Passwords
More On Foreign Hashes
This is an update on this previous post on foreign NT hashes where I got things a little wrong by believing the source encoding matters for an NT hash. It doesn’t really, let me show you why.
I spent a bit of time exploring further, in particular, I took it down to a test case. Jameel gave me his name as a password in Arabic:
Included as a picture because WordPress is messing with my UTF8.
“echo d8acd985d98ad9842031|xxd -ps -r” can give it to you straight That’s Jameel1 in Arabic. It’s encoded in UTF8 in most places, whose bytes are:
NTHashes and Encodings
If you’ve ever cracked a hash with hashcat, you’ll know that sometimes it will give you a $HEX[0011223344] style clear. This is done to preserve the raw byte value of the clear when the encoding isn’t known (or there’s a colon “:” character).
Investigation Driven by an inability to crack the majority of a certain set of hashes I suspected were in a foreign charset, I decided to have a closer look at what was going on. Let’s take a look at the following examples:
Page 1 of 1