Using newline character as part of mask attack

[ajaxdecbe]

I have a MD5 hash which is computed as follows.

hash = md5(username\npassword);

As you see there is a new line character (\n) between the username and password. I know the user name and trying to recover the password. Here is the hashcat syntax I am trying with a known username and known three character password without success. 

.\hashcat64 -a 3 -m 0 --hex-charset -1  0a hash.txt username?1?a?a?a -O

What am I doing wrong here?

[philsmd]

if you use --hex-charset every character you specify must be specified in hexadecimal.
Therefore you must use:

Code:

hashcat64 -a 3 -m 0 -O --hex-charset -1 0a hash.txt 757365726e616d65?1?a?a?a

or (a little shorter):

Code:

hashcat64 -a 3 -m 0 -O --hex-charset hash.txt 757365726e616d650a?a?a?a

i.e. also the chars "u", "s", "e", "r", "n", "a", "m", "e", must be converted to 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d and 0x65 respectively.

Furthermore, you also need to consider that for some operating system a new line is \r\n instead of just \n.

BTW: you are probably using the wrong hash mode altogether: if you want to attack a salted hash, you should use the corresponding hash mode, see: https://hashcat.net/wiki/example_hashes.

For instance for md5 ($salt . $pass) where the salt is your "username\n" substring, you should use -m 20 = md5($salt.$pass)

also note: that there is also a --hex-salt option, therefore you can also add the \n within the hash file very easily.

[royce]

[heh, yeah - what philsmd said. ]
Are you getting an error, by any chance?

I think if you use --hex-charset, hashcat expects the other literals in the mask to either also be hex or else to be mask chars. Otherwise, you get:

Code:

Invalid hex character detected in mask user?1pass

So this works (-3 used to visually more easily distinguish between ?l and the custom mask):

Code:

$ echo -n '757365720a70617373' | xxd -p -r
user
pass[no newline]
$ echo -n '757365720a70617373' | xxd -p -r |  md5sum
c67110f0e2285e0c7fe4e540006f1691  -

$ hashcat --quiet -a 3 -m 0 --hex-charset -3 0a c67110f0e2285e0c7fe4e540006f1691 '?1?1?1?1?3?1?1?1?1'

c67110f0e2285e0c7fe4e540006f1691:$HEX[757365720a70617373]

And this works:

Code:

hashcat --quiet --potfile-path=/dev/null -a 3 -m 0 --hex-charset -1 0a c67110f0e2285e0c7fe4e540006f1691 '75736572?170617373'
c67110f0e2285e0c7fe4e540006f1691:$HEX[757365720a70617373]

[ajaxdecbe]

@royce & @philsmd

Thanks for your help. I was able to validate known password/hash matches with the below syntax. Trying now for the passwords that I don't know.

hashcat64 -a 3 -m 0 -O --hex-charset -1 0a hash.txt 757365726e616d65?1?a?a?a


What is the advantage of using m 20 instead of m 0?

If I were to use m 20, is the below syntax correct?

hashcat64 -a 3 -m 20 -O --hex-salt hash.txt ?a?a?a

where hash.txt will contain c67110f0e2285e0c7fe4e540006f1691:757365720a706173730a

[ajaxdecbe]

Guys, following up on this thread on my previous question. Can someone would be kind enough to tell the difference between -m 0 and -m 20 in a mask attack?

[royce]

Regardless of attack, -m 0 is unsalted and -m 20 is salted. If this concept isn't familiar, search a bit for "password" and "salting".

[DanielG]

What is the advantage of using m 20 instead of m 0?

I also read in another post (trying to find it at the moment) that -m 20 has some optimisations making it slightly faster than using -m 0 with your own prefix.

[ajaxdecbe]

Regardless of attack, -m 0 is unsalted and -m 20 is salted. If this concept isn't familiar, search a bit for "password" and "salting".

Thanks. @royce.

I am quite aware of what it salting is and its impact it has on passwords with the randomness it introduces. I assume you are implying -m 20 has built in optimizations for better performance. The place where I am looking for help in getting the syntax right while using -m 20. Can you provide an example?

[undeath]

yes, performance is better with m20 if you have a static prefix.

hash format is usually

Code:

hexhash:salt

[ajaxdecbe]

yes, performance is better with m20 if you have a static prefix.

hash format is usually

Code:

hexhash:salt

hashcat64 -a 3 -m 20 -O --hex-salt hash.txt ?a?a?a


where hash.txt was in the form of hashalt. Salt was given in pure hex. But this was exhuasting for a known set of password/hash/salt pairs.

Am I missing something here?