Running into issues with max mask length
#1
I have an MD5 hash I'm trying to crack, the password is 256 bytes long with 1-7 bytes in the range 0x00-0xFF, followed by a known salt, and the remainder of the 256 bytes is filled with null (0x00) bytes.


I have been trying to create a mask for this, but since I have to work with null bytes I'm forced to use --hex-charset. This means that my mask will require 2 characters for each byte, which puts the length of my masks at 512 characters each, and it seems Hashcat won't process any mask over 256 characters long.


Since the salt isn't a concern right now, I'll ignore it for now and use `da8e187436ef310167021504d28c9b68` as an example hash. That's 0x41 (ASCII letter a) followed by 255 0x00 bytes and hashed.

Code:
md5(b'A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')



My plan was to write a mask with the following structure (?2 refers to my custom charset, which is just 0x00)

Code:
?b?2?2?2?2?2?2?2......   (and so on for the full 256 bytes)
?b?b?2?2?2?2?2?2......
?b?b?b?2?2?2?2?2......
?b?b?b?b?2?2?2?2......
?b?b?b?b?b?2?2?2......
?b?b?b?b?b?b?2?2......
?b?b?b?b?b?b?b?2......

For the salted version I would just put the salt bytes after the ?b's.


This would work fine and shouldn't take long to run, but unfortunately since two characters are needed for each byte I'm hitting the 256 mask character limit when I still have 256 more padding characters ("?2"*128) to add.

Is there any other way to apply null padding in order to fill out the full 256 byte array, or maybe another way of writing this altogether?
#2
this attack works:
Code:
hashcat -m10 $(python -c 'print("da8e187436ef310167021504d28c9b68"+":"+"00"*255)') -a3 '?b' --hex-salt

although hashcat's mask parser should probably be patched to allow for corresponding masks
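The rewrite used in the reply above, generalised to the original question's 1-7 unknown bytes plus a known salt, as an added example that is not part of the original posts: the fixed tail (known salt, then null padding) becomes the hex salt for md5($pass.$salt), so only a short `?b` mask remains. The function names, the 4-byte sample salt and the sample prefix are made up for illustration; `recover` is a slow CPU reference check, not hashcat.

```python
import hashlib
from itertools import product

BLOCK_LEN = 256   # total padded buffer length described in the thread
MAX_PREFIX = 7    # unknown leading bytes: 1..7


def tail_for(prefix_len: int, known_salt: bytes) -> bytes:
    """Fixed part of the buffer: known salt, then 0x00 padding up to 256 bytes."""
    pad = BLOCK_LEN - prefix_len - len(known_salt)
    if pad < 0:
        raise ValueError("prefix + salt exceed the 256-byte buffer")
    return known_salt + b"\x00" * pad


def mode10_jobs(digest_hex: str, known_salt: bytes = b""):
    """One ('hash:hexsalt' line for --hex-salt, mask) pair per prefix length."""
    return [
        (f"{digest_hex}:{tail_for(n, known_salt).hex()}", "?b" * n)
        for n in range(1, MAX_PREFIX + 1)
    ]


def recover(line: str, prefix_len: int):
    """CPU reference of md5($pass.$salt); returns the prefix bytes or None."""
    digest_hex, salt_hex = line.split(":")
    salt = bytes.fromhex(salt_hex)
    for cand in product(range(256), repeat=prefix_len):
        prefix = bytes(cand)
        if hashlib.md5(prefix + salt).hexdigest() == digest_hex:
            return prefix
    return None


# Constructed sample: 2 unknown bytes (one of them 0x00), made-up salt, padding.
SAMPLE_SALT = b"salt"
SAMPLE_DIGEST = hashlib.md5(b"\x00\x41" + tail_for(2, SAMPLE_SALT)).hexdigest()
JOBS = mode10_jobs(SAMPLE_DIGEST, SAMPLE_SALT)

if __name__ == "__main__":
    for line, mask in JOBS:
        print(mask, len(line.split(":")[1]) // 2, "salt bytes")
    print(recover(JOBS[1][0], 2))   # the 2-byte job finds the prefix
```

Each job is a separate run, one per prefix length, since the padding length changes with the number of unknown bytes.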
#3
I honestly haven't tried this before, but instead of trying to load it all into a mask, you might also be able to just do a hybrid attack (mask + wordlist), where the wordlist is just one line with your remaining salt+padding in it (using --hex-wordlist). You'd have to do a separate attack for each byte length.
~
#4
There seems to be a bug with how hashcat processes hcmask files.

On the CLI this works:
Code:
hashcat -m0 da8e187436ef310167021504d28c9b68 -a3 "?b$(for x in $(seq 255) ; do echo -n 00; done)" --hex-charset

but when I do this:
Code:
echo "?b$(for x in $(seq 255) ; do echo -n 00; done)" > test.hcmask
hashcat -m0 da8e187436ef310167021504d28c9b68 -a3 test.hcmask --hex-charset

hashcat's status claims the mask is only 255 characters in total and fails to crack the hash. (as a side note, in the first example hashcat's status claims the mask is 511 characters long, lol)
#5
I should have mentioned that I'm running this on Windows, so it could be a platform-specific issue. I don't actually get any error messages; trying both inline and with a maskfile results in the process exhausting, but no results are added to the outfile, unlike when I use a mask <256 characters.

Thanks for the other suggestions, I'll try them out and get back to you.

Here's the output of the initial methods, using a mask file first and inline second. You will notice Guess.Mask gives slightly different info, one reports the length as 511 and the other cuts it off at 255.

Code:
.\hashcat64.exe --potfile-disable -m 0 da8e187436ef310167021504d28c9b68 -a 3 --hex-charset -o outfile.txt mask.hcmask
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1070, 2048/8192 MB allocatable, 15MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: MD5
Hash.Target......: da8e187436ef310167021504d28c9b68
Time.Started.....: Wed Oct 09 18:04:12 2019 (0 secs)
Time.Estimated...: Wed Oct 09 18:04:12 2019 (0 secs)
Guess.Mask.......: ?b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 [255]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  132.1 kH/s (0.23ms) @ Accel:256 Loops:64 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 256/256 (100.00%)
Rejected.........: 0/256 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:192-256 Iteration:0-64
Candidates.#1....: $HEX[8200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000] -> $HEX[ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000]
Hardware.Mon.#1..: Temp: 44c Fan:  0% Util: 38% Core:1506MHz Mem:3802MHz Bus:16

Started: Wed Oct 09 18:04:09 2019
Stopped: Wed Oct 09 18:04:13 2019

Code:
.\hashcat64.exe --potfile-disable -m 0 da8e187436ef310167021504d28c9b68 -a 3 --hex-charset -o outfile
.txt ?b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1070, 2048/8192 MB allocatable, 15MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: MD5
Hash.Target......: da8e187436ef310167021504d28c9b68
Time.Started.....: Wed Oct 09 18:01:37 2019 (0 secs)
Time.Estimated...: Wed Oct 09 18:01:37 2019 (0 secs)
Guess.Mask.......: ?b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 [511]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  198.0 kH/s (0.08ms) @ Accel:256 Loops:64 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 256/256 (100.00%)
Rejected.........: 0/256 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:192-256 Iteration:0-64
Candidates.#1....: $HEX[82000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000] -> $HEX[ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000]
Hardware.Mon.#1..: Temp: 44c Fan:  0% Util: 14% Core:1506MHz Mem:3802MHz Bus:16

Started: Wed Oct 09 18:01:34 2019
Stopped: Wed Oct 09 18:01:38 2019
PS F:\Downloads\hashcat-5.1.0>
#6
I couldn't seem to get the hybrid attack to work, maybe I was doing something wrong. The dict.txt file contained '00' * 510, which is all of the padding needed for this hash.
Code:
.\hashcat64.exe -m 0 -o outfile.txt --potfile-disable -a 7 da8e187436ef310167021504d28c9b68 ?b dict.txt --hex-wordlist --hex-charset

I added some invalid hex into the dictionary file to see what would happen, and strangely no errors were thrown despite having --hex-wordlist and --hex-charset, so perhaps it wasn't reading any of it as hex for some reason?


The python method worked perfectly, here's the Windows version for anyone coming to the thread in future.

Code:
.\hashcat64.exe -m 10 -o outfile.txt --potfile-disable $(python -c "print('da8e187436ef310167021504d28c9b68'+':'+'00'*255)") -a 3 "?b" --hex-salt

Thank you both for your help!
#7
this problem should be fixed with recent commits: https://github.com/hashcat/hashcat/commi...a52a1cb772

please test the beta at https://hashcat.net/beta/ and report back

Thanks for the detailed issue report