#L120-L130 i.e. formatted like this (masked with X)
password: bradtest
... cracks perfectly fine!
this also doesn't use any client challenge, but it still cracks perfectly fine.
You could also easily set up a test system and try to create and dump your own hashes, but I guess it's better to just keep cracking
BTW: I think my answers above (I just noticed it now) could be a little bit confusing about when the domain is used within the algorithm... only -m 5600 (netntlmv2) uses the domain within the algorithm (while -m 5500 does not):
see https://github.com/hashcat/hashcat/blob/...pm#L33-L34
hashcat only tries the passwords that you tell it to run.
Maybe this specific hash is harder to crack and you need to use some rules (-r) or use a small mask attack (-a 3).
btw: the hash from the hostapd-wpe github project: https://github.com/OpenSecurityResearch/...#L120-L130 i.e. formatted like this (masked with X)
Code:
jdslfkjs::::2d00XXXX5606XXdXXXX0fXXc86be1XXXX04ca8240XX7cf0:bcXX6cXXXX3926epassword: bradtest
... cracks perfectly fine!
this also doesn't use any client challenge, but it still cracks perfectly fine.
You could also easily set up a test system and try to create and dump your own hashes, but I guess it's better to just keep cracking
BTW: I think my answers above (I just noticed it now) could be a little bit confusing about when the domain is used within the algorithm... only -m 5600 (netntlmv2) uses the domain within the algorithm (while -m 5500 does not):
see https://github.com/hashcat/hashcat/blob/...pm#L33-L34