10-11-2020, 06:20 PM
no, this is not how it works, you can't brute-force 16 random bytes. You need to apply the full algorithm to your input.
so while -m 2611 is md5 (md5 ($pass) . $salt)
you use a hash list with
hash:$salt_2
and manually construct $pass to be your password candidate concatenated with the $salt_1
of course best or user-fiendliest would be if hashcat would support the whole algorithm with hash:$salt1:$salt2 format, but this is not currently supported and also makes little sense because very few applications use this algo (as far as I know)
so while -m 2611 is md5 (md5 ($pass) . $salt)
you use a hash list with
hash:$salt_2
and manually construct $pass to be your password candidate concatenated with the $salt_1
of course best or user-fiendliest would be if hashcat would support the whole algorithm with hash:$salt1:$salt2 format, but this is not currently supported and also makes little sense because very few applications use this algo (as far as I know)