Posts: 621
Threads: 57
Joined: May 2010
This is a follow up on the following thread which was closed:
http://hashcat.net/forum/thread-1204.html
So here's the hash:pass in question (from the mentioned post, not real user data):
507620db658a3d55c367cc8273e2ee24:ьфдщн
I was able to crack the hash using the password in a dictionary (UTF8 format) but when I try to crack it via bruteforce, it does not work. Here's the command line I use
Hashcat-cli64 -a 3 -m 0 hash.txt ?R?R?R?R?R
Is it me or it's not working for other people as well. Waiting for this to create a trac.
Posts: 2,936
Threads: 12
Joined: May 2012
this is because ?R is ISO-8859-5 and your characters are UTF-8. different byte sequences.
Posts: 621
Threads: 57
Joined: May 2010
(01-30-2013, 04:20 PM)epixoip Wrote: this is because ?R is ISO-8859-5 and your characters are UTF-8. different byte sequences.
But the ?R charset was meant to be able to crack Russian password, no? Are you saying that it's possible to write the same characters using ISO-8859-5, generate an MD5 hash and that this MD5 hash would be different from 507620db658a3d55c367cc8273e2ee24?
Posts: 2,301
Threads: 11
Joined: Jul 2010
> echo -n ьфдщн | md5sum
507620db658a3d55c367cc8273e2ee24 -
> echo -n ьфдщн | iconv -f UTF-8 -t ISO-8859-5 | md5sum
6cda8fbf4ea51d58118e440e1cc478e4
Posts: 621
Threads: 57
Joined: May 2010
Thanks epixoip and undeath. Now I am getting it. These 3 MD5 hashes represent the same Russian password but with different encodings:
714d5bc5daad4412e118d1bfd0c7477b Cyrillic windows 1251
507620db658a3d55c367cc8273e2ee24 UTF8
6cda8fbf4ea51d58118e440e1cc478e4 - ISO-8859-5
In order to crack these passwords you need to know the exact system's encoding. Now, I have to check something. If I am not mistaken, we can load charset from files for some Hashcat products. Which one(s) is the question.
Posts: 601
Threads: 18
Joined: Apr 2010
I've never seen passwords in that ISO-8859-5 encoding, Russian versions of Windows use 1251.
Posts: 2,936
Threads: 12
Joined: May 2012
good feedback.
i can't think of a solution for mask attacks off hand, but if you have russian wordlists in utf8 you can prepare them for use with hashcat with ''iconv -t WINDOWS-1251 wordlist >wordlist.1251'', or pipe ''iconv -t WINDOWS-1251 wordlist'' into hashcat via stdin.
Posts: 2,936
Threads: 12
Joined: May 2012
Code:
epixoip@ike:~$ echo -n ьфдщн | iconv -f UTF-8 -t ISO-8859-5 | hexdump
00000000 ec e4 d4 e9 dd
00000005
epixoip@ike:~$ echo -n ьфдщн | iconv -f UTF-8 -t windows-1251 | hexdump
00000000 fc f4 e4 f9 ed
00000005
actually it looks like with windows-1251, all of the characters are essentially iso-8859 + 0x10. so you can build a mask attack using hex charset.
Posts: 5,185
Threads: 230
Joined: Apr 2010
Btw, all hashcat version support charset files. But they must been encoded with a 8 bit based encoding. That is ISO-8859-5 and windows-1251. Just enter all the chars you like in a charset and save it with the corresponding encoding, then do -1 mycharset.chr
Posts: 621
Threads: 57
Joined: May 2010
Interesting. Putting all the characters in a charset file that was Windows-1251 encoded and using the -1 russian.charset, cracked both the hash generated by windows-1251 encoding and the ISO-8859-5 one. Now what should be the equivalent encoding for German and French.
