Cracking Passwords with Umlauts
Carrie Roberts // *Guest Blog
You have a password hash you would like to crack for a password that contains an Umlaut. You know, the two dots over a letter as is commonly seen in the German language.
For our example here, we have the Windows password hash of the password “Möm Rülez!” I know, I know, it’s not German, but just work with it. This password hash information was extracted from an Active Directory domain controller using the method described in the Domain Password Audit Tool (DPAT) Documentation.
dpatdomain.local\larry:1603:aad3b435b51404eeaad3b435b51404ee:ecd382f6949d712f7f81982242755cc3:::
The domain name is “dpatdomain.local”, the username is “larry”, and the Relative ID (RID) number is “1603”. The next 32 characters (aad3b435b51404eeaad3b435b51404ee) are the LAN Manager (LM) hash. It is an older, weaker hashing algorithm maintained for backward compatibility. Windows stores the value shown here, which is simply the hash of a blank password when it has been configured to not store these weaker hashes. In this case, only the next hash value is a true representation of the password.
The next hash value (ecd382f6949d712f7f81982242755cc3) is known as the NT (New Technology) or NTLM hash. It is a stronger hash that requires more computing resources to crack.
To get started with password cracking, we copy and paste our password containing umlauts into a text file called wordlist.txt. We will use wordlist.txt as our word list during password cracking. First, we try John the Ripper (JtR) for password cracking as follows:
john hashes.ntds -w=wordlist.txt --format=NT
Everything works as expected and the password is cracked because this password was included in the wordlist (wordlist.txt).
Now let’s try the same thing with the Hashcat password cracking tool.
hashcat -m 1000 -a 0 hashes.ntds wordlist.txt
Here the “-m 1000” parameter specifies the password type of NTLM, and the “-a 0” parameter specifies that a simple wordlist is used for password guesses.
To our dismay, Hashcat does not crack the password.
We can take a closer look at our wordlist file using the xxd tool to show the bytes of the file.
The password is represented by the hex characters 4dc3b66d2052c3bc6c657a21. Notice the use of two bytes for each of the umlaut characters.
Conversely, the image below shows the password converted from ASCII to hex (4df66d2052fc6c657a21) using a different character encoding.
To get Hashcat to crack the password properly, we need to fix the encoding mismatch. We could do this by creating our password list in Notepad on Windows and choosing ANSI for the encoding type as shown at the bottom of this image.
Or we could convert our wordlist with the iconv tool on Linux:
iconv wordlist.txt -f utf-8 -t windows-1252 > wordlist-ansi.txt
The “-f” parameter specifies what encoding we are converting from, while the “-t” parameter specifies the encoding we are converting to. The encoding names are confusing and inconsistent but windows-1252, cp1252 and ANSI are often used to refer to the same encoding. Now, running Hashcat again with the new wordlist (wordlist-ansi.txt) shows that we have cracked the password.
hashcat -m 1000 -a 0 hashes.ntds wordlist-ansi.txt
However, it displays the password in an interesting way, giving the password in hex inside of a $HEX[ ] tag.
Ah, yes, we recognize those hex characters (4df66d2052fc6c657a21) from our earlier investigation. Let’s convert that hex back to ascii and confirm it is the password we expect.
Now we have successfully cracked the password of “Möm Rülez!” using Hashcat.
We have demonstrated how to crack this special password with JtR and Hashcat using a dictionary attack, but what if we want to brute force the password? For the brute forcing method, only the Hashcat solution will be shown in this blog post.
The following command defines character set one (-1) as the German special characters, and character set two (-2) as all upper (?u), lower (?l), and special (?s) characters in addition to character set one. The long row of ten “?2” values tells Hashcat to crack all possible 10-character combinations using this character set. The “-a 3” parameter specifies that the Brute-force attack mode be used instead of a dictionary attack.
hashcat -m 1000 -a 3 hashes.ntds -1 /usr/share/hashcat/charsets/special/German/de_ISO-8859-1-special.hcchr -2 ?1?u?l?s ?2?2?2?2?2?2?2?2?2?2
Unfortunately, brute-forcing a 10-character password using this character set is not likely to complete in your lifetime, but it does give some insight into how to include umlauts in the character set.
An alternative method is to define the umlauts in hex, directly on the command line, using the “–hex-charset” parameter as shown below. Here we have specified that the ö (f6) and the ü (fc) be included in the character set, along with all upper, lower, and special characters.
hashcat -m 1000 -a 3 hashes.ntds --hex-charset -1 ?l?u?sf6fc ?1?1?1?1?1?1?1?1?1?1
Happy cracking and please reach out if you have additional ideas or suggestions.
*Thank you to Carrie Roberts for another terrific guest blog.
You can learn more from Carrie in her classes!
Check them out here:
Attack Emulation Tools: Atomic Red Team, CALDERA and More
Available live/virtual and on-demand!