Please note, this is a STATIC archive of website hashcat.net from October 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.

NTLM hash with russian charset
#1
here is the NTLM hash - 801e1482cfedbaa88812cdb106afa7a7
passworsd which i set - нфмфыдщму
command - cudahashcat64 -m 1000 -a 0 ntlm.txt pas.txt
I tried cp1251, co866 coding in pass file, tried using -1 charsets/..../ru_1251.hcchr with -a 3 type attack but programs didn't find salt
In Others programs like EGB Cain and Abel this passwords is match.

What did I wrong? Please test this hash with this password in hashcat program
#2
Yep, can reproduce on -a 3 and -a 0.
NTLM matches the password, for sure.
#3
(06-16-2015, 07:31 AM)Rolf Wrote: Yep, can reproduce on -a 3 and -a 0.
NTLM matches the password, for sure.

Thanks for fast reply. Have you any thoughts why hashcat doesn't work in my case?
I launched it via cmd on Windows 7 , tried change charset in cmd - 1251, 866 ,65001, maybe here the deal with OS?
#4
I'll just quote Philipp here
Code:
[10:33:47] <philsmd> the problem is encoding which oclHashcat doesn't do at all (because normally the operating system can handle this)
[10:33:55] <philsmd> but for -m 1000 it is different
[10:33:59] <philsmd> because the *algorithm* says
[10:34:07] <philsmd> convert the input to utf16-le
[10:34:45] <philsmd> and oclHashcat/hashcat does not fully (or say it doesn't follow the standard) support it
[10:35:17] <philsmd> it is a hack, due to performance etc

Also, this was fun (had to save this in cp866, otherwise fail):
Code:
ighashgpu.exe -t:md4 -max:9 -unicode -fun -u:нфмыдщу h:801E1482CFEDBAA88812CDB106AFA7A7
****************************************************************
***      MD4/MD5/SHA1 GPU Password Recovery v0.94.17.1       ***
***    For ATI RV 7X0 cards and nVidia 'CUDA' ones (G80+)    ***
***      (c) 2009-2013 Ivan Golubev, https://golubev.com      ***
***             see "readme.htm" for more details            ***
****************************************************************
*** Any commercial use of this program is strictly forbidden ***
****************************************************************

Found 1 CUDA device(s)
Starting brute-force attack, Charset Len = 7, Min passlen = 4, Max passlen = 9
Charset (unicode) [???????]
Charset in HEX: 043d 0444 043c 044b 0434 0449 0443
Starting from [????]
Hash type: MD4, Hash: 801e1482cfedbaa88812cdb106afa7a7
Device #0: [GeForce GTX TITAN] 928.00 Mhz 2688 SP
Hardware monitoring enabled, threshold temperature is 90°C.
CURPWD:  DONE: 00.87% ETA: 0s CURSPD: 2511.2M
Found password: [нфмфыдщму], HEX: 043d 0444 043c 0444 044b 0434 0449 043c 0443
Processed 1 018 429 440 passwords in 1s.
Thus, 1 917 946 214 password(s) per second in average.

Have fun and very productive day!

As mentioned here, there is no true UTF-16(LE) support in oclhc.
Bottom line: developers know about the issue.
#5
So basically this string is hashed with md4:
Code:
$HEX[3d0444043c0444044b04340449043c044304]

You can also test it like this (attention with -m 900 instead of -m 1000):
Code:
$ hex2bin 3d0444043c0444044b04340449043c044304 > dict.txt
$ ./oclHashcat64.bin --quiet -m 900 801e1482cfedbaa88812cdb106afa7a7 dict.txt
801e1482cfedbaa88812cdb106afa7a7:$HEX[3d0444043c0444044b04340449043c044304]

Note: instead of hex2bin you could just use
Code:
echo 3d0444043c0444044b04340449043c044304 | xxd -p -r
if you want.

The reason for the missed crack can be easily seen here.
This is how oclHashcat tries to crack it (oclHashcat doesn't mess with encoding!):
Code:
$ perl -e 'use Encode; use Digest::MD4 q (md4_hex); print md4_hex (encode ("UTF-16LE", pack ("H*", "EDF4ECF4FBE4F9ECF3"))) . "\n";'
83d1adcd5f3557b0ea7cb88c23e78acf
$ hex2bin EDF4ECF4FBE4F9ECF3 > dict.txt
$ ./oclHashcat64.bin --quiet -m 1000 83d1adcd5f3557b0ea7cb88c23e78acf dict.txt
83d1adcd5f3557b0ea7cb88c23e78acf:$HEX[edf4ecf4fbe4f9ecf3]

But this is how the ntlm algorithm works (encoding is important):
Code:
$ perl -e 'use Encode; use Digest::MD4 q (md4_hex); use encoding 'cp1251'; print md4_hex (encode ("UTF-16LE", pack ("H*", "EDF
4ECF4FBE4F9ECF3"))) . "\n";'
801e1482cfedbaa88812cdb106afa7a7

The most important part is the "use encoding 'cp1251'". But as said, oclHashcat doesn't care about encoding and does not fully support utf-16 as mentioned (amongst others) here: https://hashcat.net/forum/thread-3729.html - the suggested feature request by atom was "No new algorithm, add true support for utf-16".
#6
As a workaround, you can use the -m 900 type:

Quote:root@et:~/oclHashcat-1.37# ./oclHashcat64.bin -m 900 801e1482cfedbaa88812cdb106afa7a7 -a 3 3d0444043c0444044b04340449043c044304 --hex-charset
oclHashcat v1.37 starting...

Device #1: Hawaii, 4032MB, 1000Mhz, 44MCU
Device #2: Hawaii, 4032MB, 1000Mhz, 44MCU
Device #3: Juniper, 256MB, 850Mhz, 10MCU
Device #4: Juniper, 256MB, 850Mhz, 10MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Scalar-Mode
* Raw-Hash
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4098/m00900_a3.Hawaii_1729.3_1729.3 (VM)_1434313735.kernel (134016 bytes)
Device #1: Kernel ./kernels/4098/markov_le_v1.Hawaii_1729.3_1729.3 (VM)_1434313735.kernel (36176 bytes)
Device #2: Kernel ./kernels/4098/m00900_a3.Hawaii_1729.3_1729.3 (VM)_1434313735.kernel (134016 bytes)
Device #2: Kernel ./kernels/4098/markov_le_v1.Hawaii_1729.3_1729.3 (VM)_1434313735.kernel (36176 bytes)
Device #3: Kernel ./kernels/4098/m00900_a3.Juniper_1729.3_1729.3_1434313735.kernel (270532 bytes)
Device #3: Kernel ./kernels/4098/markov_le_v1.Juniper_1729.3_1729.3_1434313735.kernel (42708 bytes)
Device #4: Kernel ./kernels/4098/m00900_a3.Juniper_1729.3_1729.3_1434313735.kernel (270532 bytes)
Device #4: Kernel ./kernels/4098/markov_le_v1.Juniper_1729.3_1729.3_1434313735.kernel (42708 bytes)


ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of your GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=fre...full_speed


INFO: approaching final keyspace, workload adjusted

801e1482cfedbaa88812cdb106afa7a7:$HEX[3d0444043c0444044b04340449043c044304]

Session.Name...: oclHashcat
Status.........: Cracked
Input.Mode.....: Mask (3d0444043c0444044b04340449043c044304) [18]
Hash.Target....: 801e1482cfedbaa88812cdb106afa7a7
Hash.Type......: MD4
Time.Started...: 0 secs
Speed.GPU.#1...: 0 H/s
Speed.GPU.#2...: 0 H/s
Speed.GPU.#3...: 0 H/s
Speed.GPU.#4...: 0 H/s
Speed.GPU.#*...: 0 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 1/1 (100.00%)
Rejected.......: 0/1 (0.00%)
HWMon.GPU.#1...: 0% Util, 44c Temp, 20% Fan
HWMon.GPU.#2...: 0% Util, 43c Temp, 20% Fan
HWMon.GPU.#3...: 0% Util, 42c Temp, 39% Fan
HWMon.GPU.#4...: 0% Util, 44c Temp, 41% Fan

Started: Tue Jun 16 11:58:56 2015
Stopped: Tue Jun 16 11:58:57 2015
#7
To our poor users: use this if you're not dealing with Latin(ASCII) characters.
#8
Thanks very mush. All works.
#9
One more question . If i create file with russian abc which in hex format and then define --custom-charset1=russian_abc_hex.txt and use this command
-m 900 -a 3 --custom-charset1= russian_abc_hex.txt --hex-charset ntlm.txt ?1?1?1?1?1?1?1?1?1
where ntlm.txt is file with hash then it doesn't works. How define mask with all possible russian symbols?
#10
The mask needs to be 18 characters, as unicode characters are two bytes long.