Show all line information in cracked hashes
#1
Hey,

so from an AD Dump, I've got the following information in a txt file, that I'm currently trying to crack with hashcat

Code:
domain\username:1476:SOMEHASH:SOMEHASH:Disabled=False,Expired=False,PasswordNeverExpires=True,PasswordNotRequired=False,PasswordLastChanged=200704041414,LastLogonTimestamp=201409080813,IsAdministrator=True,IsDomainAdmin=True,IsEnterpriseAdmin=False::

domain\anotherusername:1889:SOMEHASH:SOMEHASH:Disabled=True,Expired=False,PasswordNeverExpires=False,PasswordNotRequired=False,PasswordLastChanged=201908011129,LastLogonTimestamp=201805080659,IsAdministrator=False,IsDomainAdmin=False,IsEnterpriseAdmin=False::


For cracking, I use something like 

Code:
hashcat -m 1000 pwdump.txt

Then, I figured, I can use 

Code:
hashcat -m 1000 pwdump.txt --user --show 

to show the already cracked hashes, together with the username..

My question is: Is there any way to display the whole line in the cracked output? I'm mainly interesting in the "LastLogonTimestamp", so I can sort the output by that value to know the relevance of the cracked password (a user, which last logged in 2015 will have an expired password, so not of worth)..

Can I somehow do this? Ideally, I'd receive something like

Code:
domain\username:1476:SOMEHASH:SOMEHASH:Disabled=False,Expired=False,PasswordNeverExpires=True,PasswordNotRequired=False,PasswordLastChanged=200704041414,LastLogonTimestamp=201409080813,IsAdministrator=True,IsDomainAdmin=True,IsEnterpriseAdmin=False::MYCRACKEDPASSWORD

domain\anotherusername:1889:SOMEHASH:SOMEHASH:Disabled=True,Expired=False,PasswordNeverExpires=False,PasswordNotRequired=False,PasswordLastChanged=201908011129,LastLogonTimestamp=201805080659,IsAdministrator=False,IsDomainAdmin=False,IsEnterpriseAdmin=False::MYCRACKEDPASSWORD
Reply
#2
Select

-outfile-format=

- [ Outfile Formats ] -

# | Format
===+========
1 | hash[Confusedalt]
2 | plain
3 | hex_plain
4 | crack_pos
5 | timestamp absolute
6 | timestamp relative
Reply
#3
(11-18-2022, 03:17 PM)marc1n Wrote: Select

-outfile-format=

- [ Outfile Formats ] -

  # | Format
===+========
  1 | hash[Confusedalt]
  2 | plain
  3 | hex_plain
  4 | crack_pos
  5 | timestamp absolute
  6 | timestamp relative

How do I use this? Can I also use it with the --show option? Or do I have to run it while cracking? 

I tried

Code:
hashcat -m 1000 pwdump.txt --show --user --outfile-format=2

but it looks the same as before..
Reply