Dictionary character limit?
#1
Hey all,
Was just wondering if hashcat has an input/dictionary character limit?  

My dictionary only contains one line - a string that is 536 chars long, and I am trying to run the hybrid+mask attack (a6).  I've tried everything I can think of, but when I run it I get this result:

> hashcat64 -m 100 -a 6 hashtarget string ?a?a?a?a

results in:

Dictionary cache built:
* Filename..: string
* Passwords.: 1
* Bytes.....: 537
* Keyspace..: 0
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: SHA1
Hash.Target......: d490335ecf40a4d2602d0910f40371f5d56e472b
Time.Started.....: Sat Oct 28 17:19:16 2017 (0 secs)
Time.Estimated...: Sat Oct 28 17:19:16 2017 (0 secs)
Guess.Base.......: File (string), Left Side
Guess.Mod........: Mask (?a?a?a?a) [4], Right Side
Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 1/1 (100.00%)
Speed.Dev.#2.....:        0 H/s (0.00ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Candidates.#2....: [Copying]
HWMon.Dev.#2.....: Temp: 62c Fan: 24% Util: 54% Core:1265MHz Mem:3505MHz Bus:16

--- So it says it's loading (string) on the left side, and doing a mask on the right side, but nothing happens...

Appreciate any help or guidance you can give!
-Cheers.
#2
Please update to hashcat v4.0.0, then you will see the reason.
#3
Hey Atom, thanks for the quick response!

Hmm, I still can't see what I'm doing wrong. 
There was a warning about timeouts, so I disabled that, and a notice about unoptimized OpenCL kernels selected, but appending -O didn't change anything.

I'm stuck!
#4
There is one string that is 536 characters long in your dictionary? Means: only one word in your dictionary? And the password is 536+ characters long? Correct?
#5
Yes that is correct.

Maybe I'm not thinking about this correctly. What I am trying to do is combine a string (left side) and a mask (right side) to create a "hybrid" combination of words which should be SHA1 encrypted and compared to the hashtarget, like this:
string+aaaaa
string+aaaab
string+aaaac
etc.


Is this not the correct way of doing it?
> hashcat64.exe -m 100 -a 6 hashtarget string ?a?a?a?a?a



Appreciate your help guys!
#6
Ok, first of all: hashcat cannot process passwords of that length. The limit has been raised with ver. 4.0 to 256 characters.

So let me get this straight again: You are looking for a password of a length of 541 characters and you have the first 536 characters. Just the last 5 are gone.

May I ask from which situation this occurs?
#7
Rats, I was hoping to leverage my GPU to make this easier, haha! Understandable as this case is fairly specific.

The situation often occurs in web development.  Specifically - protecting a set of variables which are present as plain-text in the URL field of the browser.

Example URL:
https://mysite.com/purchase/?item=25&price=50.00&hashvalue=56722d7e851770c6661770c8a64a88ee6b864a8f

Normally a user would be able to manipulate the URL variables, but the addition of a hashvalue which is calculated by taking the URL variables and appending a secret-key (which is then SHA1 encrypted) prevents a user from tampering with them.  The server-side script runs the same operation to compare if the hashvalue(s) match.  If they don't - it means that a variable was changed in the URL so an error message is thrown.

In the above example I used the secret-key: mySecret
So hashvalue = encrypt_with_SHA1(?item=25&price=50.00mySecret)
>
56722d7e851770c6661770c8a64a88ee6b864a8f

As always, the secret-key (mySecret) is unknown to us, that's what I'm trying to find.

I have successfully tested this with a variable string < 256 chars.
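The URL-signing scheme described in post #7, as an added example (not code from the thread): the suffix-secret SHA1 tag next to an HMAC-SHA256 tag keyed with 32 random bytes, both checked server-side with a constant-time comparison. The function names, the `shop.example` host and the way `hashvalue` is parsed are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def sign_suffix_sha1(query, secret):
    """Scheme from post #7: hex SHA1 of the query string with the secret appended."""
    return hashlib.sha1((query + secret).encode()).hexdigest()

def sign_hmac(query, key):
    """Keyed alternative: HMAC-SHA256 over the query string (key is bytes)."""
    return hmac.new(key, query.encode(), hashlib.sha256).hexdigest()

def split_signed_url(url):
    """Split '...?a=1&b=2&hashvalue=TAG' into ('?a=1&b=2', 'TAG')."""
    _, _, query = url.partition("?")
    signed, sep, tag = query.rpartition("&hashvalue=")
    if not sep or not signed:
        raise ValueError("URL carries no hashvalue parameter")
    return "?" + signed, tag

def verify(url, signer, key):
    """Server-side check: recompute the tag and compare in constant time."""
    try:
        query, tag = split_signed_url(url)
    except ValueError:
        return False
    expected = signer(query, key)
    # Compare as bytes so a non-ASCII tag is rejected instead of raising.
    return hmac.compare_digest(expected.encode(), tag.lower().encode())

# Constructed sample data; query and secret mirror the example in post #7.
BASE = "https://shop.example/purchase/"
QUERY = "?item=25&price=50.00"
WEAK_SECRET = "mySecret"              # short, typed secret
STRONG_KEY = secrets.token_bytes(32)  # random 256-bit key, assumed server-held

def signed_url(signer, key, query=QUERY):
    """Build the URL the server would hand out for this query string."""
    return f"{BASE}{query}&hashvalue={signer(query, key)}"

if __name__ == "__main__":
    for signer, key in ((sign_suffix_sha1, WEAK_SECRET), (sign_hmac, STRONG_KEY)):
        good = signed_url(signer, key)
        tampered = good.replace("price=50.00", "price=0.01")
        print(signer.__name__, verify(good, signer, key), verify(tampered, signer, key))
```

Both variants reject a modified `price`; the difference is that the HMAC key is random bytes rather than a short string, so it is not something a wordlist or a five-character mask can enumerate.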
#8
(11-04-2017, 08:25 AM)knightwolf Wrote: Rats, I was hoping to leverage my GPU to make this easier, haha! Understandable as this case is fairly specific.

The situation often occurs in web development.  Specifically - protecting a set of variables which are present as plain-text in the URL field of the browser.

Example URL:
https://mysite.com/purchase/?item=25&price=50.00&hashvalue=56722d7e851770c6661770c8a64a88ee6b864a8f

Normally a user would be able to manipulate the URL variables, but the addition of a hashvalue which is calculated by taking the URL variables and appending a secret-key (which is then SHA1 encrypted) prevents a user from tampering with them.  The server-side script runs the same operation to compare if the hashvalue(s) match.  If they don't - it means that a variable was changed in the URL so an error message is thrown.

In the above example I used the secret-key: mySecret
So hashvalue = encrypt_with_SHA1(?item=25&price=50.00mySecret)
>
56722d7e851770c6661770c8a64a88ee6b864a8f

As always, the secret-key (mySecret) is unknown to us, that's what I'm trying to find.

I have successfully tested this with a variable string < 256 chars.

If you know what the secret is, couldn't you just create a file with it appended to the string, and use something to work out the hash, such as hashmyfiles?

Oops, just saw that you don't know the secret. You could potentially use something like:

echo -n string | sha1sum | awk '{print toupper($1)}'

and maybe test it against the hash you're after (where "string" is the string plus your generated secret). A quick bash script to cycle through the possibilities could do it if there's only five characters.
#9
(11-04-2017, 08:25 AM)knightwolf Wrote: So hashvalue = encrypt_with_SHA1(?item=25&price=50.00mySecret)
Please don't refer to hashing as "encryption". Those are two completely different things.

(11-06-2017, 01:11 AM)Tasselhoff Wrote: If you know what the secret is, couldn't you just create a file with it appended to the string, and use something to work out the hash
Of course you can, but he tries to find the secret.
#10
Quote:
(11-06-2017, 01:11 AM)Tasselhoff Wrote: If you know what the secret is, couldn't you just create a file with it appended to the string, and use something to work out the hash
Of course you can, but he tries to find the secret.

Yup, I edited. Depending on the character set used in the secret it could be a relatively quick operation to iterate through in bash. You could even break the set into separate scripts based on, say, the first character and run them in parallel. You wouldn't get the parallelism of a GPU, but the problem set is relatively small (e.g. 26^5 for lower case only, IIRC).