Brute Forcing LM/NTLM with non ASCII Characters
#1
-All passwords and hashes referred to in this post are publicly available-

Hi Everyone

Is it possible to brute force LM and NTLM hashes of passwords which contain non-ASCII characters? I'm using Hashcat 6.1.1.

Here is the context:

Alex wrote a fantastic article on how to brute force MD5 hashes of passwords containing non-Latin characters: https://miloserdov.org/?p=4016. Here is a summary:

MD5 Brute Force - Works
Plaintext: нет
Plaintext hex: d0 bd , d0 b5 , d1 82
UTF-8 Encoded MD5 hash: df28b6f9df132e3be4db5b102433d3b1
hashcat -m 0 -a 3 df28b6f9df132e3be4db5b102433d3b1 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2
Potfile: df28b6f9df132e3be4db5b102433d3b1:нет

Now, moving on to the NTLM hash:

NTLM Dictionary - Works
UTF-8 Encoded NTLM hash = cdef73138cf484d77ad0f9f8ade64189
hashcat -m 900 -a 0 --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189 WordList-utf-8.txt (#Notice hash mode has changed.)

WordList-utf-8.txt is a utf-8 encoded text file containing the characters нет

The results of the dictionary attack are as follows:

cdef73138cf484d77ad0f9f8ade64189:$HEX[3d0435044204]

We can decode the hex value at https://dencode.com/en/string
3d0435044204 (UTF-16LE) = нет

At this point, we now know that the hash has been correctly generated and that we can crack it using a dictionary attack. Let's move on to brute forcing the NTLM hash:

NTLM Brute Force - Doesn't Work
We try the same hash mode as we used for the dictionary attack:
hashcat -m 900 -a 3 --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2

But no luck:
Recovered........: 0/1 (0.00%) Digests

Changing the hash mode to 1000 (NTLM) also fails:
hashcat -m 1000 -a 3 --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2

This post refers to a similar issue, but with Office hashes: https://hashcat.net/forum/thread-8456.ht...lobal_swap

In m09600-pure.cl, I have replaced sha512_update_global_utf16le_swap with sha512_update_global_swap as suggested by Phil, but the issue persists.

Does anyone know whether it is indeed possible to brute force LM and NTLM hashes of passwords which contain non-ASCII characters? And if so, what am I missing?

Thanks very much, I’ll greatly appreciate any help.
#2
If you want to change kernel files that are using sha512_update_global_utf16le_swap into kernel files that use sha512_update_global_swap (without utf16le), you would need to change it for every attack type you need (all the OpenCL/m01000_a* kernel files, and do not forget to remove the kernel cache folder kernels/ before testing). When changing the kernel, you also need to change the input (with the correct encoding provided by the user, if hashcat shouldn't convert it internally).


This command works for me with -a 3:
Code:
hashcat -m 900 -a 3 --hex-charset THE_HASH_HERE 3d0435044204
Note that --encoding-to and --encoding-from only work for the -a 0 attack type.


You could also use custom charsets if you like:
Code:
hashcat -m 900 -a 3 --hex-charset -1 3d3542 -2 04 THE_HASH_HERE ?1?2?1?2?1?2

Yeah, encoding is difficult to understand and the whole input and algorithm must be correct, otherwise it just won't crack.
#3
It works! :-) Thanks VERY much Phil. I've been at this for days. I can't express my gratitude enough! Thanks again.