The tool we’re going to use here is hashcat. I’ll be testing this using an ATI 6950 2GB GPU running on Kubuntu 64bit using catalyst drivers 12.2. Your mileage might vary depending on what card you’re using.
Hashcat (now known as oclhashcat-plus) comes with a few different binaries depending on what architecture you’ll be running it on.
- nVidia 32bit – use
- nVidia 64bit – use
- ATI 32bit – use
- ATI 64bit – use
We need to check that the graphics drivers and libraries are all set up correctly, so quickly try running one of the example files.
```
phillips321@KubuntuDesktop:/media/1TB/TABLES/tools/oclHashcat-plus-0.07$ ./oclExample0.sh
oclHashcat-plus v0.07 by atom starting...
Hashes: 6494
Unique digests: 6494
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes
Rules: 64
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)
HW.Monitor.#1: 0% GPU, 46c Temp
Started: Fri Mar 23 17:16:17 2012
Stopped: Fri Mar 23 17:16:20 2012
```
Looks like things are working fine :)
As we have pwdump-style output, we need to cut this down to show only the NTLM hash.
username:userid:lmhash:ntlmhash:::
```
cat hash.txt
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
cat hash.txt | cut -d: -f4 > hash.ntlm.txt
```
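The pwdump layout above can also be read from the defender's side. This added example (not from the original post; function names are hypothetical) goes beyond the `cut` one-liner: it parses the same four fields and reports what the dump reveals before any cracking, namely accounts that still store an LM hash, blank passwords, and accounts sharing one NT hash.

```python
# Added example: audit pwdump-format lines (function names are hypothetical).
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample: the first two lines are the ones shown on this page,
# the rest are made up (svc_backup reuses user1's hash in upper case).
SAMPLE = """\
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
user1:7:7b0662e4590e238a417eaf50cfac29c3:0c341d2d5793a3afafc76f8bc3bd56a1:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:0C341D2D5793A3AFAFC76F8BC3BD56A1:::
Guest:501:NO PASSWORD*********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
this is not a pwdump line
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt); lm is None when no usable LM hash is stored."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue                       # blank line or a different format
        user, rid = fields[0], int(fields[1])
        lm, nt = fields[2].lower(), fields[3].lower()
        if not HEX32.fullmatch(nt):
            continue                       # NT field is not a 128-bit hex digest
        if lm == EMPTY_LM or not HEX32.fullmatch(lm):
            lm = None                      # placeholder or "NO PASSWORD***" marker
        yield user, rid, lm, nt

def audit(text):
    """Summarise the weaknesses visible in the dump without cracking anything."""
    by_nt = defaultdict(list)
    report = {"lm_stored": [], "blank": []}
    for user, _rid, lm, nt in parse_pwdump(text):
        by_nt[nt].append(user)
        if lm:
            report["lm_stored"].append(user)   # LM hash present: weak legacy format
        if nt == EMPTY_NT:
            report["blank"].append(user)       # account has an empty password
    report["shared"] = {h: u for h, u in by_nt.items() if len(u) > 1}
    report["unique_nt"] = sorted(by_nt)        # deduplicated, lower-cased field 4
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```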
And now to use oclHashcat to crack the NTLM hash:
```
$ ./oclHashcat-plus64.bin -m 1000 hash.ntlm.txt darkc0de.lst
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a0.Cayman.64.kernel (1100676 bytes)
Scanning dictionary darkc0de.lst: 1047587 bytes (5.83%), 95782 words,Scanned dictionary darkc0de.lst: 17975864 bytes, 1707658 words, 1707658 keyspace, starting attack...
80290fc9b3c2b233769aa9d6ced8bc86:hacmebank
Status.......: Cracked
Input.Mode...: File (darkc0de.lst)
Hash.Target..: 80290fc9b3c2b233769aa9d6ced8bc86
Hash.Type....: NTLM
Time.Running.: 0 secs
Time.Util....: 957.9ms/0.0ms Real/CPU, 0.0% idle
Speed........: 1031.3k c/s Real, 42049.4k c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 1044861/1707658 (61.19%)
Rejected.....: 56955/1044861 (5.45%)
HW.Monitor.#1: 0% GPU, 45c Temp
Started: Fri Mar 23 17:28:43 2012
Stopped: Fri Mar 23 17:28:44 2012
```
That’s great and all, but what if we wanted to crack using a brute-force attempt? Well, we need to tell Hashcat how we want to brute-force. Instead of using a dictionary file we must create a mask, such as the following examples:
- ?l?l?l?l?l?l?l?l – 8char lowercase password
- -1 ?l?u ?1?1?1?1?1?1?1?1 – 8char upper or lowercase password
- -1 ?l?u?d?s ?1?1?1?1?1?1?1?1 – 8char upper,lower,digits,special password
In order to create your own masks you’ll need to understand the following:
- ?l is all lower case letters from a to z
- ?u is all upper case letters from A to Z
- ?d is all digits from 0-9
- ?s is all special characters on a standard keyboard
- ?h is all ISO-8859 characters or “HEX” characters
- ?D is all 8-bit characters from the German alphabet
- ?F is all 8-bit characters from the French alphabet
- ?R is all 8-bit characters from the Russian alphabet
- -1 abcdABCD -2 1234 is a custom range used like so ?2?2?2?2?1?1?1?1
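The mask syntax above, as an added example that is not from the original post: a small parser that computes how many candidates a mask generates and the worst-case time to exhaust it at a given rate, which is the figure that matters when judging a password policy. Function names are hypothetical, the `?s` size of 33 characters (printable ASCII specials including space) is an assumption, and the 8-bit sets `?h`, `?D`, `?F` and `?R` are left out.

```python
# Added example: keyspace of a hashcat-style mask (function names are hypothetical).
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    # Assumption: ?s is the 33 printable ASCII specials, space included.
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}

def tokens(spec):
    """Split '?l?uab' into '?l', '?u', 'a', 'b'; a trailing lone '?' is an error."""
    i = 0
    while i < len(spec):
        if spec[i] == "?":
            if i + 1 == len(spec):
                raise ValueError(f"dangling '?' in {spec!r}")
            yield spec[i:i + 2]
            i += 2
        else:
            yield spec[i]
            i += 1

def charset(token, custom):
    """Set of characters a single mask position can take."""
    if not token.startswith("?"):
        return {token}                      # literal character
    key = token[1]
    if key == "?":
        return {"?"}                        # '??' is a literal question mark
    if key in BUILTIN:
        return set(BUILTIN[key])
    if key in custom:
        return custom[key]
    raise ValueError(f"charset {token!r} is not defined")

def mask_keyspace(mask, custom_specs=None):
    """Candidates generated by mask; custom_specs maps '1', '2', ... to a charset spec."""
    custom = {}
    for slot, spec in sorted((custom_specs or {}).items()):
        custom[slot] = set().union(*(charset(t, custom) for t in tokens(spec)))
    total = 1
    for tok in tokens(mask):
        total *= len(charset(tok, custom))
    return total

def worst_case_seconds(mask, rate, custom_specs=None):
    """Seconds to exhaust the whole mask at `rate` candidates per second."""
    return mask_keyspace(mask, custom_specs) / rate
```

`mask_keyspace("?l" * 8)` and `mask_keyspace("?2" * 9, {"2": "?l"})` return the totals hashcat prints in its `Progress` lines for the 8 and 9 character lowercase runs on this page.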
Here’s a demo of brute-forcing the hash of a 9 character password using only lowercase letters (I’ve used the flag 2 in this example as ONE looks like a lowercase L).
```
phillips321@KubuntuDesktop:$ ./oclHashcat-plus64.bin -a 3 -m 1000 hash.ntlm.txt -2 ?l ?2?2?2?2?2?2?2?2?2
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a3.Cayman.64.kernel (190388 bytes)
80290fc9b3c2b233769aa9d6ced8bc86:hacmebank
Status.......: Cracked
Input.Mode...: Mask (?1?1?1?1?1?1?1?1?l)
Hash.Target..: 80290fc9b3c2b233769aa9d6ced8bc86
Hash.Type....: NTLM
Time.Running.: 10 mins, 8 secs
Time.Util....: 544806.8ms/18270.3ms Real/CPU, 3.5% idle
Speed........: 4019.6M c/s Real, 4117.4M c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 2189932462080/5429503678976 (40.33%)
Rejected.....: 0/2189932462080 (0.00%)
HW.Monitor.#1: 77% GPU, 85c Temp
Started: Fri Mar 23 17:44:58 2012
Stopped: Fri Mar 23 17:55:07 2012
```
Bingo… PASSWORD FOUND :)
Just to make you guys realise the speed difference when using a GPU as a cracking platform, I have performed a comparison against cracking the same 8 character hash using a CPU (AMD x6 1055T @3.8GHz) – 104 minutes on the CPU.
user1:7:7b0662e4590e238a417eaf50cfac29c3:0c341d2d5793a3afafc76f8bc3bd56a1:::
```
$ ./hashcat-cli64.bin -a 3 -m 1000 hash.ntlm.txt ?l?l?l?l?l?l?l?l --pw-min=8
Initializing hashcat v0.39 by atom with 8 threads and 32mb segment-size...
NOTE: press enter for status-screen
Added hashes from file hash.ntlm.txt: 1 (1 salts)
Activating quick-digest mode for single-hash
Input.Mode: Mask (?l?l?l?l?l?l?l?l)
Index.....: 0/1 (segment), 208827064576 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, 32.52M words
Progress..: 5410536168/208827064576 (2.59%)
Running...: 00:00:02:47
Estimated.: 00:01:44:14
```
Compared to 38 seconds on the GPU :)
```
$ ./oclHashcat-plus64.bin -a 3 -m 1000 hash.ntlm.txt ?l?l?l?l?l?l?l?l --perm-min=8
oclHashcat-plus v0.07 by atom starting...
Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m1000_a3.Cayman.64.kernel (190388 bytes)
Status.......: Cracked
Input.Mode...: Mask (?l?l?l?l?l?l?l?l)
Hash.Target..: 0c341d2d5793a3afafc76f8bc3bd56a1
Hash.Type....: NTLM
Time.Running.: 38 secs
Time.Util....: 38030.1ms/1175.7ms Real/CPU, 3.2% idle
Speed........: 4033.0M c/s Real, 4144.3M c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 153374228480/208827064576 (73.45%)
Rejected.....: 0/153374228480 (0.00%)
HW.Monitor.#1: 77% GPU, 54c Temp
Started: Sun Mar 25 13:29:40 2012
Stopped: Sun Mar 25 13:30:18 2012
```
NTLM 5DCA4CF3F02F5D268F5E46CE41919E62
Thank you!
NTLM=7F5A3D695B4BA2BBAE7C2C55FC2BCE7E
Thanks very much
ntlm
9E1772FAAF26CD2AABB966AEFFA97F08
BC17D1D37A70ED31249AC2F86BCD211E
Thanks again!
ntlm
5E3CFA66E6FE1869F31840B1C6C6C0B5
thanks very much!
That decrypts to the following: doSyazLflesruoYtIoD
(I have been nice and reversed it so that others don’t know the password as well)
Can you send this password to my new e-mail?
Thanks in advance.
how about a35fed8a6b8ec68abfc60cec49b35125 no clue what it is, it’s from
NAME*****:500:aad3b435b51404eeaad3b435b51404ee:a35fed8a6b8ec68abfc60cec49b35125:::
That decrypts to the following: doSyazLflesruoYtIoD
(I have been nice and reversed it so that others don’t know the password as well)
339C3CD54496C132FD94FD2C75110C97
can you decrypt? :)
That decrypts to the following: yazLflesruoYtIoD
(I have been nice and reversed it so that others don’t know the password as well)
Thank you very much! it works perfectly..
c4a1b3515c2dee52662e518e65b2f845
(nt not ntlm hash)
Way go to inside pro forums for this
if any of you Professionals can…
then decrypt this: c4a1b3515c2dee52662e518e65b2f845
and i will accept your professional profession!!!
It’s seven characters long and ends in a 2
nice comparison thanks phil
ntlm = B1EDDC1E6D0571310D5A93FE08E7FFD8
thinks!!!
--perm-min= and --perm-max is for the permutation multiplier not password length. I’d like to know how to change it to crack longer passwords. plz let me know if you find out
Well spotted, will remove it from the post.
--pw-min=8 I think controls the password length but I don’t think it’s supported in oclhashcat-plus yet?