Recently some pretty major advances have been made in the world of GPU-based hash cracking. Up until now there was not much for Linux that could use multiple GPUs to crack password hashes. This has changed with the release of oclHashcat, which marks a significant jump in speed on Linux-based GPU systems. There is also a CPU-based version called hashcat, but for this article I will be reviewing oclHashcat.
One of the nice things about OpenCL is that it works on both Nvidia and ATI based systems. As I do not have any ATI cards I will be focusing on Nvidia based systems. The steps for ATI would be the same; you would just have to install the Stream drivers rather than the Nvidia drivers. In order for OpenCL to work you are going to need the newest Nvidia drivers.
You can check your driver version like this:
```
[root@tools ~]# cat /proc/driver/nvidia/version
NVRM version: NVIDIA UNIX x86_64 Kernel Module 195.36.15 Fri Mar 12 00:29:13 PST 2010
```
You can download the Nvidia drivers for your system from here.
Since the newest Nvidia drivers already include the OpenCL libraries there is nothing else to do; OpenCL should be working.
As I am writing this article version 2.0 of oclhashcat has just been released.
Some of the key features include:
* Free
* Multi-GPU
* Multi-Hash
* Linux & Windows native binaries
* Uses OpenCL
* Fastest multihash MD5 cracker on NVidia cards
* Fastest multihash MD5 cracker on ATI 5xxx cards
* Supports wordlists (not limited to Brute-Force / Mask-Attack)
* Can mix wordlists with Mask-Attack to emulate Hybrid-Attacks
* Runs very cautious, you can still watch movies while cracking
* Kernel workload can be configured while cracking
* Supports pause / resume
* Supports huge numbers of hashes (4 million and more)
* Able to work in a distributed environment
* Includes hashcats entire rule engine to modify wordlists on start
* … and much more
Supported algorithms include:
* MD5
* md5($pass.$salt)
* md5($salt.$pass)
* md5(md5($pass))
* md5(md5($pass).$salt)
* SHA1
* MySQL
* MySQL4.1/MySQL5
* MD4
* NTLM
* Domain Cached Credentials
The binaries can be downloaded from here. The source is currently not available and, based on comments by the author, he does not plan on releasing it anytime soon. Although this is a pain, it's still a great tool.
My test box is going to be a server we have with 4 Nvidia GTX 295s. Since a 295 is really 2 cards in one, our test box essentially has 8 video cards.
Let's have a look at the menu:
```
[root@tools oclHashcat-0.20]# ./oclHashcat64.bin --help
./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
oclHashcat, advanced password recovery

Usage: ./oclHashcat64.bin [options] hashlist wordlist_left|mask_left wordlist_right|mask_right

Startup:
  -V,  --version               print version
  -h,  --help                  print help
       --eula                  print eula

Logging and Files:
       --restore               restore previous session
       --quiet                 quiet mode
  -o,  --output-file=FILE      output-file for recovered hashes
       --output-format=NUM     0 = hash:pass
                               1 = hash:hex_pass
                               2 = hash:pass:hex_pass
  -e,  --salt-file=FILE        salts-file for unsalted hashlists
  -j,  --rule-left=RULE        rule applied to each word from left wordlist
  -k,  --rule-right=RULE       rule applied to each word from right wordlist

Resources:
       --restore-options=STR   Skip words (left:right) per device. Seperate with comma
  -d,  --gpu-devicelist=STR    OCL devices to use. Seperate with comma
  -n,  --gpu-accel=NUM         workload tuning: 1=fast desktop, 80=fast crunching
       --gpu-loops=NUM         workload fine-tuning if -n is not precise enough

Buildin-Masks:

  ?l = aeionrsdlctbmfuhkgpywjvzxq
  ?u = ASERMLNDCTBIPOHKGFUJYWVXZQ
  ?d = 1023985476
  ?s = .-!_@ *#$+/,&?%=);(^:"[\<'`]>|{}

Custom-Masks:
  -1,  --custom-mask1=CS       user-defineable masks
  -2,  --custom-mask2=CS       example:
  -3,  --custom-mask3=CS       --custom-mask3=?dabcdef
  -4,  --custom-mask4=CS       sets mask ?3 to 0123456789abcdef

Attacks:
  -m,  --hash-mode=NUM         number of hash-mode
                               0 = MD5
                               1 = md5($pass.$salt)
                               2 = md5($salt.$pass)
                               3 = md5(md5($pass))
                               5 = md5(md5($pass).$salt)
                               100 = SHA1
                               200 = MySQL
                               300 = MySQL4.1/MySQL5
                               900 = MD4
                               1000 = NTLM
                               1100 = Domain Cached Credentials
                               1500 = DES
```
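As you can see there are quite a few options for hash cracking. For the sake of this article I will be cracking some MD5 hashes from hashkiller.com.
The syntax for oclHashcat is a little tricky at first, but once you understand it, it gets much easier. It works on a character set and a specific position for each character.
For example, let's look at the built-in charsets:
```
?l = aeionrsdlctbmfuhkgpywjvzxq
?u = ASERMLNDCTBIPOHKGFUJYWVXZQ
?d = 1023985476
?s = .-!_@ *#$+/,&?%=);(^:"[\<'`]>|{}
```
So, for example, many people commonly use a name with a birthdate or some other date of significance after it, so I could define that as ?u?l?l?l?l ?d?d?d?d. While this looks very odd, what I am saying is that I want to test 9 character passwords, and that I am assuming the first letter is going to be a capital, the next 4 letters will be lowercase a-z, and the last 4 characters are numbers, meaning any dates like 1948 or 2012 will be covered. This targeted method of attack can be much faster than a normal bruteforce. The only major limitation I have found so far in oclHashcat is the fact that you cannot give it a range of password lengths. This is not the end of the world because the tool can be easily scripted, but it's a feature that should be the author's priority to implement.
OK, so let's look at a real example: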
```
[root@tools oclHashcat-0.20]# ./oclHashcat64.bin opencrack.txt example.dict ?d?d?d?d
./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
oclHashcat v0.20 starting...

Digests: 5331 entries, 5331 unique
Scanned: example.dict (129988)
Maskprocessor: ?d?d?d?d (10000)
Summary: 1299880000 combinations
Platforms: 1
Platform: NVIDIA Corporation, OpenCL 1.0 CUDA 3.0.1 (8 matched)
Device #1: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #2: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #3: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #4: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #5: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #6: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #7: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #8: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
WARNING: words in wordlist_left < 491520. Can't gain full performance
c553b8fe622bed5e8ed62a94bc94d57d:babe1010
acf5f893c0871f4d4b87decfcded01fd:06039000
3fb707242bb356b2d5782b6b1fa7a150:yen9961
6ee18d60785401df7af0bbc676789c76:sweetie2010
929f5c4d8343ded8241c2f36b5831484:mann5630
15a810a418b53f550bf6f5ffc0ac703e:katie1602
39d5dee99d8831bb979a6677c05e2aef:megan2822
989b3b7feef58ea4c340476f6ecc48b6:miba2102
ef56087d70af5cc10b00622e08a56886:death9413
05032716992559f48cf71028ea8a36cb:temp4562
b9d094a85dd539c4963fc8eba0ae5355:sasha1509
ad95048b366bd4cc4047d1ef76a46706:730469
7e1b7f303931b88bc8faed0a42713d34:megan9569
ff36cd6d2a64b22f2df912fa9b9c5981:20052605
839b2da837b9fa4f5e239a1b425f1474:Pop3434
f7dddf41bbfd47e775a746f57af69eab:teri0814
9a1ff19330af5d3db35571910fdfb23d:1282244
eb44015f12b1a1cd07f9bdb780f375bd:michele1156
[s]tatus [p]ause [r]esume [h]elp [q]uit =>
Threads...: 8
Speed.GPU1: 327.9M/s (finished)
Speed.GPU2: 327.9M/s (finished)
Speed.GPU3: 326.3M/s (finished)
Speed.GPU4: 319.9M/s (finished)
Speed.GPU5: 329.1M/s (finished)
Speed.GPU6: 328.3M/s (finished)
Speed.GPU7: 330.2M/s (finished)
Speed.GPU8: 327.9M/s (finished)
Speed.GPU*: 2617.7M/s
Recovered.: 18/5331 Digests, 0/1 Salts
Progress..: 1299840000/1299880000 (100.00%)
Running...: 9 secs
Estimated.: 0 secs

Started: Sun Jun 20 09:29:33 2010
Stopped: Sun Jun 20 09:29:43 2010
```
NOTE: If you are receiving the “./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)” error, I am told that this is nothing to worry about and is simply a small bug in Linux.
In the example I just showed, we took our MD5 list, which I have named opencrack.txt, and ran it against the example dictionary which comes with oclHashcat. At the same time we told oclHashcat to add a bruteforce of 4 digits to the end of each word.
You can see here the number of combinations we are looking at: Summary: 1299880000 combinations
You can see here the combined speed of all your GPUs: Speed.GPU*: 2617.7M/s
(Since this attack only took nine seconds my GPUs didn’t even have time to get fired up; they are about twice as fast as this normally.)
The next line shows us how many passwords were loaded and how many recovered: Recovered.: 18/5331 Digests, 0/1 Salts
As you can see, we did recover 18 of the 5331 passwords with just this quick, simple attack.
The next few lines give time summaries and a percentage of how far along the crack is.
OK, so let's look at some bruteforce options:
```
[root@tools oclHashcat-0.20]# ./oclHashcat64.bin opencrack.txt -n 80 -m 0 -1 ?l?u?d?s ?1?1?1 ?1?1?1
./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
oclHashcat v0.20 starting...

Digests: 5331 entries, 5331 unique
Maskprocessor: ?1?1?1 (830584)
Maskprocessor: ?1?1?1 (830584)
Summary: 689869781056 combinations
Platforms: 1
Platform: NVIDIA Corporation, OpenCL 1.0 CUDA 3.0.1 (8 matched)
Device #1: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #2: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #3: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #4: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #5: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #6: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #7: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #8: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
WARNING: words in wordlist_left < 4915200. Can't gain full performance
[s]tatus [p]ause [r]esume [h]elp [q]uit =>
b18a5dd9691f569bfa14d67f921deeeb:Khzhid
8abe43e1c718e403846ebea7393daf05:teekel
742f40069bda6a1f547ae40ea6a9d452:mdkswc
fa053ed88aad28bbe9cc7666a3b39f19:rs_l1b
2a4a5a32877506a37426829d71918f4b:gyvenk
6a182f3c48123a4af5657f75b25b96be:xlriop
0ab2c17e2bc85953e93f194debe2a032:qtyqty
42e604cfac34630dc0ff02bd1123b7c1:10@D3D
16bd51d25ed0c5797320e8c3afa90a22:zara<3
ad95048b366bd4cc4047d1ef76a46706:730469
67b0b903b0bc55e52124a8a3fd5fa0e5:t31bh5
8713864611c063edd4f18e26dce4ea08:Darma6
[s]tatus [p]ause [r]esume [h]elp [q]uit =>
Threads...: 8
Speed.GPU1: 500.1M/s (finished)
Speed.GPU2: 500.8M/s (finished)
Speed.GPU3: 501.0M/s (finished)
Speed.GPU4: 501.1M/s (finished)
Speed.GPU5: 500.6M/s (finished)
Speed.GPU6: 500.8M/s (finished)
Speed.GPU7: 501.1M/s (finished)
Speed.GPU8: 501.1M/s (finished)
Speed.GPU*: 4006.6M/s
Recovered.: 12/5331 Digests, 0/1 Salts
Progress..: 689869781056/689869781056 (100.00%)
Running...: 3 mins, 4 secs
Estimated.: 0 secs

Started: Sun Jun 20 09:51:46 2010
Stopped: Sun Jun 20 09:54:50 2010
```
So in this attack we did a full bruteforce of a-z, A-Z, 0-9 and .-!_@ *#$+/,&?%=);(^:"[\<'`]>|{}. This is defined by passing the built-in masks to the -1 argument and then using that custom mask (?1) in each of the six positions.
-1 ?l?u?d?s ?1?1?1 ?1?1?1
If we knew a few things about our password policy, for example that the first letter was always a capital, we could refine this attack a little like this: -1 ?l?u?d?s ?u?1?1 ?1?1?1, and if we also knew that the last 2 places were always numbers we could use -1 ?l?u?d?s ?u?1?1 ?1?d?d. These placeholders allow us to refine our attack and cut the time it takes to complete. On this particular system you can see that a full 6 character bruteforce only took 3 mins, so for passwords of 6 chars and under I always do a full bruteforce. The same attack with 7 characters takes about 4 hours on my system, so using some of the placement tricks can really speed things up.
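The combination counts and run times quoted above follow directly from the charset sizes, which is also how a defender can judge how long a given password policy holds up against a box like this one. The Python below is an added example, not code from oclHashcat or from the original article: the function names are hypothetical, RATE is the Speed.GPU* figure from the 6 character run, and treating a literal character in a mask as one fixed position is an assumption.

```python
import string

# Built-in charsets, taken from the --help output on this page.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": ".-!_@ *#$+/,&?%=);(^:\"[\\<'`]>|{}",
}

# Combined MD5 speed of the article's 8-GPU box (Speed.GPU*: 4006.6M/s).
RATE = 4006.6e6


def expand_charset(spec):
    """Expand a -1..-4 definition such as '?l?u?d?s' or '?dabcdef' to a set."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?":
            name = spec[i + 1:i + 2]
            if name not in BUILTIN:
                raise ValueError(f"unknown charset ?{name} in {spec!r}")
            chars.update(BUILTIN[name])
            i += 2
        else:
            chars.add(spec[i])  # literal character added to the set
            i += 1
    return chars


def mask_keyspace(mask, custom=None):
    """Candidates generated by one mask: the product of per-position sizes."""
    sizes = {name: len(chars) for name, chars in BUILTIN.items()}
    for name, spec in (custom or {}).items():
        sizes[name] = len(expand_charset(spec))
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            name = mask[i + 1:i + 2]
            if name not in sizes:
                raise ValueError(f"unknown placeholder ?{name} in {mask!r}")
            total *= sizes[name]
            i += 2
        else:
            i += 1  # assumption: a literal is one fixed character
    return total


def attack_keyspace(left, right, custom=None):
    """Combinations for 'left right'; pass an int for a wordlist's word count."""
    def side(part):
        return part if isinstance(part, int) else mask_keyspace(part, custom)
    return side(left) * side(right)


def seconds_to_exhaust(keyspace, rate=RATE):
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return keyspace / rate


def human(seconds):
    """Render a duration in seconds as hours, minutes and seconds."""
    total = int(round(seconds))
    hours, rest = divmod(total, 3600)
    minutes, secs = divmod(rest, 60)
    return f"{hours}h {minutes}m {secs}s"


if __name__ == "__main__":
    full = {"1": "?l?u?d?s"}
    scenarios = [
        ("example.dict + 4 digits", 129988, "?d?d?d?d", None),
        ("full 6 chars", "?1?1?1", "?1?1?1", full),
        ("capital first, 6 chars", "?u?1?1", "?1?1?1", full),
        ("capital first, 2 digits last", "?u?1?1", "?1?d?d", full),
        ("Name + 4 digit date", "?u?l?l?l?l", "?d?d?d?d", None),
        ("full 7 chars", "?1?1?1?1", "?1?1?1", full),
        ("full 8 chars", "?1?1?1?1", "?1?1?1?1", full),
    ]
    for label, left, right, custom in scenarios:
        space = attack_keyspace(left, right, custom)
        print(f"{label:30} {space:>20,} {human(seconds_to_exhaust(space))}")
```

Each extra full-charset position multiplies the work by 94, which is the step from about 3 minutes at 6 characters to about 4.5 hours at 7 on this hardware.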
At any point during the cracking process you can press “s” and get a status report:
```
[s]tatus [p]ause [r]esume [h]elp [q]uit => s
Threads...: 8
Speed.GPU1: 500.7M/s (running)
Speed.GPU2: 500.8M/s (running)
Speed.GPU3: 501.2M/s (running)
Speed.GPU4: 501.2M/s (running)
Speed.GPU5: 501.2M/s (running)
Speed.GPU6: 501.2M/s (running)
Speed.GPU7: 501.2M/s (running)
Speed.GPU8: 501.1M/s (running)
Speed.GPU*: 4008.5M/s
Recovered.: 3/5331 Digests, 0/1 Salts
Progress..: 84520227840/689869781056 (12.25%)
Running...: 33 secs
Estimated.: 2 mins, 31 secs
```
This report will tell you the speed of the GPUs, the number of passwords recovered and the estimated time to finish.
The last thing I will show is the included batchcrack script. This script is included, I assume, to make up for the fact that there is no way to define a range. The script runs through about 20 different attacks. The cool thing about the script is that the author put everything in variables which are easily changed.
Open the script in your favorite editor and look at the first section:
```
OUTPUT_FILE=batchcrack.out
DICT_FILE=example.dict
HASH_MODE=0
GPU_DEVICELIST=1,2
GPU_ACCEL=80
GPU_LOOPS=256
```
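This is the default configuration. It needs to be edited to reflect the number of GPUs you would like to use, so for me it would be GPU_DEVICELIST=1,2,3,4,5,6,7,8.
The hash mode is MD5 by default but can be changed to any of the modes available: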
0 = MD5
1 = md5($pass.$salt)
2 = md5($salt.$pass)
3 = md5(md5($pass))
5 = md5(md5($pass).$salt)
100 = SHA1
200 = MySQL
300 = MySQL4.1/MySQL5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials
1500 = DES
You can also change the GPU acceleration to any number between 1 and 80, where 1 is the nicest to your system and 80 is the fastest. This setting depends on whether you are running an X server or doing any other tasks on your computer. My box is dedicated to cracking so I use 80 for everything.
Other options you can change are the output file, the input dictionary and the number of GPU loops.
One other change I made to my script was to add a line to fully bruteforce 7 chars. This will make the script take 4-5 hours to complete but I feel that's well worth it. I simply added the line to the bruteforce section of the script.
```
if [ $BRUTEFORCE -eq 1 ]
then
  $ECHO Running brute-force attacks

  run -1 ?l?d?u?s ?1 ?1
  run -1 ?l?d?u?s ?1?1 ?1
  run -1 ?l?d?u?s ?1?1 ?1?1
  run -1 ?l?d?u?s ?1?1?1 ?1?1
  run -1 ?l?d?u ?1?1?1 ?1?1?1
  run -1 ?l?d?s ?1?1?1 ?1?1?1

  run ?d?d?d?d ?d?d?d
  run ?d?d?d?d ?d?d?d?d
  run ?d?d?d?d ?d?d?d?d?d
  run ?d?d?d?d ?d?d?d?d?d?d

  run ?l?l?l?l ?l?l?l
  run ?l?l?l?l ?l?l?l?l
  # added line: full 7 character bruteforce (4 left + 3 right positions)
  run -1 ?l?d?u?s ?1?1?1?1 ?1?1?1
  $ECHO ""
fi
```
OK, so once our script is edited let's run it against our list of MD5s:
(I did not include the 7 char bruteforce in this example)
```
[root@tools oclHashcat-0.20]# ./batchcrack.sh opencrack.txt
Running mask attacks
$ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d ... RT: 12 CR: 0 / 5331
$ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d ... RT: 13 CR: 0 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?l ?d?d?d ... RT: 12 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?l ?l?d?d ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?l?l?l ?l?l?d ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?l?l ?l?l?l ... RT: 14 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?l ?l?l?l ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?l?l?l ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?l?l ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l ... RT: 12 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d?d ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d?d ... RT: 13 CR: 10 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d?d ... RT: 13 CR: 14 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?l ?d?d?d?d ... RT: 14 CR: 27 / 5331
$ ./oclHashcat64.bin ... ?d?d?l?l ?l?l?d?d ... RT: 14 CR: 27 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?l?l?l?l ... RT: 19 CR: 27 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?l?l?l ... RT: 15 CR: 28 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l?l ... RT: 14 CR: 30 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?l ... RT: 13 CR: 30 / 5331
$ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d?d?d ... RT: 14 CR: 31 / 5331
$ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d?d?d ... RT: 16 CR: 33 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d?d?d ... RT: 17 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l?l?l ... RT: 39 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?l?l ... RT: 22 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?l ... RT: 17 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d ... RT: 13 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d ... RT: 12 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d ... RT: 13 CR: 37 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?l ?d?d?d ... RT: 13 CR: 37 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?l ?l?d?d ... RT: 13 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?l ?d?d?d?d ... RT: 14 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d?d?d ... RT: 14 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d?d?d ... RT: 16 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d?d?d ... RT: 17 CR: 39 / 5331

./batchcrack.sh: line 186: i: command not found
Running combinator attacks
$ ./oclHashcat64.bin ... example.dict example.dict ... RT: 19 CR: 54 / 5331
$ ./oclHashcat64.bin ... example.dict example.dict --rule-left=l$- ... RT: 18 CR: 54 / 5331

Running hybrid attacks
$ ./oclHashcat64.bin ... -1 ?l?d?s?u example.dict ?1 ... RT: 12 CR: 54 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?s?u example.dict ?1?1 ... RT: 12 CR: 56 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d example.dict ?1?1?1 ... RT: 15 CR: 63 / 5331
$ ./oclHashcat64.bin ... -1 ?d example.dict ?1?1?1?1 ... RT: 13 CR: 70 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?s?u ?1 example.dict ... RT: 15 CR: 71 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?s?u ?1?1 example.dict ... RT: 14 CR: 75 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d ?1?1?1 example.dict ... RT: 15 CR: 79 / 5331
$ ./oclHashcat64.bin ... -1 ?d ?1?1?1?1 example.dict ... RT: 14 CR: 81 / 5331

Running brute-force attacks
$ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1 ?1 ... RT: 13 CR: 81 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1 ?1 ... RT: 12 CR: 81 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1 ?1?1 ... RT: 13 CR: 82 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1?1 ?1?1 ... RT: 15 CR: 84 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?u ?1?1?1 ?1?1?1 ... RT: 27 CR: 91 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?s ?1?1?1 ?1?1?1 ... RT: 43 CR: 93 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d ... RT: 13 CR: 94 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d ... RT: 12 CR: 96 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?d ... RT: 14 CR: 101 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?d?d ... RT: 29 CR: 127 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?l ?l?l?l ... RT: 15 CR: 129 / 5331
```
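As you can see there are a variety of targeted attacks in this script. We recovered 127 of 5331 passwords, which is pretty good for a script which takes 10 mins to run. If we include the 7 char bruteforce line we increase our chances significantly.
Once the script is finished the cracked hashes will be in a nice hash:password format in the output file: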
```
[root@tools oclHashcat-0.20]# head -n 25 batchcrack.out
016d36db759cbd97f97b8f44d1586020:zukt,
01f83ed4bd86376bd9fa66e473b074f8:jfuf2009
027e6a2a604638adbd930b4557063c15:0129112924
03cc48ea3a4d1ee0414d0deadd07d023:0162645647
05032716992559f48cf71028ea8a36cb:temp4562
053f55b3c966e636577b27d29c3a6e01:fqmrrkez
06a776ee99089aea3d42d29dcd6e7fb4:pmvntugx
06aee226d2d65dc15ad4e12670bda119:zlnytrdx
06bfa6e9bc34362a51e0809f4538e72d:safalala
077e1e814d536ac7ea4d2a807139b8c3:uiclqcwd
083097a6b9af3c8f670f5b9a7ad4f17b:9212280494
08571f5827caf4405af9ffb5d346f2bc:kxjfmulh
089ebba58081b56b18563a0dc37a56c3:bgwwlpwr
08cd4d799f69a6692295134b07582a2f:ruzwmgjk
08d553c67a1b549fbbb6f8c105a2576f:vwyxpfbw
091436aed7244fdb9c739d26d8d6344a:oyohrvbd
09e752289986cf77e8970aaab3c64ad9:ptfapwwv
0a34afb822cf799d3a4480f6fc156bd4:zurjpwxp
0a5be673cd81a2bc3cf9fd27c620729a:qmzkkzox
0a7b0eb41f25362dc841a01969a32d39:ybtztguo
0ab2c17e2bc85953e93f194debe2a032:qtyqty
0ad18ed230360f5766ec26bced48a1fd:vkydksvx
0b281b54fbd3ec9da2c8beee878703f3:tzvhrcek
0b9a85aca47e4b2cbb537032958d9f3c:utsnrccj
0bbd06bbf91816b3284e5603464e4e8c:dkffsvtv
```
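All in all oclHashcat is a great new tool and will be a strong contender in the GPU hash cracking field. My only 2 problems with the tool are that there is no range function (which the author has promised to fix) and that the source is not available. For more information on oclHashcat you can visit their website, forums and IRC channel.
Thanks to pureh@ate from question-defense.com for this tutor… it means a lot!!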