The Brain not working as expected (or is it me?)
#1
First of all, i read the full announcement regarding the brain and THOUGHT i understood it, but it seems not...
https://hashcat.net/forum/thread-7903.html

so i started some tests using brain server and client with client-features=3. i used a very basic setup (md5 to crack and a simple dictionary)

first run (one matching pw in dict-1.txt)
Code:
.\hashcat64.exe -z --brain-client-features=3 -a 0 -m 0 .\hash-1.txt .\dict-1.txt
Recovered........: 1/5 (20.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 10/10 (100.00%)
Rejected.........: 0/10 (0.00%)

worked as expected

second run (added one new matching pw to dict -> dict2.txt)
Code:
.\hashcat64.exe -z --brain-client-features=3 -a 0 -m 0 .\hash-1.txt .\dict-2.txt
Recovered........: 2/5 (40.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 11/11 (100.00%)
Rejected.........: 10/11 (90.91%)

worked as expected, rejected 10 old already tested pw, just using the new one, recovered one new hash, perfect

now i simulated some other work, blabla, my dict is evolving to dict-3 and now im getting a new hashlist from somewhere else (hash-2.txt) with some already known pw (potfile to the rescue) but also some new hashes with "old" pw within dict-3.txt

Code:
.\hashcat64.exe -z --brain-client-features=3 -a 0 -m 0 .\hash-2.txt .\dict-3.txt
Recovered........: 3/10 (30.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 12/12 (100.00%)
Rejected.........: 11/12 (91.67%)

not working as i expected, brain rejected 11 pw from dict-3 but these pw were never tested against this new file hash-2.txt

i thought the brain stores a hash of the input file, to track attacks versus that file but seems not?

so how can i achieve, that the brain tracks attacks but also recognize new files the correct way?
Reply
#2
Can you show also the server logs ? do the IDs change ?
Reply
#3
(05-08-2020, 11:27 AM)philsmd Wrote: Can you show also the server logs ? do the IDs change ?

do u mean this?

Code:
1588925438.782727 |  0.01s |  0 | Generated authentication password: 
1588925438.790691 |  0.01s |  0 | Brain server started
1588926224.533265 | 785.74s |  0 | Connection from 127.0.0.1:52041
1588926224.537165 |  0.00s |  1 | Session: 0xbc75b2c2, Attack: 0x2156ff62, Kernel-power: 393216
1588926224.836517 |  0.30s |  1 | R |    0.06 ms | Offset: 0, Length: 10, Overlap: 0
1588926224.852119 |  0.02s |  1 | L |    0.01 ms | Long: 0, Inc: 10, New: 10
1588926224.856018 |  0.00s |  1 | C |    0.02 ms | Attacks: 1
1588926224.860895 |  0.00s |  1 | C |    4.74 ms | Hashes: 10
1588926225.599553 |  0.74s |  1 | Disconnected
1588926341.339809 | 115.74s |  0 | Wrote 80 bytes from session 0xbc75b2c2 in 0.49 ms
1588926341.340785 |  0.00s |  0 | Wrote 16 bytes from attack 0x2156ff62 in 0.38 ms
1588926398.528107 |  57.19s |  0 | Connection from 127.0.0.1:52102
1588926398.532008 |  0.00s |  1 | Session: 0xbc75b2c2, Attack: 0x90999a54, Kernel-power: 393216
1588926399.069792 |  0.54s |  1 | R |    0.08 ms | Offset: 0, Length: 11, Overlap: 0
1588926399.108801 |  0.04s |  1 | L |    0.01 ms | Long: 10, Inc: 11, New: 1
1588926399.111726 |  0.00s |  1 | C |    0.01 ms | Attacks: 1
1588926399.111726 |  0.00s |  1 | C |    0.00 ms | Hashes: 1
1588926399.573458 |  0.46s |  1 | Disconnected
1588926642.524029 | 242.95s |  0 | Wrote 88 bytes from session 0xbc75b2c2 in 0.47 ms
1588926642.525005 |  0.00s |  0 | Wrote 16 bytes from attack 0x90999a54 in 0.47 ms
1588928652.603860 | 2010.08s |  0 | Connection from 127.0.0.1:53385
1588928652.607761 |  0.00s |  1 | Session: 0xbc75b2c2, Attack: 0x62397987, Kernel-power: 393216
1588928652.872984 |  0.27s |  1 | R |    0.06 ms | Offset: 0, Length: 12, Overlap: 0
1588928652.888585 |  0.01s |  1 | L |    0.01 ms | Long: 11, Inc: 12, New: 1
1588928652.892486 |  0.00s |  1 | C |    0.02 ms | Attacks: 1
1588928652.892486 |  0.00s |  1 | C |    0.00 ms | Hashes: 1
1588928654.633645 |  1.74s |  1 | Disconnected
1588928750.851845 |  96.22s |  0 | Wrote 96 bytes from session 0xbc75b2c2 in 0.42 ms
1588928750.852820 |  0.00s |  0 | Wrote 16 bytes from attack 0x62397987 in 0.45 ms
Reply
#4
could you please try with latest beta version from https://hashcat.net/beta/ ? just to make sure we are testing with the same version / code.
Reply
#5
same workflow as above

Code:
Recovered........: 1/5 (20.00%) Digests
Progress.........: 10/10 (100.00%)
Rejected.........: 0/10 (0.00%)

Code:
Recovered........: 2/5 (40.00%) Digests
Progress.........: 11/11 (100.00%)
Rejected.........: 10/11 (90.91%)

Code:
Recovered........: 3/10 (30.00%) Digests
Progress.........: 12/12 (100.00%)
Rejected.........: 11/12 (91.67%)

Brain-Server

Code:
Session: 0xbc75b2c2, Attack: 0x929e9cd4
Session: 0xbc75b2c2, Attack: 0x16388999
Session: 0xbc75b2c2, Attack: 0x72bb22f1

it seems The Brain did not recognize the new file / session correctly, am i right?
Reply
#6
I currently can't reproduce to get an identical session ID with different hash lists.

could you please provide your full server and client commands and also the hash lists (PM is also okay, or even a similar generated example that leads to the same problem).

do you use --potfile-disable ? are there duplicate hashes, are some hashes already in the potfile ?
please give a full example with commands that we can try to reproduce. Thank you very, very much :)
Reply
#7
setup
windows 10 1903 (18362.778) , hashcat beta, new directory, no old potfile

starting server
Code:
.\hashcat.exe --brain-server

"generating my hashes and dict"

i know it is forbidden to post hashes so u have to generate it for yourself (easy enough md5)

the files are input:hash (--username option)

hash-1.txt
Code:
7:
123:
abc:
1234567890:
abcdef:

hash-2.txt
Code:
7:
123:
abc:
1234567890:
abcdef:
0:
5:
test1:
test2:
test3:

my sample dicts are also quite simple

dict-1.txt
Code:
0
1
2
3
4
5
6
7
8
9

dict-2.txt
Code:
0
1
2
3
4
5
6
7
8
9
123

dict-3.txt
Code:
0
1
2
3
4
5
6
7
8
9
123
1234567890

used client commands

Code:
.\hashcat.exe -z --brain-password=*insert autogenerated pw* --brain-client-features=3 --username -a 0 -m 0 .\hash-1.txt .\dict-1.txt
.\hashcat.exe -z --brain-password=** --brain-client-features=3 --username -a 0 -m 0 .\hash-1.txt .\dict-2.txt
.\hashcat.exe -z --brain-password=** --brain-client-features=3 --username -a 0 -m 0 .\hash-2.txt .\dict-3.txt

the potfile starts empty and after each run 1 pw is found/added (7, 123, 1234567890)
Reply
#8
wow, thanks.

I can reproduce now and suspect the bug is located here:
https://github.com/hashcat/hashcat/blob/...ain.c#L119

the index out_idx is never increased (no out_idx++) therefore we currently incorrectly only check the last hash in the sorted list. What a strange/nasty bug.

Will discuss this problem with other devs, most importantly with atom, and we will try to fix it soon and build a new beta for testing (not yet available, will probably give an announcement here, if I do not forget).

Thanks for reporting. What a nice find !



update: should be fixed now with this new commit https://github.com/hashcat/hashcat/commi...11bb684787 , thanks again and would of course be great if you could test the new version (from github or any beta >= hashcat-5.1.0+1795 from https://hashcat.net/beta/). Thx
Reply
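Added example, not part of the thread and not hashcat's code: a simplified C model of the bug described in post #8, showing why a collection index that is never advanced makes two different hash lists map to the same session ID, which is what the server log in this thread shows for hash-1.txt and hash-2.txt. The function name, the FNV-1a checksum and the two-character digests are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HASHES 16

static int cmp_str(const void *a, const void *b)
{
  return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Toy session ID: FNV-1a over the collected hash strings (a stand-in
   checksum, not the one hashcat uses). advance == 0 models the missing
   out_idx++ described in post #8. */
static uint32_t session_id(const char *const *hashes, size_t n, int advance)
{
  const char *sorted[MAX_HASHES];
  const char *out[MAX_HASHES] = { 0 };
  size_t out_idx = 0;

  if (n == 0 || n > MAX_HASHES) return 0;
  memcpy(sorted, hashes, n * sizeof *sorted);
  qsort(sorted, n, sizeof *sorted, cmp_str);

  for (size_t i = 0; i < n; i++)
  {
    out[out_idx] = sorted[i];   /* buggy path keeps overwriting slot 0 */
    if (advance) out_idx++;     /* fixed path fills one slot per hash  */
  }

  size_t used = advance ? out_idx : 1;  /* buggy: only the last sorted hash */
  uint32_t h = 2166136261u;
  for (size_t i = 0; i < used; i++)
    for (const char *p = out[i]; *p; p++)
      h = (h ^ (uint8_t)*p) * 16777619u;
  return h;
}

/* Constructed placeholder digests, not real MD5 values. LIST_B extends
   LIST_A with entries that all sort before "e4". */
static const char *const LIST_A[] = { "7a", "1f", "e4", "3c", "9d" };
static const char *const LIST_B[] = { "7a", "1f", "e4", "3c", "9d",
                                      "05", "2b", "4e", "6a", "88" };

int main(void)
{
  int collide = session_id(LIST_A, 5, 0) == session_id(LIST_B, 10, 0);
  int differ  = session_id(LIST_A, 5, 1) != session_id(LIST_B, 10, 1);
  return (collide && differ) ? 0 : 1;  /* exit 0 when the model behaves as described */
}
```

In the buggy mode the ID depends on a single entry, so any list that shares its last sorted hash with an earlier list inherits that list's rejected candidates, and words that were never tried against the new hashes are skipped.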
#9
will try it tomorrow when im back...
Reply
#10
hashcat (v5.1.0-1795-g08ea0002)
setup as above

Code:
Recovered........: 1/5 (20.00%) Digests
Progress.........: 10/10 (100.00%)
Rejected.........: 0/10 (0.00%)


Code:
Recovered........: 2/5 (40.00%) Digests
Progress.........: 11/11 (100.00%)
Rejected.........: 0/11 (0.00%)


Code:
Recovered........: 5/10 (50.00%) Digests
Progress.........: 12/12 (100.00%)
Rejected.........: 0/12 (0.00%)


Serverlog
Code:
Session: 0x81039c62, Attack: 0x0ebd08bb
Session: 0x83810334, Attack: 0x2dfbaaf5
Session: 0xf4ab8a45, Attack: 0x13cd2111

plz be aware, that run 2 is now not working as expected (new session-id on hash-1.txt, not dropping already used pw)
run 2 should have the same session-id like run 1 but with different attack-id as i understand the brain

im really not that deep into c, so i can not really see how session-id is calculated (i see some vars regarding hashes and salts, a loop etc.) so i can only guess, maybe the already found pw is excluded, so hash-1.txt get a new session-id.
Reply