What am I doing wrong?
#1
I'm working my way through a module on HTB. One of the questions is to crack an MD5 hash. I was using hashcat on Windows instead of my Linux VM so I'd have the benefit of the GPU (I'm impatient). The hash would not crack though, even once I viewed the solution and tried the exact command. I then tried running in the Linux VM using CPU and the hash cracked. What did I do wrong?

Output running from windows:
Code:
C:\hashcat-6.2.6>hashcat -a 3 -m 0 1e293d6X12d074X0fdXX844XX03X00dd '?u?l?l?l?l?d?s'
hashcat (v6.2.6) starting

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
CUDA API (CUDA 12.9)
====================
* Device #1: NVIDIA GeForce RTX 4060, 7099/8187 MB, 24MCU

OpenCL API (OpenCL 3.0 CUDA 12.9.90) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 4060, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1475 MB

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 1e293d6X12d074X0fdXX844XX03X00dd
Time.Started.....: Sat Jul 05 14:08:17 2025 (0 secs)
Time.Estimated...: Sat Jul 05 14:08:17 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: '?u?l?l?l?l?d?s' [9]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10853.3 MH/s (5.25ms) @ Accel:256 Loops:338 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 3920854080/3920854080 (100.00%)
Rejected.........: 0/3920854080 (0.00%)
Restore.Point....: 5800080/5800080 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:338-676 Iteration:0-338
Candidate.Engine.: Device Generator
Candidates.#1....: 'Exuzq4 ' -> 'Zvqxq6{'
Hardware.Mon.#1..: Temp: 75c Fan: 31% Util: 98% Core:2745MHz Mem:8251MHz Bus:8

Started: Sat Jul 05 14:08:15 2025
Stopped: Sat Jul 05 14:08:19 2025

Output running from Linux VM:
Code:
# hashcat -a 3 -m 0 1e293d6X12d074X0fdXX844XX03X00dd '?u?l?l?l?l?d?s'
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz, 6943/13950 MB (2048 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Cracking performance lower than expected?               

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

1e293d6X12d074X0fdXX844XX03X00dd:MXXXX5!                 
                                                         
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 1e293d6X12d074X0fdXX844XX03X00dd
Time.Started.....: Sat Jul  5 13:29:28 2025 (8 secs)
Time.Estimated...: Sat Jul  5 13:29:36 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?u?l?l?l?l?d?s [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 62513.3 kH/s (1.29ms) @ Accel:1024 Loops:32 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 469696512/3920854080 (11.98%)
Rejected.........: 0/469696512 (0.00%)
Restore.Point....: 24576/223080 (11.02%)
Restore.Sub.#1...: Salt:0 Amplifier:6112-6144 Iteration:0-32
Candidate.Engine.: Device Generator
Candidates.#1....: Brlrg9! -> Dikyt8_
Hardware.Mon.#1..: Util: 36%

Started: Sat Jul  5 13:29:15 2025
Stopped: Sat Jul  5 13:29:37 2025
Reply
#2
Cmd doesn't recognise the single quotes, only double quotes, so it's trying the literal string of 'MXXXXX5!' (with the quotes) instead of MXXXXX5!. So either exchange them for double quotes " or use PowerShell, which does recognise single quotes.

Candidates.#1....: 'Exuzq4 ' -> 'Zvqxq6{'
Reply
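An added example (not part of the thread and not hashcat's own code) showing how the diagnosis in reply #2 can be read off the status output: a quote that reaches hashcat as a literal adds a mask position but multiplies the keyspace by 1, so the run reports length 9 instead of 7 while `Progress` still ends at 3920854080. The two sample lines are copied from the outputs in post #1; the function names are hypothetical and only the `?l ?u ?d ?s` charsets are modelled.

```python
import re
import string

# Subset of hashcat's built-in mask charsets; ?s is space plus 32 punctuation marks.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}

# Copied from the two status screens in post #1.
WINDOWS_LINE = "Guess.Mask.......: '?u?l?l?l?l?d?s' [9]"
LINUX_LINE = "Guess.Mask.......: ?u?l?l?l?l?d?s [7]"


def parse_mask(mask):
    """Return one charset per mask position; anything that is not ?x is a literal."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CHARSETS:
            positions.append(CHARSETS[mask[i + 1]])
            i += 2
        else:
            positions.append(mask[i])  # literal character: keyspace factor of 1
            i += 1
    return positions


def keyspace(mask):
    """Number of candidates the mask generates."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total


def check_status_line(line):
    """Parse a Guess.Mask status line and flag quotes that became mask literals."""
    m = re.match(r"Guess\.Mask\.+: (.*) \[(\d+)\]$", line.strip())
    if not m:
        return None
    mask, length = m.group(1), int(m.group(2))
    quoted = len(mask) >= 2 and mask[0] == mask[-1] and mask[0] in "'\""
    return {"mask": mask, "length": length,
            "keyspace": keyspace(mask), "literal_quotes": quoted}


if __name__ == "__main__":
    for sample in (WINDOWS_LINE, LINUX_LINE):
        print(check_status_line(sample))
```

The same symptom is visible in the `Candidates.#1` line of the Windows run, where every candidate starts and ends with a quote character.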
#3
(07-05-2025, 10:04 PM)penguinkeeper Wrote: Cmd doesn't recognise the single quotes, only double quotes, so it's trying the literal string of 'MXXXXX5!' (with the quotes) instead of MXXXXX5!. So either exchange them for double quotes " or use PowerShell, which does recognise single quotes.

Candidates.#1....: 'Exuzq4 ' -> 'Zvqxq6{'

That did it.  Thanks!  I knew it was going to be something stupid and simple.
Reply