Posts: 5
Threads: 3
Joined: Jun 2020
Hello everyone, my first post 😊
If I enter:
mp64.exe ?b -o Test.txt
in the maskprocessor, the Test.txt also contains the euro symbol (€).
If I now want to crack the password € (one euro symbol / NTLM-Hash: 030926B781938DB4365D46ADC7CFBCB8) with the command:
hashcat.exe -m 1000 -a 3 hash.txt ?b
that doesn't work. Why?
Thx
Posts: 2,301
Threads: 11
Joined: Jul 2010
First, € is a utf-8 multibyte symbol and cannot be cracked on any hash mode with ?b. You'd need to use ?b?b?b. Second, NTLM uses utf-16 and hashcat does some very naive charset conversion that can only handle ascii.
Posts: 5
Threads: 3
Joined: Jun 2020
Hi undeath,
OK, I understand.
Thank you for your prompt reply.
Best.
Posts: 2,301
Threads: 11
Joined: Jul 2010
You can use the MD4 hash mode to crack your hash:
Code:
./hashcat -m900 030926B781938DB4365D46ADC7CFBCB8 euro.txt --encoding-from=utf8 --encoding-to=utf16le
Posts: 2,267
Threads: 16
Joined: Feb 2013
06-16-2020, 10:06 PM
(This post was last modified: 06-16-2020, 10:09 PM by philsmd.)
That's actually the funny and at the same time very difficult part of encoding.
The euro sign € can also be represented by just one byte in other encodings; for instance, ISO8859-15 has 0xa4 as a currency sign, see
https://en.wikipedia.org/wiki/Currency_s...ypography),
https://en.wikipedia.org/wiki/ISO/IEC_88...EC_8859-15.
That's probably why you see the euro sign in the maskprocessor output. But of course 1-byte passwords (euro sign ISO8859-15 encoded) are not the same as 3-byte (UTF8) passwords.
So yeah, undeath pretty much explained it perfectly... your hash was generated with more than 1 byte (for utf16le, as used by NTLM, it's actually 2 bytes: 0xac20!)
So now we know 0xa4 (ISO8859-15), 0xe282ac (UTF8) and 0xac20 (UTF16LE) all represent the "same" euro sign. This just shows how confusing encoding is.