08-27-2011, 09:09 PM
While conducting a pentest, I needed to crack a super-admin hash, so I ran oclHashcat-plus on a small wordlist with very efficient rules. No luck.
Just to be sure, I gave John the Ripper a shot, as it does not have exactly the same mangling rules as hashcat. The password turned out to be admin123admin123.
The reason why oclHashcat-plus did not crack it is because it truncates every password candidate to 15 characters, whatever the hash type.
IMHO, users should be aware of this limitation. Maybe a warning statement when oclHashcat starts (among the startup info lines), or somewhere in the --help output, would be truly beneficial for everyone.
Cheers