Correct syntax for oclHashcat when piping dictionary from samba share
#1
I am running the following command:

Code:
dylan@hashcat:~/crack/oclHashcat-1.33$ 'smbclient \\\\xaelah\\wordlists -E -Udylan%qwe -c "get 18_in_1 /dev/fd/1" 2>/dev/null' |  oclHashcat64.bin -m 2500 -a3 ~/crack/captures/papabear.hccap

It runs perfectly; the problem I am running into is that I am unable to check status, pause, bypass or execute any of the commands that are typically available.

I then press ctrl ^ c to kill the process or kill it from another terminal. At that point it then prints out the normal status message. I am thinking that this is due to some sort of bash shell issue. Can anyone shed any light on this? I have spent a long time googling and trying different escape strategies so I am not looking for a simple walk-through, I am happy to do the work but just have hit a dead end.

Below is the output from the terminal to give you an idea of what I am dealing with.

Code:
dylan@hashcat:~/crack/oclHashcat-1.33$ 'smbclient \\\\xaelah\\wordlists -E -Udylan%qwe -c "get 18_in_1 /dev/fd/1" 2>/dev/null' |  oclHashcat64.bin -m 2500 -a3 ~/crack/captures/papabear.hccap
-bash: smbclient \\\\xaelah\\wordlists -E -Udylan%qwe -c "get 18_in_1 /dev/fd/1" 2>/dev/null: No such file or directory
oclHashcat v1.33 starting...

Device #1: Pitcairn, 2005MB, 975Mhz, 16MCU
Device #2: Pitcairn, 2005MB, 1100Mhz, 20MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4098/m02500.Pitcairn_1573.4_1573.4 (VM).kernel (258848 bytes)
Device #1: Kernel ./kernels/4098/markov_le_v1.Pitcairn_1573.4_1573.4 (VM).kernel (35072 bytes)
Device #1: Kernel ./kernels/4098/amp_a3_v1.Pitcairn_1573.4_1573.4 (VM).kernel (13624 bytes)
Device #2: Kernel ./kernels/4098/m02500.Pitcairn_1573.4_1573.4 (VM).kernel (258848 bytes)
Device #2: Kernel ./kernels/4098/markov_le_v1.Pitcairn_1573.4_1573.4 (VM).kernel (35072 bytes)
Device #2: Kernel ./kernels/4098/amp_a3_v1.Pitcairn_1573.4_1573.4 (VM).kernel (13624 bytes)

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
^c
Session.Name...: oclHashcat
Status.........: Aborted
Input.Mode.....: Mask (?1?2?2?2?2?2?2?3) [8]
Hash.Target....: Papa Bear (00:23:31:e4:65:8b <-> 58:23:8c:be:5d:a7)
Hash.Type......: WPA/WPA2
Time.Started...: Mon Mar 16 17:43:16 2015 (3 secs)
Time.Estimated.: Thu Jul 21 09:11:09 2016 (1 year, 127 days)
Speed.GPU.#1...:    61773 H/s
Speed.GPU.#2...:    82882 H/s
Speed.GPU.#*...:   144.7 kH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 481280/5533380698112 (0.00%)
Skipped........: 0/481280 (0.00%)
Rejected.......: 0/481280 (0.00%)
Restore.Point..: 10240/89248075776 (0.00%)
HWMon.GPU.#1...: 61% Util, 26c Temp, 40% Fan
HWMon.GPU.#2...: 37% Util, 31c Temp, 40% Fan

Started: Mon Mar 16 17:43:16 2015
Stopped: Mon Mar 16 17:43:26 2015
dylan@hashcat:~/crack/oclHashcat-1.33$
#2
No, it certainly doesn't run perfectly. Your command pipeline isn't doing what you think it's doing. Look at the output.

Problem 1: your whole smbclient command is failing. It is erroring out with "No such file or directory."

Problem 2: you're specifying -a 3 with a pipe. Pipe implies wordlist attack, but then you're explicitly telling hashcat to do a mask attack. This means everything being piped into hashcat will be ignored, as it will simply do a mask attack with the default mask.

Problem 3: because you've opened a pipe, stdin is not attached to the virtual terminal. That is why you can't check status / pause / bypass / etc.
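
Added example (not part of the original thread, and not hashcat or smbclient code): problems 1 and 3 from the reply above, reproduced offline with stand-ins. Here `printf` plays the producer and `wc` the consumer; the function names and sample words are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: printf stands in for the smbclient producer and wc for the
# consumer, so nothing here needs a share, a capture file or a GPU.

# Problem 1: quoting the whole producer turns it into ONE word, which the shell
# looks up as a command name. The lookup fails with status 127. (When the word
# contains a slash, bash words the error "No such file or directory".)
quoted_producer_status() {
    status=0
    'printf %s\n word1 word2' >/dev/null 2>&1 || status=$?
    echo "$status"
}

# The consumer still starts, and the pipeline reports the LAST command's
# status, so the dead producer is easy to miss: the consumer just reads EOF.
lines_from_quoted_producer() {
    'printf %s\n word1 word2' 2>/dev/null | wc -l | tr -d ' '
}

# Same producer without the outer quotes: the words actually reach the consumer.
lines_from_unquoted_producer() {
    printf '%s\n' word1 word2 2>/dev/null | wc -l | tr -d ' '
}

# Problem 3: whatever sits on the right of a pipe has the pipe as stdin, not
# the terminal, so it cannot read interactive keypresses.
stdin_kind() {
    if [ -t 0 ]; then echo tty; else echo not-a-tty; fi
}

stdin_kind_in_pipeline() {
    printf 'word1\n' | stdin_kind
}

echo "quoted producer exit status : $(quoted_producer_status)"
echo "lines from quoted producer  : $(lines_from_quoted_producer)"
echo "lines from unquoted producer: $(lines_from_unquoted_producer)"
echo "consumer stdin in a pipeline: $(stdin_kind_in_pipeline)"
# Saving the wordlist to a file first and passing it as an argument leaves
# stdin inherited from the terminal, so keypress handling keeps working.
```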
#3
Great, thank you for the input, it has been very helpful. After I would kill my hashcat command I was WRONGLY assuming that the data HC was using was coming from my SMB connection. I see now how incorrect I was. What is strange is that if I remove the pipe and everything to the right of it, the SMB command runs great.

But this input is EXACTLY what I needed, I am gonna dig through it for a while and get back to you guys in hopes this post will help someone in the future.
#4
I was able to resolve my issue, I removed the attack option and now it updates the status of the attempt without me doing anything. I assume that is normal with a stdin attack. I also removed the single quote character from around my smbclient command. Is there no way to pause the attack and quit so I can resume later? Also anyone have advice on the best way to use screen with the below command?

Code:
smbclient -E \\\\xaelah\\wordlists -Udylan%qwe -c "get 18_in_1 /dev/fd/1" 2>/dev/null | ./oclHashcat64.bin -m 2500 ~/captures/papabear.hccap

The above is my new command
#5
You can pause if you do not use stdin. Btw 18 in 1 wordlist is crap
#6
Lol I completely agree about 18 in 1. What I have done is write a little script to delete all characters that are not valid, delete lines shorter than 8 characters, sort the file and then merge them with my master file. I started with 18 in 1 so it just happens to have remained my master file. But I am ALWAYS looking for more dictionaries, please tell me what you recommend!!!! Also I figured out my screen issue so never mind on that. Guess I just need more word lists now :)

Happy hashing!
#7
rockyou.txt
hashes.org found list
#8
Thank you sir! I quit being lazy and just searched the forum myself. But thank you, I hadn't been to hashes.org yet so I will explore there!