Encoding: Recovered password seems wrong
#1
Hello,
I want to understand how hashcat handles multibyte character encoding.

my OS: Ubuntu 22.04.1
hashcat: v6.2.6

I made a simple test with "aá" and the NTLM hash:
$ echo -n "aá" | iconv -f UTF-8 -t UTF-16LE | openssl dgst -md4 -provider legacy
8fdba81f5a363a5b13c653cbe1325d60 (confirmed with https://crackstation.net/)

In UTF-16LE (used on Windows and NTLM) "aá" has a total of 4 bytes:
$ echo -n "aá" | iconv -f UTF-8 -t UTF-16LE | xxd
00000000: 6100 e100

So, I was expecting this command to work (brute force with 4 bytes):
hashcat -m1000 -a3 8fdba81f5a363a5b13c653cbe1325d60 ?b?b?b?b
but it results in "Recovered: 0" (zero) 😒

However, this one works (notice: only 2 bytes):
hashcat -m1000 -a3 8fdba81f5a363a5b13c653cbe1325d60 ?b?b
and it displays this as solution: $HEX[61e1] (which is wrong, it should be 6100 e100) 🤔

Why is the 4-byte attack not working?
Is the 2-byte solution showing a result on a different encoding (other than UTF-8, or UTF-16LE)?
Reply


Messages In This Thread
Encoding: Recovered password seems wrong - by digicromo - 01-12-2023, 05:32 PM