"?a" charset not exploring full keyspace (solved)
#1
I'm totally new to hashcat, but in my experimenting with hybrid wordlist + mask attacks I'm not cracking some of the hashes I would expect to. I've determined that this is because the mask part isn't using all of the charset that I'm expecting.

To simplify and confirm this behavior I created a list of hashes from "a", "A", "1", "!" and ran a mask attack with a single "?a" as the input. This results in only cracking the hashes for "a" and "1".

command
hashcat.exe -m 0 -o test.txt -a 3 test.hash ?a

I also notice that it says it's only making 32 guesses, which should be more if it's going through letters, numbers and symbols.

I think that a work around could be to just create a custom charset, but I'd rather learn what to expect from the built in's better.

In short: is there a reason why the "?a" built in charset wouldn't go through all of the other (non-hexish) built in charsets?


.png   hashcat.PNG (Size: 32.41 KB / Downloads: 7)
Reply
#2
Can you post your test hashes so we can reproduce your results?

(09-08-2022, 11:09 PM)SuperColin Wrote: I'm totally new to hashcat, but in my experimenting with hybrid wordlist + mask attacks I'm not cracking some of the hashes I would expect to. I've determined that this is because the mask part isn't using all of the charset that I'm expecting.

To simplify and confirm this behavior I created a list of hashes from "a", "A", "1", "!" and ran a mask attack with a single "?a" as the input. This results in only cracking the hashes for "a" and "1".

command
hashcat.exe -m 0 -o test.txt -a 3 test.hash ?a

I also notice that it says it's only making 32 guesses, which should be more if it's going through letters, numbers and symbols.

I think that a work around could be to just create a custom charset, but I'd rather learn what to expect from the built in's better.

In short: is there a reason why the "?a" built in charset wouldn't go through all of the other (non-hexish) built in charsets?
Reply
#3
(09-08-2022, 11:28 PM)pdo Wrote: Can you post your test hashes so we can reproduce your results?

Here they are:

0cc175b9c0f1b6a831c399e269772661
7fc56270e7a70fa81a5935b72eacbe29
c4ca4238a0b923820dcc509a6f75849b
9033e0e305f247c0c3c80d0c7848c8b3

But shouldn't the number of guesses higher?
Reply
#4
Works as expected on my system.  Hmm, what's going on for you

Code:
c4ca4238a0b923820dcc509a6f75849b:1
0cc175b9c0f1b6a831c399e269772661:a
7fc56270e7a70fa81a5935b72eacbe29:A
9033e0e305f247c0c3c80d0c7848c8b3:!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: test.txt
Time.Started.....: Thu Sep  8 17:38:11 2022 (0 secs)
Time.Estimated...: Thu Sep  8 17:38:11 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?a [1]
Guess.Queue......: 1/1 (100.00%)
Speed.#3.........:  349.3 kH/s (0.02ms) @ Accel:1024 Loops:95 Thr:1 Vec:4
Recovered.Total..: 4/4 (100.00%) Digests
Progress.........: 95/95 (100.00%)
Rejected.........: 0/95 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#3...: Salt:0 Amplifier:0-95 Iteration:0-95
Candidate.Engine.: Device Generator
Candidates.#3....: s ->
Hardware.Mon.SMC.: Fan0: 33%
Hardware.Mon.#3..: Temp: 42c

Started: Thu Sep  8 17:38:05 2022
Stopped: Thu Sep  8 17:38:13 2022

(09-08-2022, 11:30 PM)SuperColin Wrote:
(09-08-2022, 11:28 PM)pdo Wrote: Can you post your test hashes so we can reproduce your results?



Here they are:



0cc175b9c0f1b6a831c399e269772661

7fc56270e7a70fa81a5935b72eacbe29

c4ca4238a0b923820dcc509a6f75849b

9033e0e305f247c0c3c80d0c7848c8b3



But shouldn't the number of guesses higher?
Reply
#5
Your test hashes are correct, which is a good start. However I've noticed your command doesn't match the screenshot you've uploaded. For example: the screenshot shows Optimized Kernel while your command is missing the -O parameter.
Please post your full command.

Yes you are correct that the guesses should be 95 and they are on my tests. Any chance you have used -t 32 in your command?
Reply
#6
Ok so I figured it out. I had some other flags on that I thought didn't effect the actual output and it seems like the issue was the "-t 32" flag I had on, which makes even more sense as I'm typing this out...

I actually deleted them out of the OP to reduce noise, but here was my full original command:

hashcat.exe ^
-m 0 ^
-t 32 ^
-o test.txt ^
--runtime=60 ^
--hook-threads=6 ^
--hwmon-temp-abort=99 ^
--potfile-disable ^
--increment ^
-O ^
-a 3 test.hash ?a

Deleting the -t flag fixed the issue and increased the number of guesses to 95, so that's better. I don't even know what I thought it did, but maybe this will help someone in the future, thanks for being my rubber ducky lol Smile
Reply
#7
(09-08-2022, 11:43 PM)hops Wrote: Any chance you have used -t 32 in your command?

 
This was the issue, thank you!
Reply
#8
FWIW, your temperature abort should be well below 99, that's really much too hot.
~
Reply
#9
(09-09-2022, 05:09 AM)royce Wrote: FWIW, your temperature abort should be well below 99, that's really much too hot.

Thanks for the advice, what would you suggest for an average desktop rig with a single GPU?
Reply