Encoding problem?
#1
Hi guys, maybe you can help me.

I'm playing with NTLM hashes and I got some unexpected results. I created a file with the hashes below (I generated them in Windows, then extracted them with mimikatz).

ce4f24280e84005c7fe6321d5ad17740
f82df3f90fb55ce458b582489e4c264c
807b2aeaebc79738fca58b366e4b5a7c

I generated a dictionary with the following words (they are the solutions for each hash, respectively). *The Unix command "file" indicates that the wordlist file is in "UTF-8" format.

š
č
ň

The hex values for each letter, respectively, are:
c5a1
c48d
c588

Then I tried the following commands without success.

hashcat -a 3 -m 1000 /tmp/my.hashes ?b?b
hashcat -a 3 -m 1000 /tmp/my.hashes --hex-charset c5a1 [tried with each of the different hex codes]

Then I tried John the Ripper with the following command, and it works.

./john --format=nt --wordlist=/tmp//test.wordlist /tmp/my.hashes
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Remaining 1 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidates left, minimum 24 needed for performance.
š (?)
1g 0:00:00:00 DONE (2019-06-10 23:15) 33.33g/s 100.0p/s 100.0c/s 200.0C/s š..ň


What do I have to add to my command?
Thanks!
#2
Known limitation of the utf16le conversion in the kernel, use this:

Code:
hashcat -m 900 --encoding-to utf16le /tmp/my.hashes /tmp//test.wordlist
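Editor's note, with an added example that is not from either poster: the reason the two tools disagree is that NTLM is MD4 over the UTF-16LE encoding of the password, while the wordlist (and the --hex-charset bytes) are UTF-8. "š" is c5a1 in UTF-8 but 6101 in UTF-16LE, so a cracker has to transcode before hashing; the -m 900 plus --encoding-to utf16le workaround in #2 does exactly that on the host and then runs plain MD4. The script below reproduces both sides of that with a self-contained MD4 (so it does not rely on hashlib.new("md4"), which OpenSSL 3 builds often disable). The function names, the three hashes and candidates (copied from post #1), and the kernel_widen() model of the in-kernel byte-to-UTF-16 widening are all assumptions made for this example, not hashcat's or john's own code.

```python
"""NTLM = MD4(UTF-16LE(password)): why UTF-8 wordlist bytes must be transcoded.

Example added by the editor; the hashes/candidates are copied from the post,
everything else (function names, the kernel_widen model) is an assumption.
"""
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):  # RFC 1320 round-1 function
    return (x & y) | (~x & z)


def _g(x, y, z):  # round-2 function (majority)
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):  # round-3 function (parity)
    return x ^ y ^ z


# Round table: (function, additive constant, per-step shifts, message-word order)
_ROUNDS = (
    (_f, 0x00000000, (3, 7, 11, 19), list(range(16))),
    (_g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, shifts, order in _ROUNDS:
            for i, idx in enumerate(order):
                a = _lrot((a + func(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: [ABCD] -> [DABC] -> ...
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def ntlm_hex(password: str) -> str:
    """NTLM hash: MD4 over the UTF-16LE bytes of the password."""
    return md4(password.encode("utf-16-le")).hex()


def byte_views(word: str) -> dict:
    """What the UTF-8 wordlist holds vs. what NTLM actually hashes."""
    return {"utf8": word.encode("utf-8").hex(),
            "utf16le": word.encode("utf-16-le").hex()}


def kernel_widen(candidate: bytes) -> bytes:
    """Assumed model of a byte-oriented UTF-16LE widening: every input byte
    becomes <byte, 0x00>. Correct for ASCII, wrong for multibyte UTF-8."""
    return bytes(v for ch in candidate for v in (ch, 0))


# Constructed from post #1: the three hashes and their claimed plaintexts.
HASHES = ["ce4f24280e84005c7fe6321d5ad17740",
          "f82df3f90fb55ce458b582489e4c264c",
          "807b2aeaebc79738fca58b366e4b5a7c"]
WORDS = ["š", "č", "ň"]


def crack(hashes, words) -> dict:
    """Dictionary attack with proper transcoding: hash -> matching word or None."""
    table = {ntlm_hex(w): w for w in words}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    for w in WORDS:
        views = byte_views(w)
        widened = md4(kernel_widen(w.encode("utf-8"))).hex()
        print(f"{w}: utf8={views['utf8']} utf16le={views['utf16le']} "
              f"ntlm={ntlm_hex(w)} widened-utf8-md4={widened}")
    print(crack(HASHES, WORDS))
```

Running it prints, for each letter, the UTF-8 bytes the OP put on the --hex-charset, the UTF-16LE bytes NTLM really consumes, and the two MD4 results, which differ; crack() then reports which of the three posted hashes each properly transcoded candidate matches. The same logic is what -m 900 with --encoding-to utf16le does at the command line.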