€-Symbol with Command ?b
#1
Hello everyone, my first post 😊

If I enter:

mp64.exe ?b -o Test.txt

in the maskprocessor, the Test.txt also contains the euro symbol (€).

If I now want to crack the password (one euro symbol / NTLM-Hash: 030926B781938DB4365D46ADC7CFBCB8) with the command:

hashcat.exe -m 1000 -a 3 hash.txt ?b

that doesn't work. Why?

Thx
#2
First, € is a utf-8 multibyte symbol and cannot be cracked on any hash mode with ?b. You'd need to use ?b?b?b. Second, NTLM uses utf-16 and hashcat does some very naive charset conversion that can only handle ascii.
#3
Hi undeath,

OK, I understand.
Thank you for your prompt reply.

Best.
#4
You can use the MD4 hash mode to crack your hash:

Code:
./hashcat -m900 030926B781938DB4365D46ADC7CFBCB8 euro.txt --encoding-from=utf8 --encoding-to=utf16le
#5
That's actually the funny and at the same time very difficult part of encoding.
The euro sign € can also be represented by just one byte in other encodings; for instance, ISO8859-15 has 0xa4 as a currency sign, see https://en.wikipedia.org/wiki/Currency_s...ypography), https://en.wikipedia.org/wiki/ISO/IEC_88...EC_8859-15.

That's probably why you see the euro sign in the maskprocessor output. But of course 1 byte passwords (euro sign ISO8859-15 encoded) are not the same as 3 bytes (UTF8) passwords.

So yeah, undeath pretty much explained it perfectly... your hash was generated with more than 1 byte (for utf16le, as used by NTLM, it's actually 2 bytes 0xac20!)

So now we know 0xa4 (ISO8859-15), 0xe282ac (UTF8) and 0xac20 (UTF16LE) all represent the "same" euro sign. This just shows how confusing encoding is.
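Added example (not part of any post in this thread, and not hashcat code): a Python sketch of the encoding mismatch discussed above. It lists the euro sign's bytes in the three encodings mentioned, computes NTLM as MD4 over UTF-16LE, and models the "naive" conversion from post #2 under the assumption that each candidate byte is simply padded with 0x00; the function names are hypothetical.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the example does not depend on hashlib's md4."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:         # round 3
                f = (b ^ c ^ d) + 0x6ED9EBA1
                k, s = order3[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rol((a + f + x[k]) & 0xFFFFFFFF, s), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

TARGET = "030926B781938DB4365D46ADC7CFBCB8"  # NTLM hash quoted in post #1

def euro_encodings() -> dict:
    """Hex bytes of the euro sign in the three encodings named in the thread."""
    return {enc: "€".encode(enc).hex() for enc in ("iso8859-15", "utf-8", "utf-16le")}

def ntlm_utf16(password: str) -> str:
    """NTLM = MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le")).hex().upper()

def ntlm_naive(raw: bytes) -> str:
    """Assumed model of the naive conversion: every byte is padded with 0x00."""
    return md4(b"".join(bytes([c, 0]) for c in raw)).hex().upper()

def one_byte_hits(target: str) -> list:
    """All single-byte (?b) candidates whose naively converted hash equals target."""
    return [b for b in range(256) if ntlm_naive(bytes([b])) == target.upper()]

if __name__ == "__main__":
    print(euro_encodings())
    print("proper UTF-16LE matches thread hash:", ntlm_utf16("€") == TARGET)
    print("?b hits on thread hash:", one_byte_hits(TARGET))
    print("UTF-8 bytes, naively widened:", ntlm_naive("€".encode("utf-8")) == TARGET)
```

Under this model an ASCII password hashes the same either way, while no single byte and no zero-padded UTF-8 sequence can produce the two bytes 0xac 0x20 that NTLM actually hashes for €.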