Channel: hashcat Forum - All Forums

Do not try to write --keyspace yourself

Keyspace is not the number of words in a wordlist:

Quote:
$ wc -l rockyou.txt
14344391 rockyou.txt
$ ./hashcat --keyspace rockyou.txt 
14344384

So 14344391 != 14344384.

It's also dynamic when it comes to masks:

Quote:
$ ./hashcat --keyspace -a 3 ?a
1
$ ./hashcat --keyspace -a 3 ?a?a
95
$ ./hashcat --keyspace -a 3 ?a?a?a
9025
$ ./hashcat --keyspace -a 3 ?a?a?a?a
857375
$ ./hashcat --keyspace -a 3 ?a?a?a?a?a
81450625

So you think you see the logic? Now this:

Quote:
$ ./hashcat --keyspace -a 3 ?a?a?a?a?a?a
81450625
$ ./hashcat --keyspace -a 3 ?a?a?a?a?a?a?a
81450625

It's on a limit? No it's not!

Quote:
$ ./hashcat --keyspace -a 3 ?a?a?a?a?a?a?a?a
7737809375

And it changes over time:

v3.6.0:

Quote:
$ ./hashcat --keyspace rockyou.txt
14343296

v4.0.x:

Quote:
$ ./hashcat --keyspace rockyou.txt
14344384

So 14343296 != 14344384.

The moral of this: Don't try to emulate how it works, just use --keyspace

Cracking pdf file with arabic password using hashcat

I have been doing some tests on password strength using Arabic passwords and trying to crack them using hashcat. When I used a non-salted hash, like a custom generated MD5 hash, and tried using the --hex-charset parameter, it worked like a charm, but when I try it on PDF files it is not working. I even decreased the password to 1 character.
In case you are wondering, my assumptions are:

1. Maybe the pseudo random salt generator takes chars from the password itself
2. The password hashing algorithm stores the password in an unknown charset format when the password is from non-English chars

So my question is:

1. Is there another workaround for this (is it possible)?
2. If my 2nd guess is correct, please tell me what charset?

hashcat 4.0.1 more slow than 3.6 (GT 740M)

I'm using an Nvidia GT 740M, so, using hashcat 3.4, I got 40000H/s with workload = 3. When I use hashcat 4.0.1, I get 10000H/s.... Using weak hardware is hard, reducing your capabilities is terrible....

Bruteforce + rules

Consider the following scenario: you have to crack an MD5 hash which belongs to a password which has a length of 16 characters with the following format:

$password = $word . $word;
# password is the duplicated word (word concatenate with itself)
# e.g. if word='guy12345' then password='guy12345guy12345'

As you can imagine, it is very difficult to crack a 16-char password, but an 8-char password can be broken in a few days.

I know there is a rule for duplicating a word, but I don't know how to use it in a bruteforce attack, because the word is not in a dictionary (it is composed of lowercase, uppercase, numbers and special characters). If I try it, hashcat says rules cannot be used in attack mode 3...

An alternative could be to use maskprocessor to generate a dictionary with '?a?a?a...?a' and then use a pipe to pass it as input to hashcat running with that rule. Well, I tried it, but it is increeeeeeedibly slow.

So, is there any option to use rules with bruteforce attacks? If there isn't, will you develop it? It would be really useful...

Correct cmd for 7z file using brute force

Howdy
I am trying to recover the password for a 7z file that I lost the pwd for.

I am not using a wordlist. 

I have to specify upper case, lower case, numbers and several symbols such as ! or @, etc.

I've tried running this cmd and I know it's wrong. Can anyone help me? I've read several threads and examples, and I'm not sure how to specify the right charset. The password might be 9 characters long and I can't remember any parts of it.

/hashcat -a 3 -m 11600 mfilehash.txt 

To get the hash for the file I used 7z2hashcat

Is that the best option? The file is large and I really need to recover it. 

Thx to everyone in advance!

Use dictionary word anywhere in the mask

Hello,

I can't find the answer to this question in the wiki but maybe I'm not searching with the proper terms.

I'm trying to find out how a specific 8 hex digit hash/checksum is generated by a closed-source program.

I'm pretty sure the build number of the program (e.g. "104") or maybe the full version number (e.g. "2.1.104") is part of the input when this checksum is generated.

Question:
How would I use the string "104" as a dictionary word in hashcat without specifying its position in the mask, so that hashcat increments in the following way:
104?a
?a104
?a104?a
104?a?a
?a?a104
?a104?a?a
?a?a104?a
?a?a?a104
104?a?a?a
?a?a104?a?a
...

I've looked at hashcat's rule-based attacks but I don't see anything about this type of rule. Is this even possible?

I understand that hashcat was designed to crack passwords. Are there better tools out there to help guess the input strings of checksums when I have a plaintext file that I know part of which were used to generate the checksums but don't know exactly which parts?

Hashes from hostapd-wpe - MSCHAPv2 - Challenge and Response

Hello everyone!

Could you please help me to crack MSCHAPv2 captured using hostapd-wpe?

#Test hash#

mschapv2: Tue Nov 21 14:48:49 2017
username: marcelo
challenge: a1:47:b6:b5:6a:44:9a:cb
response: aa:32:4b:a7:e0:ce:25:d9:79:6d:a1:d9:6a:f5:80:14:e1:e7:9f:01:6f:3c:02:8f
jtr NETNTLM: marcelo:$NETNTLM$a147b6b56a449acb$aa324ba7e0ce25d9796da1d96af58014e1e79f016f3c028f
mschapv2: Tue Nov 21 14:49:16 2017

Hi guys, does anyone know how to crack mschapv2? I've tried using -m 5500, but my hash (string) is not compatible, it seems I'm missing a 3rd part of it. I basically have challenge and response.

The closest I got was this thread https://hashcat.net/forum/archive/index....-2563.html, but I still did not find how to convert my hash to hashcat format.

They say execute the command below, but where should I pass my string (challenge and response)?

perl -ne '/(.*?):\$.*?\$(.*?)\$(.*)/; print "$1::::$3:$2\n";'

Thanks everyone.

what the hash is this?

The hash is $1$string1$string2
len(string2) = 22

When I run hashcat, should it be against string2, or a mix of string1+string2? (I presume string1 is the "salt"?)

Thanks,
V

newbie mask help

I lost my password for a veracrypt container and have a good idea what the basis for the password may be.  I created a hcmask file containing my masks:
Code:
hashcat99?l
hashcat99*?l
password98?l
hashCat97?l
hashcat99*?l
password98*?l
hashCat97*?l
Hashcat99?l
Hashcat99*?l
Password98?l
HashCat97?l
Hashcat99*?l
Password98*?l
HashCat97*?l
hashcat99?u
hashcat99*?u
password98?u
hashCat97?u
hashcat99*?u
password98*?u
hashCat97*?u
Hashcat99?u
Hashcat99*?u
Password98?u
HashCat97?u
Hashcat99*?u
Password98*?u
HashCat97*?u
?u?l,hashcat99?1?1?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99*?1?1?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,password98?1?1?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,password98*?1?1?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99?1?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99*?1?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,password98?1?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,password98*?1?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99*?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,password98?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,password98*?1?1?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99?1?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99*?1?1?1?1?1?1?1?1?1?1?1
?u?l,password98?1?1?1?1?1?1?1?1?1?1?1
?u?l,password98*?1?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99?1?1?1?1?1?1?1?1?1?1
?u?l,hashcat99*?1?1?1?1?1?1?1?1?1?1
?u?l,password98?1?1?1?1?1?1?1?1?1?1
?u?l,password98*?1?1?1?1?1?1?1?1?1?1

Ran the attack:
Code:
hashcat64 -a 3 -m 13721 -o PasswordHits.txt hash13 masks/mayo.hcmask --force

and the program paused with the following output:

Code:
hashcat (v4.0.1) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) HD Graphics 530, 808/3235 MB allocatable, 24MCU
* Device #2: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP
* Uses-64-Bit

Password length minimum: 0
Password length maximum: 64

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

Resumed

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

Resumed

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

I read the morework FAQ but do not understand why the attack pauses itself. When I resume, it just pauses again.

Raking writeup

Credit on this first goes to atom for doing the hard work of sorting through all the crap rules, this rule wouldn't have existed without him.

https://github.com/evilmog/evilmog/wiki/...ated2.rule

So I'm pretty sure this hasn't been talked about much so I'm finally doing a writeup about it. Hashcat has this lovely mode called -g or generate random rules. Originally when it came out we had no control over the seed and this was pre hashcat open source but I digress.
Raking is the art of generating random rules when all else fails and is normally an attack of last resort. Now if you have a massive idle cluster it's also handy as a research project to make highly effective rules. The process works something like this.


1) Take a big wordlist like hashes.org or the Troy Hunt Have I Been Pwned list or something with a lot of hashes, it can even be a collection of active directory passwords, I don't care but this will be what you 'train' the raking process against

2) Set up an NFS share for all your cluster nodes to send output to

3) Load all your candidate dictionaries into a directory

4) Set up a shell script to continually execute hashcat in a loop with -g 100000 (you may want to play with this number) and --debug-mode=4 --debug-file to the nfs/debug/$nodename, --outfile-format=2 to output straight plains, --outfile to the nfsdir/induct/$hostname, --loopback 1 to force it to run inductions of new hashes it cracks from other cluster nodes, --induction-dir to nfs/induct and --potfile-disable so we can catch weird hits, then set up dicts/* with your dictionaries for that node, -w for your workload profile etc

5) Harvest the debug files for rules and wordlists, also the induction will feed plaintexts cracked back into the system to crack with more generated rules

Once all of this is done you just need to clean up the debug files, you may also want to change the seed on generated but that should work. The debug file format in this case is baseword:rule:processed word, which means you can collect basewords, you can collect the rules, and then even the effective processed word for things like cutb.

You will want to run these through optimize_rules from hashcat utils and take the top n by count to make an effective ruleset.

This is exactly how generated2.rule was made, 6 months of solid raking only occasionally taking a node out of the pool to do other work. You can also use some of these techniques like induction to make nodes work across by using different rule files and wordlists but adding in passwords cracked by other nodes, say you have prince going and you have something else with an insane ruleset or a -g 100000 and want to test the new inductions against those rules you can make a password cracking cluster exhibit emergent behavior.

In corporate style engagements or those where you are going for 90%+ this is another tool to add to your list. It's extremely inefficient but I call it the infinite monkey theory of password cracking.

Another newbie question

Didn't want to hijack that other topic, so I created a new one because my problem is similar but different nonetheless:

I have an encrypted VeraCrypt Volume (non-hidden) and I somehow must've managed to sneak in the same typo TWICE when I last changed the pw yesterday :(

So I have a general idea what the pw is, only there must be a typo in it somewhere. I don't remember which encryption algorithm I used since it didn't really matter to me (so I suspect it's probably the one VeraCrypt uses by default) but I DO know the PIM I used, no chance of a typo there.

I don't know anything about how to use hashcat, but it was suggested to me as a tool that might be able to help me recover my encrypted files. If anybody could give me a step-by-step guide how to do it, I would be really grateful ;)

bitcoin hash not started

Hello, I create a bitcoin hash of wallet.dat or use the standard example hash. After that I create a hash file and put the hash code in it. Run parameters:
Code:
hashcat64.exe -m 11300 -a 3 examplebit.hash
pause
The program started, but brute force does not work. Screenshot.

.png   aaaaaaaaaaaaaaaa.png (Size: 26.12 KB / Downloads: 2)
After 5 min

.png   bbbbbbbbbbbbb.png (Size: 25.9 KB / Downloads: 2)
What's the problem?
Standard examples all work on the video card!

Combined attack with four words

Hi,

I want to use a combined attack with hashcat. I suspect the password (for WiFi) to be a combination of word1, word2, word3, word4 but with three to four repetitions. E.g.: word1word2word1 or word1word2word3word4
I need a command for that please
Thank you

6 x rx480 ? is this good???

Hello guys, I am new here. I wonder:

I have


8 GB RAM
6 Sapphire RX480 GDDR5 8GB NITRO+ 256Bit AMD Radeon DX12
120 GB SSD
CPU 3.2 GHz
Windows 10

Is this a good hardware configuration for running hashcat?
Please tell me what this configuration is capable of. What can I do with this using hashcat?

Thanks
 

Wildcard in hash

Does hashcat support wildcards in a hash? I have a descrypt hash, with the first character possibly corrupted. Can I perform a brute-force attack in this case? Thank you.

proper use of increment option

I'm using hashcat installed via homebrew on my MacBook Pro 10.11.6 on a series of WPA hccapx files, and I want to use the `--increment` options. The syntax I'm using is

Code:
hashcat -m 2500 -a3 --increment --increment-min 8 --increment-max 10 /Users/ldawg/crack/Dumps/DumpLogAAA-2.hccapx ?d?d?d?d?d?d?d?d?d?d?d

I've tried rotating the switches, removing --increment-min 8, inserting = signs after min and max, and reducing the mask to only eight ?d?d?d?d?d?d?d?d. Each time, I get the same results, namely:

"Password length minimum: 8
Password length maximum: 63"

The output suggests the min-max options aren't recognized, but apart from that, the commands work fine and return no errors. It's as if the min-max options don't work for me. This isn't just on my mac, but on my The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux too I get the same results. I've read the pertinent FAQs and scoured the forum for --increment usage. I tend not to think this functionality is broken, so please forgive my ignorance and help me better understand the proper syntax.

LUKS benchmarks and estimated times

I've been reading the docs, example benchmarks, and running hashcat locally against the LUKS header of my usb drive that contains some valuable data. The password is at least 10 characters, so I know this is a challenge. I'm trying to figure out if it is worth it to try and crack it, or if I should let it go. I've investigated cloud options like Google- and it seems like the Tesla GPUs they offer aren't great for cracking. The benchmarks I've seen posted for various GPUs don't include LUKS (mode 14600 doesn't seem to be in the default benchmarking list)

I'm pretty sure the password doesn't contain any real words, so narrowing it down with rules, etc will be hard.

It's hard to figure out how long cracking this thing might take on any given GPU/set of GPUs
Here's the output of cryptsetup:

Code:
sudo cryptsetup luksDump /dev/sdb2
LUKS header information for /dev/sdb2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      bb 49 14 91 26 e1 be 4e 45 2c 9e 81 15 95 45 43 14 1d 9c eb 
MK salt:        09 b3 d0 c4 15 8e cb 0b 4c 20 02 39 a3 71 7c 67 
                61 5c 3a ef 8b 3f f9 87 fb d5 bc 03 b9 eb ca 21 
MK iterations: 18750
UUID:          4f85fbe5-2d73-47e4-a59f-3ae3b080d913

Key Slot 0: ENABLED
Iterations:          75125
Salt:                3d cd 01 61 14 4b 33 a4 70 b7 a7 ca 5d ee 53 54 
                      db 82 f9 69 df cd 21 42 7f 6f 56 20 1f 45 9e cc 
Key material offset: 8
AF stripes:            4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

I'm willing to drop some cash on a cracking rig, or pay someone to use theirs, but I'm having a hard time figuring out how crackable this thing is. Running it locally on my macbook pro seems to suggest it will take many thousands of years, which isn't promising :[

About to buy hardware

Hello

I am new to this forum and the hashcat software.
I would love to make a low budget rig that I can upgrade when I have some more money.

What GPU should I take?
I was thinking about the GeForce 1080 or GeForce 1080 Ti (only 1 for now)

What motherboard should I take?
Maybe something big, so I can later on buy a few more GPUs?

What CPU should I take?
Should an i5 Xeon get the job done? And should my motherboard have 1 or 2 CPU sockets?

The Powah!
How about this one? So far I am only planning on using 1 GPU, but it would be handy to have a good one so it doesn't become useless when I get another GPU.

RAM?
How much RAM should I take? And how many slots should I use / save for later?

Storage HDD/SSD?
I don't think I need an SSD for this, a huge but slow HDD should get the job done?

Which OS should I use?
It would be nice to use the rig as a rendering farm / cracking rig or even miner.
The goal is NOT to make it a miner, but it's always fun to play around and test out new things.
Anyway, remotely connecting to the rig is also something nice I like.

Hopefully you can help me, I just can't wait to get started!

4.01 ERROR "Restore value is greater than keyspace" after pause/checkpoint

Hello.
I get the error "Restore value is greater than keyspace" after trying to resume session "my". But I don't get it if I do that 5-10 minutes after the first start. If it works for 1-2-3 hours and is then paused+resumed or checkpointed+resumed, I get the error.


Basic info:
Code:
* Device #1: This hardware has outdated CUDA compute capability (3.0).
            For modern OpenCL performance, upgrade to hardware that supports
            CUDA compute capability version 5.0 (Maxwell) or higher.
nvmlDeviceGetCurrPcieLinkWidth(): Not Supported
nvmlDeviceGetClockInfo(): Not Supported
nvmlDeviceGetClockInfo(): Not Supported
nvmlDeviceGetTemperatureThreshold(): Not Supported
nvmlDeviceGetTemperatureThreshold(): Not Supported
nvmlDeviceGetUtilizationRates(): Not Supported

Code:
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 670, 512/2048 MB allocatable, 7MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

Password length minimum: 0
Password length maximum: 8

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

Restore value is greater than keyspace.

my start batch:
Code:
hashcat64.exe -a 3 -m 1500 SOme1.1HasHes --session my
pause

my resume batch:
Code:
hashcat64.exe --session my --restore
pause
It was checkpointed at ~10% of 8/8 symbol hashes. Can somebody explain to me what the problem is and how to resume the job? I don't want to waste time again. If you can also advise something useful, I will also be grateful.
Thanks and regards!
(sorry for my English, google translate used)

.zip   SOme1.1HasHes.zip (Size: 5.7 KB / Downloads: 1)

http authentication

Hi,
I have an HTTP authentication and I want to crack it with hashcat using the SIP 11400 attack,
but I don't know how to order the data.
The data for the example is:
Digest username="Mufasa",
                    realm="testrealm@host.com",
                    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                    uri="/dir/index.html",
                    qop=auth,
                    nc=00000001,
                    cnonce="0a4f113b",
                    response="6629fae49393a05397450978507c4ef1",
                    opaque="5ccc069c403ebaf9f0171e9517f40e41"

                   method : GET
The password for the example is "Circle Of Life"

If I understand correctly, SIP and HTTP authentication use the same algorithm:
HA1=MD5(username:realm:password)
HA2=MD5(method:digestURI)
response=MD5(HA1:nonce:HA2)

Can you help me?
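The response computation for the header quoted above, as an added example that is not part of the original post: because that header carries qop=auth, RFC 2617 also hashes nc, cnonce and qop into the response, and the three-part formula applies only when qop is absent. The function names are this example's own; the header values and password are the ones given in the post.

```python
import hashlib
import hmac
import re

# Header fields, method and password copied from the post above.
HEADER = '''Digest username="Mufasa",
    realm="testrealm@host.com",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    uri="/dir/index.html",
    qop=auth,
    nc=00000001,
    cnonce="0a4f113b",
    response="6629fae49393a05397450978507c4ef1",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"'''
METHOD = "GET"
PASSWORD = "Circle Of Life"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_header(header):
    """Split a Digest header into a dict; values may be quoted or bare."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def expected_response(fields, method, password):
    """Recompute the response value for algorithm MD5 (RFC 2617)."""
    ha1 = md5_hex(f"{fields['username']}:{fields['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    qop = fields.get("qop")
    if qop is None:
        # No qop sent: the three-part formula quoted in the post.
        return md5_hex(f"{ha1}:{fields['nonce']}:{ha2}")
    if qop != "auth":
        raise ValueError(f"qop={qop} is not handled in this example")
    # qop=auth: nonce count, client nonce and qop are part of the hash.
    parts = [ha1, fields["nonce"], fields["nc"], fields["cnonce"], qop, ha2]
    return md5_hex(":".join(parts))


def verify(header, method, password):
    """True when the password reproduces the response in the header."""
    fields = parse_digest_header(header)
    computed = expected_response(fields, method, password)
    return hmac.compare_digest(computed, fields["response"].lower())


if __name__ == "__main__":
    print("password matches header:", verify(HEADER, METHOD, PASSWORD))
```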