<![CDATA[hashcat Forum - Feature Requests]]> https://hashcat.net/forum/ Sun, 19 Apr 2026 04:45:41 +0000 MyBB <![CDATA[[oclHashcat-plus] Multiple Dicts in Hybrid Attack]]> https://hashcat.net/forum/thread-2078.html Sat, 16 Feb 2013 15:01:55 +0000 TrAnn3l]]> https://hashcat.net/forum/thread-2078.html
Thanks for reading Wink]]>
Thanks for reading Wink]]> <![CDATA[!!!README FOR BUG/FEATURE REQUESTS!!!]]> https://hashcat.net/forum/thread-2070.html Thu, 14 Feb 2013 00:41:27 +0000 radix]]> https://hashcat.net/forum/thread-2070.html
Search for like bugs before you post a new one.

All bug/feature requests should be logged via Github:

oclHashcat
Hashcat

You will need to create a github account if you do not already have one.

Bug reports should contain AT LEAST:

Operating system and arch: IE
windows 7 x86

Version of the driver installed: IE
Catalyst 12.8

version you are using: IE
hashcat-0.42

The command: IE
hashcat-cli32.exe -m 100 hashes dictionary -g 100

The error: IE
crashes and spits out a bunch of strange code

Attach:
any dumps, or debugging info from the screen, take a screenshot, add clinfo output (for ocl).

Bug reports not following this format will be closed and ignored until posted in the correct format.]]>
Search for like bugs before you post a new one.

All bug/feature requests should be logged via Github:

oclHashcat
Hashcat

You will need to create a github account if you do not already have one.

Bug reports should contain AT LEAST:

Operating system and arch: IE
windows 7 x86

Version of the driver installed: IE
Catalyst 12.8

version you are using: IE
hashcat-0.42

The command: IE
hashcat-cli32.exe -m 100 hashes dictionary -g 100

The error: IE
crashes and spits out a bunch of strange code

Attach:
any dumps, or debugging info from the screen, take a screenshot, add clinfo output (for ocl).

Bug reports not following this format will be closed and ignored until posted in the correct format.]]> <![CDATA[[oclHashcat-lite] WPA/WPA2]]> https://hashcat.net/forum/thread-2026.html Fri, 01 Feb 2013 20:43:12 +0000 Kuci]]> https://hashcat.net/forum/thread-2026.html oclHashcat-lites site we can see, that descrypt has speed of 19400 k c/s on NVidia gtx560Ti, which is as fast as my graphics card.
What do you think ?]]> oclHashcat-lites site we can see, that descrypt has speed of 19400 k c/s on NVidia gtx560Ti, which is as fast as my graphics card.
What do you think ?]]> <![CDATA[Add ntlm v1/v2 challenge respose (netntlm, netntlmv2) support to hashcat plus]]> https://hashcat.net/forum/thread-2011.html Wed, 30 Jan 2013 03:45:41 +0000 vima]]> https://hashcat.net/forum/thread-2011.html
We have been using oclhashcat-plus for several months now to do GPU cracking of passwords obtained during pentests, and it works great!

During this period however, theres one hash type that we continually find ourselves capturing that hashcat doesnt support - NTLM challenge response hashes. We often grab these using something like the SMB capture module from Metasploit, and have always had to resort to using John the Ripper to crack them, as there is no GPU based cracker that we are aware of that will do the job. Attempting to crack these hashes using CPU when you have an 8 GPU system sitting idle is the definition of pain.

Consequently, Id like to request that support be added for NTLM challenge response version 1 and 2 (known in john as netntlm and netntlmv2) in oclHashcat-plus.


References for these protocols are here:
http://en.wikipedia.org/wiki/NTLM
http://davenport.sourceforge.net/ntlm.html

I'll provide a quick summary of the generation of NTLMv1, since that the bit Im most interested in at the moment. Im happy to also do this for NTLMv2 if it will help and youre interested in implementing it.

Hash creation requires a password ('hashcat' in the example below) and a variable 8 byte challenge (0x1122334455667788 is used in the example below) which is provided by the server to the client during the auth process. NTLMv1 usually generates two hashes, one based on LM hashes, and the other based on NTLM ones, although if LM hashes are disabled (e.g. via domain policy) then you wont get anything useful for the LM portion. I'll cover the generation of the NTLM version of the hash below (this is what is implemented as netntlm in john). The generation of the LM hash in NTLMv1 (implemented in john as netlm) is exactlty the same, but uses the LM hash in place of the NTLM one.

Step 1

The client converts the password (hashcat) to a NTLM hash by Unicoding the password and running it though MD4:
Code:
hashcat -> b4b9b02e6f09a9bd760f388b67351e2b

Step 2

5 null bytes are appended to the hash to take it to 21 bytes:
Code:
b4b9b02e6f09a9bd760f388b67351e2b0000000000

Step 3

The value is then split in 3 x 56 bit parts:
Code:
b4b9b02e6f09a9
bd760f388b6735
1e2b0000000000

Step 4

Each 56 bit part is odd parity adjusted to result in 3 x 64 bit parts. (Convert to binary, break into 8 x 7 bit chunks, append an odd parity bit to each chunk to result in 8 x 8 bit chunks. Then concatenate the chunks into 64 bit parts.) :

Code:
b4b9b02e6f09a9 -> b55d6d04e6792652
bd760f388b6735 -> bcba83e6895b9d6b
1e2b0000000000 -> 1f15c10101010101

Step 5

Each of these values is then used as a key to DES encrypt the 8 byte challenge (for this example a value of 1122334455667788 is used) resulting in 3 ciphertext blocks:

Code:
b55d6d04e6792652 KEY-> DES(1122334455667788) -> 51a539e6ee061f64
bcba83e6895b9d6b KEY-> DES(1122334455667788) -> 7cd5d48ce6c68665
1f15c10101010101 KEY-> DES(1122334455667788) -> 3737c5e1de26ac4c

Step 6

The ciphertext blocks are then concatenated together to provide the final result:

Code:
51a539e6ee061f647cd5d48ce6c686653737c5e1de26ac4c


Let me know if any clarification is needed]]>
We have been using oclhashcat-plus for several months now to do GPU cracking of passwords obtained during pentests, and it works great!

During this period however, theres one hash type that we continually find ourselves capturing that hashcat doesnt support - NTLM challenge response hashes. We often grab these using something like the SMB capture module from Metasploit, and have always had to resort to using John the Ripper to crack them, as there is no GPU based cracker that we are aware of that will do the job. Attempting to crack these hashes using CPU when you have an 8 GPU system sitting idle is the definition of pain.

Consequently, Id like to request that support be added for NTLM challenge response version 1 and 2 (known in john as netntlm and netntlmv2) in oclHashcat-plus.


References for these protocols are here:
http://en.wikipedia.org/wiki/NTLM
http://davenport.sourceforge.net/ntlm.html

I'll provide a quick summary of the generation of NTLMv1, since that the bit Im most interested in at the moment. Im happy to also do this for NTLMv2 if it will help and youre interested in implementing it.

Hash creation requires a password ('hashcat' in the example below) and a variable 8 byte challenge (0x1122334455667788 is used in the example below) which is provided by the server to the client during the auth process. NTLMv1 usually generates two hashes, one based on LM hashes, and the other based on NTLM ones, although if LM hashes are disabled (e.g. via domain policy) then you wont get anything useful for the LM portion. I'll cover the generation of the NTLM version of the hash below (this is what is implemented as netntlm in john). The generation of the LM hash in NTLMv1 (implemented in john as netlm) is exactlty the same, but uses the LM hash in place of the NTLM one.

Step 1

The client converts the password (hashcat) to a NTLM hash by Unicoding the password and running it though MD4:
Code:
hashcat -> b4b9b02e6f09a9bd760f388b67351e2b

Step 2

5 null bytes are appended to the hash to take it to 21 bytes:
Code:
b4b9b02e6f09a9bd760f388b67351e2b0000000000

Step 3

The value is then split in 3 x 56 bit parts:
Code:
b4b9b02e6f09a9
bd760f388b6735
1e2b0000000000

Step 4

Each 56 bit part is odd parity adjusted to result in 3 x 64 bit parts. (Convert to binary, break into 8 x 7 bit chunks, append an odd parity bit to each chunk to result in 8 x 8 bit chunks. Then concatenate the chunks into 64 bit parts.) :

Code:
b4b9b02e6f09a9 -> b55d6d04e6792652
bd760f388b6735 -> bcba83e6895b9d6b
1e2b0000000000 -> 1f15c10101010101

Step 5

Each of these values is then used as a key to DES encrypt the 8 byte challenge (for this example a value of 1122334455667788 is used) resulting in 3 ciphertext blocks:

Code:
b55d6d04e6792652 KEY-> DES(1122334455667788) -> 51a539e6ee061f64
bcba83e6895b9d6b KEY-> DES(1122334455667788) -> 7cd5d48ce6c68665
1f15c10101010101 KEY-> DES(1122334455667788) -> 3737c5e1de26ac4c

Step 6

The ciphertext blocks are then concatenated together to provide the final result:

Code:
51a539e6ee061f647cd5d48ce6c686653737c5e1de26ac4c


Let me know if any clarification is needed]]> <![CDATA[[hashcat] Add -j and -k parameters]]> https://hashcat.net/forum/thread-1974.html Sun, 20 Jan 2013 22:41:17 +0000 Kuci]]> https://hashcat.net/forum/thread-1974.html <![CDATA[thoughts on hashcat-plus v0.12 w64 radeon6670]]> https://hashcat.net/forum/thread-1936.html Fri, 11 Jan 2013 11:23:42 +0000 falcon111]]> https://hashcat.net/forum/thread-1936.html 2. Default session restore file should include something unique, like pid or something. Thas way i can pause one copy and run another without bothering with session names.
On --restore you can search for the stored sessions, if there is one only session - restore it, if their number!=1 - give error.
3. Being paused, hashcat updates restore file
4. Sometimes console hangs. I can press 's' key and there's no reaction from the program, but calculations seems to go on though.
5. Runs ended with "Exhausted" sometimes showing time estimated > 10 years.
6. Feature request: attack by dictionary, containing bruteforce masks, so i can specify probable masks in one file and check them all in one run. At this moment i have to write bat-files of several hashcat runs.
7. As i understand, hashcat can't process dictionaries with masks on both ends of the words. Hybrid attacks can add bruteforce masks to one side of the password only, making impossible to find something like 12word34 combinations.
The way i see hybrid attack - add new macros (?w for example) for a dictionary word, then specify dictionary and mask something like ?d?d?w?d?d.
8. Sometimes hashcat crashes on start with no console output.
9. Don't really understand why every run hashcat shows something like NOTE: autotuned --gpu-accel from 32 to 24. Numbers mostly different every run. Not sure why it autotunes parameters, i've specified manually, what --gpu-accel switch for then?

PS: 1, 2: Second thought on restore session filename. It can be generated on the base of hash-filename. When cracking hash.md5, session name will be hash.md5.restore. It's even better than placing files in temp folder.]]> 2. Default session restore file should include something unique, like pid or something. Thas way i can pause one copy and run another without bothering with session names.
On --restore you can search for the stored sessions, if there is one only session - restore it, if their number!=1 - give error.
3. Being paused, hashcat updates restore file
4. Sometimes console hangs. I can press 's' key and there's no reaction from the program, but calculations seems to go on though.
5. Runs ended with "Exhausted" sometimes showing time estimated > 10 years.
6. Feature request: attack by dictionary, containing bruteforce masks, so i can specify probable masks in one file and check them all in one run. At this moment i have to write bat-files of several hashcat runs.
7. As i understand, hashcat can't process dictionaries with masks on both ends of the words. Hybrid attacks can add bruteforce masks to one side of the password only, making impossible to find something like 12word34 combinations.
The way i see hybrid attack - add new macros (?w for example) for a dictionary word, then specify dictionary and mask something like ?d?d?w?d?d.
8. Sometimes hashcat crashes on start with no console output.
9. Don't really understand why every run hashcat shows something like NOTE: autotuned --gpu-accel from 32 to 24. Numbers mostly different every run. Not sure why it autotunes parameters, i've specified manually, what --gpu-accel switch for then?

PS: 1, 2: Second thought on restore session filename. It can be generated on the base of hash-filename. When cracking hash.md5, session name will be hash.md5.restore. It's even better than placing files in temp folder.]]> <![CDATA[WPA/WPA2 in hashcat]]> https://hashcat.net/forum/thread-1931.html Wed, 09 Jan 2013 15:07:17 +0000 Kuci]]> https://hashcat.net/forum/thread-1931.html <![CDATA[HMAC for oclHashcat-*]]> https://hashcat.net/forum/thread-1927.html Tue, 08 Jan 2013 17:28:10 +0000 fuzztester]]> https://hashcat.net/forum/thread-1927.html
Just wondering if its in the plan to get these working so we can use GPUs to crack them.]]>
Just wondering if its in the plan to get these working so we can use GPUs to crack them.]]> <![CDATA[distributed computing for hashcat (cpu)]]> https://hashcat.net/forum/thread-1906.html Fri, 04 Jan 2013 17:25:47 +0000 forumhero]]> https://hashcat.net/forum/thread-1906.html
Not that I'm a programmer by any stretch of the imagination but can see this being a good alternative than rewriting Plus to support >15 character passwords and still have somewhat ok speed -- depending on your number of cpus of course.

I know there are other tools out there that can do this already but thought it would be a great addition to cpu hashcat. Personally I find hashcat far easier to use and understand.]]>
Not that I'm a programmer by any stretch of the imagination but can see this being a good alternative than rewriting Plus to support >15 character passwords and still have somewhat ok speed -- depending on your number of cpus of course.

I know there are other tools out there that can do this already but thought it would be a great addition to cpu hashcat. Personally I find hashcat far easier to use and understand.]]> <![CDATA[Linux & GPL]]> https://hashcat.net/forum/thread-1893.html Wed, 02 Jan 2013 16:32:43 +0000 moujik]]> https://hashcat.net/forum/thread-1893.html
  1. remove MS Windows support from Hashcat;
  2. change the Hashcat license to GNU GPLv3;
  3. remove Hashcat binaries from the site;
  4. release Hashcat only as a Linux source code package (maybe even on GitHub).
The argument is that thread Big Grin]]>
  1. remove MS Windows support from Hashcat;
  2. change the Hashcat license to GNU GPLv3;
  3. remove Hashcat binaries from the site;
  4. release Hashcat only as a Linux source code package (maybe even on GitHub).
The argument is that thread Big Grin]]> <![CDATA[Adding HMAC-SHA256 to oclHashcat*]]> https://hashcat.net/forum/thread-1892.html Wed, 02 Jan 2013 15:26:24 +0000 Kuci]]> https://hashcat.net/forum/thread-1892.html <![CDATA[NTLMv2 Request]]> https://hashcat.net/forum/thread-1849.html Wed, 19 Dec 2012 12:20:56 +0000 Jimmy]]> https://hashcat.net/forum/thread-1849.html Greetings from Australia, saw your interview on Hak5 which brought me
here, i was wondering whether you would be able to crack 4 NTLMv2 hashs for me?
Thanks you]]> Greetings from Australia, saw your interview on Hak5 which brought me
here, i was wondering whether you would be able to crack 4 NTLMv2 hashs for me?
Thanks you]]> <![CDATA[add MSCHAPV2 support]]> https://hashcat.net/forum/thread-1846.html Tue, 18 Dec 2012 23:58:56 +0000 thesle3p]]> https://hashcat.net/forum/thread-1846.html <![CDATA[WPA MAC Privacy]]> https://hashcat.net/forum/thread-1820.html Sun, 09 Dec 2012 16:14:15 +0000 Hash-IT]]> https://hashcat.net/forum/thread-1820.html
I understand there is a way for people to find the physical location of the AP using Google or similar.

I wonder if this request may help with this problem ?

Atom, would it be possible for you to make a feature in hashcat-plus or a standalone tool to encrypt the .hccap file ? The idea is this special new feature would allow the user to make their .hccap file as normal but then encrypt it using hashcat-plus so they can then freely distribute it publicly.

People offering to help crack will also have the new version of hashcat-plus (with this feature). They would accept the "secure.hccap" file, decrypt it (automatically and internally within hashcat-plus) and start work cracking it as normal. The helpers have no knowledge of the password to open the .hccap file.

Obviously the feature where the user can see the MAC would be obscured. This way the person who captured the .hccap can feel able to distribute it knowing that people helping cannot ever see the MAC address's. When the password is found only the password is displayed.

The only problem I can think of is if someone could view what was happening in RAM and so see the MACs. However I am not sure how that is possible with GPU RAM so I will hope someone more knowledgeable than me will answer that.

I suppose a further enhancement to this would be that the ESSID is also hidden.

I guess the encryption could be to a hashcat-plus GnuPG public key and the secret key would be within the hashcat-plus binary ?


Thank you. Smile]]>
I understand there is a way for people to find the physical location of the AP using Google or similar.

I wonder if this request may help with this problem ?

Atom, would it be possible for you to make a feature in hashcat-plus or a standalone tool to encrypt the .hccap file ? The idea is this special new feature would allow the user to make their .hccap file as normal but then encrypt it using hashcat-plus so they can then freely distribute it publicly.

People offering to help crack will also have the new version of hashcat-plus (with this feature). They would accept the "secure.hccap" file, decrypt it (automatically and internally within hashcat-plus) and start work cracking it as normal. The helpers have no knowledge of the password to open the .hccap file.

Obviously the feature where the user can see the MAC would be obscured. This way the person who captured the .hccap can feel able to distribute it knowing that people helping cannot ever see the MAC address's. When the password is found only the password is displayed.

The only problem I can think of is if someone could view what was happening in RAM and so see the MACs. However I am not sure how that is possible with GPU RAM so I will hope someone more knowledgeable than me will answer that.

I suppose a further enhancement to this would be that the ESSID is also hidden.

I guess the encryption could be to a hashcat-plus GnuPG public key and the secret key would be within the hashcat-plus binary ?


Thank you. Smile]]> <![CDATA[New Algorithm md5(md5($salt).md5($pass))]]> https://hashcat.net/forum/thread-1811.html Thu, 06 Dec 2012 01:36:33 +0000 alfonzo1955]]> https://hashcat.net/forum/thread-1811.html