
Hashcat ✳️ Tips & Techniques ✳️ Foreign Language Character Encoding

Teraflops

Most wordlists are encoded in UTF-8, which has become the de facto standard encoding for websites worldwide. The fact that UTF-8 is the standard for web-facing text does not mean it was the encoding in use when a hash was generated: a hash covers the raw bytes of the password, and a legacy application or operating-system code page produces different bytes for the same characters, so a UTF-8 wordlist will never match. This post aims to help those trying to crack the harder hashes that originate from non-English-speaking countries.
This is not intended for those new to hashcat. The example hashcat commands show only the parameters relevant to the attack method, for readability.
Essential reading: https://www.blackhillsinfosec.com/cracking-passwords-with-umlauts/
The examples below use a German wordlist converted to Windows-1252 (cp1252), extending what is discussed in the Black Hills Infosec article. The same principles apply to most other languages and encodings.
Basic Attack Methods:
1) Convert wordlist encoding and perform dictionary attack. Note that iconv stops with an error if the wordlist contains a character that the target encoding cannot represent; add -c to drop such characters instead, and compare line counts afterwards so you know how many candidates were lost.
iconv german.txt -f utf-8 -t windows-1252 > german-1252.txt
hashcat -m 0 -a 0 md5_unfound.txt german-1252.txt
2) Pipe encoded wordlist for dictionary attack
iconv german.txt -f utf-8 -t windows-1252 | hashcat -m 0 -a 0 md5_unfound.txt
3) Convert wordlist encoding and perform combinator attack (reference: https://hashcat.net/wiki/doku.php?id=combinator_attack)
iconv german.txt -f utf-8 -t windows-1252 > german-1252.txt
hashcat -m 0 -a 1 md5_unfound.txt german-1252.txt german-1252.txt
The above attacks will only get you the most basic passwords, but we can build on the idea to generate more likely password candidates:
4) Hybrid attack with encoded wordlist (reference: https://hashcat.net/wiki/doku.php?id=hybrid_attack)
hashcat -m 0 -a 6 md5_unfound.txt german-1252.txt '?d?d?d?d?d?d' --increment
hashcat -m 0 -a 6 md5_unfound.txt german-1252.txt '?s?d?d?d?d' --increment
hashcat -m 0 -a 6 md5_unfound.txt german-1252.txt '?d?d?d?d?s'
5) Rule-based attack with encoded wordlist (reference: https://hashcat.net/wiki/doku.php?id=rule_based_attack). Of the built-in rules, the T0XlC*, dive, and d3ad0ne rules generally perform well on foreign languages and various encodings.
hashcat -m 0 -a 0 -r dive.rule md5_unfound.txt german-1252.txt
-or-
iconv german.txt -f utf-8 -t windows-1252 | hashcat -m 0 -a 0 -r dive.rule md5_unfound.txt
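The point behind all of the above, as an added example that is not part of the original post: a hash covers the bytes of the password, so the same German word hashes differently under UTF-8 and Windows-1252, and a known plaintext/hash pair can be used to work out which encoding the target system used. The script assumes a POSIX sh with iconv and md5sum on PATH; the word and the "legacy" hash are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh, iconv and md5sum.

# Hex dump of "$1" after converting it from UTF-8 to encoding "$2".
encode_hex() {
  printf '%s' "$1" | iconv -f UTF-8 -t "$2" | od -An -tx1 | tr -d ' \n'
}

# MD5 of "$1" after converting it from UTF-8 to encoding "$2". No trailing
# newline is hashed, which matches how hashcat treats a wordlist entry.
md5_in_encoding() {
  printf '%s' "$1" | iconv -f UTF-8 -t "$2" | md5sum | cut -d' ' -f1
}

# Given a UTF-8 plaintext and a target MD5, try the encodings commonly seen for
# German text and print the first one whose bytes reproduce the hash.
# Returns 1 and prints nothing if none match. Note that the 8-bit encodings
# agree on the umlauts (0xFC for ü in cp1252, latin1 and latin9) and differ only
# in spots such as the euro sign, so one word may not distinguish them.
find_encoding() {
  plain=$1; target=$2
  for enc in UTF-8 WINDOWS-1252 ISO-8859-1 ISO-8859-15; do
    if [ "$(md5_in_encoding "$plain" "$enc")" = "$target" ]; then
      printf '%s\n' "$enc"
      return 0
    fi
  done
  return 1
}

# Constructed demo: "Grün" is 5 bytes in UTF-8 (ü = c3 bc) and 4 bytes in
# Windows-1252 (ü = fc), so the two MD5s differ.
word='Grün'
for enc in UTF-8 WINDOWS-1252; do
  printf '%-13s bytes=%s md5=%s\n' "$enc" \
    "$(encode_hex "$word" "$enc")" "$(md5_in_encoding "$word" "$enc")"
done

# Simulate a hash produced by a cp1252 system, then recover the encoding from it.
legacy_hash=$(md5_in_encoding "$word" WINDOWS-1252)
find_encoding "$word" "$legacy_hash"
```

In practice you run find_encoding against one of the plaintexts recovered from the same dump (or a password you already know for the target); if only the Windows-1252 or ISO-8859-x encodings reproduce the hash, the whole wordlist needs to be converted before the attacks above will hit the umlauted passwords.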
Advanced Attack Methods:
These attacks use hashcat's PRINCE processor (princeprocessor), a standalone, optimized candidate generator that runs outside hashcat and chains words from a wordlist together. Think of it as a combinator attack on steroids. Available for download from https://github.com/hashcat/princeprocessor.
6) PRINCE processor as combinator + rule (reference: https://hashcat.net/wiki/doku.php?id=princeprocessor)
pp64.bin --elem-cnt-min=1 --elem-cnt-max=4 --pw-min=4 --pw-max=20 german-1252.txt | hashcat -m 0 -a 0 -r dive.rule md5_unfound.txt
7) Purple Rain Attack (reference: https://www.netmux.com/blog/purple-rain-attack). Suited mainly to fast hashes.
iconv german.txt -f utf-8 -t windows-1252 | shuf | pp64.bin --elem-cnt-min=1 --elem-cnt-max=4 --pw-min=4 --pw-max=20 | hashcat -m 0 -a 0 -r dive.rule md5_unfound.txt
My personal favorite on fast hashes (i.e. MD5 / NTLM) is to use a simple rule and hashcat's stdout functionality to first modify the wordlist before it is fed into the PRINCE processor. Although best64.rule is used below, I recommend building a custom rule that prepends and appends special characters, toggles characters (mainly T0 to uppercase/lowercase the first char), and does basic leetspeak replacements. It lends itself especially well to foreign language attacks where only limited dictionaries are available.
8) Hashcat stdout + Purple Rain (An UberFuck Fav)
iconv german.txt -f utf-8 -t windows-1252 | shuf | hashcat --stdout -r best64.rule | pp64.bin --elem-cnt-min=1 --elem-cnt-max=4 --pw-min=4 --pw-max=20 | hashcat -m 0 -a 0 -r dive.rule md5_unfound.txt
Notes and Tips:
On hashes that did not originate in the US, it is common to see more purely numeric plaintext passwords, or passwords ending in 6-10 digits. For these foreign hash lists, I normally first run a https://hashcat.net/wiki/doku.php?id=mask_attack with digits incrementing to a length of 10, then a hybrid attack, and lastly rule-based attacks. Because character encoding differences only affect words containing non-ASCII characters, you may still crack a share of the hashes with a UTF-8 wordlist, but none of the recovered plaintexts will contain the special characters you would expect for the language - umlauts for German (ü) or the cedilla for Portuguese (ç). When you notice this, it is time to try different encodings.
Generic foreign language dictionaries don't always perform well when used in hashcat. I recommend using https://digi.ninja/projects/cewl.php to scrape relevant websites in the targeted language *in addition to* the generic dictionaries. Any found passwords for that language should be kept in a separate file for later use. Continually merge the dictionaries, scraped words, and found passwords into a new wordlist and encode it in the charsets common for the language (e.g. German = UTF-8, Windows-1252, ISO-8859-15, ISO-8859-1).
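The merge-and-encode step from the note above, as an added example that is not part of the original post: several sources (a generic dictionary, a CeWL scrape, passwords cracked so far) are merged into one deduplicated UTF-8 list, and one copy per encoding is written out, with a count of the entries that each encoding cannot represent. The script assumes POSIX sh and iconv on PATH; the three input lists are constructed in a temporary directory and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh and iconv.

# True if "$1" survives a UTF-8 -> "$2" -> UTF-8 round trip. This catches both
# iconv implementations that abort on an unrepresentable character and ones
# that substitute a placeholder for it, without relying on iconv -c.
representable() {
  out=$(printf '%s' "$1" | iconv -f UTF-8 -t "$2" 2>/dev/null \
        | iconv -f "$2" -t UTF-8 2>/dev/null)
  [ "$out" = "$1" ]
}

# Merge and deduplicate: $1 = output file (UTF-8), remaining args = source files.
merge_sources() {
  out=$1; shift
  cat "$@" | grep -v '^$' | LC_ALL=C sort -u > "$out"
}

# Write the UTF-8 list "$1" converted to encoding "$2" into "$3" and print the
# number of entries dropped because "$2" cannot represent them. Checking entry
# by entry is slow on a real multi-million-line list; there, use iconv -c and
# compare line counts instead.
encode_list() {
  src=$1; enc=$2; dst=$3; dropped=0
  : > "$dst"
  while IFS= read -r word; do
    if representable "$word" "$enc"; then
      printf '%s\n' "$word" | iconv -f UTF-8 -t "$enc" >> "$dst"
    else
      dropped=$((dropped + 1))
    fi
  done < "$src"
  echo "$dropped"
}

# --- constructed demo data (placeholder file names) ---
work=$(mktemp -d)
printf 'Grün\nStraße\nPasswort\n' > "$work/dict.txt"          # generic dictionary
printf 'Fußball\nPasswort\n€uro\nŞahin\n' > "$work/cewl.txt"   # CeWL scrape
printf 'Grün123\n' > "$work/found.txt"                         # cracked so far

merge_sources "$work/merged-utf8.txt" "$work/dict.txt" "$work/cewl.txt" "$work/found.txt"

# Windows-1252 and ISO-8859-15 keep the euro sign, ISO-8859-1 cannot; the
# Turkish Ş is lost in all three.
for enc in WINDOWS-1252 ISO-8859-15 ISO-8859-1; do
  n=$(encode_list "$work/merged-utf8.txt" "$enc" "$work/merged-$enc.txt")
  printf '%-12s %s entries, %s dropped\n' "$enc" \
    "$(wc -l < "$work/merged-$enc.txt" | tr -d ' ')" "$n"
done
```

The per-encoding files are then used in place of german-1252.txt in the attacks above; the dropped counts tell you how much of the scraped material a given legacy code page can never have produced, which is also a hint about which encodings are worth trying at all.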
Wordlist Sources: