Help with Russian again
#1
This is a follow up on the following thread which was closed:

http://hashcat.net/forum/thread-1204.html

So here's the hash:pass in question (from the mentioned post, not real user data):

507620db658a3d55c367cc8273e2ee24:ьфдщн

I was able to crack the hash using the password in a dictionary (UTF8 format) but when I try to crack it via bruteforce, it does not work. Here's the command line I use

Hashcat-cli64 -a 3 -m 0 hash.txt ?R?R?R?R?R

Is it me or it's not working for other people as well. Waiting for this to create a trac.
#2
this is because ?R is ISO-8859-5 and your characters are UTF-8. different byte sequences.
#3
(01-30-2013, 04:20 PM)epixoip Wrote: this is because ?R is ISO-8859-5 and your characters are UTF-8. different byte sequences.
But the ?R charset was meant to be able to crack Russian password, no? Are you saying that it's possible to write the same characters using ISO-8859-5, generate an MD5 hash and that this MD5 hash would be different from 507620db658a3d55c367cc8273e2ee24?
#4
> echo -n ьфдщн | md5sum
507620db658a3d55c367cc8273e2ee24 -
> echo -n ьфдщн | iconv -f UTF-8 -t ISO-8859-5 | md5sum
6cda8fbf4ea51d58118e440e1cc478e4
#5
Thanks epixoip and undeath. Now I am getting it. These 3 MD5 hashes represent the same Russian password but with different encodings:

714d5bc5daad4412e118d1bfd0c7477b Cyrillic windows 1251
507620db658a3d55c367cc8273e2ee24 UTF8
6cda8fbf4ea51d58118e440e1cc478e4 - ISO-8859-5

In order to crack these passwords you need to know the exact system's encoding. Now, I have to check something. If I am not mistaken, we can load charset from files for some Hashcat products. Which one(s) is the question.
#6
I've never seen passwords in that ISO-8859-5 encoding, Russian versions of Windows use 1251.
#7
good feedback.

i can't think of a solution for mask attacks off hand, but if you have russian wordlists in utf8 you can prepare them for use with hashcat with ''iconv -t WINDOWS-1251 wordlist >wordlist.1251'', or pipe ''iconv -t WINDOWS-1251 wordlist'' into hashcat via stdin.
#8
Code:
epixoip@ike:~$ echo -n ьфдщн | iconv -f UTF-8 -t ISO-8859-5 | hexdump
00000000  ec e4 d4 e9 dd
00000005
epixoip@ike:~$ echo -n ьфдщн | iconv -f UTF-8 -t windows-1251 | hexdump
00000000  fc f4 e4 f9 ed
00000005

actually it looks like with windows-1251, all of the characters are essentially iso-8859 + 0x10. so you can build a mask attack using hex charset.
#9
Btw, all hashcat version support charset files. But they must been encoded with a 8 bit based encoding. That is ISO-8859-5 and windows-1251. Just enter all the chars you like in a charset and save it with the corresponding encoding, then do -1 mycharset.chr
#10
Interesting. Putting all the characters in a charset file that was Windows-1251 encoded and using the -1 russian.charset, cracked both the hash generated by windows-1251 encoding and the ISO-8859-5 one. Now what should be the equivalent encoding for German and French.