Channel: hashcat Forum - All Forums

oclHashcat running with

Hi guys,

I'm looking for a version of Hashcat which is able to be executed on an nVidia GPU with driver version 312.69, because Lenovo modifies the nVidia drivers and until today there's no newer version of this driver available for my system.
oclHashcat 1.33: "NV users require ForceWare 346.x or later". :-(
I already tried to find information on the internet, but without success.

Thx, KDAS

[oclHashcat-1.33] clCreateBuffer() -61 Error

Hello Everyone,

I've encountered a problem while updating to oclHashcat-1.33. At first the error "clCreateBuffer() -61" showed up every time I tried to start cracking on some hashes (tried it with the oclExample0.sh). After some Googling I stumbled across the command

Code:
export GPU_MAX_HEAP_SIZE=90

Now I am able to run Hashcat fine, except when I am trying to use the tuned performance profile.

The following job runs fine

Code:
./oclHashcat64.bin -a 0 -m 2711 -w 2 -o ../outfiles/hashes_out.txt --username --remove ../crackme/hashes_w_u.txt ../wordlist/rockyou.txt --status

But when I try to increase the performance profile to 3, I get the above-mentioned error

Code:
./oclHashcat64.bin -a 0 -m 2711 -w 3 -o ../outfiles/hashes_out.txt --username --remove ../crackme/hashes_w_u.txt ../wordlist/rockyou.txt --status

Hashes: 4818 hashes; 4818 unique digests, 4818 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Early-Skip
* Not-Iterated
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4098/m02710_a0.Cypress_1573.4_1573.4.kernel (1053060 bytes)


ERROR: clCreateBuffer() -61

I don't know if it's worth mentioning but I have an old HD5850 that I use to toy around with oclHashcat :)

As always thanks in advance for any help or suggestions :)

Piping Maskprocessor in oclHashcat

Hi folks,

I just wanna make sure, that my pipe command is correct:

mp64 -q 3 -r 6 z?l?l?l?l?l?l?l?l | cudaHashcat64 -m 5800 -n 8 hash:salt

I didn't post the --status and --output commands. I just want to make sure that the following words are tested against the hash:

lower case, 9 cases, not more than 3 case in a row, not more than 5 case in a word.

I'm using a windows machine with an nvidia graphics.

Explaining the PostgreSQL pass-the-hash vulnerability

While we were working on the hashcat trac ticket #490 Support for postgres challenge-response authentication we instantly realized that this scheme is vulnerable to a pass-the-hash attack (PTH).

As all infosec people know, finding an unknown exploitable vulnerability is something that hooks us pretty hard. So we started to investigate that vulnerability instead of continuing to code the oclHashcat kernel. First, we tried to use the search engines to see if this problem is already publicly known. To our surprise, there were no interesting results (at the time we tried) for PostgreSQL in combination with pass-the-hash.

After that we tried to write a proof of concept (POC) to make sure our finding is real, using the latest available PostgreSQL database version from their GIT repository. That indeed worked so we decided to write a comprehensive write-up of our finding and sent it to the PostgreSQL security team and hence we handled this problem using a responsible disclosure.

The PostgreSQL security team's response was fast. The response was (in short) that the vulnerability is known and they linked us to a public mailing list. It took us a little bit to go through all the different posts and we finally did find an interesting post that seems to be the only post that somehow refers to the PTH protocol design weakness. To our surprise, no one commented on this, in our opinion, very important note about this critical protocol design weakness. The response to our private email to the security team also said that there is no reason to keep this disclosure private and that we can go ahead and publicly discuss/announce it.

Attached to this forum post is a link to our comprehensive write-up, a link to our proof of concept patch and, included in our write-up, a proposal for a fix in pseudocode form. As we are no professionals when it comes to handling such weaknesses we hoped that the postgres security team would take the lead in handling the issue and for example open up a CVE or start implementing a fix, but this did not happen.

We know that many hashcat users work professionally as pentesters or do have very good pentesting skills, hence we are pretty sure that you will "like" this pass-the-hash weakness and have some opinions to share how critical such things are.

For those of you who do not deal with PTH on a daily basis, PTH is simply a technique that allows an attacker to gain access to a system that is protected with a password but without knowing the password. So instead of cracking the hash you can use the hash itself for authentication. Simply put, (using this protocol) you do not need to know the password to log in to a PostgreSQL server even if it is "password-protected".

Finally, please note that this vulnerability is still present in all known PostgreSQL database versions.

Here are the links:
--
atom
philsmd
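
Why the stored hash is enough, shown as an added example that is not part of the original post, the authors' write-up or their proof of concept. It assumes the scheme under discussion is PostgreSQL's documented `md5` authentication method; the role names, password and salt are constructed.

```python
import hashlib
import hmac
import re

def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_verifier(password: str, username: str) -> str:
    """Value the server stores for a role: 'md5' + md5(password || username)."""
    return "md5" + _md5_hex(password.encode() + username.encode())

def client_response(password: str, username: str, salt: bytes) -> str:
    """What a client that knows the password sends for the server's 4-byte salt."""
    inner = _md5_hex(password.encode() + username.encode())
    return "md5" + _md5_hex(inner.encode() + salt)

def expected_response(verifier: str, salt: bytes) -> str:
    """What the server compares against. Inputs: stored value and salt only."""
    return "md5" + _md5_hex(verifier[3:].encode() + salt)

def server_accepts(verifier: str, salt: bytes, response: str) -> bool:
    return hmac.compare_digest(expected_response(verifier, salt), response)

MD5_VERIFIER = re.compile(r"^md5[0-9a-f]{32}$")

def password_equivalent_roles(rows):
    """Audit helper: role names whose stored value is an md5 verifier.

    rows is an iterable of (rolname, rolpassword) pairs, e.g. exported from
    pg_authid by an administrator. Each flagged value has to be protected
    like the password itself (backups, dumps, replication, superuser access).
    """
    return [name for name, value in rows if value and MD5_VERIFIER.match(value)]

# Constructed sample data, not taken from any real system.
SALT = bytes.fromhex("0a1b2c3d")
ROWS = [
    ("alice", stored_verifier("constructed-pw", "alice")),
    ("bob", None),                          # role without a password
    ("carol", "constructed-non-md5-value"),
]

if __name__ == "__main__":
    verifier = ROWS[0][1]
    resp = client_response("constructed-pw", "alice", SALT)
    # The password never enters the server-side check: only the verifier does.
    print("server accepts:", server_accepts(verifier, SALT, resp))
    print("same value from verifier alone:", expected_response(verifier, SALT) == resp)
    print("roles to treat as password-equivalent:", password_equivalent_roles(ROWS))
```

Because `expected_response` takes only the stored value and the salt, a leaked `rolpassword` column needs the same handling as leaked plaintext passwords.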

Problem with DCC Hash

Hi, I'm Necos and I'm new to this stuff; by the way, I'm from Argentina.

Well, my problem is with the format of the Domain Cached Credential hash. I used 'creddump7' to extract the hash of the account, and this is what I got: jhon.may:d2578hcf7990099a1e1c523041c6687e:ar:ar.contoso.com

Obviously, this is not the real hash; it is only an example of the hash that I've got.

I'm using HashCat v0.49 and this command line:

hashcat-cli64.exe -m 1100 -a 3 -n 2 -1=?l?u?s?d --pw-min=6 --pw-max=8 hash.txt ?u?l?l?s?d?d?d?d -o crackedhash.txt

Result:
Skipping line: jhon.may:d2578hcf7990099a1e1c523041c6687e:ar:ar.contoso.com (separator unmatched)
No hashes loaded

So I've tried with this hash:

d2578hcf7990099a1e1c523041c6687e:ar:ar.contoso.com

Result:
1 salts contain separator-char ':'
Added hashes from file hash.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen


Input.Mode: Mask (?u?l?l?s?d?d) [6]
Index.....: 0/1 (segment), 58000800 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 6.84M plains, 6.84M words
Progress..: 58000800/58000800 (100.00%)
Running...: 00:00:00:09
Estimated.: --:--:--:--

After a while, I have nothing.

The Example Hashes page shows this for the DCC hashes:

1100 Domain Cached Credentials, mscash 4dd8965d1d476fa0d026722989a6b772:3060147285011

But it's not like mine so... what am I doing wrong?


Thanks in advance

QBW Encoding, Hash Extraction

Apologies if this isn't a good place for the question... Close if necessary.

In my organization I frequently need to crack passwords on Quickbooks QBW files. It is simple enough to strip the passwords from the files with other tools, but this isn't ideal for us for a few reasons. Some weaker passwords can be cracked with other tools, but I'd prefer to attack the raw hash if feasible for the more difficult passwords.

Through some research and testing I've been able to determine that the QBW files use a SQLAnywhere structure for the security and passwords are stored using SHA1 salted with the user name. The problem I'm finding is that all of this data looks to be encoded in such a way as to hide the 'plain text' hash and user name - a search of the raw file content (in Hexedit, big and/or little endian, unicode, etc) doesn't 'hit' on a known user name, hash, or known transactional item. I've tried accessing directly through SQLAW but can't establish a connection to the database (I'm assuming due to the encoding.) I haven't yet tried the quickbooks SDK and don't really want to go there if I don't have to.

So the fundamental question is whether anyone here knows the method that Intuit uses to encode the content of the file, and/or how to locate/view/access the Security table(s) so I can access the raw hashes.

Thanks for any thoughts.

-a guy name Lou

(Edit: Brain cramp - typed MySQL, is actually SQLAnywhere)

oclHashcat problem with starting in Kali linux

I'm going very mad, this thing is driving me crazy.
I have Kali Linux, latest version, installed drivers for my ATI 5870 graphics card, captured a cap file, converted it to hccap, have a wordlist, but I don't know how to start f**king oclHashcat!

I can normally start hashcat and it works, but it seems that oclHashcat is not built into Kali Linux by default, so I downloaded oclHashcat for AMD v1.33 and I can't start it.

Is there someone who can explain step by step what to do to start oclHashcat in Kali Linux?

Thanks a lot.

difference between login passwords and file passwords

Now that the hashcats can work on file passwords, at the users requests, a question would be if anyone has studied the difference between login passwords and file passwords.

E.g., someone other than the user dictates the rules about what constitutes a valid login password, while the user gets to choose whatever document or archive password they want.

So login passwords are going to have a pattern influenced by constraints that don't apply to file passwords, so they are liable to have different characteristics.

Has this been studied or discussed anywhere?

And would it have any effect on choosing the types of attacks used?

Two hashes one result - why?

I got two hashes

hash number 1:

Code:
$ml$26246$87487bb03941a7d1e702cc54ee81e7f61e5e46f554b47677279a59185baaba5f$4b98b​b3ebefd1c7195aa991916b7d7e683e992fd9a9d1355533456d62bad58c1ccc0380351252b5215a3b​064dd9fa00513566db80a297858473828882305b8ce


hash number 2:

Code:
$ml$26246$87487bb03941a7d1e702cc54ee81e7f61e5e46f554b47677279a59185baaba5f$4b98b​b3ebefd1c7195aa991916b7d7e683e992fd9a9d1355533456d62bad58c1ccc0380351252b5215a3b​064dd9fa00513566db80a297858473828882305b8ce0437f57d7b9da19fe19d2384d7221d7e8264a​6f035562ab1937b57948856eff531f60777ee5f71aa3507cc5b71caee7cf39b914623230e7f84440​1cb29f6df84

Both produce the same password. How is it possible?

Help Running Hashcat For My Specifications

Hi,

I have a hash I would like to crack, but am not sure what to put in the console. I looked through the wiki, but still haven't completely figured it out.

I want to basically bruteforce the hash, with these conditions:
  • each letter with charset '?l?u?`~!@ #$%^&' (In other words, all capital letters, lowercase letters, and some other characters)
  • I also know that the password is 3-6 characters long.



This is what I put in command prompt:

cudaHashcat64 -m 7100 hash.txt -1 '?l?u?`~!@ #$%^&*)(' -i -a 5

Could someone tell me what the correct syntax would be for what I want? I'm guessing I should do a mask attack, but that doesn't seem to be an option in oclHashcat.

Cannot access wifi with cracked pass

Hi,

I have captured a WPA handshake from a nearby AP, and run it through oclhashcat to obtain the passphrase, however I'm unable to connect to it. I'm assuming I'm near enough as I was near enough to capture the handshake originally, and airodump-ng is giving a power level of around -60dBm. Adaptor is a Ralink 2870.
Every time I try to authenticate, it just comes back with the password prompt again after a few seconds. Silly question, but am I using the correct part of the hashcat ppt file as the password? I have something like ssid:bssid:???:password.

Any ideas? I'm sure the password hasn't been changed in the short time between me getting the handshake and cracking it, although I haven't recaptured yet.

Thanks.

Help understanding toggles and rules WPA

I have been playing around with my own network for learning, if I set the WiFi password for keepoff1 (not very strong) it takes no time with a base dictionary. If I change the password to K3#p)ff1, how would I use the rules with oclhashcat to take a regular dictionary and adjust it?

thanks in advance.

Windows and Linux hashcat scripts for WPA b-f

The attachment contains 2 scripts for analysing WPA/WPA2 *.hccap files on Linux and Windows platforms.

Each takes the *.hccap from the keys directory (or keys/input_files for the Windows script) and analyses:
- analyse small wordlist file first
- analyse big wordlist file second
- analyse custom wordlist file third
- 8 full digit bruteforce
- 9 full digit bruteforce
- 10 full digit bruteforce
- restore operation if scripts will be terminated

Please double check that all necessary folders are created and all wordlists are in place.

I hope it will be useful for you.

.zip  scripts.zip (Size: 1.75 KB / Downloads: 4)

remove un-needed kernels.

Hello. I'm looking to get cudaHashcat going on a couple of machines. I have a very small amount of hard disk space available on each machine, and I need to get the cudaHashcat install to fit the same size as oclHashcat does, or thereabouts.

It occurs to me, that I might be able to remove un-needed kernels from my deployment, as each machine has identical cards in them and are running identical operating systems.

Is there a lookup table I can use to determine which kernel is actually required for my setup? I'm not sure what factors come into play when the determination is made. If I had one of the machines with enough space to get the whole thing on, I imagine I could probably examine a ptrace to figure out what kernel file was being loaded, but that isn't an option for me.

If anyone has any direction on the matter (or knows off hand what kernel is required if you're using a:
VGA compatible controller: NVIDIA Corporation GK106 [GeForce GTX 645 OEM] (rev a1) ) please let me know. Thank you

Laptop choices

Hi everyone!

I'm thinking of these laptop options... as cheap ones but with amd graphics... what would you say?

Of course hashcat performance is of interest, but the first two are really low in price, and I cannot figure out HOW MUCH difference in performance there will be, because I obviously prefer to spend as little as possible to save for beer, although not the super better ultra megahashes.


1) RADEON R5:
http://www.bestbuy.com/site/toshiba-sate...Id=8790174

2) RADEON R4:
http://www.bestbuy.com/site/lenovo-15-6-...Id=1576208

3) RADEON R5:
http://www.bestbuy.com/site/dell-inspiro...Id=9463444

4) AMD Radeon HD 8650G:
http://www.bestbuy.com/site/hp-envy-touc...Id=5342009

5) RADEON R7:
http://www.bestbuy.com/site/hp-envy-touc...Id=8825037

6) RADEON R6:
http://www.bestbuy.com/site/dell-inspiro...Id=9463453

Thanks!!

How to deal with small wordlists

With oclHashcat v1.32 we added the AMP kernel that computes the password candidates on the GPU. That had one advantage and one disadvantage.

The advantage was that you can now get full cracking speed even for the faster ones of the slow hashes like md5crypt because there's no bottleneck on the candidate generator engine.

The disadvantage is that the candidates are now generated in parallel, because they are generated on the GPU. When you amplify your input wordlist with your rules, for example, they are now copied raw over the bus and mangled on the GPU, in parallel. But if you have only a wordlist with a few words, like 1000, and you have 20000 shaders on your GPU, you can only make use of 1000 of your parallelism power. The good thing about this is that you can work around this behavior and let 1.33 work like 1.31. I'll show you how to do this.


I'll now show how speeds change on my old but still working hd5770 cracking WPA:

Benchmark results:

Quote:
root@sf:~/oclHashcat-1.34# ./oclHashcat64.bin -b -m 2500 -d 2
oclHashcat v1.34 starting in benchmark-mode...

...

Speed.GPU.#1.: 56509 H/s

Benchmark is basically the same as brute-force with -w 3:

Quote:
root@sf:~/oclHashcat-1.34# ./oclHashcat64.bin -a 3 -m 2500 -d 2 -w 3 hashcat.hccap ?a?a?a?a?a?a?a?a
oclHashcat v1.34 starting...

...

Speed.GPU.#1...: 56431 H/s

And even with a wordlist you can achieve this speed; it just needs to be big enough and have a little amplifier:

Quote:
root@sf:~/oclHashcat-1.34# ./oclHashcat64.bin -a 0 -m 2500 -d 2 -w 3 hashcat.hccap /root/dict/untouched/rockyou.txt -r rules/best64.rule
oclHashcat v1.34 starting...

...

Speed.GPU.#1...: 56384 H/s

The problem that you might have seen since is when you have a too small wordlist:

Quote:
root@sf:~/oclHashcat-1.34# ./oclHashcat64.bin -a 0 -m 2500 -d 2 -w 3 hashcat.hccap rockyou1k.txt -r rules/best64.rule
oclHashcat v1.34 starting...

Speed.GPU.#1...: 11024 H/s

But you can work around this simply by using a pipe (also on Windows). The following example uses the same input:

Quote:
root@sf:~/oclHashcat-1.34# ./hashcat-cliAVX2.bin rockyou1k.txt -r rules/best64.rule --stdout | ./oclHashcat64.bin -a 0 -m 2500 -d 2 -w 3 hashcat.hccap
oclHashcat v1.34 starting...

...

Starting attack in stdin mode...

Speed.GPU.#1...: 56720 H/s

Voilà, we're back in business! Just to finish this: with v1.32+ we can choose ourselves whether we want "vertical" or "horizontal" parallelism. That's why it is how it is.

v1.33 is much slower than v1.21, can anyone test it

With my hashlist :
Speed of v1.31/1.32/1.33 :2400 MH/s
Speed of v1.21 :7000 Mh/s

I said it in my last post, but nobody believed me.
So I sent the example hashlist and command to atom, but he refused to test it.

Can anyone test it ?

My example hashlist and command link is: http://www.jinniu.in/test.zip

My last post is : http://hashcat.net/forum/thread-3744.html


Quote:atom Online
Re: v1.33 is slower than v1.21,please test this with my hashlist
To: smile
smile Wrote:
atom Wrote:
smile Wrote:I wrote a thread that on http://hashcat.net/forum/thread-3744.html . and I found that v1.33 is still much slower than v1.21 .

I sent the hashlist to you, please test this on your computer?

The hashlist link is http://www.jinniu.in/test.zip

you did not use -w 3

It is still the same when I use -w 3
Speed of v1.33 :2400 MH/s
Speed of v1.21 :7000 Mh/s (290x on windows 2008 r2)
Have you tested it with my hashlist file yourself?

I don't like being PM't with questions like that. That's a very selfish move. If you think there's a problem please post on the forum or trac

Pyrit export wordlist & oclhashcat

Alright, this might seem like a dumb question but hey, I'm gonna ask before I do all that work lol

Can I export passwords with pyrit's export_password command and be able to use it with hashcat, or does pyrit butcher the wordlists?

If I'm correct, doesn't it append a newline char at the end of every line? Would that mess with hashcat?

thx in advance

Traditional DES supported ???

hi,

I am new here; for the last few days I have been playing around with cudahashcat 1.33.

I am still struggling to use DES but can't figure out the correct syntax to launch a mask attack for a known DES pair.

for example i have DES pair in HEX as:

KEY: 5A5A57676A57666F << known but i want to recover it for testing
CRYPT: 974AFFBF86022D1F
PLAIN: 675A69675E5A6B5A


i want to try a small key space example:
key space range from 5A5A576600000000 To 5A5A576800000000

Now I don't know how to feed my crypt and plain text along with the keyspace :( I searched again and again but can't find any doc or wiki for such requirements ...

I have to select hash type 1500 for DES, but I am not sure about the other parameters that I should write in the command on the CLI :(

Do I need to convert my values into ASCII first?

OR hashcat doesn't support this at all ?

Regards

Apples Password Helper

Wondering if someone could help me, I'm desperate. I have an encrypted external hard drive with all of my pictures on it and I don't know what to do. I encrypted it using Apple's built-in encryption on a Mac. All I know is the password is 12 characters long and it was chosen under memorable with Apple's Password Helper. I'm pretty sure it uses PBKDF2.
Please help me. I beg you.