Remove doesn't work on dictionnary attack ?
#1
Hi,

I'm using hashcat for dictionnary attack and charset attack. No problem at all when I'm using --remove for charset attack. But for dictionnary attack... It doesn't remove any hash at all. There is only one instance for each hash.

For example, I'm using, for dictionnary attack : 

Code:
hashcat-cli64.bin -m 0 md5_0.hash dictionary.txt -o md5outfile --remove

But it doesn't remove any hash at all from md5_0.hash file.

If I use

Code:
hashcat-cli64.bin -a 3 -1 ?d --increment hash_file.hash ?1?1?1?1?1 --remove --outfile=md5outfile
then there is no problem, all found hashes are removed from the hash_file.hash file.

Am I doing something wrong ?


Thanks for your help.
#2
First, please make sure that you use the newest release version of cpu hashcat (0.50).

It is important that your md5_0.hash file is uniqued, so no duplicate hashes (use sort -u md5_0.hash | sponge md5_0.hash for instance to unique it).

Please also try with the included examle hashes/words.
cd [download_folder_of_cpu_hashcat]
cp examples/A0.M0.hash .
./hashcat-cli64.bin --remove -m 0 -o md5outfile A0.M0.hash examples/A0.M0.word

Does this produce an empty A0.M0.hash file ? (check with ls -l A0.M0.hash)

P.S. also make sure you did understand the topics covered by the faq (about --remove etc) for instance https://hashcat.net/wiki/frequently_aske...as_cracked
#3
I'm using the latest release of cpu hashcat : hashcat-0.50.

I'm certain that my md5_0.hash file is uniqued (can't find what sponge is ?) : 


Code:
root:~/hashcat-0.50# cat md5_0.hash
098f6bcd4621d373cade4e832627b4f6
3ed7dceaf266cafef032b9d5db224717
900150983cd24fb0d6963f7d28e17f72
092e974799a5b3b8771f3a2549e9e7b6
21232f297a57a5a743894a0e4a801fc3



Code:
root:~/hashcat-0.50# sort -u md5_0.hash
092e974799a5b3b8771f3a2549e9e7b6
098f6bcd4621d373cade4e832627b4f6
21232f297a57a5a743894a0e4a801fc3
3ed7dceaf266cafef032b9d5db224717
900150983cd24fb0d6963f7d28e17f72


I tried with the included example :


Code:
root:~/hashcat-0.50# ./hashcat-cli64.bin --remove -m 0 -o md5outfile A0.M0.hash examples/A0.M0.word


This copy of hashcat will expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcat v0.50 with 1 threads and 32mb segment-size...

Added hashes from file A0.M0.hash: 102 (1 salts)


All hashes have been recovered

Input.Mode: Dict (examples/A0.M0.word)
Index.....: 1/1 (segment), 102 (words), 2769 (bytes)
Recovered.: 102/102 hashes, 1/1 salts
Speed/sec.: - plains, 96 words
Progress..: 102/102 (100.00%)
Running...: 00:00:00:01
Estimated.: --:--:--:--


Started: Tue Dec  1 16:56:17 2015
Stopped: Tue Dec  1 16:56:18 2015

root:~/hashcat-0.50# ./hashcat-cli64.bin --remove -m 0 -o md5outfile A0.M0.hash examples/A0.M0.word


This copy of hashcat will expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcat v0.50 with 1 threads and 32mb segment-size...



No hashes loaded


I don't really understand what's going on... Am I really missing something this huge ?


Thanks for your help.
#4
(12-01-2015, 06:01 PM)Autrui Wrote:
Code:
No hashes loaded

It seems that it worked for you too: If it says "No hashes loaded" the file "md5_0.hash" is probably empty (and therefore the --remove did work)
You can also just open the file "md5_0.hash" and check if it is empty (for this particular example or if it has less hashes for the general case,  i.e. if at least one hash cracked).

So everything seems good. I don't really understand what you think is not working correctly.
It even works with your example hash file.
#5
It worked, but  for the A0.M0.hash file. If I do it for my md5_0.hash file I have this :

Code:
root:~/hashcat-0.50# ./hashcat-cli64.bin --remove -m 0 -o md5outfile md5_0.hash dictionary.txt


This copy of hashcat will expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcat v0.50 with 1 threads and 32mb segment-size...

Added hashes from file md5_0.hash: 5 (1 salts)

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Dict (dictionary.txt)
Index.....: 1/1 (segment), 14 (words), 97 (bytes)
Recovered.: 4/5 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 14/14 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Started: Tue Dec  1 17:15:22 2015
Stopped: Tue Dec  1 17:15:22 2015
root:~/hashcat-0.50# ./hashcat-cli64.bin --remove -m 0 -o md5outfile md5_0.hash dictionary.txt


This copy of hashcat will expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcat v0.50 with 1 threads and 32mb segment-size...

Added hashes from file md5_0.hash: 5 (1 salts)

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Dict (dictionary.txt)
Index.....: 1/1 (segment), 14 (words), 97 (bytes)
Recovered.: 4/5 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 14/14 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Started: Tue Dec  1 17:15:24 2015
Stopped: Tue Dec  1 17:15:24 2015

Which is not really what I expect... Nothing is removed from the md5_0.hash file :/
And I really don't understand why it works for the example file, but not for my file...
#6
Have you actually checked the hash file? Hashcat saves your progress (in a .pot file, generally in C:\Users\username\) and I'm pretty sure it'll give that kind of output, even when the hashes themselves have been removed from the file.
#7
Yup, I've checked the file, after the dictionary attack and the charset attack. I've also deleted the pot file, to see if it has something to do with it, but no change... The content of the md5_0.hash file is the same with 10 dictionary attack, but changes after the first charset attack :/
#8
I can't reproduce the problem here; no matter what I try.

Maybe you have some special setup: for instance a remote drive (not a local disk), the file/directory does not have write permissions etc.

A useful test would be to download a fresh copy of hashcat from https://hashcat.net/hashcat and create fresh copies of the files (hash file, dictionary file etc) without cp'ing them and test it again.
Maybe you can also test with a different computer (again without copying everything, prefer fresh copies of the files) such that we can exclude that the problem lies on that particular setup.
#9
Reproduced, gonna investigate.