Posts: 5
Threads: 2
Joined: May 2024
I was hoping to get a list of hashes that do not work well with --remove. Right now, I know if I try to feed hashcat a hashlist using --remove with hashes straight from something like an NTDS file, it errors out. I was hoping to try and get a list of hashes that do not work well with it for future reference. Please let me know if you know of any particular hashes/formats that do not work well with the --remove option.
Side note, I am trying to automate some stuff and having it error is not good. Trying to find a list that I can then warn if used.
Posts: 407
Threads: 2
Joined: Dec 2015
This really should not be happening with any modes, what error are you seeing?
Posts: 5
Threads: 2
Joined: May 2024
11-04-2024, 01:43 PM
(This post was last modified: 11-04-2024, 02:00 PM by ZerkerEOD.
Edit Reason: Adding additional context
)
Chick3nman, I get the "Use of --remove is not supported in native hashfile-format mode." error. The hash is a straight pull from NTDS which looks like 'Administrator:500:LM:NT::: (status=Enabled)'. Without the --remove though, it handles the hash fine. Also if I remove everything after the last colon i.e. (status=Enabled), I still get the error.
Posts: 407
Threads: 2
Joined: Dec 2015
Ahhh, this is for the special file format handling for NT:LM and shadow files. If you want to avoid that issue, you need to load the hashes in their raw format, so just the NT hash alone, or LM hash alone. Only NT, LM, and a few of the crypt(3) hashes are capable of alternative file formats like that. Specifically meant to allow loading of pwdump and shadow file formats. This is a convenience feature but I would suggest simply parsing the hashes into their individual formats instead to avoid behavior like this.
Posts: 5
Threads: 2
Joined: May 2024
(11-05-2024, 01:55 AM)Chick3nman Wrote: Ahhh, this is for the special file format handling for NT:LM and shadow files. If you want to avoid that issue, you need to load the hashes in their raw format, so just the NT hash alone, or LM hash alone. Only NT, LM, and a few of the crypt(3) hashes are capable of alternative file formats like that. Specifically meant to allow loading of pwdump and shadow file formats. This is a convenience feature but I would suggest simply parsing the hashes into their individual formats instead to avoid behavior like this.
That is what I was figuring. Do you know of a list of hashes that have different formats that don't work well with --remove?
Posts: 407
Threads: 2
Joined: Dec 2015
There is no list but it should really only be those few mentioned. Perhaps the left over binary file formats as well.
