Problem with Hashcat and mscash2
#1
hi folks and thanks for letting me be part of the forum


i am trying to use hashcat on windows 8.1 x64
for penetration testing in the company where i am one of the sysadmins i have extracted a domain cached credential and my file is in this format (one per line)

user:hash:domainname:domainshortcut(i don't know what this field is):::

i am using the hashcat gui from hashkiller.co.uk
after i load the file and set up everything it is generating me this command:

hashcat64.exe -a 0 -m 2100 --session=all -p : --status --status-timer=60 -o "mycashfile.txt_found2100.txt" --outfile-format=3 -w 2 --gpu-temp-abort=80 "mycashfile.txt" "rockyou.txt"


when i run this command i get this error:

WARNING: Hashfile 'mycashfile.txt' on line 1 (user:hash:domainname:domainshortcut:::): Line-length exception
WARNING: Hashfile 'mycashfile.txt' on line 2 (user:hash:domainname:domainshortcut:::): Line-length exception
WARNING: Hashfile 'mycashfile.txt' on line 3 (user:hash:domainname:domainshortcut:::): Line-length exception
WARNING: Hashfile 'mycashfile.txt' on line 4 (user:hash:domainname:domainshortcut:::): Line-length exception
Parsed Hashes: 4/4 (100.00%)

ERROR: No hashes loaded

i have tried format mscash and mscash2

i have also tried using JTR with mscash2 and there it's parsing the hashes so they are ok. i guess there is an error in my syntax.


any help would be appreciated
#2
Here's an example -m 2100 hash:

$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f
#3
thanks for the tip.
so far here is where i am:

since it's a test i know one of the passwords so i have put it in my wordlist around line 2000
to verify if it will actually work.

i made 2 test files:

file1 is containing the hash as i had it already in this format:
user:hash:domain:domain-short:::

in file2 i used the test hash you gave me and exchanged username and hash with the known one from file1
$DCC2$10241#username#hash
my hash and your testhash have the same length

on my following tests with JTR and hashcat i used format mscash2 on all tests

JTR and file1: process is starting and after a moment it's successfully showing me the password
JTR and file2: process is starting but no password is found

hashcat and file1: process is starting but no password is found
hashcat and file2: same error as in 1st post for sure


seems like hashcat and JTR have a different understanding of the format mscash2??

so the question is how can i dump DCC in the format hashcat needs?

i dumped the hashes i use now with the secretdump.py from here https://github.com/CoreSecurity/impacket

then i also tried the cachedump in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux
http://tools.The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali).org/password-attacks/creddump
but there i get an error which seems to be a known bug
https://github.com/moyix/creddump/issues/5


so how can i dump the DCC in the format needed by hashcat?

thanks so much in advance already
#4
Why 10241? If you use 10241 it will not work. Both JtR and hashcat use the $DCC2$ format.
#5
because the example you gave me was
$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f 
and so i exchanged just user and hash and let the rest as it was.
what is the 10240 anyway?
even if i tried it like that
$DCC2$#user#hash
or also
$DCC2$user#hash
it did not work

edit: now i see what you mean. i changed it back to 10240 but still same error
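
Added example, not part of the thread and not code from hashcat, JtR or impacket: a small Python check that tells the two line layouts discussed above apart (the colon-separated layout from post #1 and the $DCC2$ layout from post #2) and rewrites the first into the second. The function names, the sample domain names and the assumption that the second colon field is always 32 hex digits are made up for illustration; the iteration value 10240 is simply the one in the example from post #2.

```python
import re

# Shape of the -m 2100 example in post #2: $DCC2$<iterations>#<user>#<32 hex digits>
DCC2_LINE = re.compile(r"^\$DCC2\$(\d+)#([^#]+)#([0-9a-fA-F]{32})$")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
ITERATIONS = 10240  # value taken from the example in post #2


def classify(line):
    """Return (layout, user, hash_hex, iterations) for one line of a hash file."""
    line = line.lstrip("\ufeff").strip()  # drop a leading BOM and trailing CR/LF
    m = DCC2_LINE.match(line)
    if m:
        return ("dcc2", m.group(2), m.group(3).lower(), int(m.group(1)))
    fields = line.split(":")
    # Layout from post #1: user:hash:domainname:domainshortcut:::
    if len(fields) >= 4 and fields[0] and HEX32.match(fields[1]):
        return ("colon", fields[0], fields[1].lower(), None)
    return ("unknown", None, None, None)


def to_dcc2(line, iterations=ITERATIONS):
    """Rewrite a line into the layout of post #2; return None if unrecognised."""
    layout, user, hash_hex, found = classify(line)
    if layout == "unknown":
        return None
    # An iteration count already present in the line is kept, not overwritten.
    return "$DCC2$%d#%s#%s" % (found or iterations, user, hash_hex)


# Constructed sample lines; the hash is the one from the example in post #2.
SAMPLE = [
    "tom:e4e938d12fe5974dc42a90120bd9c90f:EXAMPLE.LOCAL:EXAMPLE:::",
    "$DCC2$10241#tom#e4e938d12fe5974dc42a90120bd9c90f",
    "$DCC2$#tom#e4e938d12fe5974dc42a90120bd9c90f",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        layout, user, hash_hex, found = classify(raw)
        print(layout, found, "->", to_dcc2(raw))
```

The second sample line is reported with iterations 10241, the value post #4 points at, and the third (no iteration field at all) is reported as unknown.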