Parsing a Potfile
#1
I've a potfile containing a large number of successfully cracked hashes of various types from several months of multiple users' work.

Is there a way of extracting either the hash or the plain from the potfile using hashcat without needing the original hashlist? --show obviously requires the original hashlist to perform the job.

Or does anyone have a potfile parser suggestion?
#2
just open the file in a text editor? The format is just hash:plain.

Just did it on a Hashcat v4.2.1 I have locally:

Code:
> cat .hashcat/hashcat.potfile
d0763edaa9d9bd2a9516280e9044d885:monkey

Left is the MD5 hash to crack, right is the plain.
#3
OP is looking for ways to do this in bulk, not one at a time.

I'm not aware of a generic tool for slicing and dicing potfiles. I think most people roll their own. But there are enough interesting angles to it that making a generic tool might be useful.

On Unixlikes, 'cut' can be used, with ':' as the separator - but depending on how old the potfile is, some passwords that contain ':' may be in there that are not HEX-encoded. So asking for all fields after the first field:

Code:
cut -d\: -f2- hashcat.potfile

... will get you the plains, and asking for just the first field:

Code:
cut -d\: -f1 hashcat.potfile

... will get you the hashes.

I'm not clear if you're looking to separate hashes out by type or not. I'm not aware of a clean way to do this, other than by recracking each set and sifting them. MDXfind prepends each hash with its hash type, and its accompanying tool mdsplit separates the resulting hashes out by hash type. But there is only partial overlap between the hash types supported by the two tools.

You may also want to convert the HEX-encoded passwords. See undeath's Perl script here to do that:

https://hashcat.net/forum/thread-3522.html
~
#4
(12-11-2018, 03:23 PM)DanielG Wrote: just open the file in a text editor? The format is just hash:plain.

Just did it on a Hashcat v4.2.1 I have locally:

Code:
> cat .hashcat/hashcat.potfile
d0763edaa9d9bd2a9516280e9044d885:monkey

Left is the MD5 hash to crack, right is the plain.

Unfortunately what you suggest isn't sufficient... As royce says below, I'm trying to do this with a large text file collected over a long period of time. Plus...

(12-11-2018, 05:55 PM)royce Wrote: On Unixlikes, 'cut' can be used, with ':' as the separator - but depending on how old the potfile is, some passwords that contain ':' may be in there that are not HEX-encoded. So asking for all fields after the first field:

Code:
cut -d\: -f2- hashcat.potfile

... will get you the plains, and asking for just the first field:

Code:
cut -d\: -f1 hashcat.potfile

... will get you the hashes.

Unfortunately neither will cut do the job.

Mainly because the hash contains ':' in some cases.

E.g. NetNTLMv2 and v1 are the most common offenders in my list.

So cut -d":" -f2- nets me mostly hash with a plain appended to the end.

I'm having a bash at regexing out some hash types in Python at the moment, or at least that's how I'm going about it; was wondering if there was a tool I had missed in my googling.

Grabbing hashes out by type would be nice, but only a nicety. If a quicker "just plains" "just hashes" method existed I would be happy with that for now.

P.S. Thanks Royce for that Perl script to decode the hex passwords! That was my next challenge, so I appreciate the heads up.
#5
You'll probably have to invent something, then, based on principles like:

* If a hash:plain pair has more than one colon and isn't HEX-encoded, separate it out into its own file, then use a 'rev | cut | rev' pipeline to extract the plains
* For all other hash:plain pairs where the hash is of fixed length, separate them out by length of hash, and extract the plains
* Recrack them all with mdxfind, then use mdsplit to pull out the ones that are verified
* Figure out how to process the remainder
~
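The principles listed in post #5, as an added example that is not part of the original thread or any poster's code: a small Python parser that splits each line at the last colon, decodes `$HEX[...]` plains, flags multi-colon lines whose plain is not HEX-encoded for manual review, and counts single-field hashes by length. The function names are hypothetical, and the sample lines are constructed (only the first comes from the thread).

```python
import re
from collections import Counter

# hashcat's notation for hex-encoded plains: $HEX[<hex bytes>]
HEX_PLAIN = re.compile(r"^\$HEX\[((?:[0-9a-fA-F]{2})*)\]$")

def decode_plain(plain):
    """Decode $HEX[...] notation; return any other plain unchanged."""
    m = HEX_PLAIN.match(plain)
    if not m:
        return plain
    # Bytes that are not valid UTF-8 are replaced rather than raising.
    return bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")

def split_pot_line(line):
    """Return (hash, plain, ambiguous) for one potfile line, or None."""
    line = line.rstrip("\r\n")
    hash_part, sep, plain = line.rpartition(":")  # split at the LAST colon
    if not sep or not hash_part:
        return None  # not a hash:plain pair
    # Several colons plus a raw plain: an old potfile may hold a plain that
    # itself contains ':', so the split point cannot be trusted blindly.
    ambiguous = ":" in hash_part and not HEX_PLAIN.match(plain)
    return hash_part, decode_plain(plain), ambiguous

def parse_potfile(lines):
    """Parse all lines; also count single-field hashes by length."""
    entries = [e for e in map(split_pot_line, lines) if e is not None]
    by_len = Counter(len(h) for h, _, _ in entries if ":" not in h)
    return entries, by_len

# Constructed sample lines (the first is the one quoted in the thread; the
# other hash values are made up and are not real hashes).
SAMPLE = [
    "d0763edaa9d9bd2a9516280e9044d885:monkey",
    "0123456789abcdef0123456789abcdef:$HEX[70613a7373]",
    "ALICE::LAB:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000:Winter2018",
    "",
]

if __name__ == "__main__":
    entries, by_len = parse_potfile(SAMPLE)
    for h, p, amb in entries:
        print(("REVIEW " if amb else "OK     ") + repr(p) + "  <-  " + h)
    print("hash lengths:", dict(by_len))
```

Lines flagged for review are the ones the first bullet says to set aside: splitting at the last colon is right for them only if the plain itself contains no `:`.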
#6
?

$ cat hashcat.potfile | sed 's/[^:]*://'