To crack passwords with Russian symbols
#1
Hello. Help me, please. I have read a lot of to topics into this forum, but I can't understand how to crack passwords with Russian symbols.
For instance, I have the test NTLM hash from the SAM file. The password is "2ц". How can I make a hashcat to crack a password?
I tried on this way "hashcat -a 3 -m 1000 e:\testvmhash.txt -1 charsets/standard/Russian/ru_cp1251.hcchr ?1?1", but it's doesn't work.

Thanks in advance.
Reply
#2
This is a limitation of hashcat's UTF16-based kernels. See https://github.com/hashcat/hashcat/issues/2121

In the case of NTLM you can work around it by using the MD4 kernel with forced UTF-16LE encoding. See --encoding-to and --encoding-from options.
Reply
#3
Ок. If I understood right my request should look as:
hashcat -a 3 -m 1000 e:\testvmhash.txt -1 charsets/standard/Russian/ru_cp1251.hcchr ?d?1 --encoding-to=UTF-16LE
but it doesn't work anyway.
What kind charsets do I need choose i my case?
Reply
#4
You need to use the MD4 (900) hash mode, not NTLM (1000) in that case. And you probably need to specify the --encoding-from option.
Reply
#5
(11-27-2019, 03:42 PM)undeath Wrote: You need to use the MD4 (900) hash mode, not NTLM (1000) in that case. And you probably need to specify the --encoding-from option.
I tried it but it doesn't work also. What about charset? Maybe is the problem is in it?
I want to notice that hashcat does the operation so quickly even I'm putting a password 10 symbol length and use the above request. I think I do something wrong...
Reply
#6
your command should probably look like this:

hashcat -a 3 -m 900 e:\testvmhash.txt -1 charsets/standard/Russian/ru_cp1251.hcchr ?d?1 --encoding-to=utf16le --encoding-from=cp1251

If that doesn't work, what's hashcat's output?
Reply
#7
(11-27-2019, 04:34 PM)undeath Wrote: your command should probably look like this:

hashcat -a 3 -m 900 e:\testvmhash.txt -1 charsets/standard/Russian/ru_cp1251.hcchr ?d?1 --encoding-to=utf16le --encoding-from=cp1251

If that doesn't work, what's hashcat's output?

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: MD4
Hash.Target......: 28d04ccdb00e22ee19dca313722571e9
Time.Started.....: Wed Nov 27 16:43:48 2019 (0 secs)
Time.Estimated...: Wed Nov 27 16:43:48 2019 (0 secs)
Guess.Mask.......: ?1?d [2]
Guess.Charset....: -1 charsets/standard/Russian/ru_cp1251.hcchr, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1062.5 kH/s (0.06ms) @ Accel:64 Loops:67 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 670/670 (100.00%)
Rejected.........: 0/670 (0.00%)
Restore.Point....: 10/10 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-67 Iteration:0-67
Candidates.#1....: $HEX[e032] -> $HEX[ff37]
Hardware.Mon.#1..: Temp: 38c Fan:  0% Util:  1% Core:1657MHz Mem:4513MHz Bus:16

Started: Wed Nov 27 16:43:44 2019
Stopped: Wed Nov 27 16:43:49 2019

I would like to specify I mean it work but I can't get right result.
Reply
#8
I'm pretty sure the --encoding-from and --encoding-to only works correctly with -a 0, i.e. only works with dictionary attacks.

The solution for this problem is quite easy, but also not perfectly ideal... the problem is that every 2nd byte could be a 00 byte, but it won't be a 00 byte if a multi-byte characters is used (yeah, that's confusing and encoding is challenging !!!).

This works with -a 3
Code:
echo -e "\x32\xd1\x86" > pass.txt
./hashcat --stdout pass.txt --encoding-to utf16le > chars.txt
cat chars.txt | ./tools/test.pl passthrough 900 > hash.txt
./hashcat -m 900 -a 3 -1 chars.txt hash.txt --increment ?1?1?1?1?1?1

result is (hash masked as per forum rules):
13edXXXe66580c90XXXXfad6b0XXX7fb:$HEX[32004604]


There are some caveats here... you should be aware that all tools here have some limitations... let's start from the .hcchr file.. it cannot really deal with the new line character 0a, but you can use --hex-charset for that... test.pl also doesn't assume 0a in the input , it's a newline for it... and also for hashcat itself it would be more "safe" to use the $HEX[] notation, just to be 100% sure the right input is applied (when dealing with some strange encodings it's always difficult to exactly be sure beforehand which chars are in the input/output)

btw 32d186 is the hex converted and UTF-8 encoded 2ц password, which is 32004604 in utf16le (note the missing 00 after the 46, that's why -m 1000 fails, but it's a known limitation)
Reply
#9
Thanks for the correction, philsmd!

In that case it's probably easiest to use stdin for the attack, like this:

Code:
hashcat --stdout -a3 -1 charsets/standard/Russian/ru_cp1251.hcchr '?1?d'| hashcat -m900 28d04ccdb00e22ee19dca313722571e9 --encoding-to=utf16le --encoding-from=cp1251

But this will greatly limit the cracking speed compared to "normal" attacks, especially for a fast hash mode like md4.
Reply