Finding all the collisions for a given hash
#1
I'm brute forcing crc32 checksums and they have many collisions. For example, the following strings have the same crc32.
[.ERM*]
[B6In]
[^y#Hz]
[cho "]

So, is there a way that I can get all the collisions for a given checksum?
Currently hashcat gives only the first one in the results.
I'm executing this:
Code:
hashcat64.exe -a 3 -m 11500 hashes.txt ?a?a?a?a?a
#2
I don't know of a way to do this with hashcat today.

But the "jumbo" edition of John the Ripper has a "hidden" option (--keep-guessing) that will do this.

For CRC32, the source file has to be assembled in a particular way, as documented here:

http://openwall.info/wiki/john/hash-formats

Here is a working example.

$ cat crc32.hash
user_x:$crc32$00000000.bb0e6e9b:::dummy


$ ./john --fork=4 --format=crc32 --keep-guessing crc32.hash
Using default input encoding: UTF-8
Loaded 1 password hash (CRC32 [CRC32 32/64 CRC-32C SSE4.2])
Node numbers 1-4 of 4 (fork)
Note: Will keep guessing even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
dhtchm (user_x)
ikiotid (user_x)
B6In (user_x)

... etc. Adjust the "fork" value for your number of CPUs/cores, of course.
~
#3
(09-11-2016, 06:43 AM)royce Wrote: I don't know of a way to do this with hashcat today.

But the "jumbo" edition of John the Ripper has a "hidden" option (--keep-guessing) that will do this.

For CRC32, the source file has to be assembled in a particular way, as documented here:

http://openwall.info/wiki/john/hash-formats

Here is a working example.

$ cat crc32.hash
user_x:$crc32$00000000.bb0e6e9b:::dummy


$ ./john --fork=4 --format=crc32 --keep-guessing crc32.hash
Using default input encoding: UTF-8
Loaded 1 password hash (CRC32 [CRC32 32/64 CRC-32C SSE4.2])
Node numbers 1-4 of 4 (fork)
Note: Will keep guessing even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
dhtchm           (user_x)
ikiotid          (user_x)
B6In             (user_x)

... etc. Adjust the "fork" value for your number of CPUs/cores, of course.

Is there a way to resume hashcat from where it stopped when it cracked the hash?
I'm getting this error when trying to use restore :/
ERROR: Restore file '<directory>/hashcat.restore': No such file or directory
#4
I made a Python script to do the work.

Code:
import math
import os
import re
import subprocess

# One CRC32 hash per line.
with open('hashes.txt', 'r') as f:
    hashes = [line.strip() for line in f]


def read_log(hash_str):
    # hashcat's stdout for this hash is captured in "<first 8 chars>.txt".
    with open(hash_str[:8] + '.txt', 'r') as f:
        return f.readlines()


def run_hashcat(hash_str, extra=()):
    # Run the mask attack, overwriting the log with this run's output.
    with open(hash_str[:8] + '.txt', 'w') as log:
        subprocess.call(['hashcat64.exe', '-a', '3', '-m', '11500', *extra,
                         hash_str, '?a?a?a?a?a', '--potfile-disable'], stdout=log)


def status(hash_str):
    # Return 0 when the keyspace is exhausted, 1 when hashcat stopped earlier.
    s = ''
    for line in read_log(hash_str):
        m = re.match(r'Status\.\.\.\.\.\.\.\.\.: \w*', line)
        if m:
            s = m.group()
            break
    print(s[17:])
    # A missing Status line means hashcat did not run; stop instead of looping.
    if s == '' or s[17:] == 'Exhausted':
        return 0
    return 1


def offset(hash_str):
    # Turn the reported progress percentage into a value for -s (skip).
    keyspace = int(subprocess.check_output(
        ['hashcat64.exe', '-a', '3', '-m', '11500', '--keyspace', '?a?a?a?a?a']
    ).decode().strip())
    print(keyspace)
    progress = 0.0
    for line in read_log(hash_str):
        m = re.match(r'Progress\.\.\.\.\.\.\.: .*', line)
        if m:
            # The line ends in "(NN.NN%)"; the percentage is rounded to two
            # decimals, so the computed offset is approximate.
            progress = float(m.group()[-8:].strip(' ()%')) / 100
            break
    print(progress)
    return int(math.ceil(progress * keyspace))


def cracks(hash_str):
    # Return the first log line containing the hash, or None if there is none.
    for line in read_log(hash_str):
        m = re.search(re.escape(hash_str) + '.*', line)
        if m:
            return m.group()
    return None


def main():
    for hash_str in hashes:
        print(hash_str)
        with open(hash_str[:8] + ' cracked.txt', 'a') as f1:
            run_hashcat(hash_str)
            crack = cracks(hash_str)
            if crack:
                f1.write(crack + '\n')
            # Restart just past the last hit until the keyspace is exhausted.
            while status(hash_str):
                off = offset(hash_str)
                print(off)
                run_hashcat(hash_str, ['-s', str(off)])
                crack = cracks(hash_str)
                if crack:
                    f1.write(crack + '\n')
                else:
                    print('Exhausted')
        os.remove(hash_str[:8] + '.txt')


if __name__ == '__main__':
    main()
#5
When using masks, hashcat uses the same sequence of passwords every time.

I haven't read your script thoroughly, but how does the script teach hashcat that it shouldn't just stop at the first one it finds every time? Just disabling the potfile would not be sufficient, I think.

Are you successfully getting collisions with this wrapper?
~
#6
Ah, you're using the offset - nice!
~
#7
(09-11-2016, 04:39 PM)royce Wrote: Ah, you're using the offset - nice!

Yep, the script worked. I was able to get all the collisions. It uses the -s option. I'm calculating the offset by multiplying the progress % by the keyspace. This is done until the keyspace is exhausted.
#8
You can do what --keep-guessing is doing by adding OPTS_TYPE_PT_NEVERCRACK to the hashconfig->opts_type for mode 11500 in src/interface.c
#9
(09-12-2016, 12:22 AM)atom Wrote: You can do what --keep-guessing is doing by adding OPTS_TYPE_PT_NEVERCRACK to the hashconfig->opts_type for mode 11500 in src/interface.c

Adding an option would be nice for the future?
#10
If you want it added as an option, please open an issue on GitHub.
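
Added example, not code from the thread or from hashcat or John the Ripper: for any prefix, exactly one 4-byte tail produces a given CRC-32, so all collisions of a fixed length can be listed by enumerating only the prefix and solving for the last four bytes. The function names and `PRINTABLE` (assumed to match hashcat's `?a`) are this example's own, and it assumes the standard zlib CRC-32 with no salt.

```python
import zlib

POLY = 0xEDB88320                      # reflected CRC-32 polynomial used by zlib
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# Every table entry has a distinct top byte, so the top byte identifies the entry.
TOP = {t >> 24: i for i, t in enumerate(TABLE)}
PRINTABLE = bytes(range(0x20, 0x7F))   # 95 printable ASCII characters (assumed ?a)

def suffix_for(state, want):
    """Return the unique 4 bytes that move the CRC register from state to want."""
    idx, x = [], want
    for _ in range(4):                 # walk backwards from the final register
        i = TOP[x >> 24]
        idx.append(i)
        x = ((x ^ TABLE[i]) << 8) & 0xFFFFFFFF
    out = bytearray()
    for i in reversed(idx):            # replay forwards from the known register
        out.append((state ^ i) & 0xFF)
        state = (state >> 8) ^ TABLE[i]
    return bytes(out)

def collisions(target, length, charset=PRINTABLE):
    """All byte strings of this length over charset whose CRC-32 equals target."""
    if length < 4:
        raise ValueError("the last 4 bytes are solved for, so length must be >= 4")
    allowed, found = set(charset), []

    def walk(prefix):
        if len(prefix) < length - 4:   # still enumerating the free prefix bytes
            for ch in charset:
                walk(prefix + bytes([ch]))
            return
        tail = suffix_for(zlib.crc32(prefix) ^ 0xFFFFFFFF, target ^ 0xFFFFFFFF)
        if allowed.issuperset(tail):   # keep it only if the forced tail is in charset
            found.append(prefix + tail)

    walk(b"")
    return found

if __name__ == "__main__":
    target = zlib.crc32(b"B6In")       # constructed sample: a string from the thread
    for n in (4, 5, 6):
        print(n, collisions(target, n))
```

A 5-character search costs 95 CRC evaluations instead of 95^5, which is why CRC-32 offers no collision or preimage resistance and should not be relied on where an adversary chooses the input.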