Incorrect results
#1
Hello, I hope somebody can help me out here cause im just really confused. I have a NTLM hash that I am trying to crack. Now I already know the answer to the hash so I generated a custom word list through cupp that gave me about 6000 options. I made sure the answer was in there and ran it through hashcat. Now it will say hash cracked but its not the correct answer, its about two words away from the correct answer in my word list. So i went ahead and created a much smaller list about 10 words and put the answer down at the bottom. I cleared the potfile and re ran my scan. It gave me the wrong result again this time with the first word in my word list.

Im at a loss here and not sure where to go, now thinking back on it I did the same thing with a wifi password it said it cracked it but when i tried to use the password it gave me i could not connect. Any help would be appreciated.
#2
I only once had this occur when trying to crack an 'empty' hash.
So for NTLM this is 31d6cfe0d16ae931b73c59d7e0c089c0, just checking in the unlikely case your hash is also 31d6cfe0d16ae931b73c59d7e0c089c0.
#3
(11-28-2018, 10:36 PM)DanielG Wrote: I only once had this occur when trying to crack an 'empty' hash.
So for NTLM this is 31d6cfe0d16ae931b73c59d7e0c089c0, just checking in the unlikely case your hash is also 31d6cfe0d16ae931b73c59d7e0c089c0.

No this is the hash im working with E4ADA99DEF7BEDB65A847384648358CA
#4
Please provide the exact command you ran and the files (wordlists) you used. What hardware are you using? What hashcat version are you using? Are you able to reproduce the problem with a different hash (eg the one from https://hashcat.net/wiki/doku.php?id=example_hashes)?
#5
sure. I tried the commands multiple ways, ill put down a few that i tried but all gave me same results. Also going off memory a bit here because I was doing this on a virtual box image of the most up to date version of The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux.
hashcat -m 1000 -a 1 --force E4ADA99DEF7BEDB65A847384648358CA '/Desktop/cupp/padawans.txt'
Here i just used the hash directly. Next time i tried it in a saved file


hashcat -m 1000 -a 1 --force 'root/Desktop/hashpadawan' '/root/Desktop/cupp/padawans.txt'
then it said cracked so i ran 
hashcat -m 1000 -a 1 --force 'root/Desktop/hashpadawan' '/root/Desktop/cupp/padawans.txt' --show
Here is where it really started..it told me for the first time that it was cracked and it was 2 words away in my wordlist.

Now i cleared the potfile and tried again with a much smaller wordlist

hashcat -m 1000 -a 1 --force 'root/Desktop/hashpadawan' '/root/Desktop/smallword'
hashcat -m 1000 -a 1 --force 'root/Desktop/hashpadawan' '/root/Desktop/smallword' --show

Now it said cracked again but this time used the first word in my smaller wordlist and was different from the first word from my first word list.

My version number is v4.2.1
No i have not tried the hash that is on the website, may have to try it out tomorrow. All i did to ensure that it was indeed incorrect results was going to an online NTLM hash generator inserting my known answer and verifying that this is indeed the hash, then i would take what hashcat was saying was the correct hash and getting something completely different.

I was trying to crack a different hash before all this but it was an LM hash, I again had the answer before i started and even though the word was in my wordlist it would not crack it. I gave up on that one then got stuck on the one we are currently discussing. Thanks for the assistance, i hope we can figure it out, prob user error.
#6
with version 5 I get
e4ada99def7bedb65a847384648358ca P@d@w@n5
#7
why are you using --force? Did you read the associated warning?
#8
(11-29-2018, 12:28 AM)3Pi0 Wrote: with version 5 I get
e4ada99def7bedb65a847384648358ca P@d@w@n5

was this using the same commands I used? If so thats great!
#9
(11-29-2018, 01:22 AM)undeath Wrote: why are you using --force? Did you read the associated warning?

I used -- force because i always get this error. 
Not a native Intel OpenCL runtime. Expect massive speed loss.
You can use --force to override, but do not report related errors.

Ya i guess its prob user error here i guess this may cause my issue. Any help then on what i can do to run it without -- force and get rid of this error?
#10
don't run inside a vm and install the appropriate opencl runtime for your device.