Optimizing WPA recovery

February 20, 2020, 6:58 am

Hi there
Got stuck on optimizing recovery process for multiple handshakes with the same ssid name.
I've read some forum posts here and got lost at all. Could anyone explain me in simple words is there any way to run recovery for multiple wpa/wpa2 items (with the same ssid) with no speed loss?
My sniffer spat out around 50 handshakes in a couple of weeks for the ap I need and I don't know now which one is correct. I tried Passcape utility and it was running at ~380 Kp/s on my gtx2060 for all of them simultaneously! But I need to do the same using the Hashcat. I know it has different modes for that. The question is how to automate loading an hccapx file with more than one items and run them all simultaneously with no speed loss? Any advice/link would be appreciated.

Thanks
P.S. Here's some scarce info how it works from the Passcape site. Lack of details though.

↧

Kerberoasting not working

February 20, 2020, 1:56 pm

≫ Next: Couple of questions

≪ Previous: Optimizing WPA recovery

Hi,
today I tried the Kerberoasting attack for the first time in my lab. I created a new account and set a spn as follows:

setspn -a fs01/SVC_SQLService.tealtest.de:1433 tealtest\sql_svc

Then I saved the hash with rubeus:

Rubeus.exe kerberoast /outfile:.\hash.txt

I tried to crack the hash with the current hashcat version:

hashcat64.exe -m 13100 -O C:\hash.txt C:\realpw.txt --force

The wordlist contains only the correct password but nevertheless hashcat does not succeed.

The password of the account is Test123. which can also be confirmed with rubeus:

v1.5.0
[+] STUPENDOUS => svc_sql:Test123.
[*]Saved TGT into svc_sql.kirbi

I googled and tried now for hours. Any advice?

Thanks Alex

↧

Couple of questions

February 20, 2020, 6:34 pm

≫ Next: Kerberos AS-REP Cracking

≪ Previous: Kerberoasting not working

Mmm, I was not here some time, and I see some things changed so I can't follow this up. I read a little bit but I'm not sure so I need some help here.

As far as I can see now is popular some kind of PMKID attack, which I understand is working with new WPA3 protocol ?

Ok, I don't need that for now, is old hccapx format still supported ? Working well on Windows 7 with both AMD and Nvidia cards ?

Whether it was planned a rescission of hccapx format in near future ?

Thanks.

↧

Kerberos AS-REP Cracking

February 21, 2020, 7:15 am

≫ Next: Paid Rules Assistance?

≪ Previous: Couple of questions

Just looking to understand how the cracking of kerberos AS-REP encrypted data works if anyone can explain?

I'm talking about mode -m 18200 and as an example the input for a password of "password123" looks like this:

Code:
$krb5asrep$23$jsmith@SCRM.LOCAL:83ef5dfc031383cf195504c9e07a8733$b70396f4f51eecea3ac23e23c5115ff2b2786eae8211b42e5425f084ed9ed0928468c6f835c92a1da427343f857f5941a610a39661008ce67063d4f79e30b461b47361e7ded199002cb63848b5c00e008fd2cc3f454dc91adad12d94bcba67cc8bf06b7f8807643af587971c129db103a14edde927f470fdbc3a477bf9d1ec22a57a029dbfdf4c6fc075234721ffe96e6513685fbc84ff727d9f6ad1870d3e1534bbabecd888c93f37f57bdcd31baac44a0d5be93cbe7464c637b510b75fd061c315a1251534007223d032c94a70aa96241520e298781f04229bd46f828ea2588a34416060ea4f41

If I've understood the Kerberos RFC correctly (https://tools.ietf.org/html/rfc4120) then the actual data contained in this cipher is:

Code:
EncKDCRepPart  ::= SEQUENCE {

          key            [0] EncryptionKey,

          last-req        [1] LastReq,

          nonce          [2] UInt32,

          key-expiration  [3] KerberosTime OPTIONAL,

          flags          [4] TicketFlags,

          authtime        [5] KerberosTime,

          starttime      [6] KerberosTime OPTIONAL,

          endtime        [7] KerberosTime,

          renew-till      [8] KerberosTime OPTIONAL,

          srealm          [9] Realm,

          sname          [10] PrincipalName,

          caddr          [11] HostAddresses OPTIONAL

  }

So I'm just curious how exactly does hashcat know when it has got the correct password?

I believe the sname property mentioned above will contain the same principal name that is being passed in to hashcat right before the hash (jsmith@SCRM.LOCAL in my example). So is hashcat comparing that passed in value to the decrypted sname value with each cracking attempt?

I had a quick look at the hashcat source code here: https://github.com/hashcat/hashcat/blob/...le_18200.c

But although I can usually follow C/C++ ok for the most part, here I can't see where its actually doing anything like what I mentioned above. In fact all it seems to do is just parse the input and set some properties. Doesn't seem like it actually checks anything or decrypts anything at all, so I must be missing something. Is there somewhere else in the source code that handles that, and if so how do I find it?

Sorry for probably very noob question and thanks in advance

↧

Paid Rules Assistance?

February 21, 2020, 5:34 pm

≫ Next: Newer windows build

≪ Previous: Kerberos AS-REP Cracking

Hello,

Hashcat looks to be a great utility. With it I hope to be able to recover my buddy's will after he lost the password in a cellular phone (single point of) failure. It saves retyping dozens of pages of information.

The current goal is to recover the password that is partially known. It is a combination of three words in pseudo-1337 ( i/1, e/@ and o/0). Can Hashcat be set to combinator with three or more dictionaries? I am aware of the technical documentation here: https://hashcat.net/wiki/doku.php?id=rule_based_attack .

I understand there are paid utilities to decrypt the files (Office 2007 spreadsheet and word documents). Due to the sensitive nature of the material, sharing the files is not desirable. Failing deciphering the rules document (a daunting task), will someone assist with or minimally point to a means to design a rules file for compensation?

T. I. A.

silekonn

↧

Newer windows build

February 22, 2020, 5:18 pm

≫ Next: is bcrypt´s benchmark showing bcrypt itterations or bcrypt-hashes per second?

≪ Previous: Paid Rules Assistance?

I'm using version 5.1.0 on Windows and when I try to use mode -m 19900 it says this is an unrecognised mode. So I figured I must need to update to a newer version but it looks like there are no newer binary releases than 5.1 which was released back in 2018.

So I tried downloading from github and building myself with cygwin, following the instructions in the readme.

Build went fine but when I try and run it (either from the cygwin terminal or from cmd.exe) I get this:

Code:
hashcat (v5.1.0-1705-gfdde629d) starting...

/usr/bin/OpenCL/: No such file or directory

I'm assuming this needs more than just creating a directory to get it working properly, but before I go looking into all that I'm just wondering why this behaves so differently to the hashcat32.exe or hashcat64.exe that I originally downloaded? Like how were the originals built so that they didn't need cygwin, and why is this version requiring a folder to exist that the original 5.1.0 version I was using didn't need?

Are there any plans to build another main release any time soon that "just works" on Windows in the same way that the 5.1.0 release on the main website does?

Thanks

↧

is bcrypt´s benchmark showing bcrypt itterations or bcrypt-hashes per second?

February 23, 2020, 10:23 am

≫ Next: Cisco IE1000 Switch

≪ Previous: Newer windows build

is bcrypt´s benchmark showing bcrypt itterations or bcrypt hashes per second?

If I run the benchmark it advertises:

sudo hashcat -w 4 -b -m 3200
[sudo] password for gpu-user:
hashcat (v4.0.1) starting in benchmark mode...

* Device #1: GeForce GTX 1660, 1486/5944 MB allocatable, 22MCU

Benchmark relevant options:
===========================
* --workload-profile=4

Hashmode: 3200 - bcrypt $2*$, Blowfish (Unix)

Speed.Dev.#1.....: 9308 H/s (148.01ms)

Does H/s now stand for brypt itterations or for bcrypt hashes?

Since it just says $2*$ I think it is single itterations and not bcrypt-hashes the cost factor usually comes behind this like $2a$05$ which would be 32 itterations.

Now any post I find about the topic bcrypt benchmarks is saying it being bcrypt-hashes and not itterations and that the bcrypt cost factor for the benchmarks is 5 so my GPU would produce 32 x 9308 itterations per second.

I searched this forum and many others all containging that info

https://hashcat.net/forum/thread-1737-po...ml#pid9885

https://security.stackexchange.com/quest...ing-bcrypt

and many more

But now when I benchmark using a own list of hashes I get results that are pretty way off the expected result.

$2a$16$ is 65536 itterations
$2a$05$ is 32 itterations

so $2a$16$ should take 2048 times as long as $2a$05$

if this is really not itterations but cost 05 bcrypt hashes :
Speed.Dev.#1.....: 9308 H/s (148.01ms)
then with cost 16 I should expect about 4.5 cracks per second

but if I try it out it takes much longer:

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: bcrypt2.hash
Time.Started.....: Sun Feb 23 19:11:30 2020 (3 mins, 53 secs)
Time.Estimated...: Sun Feb 23 19:15:23 2020 (0 secs)
Guess.Base.......: File (bcrypt.dict)
Guess.Queue......: 1/1 (100.00%)

Speed.Dev.#1.....: 0 H/s (2.30ms)

Speed.Dev.#*.....: 0 H/s
Recovered........: 0/6 (0.00%) Digests, 0/6 (0.00%) Salts
Progress.........: 6/6 (100.00%)
Rejected.........: 0/6 (0.00%)
Restore.Point....: 0/1 (0.00%)

Candidates.#1....: donotqwerty -> donotqwerty

HWMon.Dev.#1.....: Temp: 38c Fan: 0% Util: 99% Core:1920MHz Mem:4001MHz Bus:1

Started: Sun Feb 23 19:11:16 2020
Stopped: Sun Feb 23 19:15:25 2020

^^^4 minutes for 6 hashes and hashcat itself also predicted that time.

But that means the benchmark is really showing itterations not bcrypt hashes or am I doing something wrong?

Here is a list of hashes for reference to test with: pwd: donotqwerty

$2a$16$LUC0WkK3L0G3XRGzMESxM.SPr.9H2xbFZd0/TcPiDeZaKOHYdOAj.
$2a$16$LUC0WkK3L0GzKhG0MESxM.G2oEJ5e/jFG9SK/BTVwFPld3zzNh9Dq
$2a$16$LUC0WkK3L0GvLBG2MESxM.5SqCgupzwRWdvb4InyqaNQZ.0lOxkY2
$2a$16$LUC0WkK3L0HkMBGzMESxM.gK./1N1w4r1K7gBACC3AqMpcfENjTKG
$2a$16$LUC0WkK3L0G0KBG1MESxM.dGwt6319Yvs0WPcsZNO8EKcYlmyTeMS
$2a$16$LUC0WkK3L0GuLhG1MESxM.RIt88qOJI0neRUlTfvgbR.xbLkQylTy
$2a$16$LUC0WkK3L0HgWRG1MESxM.dwboQwJ4KSKZZ.I6L99s2WaHRwThWZy
$2a$16$LUC0WkK3L0HfWxG0MESxM.LuKqkJxHknX5tCnjX8jk1qsk74RiMza
$2a$16$WhO0WkK3L0HfWxG0MESxM.5uuR58CfZHQGRzJH.xV5j5QPEF6h2nm
$2a$16$LUC0WkK3L0GyLBGzMESxM.zj8Ctlna.0ohtsTNqYq5X9efQFNlq16
$2a$16$WhO0WkK3L0G0KBG1MESxM.ci3qsEPlbHDF4hM0U/9PnChJ17Hx3Ty
$2a$16$WhO0WkK3L0GuLhG1MESxM.UWfFTz7eZ/uILApJ0vz/WfgrEtgd6dS
$2a$16$LUC0WkK3L0G3KBGyMESxM.KbBRpZEzYlZoEAAzu65C.LX8kG6R3BO
$2a$16$WhO0WkK3L0GvLBG2MESxM.Z.hN68vIuUTwFGINMPDqHCNplkrXx8u
$2a$16$LUC0WkK3L0HjWRGyMESxM.XuRqN5YMlFbEfIjm/w6bJAYakY0urGa
$2a$16$WhO0WkK3L0HgWRG1MESxM.dMQhGL3geG30IhDdqJXFhh4MenzBPEm
$2a$16$KES0W0K3L0HgWRG1MESxM.Wcsc312AsLEX/X9jNZewPeJQcqTO/EO
$2a$16$WhO0WkK3L0GzKhG0MESxM.TS2rSVnKgFh5.lQkC4bOSUKXwKseZM6
$2a$16$KES0W0K3L0GvLBG2MESxM.rUs9T67pS/czQa4dOICEcqakXUiu4wi
$2a$16$WhO0WkK3L0G3KBGyMESxM.N4SM1qI2mydC93K0UrbWaWl34JbhqEq
$2a$16$WhO0WkK3L0G3XRGzMESxM.AY2zf08kfeD4yfrX4QjCqa5Vyegqk8G
$2a$16$WhO0WkK3L0GyLBGzMESxM.5PSKuFfAHjN8yXjosP62TPEVhx.EmhC
$2a$16$WhO0WkK3L0HkMBGzMESxM.J6hPiei0dsfjLD9n7tBiZ1KHNJI3j32
$2a$16$WhO0WkK3L0HjWRGyMESxM.fAh4M1165P15as4Dv.NfWdEp/ciZ.rC
$2a$16$KES0W0K3L0HjWRGyMESxM.rpF8yYT9Z85abps4z3XZDFNMVeWH67m
$2a$16$KES0W0K3L0G3XRGzMESxM.MsQGUbw3LtrJq39.qkrWCWzdv6jumdi
$2a$16$KES0W0K3L0GyLBGzMESxM.vp4EFRoG29gqeE6Xv3jeVo4AX/3gY6a
$2a$16$KES0W0K3L0G0KBG1MESxM.2uoDfWUXt4STz66JWbUanqxxQFNUXBS
$2a$16$KES0W0K3L0HfWxG0MESxM.YaECNz7zfYrJ70vIMHygCgOvrjets4W
$2a$16$KES0W0K3L0GuLhG1MESxM.lxaOGz9IwrW79qDz1HjpSRR/hY.W4X2
$2a$16$KES0W0K3L0GzKhG0MESxM.sbY4KKilGbg88wrNJoNhnnFFhVZx2w6
$2a$16$KES0W0K3L0HkMBGzMESxM.8QaZsmK0tPA.PWsgk9UJc0bmwk7CyhW
$2a$16$Lhe0W0K3L0HkMBGzMESxM.Uh30WIy1Y1bFBIFq/C5G.kkDjoxX1wu
$2a$16$Lhe0W0K3L0HfWxG0MESxM.QXrWFLtogGOHPzFLoCnl4Slk4sKYV7G
$2a$16$KES0W0K3L0G3KBGyMESxM.s/i96CaSw3qC2cE4gxHUcvO76oW5ote
$2a$16$Lhe0W0K3L0GzKhG0MESxM.edY4jmBh7C0PpM1Rm2zHd8EPgWED6Z.
$2a$16$Lhe0W0K3L0GvLBG2MESxM.atTe7hxK9YR4/2MT/3q8nju4viNLxA2
$2a$16$Lhe0W0K3L0HgWRG1MESxM.Fqu4cfgZMnhzdKpP8A7fqOjd2UdKFEy
$2a$16$Lhe0W0K3L0G0KBG1MESxM.bmfbNqF4JM12vjl6hyfp0udjbzKGuEC
$2a$16$Lhe0W0K3L0GuLhG1MESxM.FLs8bFaLMx5ruGVzsDF2QXQhcOhwPJO
$2a$16$WxG0W0K3L0GuLhG1MESxM.Cysi.DSjijSpJV9g/14ZzgTTXArTqt6
$2a$16$WxG0W0K3L0HgWRG1MESxM.omisrYv./894pfHZ6psnl8vwotFITZi
$2a$16$Lhe0W0K3L0G3XRGzMESxM.25RjYBn59fZR43A0ayShhf11NnWraIy
$2a$16$WxG0W0K3L0G0KBG1MESxM.lKM1OXfKncMePiSdZ376zTvb2mDoNH6
$2a$16$Lhe0W0K3L0GyLBGzMESxM.GlD8AK/Gr6jMrzNp8IwaTZ8WjrxLi1a
$2a$16$Lhe0W0K3L0HjWRGyMESxM.ShmTNbpqDIU6dg64WKW/k5BWjpy0ldC
$2a$16$Lhe0W0K3L0G3KBGyMESxM.1XRZj33u.SUl.S6hMTxHmKhZmGI.X8q
$2a$16$WxG0W0K3L0GvLBG2MESxM.PO8B5jfUp4/6M.PXLfcIl44U1HtBna.
$2a$16$KUK0XEK3L0GvLBG2MESxM.0oJY8HD8eNN2WXhR/1OQkvbo5V0r8jm
$2a$16$WxG0W0K3L0HjWRGyMESxM./JPy85AyKBwh6G7o5FiotVmJT5Uq4lm
$2a$16$WxG0W0K3L0HfWxG0MESxM.aydvgZkAwqSIymqwE.PjEY1WzSe1Xhy
$2a$16$WxG0W0K3L0G3KBGyMESxM.sMx/SLU1xAOS693U.FF8ZIFFhA3SYBW
$2a$16$WxG0W0K3L0GzKhG0MESxM.QWAX74ATaoTvEKpQZBRqXlOo2iwxQvu
$2a$16$WxG0W0K3L0HkMBGzMESxM.k.GMSVczKSxJ4jqqiAtpb4Co.e/LsQC
$2a$16$WxG0W0K3L0G3XRGzMESxM.pMPXCxYJiUHnjPGxK20r5rAip9tq3qW
$2a$16$WxG0W0K3L0GyLBGzMESxM.BhB4mrNXeAR.sqQ0X.qa6fQT2p7vY7C
$2a$16$KUK0XEK3L0GyLBGzMESxM.eAU94sKC7jqQ20u10B5Aw.ihMUY.Y/u
$2a$16$KUK0XEK3L0HkMBGzMESxM.2DP.P8ulwWMgh9ZMBycWMqGyMPwiZa2
$2a$16$KUK0XEK3L0HgWRG1MESxM.arv73YCvaG7mzmRDoH/YIfZxHia/jBy
$2a$16$KUK0XEK3L0G3XRGzMESxM.Y/.dpWnmsow2iuQLJuUYCij2cDzsST.
$2a$16$KUK0XEK3L0G0KBG1MESxM.ZxnPKJxTuW8FyQ.IyKynjjUJgkRSlrO
$2a$16$KUK0XEK3L0GuLhG1MESxM.fAH5iXMLW8TU0UzMoD4//QH75ZzQinu
$2a$16$KUK0XEK3L0HfWxG0MESxM.zBHDxn0RMvl5zuIPfIcqgmuIZjj6phW
$2a$16$KUK0XEK3L0GzKhG0MESxM.VEVmYg/jacbP7knlt37mZoCxl89jftG
$2a$16$LxW0XEK3L0GzKhG0MESxM.bBwN9/lB5xkVb0Sct4.2ZPFd7uQGrP.
$2a$16$LxW0XEK3L0GuLhG1MESxM.Z10Rv4LnTBPo0nIZaRLYY.7c3oO8xbW
$2a$16$KUK0XEK3L0HjWRGyMESxM.Zdzva40aFWFGqquM4ovFRfIi3lGg.Lu
$2a$16$LxW0XEK3L0HfWxG0MESxM.7AiSD9YjRfVtPRg/eVmB13i9gvIFium
$2a$16$LxW0XEK3L0GvLBG2MESxM.aIeZDqrseyaRTQQnPEAVuGiljXyL9zK
$2a$16$KUK0XEK3L0G3KBGyMESxM.A1OcBryNdulXWdPnzvg7nkaOagk80AS
$2a$16$LxW0XEK3L0HgWRG1MESxM.upDcIj2jtl3rDmM29FYARPrghFiyHPW
$2a$16$LxW0XEK3L0G0KBG1MESxM.BkJVHbxbGrVDekzpXEHziA0UPkJqDCi
$2a$16$XB.0XEK3L0G0KBG1MESxM.1.hrG.44/LQLsUFxfjQYo7zmpG46xwq
$2a$16$XB.0XEK3L0GvLBG2MESxM.wi6YknwyGxbNgmvxZS6Lz4dmh/2TF.y
$2a$16$LxW0XEK3L0HkMBGzMESxM.dtVATyW/hVegd0aAjkflHfIy3V2GV4S
$2a$16$XB.0XEK3L0HgWRG1MESxM.SkozobMzY5ieLoSwd3O3jlJUJuY7Agu
$2a$16$LxW0XEK3L0GyLBGzMESxM.umc3r37WDQ132sq3W3oi4D12rLZiTtC
$2a$16$LxW0XEK3L0G3XRGzMESxM.tZF.RyVnrpihEUdxW1l2KH5Z.kNP1EK
$2a$16$LxW0XEK3L0HjWRGyMESxM.XZ46yQRHskc08Yjzq40ealEqcJLkjpm
$2a$16$LxW0XEK3L0G3KBGyMESxM.AL2QngIUHGc1cl9FZgIvxji0J9F.gXG
$2a$16$XB.0XEK3L0G3KBGyMESxM.RoyZmp2Qep2/25F11ElsH7PK9NGrnjG
$2a$16$XB.0XEK3L0GyLBGzMESxM.X.doMWt4m1M/PD.IAKQw4zPK22y/15W
$2a$16$XB.0XEK3L0GuLhG1MESxM.TCZPHTeSLah48RmDQwyCgfTICUS16cG
$2a$16$XB.0XEK3L0HjWRGyMESxM.oqHlC4U4590HYsIYNBwZgPLaJi5tT7S
$2a$16$XB.0XEK3L0GzKhG0MESxM..BxMjrNMv1fL1dSq2.M.cbc3U4mYHDi
$2a$16$XB.0XEK3L0HfWxG0MESxM.WiUX3SVRjcnd3Wgrm0vACcnvnMXBnrG
$2a$16$XB.0XEK3L0HkMBGzMESxM.P96kzkJtXeuAXF2zeXopTb1UO0hRvxG
$2a$16$XB.0XEK3L0G3XRGzMESxM.OVArDDa0HKhEilzR18fUqWW5untwoT2
$2a$16$KkC0XUK3L0G3XRGzMESxM.KhJSGzT9nZ4D4cNNHNHeUNhHJAeHayK
$2a$16$KkC0XUK3L0GzKhG0MESxM.mCUYcNag3E0jmNK6rKuLxRdB2wnBxzG
$2a$16$KkC0XUK3L0GvLBG2MESxM.rWSOeV0scM0hl7Sny3jfZUITFekaLoC
$2a$16$KkC0XUK3L0HkMBGzMESxM.Dg0OXUcGFSOJCRA0i.zG85kdflPZ/8.
$2a$16$KkC0XUK3L0HgWRG1MESxM.VdMRPGp.ofsUjOXDcyJSA3ud85KwPhm
$2a$16$KkC0XUK3L0G0KBG1MESxM.UIJA/UHZagXUf2iiZAggNauDORhdOca
$2a$16$KkC0XUK3L0GuLhG1MESxM.LVC2bGzhHIpA0/R4AbAure4ddFMnJUC
$2a$16$KkC0XUK3L0HfWxG0MESxM.Elzvv6SGMA3Ou5kpmFoO0teR0e0c2Jq
$2a$16$MBO0XUK3L0HfWxG0MESxM.pk.b6auiXNcvsvzdk1RtL4VjgnFzWA6
$2a$16$MBO0XUK3L0G0KBG1MESxM.tnHjeAYi9p8QR010.XQStTwKCmhZ7LC
$2a$16$KkC0XUK3L0GyLBGzMESxM.kxjMCBLYc1GvYGJvJV0k6si3zsEltom
$2a$16$MBO0XUK3L0GuLhG1MESxM.diCt1bWUFR/O3iV/B6yyXzzsY24LyB6
$2a$16$KkC0XUK3L0HjWRGyMESxM.HUx2TE3Q.gvJo3zVTVrEXKFUQmnaSx6
$2a$16$KkC0XUK3L0G3KBGyMESxM.YN584OuVJHdGMXkZnMqt1pfpwvq54ke
$2a$16$MBO0XUK3L0GvLBG2MESxM.9oDw.B9Wy0KlRMuc1GAopVLsmW2b4hG
$2a$16$MBO0XUK3L0HgWRG1MESxM.VEYRy14ees3v3InzBenaID1dbgbwLHa
$2a$16$XES0XUK3L0HgWRG1MESxM.wJ9zIQHMcayiCpGLc70W5ZIdt8jTSXS
$2a$16$MBO0XUK3L0G3KBGyMESxM.rfUBdjd.YynLc9RdqGwP6i54V7/8cxy
$2a$16$MBO0XUK3L0GzKhG0MESxM.Mhs641ayVHg5Nno8YTsIrwy5EOl6sS6
$2a$16$XES0XUK3L0GvLBG2MESxM.eafPiO7tFSQBQk5jq87VkOUHzCj6N8S
$2a$16$MBO0XUK3L0HkMBGzMESxM.rkWAJc2SpMpLZWAI3o30DKJMLzPsEgm
$2a$16$MBO0XUK3L0G3XRGzMESxM.rFBBIfQ4IClC.Kev9StQostaJa64eGi
$2a$16$MBO0XUK3L0GyLBGzMESxM.4c9jHx3WPO2PfSyKkvBVaPyvsQE2D9a
$2a$16$MBO0XUK3L0HjWRGyMESxM.rs8WrQq5EOFlFYkk/wFHtXD1ms2pZFC
$2a$16$XES0XUK3L0HjWRGyMESxM.w01bbV.AZ.b6I8Ni7BPbhrBBdBzgkUW
$2a$16$XES0XUK3L0G0KBG1MESxM..qaoPNKLqErfczmlCzfeDJ.BDTrjlPO
$2a$16$XES0XUK3L0GyLBGzMESxM.Gvm43HyIx586TGO1ESwx/aKd2.l/Mxm
$2a$16$XES0XUK3L0G3XRGzMESxM.8Oi3aZFzAFuAG6S7z0jplx/ZenczjXq
$2a$16$XES0XUK3L0HfWxG0MESxM.hzNJMd2iiVRz4oKQ60Wga89miSe1JFu
$2a$16$XES0XUK3L0GuLhG1MESxM.czhBKtK9nD/rhSCd.MDzEcjC2.a05NW
$2a$16$XES0XUK3L0GzKhG0MESxM./awG1y7Xxlm7raG0M9dFHanJbmMbdlC
$2a$16$XES0XUK3L0HkMBGzMESxM.ZhpdqZfjfoAwkoejes7GR9Plujl5oXy

↧

Cisco IE1000 Switch

February 23, 2020, 6:06 pm

≫ Next: Keys

≪ Previous: is bcrypt´s benchmark showing bcrypt itterations or bcrypt-hashes per second?

Does anyone know the password encryption used for the Cisco IE1000 swtiches?

From the running config:

username admin privilege 15 password encrypted f4938f70f013e8a70bee2fc24ba411157042e4ed5cd5db72d19f8d763b7f1880bcaf71378c29ade98af6726366d1f602445f255d6ab59929968e57760155cee1

I thought it was SHA2-512 however using -m 1700 does not find the known password

Cheers

↧

Keys

February 24, 2020, 8:21 am

≫ Next: How to crack Keepass2 passcode, help me

≪ Previous: Cisco IE1000 Switch

Comrades, please tell me what commands are sent to display the status and so on when a message appears in the terminal:

Code:
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

I would like to reassign the keys on the keyboard in order to conveniently manage the process, but I can not understand what exactly is passed to the console window to execute the command, not exactly the letter S. thank You

↧

How to crack Keepass2 passcode, help me

February 25, 2020, 5:07 am

≫ Next: How crack this hash?

≪ Previous: Keys

I don't know the command to do this, and "--help's" output isn't helping too much. The part that's really confusing is how can I put in rules for the brute-force, like which kind of characters and ones I know of, etc, since I partially know the password, but I forgot a few parts (3-6 characters of a single kind), so I wonder how I can find the remaining bits. I don't mind if it takes a day or so.
tks

↧

How crack this hash?

February 25, 2020, 12:12 pm

≫ Next: why the Alphabetic charset is so slow

≪ Previous: How to crack Keepass2 passcode, help me

I have this hash md5(md5($salt).md5(md5($pass))). And i don know how crack it

Code:
88e4f8dca2a012b07ad501f29f9babdd:r6I<~

19321c3263dc45c6673d9fe1f406adbe:Gnn#j

f9866b8990e629890c112eb1c6d597bd:%(Tc4

fc5f7cfebc7679d476e0216e763cae41:&SoPZ

a9c6dbf981cef2b5eebf8464a2ed145c:OfFcW

381d308ecdd7efee5d27efac89c82629:sFT+[

9d067b3ddb5b7b232ecb8d7789633a0a:WM*S4

98728acf3eabb8883bd2f1b5fe8b9cad:[Rj9v

388bacead259164cd312a959de43930a:`Gt><

4d8375660a029f39c8f763fd1a090cf0:R+/?h

7af2563488264041e978fd4a0ffa8102:o+8),

377ba8d6502c9e552eca2155b0578532:PPV)7

d66623ecc3640838d0f846cbceb0a8aa:S19vR

↧

why the Alphabetic charset is so slow

February 25, 2020, 7:17 pm

≫ Next: What is pw_len of the pw type ?

≪ Previous: How crack this hash?

i have noted that the alphabetic charsets are significally slower than the alpha numeric ones... why's that? is there anything that can be done ???

↧

What is pw_len of the pw type ?

February 26, 2020, 2:36 am

≫ Next: Partial mask increment

≪ Previous: why the Alphabetic charset is so slow

Hi all,

When looking at the source code of Hashcat I noticed that the candidate passwords are stored in a type called pw (defined line 1643 of OpenCL/inc_types.h).
This type is simple, the code is this

Code:
typedef struct pw

{

    u32 i[64];

    u32 pw_len;

} pw_t;

However, each character of the candidate password is only 1 byte right ? I read somewhere on an old thread that pw.i[0] would hold the first 4 characters of the candidate password, etc ... In that case, what is pw_len ? is it the length of the array of the length in chars ?
Suppose my password is "hashcat" (7 chars long), we sould have something like
pw.i[0] = hash
pw.i[1] = cat0 (I'm guessing that all "unused" bytes are null bytes)
pw.i[2] = 0 ...
in that case is pw_len 2 or 7 ?

I'm trying to implement FNV1 as an exercise and for this algorithm I need to iterate over every byte of data. If pw_len is the length of the pw.i array, is there another way to get the length in bytes of the candidate password ?

Thanks a lot in advance

↧

Partial mask increment

February 28, 2020, 4:16 am

≫ Next: SHA256

≪ Previous: What is pw_len of the pw type ?

I need a partial increment for a mask, but I don't know how to do that.

-1 ?u -2 ?l?l?l?l -3 ?d?d

I only need to increment mask -2 (4 to 8 characters - `Aaaaa00 ~ Aaaaaaaaa00` )

Can this be done using a mask or do I need rules ?

Any help much appreciated!

↧

SHA256

February 28, 2020, 3:23 pm

≫ Next: Maskprocessor | Hashcat syntax question

≪ Previous: Partial mask increment

Hi,
I tried several commands and fail,I need something strong decryption.

SHA 256
Password possible ( 64 chars) may be something like this : a-z 0-9

Brute-force

can someone make like a "script" that i could copy and just change my files or something cause everytime when i try i just get "hashfile is empty or corrupted"

this was my command

"hashcat64.exe -m 1400 -a 0 -o hash.txt cracked.txt"

↧

Maskprocessor | Hashcat syntax question

February 29, 2020, 4:08 am

≫ Next: Geokeys thanks to hashcat

≪ Previous: SHA256

Hi,

Thanks in advance for any help with this.
I'm very new to Hashcat and playing around with my gear cracking hashes. I regularly get the message about 'creating more work....parallelization power'. So tonight I tried to get the maskprocessor command working, but no luck.

Gear = Win10, GTX 980Ti

I've read through the doc's, the forum and I don't have the know how to get it going. This is the command I've tried:

Code:
..\maskprocessor-0.73\mp64.exe -i 7:20 ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a | hashcat64.exe -m0 -O --status  .\HASHES\unfound.txt -o Found.txt

This command runs, but my Speed drops down to 427 kH/s and in the Candidates: *(RT -> -K$%
This makes me feel like it's only throwing 4 digit passwords at the hash, when in fact it should be starting with 7 digit candidates?

Whereas, my previous command:

Code:
hashcat64.exe -m0 -a3 -O --status --increment --increment-min 7 --increment-max 20 .\HASHES\unfound.txt ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a -o Found.txt

Speed: 11552 MH/s with a mask of 7 and an ETA of 1:39hr

I thought by running an mp and pipe, that I might be able to improve my results.
Or am I just reading it all wrong Tongue

So my questions are, should I be using an mp and pipe (faster results)?
What would the correct syntax?
Basically trying to brute force passwords between 7 - 20 digits on an MD5 hash.

Thanks again Smile

↧

Geokeys thanks to hashcat

February 29, 2020, 3:06 pm

≫ Next: wordlist creates

≪ Previous: Maskprocessor | Hashcat syntax question

I created an alternative to seed phrases to make ECDSA keys for crypto currencies rememberable, verbally transferable and recoverable.

https://github.com/oscar-davids/geokeytool

An essential part of it is to brute force to the right entropy of a key which would have been a really hard job to accomplish if there would not be everything there already in hashcat.

I am curious what you guys think of it and thanks for anyone who helped me on this forum with my questions around how to scale bcrypt hashing!

Thank You all!

↧

wordlist creates

February 29, 2020, 11:14 pm

≫ Next: clSetKernelArg(): CL_INVALID_MEM_OBJECT

≪ Previous: Geokeys thanks to hashcat

I want to create a password list
wordlist1 + wordlist2
Which program do I have to use

Please help me
thank you

↧

clSetKernelArg(): CL_INVALID_MEM_OBJECT

March 2, 2020, 11:41 am

≫ Next: Kerberos AS-REP Cracking

≪ Previous: wordlist creates

Hello!

i am new to this forum and dont have any experience with hashcat.

So i got a wallet.dat, got a hash from it with btc2john.py , and now i want to get the password from it via hashcat but all the time a get :

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

clSetKernelArg(): CL_INVALID_MEM_OBJECT

Started: Mon Mar 02 20:25:30 2020
Stopped: Mon Mar 02 20:25:34 2020

i would appreciate any kind of help
Best Regards
Abravarietas

↧

Kerberos AS-REP Cracking

February 21, 2020, 7:15 am

≫ Next: Deep Learning on wordlist.

≪ Previous: clSetKernelArg(): CL_INVALID_MEM_OBJECT

Code:
$krb5asrep$23$jsmith@SCRM.LOCAL:83ef5dfc031383cf195504c9e07a8733$b70396f4f51eecea3ac23e23c5115ff2b2786eae8211b42e5425f084ed9ed0928468c6f835c92a1da427343f857f5941a610a39661008ce67063d4f79e30b461b47361e7ded199002cb63848b5c00e008fd2cc3f454dc91adad12d94bcba67cc8bf06b7f8807643af587971c129db103a14edde927f470fdbc3a477bf9d1ec22a57a029dbfdf4c6fc075234721ffe96e6513685fbc84ff727d9f6ad1870d3e1534bbabecd888c93f37f57bdcd31baac44a0d5be93cbe7464c637b510b75fd061c315a1251534007223d032c94a70aa96241520e298781f04229bd46f828ea2588a34416060ea4f41

If I've understood the Kerberos RFC correctly (https://tools.ietf.org/html/rfc4120) then the actual data contained in this cipher is:

Code:
EncKDCRepPart  ::= SEQUENCE {

          key            [0] EncryptionKey,

          last-req        [1] LastReq,

          nonce          [2] UInt32,

          key-expiration  [3] KerberosTime OPTIONAL,

          flags          [4] TicketFlags,

          authtime        [5] KerberosTime,

          starttime      [6] KerberosTime OPTIONAL,

          endtime        [7] KerberosTime,

          renew-till      [8] KerberosTime OPTIONAL,

          srealm          [9] Realm,

          sname          [10] PrincipalName,

          caddr          [11] HostAddresses OPTIONAL

  }

↧