07-31-2020, 02:44 PM
-All passwords and hashes referred to in this post are publicly available-
Hi Everyone
Is it possible to brute force LM and NTLM hashes of passwords which contain non-ASCII characters? I'm using Hashcat 6.1.1.
Here is the context:
Alex wrote a fantastic article on how to brute force MD5 hashes of passwords containing non-Latin characters: https://miloserdov.org/?p=4016. Here is a summary:
MD5 Brute Force - Works
Plaintext: нет
Plaintext hex: d0 bd , d0 b5 , d1 82
UTF-8 Encoded MD5 hash: df28b6f9df132e3be4db5b102433d3b1
hashcat -m 0 -a 3 df28b6f9df132e3be4db5b102433d3b1 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2
Potfile: df28b6f9df132e3be4db5b102433d3b1:нет
Now, moving on to the NTLM hash:
NTLM Dictionary - Works
UTF-8 Encoded NTLM hash = cdef73138cf484d77ad0f9f8ade64189
hashcat -m 900 -a 0 --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189 WordList-utf-8.txt (#Notice hash mode has changed.)
WordList-utf-8.txt is a utf-8 encoded text file containing the characters нет
The results of the dictionary attack are as follows:
cdef73138cf484d77ad0f9f8ade64189:$HEX[3d0435044204]
We can decode the hex value at https://dencode.com/en/string
3d0435044204 (UTF-16LE) = нет
At this point, we now know that the hash has been correctly generated and that we can crack it using a dictionary attack. Let's move on to brute forcing the NTLM hash:
NTLM Brute Force - Doesn't Work
We try the same hash mode as we used for the dictionary attack:
hashcat -m 900 -a 3 --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2
But no luck:
Recovered........: 0/1 (0.00%) Digests
Changing the hash mode to 1000 (NTLM) also fails:
hashcat -m 1000 -a 3 --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2
This post refers to a similar issue, but with Office hashes: https://hashcat.net/forum/thread-8456.ht...lobal_swap
In m09600-pure.cl, I have replaced sha512_update_global_utf16le_swap with sha512_update_global_swap as suggested by Phil, but the issue persists.
Does anyone know whether it is indeed possible to brute force LM and NTLM hashes of passwords which contain non-ASCII characters? And if so, what am I missing?
Thanks very much, I’ll greatly appreciate any help.