Hashcat 0.43 not successfully decrypting SHA512 unix hash
#1
Hi,

I downloaded hashcat 0.43 for Windows to do some testing and found some issues with it. I hope the report is useful and perhaps you can help me. (Otherwise I'll have to revert back to a perl script...)

Here's the situation. I have a Unbuntu system named ubuntu-1 for which the uname -a output can be found here:

Linux ubuntu-1.home 2.6.31-22-generic #73-Ubuntu SMP Fri Feb 11 17:36:01 UTC 2011 i686 GNU/Linux

On this system, I've setup a user named test who's password is 123456. The shadow entry for the user can be found below:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

E:\Temp\passwd>type shadow-ubuntu-1-test.txt
test:$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/:15130:0:99999:7:::

and the password list file:

E:\Temp\passwd\hashcat-gui\hashcat-0.43>type ..\..\wordlists\test-wordlist.txt
123456


Problem 1
=======

The CLI help mentions parameters which hashcat-cli32.exe does not recognize:

E:\Temp\passwd\hashcat-gui\hashcat-0.43>hashcat-cli32.exe --help
hashcat, advanced password recovery

Usage: hashcat [options] hashfile [mask|wordfiles|directories]

=======
Options
=======

* General:

-m, --hash-type=NUM Hash-type, see references below
-a, --attack-mode=NUM Attack-mode, see references below

Commands and responses:

E:\Temp\passwd\hashcat-gui\hashcat-0.43>hashcat-cli32.exe --hash-type=1800 --attack-mode=0 ..\..\shadow-ubuntu-1-test.txt ..\..\wordlists\test-wordlist.txt
hashcat-cli32.exe: unknown option -- hash-type=1800

E:\Temp\passwd\hashcat-gui\hashcat-0.43>hashcat-cli32.exe --hash-type 1800 --attack-mode 0 ..\..\shadow-ubuntu-1-test.txt ..\..\wordlists\test-wordlist.txt
hashcat-cli32.exe: unknown option -- hash-type


Problem 2
=======

hashcat doesn't handle shadow entries apparently:

E:\Temp\passwd\hashcat-gui\hashcat-0.43>hashcat-cli32.exe -m 1800 -a 0 ..\..\shadow-ubuntu-1-test.txt ..\..\wordlists\test-wordlist.txt
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

Skipping line: test:$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/:15130:0:99999:7::: (line length exception
)
No hashes loaded


No problem, so I stripped the hash into a format hashcat did apparently accept:

E:\Temp\passwd\hashcat-gui\hashcat-0.43>type ..\..\shadow-ubuntu-1-test-stripped.txt
$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/

But then...


Problem 3
=======

hashcat does not appear to be able to decrypt the password successfully.

E:\Temp\passwd\hashcat-gui\hashcat-0.43>hashcat-cli32.exe -m 1800 -a 0 ..\..\shadow-ubuntu-1-test-stripped.txt ..\..\wordlists\test-wordlist.txt
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

Added hashes from file ..\..\shadow-ubuntu-1-test-stripped.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen

Input.Mode: Dict (..\..\wordlists\test-wordlist.txt)
Index.....: 1/1 (segment), 1 (words), 8 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Tue Mar 12 21:01:54 2013
Stopped: Tue Mar 12 21:01:55 2013

What's the deal here? Is this a bug in hashcat?

I look forward to hearing from you & great work. I especially look forward to having my GPU do the heavy lifting. Wink

E.
#2
1. This is typical unix commandline parameter syntax. You have to remove the = char between key and value to make it work.

hashcat-cli32.exe --hash-type 1800 --attack-mode 0 ..\..\shadow-ubuntu-1-test.txt ..\..\wordlists\test-wordlist.txt

2. Correct and thats fine Smile You found the solution yourself.

3. Something is wrong with your hash. Might have happend when copy/paste it. Take a look at the hex-dump:

Quote:root@sf:~/crackers# xxd x
0000000: 2436 2444 4e52 6c45 4b57 6d24 7445 6364 $6$DNRlEKWm$tEcd
0000010: 446a 4575 7859 4a46 6141 3431 6571 3152 DjEuxYJFaA41eq1R
0000020: 6f34 5348 6f74 336f 7633 5348 654c 6f34 o4SHot3ov3SHeLo4
0000030: 4c51 714b 4e74 7a6a 4843 4e45 7854 356b LQqKNtzjHCNExT5k
0000040: 4544 384b 7049 477a 515a 7274 3735 3873 ED8KpIGzQZrt758s
0000050: e280 8b61 2f57 7743 6e51 7367 5253 3830 ...a/WwCnQsgRS80
0000060: 4548 5254 2f0a EHRT/.

As you can see at offset 0x0000050 there are some high-ascii utf8 values.
#3
I've reconstructed your hash by hand:

Quote:$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/

As you can see here, it cracks fine now:

Quote:root@sf:~/hashcat-0.44# cat > hash
$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/
root@sf:~/hashcat-0.44# echo 123456 > dict
root@sf:~/hashcat-0.44# ./hashcat-cliXOP.bin -m 1800 hash dict
Initializing hashcat v0.44 by atom with 8 threads and 32mb segment-size...

Added hashes from file hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen

$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/:123456
All hashes have been recovered
#4
Hi atom,


Great support!

First thing I noticed when you demonstrated the fix on your end is that you're using version 0.44 whereas I'm on 0.43. This may be of importance. Second, it looks like the high UTF-8 characters are the result of posting the hash to the forum. When comparing the fixed hash with the one I logged in the forum post, after copying and pasting the fixed one, an additional character is visible:

Original: $6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/
Fixed : $6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758s?a/WwCnQsgRS80EHRT/

From the forum post's HTML:

<blockquote><cite>Quote:</cite>$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758s​a/WwCnQsgRS80EHRT/</blockquote>

this character was added: & # 8 2 0 3 ;​ between 's' and 'a'. This is probably from the high UTF-8 byte stream you noticed at offset 0x50: e280 8b.

Checking the data locally from file 'shadow-ubuntu-1-test-stripped.txt' with a hex editor:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000 24 36 24 44 4E 52 6C 45 4B 57 6D 24 74 45 63 64 $6$DNRlEKWm$tEcd
00000010 44 6A 45 75 78 59 4A 46 61 41 34 31 65 71 31 52 DjEuxYJFaA41eq1R
00000020 6F 34 53 48 6F 74 33 6F 76 33 53 48 65 4C 6F 34 o4SHot3ov3SHeLo4
00000030 4C 51 71 4B 4E 74 7A 6A 48 43 4E 45 78 54 35 6B LQqKNtzjHCNExT5k
00000040 45 44 38 4B 70 49 47 7A 51 5A 72 74 37 35 38 73 ED8KpIGzQZrt758s
00000050 61 2F 57 77 43 6E 51 73 67 52 53 38 30 45 48 52 a/WwCnQsgRS80EHR
00000060 54 2F 0A T/.

shows no high UTF-8 characters at offset 0x50.

Just to make sure that I'm not messing up, I have triple-checked the hashes on ubuntu-1 using MD5 hashes:

root@ubuntu-1:/home/erwin/Documents/source/md5# ./md5 /etc/shadow
2F879E6B0665C70766EA4CEA10E70C0D /etc/shadow

E:\Temp\passwd>md5 shadow-ubuntu-1.txt
2F879E6B0665C70766EA4CEA10E70C0D shadow-ubuntu-1.txt (Original cut & paste generated file tested with when I reported the problem.)

E:\Temp\passwd>md5 shadow.copied
2F879E6B0665C70766EA4CEA10E70C0D shadow.copied (File copied from ubuntu-1 once more to triple check.)

Just to make absolutely sure that the hash is correct, here's the output of the grep command for user test:

root@ubuntu-1:~# grep test /etc/shadow
test:$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/:15130:0:99999:7:::

I'm attaching my test files to this message so you can work with these if you like. I would appreciate it if you could look into it further. Also, I ran the command with the parameter format you suggested and it still didn't recognize the --hash-type option:

E:\Temp\passwd\hashcat-gui\hashcat-0.43>hashcat-cli32.exe --hash-type 1800 --attack-mode 0 ..\..\shadow-ubuntu-1-test.txt ..\..\wordlists\test-wordlist.txt
hashcat-cli32.exe: unknown option -- hash-type

Might I have a bad copy of hashcat? MD5 hash is below:

E:\Temp\passwd\hashcat-gui\hashcat-0.43>md5 hashcat-cli32.exe
6BEB279C2FBAF16D8E03C66EE9649300 hashcat-cli32.exe

OK, thanks for your help and look forward to reading your results.

P.S. Can't attach a file to my post:

Error Attaching File
The file upload failed. Please choose a valid file and try again. Error details: There was a problem moving the uploaded file to its destination.

Will try some other way: https://www.wetransfer.com/downloads/f74...756/61ecb5
#5
Just did some final (before going to sleep) verification testing using cryptcrack.pl (http://blog.hacker.dk/wp-content/uploads...ptcrack.pl)

root@ubuntu-1:~/Documents# echo 123456 | ./cryptcrack.pl -f shadow-ubuntu-1-test.txt
Read 1 hashes from file
Spawning 4 threads
0.201 keys per second.
FOUND: 123456 ($6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/)
No hashes left to crack


Cracked passwords:
---------------
123456 ($6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/)
#6
Haven't heard back from you yet. Just thought I'd also check with hashcat for Linux:

root@ubuntu-1:~/Documents# ./hashcat-cli32.bin -m 1800 shadow-ubuntu-1-test-stripped.txt test-wordlist-unix.txt -o result
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

Added hashes from file shadow-ubuntu-1-test-stripped.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen

Input.Mode: Dict (test-wordlist-unix.txt)
Index.....: 1/1 (segment), 1 (words), 7 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Wed Mar 13 15:04:26 2013
Stopped: Wed Mar 13 15:04:26 2013

Could you please also run this test with 0.43 (Windows or Linux) just to confirm there really is a problem?
#7
Added another user (test2) on my Ubuntu system and had a go a both hashes using hashcat-cli32.bin renamed to hashcat-cli32-0.43.bin because I also tested 0.42. Results are the same. None of the hashes are cracked.

root@ubuntu-1:~/Documents# cat test-wordlist-unix.txt
123456

root@ubuntu-1:~/Documents# cat shadow
test:$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/:15130:0:99999:7:::
test2:$6$EmsvsJgk$XQwi2CHcKll/kROYcnkhBYTAweqYuc7aQY0wmOxVTTPkColB9zmiQMvCgOlBNXYCWkqWr3pzX5a0JSFGSe5Uu1:15776:0:99999:7:::

root@ubuntu-1:~/Documents# cat shadow-stripped
$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/
$6$EmsvsJgk$XQwi2CHcKll/kROYcnkhBYTAweqYuc7aQY0wmOxVTTPkColB9zmiQMvCgOlBNXYCWkqWr3pzX5a0JSFGSe5Uu1

root@ubuntu-1:~/Documents# ./hashcat-cli32-0.43.bin -m 1800 shadow-stripped test-wordlist-unix.txt -o result
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

Added hashes from file shadow-stripped: 2 (2 salts)

NOTE: press enter for status-screen

Input.Mode: Dict (test-wordlist-unix.txt)
Index.....: 1/1 (segment), 1 (words), 7 (bytes)
Recovered.: 0/2 hashes, 0/2 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Wed Mar 13 15:25:51 2013
Stopped: Wed Mar 13 15:25:51 2013

root@ubuntu-1:~/Documents# cat result
cat: result: No such file or directory

root@ubuntu-1:~/Documents# cat test-wordlist-unix.txt | ./cryptcrack.pl -f shadow
Read 2 hashes from file
Spawning 4 threads
0.201 keys per second.
FOUND: 123456 ($6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/)
FOUND: 123456 ($6$EmsvsJgk$XQwi2CHcKll/kROYcnkhBYTAweqYuc7aQY0wmOxVTTPkColB9zmiQMvCgOlBNXYCWkqWr3pzX5a0JSFGSe5Uu1)
No hashes left to crack


Cracked passwords:
---------------
123456 ($6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/)
123456 ($6$EmsvsJgk$XQwi2CHcKll/kROYcnkhBYTAweqYuc7aQY0wmOxVTTPkColB9zmiQMvCgOlBNXYCWkqWr3pzX5a0JSFGSe5Uu1)
#8
cannot reproduce.

Code:
epixoip@db:~/hashcat-0.43$ echo '$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/' >test.hash

epixoip@db:~/hashcat-0.43$ echo '123456' >test.dic

epixoip@db:~/hashcat-0.43$ ./hashcat-cli64.bin -m 1800 test.hash test.dic
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

Added hashes from file test.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen

$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/:123456
All hashes have been recovered
#9
Just tested the same hash on 32 bit ubuntu and 32 bit windows 7 (w/ cygwin) w/ both v43 and latest beta.
I instead CAN reproduce the problem, seems to be an odd 32bit-specific problem!?

WIN:
Code:
C:\Users\philsmd\hashcat-0.43>cat test
#!/bin/sh
echo '$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/' >test.hash
echo 123456 >test.dic
hashcat-cli32.exe -m 1800 test.hash test.dic

Linux:
Code:
$ cat test
#!/bin/sh
echo '$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/' >test.hash
echo 123456 >test.dic
./hashcat-cli32.bin -m 1800 test.hash test.dic

Output is (for all my tests almost the same except time):
Code:
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

Added hashes from file test.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen

Input.Mode: Dict (test.dic)
Index.....: 1/1 (segment), 1 (words), 7 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Thu Mar 14 09:46:49 2013
Stopped: Thu Mar 14 09:46:49 2013

@atom, could you have a look at this one and let me know if I should help you in testing w/ x32?

EDIT: it seems that the forum here adds the "strange" utf-8 character when posting, but the hash should be correct in the test file (double checked it!)
#10
Interesting twist. I fired up my Windows 2012 server (64bit) and ran the 64 bit version of hashcat. (hashcat-cli64)

64 bit results
==========

PS C:\Users\administrator\Documents> .\hashcat-cli64.exe -m 1800 hash dict
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

Added hashes from file hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen

$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/:123456
All hashes have been recovered


32 bit results
==========

BTW, the hash and dict files were also tested using the 32bit version of the hashcat utility with these results:

root@bt:~# cat dict
123456
root@bt:~# cat hash
$6$DNRlEKWm$tEcdDjEuxYJFaA41eq1Ro4SHot3ov3SHeLo4LQqKNtzjHCNExT5kED8KpIGzQZrt758sa/WwCnQsgRS80EHRT/
root@bt:~# ./tools/hashcat-0.43/hashcat-cli32.bin -m 1800 hash dict
Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

Added hashes from file hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen

Input.Mode: Dict (dict)
Index.....: 1/1 (segment), 1 (words), 7 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Thu Mar 14 14:27:38 2013
Stopped: Thu Mar 14 14:27:39 2013


Conclusion
========

As suggested in the previous post, the 32 bit version of hashcat 0.43 seems to be affected. 64 bit works just fine. The commandline option --hash-type is still not functioning, however. (--hash-mode works just fine, but that is not the option name specified in the --help text.)