bug in 0.40b4
#1
A bug exists in hashcat 0.40b4 whereby all cracked hashes aren't removed from the target hashlist when using the "--remove" flag. This results in the perception that hashcat is not cracking all hashes on an initial run, as subsequent runs report new cracked hashes.

e.g.

Code:
$ sort -R /tmp/countries.dic | head -n 200 > /tmp/1.txt
$ sort -R /tmp/webster-dictionary.dic | head -n 20000 >> /tmp/1.txt
$ sort -R /tmp/Antworth.dic | head -n 2000 >> /tmp/1.txt

$ python /tmp/str2ntlm.py /tmp/1.txt > /tmp/2.txt ## converts cleartext to ntlm

$ ./hashcat-cli64.bin -m 1000 /tmp/2.txt --remove -o /tmp/3.txt ../CMIYC/dics/Antworth.dic

Output (1st run):
Code:
Added hashes from file /tmp/2.txt: 22200 (1 salts)
Input.Mode: Dict (../CMIYC/dics/Antworth.dic)
Index.....: 1/1 (segment), 89200 (words), 879064 (bytes)
Recovered.: 2009/22200 hashes, 0/1 salts
Speed/sec.: 968.31k plains, 968.31k words
Progress..: 89200/89200 (100.00%)
Running...: 00:00:00:01
Estimated.: --:--:--:--
Started: Wed May 16 11:52:01 2012
Stopped: Wed May 16 11:52:02 2012

Output (2nd run):
Code:
Added hashes from file /tmp/2.txt: 20191 (1 salts)
Input.Mode: Dict (../CMIYC/dics/Antworth.dic)
Index.....: 1/1 (segment), 89200 (words), 879064 (bytes)
Recovered.: 1/20191 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 89200/89200 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
Started: Wed May 16 11:52:03 2012
Stopped: Wed May 16 11:52:04 2012

NOTE: The hash is cracked in the initial run, but just not removed from the target hashlist.

Code:
$ tail -n 1 /tmp/3.txt
58f184406477292cbe05f2647ed8ae51:somalia
$ grep 'somalia' /tmp/3.txt
58f184406477292cbe05f2647ed8ae51:somalia
58f184406477292cbe05f2647ed8ae51:somalia
#2
Yup, I noticed something similar in v0.39.
#3
Did you uniq the hash file before?
#4
Yes. I don't show it in the test example above, but in "production" the hashes are unique and the problem persists.
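
A post-run consistency check for the symptom reported in this thread, as an added example that is not part of any post and is not hashcat code: it lists hashes that appear in the outfile yet remain in the hashlist after a `--remove` run, flags duplicate lines in the hashlist, and returns a de-duplicated list with cracked entries dropped. The function names, the lower-case normalisation, and every sample hash except the `somalia` line quoted in post #1 are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample data. Only the "somalia" line is taken from post #1;
# the other hashes are placeholders, not real NTLM values.
SOMALIA = "58f184406477292cbe05f2647ed8ae51"
PLACEHOLDER_A = "a" * 32
PLACEHOLDER_B = "b" * 32
SAMPLE_HASHLIST = [SOMALIA, PLACEHOLDER_A, PLACEHOLDER_A.upper(), PLACEHOLDER_B, ""]
SAMPLE_OUTFILE = [SOMALIA + ":somalia", SOMALIA + ":somalia", "c" * 32 + ":pa:ss"]


def load_hashlist(lines):
    """Normalise hashlist lines (strip, lower-case) and skip blank lines."""
    return [ln.strip().lower() for ln in lines if ln.strip()]


def load_cracked(lines):
    """Parse 'hash:plain' outfile lines; split once, the plain may contain ':'."""
    cracked = {}
    for ln in lines:
        ln = ln.rstrip("\r\n")
        if ":" in ln:
            digest, plain = ln.split(":", 1)
            cracked[digest.strip().lower()] = plain
    return cracked


def audit(hashlist_lines, outfile_lines):
    """Compare the hashlist left by a --remove run with the outfile."""
    remaining = load_hashlist(hashlist_lines)
    cracked = load_cracked(outfile_lines)
    counts = Counter(remaining)
    return {
        # cracked (present in the outfile) but still in the hashlist
        "leftover": sorted(h for h in counts if h in cracked),
        # hashes listed more than once, the condition post #3 asks about
        "duplicates": sorted(h for h, n in counts.items() if n > 1),
        # order-preserving, de-duplicated hashlist without cracked entries
        "cleaned": [h for h in dict.fromkeys(remaining) if h not in cracked],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HASHLIST, SAMPLE_OUTFILE).items():
        print(key, value)
```

To run it on real files, pass the open file objects for the hashlist and the outfile to `audit()`; an empty `leftover` list means the two files are consistent.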