Combining a custom hex charset with the standard charsets
#1
Hi,

I am trying to learn how to crack hashes of words containing the Swedish characters "åäöÅÄÖ". Using this forum I have found most pieces of the puzzle. I have successfully worked myself up from cracking a single Swedish character using a custom hex charset to cracking the word/name "Älvsjö" which contains regular letters combined with two Swedish characters in known positions. The problem is that I so far have not been able to figure out how to crack the same word/name "Älvsjö" when I pretend that the positions and numbers of the Swedish characters are unknown.

I learned how to create the custom hex charset from another post here. I started with getting the hex values using this tool. They are:

å = c3a5 
ä = c3a4 
ö = c3b6 
Å = c385 
Ä = c384 
Ö = c396

From that I conclude that the custom hex charset I need is "-1 c3 -2 a5a4b6858496".

I also hashed "Älvsjö" using the this MD5 tool and the output is "3454a37f3585a38f2816c1fd4247f2b0".

So, in the scenario where I know the positions of the two Swedish characters the Hashcat command becomes "hashcat64.exe 3454a37f3585a38f2816c1fd4247f2b0 -m 0 --hex-charset -1 c3 -2 a5a4b6858496 -a 3 ?1?2?a?a?a?a?1?2 -O". This works. 

To the problem. To crack the same MD5 hash "3454a37f3585a38f2816c1fd4247f2b0" pretending to not know how many Swedish characters and the positions of them I somehow need to test both the custom hex charset and the standard charset "?a" for every position in the assumed length of the hashed word. I need to nestle the charsets or similar...

What am I doing wrong? How would the mask look? If I need to change the custom hex charset, to what do I change it too? Is there a better approach to this? 

I am using Hashcat version 5.1.0.

Thanks for your help!
Reply
#2
You have to use a list of masks that represent all possible character positions in the target. This is of course not ideal; if hashcat had support for multibyte characters, all of these workarounds wouldn't be necessary. But adding such support is ... non-trivial.
~
Reply
#3
(01-31-2019, 06:27 PM)royce Wrote: You have to use a list of masks that represent all possible character positions in the target. This is of course not ideal; if hashcat had support for multibyte characters, all of these workarounds wouldn't be necessary. But adding such support is ... non-trivial.

Thanks. 

Reading up on this I think the format in the mask file in this case would be as below. This does not cause errors in Hashcat but it also does not configure Hashcat to treat the custom charsets as hex. Not surprisingly, the hash is not cracked.

When creating the mask file I formatted it to crack the letters "åb" which corresponds to the MD5 hash "41eae93b64181adaf6b3737efc9627e7".

?a
c3,a5a4b6858496,?1?2
c3,a5a4b6858496,?a?1?2
c3,a5a4b6858496,?1?2?a

In order to try to include the flag "--hex-charset" I tried the command "hashcat64.exe 41eae93b64181adaf6b3737efc9627e7 -m 0 -a 3 --hex-charset maskfile.hcmask" which actually worked. 

Is this the correct way to do this? Also, how come Hashcat knows which charset in the mask file to treat as hex when the flag "--hex-charset" is set on "global" level and not per required line in the mask file?
Reply
#4
My favorite way to brute-force using a non-english charset is using a pipe. It therefore works only for slow hashes! If you want to BF in utf8 as described above you can do:

1. Make a charset file including the special character
2. Save it as ISO-8859-x (depending on your language)
3. Verify the encoding as ISO using the "file" command (on linux)

Quote:hashcat -a 3 -1 charsetfile.iso ?1?1?1?1?1 --stdout | hashcat -m 2500 handshake.hccapx --encoding-from iso-8859-x --encoding-to utf-8
Reply
#5
Ooh, that's brilliant!
~
Reply