Hi folks, about a week ago I reset my VeraCrypt password. Long story short: see my username.

After a week reading the forum, wiki, and googling up on password cracking, I'm almost ready to launch a years-long attack. But I could use some expert advice on designing an optimal ruleset or mask.

Some details: the password is likely 20 characters long. I believe it consists of a 32-character set, which includes some letters of both cases, a symbol and several numbers. It was based on a line of text that was right in front of me, which is why I didn't bother to write it down. I think I must've forgotten which case was used where (so I need to include a toggle attack), and I may have made a typo or accidentally held down the shift button. Is there a way I can account for all these factors in a single attack? Or should I break it down and do several simultaneously?

Since it isn't connected to anything online, I can provide the hash and/or the suspected password if that'd be relevant.

I've tried creating a dict file using crunch. This doesn't seem to have enough limiters. Using a more limited pattern with variations in only the last 6 characters, I ended up with a 6GB file; hashcat estimated that attack alone would take almost 2 years on my system (yay integrated graphics!).

How to disable the output of hacked hashes in the console window? And just to show statistics
The window was calm and only showed statistics

I have one of these cards (Radeon HD 7950) that I have never used and I'm trying to get it running in Ubuntu.  I just built a new system its looking like this card is not supported any more?  If it is supported, are there specific versions of OS / Hashcat / Drivers that I need?

Hi ,
i tried to to recover password from WPA2 hashes but whenever i am running hashcat getting separator issue.
Tried to check multiple thread but no luck. Can anyone help me in this.

below is the command and output

----------------------------------------------------------------------------------------------------------------------------------------
#hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?l?l?l?l?l?l?l' --force
hashcat (v4.2.1) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 512/1480 MB allocatable, 1MCU

Hash 'test.16800': Separator unmatched
No hashes loaded.


-----------------------------------------------------------------------------------------------------------------------------------------

Hi, I´ve read a lot and searched... is there a way to just throttle the process to keep a maximum temp? 

For example, a command to force the GPU to remain at 80c or less? I can´t find anything!!!

Thanks in advance.

Core i7-6700@2.60GHz
GTX 1070
16 GB Ram

Hello,

I am having trouble getting hashcat to recognize my GPU. I have downloaded the latest drivers from here:

https://www.amd.com/en/support/graphics/...on-hd-6850

They are installed and working properly. My machine is running Windows 7 ultimate 64. 

I gave up on trying to get the NVIDIA drivers to install on my The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux laptop, too much of a hassle. 


Any help would be appreciated.

Hello,
    I have a very simple university project that involves creating a MD5 4-char long string hash and then cracking it using brute force/masked attack, very simple premise, did the code in java for hashing and used hashcat 4.2 for brute forcing but the second one just won't work... obviously a mistake on my end since the example templates works fine. 
The hash i'm using is supposed to be MD5, 128-bit long, using ?l?d for charset since the passwords only use those characters and they are 4 char long, so should be very easy to do.
    So lets see: the code for hashcat I used is :
               ./hashcat -m 0 -a 3 -1 ?l?d -O -o=crackedHashes.txt (hash dir) ?1?1?1?1 --potfile-disable
Got this output:


Also I did try to run it with ?h?h?h?h mask
the crackedHashes.txt just isn't generated! and I disabled potfile and enabled it, deleted it, cleaned it, nothing!

These are the hashes, for what I researched, they are supposed to be regular MD5.

5259ee4a034fdeddd1b65be92debe731
4e40beaf133b47b8b0020881b20ad713
58d17e8b3add72032cf54a2f865e3dc4
d39336da4df51fae43b4ecd5848c1356

This is the java function used to hash the strings:

   public static String MD5(String txt) throws NoSuchAlgorithmException {
       MessageDigest m=MessageDigest.getInstance("MD5");
       m.update(txt.getBytes(),0,txt.length());
       return new BigInteger(1,m.digest()).toString(16);
    }

They are just test hashes so their meaning is useless...
Any clue as to why this is happening? Feels like a rookie mistake and I'm just noobing it out

Hello, new to this great forum

I'm trying to figure out a way to optimize an attempt to recover my Truecrypt password. Been doing this with hashcat for a year or so but no success.

* I have used a password with about 30 possible known words in combination. ex (dog, cat, 5000, frog, 12)
* Maybe there is also spaces between every word but maybe not.
* There are NO words used more than one time in the password.
* There are NO spaces in a row but maybe between the words. ("catdog12" or  "cat dog 12")
* The length of the password is between 15-30 characters.
* Since some words are long and some short it would be possible to exclude a lot of combinations.

I'm trying with "hashcat64 -a0 -m6211 badluck.tc mywordlist.txt"

I use OTFBrutusGUI to build different password lists. Up to about 50GB in size. I like the wordlist building that it does and I'm also used to that program since I used it before GPU-truecypt was possible.

Would be so great to get some advice on my project to find the password.


Thanks in advance!

Im trying to get a SHA1 with salt (110) cracked. But i only get this: 

plz help!

Hi,

does anyone have any performance data for BLAKE2b (64-bit version) on hashcat?

I've seen a couple of references to it in source code revision, but that's about it.

Thanks.

Hey I'm new to cracking and Linux (especially The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux) and things are going really slow and I've googled for hours not finding an answer and maybe you can help me?

Command used: hashcat -a 0 -m 1800 hashes.txt ss100.txt
(Where the hashes are salted sha-512 and the wordlist are 220k regular words)

This is the text I get.

hashcat (v4.2.1) starting...

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 860M, 1011/4046 MB allocatable, 5MCU

OpenCL Platform #2: The pocl project
====================================
* Device #2: pthread-Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz, skipped.

Hashes: 81 digests; 77 unique digests, 77 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Uses-64-Bit

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

INFO: Removed 2 hashes found in potfile.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D VENDOR_ID=32 -D CUDA_ARCH=500 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
Dictionary cache built:
* Filename..: ss100.txt
* Passwords.: 221599
* Bytes.....: 2485174
* Keyspace..: 221599
* Runtime...: 1 sec

Cracking performance lower than expected?        

* Append -O to the commandline.
  This lowers the maximum supported password- and salt-length (typically down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Update your OpenCL runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: hashes.txt
Time.Started.....: Thu Oct 25 12:06:03 2018 (27 secs)
Time.Estimated...: Thu Oct 25 12:57:34 2018 (51 mins, 4 secs)
Guess.Base.......: File (ss100.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:     5377 H/s (11.92ms) @ Accel:64 Loops:32 Thr:32 Vec:1
Recovered........: 2/77 (2.60%) Digests, 2/77 (2.60%) Salts
Progress.........: 143360/17063123 (0.84%)
Rejected.........: 0/143360 (0.00%)
Restore.Point....: 0/221599 (0.00%)
Candidates.#1....: A-aktie -> attesterats
HWMon.Dev.#1.....: Temp: 54c Util: 99% Core:1097MHz Mem:2505MHz Bus:16


What is wrong? Best Regards from John

Test results for Web publishing:
---------------------------------------------
Hashcat 4.0.1,GTX 1070 Ti 
Hashmode: 0 - MD5
Speed.Dev.#1.....: 23360.6 MH/s (27.23ms)
Speed.Dev.#2.....: 23842.0 MH/s (26.73ms)
Speed.Dev.#3.....: 23729.3 MH/s (26.77ms)
Speed.Dev.#4.....: 23735.5 MH/s (26.83ms)
Speed.Dev.#5.....: 23672.9 MH/s (26.89ms)
Speed.Dev.#*.....:   118.3 GH/s

Hashcat 3.4.0,GTX 1080TI  8GB
Hashmode: 0 - MD5
32445.9 MH/s

My job:
-------------------------------------
Hashcat 4.0.1,GTX 1080TI 4GB

Command:hashcat64.exe -m 0 -a 3 ?a?a?a?a?a?a?a?a -O md5.txt

Session..........: hashcat
Status...........: Running
Hash.Type........: MD5
Hash.Target......: be7d821296f7e8dfb20ea057ac9b6980
Time.Started.....: Fri Oct 26 09:07:44 2018 (18 secs)
Time.Estimated...: Wed Oct 31 11:31:31 2018 (5 days, 2 hours)
Guess.Mask.......: ?a?a?a?a?a?a?a?a [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 15056.2 MH/s (6.84ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 275045679104/6634204312890625 (0.00%)
Rejected.........: 0/275045679104 (0.00%)
Restore.Point....: 0/7737809375 (0.00%)
Candidates.#1....: p_Yerane -> PfQ{\523
HWMon.Dev.#1.....: Temp: 41c Fan: 33% Util: 44% Core:1911MHz Mem:5005MHz Bus:4

Why does my speed differ so much from the network test results? Is there something wrong with my command-line statement?

Dictionary attack is working with --hex-salt i get correct $HEX[310032003300340035003600] 123456 as result
But when i do brute-force with the same hash and salt i get no result, here is my syntax
Is my brute-force syntax wrong cause dictonary is working?

Hello,

I'm trying to figure out a mask attack to use with hashcat where the hash is of a password known to be 10 characters long, of a-zA-Z0-9, beginning with 3 digits.

I've looked at the mask attack page, but I can't seem to figure it out.

Maybe it's
It appears correct to me, but I'm not sure yet.

Thanks!

Hello Guys,
I write a thesis to review the security in windows systems starting with LM-Hash.
For showing the weakness of the LM-Algorithm I create a 14 char random password without numbers.
The first part i successfully obtained with help of rainbow tables and now i want to obtain the second part.
The netntlm.pl script which uses John is much too slow for it. It runs 8 hours until I canceled it.

So i created a file with all upper/lower case possibilites first (with echo{a,A}..etc)

The benchmark says that i have the power to calculate 11873 MH/s (AMD R9 390)


My calculation is that hashcat should be able to crack the remaining 7 chars in under an hour:
85(- 10 numbers)^7 / 11873000000 H/s  = time in second
85^7/11873000000= 2700 s

passwordpossibilites.txt= All Lower/Uppercase possibilites of M%RFOFT

But when i start the hybrid attack
hashcat64.exe -m 5500 hash.txt -a  6 passwordpossibilites.txt ?a?a?a?a?a?a?a

the status said that it tooks 26 years.

I then tried the example hash for netlmv1 from wiki. Pure bruteforcing is done in seconds and when i try a hybrid attack it tooks 189 days.

test.txt simple contains an 'h' (first capitol of 'hashcat')
hashcat64.exe -m 5500 hash.txt -a 6 test.txt ?a?a?a?a?a?a

What did i'm wrong im confused. I also tried to create "more work" which the program suggests :

hashcat64.exe -a 6 test.txt ?a?a?a?a?a?a | hashcat64.exe -m 5500 hash.txt

but then the estimated time is always 0 sec.

I hope someone can help me here 

Greetings
Marsupilami

For some reason I can't get hashcat to start or do anything. No matter what command I throw at it, it just says "hashcat (v4.2.1) starting..." and then dies, can't even get it to produce an error. Output below:


c:\hashcat>hashcat64 -a 0 -m 9400 hash.txt pass.txt
hashcat (v4.2.1) starting...


c:\hashcat>hashcat64 -I
hashcat (v4.2.1) starting...


c:\hashcat>




I have verified that my GPU driver is up to date and that I have the latest hashcat files. I'm trying to run it on Windows 10 x64. I feel like I'm missing something simple because what's odd is if I use the The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) app from the Windows store, that at least detects the CPU and runs.

I admit, I am a n00b, so if any more info is needed to help troubleshoot, I'll try my best to provide it. I'm at a loss for what to try next since I've never had issues with any of the other machines I use hashcat on. Any help is greatly appreciated. System info is below in case it helps. 


OS = Windows 10 Education 64-bit (10.0, Build 17134)
CPU = Intel(R) Core(TM) i7-7700k
GPU = GeForce GTX 1080 Hydrocopper
GPU Driver = GeForce Game Ready Driver Version: 416.34

Hi all !

I'm use:
hashcat64 -m 14100 A8AC874BC6632F6F:bbbbbbbbbbbbbbbb -a 3 --hex-charset ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1 -1 charsets/DES_full.charset

i'm get:
hashcat (v4.2.1-47-g6e1aec0) starting...
* Device #9: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Celeron(R) CPU G3930 @ 2.90GHz, skipped.
OpenCL Platform #2: Advanced Micro Devices, Inc.
================================================
* Device #2: Ellesmere, 3840/4096 MB allocatable, 36MCU
* Device #3: Ellesmere, 4048/8192 MB allocatable, 36MCU
* Device #4: Ellesmere, 3840/4096 MB allocatable, 36MCU
* Device #5: Ellesmere, 3840/4096 MB allocatable, 36MCU
* Device #6: Ellesmere, 3840/4096 MB allocatable, 36MCU
* Device #7: Ellesmere, 3840/4096 MB allocatable, 36MCU
* Device #8: Ellesmere, 3840/4096 MB allocatable, 36MCU
* Device #9: Intel(R) Celeron(R) CPU G3930 @ 2.90GHz, skipped.
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Minimum password length supported by kernel: 24
Maximum password length supported by kernel: 24
Watchdog: Temperature abort trigger set to 90c
Integer overflow detected in keyspace of mask: ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
Started: Sat Oct 27 11:03:27 2018
Stopped: Sat Oct 27 11:03:51 2018

Hi guys ,


EDIT : i forgot to mention this is an old mining rig i just bough used

After 5-6 format i finally got rocm to cooperate . reading the FAQ ... etc

I can now run hashcat and it see the gpu , but it only see 1 . there are 5 gpu in the machine

Now my understanding is that before with amd driver we had to do this command to for hashcat to see them all


I was hoping somone can enlight me on that. thanks


the card are RX470 and RX570 and the cpu G4400
ubuntu 18.04

Hi guys

I am starting another thread as my last one end up as apparently i can't use rocm because my cpu does not have enough lane connected directly to the cpu / mb conf.


ref
https://github.com/RadeonOpenCompute/ROCm/issues/589


Now i just bough 3x cheap used mining rig  of 6 gpu each.

My goal was to cluster then with octopolis and used it for netntlm and ntlm / wpa.

now what are my alternative ?

Are theses assumption right ?:

run linux with older version of hashcat that support amdgpu pro ( what version support it ?)
use windows ? ( doest it support clustering ? )


my rigs are g4400 ,
1 asus prime z210 p
2 asus prime h270

18 RX570

i am a little bit discourage
Any suggestion would be greatly appreciated

---

Welcome to hashcat v5.0.0!

Download binaries or sources: https://hashcat.net/hashcat/

---

This release is mostly about two new major features:

• The hashcat brain
  
• Slow candidates
  

Before we go into the long read of these new featues, here's all the other changes that come along with this release:

---

Algorithms:

• Added hash-mode 17300 = SHA3-224
  
• Added hash-mode 17400 = SHA3-256
  
• Added hash-mode 17500 = SHA3-384
  
• Added hash-mode 17600 = SHA3-512
  
• Added hash-mode 17700 = Keccak-224
  
• Added hash-mode 17800 = Keccak-256
  
• Added hash-mode 17900 = Keccak-384
  
• Added hash-mode 18000 = Keccak-512
  
• Added hash-mode 18100 = TOTP (HMAC-SHA1)
  
• Removed hash-mode 5000 = SHA-3 (Keccak)
  

---

Improvements:

• Added additional hybrid "passthrough" rules, to enable variable-length append/prepend attacks
  
• Added a periodic check for read timeouts in stdin/pipe mode, and abort if no input was provided
  
• Added a tracker for salts, amplifier and iterations to the status screen
  
• Added option --markov-hcstat2 to make it clear that the new hcstat2 format (compressed hcstat2gen output) must be used
  
• Allow bitcoin master key lengths other than 96 bytes (but they must be always multiples of 16)
  
• Allow hashfile for -m 16800 to be used with -m 16801
  
• Allow keepass iteration count to be larger than 999999
  
• Changed algorithms using colon as separators in the hash to not use the hashconfig separator on parsing
  
• Do not allocate memory segments for bitmap tables if we don't need it for example, in benchmark mode
  
• Got rid of OPTS_TYPE_HASH_COPY for Ansible Vault
  
• Improved the speed of the outfile folder scan when using many hashes/salts
  
• Increased the maximum size of edata2 in Kerberos 5 TGS-REP etype 23
  
• Make the masks parser more restrictive by rejecting a single '?' at the end of the mask (use ?? instead)
  
• Override --quiet and show final status screen in case --status is used
  
• Removed duplicate words in the dictionary file example.dict
  
• Updated Intel OpenCL runtime version check
  
• Work around some AMD OpenCL runtime segmentation faults
  
• Work around some padding issues with host compilers and OpenCL JiT on 32 and 64-bit systems
  

---

Fixed Bugs:

• Fixed a invalid scalar datatype return value in hc_bytealign() where it should be a vector datatype return value
  
• Fixed a problem with attack mode -a 7 together with stdout mode where the mask bytes were missing in the output
  
• Fixed a problem with tab completion where --self-test-disable incorrectly expected a further parameter/value
  
• Fixed a race condition in status view that lead to out-of-bound reads
  
• Fixed detection of unique ESSID in WPA-PMKID-* parser
  
• Fixed missing wordlist encoding in combinator mode
  
• Fixed speed/delay problem when quitting while the outfile folder is being scanned
  
• Fixed the ciphertext max length in Ansible Vault parser
  
• Fixed the tokenizer configuration in Postgres hash parser
  
• Fixed the byte order of digest output for hash-mode 11800 (Streebog-512)
  

---

---

Hashcat has a new generic password candidate interface called "slow candidates".

The first goal of this new interface is to allow attachment of advanced password candidate generators in the future (for example hashcat's table attack, kwprocessor, OMEN, PassGAN, PCFG, princeprocessor, etc.). At this time, the only attack modes that have been added are hashcat's straight attack (including rules engine), combinator attack, and mask attack (AKA brute-force with Markov optimizer). You can enable this new general password-candidate interface by using the new -S/--slow-candidates option.

The second goal of the slow candidates engine is to generate password candidates on-host (on CPU). This is useful when attacking large hashlists with fast hashes (but many salts), or generally with slow hashes. Sometimes we cannot fully run large wordlists in combination with rules, because it simply takes too much time. But if we know of a useful pattern that works well with rules, we often want to use rules with a smaller, targeted wordlist instead, in order to exploit the pattern. On GPU, this creates a bottleneck in hashcat's architecture - because hashcat can only assign the words from the wordlist to the GPU compute units.

A common workaround for this is to use a pipe, and feed hashcat to itself. But this traditional piping approach came at a cost - no ETA, no way to easily distribute chunks, etc. It was also completely incompatible with overlays like Hashtopolis. And if piping hashcat to itself isn't feasible for some reason, you quickly run into performance problems with small wordlists and large rulesets.

To demonstrate this, here's an example where you have a very small wordlist with just a single word in the wordlist, but a huge ruleset to exploit some pattern:

Quote:$ wc -l wordlist.txt
1 wordlist.txt
$ wc -l pattern.rule
99092 pattern.rule

Since the total number of candidates is ([number-of-words-from-wordlist] * [number-of-rules]), this attack should theoretically be enough to fully feed all GPU compute units. But in practice, hashcat works differently internally - mostly to deal with fast hashes. This makes the performance of such an attack terrible:

Quote:$ ./hashcat -m 400 example400.hash wordlist.txt -r pattern.rule --speed-only
...
Speed.#2.........:      145 H/s (0.07ms)

This is where slow candidates comes into play. To feed the GPU compute units more efficiently, hashcat applies rules on-host instead, creating a virtual wordlist in memory for fast access. But more importantly from hashcat's perspective, we now have a large wordlist, which allows hashcat to supply all GPU compute units with candidates. Since hashcat still needs to transfer the candidates over PCI-Express, this slows down cracking performance. In exchange, we get a large overall performance increase - multiple times higher, even considering the PCI-Express bottleneck - for both slow hashes and salted fast hashes with many salts,

Here's the exact same attack, but using the new -S option to turn on slow candidates:

Quote:$ ./hashcat -m 400 example400.hash wordlist.txt -r pattern.rule --speed-only -S
...
Speed.#2.........:   361.3 kH/s (3.54ms)

---

---

This feature will have a significant impact on the art of password cracking - either cracking alone, in small teams over a local network, or in large teams over the Internet.

From a technical perspective, the hashcat brain consists of two in-memory databases called "long-term" and "short-term". When I realized that the human brain also has such a long-term and a short-term memory, that's when I chose to name this feature the "hashcat brain". No worries, you don't need to understand artificial intelligence (AI) here - we are simply talking about the "memory features" of the human brain.

Put simply, the hashcat brain persistently remembers the attacks you've executed against a particular hashlist in the past ... but on a low level.

Hashcat will check each password candidate against the "brain" to find out if that candidate was already checked in the past and then accept it or reject it. The brain will check each candidate for existence in both the long-term and short-term memory areas. The nice thing is that it does not matter which attack-mode originally was used - it can be straight attack, mask attack or any of the advanced future generators. 

The brain computes a hash (a very fast one called xxHash) of every password candidate and store it in the short-term memory first. Hashcat then starts cracking the usual way. Once it's done cracking, it sends a "commit" signal to the hashcat brain, which then moves the candidates from the short-term memory into the long-term memory.

The hashcat brain feature uses a client/server architecture. That means that the hashcat brain itself is actually a network server. I know, I know - you don't want any network sockets in your hashcat process? No problem, then disable the feature in the makefile by setting ENABLE_BRAIN=0 and it will be gone forever. 

It's a network server for a reason. This way we can run multiple hashcat clients ... all using the same hashcat brain. This is great for collaboration with many people involved - plus it stays alive after the client shuts down. (Note, however, that even if you want to only use brain functionality locally, you must run two separate instances of hashcat - one to be the brain server, and one to be the client and perform attacks).

That's it from the technical perspective. It's hard to explain how much potential there is in this, and I'm wondering why I didn't invent this sooner. Maybe it took the Crack Me If You Can password-cracking challenge to realize that we need a feature like this.

Before you try it out yourself, let me show you a few examples.

---

Example 1: Duplicate candidates all around us

---

There's no doubt that rule-based attacks are the greatest general purpose attack-modifier on an existing wordlist. But they have a little-known problem: They produce a lot of duplicate candidates. While this is not relevant for fast hashes, it has a large impact on slow hashes.

In this example, we apply best64.rule to example.dict, and writes the result to test.txt:

Quote:$ ./hashcat --stdout example.dict -r rules/best64.rule -o test.txt

Now we can see how many candidates were produced:

Quote:$ cat test.txt | wc -l
9888032

And now, let's see how many unique candidates are inside:

Quote:$ sort -u test.txt | wc -l
7508620

Of course, the wordlist and rules used have a large impact on the number of duplicates. In our example - a common wordlist and general purpose rule - the average ratio of produced dupes seems to be around 25%. And all of these dupes are detected by the brain:

Quote:$ ./hashcat -z example0.hash example.dict -r rules/best64.rule
...
Rejected.........: 2379391/9888032 (24.06%)

Note:

• Hashcat brain rejects dynamically created duplicate candidates
  
• Average dynamically created duplicate candidates is around 25%
  
• Eliminating the duplicate 25% reduces the attack time by 25%
  

---

Example 2: stop caring about what you've done in the past

---

Think of this: you have a single hash, but it is very high profile. You can use all of your resources. You start cracking - nothing. You try a different attack - still nothing. You're frustrated, but you must continue.. So try more attacks ... but even after two or more days - nothing. You start wondering what you've already done, but you're starting to lose track, getting tired, and making mistakes. Guess what? The hashcat brain comes to the rescue! Here's an attack that you've tried:

Quote:$ ./hashcat -z -m 6211 hashcat_ripemd160_aes.tc rockyou.txt
...
Time.Started.....: xxx (32 mins, 6 secs)

Note that the way you use hashcat doesn't change at all. The hash mode and attack mode can be replaced with anything you'd like. The only difference in your attack is that you add the new -z option to enable hashcat's new brain "client" functionality. By using -z you will also automatically enable the use of "slow candidates" -S mode.

Now let's say that two days later, you forgot that you already performed the attack before. Or maybe it wasn't you who forgot, it's just your coworker on a different machine also trying. This is what happens:

Quote:$ ./hashcat -z -m 6211 hashcat_ripemd160_aes.tc rockyou.txt
...
Rejected.........: 14344384/14344384 (100.00%)
Time.Started.....: xxx (15 secs)

The hashcat brain correctly rejected *all* of the candidates.

Important things to note here:

• The rejected count exactly matches the keyspace.
  
• The attack took a bit of time - it's not 0 seconds. The process is not completely without cost. The client must hash all of the candidates, and transfer them to the hashcat brain; the hashcat brain must then search for those candidates in both memory regions, and send back a reject list; and then hashcat must select new candidates to fill the reject gaps, and so on ...
  
• Most important: 15 seconds is less than 32 minutes
  

---

Example 3: It's the candidates that matter, not the attack

---

As I've stated above, it's not the command line that is stored somehow - it's not high level storage in this mode. This is where the hashcat brain server starts to create a strong advantage over manual (even organized) selection of attacks, because of the overlaps that naturally occur when carrying out a variety of attacks:

Quote:$ ./hashcat -z -m 6211 hashcat_ripemd160_aes.tc -a 3 ?d?d?d?d
...
Rejected.........: 6359/10000 (63.59%)

So what happened here? It rejected 63.59% of a mask? Yes, it did. The reason is this:

Quote:$ grep -c '^[0123456789]\{4\}$' rockyou.txt
6359

Notes:

• The previous command from the second example kicks in here. In the rockyou wordlist, we have 6359 pure digits with length 4 and the hashcat brain was able to reject them - because the mask ?d?d?d?d will also produce them
  
• The hashcat brain does not care about your attack mode. Actually, you could say that the hashcat brain creates a kind of dynamic cross attack-mode while you are using it. As you can see here, attack-mode 0 and attack-mode 3 work together.
  
• The hashcat brain does not end after hashcat finishes - it stays intact because it's a stand-alone process
  

---

Example 4: Improve on what you've done in the past

---

So you're out of ideas, and you start to run some simple brute-force. But you're clever, because you know the target tends to use the symbol "$" somewhere inside the password, and you optimize your mask for this. Let's start with an example not using the hashcat brain:

Quote:$ ./hashcat -m 6211 hashcat_ripemd160_aes.tc -a 3 -1 ?l?d$ ?1?1?1?1?1?1
...
Time.Started.....: xxx (5 hours, 37 mins)
Progress.........: 2565726409/2565726409 (100.00%)

Damn - it did not crack. But then your coworker shows up and tells you that he found out that the target isn't just using the "$" symbol in his passwords, but also the "!" symbol. Damn, this makes your previous run (which took 5.5 hours) completely useless - wasted! You now need even more time for the correct run:

Quote:$ ./hashcat -m 6211 hashcat_ripemd160_aes.tc -a 3 -1 ?l?d$! ?1?1?1?1?1?1
...
Time.Started.....: xxx (6 hours, 39 mins)
Progress.........: 3010936384/3010936384 (100.00%)

Now we do the same again, but with hashcat brain enabled. All of the work of that first command will no longer be wasted. The same commandline history, but this time with hashcat brain enabled, looks like this:

Quote:$ ./hashcat -z -m 6211 hashcat_ripemd160_aes.tc -a 3 -1 ?l?d$ ?1?1?1?1?1?1
...
Time.Started.....: xxx (5 hours, 37 mins)

But now, if we add the "!" character, we see the difference:

Quote:$ ./hashcat -z -m 6211 hashcat_ripemd160_aes.tc -a 3 -1 ?l?d$! ?1?1?1?1?1?1
...
Time.Started.....: xxx (1 hour, 5 mins)

So you can see here how the hashcat brain helps you to reduce the time for the second attack, from ~6 hours to ~1 hour.

---

Example 5: The resurrection of the random rules

---

Random rules and salts? No way! Take a look at this, it's horrible:

Quote:$ cat wordlist.txt
password
$ ./hashcat wordlist.txt --stdout -g 100000 | sort -u | wc -l
20473

What I'm trying to show here is how inefficient the random rules actually are (and always have been). They produce tons of duplicate work.

As you can see from the above example, only 20473 of 100000 tested passwords of the produced random candidates are unique - and the remaining 80% is just wasted time.

I cannot believe that I've never thought about this in detail, but now the hashcat brain brings this to an end:

Quote:./hashcat -z hashlist.txt wordlist.txt -g 100000
...
Rejected.........: 82093/100000 (82.09%)

This alone gives -g a new role in password cracking. If you've ever attended a password cracking contest, you know how important it is to find the patterns that were used to generate the password candidates. Because finding new patterns using the combination of random-rules and debug-rules is a very efficient way to find new attack vectors.

For example, Team Hashcat managed to crack 188k/300k of the SSHA hashlist from the 2018 CMIYC contest - a strong showing. But with random rules, there's a really good chance that you'll discover what you missed. Here's an example of an attack I ran for only few minutes while writing this document:

Quote:$ ./hashcat -z -m 111 c0_111.list.txt wordlist.txt -g 100000 --debug-mode 4
...
INFO: Removed 188292 hashes found in potfile.
...
time:Z4 R3:tim2eeee
sexual:Y3 Z5 O35exllllll
poodle:Y2 T3 sBh:pooDlele
pass123:C z5:ppppppASS123
pool:y4 Z2 Y1:poolpoollll
profit:o8F ^_:_profit
smashing:Z3mashingggg

These are real passwords that Team Hashcat didn't crack during the contest. What matters here is that you can see hints for possible patterns - which counts much more than just cracking a single password. And if you run the exact same command again, hashcat will generate different rules and you get more cracks, and discover more new patterns. You can do this again and again. We call this technique "raking".

Note: It can occur that a pattern discovered from random rules matches an already known pattern. In such a case, it's a strong sign that this pattern may have been searched already, but has not yet been searched exhaustively. Perhaps a previous attack was stopped too early. But with the hashcat brain, that's no longer important - we can just apply the pattern without any worry about creating double work.

---

The costs of hashcat brain

---

It should now be clear now what the potential is here. There are many other examples where this feature really kicks in, but I'm sure you already have your own ideas.

Of course, the hashcat brain does not come for free - there are limitations. It's important to know some key numbers to decide when to use it (and when not to).

Each password candidate creates a hash of 8 bytes that has to be transferred, looked up and stored in the hashcat brain. This brings us to the first question: What kind of hardware do you need? Fortunately, this is pretty easy to calculate. If you have a server with 64 GB of physical memory, then you can store 8,000,000,000 candidates. I guess that's the typical size of every serious password cracker's wordlist; if you have more, you typically have too much trash in your wordlists. If you have less, then you just haven't been collecting them long enough.

So let's assume a candidate list size of 8,000,000,000. That doesn't sound like too much - especially if you want to work with rules and masks. It should be clear that using the hashcat brain against a raw MD5 is not very efficient. But now things become interesting, because of some unexpected effects that kick in.

Imagine you have a salted MD5 list, let's say VBULL which is a fast hash (not a slow hash) - and you have many of them. In thise case, each of the salts starts to work for us.

Yes, you read that right - the more salts, the better!!

Let's continue with our calculation and our 8,000,000,000 password example. The speed of a typical VBULL on a Vega64 is 2170.6 MH/s. If we have 300,000 salts, the speed drops to 7235 H/s. Now to feed the hashcat brain at a rate of 7235 H/s, it will take you 1,105,736 seconds (or 12 days). That means you can run the hashcat brain for 12 days. It's an OK time I think, though I don't let many attacks run for such a long time. Also, this is an inexpensive server with 64GB physical RAM, and you could simply add more RAM, right? At this point we should also consider using swap memory. I think there's actually room for that - but I leave testing this to our users.

Lookup times are pretty good. The hashcat brain uses two binary trees, which means that the more hashes that are added, the more efficient it becomes. Of course, the lookup times will increase drastically in the first moments, but will stabilize at some point. Note that we typically do not compare just one entry vs. million of entries - we compare hundreds of thousands of entries vs. millions of entries.

---

Technical details on the hashcat brain server

---

• The hashcat brain server saves the long-term memory to disc every 5 minutes automatically
  
• The server also saves the long-term memory if the hashcat brain server is killed using Ctrl-C
  
• There's no mitigation against database poisoning - this would cost too many resources
  
• There's currently no mitigation against an evil client requesting the server to allocate too much memory
  
• Make sure your hashcat brain server is protected with a good password, because you have to trust your clients
  
• I'll add a standalone hashcat brain seeding tool later which enables you to easily push all the words from an entire wordlist or a mask very fast. At this time you can use the --hashcat-session option to do so with hashcat itself
  
• You can use --brain-server-whitelist in order to force the clients to use a specific hashlist
  
• The protocol used is pretty simple and does not contain hashcat specific information, which should make it possible for other cracking tools to utilize the server, too
  

---

Technical details on the hashcat brain client

---

• The client calculates the hashcat brain session based on the hashlist entries, to efficiently let a high number of salts work for us. You can override the session calculated with --brain-session, which makes sense if you want to use a fast hash in order to "seed" the hashcat brain with already-tried wordlists or masks.
  
• The use of --remove is forbidden, but this should not really be a problem, since the potfile will do the same for you. Make sure to remove --potfile-disable in case you use it.
  
• If multiple clients use the same attack on the same hashcat brain (which is a clever idea), you end up with a distributed solution - without the need of an overlay for keyspace distribution. This is not the intended use of the hashcat brain and should not be used as it. I'll explain later.
  
• Since each password candidate is creating a hash of 8 bytes, some serious network upstream traffic can be generated from your client. I'll explain later.
  
• The use of xxHash as hash is not required; we can exchange it with whatever hash we want. However so far it's doing a great job.
  

The status view was updated to give you some real-time statistics about the network usage:

Quote:Speed.#1.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#3.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#4.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
...
Brain.Link.#1....: RX: 0 B (0.00 Mbps), TX: 4.1 MB (1.22 Mbps), sending
Brain.Link.#2....: RX: 0 B (0.00 Mbps), TX: 4.7 MB (1.09 Mbps), sending
Brain.Link.#3....: RX: 0 B (0.00 Mbps), TX: 3.5 MB (0.88 Mbps), sending
Brain.Link.#4....: RX: 0 B (0.00 Mbps), TX: 4.1 MB (0.69 Mbps), sending

When the data is transferred, there's no cracking. You can see it's doing 0 H/s. But if you have a slow hash, or a fast hash with multiple salts, this time can be seen as minor overhead. The major time taken is still in the cracking phase. So if you have a fast hash, the more salts the better! As soon as hashcat is done with the network communication, it's starting to work as always:

Quote:Speed.#1.........:   869.1 MH/s (1.36ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#2.........:   870.8 MH/s (1.36ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#3.........:   876.2 MH/s (1.36ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Speed.#4.........:   872.6 MH/s (1.36ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
...
Brain.Link.#1....: RX: 1.3 MB (0.00 Mbps), TX: 10.5 MB (0.00 Mbps), idle
Brain.Link.#2....: RX: 1.3 MB (0.00 Mbps), TX: 10.5 MB (0.00 Mbps), idle
Brain.Link.#3....: RX: 1.3 MB (0.00 Mbps), TX: 10.5 MB (0.00 Mbps), idle
Brain.Link.#4....: RX: 1.3 MB (0.00 Mbps), TX: 10.5 MB (0.00 Mbps), idle

---

The brain and the bottlenecks

---

While working with Team Hashcat to test how the brain performs with large numbers of clients and over the Internet, I learned about some serious bottlenecks.

The most important insight was about the performance of lookups against the brain. That should be obvious solely from the huge amount of data that we're talking about here, but the brain does not just have to look up millions of candidates against millions of existing database entries - it must also insert them into the database after each commit and ensure the ordering stays intact otherwise it would break the binary tree. This simply takes time, even if the lookup process was already threaded. But the feature was so promising that I did not want to abandon development just because of the performance challenge.

But to start from the beginning, keep the following number in mind: 50kH/s

This was the speed that was the maximum performance of the hashcat brain after the first development alpha was finished. In other words, if the performance of your attack was faster than this speed, the hashcat brain becomes the bottleneck. Now there's good and bad news about this:

Bad: This is the total number. Which means, the entire network of all GPUs participating as clients cannot create more than 50kH/s before the bottleneck effect kicks in.

Good: Salts come to the rescue. If you have a large salted hashlist - with, for example 300,000 SSHA1 hashes (as in the last Crack Me If You Can) - this means that the real maximum performance that the brain can handle jumps to 15 GH/s. (You can simply multiply the 50kH/s with the number of unique salts of your hashlist.)

Then there's another bottleneck: the network bandwidth required. For those of you who plan to use the brain inside a local network with 100Mbit, you can skip this section entirely. But for those who plan to use the brain in a large group, over VPN or in general over the Internet, keep in mind that a single GPU can create around 5Mbit/s of upstream before bandwidth becomes a bottleneck. That doesn't mean that a hashcat client will stop working - it will just reduce your theoretical maximum cracking performance.

Both of these lessons learned lead to an upgrade to the brain during development. (This means that everything that you've read up to this point is already outdated!) The bottlenecks still exist, but there's kind of a mitigation to them. To better understand what we mean when talking about how to mitigate the problem, we need new terminology in the hashcat brain universe - something we'll call brain client "features".

When running as a client, hashcat now has a new parameter called --brain-client-features. With this parameter, you can select from two features (so far) that the client has to offer:

• Brain "Hashes" feature
  
• Brain "Attacks" feature
  

The brain "hashes" feature is everything that we've explained from the beginning - the *low-level* function of the brain. The brain "attacks" feature is the *high-level* strategy which I added to mitigate the bottlenecks. By default, both "features" are active, and run in parallel. Depending on your use case, you can selectively enable or disable either one.

The brain "attack" feature should be explained in more detail in order to understand what it is doing. It is a high-level approach, or a compressed hint. Hashcat clients request this "hint" from the brain about a given attack as soon as the client is assigned a new work package from the local hashcat dispatcher. For example, if you have a system with 4 GPUs, the local hashcat dispatcher is responsible for distributing the workload across the local GPUs. What's new is that before a GPU starts actually working on the package, it asks the brain for a high level confirmation of whether or not to proceed. The process of how this work is basically the same as with the low-level architecture: the client "reserves" a package when the hashcat brain moves it to short-term memory - and once it is done, it will be moved to long-term memory.

The attack package itself is another 8-byte checksum - but that's more than enough to assign all feasible combinations of attacks a unique identifier. For example, hashcat takes options like the attack mode itself, rules with -r (but also -j and -k rules), masks, user-defined custom charset, Markov options, a checksum of the wordlists (if used) and so on. All of these options are combined in a repeatable way, and from that unique combination of options, a checksum is created that uniquely "fingerprints" all of the components of the attack.

When the clients connect to the hashcat brain, they send this attack checksum (along with the session ID) to the brain, so that the brain knows precisely which attack is running on a particular hashcat client. Now, if the local dispatcher creates a new package, the local start point and end point of this attack is sent to the brain so that the brain can track it. The client will automatically reject an entire package - for example, an entire wordlist, or an entire wordlist plus a specific list of rules - if the attack has some overlaps. This is done *before* the client sends any password candidate hashes to the brain. This means that if a package is rejected:

• The client doesn't need to transfer the hashes (which mitigates the bandwidth bottleneck)
  
• The brain server doesn't need to compare it (which mitigates the lookup bottleneck)
  

If the attack package itself is not rejected, the hashes are still sent to the brain and compared.

The hashcat brain is kind of clever when it comes to the packages. It recognizes overlapping packages on a low level - in cases where only part of one package overlaps with another package. When this occurs, the brain only rejects the overlapping section of the package and informs the client about that. It is then up to the client to decide whether it wants to either launch the attack with a minimized package size, or to ask the local dispatcher for another (smaller) portion to fill the gap. Of course, this newly creates portion is also first sent to the brain, in case it can be rejected. The entire process is packed into a loop and it will repeat the process until the client decides that the package is big enough (and the default setting for accepting a package and to start executing is half of the original package size.)

Something I realized - after I had already finished with the implementation of the high-level feature - was that the new brain "attack" feature is a very strong feature for standalone use. By setting --brain-client-features 2, you tell the client to only use the attack feature. This completely eliminates all bottlenecks - the network bandwidth, but even more importantly, the lookup bottleneck. The drawback is that you lose cross-attack functionality.

If you think that this new feature is a nice way to get a native hashcat multi-system distribution ... you are wrong. The brain client still requires running in -S mode, which means that this is all about slow hashes or fast hashes with many salts. There's also no wordlist distribution, and most importantly, there's no distribution of cracked hashes across all network clients. So the brain "attack" feature is not meant to be an alternative to existing distribution solutions, but just as a mitigation for the bottlenecks (and it works exactly as such).

---

Commandline Options

---

Most of the commands are self-explaining. I'm just adding them here to inform you which ones exist:

• Add new option --brain-server to start a hashcat brain server
  
• Add new option --brain-client to start a hashcat brain client, automatically activates --slow-candidates
  
• Add new option --brain-host and --brain-port to specify ip and port of brain server, both listening and connecting
  
• Add new option --brain-session to override automatically calculated brain session ID
  
• Add new option --brain-session-whitelist to allow only explicit written session ID on brain server
  
• Add new option --brain-password to specify the brain server authentication password
  
• Add new option --brain-client-features which allows enable and disable certain features of the hashcat brain
  

---

Final words

---

The hashcat brain development is now in its second month, and from what I've seen so far, it works well enough to release it. In all that time, I've also improved the maximum performance of the low-level hash lookup from 50kH/s to roughly 650kH/s (depending on which type of hardware the brain server is running on).

Of course, it's possible that there are some bugs that I did not detect while developing this monster, and it's simply too much code to verify all of the different possible behavior in different situations. Please let me know if you find any strange behavior, and I'll try to fix is as quickly as possible.

This feature, in my opinion, will significantly alter the workflow of someone who is doing serious cracking on a daily basis. It's not just the time saving effect - it's mostly the confidence in your own work. This confidence is fed by two factors: first, that you know the brain will rule out duplicated work (when you simply didn't have enough time to track all of the details when running different attacks), and second, that you get immediate visible feedback when your attacks overlap and you're duplicating work. When you see that a given attack is producing a 20% or higher reject rate, it will give you a better understanding of what type of work is actually being performed by your hardware. This gives you deeper insight, and the chance to update and improve your own attack strategies at a high level.

-- atom

PS: If you build from sources, do not forget to run "git submodule update --init" to get the xxHash headers