07-31-2017, 12:51 PM
Hello, I'm trying to find a lost password for a piece of equipment. We were able to locate a file on the file system that contains the username, realm and password hash, it is in the following format:
admin:Acme Corp monitoring server:AAAAAAAAAABBBB12345
I believe this is called Digest authentication.
I also have access to a similar device in which I know the password. The relam and username are the same, if I MD5 the three together I come out with the correct hash for that piece of equipment.
So what I would like to do is prepend "admin:Acme Corp monitoring server:" to a wordlist and then try brute force if that doesn't work.
First I thought a custom charset would be what I needed, I created a maskfile with the following contents:
This seems to work, at first it iterates through the username and realm then starts brute forcing, which is good, but I tried to use the "-i --increment-min=8" command because I know how long my test password it but it didn't seem to work.
Another problem I ran into was getting an output I tried changing the mask file to:
Hashcat cracks it quickly but I can't see where in the output it gives the password it found, I checked the potfile but it gives me a hex output that doesn't convert into the password.
Any suggestions on where to go next would be helpful.
Running Windows 10 x64 hashcat 3.5.0
admin:Acme Corp monitoring server:AAAAAAAAAABBBB12345
I believe this is called Digest authentication.
I also have access to a similar device in which I know the password. The relam and username are the same, if I MD5 the three together I come out with the correct hash for that piece of equipment.
So what I would like to do is prepend "admin:Acme Corp monitoring server:" to a wordlist and then try brute force if that doesn't work.
First I thought a custom charset would be what I needed, I created a maskfile with the following contents:
Code:
admin:Acme Corp monitoring server:?a?a?a?a?a?a?a?a
This seems to work, at first it iterates through the username and realm then starts brute forcing, which is good, but I tried to use the "-i --increment-min=8" command because I know how long my test password it but it didn't seem to work.
Another problem I ran into was getting an output I tried changing the mask file to:
Code:
admin:Acme Corp monitoring server:P@ssw0r?a
Hashcat cracks it quickly but I can't see where in the output it gives the password it found, I checked the potfile but it gives me a hex output that doesn't convert into the password.
Any suggestions on where to go next would be helpful.
Running Windows 10 x64 hashcat 3.5.0