oclHashcat-plus

Description

oclHashcat-plus is a GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.

Note: Please use oclHashcat instead, plus is deprecated.

Background

The main problem with the first GPGPU hashcat version oclHashcat was to do with it’s architecture. It was designed for doing Combinator attack. That worked well with fast algorithms but in combination with slow (modern, highly iterated and salted) algorithms,that was an inefficient strategy.

As a consequence, people still used the CPU-based hashcat for serious hash-cracking. This is because it is possible to work with simple dictionary-based attacks. To be able to do dictionary-based attacks on a GPU, it was neccessary to deal with the architecture problem of oclHashcat first. The only solution was a complete new approach. This second oclHashcat version, which is designed for dictionary-based attacks, is called “oclHashcat-plus”.

Notes about simple dictionary attack on GPU:

  • Fast algorithms like MD4, MD5 or NTLM do work with simple dictionary attacks on a GPU, but this is not very efficient. It takes longer to transfer the wordlist data to GPU global memory rather than to just attack them on the CPU.

  • Slow algorithms like md5crypt (1000 iterations), phpass (up to 8k iterations) or WPA/WPA2 (16k iterations) can efficiently run on a GPU. The reason for this is that they are designed to slow down cracking performance itself. In this case, and unlike the fast algorithms, the time to copy the wordlist to GPU global memory is of no consequence.

An additional major feature of oclHashcat-plus is the GPU-based rule engine. With this it is possible to do Rule-based attack.

  • Fast algorithms make use of the GPU-based rule engine to increase GPU utilization. Using this strategy, simple dictionary-based attacks become efficient on the GPU again. The rule-engine on a GPU is very fast. Depending on the rule itself, you can reach nearly the same speed as with a combinator attack in oclHashcat. This is an absolutely unique feature against all other hash crackers.

  • Slow algorithms make use of the CPU-based rule engine to increase wordlist size. This way you can use even the very small dictionaries like “common4.txt” or “mil-dict.txt”. They are virtually expanded in memory by the CPU-based rule engine. This fits perfectly in the situation above in that the time to copy the wordlist to GPU global memory is of no consequence.

As a result, oclHashcat-plus is a lot more like the original CPU-based hashcat.

The first official release was v0.02, released on 30.01.2011.

Another important release was v0.06, released on 16.09.2011: It was the first version that supported the WPA/WPA2 algorithm.

With release of v0.07, oclHashcat-plus replaced regular oclHashcat when it ported Brute-Force Attack, Mask Attack, Combination Attack and Hybrid Attack.

Usage

Syntax

oclHashcat-plus [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...

Options

oclHashcat-plus, advanced password recovery

=======
Options
=======

* General:

  -m,  --hash-type=NUM               Hash-type, see references below
  -a,  --attack-mode=NUM             Attack-mode, see references below
  -V,  --version                     Print version oclHashcat-plus 
  -h,  --help                        Print help oclHashcat-plus 
       --eula                        Print EULA oclHashcat-plus 
       --quiet                       Suppress output oclHashcat-plus 

* Misc:

       --hex-salt                    Assume salt is given in hex
       --hex-charset                 Assume charset is given in hex
       --force                       Ignore warnings oclHashcat-plus 
       --status                      Enable automatic update of the status-screen oclHashcat-plus 
       --status-timer=NUM            Seconds between status-screen update oclHashcat-plus 

* Markov:

       --markov-hcstat               Specify hcstat file to use, default is hashcat.hcstat
       --markov-disable              Disables markov-chains, emulates classic brute-force
       --markov-classic              Enables classic markov-chains, no per-position enhancement
  -t,  --markov-threshold=NUM        Threshold when to stop accepting new markov-chains

* Session:

       --runtime=NUM                 Abort session after NUM seconds of runtime
       --session=STR                 Define specific session name oclHashcat-plus 
       --restore                     Restore session from --session oclHashcat-plus 
       --restore-timer=NUM           Save restore file each NUM seconds 

* Files:

  -o,  --outfile=FILE                Define outfile for recovered hash oclHashcat-plus 
       --outfile-format=NUM          Define outfile-format for recovered hash, see references below
  -p,  --seperator=CHAR              Define seperator char for hashlists and outfile
       --show                        Show cracked passwords only oclHashcat-plus 
       --left                        Show un-cracked passwords only oclHashcat-plus 
       --username                    Enable ignoring of usernames in hashfile
       --remove                      Enable remove of hash once it is cracked
       --disable-potfile             Do not write potfile

* Resources:

  -c,  --segment-size=NUM            Size in MB to cache from the wordfile
       --cpu-affinity=STR            Locks to CPU devices, seperate with comma
       --gpu-async                   Use non-blocking async calls (NV only)
  -d,  --gpu-devices=STR             Devices to use, separate with comma
  -n,  --gpu-accel=NUM               Workload tuning: 1, 8, 40, 80, 160
  -u,  --gpu-loops=NUM               Workload fine-tuning: 8 - 1024
       --gpu-temp-disable            Disable temperature and fanspeed readings and triggers
       --gpu-temp-abort=NUM          Abort session if GPU temperature reaches NUM degrees celsius
       --gpu-temp-retain=NUM         Try to retain GPU temperature at NUM degrees celsius (AMD only)

* Rules:

  -j,  --rule-left=RULE              Single rule applied to each word from left dict
  -k,  --rule-right=RULE             Single rule applied to each word from right dict
  -r,  --rules-file=FILE             Rules-file, multi use: -r 1.rule -r 2.rule
  -g,  --generate-rules=NUM          Generate NUM random rules
       --generate-rules-func-min=NUM Force NUM functions per random rule min
       --generate-rules-func-max=NUM Force NUM functions per random rule max

* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets
  -2,  --custom-charset2=CS          Example:
  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef
  -4,  --custom-charset4=CS          Sets charset ?1 to 0123456789abcdef

* Increment:

  -i,  --increment                   Enable increment mode oclHashcat-plus 
       --increment-min=NUM           Start incrementing at NUM oclHashcat-plus 
       --increment-max=NUM           Stop incrementing at NUM oclHashcat-plus 

==========
References
==========

* Outfile Formats:

    1 = hash[:salt]
    2 = plain
    3 = hash[:salt]:plain
    4 = hex_plain
    5 = hash[:salt]:hex_plain
    6 = plain:hex_plain
    7 = hash[:salt]:plain:hex_plain

* Built-in charsets:

   ?l = abcdefghijklmnopqrstuvwxyz
   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
   ?d = 0123456789
   ?a = ?l?u?d?s
   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
   ?h = 8 bit characters from 0xc0 - 0xff
   ?D = 8 bit characters from german alphabet
   ?F = 8 bit characters from french alphabet
   ?R = 8 bit characters from russian alphabet

* Attack modes:

    0 = Straight
    1 = Combination
    3 = Brute-force
    6 = Hybrid dict + mask
    7 = Hybrid mask + dict

* Generic hash types:

    0 = MD5
   10 = md5($pass.$salt)
   20 = md5($salt.$pass)
   30 = md5(unicode($pass).$salt)
   40 = md5($salt.unicode($pass))
  100 = SHA1
  110 = sha1($pass.$salt)
  120 = sha1($salt.$pass)
  130 = sha1(unicode($pass).$salt)
  140 = sha1($salt.unicode($pass))
  300 = MySQL
  400 = phpass, MD5(WordPress), MD5(phpBB3)
  500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
  900 = MD4
 1000 = NTLM
 1100 = Domain Cached Credentials, mscash
 1400 = SHA256
 1410 = sha256($pass.$salt)
 1420 = sha256($salt.$pass)
 1500 = descrypt, DES(Unix), Traditional DES
 1600 = md5apr1, MD5(APR), Apache MD5
 1700 = SHA512
 1710 = sha512($pass.$salt)
 1720 = sha512($salt.$pass)
 1800 = sha512crypt, SHA512(Unix)
 2100 = Domain Cached Credentials2, mscash2
 2400 = Cisco-PIX MD5
 2500 = WPA/WPA2
 2600 = Double MD5
 3000 = LM
 3100 = Oracle 7-10g, DES(Oracle)
 3200 = bcrypt, Blowfish(OpenBSD)
 5000 = SHA-3(Keccak)
 5100 = Half MD5
 5200 = Password Safe SHA-256
 5300 = IKE-PSK MD5
 5400 = IKE-PSK SHA1
 5500 = NetNTLMv1-VANILLA / NetNTLMv1+ESS
 5600 = NetNTLMv2
 5700 = Cisco-IOS SHA256

* Specific hash types:

   11 = Joomla
   21 = osCommerce, xt:Commerce
  101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
  111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
  112 = Oracle 11g
  121 = SMF > v1.1
  122 = OSX v10.4, v10.5, v10.6
  131 = MSSQL(2000)
  132 = MSSQL(2005)
  141 = EPiServer 6.x
 1722 = OSX v10.7
 2611 = vBulletin < v3.8.5
 2711 = vBulletin > v3.8.5
 2811 = IPB2+, MyBB1.2+

Default Values

Attribute Value Note
–version false
–help false
–eula false
–quiet false
–show false
–left false
–username false
–remove false
–force false
–outfile NULL
–outfile-format 3
–runtime 0
–hex-salt false
–hex-charset false
–segment-size 1
–gpu-async false
–gpu-devices NULL
–gpu-accel 0 *
–gpu-loops 0 *
–gpu-watchdog 90
–rules-file NULL
–generate-rules 0
–generate-rules-func-min 1
–generate-rules-func-max 4
–hash-type 0
–increment 0
–increment-min 1
–increment-max 15

* Indicates that the value is dependent on the algorithm and GPU platform vendor (see below)

Supported algorithms and GPU defaults

Hash-Type –gpu-accel (NVidia) –gpu-loops (NVidia) –gpu-accel (AMD) –gpu-loops (AMD)
MD5 8 128 40 128
Joomla 8 128 40 128
osCommerce, xt:Commerce 8 128 40 128
SHA1 8 64 40 64
nsldap, SHA-1(Base64), Netscape LDAP SHA 8 64 40 64
nsldaps, SSHA-1(Base64), Netscape LDAP SSHA 8 64 40 64
Oracle 11g 8 64 40 64
SMF > v1.1 8 64 40 64
OSX v10.4, v10.5, v10.6 8 64 40 64
MSSQL(2000) 8 64 40 64
MSSQL(2005) 8 64 40 64
MySQL > v4.1 8 32 40 32
phpass, MD5(WordPress), MD5(phpBB3) 1 64 16 64
md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 1 64 16 64
MD4 8 128 40 128
NTLM 8 128 40 128
Domain Cached Credentials, mscash 8 64 40 64
SHA256 8 32 40 32
descrypt, DES(Unix), Traditional DES 1 8 8 8
md5apr1, MD5(APR), Apache MD5 1 64 16 64
SHA512 8 32 40 32
OSX v10.7 8 32 40 32
Domain Cached Credentials2, mscash2 1 64 16 64
Cisco-PIX MD5 8 128 40 128
WPA/WPA2 1 64 16 128
Double MD5 8 64 40 64
vBulletin < v3.8.5 8 64 40 64
vBulletin > v3.8.5 8 32 40 32
IPB2+, MyBB1.2+ 8 32 40 32
LM 1 8 8 8
Oracle 7-10g, DES(Oracle) 1 8 8 8

Supported attack modes

Dictionary loading

The reason behind the special loading of the dictionary is that some kernels require all plaintexts to be of the same length to process them efficiently.

Brute-force crackers usually do not have this problem because the length of the generated plaintext is always the same. But it’s not so in wordlists. Usually the words in wordlists are not sorted by their length. So the idea was oclHashcat-plus would cache each of the loaded words once, and store them into specific buffers. Each word-length has one unique buffer. If a word has the length 8; it sorts it into buffer number 8. Then, if buffer 8’s threshold is reached, it processes them and clears it afterwards. This is why it is so hard for oclHashcat-plus to have a restore / resume position.

Hint: You can optimize your wordlists for oclhashcat-plus usage. You just need to sort them by their length. It is recommended that you generate seperate wordlists sorted by their length. The hashcat-utils ship with a tool called: “splitlen”, which was written for this task.

Example

cyborg@cyborg:~$ oclhashcat+ --session blah2 -m 1500 aaNpkmTlsw1HA wordlist1 -r oclhashcat+/rules/cyborg-30000.rule

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 30000
Applicable Optimizers:

  • Zero-Byte
  • Precompute-Final-Permutation
  • Not-Iterated
  • Single-Hash
  • Single-Salt
  • Scalar-Mode

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Tahiti, 3020MB, 1070Mhz, 32MCU
Device #1: Kernel oclHashcat-1.01/kernels/4098/m1500_a0.Tahiti_1348.5_1348.5 (VM).kernel (482876 bytes)
Device #1: Kernel oclHashcat-1.01/kernels/4098/bzero.Tahiti_1348.5_1348.5 (VM).kernel (30480 bytes)

Cache-hit dictionary stats wordlist1: 7 bytes, 1 words, 30000 keyspace

aaNpkmTlsw1HA:murph0

Session.Name…: blah2
Status………: Cracked
Rules.Type…..: File (oclHashcat-1.01/rules/rockyou-30000.rule)
Input.Mode…..: File (wordlist1)
Hash.Target….: aaNpkmTlsw1HA
Hash.Type……: descrypt, DES(Unix), Traditional DES
Time.Started…: Sat Apr 26 13:47:48 2014 (1 sec)
Speed.GPU.#1…: 1473 H/s
Recovered……: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress…….: 464/30000 (1.55%)
Rejected…….: 0/464 (0.00%)
WARN: ADL_Overdrive5_Temperature_Get(): -5

0 Comments

Leave a reply

CONTACT US

We're are building as a community and a team. Be a part of it.

Sending

©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?