The tool we’re going to use here is hashcat. I’ll be testing this using an ATI 6950 2GB GPU running on Kubuntu 64bit using catalyst drivers 12.2. Your mileage might vary depending on what card you’re using.
Hashcat (now known as oclhashcat-plus) comes with a few different binaries depending on what architecture you’ll be running it on.

  • nVidia 32bit – use
  • nVidia 64bit – use
  • ATI 32bit – use
  • ATI 64bit – use

We need to check that the graphics drivers and libraries are all set up correctly, so quickly try running one of the example files.

phillips321@KubuntuDesktop:/media/1TB/TABLES/tools/oclHashcat-plus-0.07$ ./oclExample0.sh
oclHashcat-plus v0.07 by atom starting...
Hashes: 6494
Unique digests: 6494
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes
Rules: 64
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)
HW.Monitor.#1:  0% GPU, 46c Temp
Started: Fri Mar 23 17:16:17 2012
Stopped: Fri Mar 23 17:16:20 2012

Looks like things are working fine 🙂
As we have a pwdump output style we need to cut this down to only show the NTLM hash.
username:userid:lmhash:ntlmhash:::

cat hash.txt
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
cat hash.txt | cut -d: -f4 > hash.ntlm.txt

And now to use oclHashcat to crack the NTLM hash:

$ ./oclHashcat-plus64.bin -m 1000 hash.ntlm.txt darkc0de.lst
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a0.Cayman.64.kernel (1100676 bytes)
Scanning dictionary darkc0de.lst: 1047587 bytes (5.83%), 95782 words,Scanned dictionary darkc0de.lst: 17975864 bytes, 1707658 words, 1707658 keyspace, starting attack...
80290fc9b3c2b233769aa9d6ced8bc86:hacmebank
Status.......: Cracked
Input.Mode...: File (darkc0de.lst)
Hash.Target..: 80290fc9b3c2b233769aa9d6ced8bc86
Hash.Type....: NTLM
Time.Running.: 0 secs
Time.Util....: 957.9ms/0.0ms Real/CPU, 0.0% idle
Speed........:  1031.3k c/s Real, 42049.4k c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 1044861/1707658 (61.19%)
Rejected.....: 56955/1044861 (5.45%)
HW.Monitor.#1:  0% GPU, 45c Temp
Started: Fri Mar 23 17:28:43 2012
Stopped: Fri Mar 23 17:28:44 2012

That’s great and all but what if we wanted to crack using a bruteforce attempt? Well we need to tell Hashcat how we want to bruteforce. Instead of using a dictionary file we must create a mask such as the following examples:

  • ?l?l?l?l?l?l?l?l – 8char lowercase password
  • -1 ?l?u ?1?1?1?1?1?1?1?1 – 8char upper or lowercase password
  • -1 ?l?u?d?s ?1?1?1?1?1?1?1?1 – 8char upper,lower,digits,special password

In order to create your own masks you’ll need to understand the following:

  • ?l is all lower case letters from a to z
  • ?u is all upper case letters from A to Z
  • ?d is all digits from 0-9
  • ?s is all special characters on a standard keyboard
  • ?h is all ISO-8859 characters or “HEX” characters
  • ?D is all 8-bit characters from the German alphabet
  • ?F is all 8-bit characters from the French alphabet
  • ?R is all 8-bit characters from the Russian alphabet
  • -1 abcdABCD -2 1234 is a custom range used like so ?2?2?2?2?1?1?1?1
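
The mask syntax above fixes the size of the search space, which is what decides how long a password of a given length and character mix holds out. The following is an added example (not code from this post or from hashcat) that computes the keyspace of a mask and the worst-case time to exhaust it at the GPU and CPU speeds reported in this post's runs; the function names are hypothetical and the contents of ?s (32 ASCII punctuation characters plus space) are an assumption.

```python
import string

# Built-in placeholders from the list above. The ?s set (32 ASCII punctuation
# characters plus space) is an assumption; the post does not enumerate it.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation + " "),
}

def expand(spec, custom):
    """Return one character set per position described by a mask or charset spec."""
    positions, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key in BUILTIN:
                positions.append(BUILTIN[key])
            elif key in custom:
                positions.append(custom[key])
            else:
                raise ValueError(f"unsupported placeholder ?{key}")
            i += 2
        else:  # a literal character occupies one position on its own
            positions.append({spec[i]})
            i += 1
    return positions

def mask_keyspace(mask, custom_specs=None):
    """Number of candidates a mask generates; custom_specs maps '1', '2', ... to a spec."""
    custom = {}
    for name, spec in (custom_specs or {}).items():
        custom[name] = set().union(*expand(spec, custom))
    total = 1
    for chars in expand(mask, custom):
        total *= len(chars)
    return total

def exhaust_seconds(mask, rate, custom_specs=None):
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return mask_keyspace(mask, custom_specs) / rate

if __name__ == "__main__":
    gpu, cpu = 4019.6e6, 32.52e6  # speeds reported in this post's runs
    for mask, cs in [("?l" * 8, None), ("?2" * 9, {"2": "?l"}),
                     ("?1" * 8, {"1": "?l?u"}), ("?1" * 8, {"1": "?l?u?d?s"})]:
        hours_gpu = exhaust_seconds(mask, gpu, cs) / 3600
        hours_cpu = exhaust_seconds(mask, cpu, cs) / 3600
        print(f"{mask:<20} {mask_keyspace(mask, cs):>24,} GPU {hours_gpu:12.2f} h  CPU {hours_cpu:14.2f} h")
```

The 8 and 9 character lowercase keyspaces it reports match the Progress totals in the hashcat output on this page.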

Here’s a demo of cracking the password hash by brute force, set for a 9 character password using only lowercase letters (I’ve used the flag 2 in this example as ONE looks like a lowercase L):

phillips321@KubuntuDesktop:$ ./oclHashcat-plus64.bin -a 3 -m 1000 hash.ntlm.txt -2 ?l ?2?2?2?2?2?2?2?2?2
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a3.Cayman.64.kernel (190388 bytes)
80290fc9b3c2b233769aa9d6ced8bc86:hacmebank
Status.......: Cracked
Input.Mode...: Mask (?1?1?1?1?1?1?1?1?l)
Hash.Target..: 80290fc9b3c2b233769aa9d6ced8bc86
Hash.Type....: NTLM
Time.Running.: 10 mins, 8 secs
Time.Util....: 544806.8ms/18270.3ms Real/CPU, 3.5% idle
Speed........:  4019.6M c/s Real,  4117.4M c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 2189932462080/5429503678976 (40.33%)
Rejected.....: 0/2189932462080 (0.00%)
HW.Monitor.#1: 77% GPU, 85c Temp
Started: Fri Mar 23 17:44:58 2012
Stopped: Fri Mar 23 17:55:07 2012

Bingo… PASSWORD FOUND 🙂

Just to make you guys realise the speed difference when using a GPU as a cracking platform, I have performed a comparison against cracking the same 8 character hash using a CPU (AMD x6 1055T @3.8GHz) – 104 minutes on the CPU.
user1:7:7b0662e4590e238a417eaf50cfac29c3:0c341d2d5793a3afafc76f8bc3bd56a1:::

$ ./hashcat-cli64.bin -a 3 -m 1000 hash.ntlm.txt ?l?l?l?l?l?l?l?l --pw-min=8
Initializing hashcat v0.39 by atom with 8 threads and 32mb segment-size...
NOTE: press enter for status-screen
Added hashes from file hash.ntlm.txt: 1 (1 salts)
Activating quick-digest mode for single-hash
Input.Mode: Mask (?l?l?l?l?l?l?l?l)
Index.....: 0/1 (segment), 208827064576 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, 32.52M words
Progress..: 5410536168/208827064576 (2.59%)
Running...: 00:00:02:47
Estimated.: 00:01:44:14

Compared to 38 seconds on the GPU 🙂

$ ./oclHashcat-plus64.bin -a 3 -m 1000 hash.ntlm.txt ?l?l?l?l?l?l?l?l --perm-min=8
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a3.Cayman.64.kernel (190388 bytes)
Status.......: Cracked
Input.Mode...: Mask (?l?l?l?l?l?l?l?l)
Hash.Target..: 0c341d2d5793a3afafc76f8bc3bd56a1
Hash.Type....: NTLM
Time.Running.: 38 secs
Time.Util....: 38030.1ms/1175.7ms Real/CPU, 3.2% idle
Speed........:  4033.0M c/s Real,  4144.3M c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 153374228480/208827064576 (73.45%)
Rejected.....: 0/153374228480 (0.00%)
HW.Monitor.#1: 77% GPU, 54c Temp
Started: Sun Mar 25 13:29:40 2012
Stopped: Sun Mar 25 13:30:18 2012
