Saturday, June 4, 2011

Cracking Password Hashes with CPU & GPU Power

UPDATE: New video at bottom...

Today I am going to tell you about a kick-ass tool for cracking hashes on the Windows platform that is capable of leveraging the power of your CPU, or even better the power of your GPU(s)...or BOTH. I am even going to use a few pictures for a first, hope you like it. The genius developers behind Hashcat and oclHashcat just released a new version which puts everything in a nice streamlined GUI that is very simple to use and works with both NVidia (CUDA) and ATI (OpenCL) cards, or just plain old CPU power. If you're a console junkie they still have those versions available independently for download as well. You can find them all here: You can choose the one you want from the options on the left, but today I am going to be covering the wonderful new GUI that was just released (hashcat-gui_v0.4.2). I highly suggest you wander the Hashcat site after you read through this, as it is full of knowledge and well-written overviews and examples. For now, I will cover some basics...

The entire suite of tools, using CPU and GPU together, is very powerful, which exponentially speeds up the time to recovery, and it is capable of cracking the following types of hashes:
·        MD5 (and MANY variations)
·        SHA1 (and variations)
·        MySQL
·        SSHA-1
·        MD4
·        NTLM
·        Domain Cached Credentials (DCC)
·        MSSQL
·        SHA256
·        SHA-512
·        Oracle 11G
·        DES(Unix)

A few other highlights worth mentioning are that it does not require any installation (it can run from USB), it is FREE, and it works on both 32- and 64-bit operating systems. The tool set is also capable of working under Linux, and the console versions come pre-loaded with Backtrack 4 and 5, but I am excited and focused on the latest GUI release so I won’t be covering those, as I am tired of typing out the commands (hence my excitement). The latest GUI wraps all of the previous console releases under one roof (hashcat, oclHashcat, oclHashcat-plus, and oclHashcat-lite). Now for some overview and review...

You will need to download the software from the link I gave you above and unzip the folder to wherever you would like to run it from. If you are using the GUI version the location doesn’t matter; if you are using the console version you need to navigate to that folder for it to work unless you modify your environment paths. You can just double click on hashcat-gui64.exe or hashcat-gui32.exe, depending on your setup, and it will launch the GUI. You should see this first (choose the one that fits your system):

Choose CUDA for NVidia cards and OpenCL for ATI cards, or CPU if you don’t have any GPU to use. NOTE: If you select one of the GPU options it will load the CPU requirements as well, so you only need to choose one option. It will then load the GUI with all of the needed tools, which will look like this:

Hashcat (Tab1):
Let’s begin with an overview of Hashcat first and then I will take you through the other tabs. Hashcat is the part of the tool that leverages the CPU power to crack hashes, while the rest of the tools/tabs we will cover rely on the GPU(s). You will need to place your hashes in a file so you can load it in the tool; just click on Open and browse to find and load it. Next you can choose whether or not to remove the cracked hashes. I like to move copies into the local Hashcat folder to work on so I have backups elsewhere, and I find it nice to size the list down as I go through all of my variations to get an idea of what is working and what isn’t (this helps if you are working on large lists). You can also change the HASH:PASS separator if you do not like the default ":", but this is not typically needed. Also, I have a nice trick I will share later that works if you keep the default. Next come the wordlists; you can add as many as you have and then arrange the order of them as well. Simply click on the "Add files" button and browse to where you keep your dictionary files. I have used shmoosh2x64.exe to combine all of my wordlists into a single file; I suggest you find a tool that works for you to keep the number to a reasonable level, or group them by category so you can load in the ones you want or arrange them as needed after loading them all in. Next you will need to identify the mode and the hash type to use. You can change the mode to alter your wordlist based on the description, use bruteforce mode, or go a step further and use rules to alter your wordlists, performing a hybrid attack.

I will assume you can figure out the Hash Type drop down menu but some may have trouble with the modes so here is a quick overview of the different attack modes:
·        straight - This mode will go through your dictionary from top to bottom without altering anything; if the password is on your list it will find it, if not it won’t...
·        combination - This mode will combine words together in the form of word1word1, word1word2 using the defined dictionary to pair the word combinations.
·        Toggle-Case - This mode will go through your defined wordlist and will alternate the Case used on each of the words, for example: word, Word, wOrd, woRd, worD, and so on...
·        Permutation - This mode will try to extend your wordlist by trying all possible combinations of words that might be created from the characters used in each word. This can be accomplished through a good rule set so I won’t cover too much of it...
·        Table-Lookup - This mode allows you to compare Hashes against pre-computed hash tables. If you have these on hand or if you have created them yourself this may be helpful to you. I tend not to use rainbow tables so I will not go into this here...
·        Bruteforce - This will try to find the password by simply trying every possible combination available given the charset to use and the min and max length to try; the time needed to run through all of them depends on the charset used and the strength of the setup you run it on.

I advise reviewing the Hashcat site for rules files, as they can be used to manipulate your wordlist and make it exponentially more valuable and effective. They allow you to manipulate a wordlist as defined by the rule set used. You can use this to get the same effects as Toggle-Case, Permutation, and Combination, as well as custom ones like adding 2011 to the end or beginning of each word, or maybe in the middle instead. These types of things can all be defined in the rules and then loaded in to modify your wordlist on the fly. I generally run the "Straight" attack mode first and then roll through all of the rules I have set up one by one, with a much higher rate of effectiveness.
Here are some possible charsets you might want to try out if you will be Bruteforcing your way to victory. Just keep in mind how they can impact the time it might take to crack by cycling through all possible combinations, and also why it is important to keep a secure password:
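To make concrete how a rules file turns one word into many candidates, here is a small interpreter for a subset of the Hashcat rule syntax. It is an added example written for this post, not Hashcat's own engine (which supports many more functions), and the sample words and rules are constructed for illustration. It covers the functions the paragraph above describes: toggle case (`t`, `TN`), capitalize (`c`), append (`$X`) and prepend (`^X`) for things like adding 2011 to either end, plus reverse, duplicate, delete and substitute.

```python
# Added example: a minimal interpreter for a subset of Hashcat rule syntax.
# Not Hashcat's code; real hashcat rules support many more functions.
# Positions N in TN use 0-9 then A-Z (base 36), as hashcat does.

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (a sequence of functions) to a word."""
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn in (":", " "):      # ':' is passthrough, spaces separate functions
            pass
        elif fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":           # capitalize first letter, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif fn == "C":           # lowercase first letter, uppercase the rest
            word = word[:1].lower() + word[1:].upper()
        elif fn == "t":           # toggle case of every character
            word = word.swapcase()
        elif fn == "r":           # reverse
            word = word[::-1]
        elif fn == "d":           # duplicate the whole word
            word = word + word
        elif fn == "[":           # delete first character
            word = word[1:]
        elif fn == "]":           # delete last character
            word = word[:-1]
        elif fn == "T":           # TN: toggle case at position N
            i += 1
            pos = int(rule[i], 36)
            if pos < len(word):
                word = word[:pos] + word[pos].swapcase() + word[pos + 1:]
        elif fn == "$":           # $X: append character X
            i += 1
            word = word + rule[i]
        elif fn == "^":           # ^X: prepend character X
            i += 1
            word = rule[i] + word
        elif fn == "s":           # sXY: replace every X with Y
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
        i += 1
    return word


def expand_wordlist(words, rules):
    """Run every rule over every word; return unique candidates in order."""
    seen, out = set(), []
    for rule in rules:
        rule = rule.strip()
        if not rule or rule.startswith("#"):   # blank lines and comments
            continue
        for w in words:
            cand = apply_rule(w, rule)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed sample inputs (not from the article)
SAMPLE_WORDS = ["password", "Summer"]
SAMPLE_RULES = [
    ":",            # the word unchanged (same as the straight attack)
    "c",            # Password, Summer
    "t",            # PASSWORD, sUMMER
    "$2$0$1$1",     # append 2011, one character at a time
    "^1^1^0^2",     # prepend 2011: each ^ pushes to the front, so write it reversed
    "c $1 $2 $3",   # capitalize and append the author's high-yield 123 suffix
    "sa@ so0",      # simple leetspeak substitutions
]

if __name__ == "__main__":
    for cand in expand_wordlist(SAMPLE_WORDS, SAMPLE_RULES):
        print(cand)
```

Note the prepend rule: because each `^X` pushes one character onto the front, `^2^0^1^1` yields `1102password`, so you write the characters in reverse order to get `2011password`.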
·        0123456789
o   3628800 Possible Combinations
·        abcdefghijklmnopqrstuvwxyz
o   403291461126605635584000000 Possible Combinations
·        !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
·        abcdefghijklmnopqrstuvwxyz0123456789
o   3.7199332678990121746799944815084e+41 Possible Combinations
·        ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
·        abcdefghijklmnopqrstuvwxyz0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
o   2.4800355424368305996009904185692e+96 Possible Combinations
·        abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
·        abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
o   1.0873661566567430802736528525679e+146 Possible Outcomes

NOTE: Possible combinations can be derived using factorial functions: x!, where x = number of characters available to use, hence:
·        0123456789 - 10! OR 10 x 9 x 8 x 7 x 6 x 5 x 4 x 3 x 2 x 1 = 3628800 Possible Combinations

That is all the math I will bore you with for now; sorry, but I thought someone out there might find this interesting. Once you have identified the method that works best for you, simply set up all the options and point everything to the correct files. If you have elected to have the cracked hashes removed then you might want to also check the Output option "Write recovered hashes to file" and point it to where you want the output to go. It will create a new file if needed, and it will share nicely with the other tabs if you decide to use one file for all of your outputs. You can also play with the output formatting to put it in the form of HASH:PASS, HASH:HEX_PASS or HASH:PASS:HEX_PASS.

TRICK: If you want to take the found passwords from the output file and add them to the wordlist, you can write your own batch script or Perl script to remove the hash prefix, using the "hash list separator" as your indicator of where to stop removing characters from each line. If that doesn’t work you can copy and paste the list online here: You can identify your hash list separator on the right hand side and then let it run. It will allow you to split the list into a separate hash file and a separate password file, which you can then add to your wordlist or manage as needed. See screenshot below:
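The author suggests a batch or Perl script for this trick; the following is an added Python example (not the article's or Hashcat's code) that does the split offline. It cuts each output line at the FIRST separator, so a password that itself contains ":" survives intact, and when the output was written in the HASH:PASS:HEX_PASS format it decodes the trailing hex field instead, which removes the ambiguity entirely. The sample lines are constructed here with MD5 hashes computed at run time; the output file names are assumptions.

```python
# Added example (not from the article): split Hashcat output lines into a
# hash file and a password file using the hash list separator.
import hashlib


def split_output_line(line: str, sep: str = ":", has_hex: bool = False):
    """Return (hash, password) for one HASH:PASS or HASH:PASS:HEX_PASS line,
    or None for an empty line."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    # The hash never contains the separator, so cut at the first one only;
    # everything after it is the password, colons included.
    digest, _, rest = line.partition(sep)
    if has_hex:
        # HASH:PASS:HEX_PASS - the last field is the unambiguous hex form.
        _, _, hex_pass = rest.rpartition(sep)
        password = bytes.fromhex(hex_pass).decode("latin-1")
    else:
        password = rest
    return digest, password


def split_output(lines, sep: str = ":", has_hex: bool = False):
    """Return (hashes, unique_passwords) from an iterable of output lines."""
    hashes, passwords, seen = [], [], set()
    for line in lines:
        parsed = split_output_line(line, sep, has_hex)
        if parsed is None:
            continue
        digest, pw = parsed
        hashes.append(digest)
        if pw not in seen:          # keep the wordlist free of duplicates
            seen.add(pw)
            passwords.append(pw)
    return hashes, passwords


def write_split_files(lines, hash_path, pass_path, sep=":", has_hex=False):
    """Write the two files; returns how many passwords went into the wordlist."""
    hashes, passwords = split_output(lines, sep, has_hex)
    with open(hash_path, "w", encoding="latin-1") as fh:
        fh.write("\n".join(hashes) + "\n")
    with open(pass_path, "w", encoding="latin-1") as fp:
        fp.write("\n".join(passwords) + "\n")
    return len(passwords)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("latin-1")).hexdigest()


# Constructed sample output, hashes computed here rather than copied
SAMPLE_PASSWORDS = ["password", "pa:ss", "Summer123", "password"]
SAMPLE_PLAIN = [f"{md5_hex(p)}:{p}" for p in SAMPLE_PASSWORDS]
SAMPLE_WITH_HEX = [f"{md5_hex(p)}:{p}:{p.encode('latin-1').hex()}"
                   for p in SAMPLE_PASSWORDS]

if __name__ == "__main__":
    # Assumed file names for the demonstration
    n = write_split_files(SAMPLE_PLAIN, "found_hashes.txt", "found_passwords.txt")
    print(f"wrote {n} unique passwords to found_passwords.txt")
```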
Everything so far relates to the main tab for Hashcat, which relies on CPU power. This can be fine if you have a simple rule set or a small wordlist, but it can take centuries if you have a rather complex rule set and a really large wordlist. For example, I am running this with the latest i7 core processor and can get speeds of about 56 million words a second, which may take around 13 hours if I let it go non-stop at an 8 character password with the "abcdefghijklmnopqrstuvwxyz0123456789" charset. If I wanted to start testing longer password possibilities or larger charsets the time would start growing exponentially and would become unrealistic after a while. This is where it is handy to upgrade your motherboard with a few video cards and start putting them to use in cracking. The GPU cores can help out with the job and can achieve insanely high pass-through rates. If I run the same bruteforce attack using my two GPU-enabled cards (450GTS & 580GTX-ti) I can speed things up to about 800 million passwords a second, cutting the attack time from ~13 hours to just under an hour. This makes a HUGE difference in completion time!!!

Let us now review the three (3) different GPU tools available and how and when to use them: oclHashcat/cudaHashcat, oclHashcat-plus/cudaHashcat-plus, and oclHashcat-lite/cudaHashcat-lite.

cudaHashcat/oclHashcat (Tab2):
There is cudaHashcat/oclHashcat, which can be used for bruteforcing MD5, MD4, NTLM, DCC, SHA-1, and MySQL hashes. It is handy for bruteforcing a large hash list after exhausting all of your dictionaries. It also has the ability to apply rules to either side of the password combinations being tried (left vs. right side). This tool will take the default built-in charsets or custom user-defined charsets and will run much faster than any CPU bruteforce attempt. You define the charset to use with the mask feature, identifying the number of characters to use. You would need to define 4 on one side and 4 on the other to try all possibilities for an 8 character password. Here is an overview of what can be used to define how you want to perform this hybrid attack:
·        ?l = lowercase alpha (abcdefghijklmnopqrstuvwxyz)
·        ?u = uppercase alpha (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
·        ?d = numerical digits (0123456789)
·        ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
·        ?h = ISO-8859 characters from 0xc0 - 0xff
·        ?D = 8bit characters from German alphabet
·        ?F = 8bit characters from French alphabet
·        ?R = 8bit characters from Russian alphabet
·        ?1 = number one - use custom charset 1 (uses whatever you copy into the empty field)
·        ?2 = number two - use custom charset 2
·        ?3 = number three - use custom charset 3
·        ?4 = number four - use custom charset 4

?l?l?l?l ?l?l?l?l would define a password of 8 characters in length using all lowercase alphabet as charset to try all possibilities: aaaaaaaa-zzzzzzzz.

The custom charsets can be used as needed, but I find them helpful for adding specific combinations to the end or beginning of the passwords being tried. For example, you could define custom1 as 1, custom2 as 2, custom3 as 3, and custom4 as 4 to define the last 4 characters as 1234, which depending on your placement can create a whole new dictionary. I have found that ending with 123 has very high success rates on real life samples.

?l?l?l?l ?1?2?3?4 would define a password of 8 characters and would fix 1234 as the last four characters of each password attempted, from aaaa1234-zzzz1234. Hopefully you can see how this can be helpful when all dictionary attempts have been exhausted and/or you have some helpful information to narrow down the possibilities to be used, since you can define the placement and characters to be used in the attempts.
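The size of a mask's keyspace is what decides whether an attack finishes in an hour or never: each position contributes a factor equal to the size of its charset, so ?l?l?l?l ?l?l?l?l is 26^8 candidates and ?l?l?l?l ?1?2?3?4 with single-character custom charsets is only 26^4. The added example below (written for this post, not Hashcat's code) parses a mask in the notation listed above, computes its keyspace, and estimates run time at a given guess rate. At the author's 56 million and 800 million guesses per second it reproduces the roughly 13 hour versus under-an-hour figures given earlier for the 8 character lowercase-plus-digits charset. The ?s charset is the one listed on this page (32 characters; current hashcat versions also count the space), and the guess rates are the author's numbers, not measurements of any particular hardware.

```python
# Added example (not Hashcat's code): keyspace and run-time estimate for a
# Hashcat mask such as "?l?l?l?l ?1?2?3?4". Built-in charsets follow the
# list in the article; custom charsets ?1-?4 are supplied by the caller.
import string

BUILTIN_CHARSETS = {
    "l": string.ascii_lowercase,   # ?l
    "u": string.ascii_uppercase,   # ?u
    "d": string.digits,            # ?d
    "s": string.punctuation,       # ?s as printed on this page (32 chars)
}


def parse_mask(mask: str, custom=None):
    """Expand a mask into one charset string per password position.

    Literal characters are allowed ("?l?l?l?l2011"), "??" is a literal
    question mark, and spaces (the GUI's left/right split) are ignored.
    """
    custom = custom or {}
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == " ":
            i += 1
            continue
        if ch == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            key = mask[i + 1]
            if key == "?":
                positions.append("?")
            elif key in BUILTIN_CHARSETS:
                positions.append(BUILTIN_CHARSETS[key])
            elif key in "1234" and key in custom:
                positions.append(custom[key])
            else:
                raise ValueError(f"unknown or undefined charset ?{key}")
            i += 2
        else:
            positions.append(ch)
            i += 1
    return positions


def keyspace(mask: str, custom=None) -> int:
    """Number of candidates a mask generates: product of charset sizes."""
    total = 1
    for cs in parse_mask(mask, custom):
        total *= len(set(cs))      # duplicate characters count once
    return total


def charset_keyspace(charset: str, length: int) -> int:
    """Plain bruteforce over one charset at a fixed length: size ** length."""
    return len(set(charset)) ** length


def eta_seconds(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a given rate."""
    return candidates / guesses_per_second


def fmt_duration(seconds: float) -> str:
    for unit, size in (("year", 365 * 86400), ("day", 86400),
                       ("hour", 3600), ("minute", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}s"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # The article's example: 8 chars over a-z0-9 at CPU vs. GPU rates
    n = charset_keyspace("abcdefghijklmnopqrstuvwxyz0123456789", 8)
    for label, rate in (("CPU 56M/s", 56e6), ("GPUs 800M/s", 800e6)):
        print(f"{label}: {n:,} candidates, {fmt_duration(eta_seconds(n, rate))}")
    # The custom-charset mask from the text: only the first four positions vary
    digits = {"1": "1", "2": "2", "3": "3", "4": "4"}
    print("?l?l?l?l ?1?2?3?4 ->", f"{keyspace('?l?l?l?l ?1?2?3?4', digits):,}")
```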

If you decide to use a dictionary instead of masks you can also combine rules with it on a left and right side basis, the same as masks and custom charsets above; just fill out the details for the mandatory fields. I tend to reserve my dictionaries for the next tab though, so I will not cover that part here. The last thing to complete before throwing the GPUs at things is the Resources section. You will need to define the GPU(s) to be used. If they are all the same type then do nothing and it will use them all together; however, if you have a mismatch of cards like I do (due to budget reasons) then you can simply define them using comma separated values. I use two different cards and it will only use one by default, so I change the GPU devices to state "1,2" to instruct it to use both GPU #1 and GPU #2. You will find better results if you run the same type of cards, but this is a perfectly acceptable and working alternative for those that grow on a budget or over time. If you do a little research or are more familiar with your GPU then you can tweak your heart out with the workload tuning and GPU loops, but the defaults will be fine for the average user. Finally, choose where to write your output file and in the desired format, and you can start the GPU attacks on your hash list. You will notice the command used is also displayed next to the start button if you want to learn the commands to do things from the console. This is also very helpful if you pause an attack and need to pick things up later, as the commands can be rather long and you can simply copy and paste it to where you need it. Once you hit start the command prompt should open and show the running status; you can press the "S" key to show the status at any given time.

oclHashcat-plus/cudaHashcat-plus (tab3):
This was also formerly known as oclHashcat+/cudaHashcat+ and has recently been changed to the new name. This GPU tool is used to replace the outdated CPU cracker that we originally all came to love and know as Hashcat, and it is very good for single hashes or large lists of MD5, MD4, NTLM, DCC, and DES hashes. It takes your dictionary and password files and runs the same attacks on them that Hashcat would, but instead of using the CPU it uses the GPU power, which results in exponentially faster results.
Like on tab1 for Hashcat we will need to point it to our hash list file, choose whether to remove cracked hashes or not, point it to your dictionary or password files (as many as you have or need - I haven't hit the limit yet), and identify the hash type. Now, you can’t choose attack modes here, but you can point it at your rules files, which will do way more than the default attack modes ever will, so not much is lost. If you want to let the tool auto-generate rules based on the developer’s statistical analysis you can do that as well and define how many rules to generate. As done on the oclHashcat/cudaHashcat tab you will need to define the GPU cards to use in the attack if they are not of the same kind, and adjust any of the other parameters if you are advanced enough to know what you are doing. Choose to write the output and the format type if desired, and that is it. As before it will open the command prompt for you and start running the dictionary attacks off the GPU devices identified.
Once it is running it will look similar to before, and you can use the "S" for up to date status check, "h" for help dialogue, or "q" to quit:
oclHashcat-lite/cudaHashcat-lite (tab4):
This GPU tool is a bit more precise and can only be used on a single hash at a time, but it is capable of cracking MD5, SHA-1, MySQL > 4, NTLM, and Domain Cached Credentials (DCC) hashes at extremely fast rates.
This can be very handy when you have a high priority hash and want to focus everything you have on bruteforcing it. You will also need to define the mask to use if desired, or you can simply provide the charset to use and the min and max parameters for password length. You can also instruct the tool to take the charset in hex form by checking the available box.
As done for the previous tabs you will need to identify your GPU devices and tweak any advanced parameters you want. Lastly, identify whether you want to write the output to a file and where, and you are ready to fire away.
This completes the overview and review of the latest release from the Hashcat team, Hashcat-GUI-v0.4.2. I hope you have enjoyed this review and I hope you find this tool very useful in your hash cracking adventures. If you want to speed things up you can also run one attack from the GPU tools while simultaneously running an attack from the CPU powered Hashcat tab. I use this method regularly to let the CPU handle the small rule sets I have and let the more complex rules run through the GPU to save time. You can also let bruteforcing of shorter lengths run on the CPU while running anything over 7 characters long on the GPUs to save yourself some time. Enjoy, and follow up with the makers of the tool as it is being updated all the time and they never seem to stop amazing me. If you have a small problem or need some help please feel free to comment or drop me a line and I will do what I can to help out with GUI or console problems. This was not meant to be an end-all-be-all of tutorials or overviews, but I do think it is a very helpful and quite amazing tool and wanted to share it with the world. Have fun cracking...

UPDATE - Here is the video I made to accompany the article above:
