Posts: 5
Threads: 1
Joined: Sep 2016
I'm brute forcing crc32 check sums and they have many collisions. For e.g. following strings have the same crc32.
[.ERM*]
[B6In]
[^y#Hz]
[cho "]
So, is there a way that I can get all the collisions for a given checksum?
Currently hashcat gives only the first one in the results
I'm executing this -
Code: hashcat64.exe -a 3 -m 11500 hashes.txt ?a?a?a?a?a
Posts: 929
Threads: 4
Joined: Jan 2015
09-11-2016, 06:43 AM
(This post was last modified: 09-11-2016, 07:07 AM by royce.
Edit Reason: fork customization
)
I don't know of a way to do this with hashcat today.
But the "jumbo" edition of John the Ripper has a "hidden" option (--keep-guessing) that will do this.
For CRC32, the source file has to be assembled in a particular way, as documented here:
http://openwall.info/wiki/john/hash-formats
Here is a working example.
$ cat crc32.hash
user_x:$crc32$00000000.bb0e6e9b:::dummy
$ ./john --fork=4 --format=crc32 --keep-guessing crc32.hash
Using default input encoding: UTF-8
Loaded 1 password hash (CRC32 [CRC32 32/64 CRC-32C SSE4.2])
Node numbers 1-4 of 4 (fork)
Note: Will keep guessing even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
dhtchm (user_x)
ikiotid (user_x)
B6In (user_x)
... etc. Adjust the "fork" value for your number of CPUs/cores, of course.
~
Posts: 5
Threads: 1
Joined: Sep 2016
09-11-2016, 10:47 AM
(This post was last modified: 09-11-2016, 11:13 AM by jj.)
(09-11-2016, 06:43 AM)royce Wrote: I don't know of a way to do this with hashcat today.
But the "jumbo" edition of John the Ripper has a "hidden" option (--keep-guessing) that will do this.
For CRC32, the source file has to be assembled in a particular way, as documented here:
http://openwall.info/wiki/john/hash-formats
Here is a working example.
$ cat crc32.hash
user_x:$crc32$00000000.bb0e6e9b:::dummy
$ ./john --fork=4 --format=crc32 --keep-guessing crc32.hash
Using default input encoding: UTF-8
Loaded 1 password hash (CRC32 [CRC32 32/64 CRC-32C SSE4.2])
Node numbers 1-4 of 4 (fork)
Note: Will keep guessing even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
dhtchm (user_x)
ikiotid (user_x)
B6In (user_x)
... etc. Adjust the "fork" value for your number of CPUs/cores, of course.
Is there a way by which we can resume the hashcat from where it stopped when it cracked the hash?
I'm getting this error when trying to use restore :/
ERROR: Restore file '<directory>/hashcat.restore': No such file or directory
Posts: 5
Threads: 1
Joined: Sep 2016
I made a python script to do the work.
Code: import re
import subprocess
import math
import os
with open('hashes.txt','r') as f:
hashes=f.readlines()
hashes=list(map(str.strip,hashes))
def status(hash):
with open(hash[:8]+'.txt','r')as f:
lines=f.readlines()
for line in lines:
if re.match('Status\.\.\.\.\.\.\.\.\.: \w*',line):
s=re.match('Status\.\.\.\.\.\.\.\.\.: \w*',line).group()
break
print s[17:]
if s[17:]=='Exhausted':
return 0
else:
return 1
def offset(hash):
keyspace=int(subprocess.check_output(['hashcat64.exe', '-a' ,'3' ,'-m' ,'11500','--keyspace','?a?a?a?a?a']))
print int(keyspace)
with open(hash[:8]+'.txt','r')as f:
lines=f.readlines()
for line in lines:
if re.match('Progress\.\.\.\.\.\.\.:.*',line):
progress=re.match('Progress\.\.\.\.\.\.\.: .*',line).group()
progress=float(progress[-8:].strip(' ()%'))/100
break
print progress
off=int(math.ceil(progress*keyspace))
return off
def cracks(hash):
with open(hash[:8]+'.txt','r')as f:
lines=f.readlines()
for line in lines:
if re.search(re.escape(hash)+'.*',line):
crack=re.search(re.escape(hash)+'.*',line).group()
break
return crack
def main():
for hash in hashes:
print hash
f1=open(hash[:8]+' cracked.txt','a')
subprocess.call(['hashcat64.exe', '-a' ,'3' ,'-m' ,'11500',hash, '?a?a?a?a?a' ,'--potfile-disable'],stdout=open(str(hash[:8])+'.txt','w'))
f1.write(cracks(hash)+'\n')
while (status(hash)):
off=offset(hash)
print(off)
subprocess.call(['hashcat64.exe', '-a' ,'3' ,'-m' ,'11500','-s',str(off),hash, '?a?a?a?a?a' ,'--potfile-disable'],stdout=open(str(hash[:8])+'.txt','w'))
try:
f1.writelines(cracks(hash)+'\n')
except:
print 'Exhausted'
os.remove(str(hash[:8])+'.txt')
if __name__ == '__main__':
main()
Posts: 929
Threads: 4
Joined: Jan 2015
09-11-2016, 03:55 PM
(This post was last modified: 09-11-2016, 03:55 PM by royce.
Edit Reason: grammar
)
When using masks, hashcat uses the same sequence of passwords every time.
I haven't read your script thoroughly, but how does the script teach hashcat that it shouldn't just stop at the first one it finds every time? Just disabling the potfile would not be sufficient, I think.
Are you successfully getting collisions with this wrapper?
~
Posts: 929
Threads: 4
Joined: Jan 2015
Ah, you're using the offset - nice!
~
Posts: 5
Threads: 1
Joined: Sep 2016
(09-11-2016, 04:39 PM)royce Wrote: Ah, you're using the offset - nice!
Yep, the script worked. I was able to get all the collisions. It uses the -s option. I'm calculating the offset by multiplying progress % to keyspace. This is done until the keyspace is exhausted.
Posts: 5,185
Threads: 230
Joined: Apr 2010
You can do what --keep-guessing is doing by adding OPTS_TYPE_PT_NEVERCRACK to the hashconfig->opts_type for mode 11500 in src/interface.c
Posts: 5
Threads: 1
Joined: Sep 2016
(09-12-2016, 12:22 AM)atom Wrote: You can do what --keep-guessing is doing by adding OPTS_TYPE_PT_NEVERCRACK to the hashconfig->opts_type for mode 11500 in src/interface.c
Adding an option would be nice for future?
Posts: 5,185
Threads: 230
Joined: Apr 2010
If you want it added as option please open an issue on github
|
