NetNTLMv2 Cyrillic symbols issue
#1
Hi!
I'm trying to crack a NetNTLMv2 hash with a known password:

test::test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

The password is Cyrillic "a" (Unicode 0430).

When I tried the method described here, hashcat didn't manage to recover this pass.

Then I tried to run hashcat using mask ?b?b --incremental

Useless again. 

Password was successfully cracked using john.

Hashcat successfully cracks hashes with Latin passwords, for example:

test::test-PC:1122334455667788:66B41928700FEA503B80D86372FE1164:0101000000000000206CC1C437A6D101A0D0BEE8D9BE72C80000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C00080030003000000000000000000000000030000037DE47151778061BAA06DCDCE4F1ACAB2B85419749F92F70F4921AAA5677A3F80A0010000000000000000000000000000000000009001C0063006900660073002F0064006100750074006F0076002D00700063000000000000000000:te

Am I right that there is some issue with non-Latin symbols in the NetNTLMv2 method in hashcat?
#2
Something is not right here. I created a wordlist with various encodings of that character (UTF8, UTF16LE, Windows 1251, ISO 8859-5) and cannot crack the hash you provided with Hashcat or JTR. So I do not think the password for that hash is what you say it is.

If JTR did indeed crack that hash, can you provide the plaintext from john.pot as hex?
#3
I can provide it a bit later (far away from home right now).

John cracked this hash with default settings on The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux with the command
"john --format=netntlmv2 --encoding=CP1251 --incremental=lanman hash.txt"
#4
john.pot

$NETNTLMv2$TESTtest-PC$1122334455667788$ee8be66e931ee5f78502e43ab0755eb7$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:а

and the last line in hex:
00000270: 30 30 30 30 3A D0 B0 0A 00000:Р°
#5
The linked site from rura works for most algorithms like MD5, WPA, etc., but you can't crack 8-bit passwords on algorithms which do the Unicode conversion inside the algorithm itself. In that case the zero bytes are always added. This would require a kernel change to make it possible.
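
Added example, not part of the thread and not hashcat's code: it models the zero-byte insertion described in post #5 and compares the result with the real UTF-16LE encoding that NTLM hashes, for the encodings tried in post #2 and the ?b?b keyspace from post #1. The function names are hypothetical, and the per-byte expansion (each candidate byte b becomes b, 0x00) is an assumption taken from post #5.

```python
from itertools import product


def naive_utf16le(candidate: bytes) -> bytes:
    """Assumed in-kernel conversion: every candidate byte b becomes (b, 0x00)."""
    return b"".join(bytes((b, 0)) for b in candidate)


def true_utf16le(password: str) -> bytes:
    """Real UTF-16LE encoding of the password, the input to the NT hash."""
    return password.encode("utf-16-le")


def encodings_tried(password: str) -> dict:
    """Zero-byte expansion of each wordlist encoding listed in post #2."""
    encodings = ("utf-8", "utf-16-le", "cp1251", "iso8859_5")
    return {enc: naive_utf16le(password.encode(enc)).hex() for enc in encodings}


def reachable(password: str, max_len: int = 2) -> bool:
    """Walk every byte string up to max_len (the ?b?b --incremental keyspace)
    and report whether any candidate expands to the real UTF-16LE bytes."""
    target = true_utf16le(password)
    for length in range(1, max_len + 1):
        for cand in product(range(256), repeat=length):
            if naive_utf16le(bytes(cand)) == target:
                return True
    return False


if __name__ == "__main__":
    pw = "\u0430"  # Cyrillic small letter a, the password stated in post #1
    print("real UTF-16LE:", true_utf16le(pw).hex())
    for enc, expanded in encodings_tried(pw).items():
        print(f"{enc:10s} expands to {expanded}")
    print("U+0430 reachable with ?b?b:", reachable(pw))
    print("Latin 'te' reachable with ?b?b:", reachable("te"))
```

Under that model only code points U+0000 to U+00FF keep their correct UTF-16LE form, which matches the Latin password cracking while U+0430 does not.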