MS Cache v2 Cracking Issue
#1
I'm trying to crack some MS Cache v2 hashes we recovered on a recent engagement, but hashcat is hanging on the "Checking for Weak Hashes...."

Hash format I'm using is $DCC2$#username#hash.

The format on the hash examples wiki page seemed to include a 4th field, but I have no idea what it is. The format I'm using above is pretty much what we got out of a dump from Metasploit. The exact format of what we got from Metasploit is:

username:$DCC2$#username#hash:fqdn:domain

Is there an issue with the format I'm using above, or is there some other issue?
#2
Nothing wrong with your format, it's just a slow algorithm and you presumably have a lot of salts, so it's taking a very long time to check for empty hashes. Just add "--weak-hash-threshold 0" to disable this.
#3
Good plan. I'll just disable that. I know it's a slow algorithm, I just didn't expect it to take that long... it's only 10 hashes and salts, and I let it run overnight on a 4 GPU server built for cracking. It was still on the "Checking for weak hashes" when I woke up 8 hours later.
#4
Something has got to be wrong with either the format I'm using or the hash itself. I just ran the hashes again and set weak-hash-threshold to 0, on a different machine than I first tried it on (this time I used my single GPU laptop). After 5 minutes, my progress was 0% - 0 hashes calculated, and my card was at 98% utilization the entire time.
#5
I ended up solving my own problem (I think). The format required me to insert "10240" after the $DCC2$, which is the iteration count of the MsCachev2 algorithm. That is in the example hashes on the wiki, but I didn't know what it was. I did a bit of research on the algorithm and saw the 10240 iteration count, and figured that inserting that into the hash format would solve my issues. Seems to be working fine now.
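The format fix described in post #5, as an added example that is not part of the original thread: a small Python normalizer that takes dump lines in either form quoted in post #1 and emits `$DCC2$10240#username#hash`. The function names, the sample lines and the 32-hex-digit length check are assumptions of this example; the digests are constructed.

```python
import re

# Iteration count named in post #5; it goes directly after "$DCC2$".
DCC2_ITERATIONS = 10240

# $DCC2$[iterations]#username#digest, located anywhere in a dump line.
# Assumption of this example: the digest is 32 hex digits (16 bytes).
_DCC2_RE = re.compile(r"\$DCC2\$(\d*)#(.+)#([0-9a-fA-F]{32})(?![0-9a-fA-F])")


def normalize_dcc2(line):
    """Return '$DCC2$<iterations>#user#hash' for one line, or None if malformed."""
    m = _DCC2_RE.search(line.strip())
    if m is None:
        return None
    iterations, user, digest = m.groups()
    # An explicit count is kept as written; a missing one gets the default.
    count = int(iterations) if iterations else DCC2_ITERATIONS
    return f"$DCC2${count}#{user}#{digest}"


def normalize_lines(lines):
    """Split input into (normalized hashes, rejected raw lines)."""
    good, bad = [], []
    for raw in lines:
        if not raw.strip():
            continue  # skip blank lines
        fixed = normalize_dcc2(raw)
        if fixed is None:
            bad.append(raw)
        else:
            good.append(fixed)
    return good, bad


# Constructed sample input (digests are made up, not real hashes).
SAMPLE = [
    "alice:$DCC2$#alice#0123456789abcdef0123456789abcdef:host.corp.example:CORP",
    "$DCC2$#bob#fedcba9876543210fedcba9876543210",
    "$DCC2$10240#carol#00112233445566778899aabbccddeeff",
    "$DCC2$#dave#deadbeef",  # truncated digest: rejected
]

if __name__ == "__main__":
    ok, rejected = normalize_lines(SAMPLE)
    print("\n".join(ok))
    print("rejected:", rejected)
```
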