Channel: hashcat Forum - All Forums

1080 TI - new best bang for buck?


Hashes getting skipped

I'm a new registered user, but I've been learning a lot from the forums over the last couple of years, so let me start off by saying thank you to everyone who works on this project. 

I have a system with two AMD Pro Duos that I use for demo purposes at my school, and I'm running the attack against a large file of NTLM hashes.  I've recently found that some hashes are not getting identified by hashcat during bruteforce runs, but are later showing up as a result of combinator or appending/prepending attacks.  

Steps taken: 

1) quick bruteforce with NTLM up to 12 characters and confirmed they dump to the potfile
2) append/prepend attack
3) combinator attack

I'm seeing passwords that are less than 12 chars and composed of u/l/d show up in steps 2 & 3 that should've easily been caught by the bruteforce attack.

What am I missing?

Hashcat error

hashcat v3.40



Welcome to hashcat v3.40 release!

The major changes are the following:
There's also a ton of bugfixes thanks to some very good reports from the users and others found while adding hashcat to the Coverity CI. 

From a performance perspective, there should be no changes to v3.20/v3.30, here's a detailed comparison: https://docs.google.com/spreadsheets/d/1...1439721324

I recommend upgrading even if you did not face any errors with older versions.

Thanks to everyone who contributed to this release!!!



Download here: https://hashcat.net/hashcat/



Features:
  • Added support for loading hccapx files
  • Added support for filtering hccapx message pairs using --hccapx-message-pair
  • Added support for parsing 7-Zip hashes with LZMA/LZMA2 compression indicator set to a non-zero value
  • Added support for decompressing LZMA1/LZMA2 data for -m 11600 = 7-Zip to validate the CRC
  • Added support for automatic merge of LM halves in case --show and --left is used
  • Added support for showing all user names with --show and --left if --username was specified
  • Added support for GPU temperature management on cygwin build


Algorithms:
  • Added hash-mode  1411 = SSHA-256(Base64), LDAP {SSHA256}
  • Added hash-mode  3910 = md5(md5($pass).md5($salt))
  • Added hash-mode  4010 = md5($salt.md5($salt.$pass))
  • Added hash-mode  4110 = md5($salt.md5($pass.$salt))
  • Added hash-mode  4520 = sha1($salt.sha1($pass))
  • Added hash-mode  4522 = PunBB
  • Added hash-mode  7000 = Fortigate (FortiOS)
  • Added hash-mode 12001 = Atlassian (PBKDF2-HMAC-SHA1)
  • Added hash-mode 14600 = LUKS
  • Added hash-mode 14700 = iTunes Backup < 10.0
  • Added hash-mode 14800 = iTunes Backup >= 10.0
  • Added hash-mode 14900 = Skip32
  • Added hash-mode 15000 = FileZilla Server >= 0.9.55


Fixed Bugs:
  • Fixed a problem within the Kerberos 5 TGS-REP (-m 13100) hash parser
  • Fixed clEnqueueNDRangeKernel(): CL_UNKNOWN_ERROR caused by an invalid work-item count during weak-hash-check
  • Fixed cracking of PeopleSoft Token (-m 13500) if salt length + password length is >= 128 byte
  • Fixed cracking of Plaintext (-m 99999) in case MD4 was used in a previous session
  • Fixed DEScrypt cracking in BF mode in case the hashlist contains more than 16 times the same salt
  • Fixed duplicate detection for WPA handshakes with the same ESSID
  • Fixed nvapi datatype definition for NvS32 and NvU32
  • Fixed overflow in bcrypt kernel in expand_key() function
  • Fixed pointer to local variable outside scope in case -j or -k is used
  • Fixed pointer to local variable outside scope in case --markov-hcstat is not used
  • Fixed recursion in loopback handling when session was aborted by the user
  • Fixed rule 'O' (RULE_OP_MANGLE_OMIT) in host mode in case the offset + length parameter equals the length of the input word
  • Fixed rule 'i' (RULE_OP_MANGLE_INSERT) in host mode in case the offset parameter equals the length of the input word
  • Fixed string not null terminated inside workaround for checking drm driver path
  • Fixed string not null terminated while reading maskfiles
  • Fixed truncation of password after position 32 with the combinator attack
  • Fixed use of option --keyspace in combination with -m 2500 (WPA)
  • Fixed WPA/WPA2 cracking in case eapol frame is >= 248 byte


Workarounds added:
  • Workaround added for AMDGPU-Pro OpenCL runtime: AES encrypt and decrypt Invertkey function was calculated wrong in certain cases
  • Workaround added for AMDGPU-Pro OpenCL runtime: RAR3 kernel requires a volatile variable to work correctly
  • Workaround added for Apple OpenCL runtime: bcrypt kernel requires a volatile variable because of a compiler optimization bug
  • Workaround added for NVidia OpenCL runtime: RACF kernel requires EBCDIC lookup to be done on shared memory


Technical:
  • Building: Add SHARED variable to Makefile to choose if hashcat is built as static or shared binary (using libhashcat.so/hashcat.dll)
  • Building: Removed compiler option -march=native as this created problems for maintainers on various distributions
  • Building: Removed the use of RPATH on linker level
  • Building: Replaced linking of CRT_glob.o with the use of int _dowildcard
  • Commandline: Do some checks related to custom-charset options if user specifies them
  • CPU Affinity: Fixed memory leak in case invalid cpu Id was specified
  • Dispatcher: Fixed several memory leaks in case an OpenCL error occurs
  • Events: Improved the maximum event message handling. event_log () will now also internally make sure that the message is properly terminated
  • File Locking: Improved error detection on file locks
  • File Reads: Fixed memory leak in case outfile or hashfile was not accessible
  • File Reads: Improved error detection on file reads, especially when getting the file stats
  • Files: Do several file and folder checks on startup rather than when they are actually used to avoid related error after eventual intense operations
  • Hardware Management: Bring back kernel exec timeout detection for NVidia on user request
  • Hardware Monitor: Fixed several memory leaks in case hash-file writing (caused by --remove) failed
  • Hardware Monitor: Fixed several memory leaks in case no hardware monitor sensor is found
  • Hardware Monitor: In case NVML initialization failed, do not try to initialize NVAPI or XNVCTRL because they both depend on NVML
  • Hash Parsing: Added additional bound checks for the SIP digest authentication (MD5) parser (-m 11400)
  • Hash Parsing: Make sure that all files are correctly closed whenever a hash file parsing error occurs
  • Helper: Added functions to check existence, type, read- and write-permissions and rewrite sources to use them instead of stat()
  • Keyfile handling: Make sure that the memory is cleanly freed whenever a VeraCrypt/TrueCrypt keyfile fails to load
  • Mask Checks: Added additional memory cleanups after parsing/verifying masks
  • Mask Checks: Added integer overflow detection for a keyspace of a mask provided by user
  • Mask Increment: Fixed memory leak in case mask_append() fails
  • OpenCL Device: Do a check on available constant memory size and abort if it's less than 64kB
  • OpenCL Device Management: Fixed several memory leaks in case initialization of an OpenCL device or platform failed
  • OpenCL Header: Updated CL_* errorcode to OpenCL 1.2 standard
  • OpenCL Kernel: Move kernel binary buffer from heap to stack memory
  • OpenCL Kernel: Refactored read_kernel_binary to load only a single kernel for a single device
  • OpenCL Kernel: Remove "static" keyword from function declarations; Causes older Intel OpenCL runtimes to fail compiling
  • OpenCL Kernel: Renumbered hash-mode 7600 to 4521
  • OpenCL Runtime: Added a warning about using Mesa OpenCL runtime
  • OpenCL Runtime: Updated AMDGPU-Pro driver version check, do warn if version 16.60 is detected which is known to be broken
  • Outfile Check: Fixed a memory leak for failed outfile reads
  • Restore: Add some checks on the rd->cwd variable in restore case
  • Rule Engine: Fixed several memory leaks in case loading of rules failed
  • Session Management: Automatically set dedicated session names for non-cracking parameters, for example: --stdout
  • Session Management: Fixed several memory leaks in case profile- or install-folder setup failed
  • Sessions: Move out handling of multiple instance from restore file into separate pidfile
  • Status screen: Do not try to clear prompt in --quiet mode
  • Tests: Fixed the timeout status code value and increased the runtime to 400 seconds
  • Threads: Restored strerror as %m is unsupported by the BSDs
  • Wordlists: Disable dictstat handling for hash-mode 3000 as it virtually creates words in the wordlist which is not the case for other modes
  • Wordlists: Fixed memory leak in case access a file in a wordlist folder fails
  • WPA: Changed format for outfile and potfile from essid:mac1:mac2 to hash:mac_ap:mac_sta:essid
  • WPA: Changed format for outfile_check from essid:mac1:mac2 to hash


- atom

Hashcat is not giving me a username with the hash

Hello

I am currently cracking around 11k hashes (NTLM)

When I am cracking passwords I sometimes get the username with the hash and sometimes I do not. 

user:hash:plain text is the format I would like.

Currently getting hash:plain

The usernames are from a domain, so... Domain.com\user (is this the reason why I am not getting the user?)

The command I am entering in is 
hashcat64.exe -a 3 -m 1000 --session=all --username --show  --force -o "D:\Hashcat\Hashcat GUI\req_results_found1000.txt" --outfile-format=3 -w 2 --gpu-temp-abort=90 -i --increment-min=4 --increment-max=10 "D:\req_results.txt" "D:\Hashcat\hashcat-3.30\masks\rockyou-7-2592000.hcmask"

Fan control in Linux

Has anyone had success in controlling their PWM fans from within Linux?

I am using Ubuntu 14, but can't do this.  It is most likely due to my hardware configuration.  I don't have my fans wired directly to the motherboard.  I have my fans wired to a Corsair H100i CPU cooler instead.

Controlling fans with Linux software is sometimes accomplished with these packages (at least in Ubuntu).

lm-sensors
fancontrol

Are there any particular vendors of motherboards that allow for software control of fan speeds from within the OS?

Or are hardware based PWM controllers for case fans preferred?

Where is sha1(LinkedIn) ?

WPA/WPA2: How the hash is generated

Hi

______________________________________________________________________
Networks detected: 1BSSID=b4:ee:b4:fe:33:8b ESSID=HOTFiber-1255 (Length: 13)
--> STA=78:4f:43:10:7b:64, Message Pair=0, Replay Counter=0
--> STA=78:4f:43:10:7b:64, Message Pair=2, Replay Counter=0
--> STA=48:e9:f1:9d:73:97, Message Pair=0, Replay Counter=4
--> STA=34:fc:ef:de:aa:24, Message Pair=0, Replay Counter=4
--> STA=34:fc:ef:de:aa:24, Message Pair=2, Replay Counter=4
--> STA=48:e9:f1:9d:73:97, Message Pair=2, Replay Counter=0
Written 6 WPA Handshakes
Converted by hashC.co.uk
______________________________________________________________________

FOUND 4 UNIQ HASHES:
16450dbe240e410657e933042e78cf3f:b4eeb4fe338b:48e9f19d7397:HOTFiber-1255
8955827633067ee56d0d81cb761071e2:b4eeb4fe338b:784f43107b64:HOTFiber-1255
d41217732a6a31f5735fc08065aaa885:b4eeb4fe338b:34fcefdeaa24:HOTFiber-1255
eb78f2dde751d67f6c00b9923e387e56:b4eeb4fe338b:48e9f19d7397:HOTFiber-1255


Question:
how those hashes:
16450dbe240e410657e933042e78cf3f
8955827633067ee56d0d81cb761071e2
d41217732a6a31f5735fc08065aaa885
eb78f2dde751d67f6c00b9923e387e56

are being generated?

Avoid character occurrence in brute force attack

Hi, I'm trying to brute force my WPA captured .cap file and, in order to boost the process,
I thought to set some "filters" for the hashcat process, letting it skip the charset combinations with 2 or more
sequential occurrences of the same character.

Since I know my password is a ten digit password with no sequential occurrence of the same number,
hashcat should process something like:
1010101010
1231231231 
....

but NOT something like:
1101100100
1122333123
....

Now, the basic command for a brute force attack, I think, should be:
m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d  

How do I get, in this command, a "rule" for filtering and deleting combinations
with sequential occurrences of the same number?

Thanks for your help, sorry if something's wrong, but I'm not an expert and these are my first steps with hashcat

P.S. I know it is possible to get hashcat working with a GPU to boost the process, but my GPU is too old

Ryzen OpenCL benchmarks?

I know the numbers will not compare to GPUs in any real form but for those who are looking to build a modest (1-4) GPU cluster it might be worthwhile to know what kind of numbers the new Ryzen r7 chips are putting up in hashcat, as well as any support for them or even lack of current support for that matter. I intend to purchase a few 1080Ti's for a new build in the next 4-6 weeks and am hoping someone can put up their benchmarks if Ryzen is supported to dictate my purchase from 1800x or 6800k.

R9 290x benchmark crashing at scrypt

hi!

I have my usual R9 290x (watercooled) and I was running benchmarks with version 3.30 and 3.40 

Using latest AMD drivers: 17.2.1, Windows 10 

The benchmarks on both the 3.30 and 3.40 crash exactly when scrypt is being benchmarked. The error is "Hash64.exe has stopped working". 

Any ideas what it could be?

970m vs 290x: benchmarks

I have a 970m in a laptop, and a r9 290x desktop, I ran version 3.30 on both, and got these results: 

R9 290x: 
Md5: 13043 Mh/sec
SHA1: 4704 Mh/sec

970M: 
Md5: 6626 Mh/sec
SHA1: 2301 Mh/sec
 
Does it make sense that the r9 290x is twice as fast, or there is something wrong?

hashcat-3.40

Hi, I am very new to all this so please excuse any dumb/stupid questions I may ask.
I am trying to recover an iTunes backup password for an encrypted file so I can back up without encryption.
I have used perl
perl ./itunes_backup2hashcat.pl Manifest.plist Manifest2.plist
received this output
$itunes_backup$*9*8daef7bda5c7b08aed4c75f21399ee705a6982b67e05d4132c4ccc605bab4ae688e5090bcfc53cbe*10000*68bcba5f7d414dc99e228f87bc4fcf0fa7445832**
then used
hashcat32 -a 3 -m 14700  $itunes_backup$*9*8daef7bda5c7b08aed4c75f21399ee705a6982b67e05d4132c4ccc605bab4ae688e5090bcfc53cbe*10000*68bcba5f7d414dc99e228f87bc4fcf0fa7445832** ?a?a?a?a?a?a

and receive this error
* Device #1: Intel's OpenCL runtime (GPU only) is currently broken
             We need to wait for an update of their OpenCL drivers
             You can use --force to override this but do not post error reports if you do so
No devices found/left

Can anyone advise me what this means and what I should do

Many Thanks
Harleynt

New parameter: --nonce-error-corrections

I just wanted to do a quick writeup on the new --nonce-error-corrections feature for WPA/WPA2 cracking in hashcat v3.40+x. 

Afaik hashcat is the first WPA/WPA2 cracker that addresses this feature but everyone who is using tcpdump, wireshark, tshark, airodump, besside or pyrit to capture the handshake should continue reading.

In a perfect world, valid AP Nonce / Replay-Count combinations for M1 look like this (over time):
  • NONCE = 0x.......1a, RC = 1
  • NONCE = 0x.......1b, RC = 2
  • NONCE = 0x.......1c, RC = 3
The problem is the real world. Here, not all APs do it like that. While we were validating some of the captures from the users who reported problems we found out that there are some APs which do the following instead:
  • NONCE = 0x.......1a, RC = 1
  • NONCE = 0x.......1b, RC = 1
  • NONCE = 0x.......1c, RC = 1
That alone wouldn't be a problem, because it does not hinder a valid connection from a station to the AP. The problem is only for us who capture the handshake from the air (Note: The time between those packets can be less than a second). Such a case can occur if, for example because of bad signal, the station missed the first M1 from the AP. So this is a physical problem, not a problem of the protocol or the software.

For us who are passively capturing all the packets from air we'd think we got all the packets if, for example, the entire M1-M4 handshake has been recorded (with the correct RC!). From now on we assume the client was able to connect to the station and save the handshake. So everything looks fine. The problem is, with the changed behavior of the AP as described above this technique is flawed! 

The problem is if the first packet M1 was _not_ received by the station (but by us who capture the traffic) and at the same time a second packet M1 (Note: also M1) was received by the station (but this time not by us). From a passive side, we have no way to find out about this case just by looking at M2, M3 and M4. This leads us to the main problem: We can never crack the password, even with the correct passphrase!

The good news is, if the packets we've captured are of type 0, 1, 2 or 5 (which is usually the case) we can correct this error with almost no overhead using the latest hashcat beta. Since the process of validating the handshake (which involves the use of the AP nonce) happens after the PBKDF2 computation it will not affect the cracking performance much. We will simply add a few virtual nonces (with the goal to hit the correct one) on the fly, you will not notice it. More good news is that we know that we will always have to count upwards, because whenever a client receives a new M1 packet it has to drop the older one.

The new parameter --nonce-error-corrections gives the user a way to configure the number of virtual nonces generated inside the kernel. The default is set to 16 but if you want to turn it off you can set it to 0. The value 16 means, do an additional 16 tries of the validation, each time with the AP nonce increased by one. 

The result is the following:
  • ./hashcat -m 2500 large_test1.hccapx wordlist.txt --nonce-error-corrections  0, cracked: 1898/13933
  • ./hashcat -m 2500 large_test1.hccapx wordlist.txt --nonce-error-corrections 16, cracked: 1911/13933
  • ./hashcat -m 2500 large_test2.hccapx wordlist.txt --nonce-error-corrections  0, cracked: 2021/12437
  • ./hashcat -m 2500 large_test2.hccapx wordlist.txt --nonce-error-corrections 16, cracked: 2026/12437
Maybe we'll do a 3.41 release just for that feature, not sure yet.

- atom
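
The mechanism described in the post above, as an added Python illustration (not part of the original post and not hashcat's kernel code): the PBKDF2 step runs once per candidate, and only the cheap MIC check is repeated for each virtual nonce. It assumes a WPA2 handshake (key descriptor version 2, HMAC-SHA1 MIC) and treats the AP nonce as a big-endian counter; the capture values, the passphrase and the function names are all constructed for the example.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """Key confirmation key: first 16 bytes of the 802.11i PRF output."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    # PRF block 0 is HMAC-SHA1(PMK, label || 0x00 || data || 0x00); it covers the KCK.
    return hmac.new(pmk, LABEL + b"\x00" + data + b"\x00", hashlib.sha1).digest()[:16]

def eapol_mic(kck, eapol_frame):
    """WPA2 (key descriptor version 2) MIC over the frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def check_passphrase(passphrase, cap, corrections=16):
    """Return the nonce offset at which the MIC validates, or None if it never does."""
    # Expensive step, done once per candidate: 4096 rounds of PBKDF2-HMAC-SHA1.
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), cap["essid"], 4096, 32)
    base = int.from_bytes(cap["anonce"], "big")  # assumed byte order
    for offset in range(corrections + 1):
        # Cheap step, repeated: two HMAC-SHA1 calls per virtual nonce.
        anonce = ((base + offset) % (1 << 256)).to_bytes(32, "big")
        kck = derive_kck(pmk, cap["ap_mac"], cap["sta_mac"], anonce, cap["snonce"])
        if hmac.compare_digest(eapol_mic(kck, cap["eapol"]), cap["mic"]):
            return offset
    return None

def constructed_capture(passphrase, missed_m1=3):
    """Constructed capture: the station answered a later M1 than the one recorded."""
    essid = b"example-net"
    ap_mac = bytes.fromhex("020000000001")
    sta_mac = bytes.fromhex("020000000002")
    anonce_seen = b"\xaa" * 31 + b"\x1a"                    # nonce in the M1 we captured
    anonce_used = b"\xaa" * 31 + bytes([0x1a + missed_m1])  # nonce the station used
    snonce = bytes(range(32))
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a" + bytes(114)    # stand-in M2, MIC zeroed
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)
    mic = eapol_mic(derive_kck(pmk, ap_mac, sta_mac, anonce_used, snonce), eapol)
    return {"essid": essid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce_seen, "snonce": snonce, "eapol": eapol, "mic": mic}

if __name__ == "__main__":
    cap = constructed_capture("constructed-passphrase")
    for n in (0, 16):
        print(n, check_passphrase("constructed-passphrase", cap, corrections=n))
```

With corrections set to 0 the correct passphrase is rejected for this capture; with 16 it validates at the offset by which the recorded nonce lags the one the station used.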

how to crack multiple hashtype in the same time

I see some can crack multiple hashtypes on hashcat at the same time, can anyone tell me how to do it?
I have seen the hashcat help, the parameter -m can only take one number, so why can some crack multiple hashtypes?
There cracked output like these:
substr(sha1($pass)),0,32) --1
3d4f2bf07dc1be38b20cd6e469a107:111111
md5(md5(pass)) :Double md5 --1
928da4df568e076f6767582a0570c93a5e:N4B135

It can output the hashtypes and numbers of hash.

3DES (hc 3.40): K1 == K3 and K1 != K2 possible?

Hi,
Thanks for the new version. Mode 14000 (des) works well. For mode 14100 (3des), is it possible to implement K1=K3, and K1 is independent to k2?
Thanks.

hybrid attack much slower in newer version of hashcat??

Hi all, why is the hybrid attack much slower than straight or brute force attacks on newer versions of hashcat? I mean, on versions <0.08 all these gave comparable speeds, but on newer versions the speed difference is of the order of thousands! For example, on WPA hash cracking my R7 260x gives about 66000 hashes per minute on bruteforcing or straight dictionary attacking a single hash but gives only 95 hpm on hybrid mask+dict or vice versa; a similar result is also seen on other hash types. I know the dictionary has to be large to create more work for the GPU, and increasing the dict size does increase the speed to some extent, but what's the point in using a very large dictionary when I know that a 10-100 word dictionary with some masks will give me much faster results, and these used to work on older versions (older versions do not work on my new card R7 260x; my earlier card was a HD5670, CPU is AMD Athlon II X4 @ 2.6 GHz)

Facebook Username Password.

Hello Everyone! I am new to this and learning a lot about hashcat and all of the stuff in general, but I want to know: can I crack the password of a Facebook user?

I have their email address, their username, and I know the starting word of the pass. Will all this info help me or is it just not possible? Like, can I use a mask attack or something?

need some help please

HELP 

I have no idea what I am doing really, but have been struggling with this for a few hours

""OpenCL Platform #1: Advanced Micro Devices, Inc.

================================================
* Device #1: Spectre, 1535/2559 MB allocatable, 8MCU
* Device #2: AMD A10-7800 Radeon R7, 12 Compute Cores 4C+8G , skipped

Hash 'hash.txt': Line-length exception
No hashes loaded

Started: Wed Mar 08 12:54:25 2017
Stopped: Wed Mar 08 12:54:26 2017

C:\Users\Maxim\Desktop\hashcat-3.40>"


I have looked on the wiki and checked the line length help! And have tried a varied amount of modes! Is it as simple as finding the right mode? Or have I configured it all wrong?

I have used a hash identifier to try and find out but it is MD5 so could be a few, no?

When I am making my hash.txt file I am declaring the hashes like this:

e4820b45eacxxxxxxxxxxxxxxxxxe84be
23170acc0xxxxxxxxxxxxxxxx988ab033fe
665e5bcbxxxxxxxxxxxxxxxx628bb15e

or should there be some sort of syntax at the end of each hash!

Sorry hope this makes sense

MM

PC upgrade -new MB & PSU

Thanks to the premiere of the GTX 1080 Ti I'm planning to upgrade my PC to a second (and some time later a third) card.
Current setting:

  i5-4690k
  MB - z97 - Mini itx (one pcie 3.0 x16)
  16gb ram
  GTX 1080 FE
  PSU – 650W gold

As you can see this is not, in any case, a good machine for HC, but a 1080FE is a 1080FE :).
Since it is an 1150 socket I can't see a point in upgrading to z270. An upgrade to X99 would be the best choice but it is far more expensive.
Here is what I came up with:

  i5-4690k
  MB – ASrock Z97 extreme 4 (3 slots pcie)  (x8/x4/x4) http://www.asrock.com/mb/Intel/Z97%20Ext...dex.pl.asp
  16GB ram
  GTX 1080 FE and GTX 1080 Ti FE
  PSU – Seasonic PRIME Platinum 1200W (SSR-1200PD)

Here come the questions:
1.      PSU - will it be enough for 3 cards  1x GTX 1080 + 2x 1080 TI (TDP apx 1000W)? Any other/better options?
2.      What do you think about the MB? This ASrock is the best one I found.

Thank you in advance for any response.

