04-08-2020, 12:42 AM
Hello,
Running on bash version 4.4.20, when i run:
hashcat -m 16500 hashes.txt <(cat wordlist)
I get:
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: JWT (JSON Web Token)
Hash.Target......: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY2MiOiI2MT...ygih0E
Time.Started.....: Tue Apr 7 23:36:42 2020 (0 secs)
Time.Estimated...: Tue Apr 7 23:36:42 2020 (0 secs)
Guess.Base.......: File (/dev/fd/63)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 0 H/s (0.00ms) @ Accel:512 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-1
Candidates.#1....: [Copying]
Hardware.Mon.#1..: Temp: 47c Util: 0% Core:1493MHz Mem:3504MHz Bus:16
And even though the actual password is included in the list, hashcat cannot find it.
The same stands true for using process substitution for the hashes (e.g. <(cat hashes.txt))
More on process substitution: https://tldp.org/LDP/abs/html/process-sub.html
Summary: Bash creates a pipe with two file descriptors, --fIn and fOut--. The stdin of the enclosed command connects to fOut (dup2(fOut, 0)), then Bash passes a /dev/fd/fIn argument to echo. On systems lacking /dev/fd/<n> files, Bash may use temporary files. (Thanks, S.C.)
Running on bash version 4.4.20, when i run:
hashcat -m 16500 hashes.txt <(cat wordlist)
I get:
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: JWT (JSON Web Token)
Hash.Target......: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY2MiOiI2MT...ygih0E
Time.Started.....: Tue Apr 7 23:36:42 2020 (0 secs)
Time.Estimated...: Tue Apr 7 23:36:42 2020 (0 secs)
Guess.Base.......: File (/dev/fd/63)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 0 H/s (0.00ms) @ Accel:512 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-1
Candidates.#1....: [Copying]
Hardware.Mon.#1..: Temp: 47c Util: 0% Core:1493MHz Mem:3504MHz Bus:16
And even though the actual password is included in the list, hashcat cannot find it.
The same stands true for using process substitution for the hashes (e.g. <(cat hashes.txt))
More on process substitution: https://tldp.org/LDP/abs/html/process-sub.html
Summary: Bash creates a pipe with two file descriptors, --fIn and fOut--. The stdin of the enclosed command connects to fOut (dup2(fOut, 0)), then Bash passes a /dev/fd/fIn argument to echo. On systems lacking /dev/fd/<n> files, Bash may use temporary files. (Thanks, S.C.)