The tool we’re going to use here is hashcat. I’ll be testing this using an ATI 6950 2GB GPU running on Kubuntu 64bit using Catalyst drivers 12.2. Your mileage might vary depending on what card you’re using.
Hashcat (now known as oclhashcat-plus) comes with a few different binaries depending on what architecture you’ll be running it on.
- nVidia 32bit – use
- nVidia 64bit – use
- ATI 32bit – use
- ATI 64bit – use
We need to check that the graphics drivers and libraries are all set up correctly, so quickly try running one of the example files.
```
phillips321@KubuntuDesktop:/media/1TB/TABLES/tools/oclHashcat-plus-0.07$ ./oclExample0.sh
oclHashcat-plus v0.07 by atom starting...
Hashes: 6494
Unique digests: 6494
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes
Rules: 64
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)
HW.Monitor.#1: 0% GPU, 46c Temp
Started: Fri Mar 23 17:16:17 2012
Stopped: Fri Mar 23 17:16:20 2012
```
Looks like things are working fine :)
Our hashes are in pwdump output format, so we need to cut each line down to just the NTLM hash. The format is:
username:userid:lmhash:ntlmhash:::
```
cat hash.txt
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
cat hash.txt | cut -d: -f4 > hash.ntlm.txt
```
And now to use oclHashcat to crack the NTLM hash:
```
$ ./oclHashcat-plus64.bin -m 1000 hash.ntlm.txt darkc0de.lst
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a0.Cayman.64.kernel (1100676 bytes)
Scanning dictionary darkc0de.lst: 1047587 bytes (5.83%), 95782 words,Scanned dictionary darkc0de.lst: 17975864 bytes, 1707658 words, 1707658 keyspace, starting attack...
80290fc9b3c2b233769aa9d6ced8bc86:hacmebank
Status.......: Cracked
Input.Mode...: File (darkc0de.lst)
Hash.Target..: 80290fc9b3c2b233769aa9d6ced8bc86
Hash.Type....: NTLM
Time.Running.: 0 secs
Time.Util....: 957.9ms/0.0ms Real/CPU, 0.0% idle
Speed........: 1031.3k c/s Real, 42049.4k c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 1044861/1707658 (61.19%)
Rejected.....: 56955/1044861 (5.45%)
HW.Monitor.#1: 0% GPU, 45c Temp
Started: Fri Mar 23 17:28:43 2012
Stopped: Fri Mar 23 17:28:44 2012
```
That’s great and all but what if we wanted to crack using a bruteforce attempt? Well we need to tell Hashcat how we want to bruteforce. Instead of using a dictionary file we must create a mask such as the following examples:
- ?l?l?l?l?l?l?l?l – 8char lowercase password
- -1 ?l?u ?1?1?1?1?1?1?1?1 – 8char upper or lowercase password
- -1 ?l?u?d?s ?1?1?1?1?1?1?1?1 – 8char upper,lower,digits,special password
In order to create your own masks you’ll need to understand the following:
- ?l is all lower case letters from a to z
- ?u is all upper case letters from A to Z
- ?d is all digits from 0-9
- ?s is all special characters on a standard keyboard
- ?h is all ISO-8859 characters or “HEX” characters
- ?D is all 8-bit characters from the German alphabet
- ?F is all 8-bit characters from the French alphabet
- ?R is all 8-bit characters from the Russian alphabet
- -1 abcdABCD -2 1234 is a custom range used like so ?2?2?2?2?1?1?1?1
Here’s a demo of cracking the password hash by bruteforce, assuming a 9 character password made up of only lowercase letters (I’ve used the flag 2 in this example as ONE looks like a lowercase L).
```
phillips321@KubuntuDesktop:$ ./oclHashcat-plus64.bin -a 3 -m 1000 hash.ntlm.txt -1 ?l ?2?2?2?2?2?2?2?2?2
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a3.Cayman.64.kernel (190388 bytes)
80290fc9b3c2b233769aa9d6ced8bc86:hacmebank
Status.......: Cracked
Input.Mode...: Mask (?1?1?1?1?1?1?1?1?l)
Hash.Target..: 80290fc9b3c2b233769aa9d6ced8bc86
Hash.Type....: NTLM
Time.Running.: 10 mins, 8 secs
Time.Util....: 544806.8ms/18270.3ms Real/CPU, 3.5% idle
Speed........: 4019.6M c/s Real, 4117.4M c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 2189932462080/5429503678976 (40.33%)
Rejected.....: 0/2189932462080 (0.00%)
HW.Monitor.#1: 77% GPU, 85c Temp
Started: Fri Mar 23 17:44:58 2012
Stopped: Fri Mar 23 17:55:07 2012
```
Bingo… PASSWORD FOUND :)
Just to make you guys realise the speed difference when using a GPU as a cracking platform, I have performed a comparison by cracking the same 8 character hash using a CPU (AMD x6 1055T @3.8GHz) – 104 minutes on the CPU.
user1:7:7b0662e4590e238a417eaf50cfac29c3:0c341d2d5793a3afafc76f8bc3bd56a1:::
```
$ /hashcat-cli64.bin -a 3 -m 1000 hash.ntlm.txt ?l?l?l?l?l?l?l?l --pw-min=8
Initializing hashcat v0.39 by atom with 8 threads and 32mb segment-size...
NOTE: press enter for status-screen
Added hashes from file hash.ntlm.txt: 1 (1 salts)
Activating quick-digest mode for single-hash
Input.Mode: Mask (?l?l?l?l?l?l?l?l)
Index.....: 0/1 (segment), 208827064576 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, 32.52M words
Progress..: 5410536168/208827064576 (2.59%)
Running...: 00:00:02:47
Estimated.: 00:01:44:14
```
Compared to 38 seconds on the GPU :)
```
$ ./oclHashcat-plus64.bin -a 3 -m 1000 hash.ntlm.txt ?l?l?l?l?l?l?l?l --perm-min=8
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a3.Cayman.64.kernel (190388 bytes)
Status.......: Cracked
Input.Mode...: Mask (?l?l?l?l?l?l?l?l)
Hash.Target..: 0c341d2d5793a3afafc76f8bc3bd56a1
Hash.Type....: NTLM
Time.Running.: 38 secs
Time.Util....: 38030.1ms/1175.7ms Real/CPU, 3.2% idle
Speed........: 4033.0M c/s Real, 4144.3M c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 153374228480/208827064576 (73.45%)
Rejected.....: 0/153374228480 (0.00%)
HW.Monitor.#1: 77% GPU, 54c Temp
Started: Sun Mar 25 13:29:40 2012
Stopped: Sun Mar 25 13:30:18 2012
```
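The Progress totals in the runs above are the mask keyspace (26^8 = 208827064576 and 26^9 = 5429503678976), which is the figure to check when judging how long a given password policy holds up at the speeds shown. The Python sketch below is an added example, not code from the original post or from hashcat; its function names are made up here, it handles only ?l ?u ?d ?s plus custom -1/-2 style sets, and it assumes ?s is the 33 printable ASCII specials including space.

```python
import string
from math import prod

# Placeholder -> characters. ?s is assumed to be the 33 printable ASCII
# specials (space included); ?h/?D/?F/?R are left out of this sketch.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}

def expand_charset(spec):
    """Expand a -1/-2 style definition such as '?l?u' or 'abcdABCD'."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec) and spec[i + 1] in BUILTIN:
            chars.update(BUILTIN[spec[i + 1]])
            i += 2
        else:
            chars.add(spec[i])  # literal character
            i += 1
    return chars

def mask_keyspace(mask, custom=None):
    """Number of candidates a mask generates; custom maps '1', '2'... to specs."""
    custom = {k: expand_charset(v) for k, v in (custom or {}).items()}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)  # fixed literal position
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key in BUILTIN:
            sizes.append(len(BUILTIN[key]))
        elif key in custom:
            sizes.append(len(custom[key]))
        else:
            raise ValueError(f"undefined placeholder ?{key}")
        i += 2
    return prod(sizes)

def seconds_to_exhaust(keyspace, candidates_per_second):
    """Worst-case time to walk the whole keyspace at a measured speed."""
    return keyspace / candidates_per_second

if __name__ == "__main__":
    # Speeds are the ones reported in the runs above.
    for mask, custom in [("?l" * 8, None), ("?1" * 8, {"1": "?l?u?d?s"})]:
        ks = mask_keyspace(mask, custom)
        print(mask, ks, f"{seconds_to_exhaust(ks, 4033.0e6) / 3600:.2f} h on the GPU")
```

Run against the masks from the earlier list, it shows why adding character classes matters far more than the hardware: the 8 character lowercase space is exhausted in under a minute at 4033.0M c/s, while the full ?l?u?d?s space at the same length is tens of thousands of times larger.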