mode 10500 dictionary attack fails

[victorPV]

Hello,

Dictionary attack in mode 10500 on the standard test hash (password "hashcat") fails to find the password even in relatively short wordlists: any dictionary longer than 20-25 words returns "Exhausted" although "hashcat" is on the list. 

Other modes don't seem to have this issue: I tested dictionary attacks in modes 0, 10600, 10700 with dictionaries up to 1 million words - all good. 

I'm running v6.2.4 from command line on a windows machine with the following options: 
>>hashcat.exe -m 10500 pdf10500hash.txt dict30.txt --potfile-disable

Any ideas? Thanks

[slyexe]

not having any issues with the example hash adding the word "hashcat" to rockyou.txt. Also tried with a wordlist of 40 words and never had any issues. Maybe you have a space at the end of the word hashcat within your dictionary? Tried both with brute force and dictionary and no issues.

windows 10
hashcat 6.2.5

[victorPV]

not having any issues with the example hash adding the word "hashcat" to rockyou.txt. Also tried with a wordlist of 40 words and never had any issues. Maybe you have a space at the end of the word hashcat within your dictionary? Tried both with brute force and dictionary and no issues.

windows 10
hashcat 6.2.5

I go from "Cracked" to "Exhausted" merely by adding a few words to the list. The only difference is that I use 6.2.4 but hard to believe that such a fundamental flaw is a matter of version. No issues with brute force.

Attaching a sample 16-word dictionary that works (Cracked), and a 29-word dictionary that doesn't (Exhausted). It's the dictionary size, not the specific words or the order that matter, as far as I could tell.

[Snoopy]

i would assume that your hash and password is already in your potfile and therefore hashcat doenst "crack" it anymore

if it is inside you should delete your potfile and run again, your option --potfile-disable is after your dict but it should be following these command style,

hashcat options hash dict/mask

so maybe this option ist ommitted, anyway --potfile-disable says do not WRITE to potfile but maybe it still reads from your potfile

[victorPV]

i would assume that your hash and password is already in your potfile and therefore hashcat doenst "crack" it anymore

if it is inside you should delete your potfile and run again, your option --potfile-disable is after your dict but it should be following these command style,

hashcat options hash dict/mask

so maybe this option ist ommitted, anyway --potfile-disable says do not WRITE to potfile but maybe it still reads from your potfile

Existing cracked hashes in potfile don’t result in “Exhausted” dictionary.

Also, I’m reporting a problem that is specific to mode 10500.

[Snoopy]

? well no see attached picture, known hashes are skipped, unknown ( i added some gargabe hash ) are tried and the attack with dict exhaustes because there are no more passes to test

Exhausted just means that all passwords (or masks) given where tested, nothing more, and if the hahs/password is already in potfile it is skipped, the attack exhaustes everytime when hashcat finishes his run

[victorPV]

? well no see attached picture, known hashes are skipped, unknown ( i added some gargabe hash ) are tried and the attack with dict exhaustes because there are no more passes to test

Exhausted just means that all passwords (or masks) given where tested, nothing more, and if the hahs/password is already in potfile it is skipped, the attack exhaustes everytime when hashcat finishes his run

Here's what I get when a potfile with a cracked hash is present:

OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 620, 1568/3216 MB (804 MB allocatable), 24MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 32

INFO: All hashes found in potfile! Use --show to display them.

Started: Mon Jan 24 19:31:38 2022
Stopped: Mon Jan 24 19:31:39 2022

In any case, I'm referring to a problem that occurs with dictionaries longer than 20-25 words, in mode 10500 only:
Hashcat doesn't find the password although it's in the dictionary. Reproduced on two different Windows 10 machines, with both v6.2.4 and v6.2.5

[Snoopy]

using the example hash 10500 (hashcat) and your provided dictfiles, windows 10 with hashcat

v6.2.5
dict15 -> cracked
deleted pot
dict30 -> cracked

v6.2.4
dict15 -> cracked
deleted pot
dict30 -> cracked

for 99.99% there is something wrong with your command line and/or setup textfiles

can you upload your hashfile and pm me the link (im off to cinema now but will check later)? i tried even forcing hashcat to use just plain cpu instead of gpu no difference 6.2.4 and 6.2.5 still cracks this hash with dict15 and dict30

[victorPV]

using the example hash 10500 (hashcat) and your provided dictfiles, windows 10 with hashcat

v6.2.5
dict15 -> cracked
deleted pot
dict30 -> cracked

v6.2.4
dict15 -> cracked
deleted pot
dict30 -> cracked

for 99.99% there is something wrong with your command line and/or setup textfiles

can you upload your hashfile and pm me the link (im off to cinema now but will check later)? i tried even forcing hashcat to use just plain cpu instead of gpu no difference 6.2.4 and 6.2.5 still cracks this hash with dict15 and dict30

Thanks. 
My hashfile contains the example hash for mode 10500, so attached below.
Command line is simply:
hashcat -m 10500 pdf10500hash.txt dict30.txt 
(--potfile-disable -O -D or any other options don't seem to matter)

[Snoopy]

well im sry but i really cannot reproduce this failure, hc 6.2.4 and 6.2.5 with all combinations dict15 dict30 works as expected

the only thing i noticed about your setup when reading again your whole thread

Code:

OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) UHD Graphics 620, 1568/3216 MB (804 MB allocatable), 24MCU

i know that normally hashcat gives an error about using intel opencl with integrated gpu because the intel opencl runtime for GPU is/was? known to be broken, im not sure which version(s) was affected but im quite sure that i saw this error message with opencl 3.0 for intel gpu (i cannot check because i dont have any intel laptop right now) 

changes.txt for 6.2.4 tells -> Workaround added for Intel OpenCL runtime: GPU support is broken, skip the device unless user forces to enable it

so "normally" hashcat should tell you DONT USE OPENCL ON INTEL GPU BECAUSE INTEL FUCKED THIS UP AND ITS BROKEN (unless you add -f (force))

i would assume that this could be the reason for your failure, but i cannot check

EDIT:

found an old thread where this 3.0 opencl gpu intel 620 was marked as broken/unstable

see https://hashcat.net/forum/archive/index....10280.html

so yeah, i think its a software/hardware problem (intel) but not related to hahscat itself