Cracking iSCSI CHAP authentication hashes with long challenges (64+ bytes), which Hashcat's native mode 4800 cannot handle.
| Feature | Description |
|---|---|
| π¨ Dark-themed GUI | Professional tabbed interface with modern color scheme |
| π’ Long Challenge Support | Handles CHAP challenges of any length (64β1024 bytes), bypassing Hashcat mode 4800's 16-byte limit |
| π Auto-Clean Input | Paste hex values with 0x, spaces, or colons β the tool sanitizes automatically |
| π Multi-Encoding Support | ASCII, UTF-8, and UTF-16LE wordlists with automatic conversion |
| 𧩠Null-Pad Option | Optional 16-byte null padding for targets that pad passwords before hashing |
| β‘ One-Click Hashcat Launch | Generates files and launches Hashcat directly from the GUI |
| π Auto-Decode Results | Converts $HEX[...] Hashcat output back to readable plaintext automatically |
| ποΈ Cracked Password Manager | View, export, and clear previously cracked passwords across sessions |
| π Auto-Detect Hashcat | Automatically finds hashcat.exe in common locations or PATH |
| π§Ή Potfile Management | Delete potfiles before runs to avoid cached results interfering |
| π Clipboard Copy | One-click copy of recovered passwords to clipboard |
| π€ Export Results | Save cracked passwords to a text file |
| β±οΈ Live Status Monitor | Timer-based process monitoring with status bar updates |
| π‘ Tooltips | Hover help on every input field |
| π₯οΈ Resize-Aware Layout | Form resize handler keeps all elements properly positioned |
Hashcat's native mode 4800 (iSCSI CHAP authentication, MD5) only supports 16-byte CHAP challenges. However, many modern Linux iSCSI targets (TGT, LIO/TCMU, ESXi, etc.) generate longer challenges β typically 64 bytes or more.
When you try to crack these with Hashcat mode 4800, you get:
Token length exception
This happens because:
- RFC 3720 allows CHAP challenges up to 1024 bytes
- Hashcat mode 4800 was hardcoded for the legacy 16-byte challenge length
- Windows iSCSI Initiator happily accepts and uses these long challenges
- Your captured handshake is valid β Hashcat just can't ingest it
This tool converts the iSCSI CHAP capture into Hashcat mode 10 format:
MD5(password || salt)
Where:
password=CHAP_I(1-byte identifier) + your candidate passwordsalt= fullCHAP_Cchallenge (can be 64, 128, 256+ bytes)
By hex-encoding the wordlist and prepending CHAP_I to every candidate, Hashcat mode 10 computes the exact same hash as the iSCSI CHAP response β without the 16-byte limitation.
- Windows with PowerShell 5.1 or later
- Hashcat (tested with 6.2.x+)
- A wordlist (e.g.,
rockyou.txt, custom lists) - iSCSI CHAP capture data (see Getting CHAP Hashes)
- GPU with OpenCL/CUDA support (Hashcat will use CPU otherwise)
- Large wordlists for complex passwords
- Download
iSCSI_CHAP_Cracker.ps1 - Install Hashcat and ensure
hashcat.exeis in your PATH, or configure the full path in the tool - Right-click β Run with PowerShell, or execute:
.\iSCSI_CHAP_Cracker.ps1
β οΈ Note: If execution policy blocks the script, run:Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
-
Start a capture on the network interface connected to your iSCSI target
-
Filter for iSCSI protocol:
iscsi.keyvalue -
Look for the CHAP Authentication sequence:
CHAP_Cβ Challenge from target (long hex string, 128+ chars)CHAP_Rβ Response from initiator (32 hex chars = 16-byte MD5)CHAP_Iβ Identifier (usually0x01,0x02, etc.)
-
Right-click each field β Copy β Value (as hex string)
Example Wireshark fields:
iscsi.chap.c β CHAP_C (Challenge)
iscsi.chap.r β CHAP_R (Response)
iscsi.chap.i β CHAP_I (Identifier)
# Capture iSCSI traffic
sudo tcpdump -i eth0 -w iscsi.pcap port 3260
# Extract CHAP fields
tshark -r iscsi.pcap -Y "iscsi.opcode == 0x03" -T fields -e iscsi.chap.i -e iscsi.chap.c -e iscsi.chap.rSome iSCSI initiators log authentication details. Check:
Event Viewer β Applications and Services Logs β Microsoft β Windows β iSCSI- Initiator debug logs (if enabled)
| Field | Format | Example |
|---|---|---|
| CHAP_I | 1-2 hex digits | 0x01 or just 1 |
| CHAP_C | Long hex string (64β1024 bytes) | 0xb06ceb4baefc3362... (128+ chars) |
| CHAP_R | Exactly 32 hex chars (16-byte MD5) | 0x713b60dcda2cfcc4a02ece6852fdf2ad |
π‘ Tip: The tool accepts
0xprefix, spaces, colons β it auto-cleans everything.
- Paste
CHAP_I,CHAP_C,CHAP_Rinto the fields - Select wordlist via Browse button
- Choose encoding:
ASCIIβ Standard text wordlistsUTF8β Unicode wordlistsUTF16LEβ Windows-style UTF-16 (auto-converted to ASCII hex)
- Check Null-pad if your target pads passwords to 16 bytes with
0x00 - Click GENERATE FILES β creates
hash.txt+wordlist_hex.txt - Click RUN HASHCAT β launches Hashcat mode 10
- Click DECODE β converts
$HEX[...]output to readable plaintext
View, export, and clear previously cracked passwords from:
cracked.txt(output directory)hashcat.potfile(output directory + Hashcat directory)
| Setting | Description |
|---|---|
| Hashcat .exe | Path to hashcat.exe (auto-detected if in PATH) |
| Output Dir | Where generated files are saved |
| Default Encoding | Pre-selected wordlist encoding |
| Null-pad default | Auto-check null-pad option |
| Auto-delete potfile | Clear previous results before run |
| Auto-decode | Automatically decode after Hashcat finishes |
Long salts (>16 bytes) require Hashcat's pure kernel. The tool generates the command without -O. If you run Hashcat manually, omit -O:
# β
CORRECT
hashcat.exe -m 10 -a 0 --hex-wordlist --hex-salt hash.txt wordlist_hex.txt -o cracked.txt --force
# β WRONG β will fail with long challenges
hashcat.exe -m 10 -a 0 -O --hex-wordlist --hex-salt hash.txt wordlist_hex.txt- Add
-w 3for maximum GPU workload - Add
-d 1to specify a specific GPU device - Use
--potfile-disableif you don't want to save tohashcat.potfile
Initiator Target
βββββββββ ββββββ
β βββββββ CHAP_I (identifier) ββββββ> β
β <ββββ CHAP_C (random challenge) ββββ β
β β
β response = MD5(CHAP_I || password || CHAP_C)
β βββββββ CHAP_R (response) βββββββββ> β
β β
β Target verifies: MD5(CHAP_I || password || CHAP_C) == CHAP_R
Hashcat mode 10: md5($pass.$salt)
| iSCSI CHAP | Hashcat Mode 10 |
|---|---|
password = CHAP_I || user_password |
pass = hex-encoded CHAP_I || candidate |
salt = CHAP_C (full challenge) |
salt = full CHAP_C |
Hash = MD5(password || salt) |
Hash = MD5(pass || salt) |
By hex-encoding the wordlist and prepending CHAP_I, each candidate becomes the correct iSCSI CHAP password format.
This tool is provided for authorized security testing and research only. Always ensure you have permission to test target systems.
- Hashcat team for the excellent cracking engine
- GitHub issue #1773 contributors for the mode 10 workaround concept