OCLHashcat: Multi GPU Password Cracking on Linux using Open CL

Recently some pretty major advances have come around in the world of GPU based hash cracking. Up untill now there was not much for Linux which would utilize multi GPUs to crack password hashs. This has been changed with the release of Oclhashcat. The release of oclhashcat signifies a signifigant jump in the speed on linux based GPU systems. There is also a cpu based version called hashcat but for this article I will be reviewing oclhashcat

One of the nice things about Opencl is that it works on Nvidia and ATI based systems. As I do not have any ATI cards I will be focusing on Nvidia based systems. The steps for ATI would be the same you would just have to install the stream drivers rather than the Nvidia drivers.  In order for opencl to work you are going to need the newest nvidia drivers.

You can check your driver version like this:

bash

  1. [root@tools ~]# cat /proc/driver/nvidia/version
  2. NVRM version: NVIDIA UNIX x86_64 Kernel Module  195.36.15  Fri Mar 12 00:29:13 PST 2010

You can download the Nvidia drivers for your system from here

Since the newest Nvidia drivers already include the opencl libraries there is nothing else to do, opencl should be working.

As I am writing this article version 2.0 of oclhashcat has just been released.

Some of the key features include:
* Free
* Multi-GPU
* Multi-Hash
* Linux & Windows native binaries
* Uses OpenCL
* Fastest multihash MD5 cracker on NVidia cards
* Fastest multihash MD5 cracker on ATI 5xxx cards
* Supports wordlists (not limited to Brute-Force / Mask-Attack)
* Can mix wordlists with Mask-Attack to emulate Hybrid-Attacks
* Runs very cautious, you can still watch movies while cracking
* Kernel workload can be configured while cracking
* Supports pause / resume
* Supports huge numbers of hashes (4 million and more)
* Able to work in a distributed environment
* Includes hashcats entire rule engine to modify wordlists on start
* … and much more

Supported algorithms include:
* MD5
* md5($pass.$salt)
* md5($salt.$pass)
* md5(md5($pass))
* md5(md5($pass).$salt)
* SHA1
* MySQL
* MySQL4.1/MySQL5
* MD4
* NTLM
* Domain Cached Credentials

The binaries can be downloaded from here . The source is currently not available and based on comments by the author he does not plan on making it so anytime soon. Although this is a pain its still a great tool.

My test box is going to be a server we have with 4 Nvidia 295gtx’s. Since a 295 is really 2 cards in one, our test box essentially has 8 video cards.

Lets have a look at the menu:

bash

  1. [root@tools oclHashcat-0.20]# ./oclHashcat64.bin --help
  2. ./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
  3. oclHashcat, advanced password recovery
  4.  
  5. Usage: ./oclHashcat64.bin [options] hashlist wordlist_left|mask_left wordlist_right|mask_right
  6.  
  7. Startup:
  8. -V,  --version             print version
  9. -h,  --help                print help
  10. --eula                print eula
  11.  
  12. Logging and Files:
  13. --restore             restore previous session
  14. --quiet               quiet mode
  15. -o,  --output-file=FILE    output-file for recovered hashes
  16. --output-format=NUM   0 = hash:pass
  17. 1 = hash:hex_pass
  18. 2 = hash:pass:hex_pass
  19. -e,  --salt-file=FILE      salts-file for unsalted hashlists
  20. -j,  --rule-left=RULE      rule applied to each word from left wordlist
  21. -k,  --rule-right=RULE     rule applied to each word from right wordlist
  22.  
  23. Resources:
  24. --restore-options=STR Skip words (left:right) per device. Seperate with comma
  25. -d,  --gpu-devicelist=STR  OCL devices to use. Seperate with comma
  26. -n,  --gpu-accel=NUM       workload tuning: 1=fast desktop, 80=fast crunching
  27. --gpu-loops=NUM       workload fine-tuning if -n is not precise enough
  28.  
  29. Buildin-Masks:
  30.  
  31. ?l = aeionrsdlctbmfuhkgpywjvzxq
  32. ?u = ASERMLNDCTBIPOHKGFUJYWVXZQ
  33. ?d = 1023985476
  34. ?s = .-!_@ *#$+/,&?%=);(^:"[\<'`]>|{}
  35.  
  36. Custom-Masks:
  37. -1,  --custom-mask1=CS     user-defineable masks
  38. -2,  --custom-mask2=CS     example:
  39. -3,  --custom-mask3=CS     --custom-mask3=?dabcdef
  40. -4,  --custom-mask4=CS     sets mask ?3 to 0123456789abcdef
  41.  
  42. Attacks:
  43. -m,  --hash-mode=NUM       number of hash-mode
  44. 0    = MD5
  45. 1    = md5($pass.$salt)
  46. 2    = md5($salt.$pass)
  47. 3    = md5(md5($pass))
  48. 5    = md5(md5($pass).$salt)
  49. 100  = SHA1
  50. 200  = MySQL
  51. 300  = MySQL4.1/MySQL5
  52. 900  = MD4
  53. 1000 = NTLM
  54. 1100 = Domain Cached Credentials
  55. 1500 = DES

As you can see there are quite a few options for hash cracking. For the sake of this article I will be cracking some md5 hashs from hashkiller.com.

The syntax for oclhascat is a little tricky at first but once you understand it it gets much easier. It works on a character set and a specific position for each character.

For example lets look at the built in charsets:

bash

  1. ?l = aeionrsdlctbmfuhkgpywjvzxq
  2. ?u = ASERMLNDCTBIPOHKGFUJYWVXZQ
  3. ?d = 1023985476
  4. ?s = .-!_@ *#$+/,&?%=);(^:"[\<'`]>|{}

So for example many people commonly use a name with a birthdate or some other date of significance after it, so I could define that like ?u?l?l?l?l ?d?d?d?d. While this looks very odd what I am saying is that I want to test 9 character passwords and that I am assuming the first letter is going to be a capitol, the next 4 letters will be lowercase a-z and that the last 4 characters are numbers meaning and dates like 1948 or 2012 will be covered. This targeted method of attack can be much faster that a normal brutefore. The only major limitation I have found so far in oclhashcat is the fact that you cannot give it a range of password lengths. This is not the end of the word because the tool can be easily scripted but its of feature that should be the authors priority to implement.

Ok so lets look at a real example:

bash

  1. [root@tools oclHashcat-0.20]# ./oclHashcat64.bin opencrack.txt example.dict ?d?d?d?d
  2. ./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
  3. oclHashcat v0.20 starting...
  4.  
  5. Digests: 5331 entries, 5331 unique
  6. Scanned: example.dict (129988)
  7. Maskprocessor: ?d?d?d?d (10000)
  8. Summary: 1299880000 combinations
  9. Platforms: 1
  10. Platform: NVIDIA Corporation, OpenCL 1.0 CUDA 3.0.1 (8 matched)
  11. Device #1: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  12. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  13. Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
  14. Device #2: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  15. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  16. Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
  17. Device #3: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  18. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  19. Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
  20. Device #4: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  21. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  22. Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
  23. Device #5: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  24. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  25. Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
  26. Device #6: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  27. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  28. Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
  29. Device #7: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  30. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  31. Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
  32. Device #8: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  33. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  34. Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
  35. WARNING: words in wordlist_left < 491520. Can't gain full performance
  36. c553b8fe622bed5e8ed62a94bc94d57d:babe1010
  37. acf5f893c0871f4d4b87decfcded01fd:06039000
  38. 3fb707242bb356b2d5782b6b1fa7a150:yen9961
  39. 6ee18d60785401df7af0bbc676789c76:sweetie2010
  40. 929f5c4d8343ded8241c2f36b5831484:mann5630
  41. 15a810a418b53f550bf6f5ffc0ac703e:katie1602
  42. 39d5dee99d8831bb979a6677c05e2aef:megan2822
  43. 989b3b7feef58ea4c340476f6ecc48b6:miba2102
  44. ef56087d70af5cc10b00622e08a56886:death9413
  45. 05032716992559f48cf71028ea8a36cb:temp4562
  46. b9d094a85dd539c4963fc8eba0ae5355:sasha1509
  47. ad95048b366bd4cc4047d1ef76a46706:730469
  48. 7e1b7f303931b88bc8faed0a42713d34:megan9569
  49. ff36cd6d2a64b22f2df912fa9b9c5981:20052605
  50. 839b2da837b9fa4f5e239a1b425f1474:Pop3434
  51. f7dddf41bbfd47e775a746f57af69eab:teri0814
  52. 9a1ff19330af5d3db35571910fdfb23d:1282244
  53. eb44015f12b1a1cd07f9bdb780f375bd:michele1156
  54. [s]tatus [p]ause [r]esume [h]elp [q]uit =>
  55. Threads...: 8
  56. Speed.GPU1:  327.9M/s (finished)
  57. Speed.GPU2:  327.9M/s (finished)
  58. Speed.GPU3:  326.3M/s (finished)
  59. Speed.GPU4:  319.9M/s (finished)
  60. Speed.GPU5:  329.1M/s (finished)
  61. Speed.GPU6:  328.3M/s (finished)
  62. Speed.GPU7:  330.2M/s (finished)
  63. Speed.GPU8:  327.9M/s (finished)
  64. Speed.GPU*: 2617.7M/s
  65. Recovered.: 18/5331 Digests, 0/1 Salts
  66. Progress..: 1299840000/1299880000 (100.00%)
  67. Running...: 9 secs
  68. Estimated.: 0 secs
  69.  
  70. Started: Sun Jun 20 09:29:33 2010
  71. Stopped: Sun Jun 20 09:29:43 2010

NOTE: If you are recieving the “./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)” error I am told that this is nothing to worry about and is simply a small bug in Linux.

In the example I just showed what we did was take our md5 list which I have named opencrack.txt and we ran it against the example dictionary which comes with oclhashcat. At the same time we told oclhash cat to add a bruteforce of 4 digits to the end of each word.

You can see here the number of combinations we are looking at: Summary: 1299880000 combinations

You can see here the combined speed of all your GPUs: Speed.GPU*: 2617.7M/s
(Since this attack only took nine seconds my gpus didn’t even have time to get fired up, they are about twice as fast as this normally.)

The next line shows us how many passwords were loaded and how many recovered: Recovered.: 18/5331 Digests, 0/1 Salts
As you can see we did recover 18 of the 5331 passwords with just this quick simple attack.

The next few lines give time summaries and a percentage of how far along the crack is.

Ok so lets look at some bruteforce options:

bash

  1. [root@tools oclHashcat-0.20]# ./oclHashcat64.bin opencrack.txt -n 80 -m 0 -1 ?l?u?d?s ?1?1?1 ?1?1?1
  2. ./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
  3. oclHashcat v0.20 starting...
  4.  
  5. Digests: 5331 entries, 5331 unique
  6. Maskprocessor: ?1?1?1 (830584)
  7. Maskprocessor: ?1?1?1 (830584)
  8. Summary: 689869781056 combinations
  9. Platforms: 1
  10. Platform: NVIDIA Corporation, OpenCL 1.0 CUDA 3.0.1 (8 matched)
  11. Device #1: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  12. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  13. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  14. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  15. Device #2: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  16. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  17. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  18. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  19. Device #3: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  20. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  21. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  22. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  23. Device #4: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  24. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  25. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  26. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  27. Device #5: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  28. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  29. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  30. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  31. Device #6: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  32. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  33. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  34. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  35. Device #7: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  36. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  37. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  38. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  39. Device #8: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
  40. Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
  41. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  42. Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
  43. WARNING: words in wordlist_left < 4915200. Can't gain full performance
  44. [s]tatus [p]ause [r]esume [h]elp [q]uit =>
  45. b18a5dd9691f569bfa14d67f921deeeb:Khzhid
  46. 8abe43e1c718e403846ebea7393daf05:teekel
  47. 742f40069bda6a1f547ae40ea6a9d452:mdkswc
  48. fa053ed88aad28bbe9cc7666a3b39f19:rs_l1b
  49. 2a4a5a32877506a37426829d71918f4b:gyvenk
  50. 6a182f3c48123a4af5657f75b25b96be:xlriop
  51. 0ab2c17e2bc85953e93f194debe2a032:qtyqty
  52. 42e604cfac34630dc0ff02bd1123b7c1:10@D3D
  53. 16bd51d25ed0c5797320e8c3afa90a22:zara<3
  54. ad95048b366bd4cc4047d1ef76a46706:730469
  55. 67b0b903b0bc55e52124a8a3fd5fa0e5:t31bh5
  56. 8713864611c063edd4f18e26dce4ea08:Darma6
  57. [s]tatus [p]ause [r]esume [h]elp [q]uit =>
  58. Threads...: 8
  59. Speed.GPU1:  500.1M/s (finished)
  60. Speed.GPU2:  500.8M/s (finished)
  61. Speed.GPU3:  501.0M/s (finished)
  62. Speed.GPU4:  501.1M/s (finished)
  63. Speed.GPU5:  500.6M/s (finished)
  64. Speed.GPU6:  500.8M/s (finished)
  65. Speed.GPU7:  501.1M/s (finished)
  66. Speed.GPU8:  501.1M/s (finished)
  67. Speed.GPU*: 4006.6M/s
  68. Recovered.: 12/5331 Digests, 0/1 Salts
  69. Progress..: 689869781056/689869781056 (100.00%)
  70. Running...: 3 mins, 4 secs
  71. Estimated.: 0 secs
  72.  
  73. Started: Sun Jun 20 09:51:46 2010
  74. Stopped: Sun Jun 20 09:54:50 2010

So in this attack we did a full bruteforce of a-z, A-Z, 0-9 and .-!_@ *#$+/,&?%=);(^:”[\<‘`]>|{}. This is defined by giving the -1 argument for built in masks and then using that one in each of the six positions.

-1 ?l?u?d?s   ?1?1?1 ?1 ?1?1

If we knew a few things about our password policy, for example that the first letter was always a capitol we could refine this attack a little like this -1 ?l?u?d?s ?u?1?1 ?1 ?1?1 and if we also knew that the last 2 places were always numbers we could -1 ?l?u?d?s ?u?1?1 ?1 ?d?d. These functions allow us to refine our attack to improve the time it takes to complete. On this particular system you can see that a full 6 character brute force only took 3 mins so for passwords of 6 chars and under I always do a full bruteforce. The same attack with 7 characters takes about 4 hours on my system so using some of the placement tricks can really speed things up.

At any point during the cracing proccess you can press “s” and get a status report:

bash

  1. [s]tatus [p]ause [r]esume [h]elp [q]uit =&gt; s
  2. Threads...: 8
  3. Speed.GPU1:  500.7M/s (running)
  4. Speed.GPU2:  500.8M/s (running)
  5. Speed.GPU3:  501.2M/s (running)
  6. Speed.GPU4:  501.2M/s (running)
  7. Speed.GPU5:  501.2M/s (running)
  8. Speed.GPU6:  501.2M/s (running)
  9. Speed.GPU7:  501.2M/s (running)
  10. Speed.GPU8:  501.1M/s (running)
  11. Speed.GPU*: 4008.5M/s
  12. Recovered.: 3/5331 Digests, 0/1 Salts
  13. Progress..: 84520227840/689869781056 (12.25%)
  14. Running...: 33 secs
  15. Estimated.: 2 mins, 31 secs

This report will tell you the speed of the GPU’s, number of passwords recovered and estimated time to finish.

The last thing I will show is the included batchcrack script. This script is included to make up for the fact that there in no way to define a range I assume. The script runs through about 20 different attacks. The cool thing about the script is the author made every thing in variables which are easily changed.

Open the script in your favorite editor and look at the first section:

bash

  1. OUTPUT_FILE=batchcrack.out
  2. DICT_FILE=example.dict
  3. HASH_MODE=0
  4. GPU_DEVICELIST=1,2
  5. GPU_ACCEL=80
  6. GPU_LOOPS=256

This is the default configuration. It needs to be edited to reflect the amount of GPU’s you would like to use so for me it would be GPU_DEVICELIST=1,2,3,4,5,6,7,8.

The hashmode is md5 by default but can be changed to any of the modes available:

0 = MD5
1 = md5($pass.$salt)
2 = md5($salt.$pass)
3 = md5(md5($pass))
5 = md5(md5($pass).$salt)
100 = SHA1
200 = MySQL
300 = MySQL4.1/MySQL5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials
1500 = DES

You can also change the gpu acceleration to any number between 1 and 80 where 1 is the nicest to your system and 80 is the fastest. This setting depends on if you are running a Xserver or are doing any other tasks on your computer. My box is dedicated to cracking so I use 80 for every thing.

Other options possible to change are the output file, the input dictionary and the number of GPU loops.

One other change I made to my script was to add a line to full bruteforce 7 chars. This will make the script take 4-5 hours to complete but I feel thats well worth it. I simply added the line to the bruteforce section of the script.

bash

  1. if [ $BRUTEFORCE -eq 1 ]
  2. then
  3.         $ECHO Running brute-force attacks
  4.  
  5.         run -1 ?l?d?u?s ?1       ?1
  6.         run -1 ?l?d?u?s ?1?1     ?1
  7.         run -1 ?l?d?u?s ?1?1     ?1?1
  8.         run -1 ?l?d?u?s ?1?1?1   ?1?1
  9.         run -1 ?l?d?u   ?1?1?1   ?1?1?1
  10.         run -1 ?l?d?s   ?1?1?1   ?1?1?1
  11.  
  12.         run ?d?d?d?d ?d?d?d
  13.         run ?d?d?d?d ?d?d?d?d
  14.         run ?d?d?d?d ?d?d?d?d?d
  15.         run ?d?d?d?d ?d?d?d?d?d?d
  16.  
  17.         run ?l?l?l?l ?l?l?l
  18.         run ?l?l?l?l ?l?l?l?l
  19.         run -1 ?l?d?u?s ?1?1?1?1     ?1?1?1
  20.         $ECHO &quot;&quot;
  21. fi

Ok so once our script is edited lets run it against our ist of md5’s:
(I did not include the 7 char bruteforce in this example)

bash

  1. [root@tools oclHashcat-0.20]# ./batchcrack.sh opencrack.txt
  2. Running mask attacks
  3. $ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d ... RT: 12 CR: 0 / 5331
  4. $ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d ... RT: 13 CR: 0 / 5331
  5. $ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d ... RT: 13 CR: 3 / 5331
  6. $ ./oclHashcat64.bin ... ?l?l?l?l ?d?d?d ... RT: 12 CR: 3 / 5331
  7. $ ./oclHashcat64.bin ... ?l?l?l?l ?l?d?d ... RT: 13 CR: 3 / 5331
  8. $ ./oclHashcat64.bin ... ?d?l?l?l ?l?l?d ... RT: 13 CR: 3 / 5331
  9. $ ./oclHashcat64.bin ... ?d?d?l?l ?l?l?l ... RT: 14 CR: 3 / 5331
  10. $ ./oclHashcat64.bin ... ?d?d?d?l ?l?l?l ... RT: 13 CR: 3 / 5331
  11. $ ./oclHashcat64.bin ... ?d?d?d?d ?l?l?l ... RT: 13 CR: 3 / 5331
  12. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?l?l ... RT: 13 CR: 3 / 5331
  13. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l ... RT: 12 CR: 3 / 5331
  14. $ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d?d ... RT: 13 CR: 3 / 5331
  15. $ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d?d ... RT: 13 CR: 10 / 5331
  16. $ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d?d ... RT: 13 CR: 14 / 5331
  17. $ ./oclHashcat64.bin ... ?l?l?l?l ?d?d?d?d ... RT: 14 CR: 27 / 5331
  18. $ ./oclHashcat64.bin ... ?d?d?l?l ?l?l?d?d ... RT: 14 CR: 27 / 5331
  19. $ ./oclHashcat64.bin ... ?d?d?d?d ?l?l?l?l ... RT: 19 CR: 27 / 5331
  20. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?l?l?l ... RT: 15 CR: 28 / 5331
  21. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l?l ... RT: 14 CR: 30 / 5331
  22. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?l ... RT: 13 CR: 30 / 5331
  23. $ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d?d?d ... RT: 14 CR: 31 / 5331
  24. $ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d?d?d ... RT: 16 CR: 33 / 5331
  25. $ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d?d?d ... RT: 17 CR: 36 / 5331
  26. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l?l?l ... RT: 39 CR: 36 / 5331
  27. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?l?l ... RT: 22 CR: 36 / 5331
  28. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?l ... RT: 17 CR: 36 / 5331
  29. $ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d ... RT: 13 CR: 36 / 5331
  30. $ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d ... RT: 12 CR: 36 / 5331
  31. $ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d ... RT: 13 CR: 37 / 5331
  32. $ ./oclHashcat64.bin ... ?u?l?l?l ?d?d?d ... RT: 13 CR: 37 / 5331
  33. $ ./oclHashcat64.bin ... ?u?l?l?l ?l?d?d ... RT: 13 CR: 39 / 5331
  34. $ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
  35. $ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
  36. $ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
  37. $ ./oclHashcat64.bin ... ?u?l?l?l ?d?d?d?d ... RT: 14 CR: 39 / 5331
  38. $ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d?d?d ... RT: 14 CR: 39 / 5331
  39. $ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d?d?d ... RT: 16 CR: 39 / 5331
  40. $ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d?d?d ... RT: 17 CR: 39 / 5331
  41.  
  42. ./batchcrack.sh: line 186: i: command not found
  43. Running combinator attacks
  44. $ ./oclHashcat64.bin ... example.dict example.dict ... RT: 19 CR: 54 / 5331
  45. $ ./oclHashcat64.bin ... example.dict example.dict --rule-left=l$- ... RT: 18 CR: 54 / 5331
  46.  
  47. Running hybrid attacks
  48. $ ./oclHashcat64.bin ... -1 ?l?d?s?u example.dict ?1 ... RT: 12 CR: 54 / 5331
  49. $ ./oclHashcat64.bin ... -1 ?l?d?s?u example.dict ?1?1 ... RT: 12 CR: 56 / 5331
  50. $ ./oclHashcat64.bin ... -1 ?l?d example.dict ?1?1?1 ... RT: 15 CR: 63 / 5331
  51. $ ./oclHashcat64.bin ... -1 ?d example.dict ?1?1?1?1 ... RT: 13 CR: 70 / 5331
  52. $ ./oclHashcat64.bin ... -1 ?l?d?s?u ?1 example.dict ... RT: 15 CR: 71 / 5331
  53. $ ./oclHashcat64.bin ... -1 ?l?d?s?u ?1?1 example.dict ... RT: 14 CR: 75 / 5331
  54. $ ./oclHashcat64.bin ... -1 ?l?d ?1?1?1 example.dict ... RT: 15 CR: 79 / 5331
  55. $ ./oclHashcat64.bin ... -1 ?d ?1?1?1?1 example.dict ... RT: 14 CR: 81 / 5331
  56.  
  57. Running brute-force attacks
  58. $ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1 ?1 ... RT: 13 CR: 81 / 5331
  59. $ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1 ?1 ... RT: 12 CR: 81 / 5331
  60. $ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1 ?1?1 ... RT: 13 CR: 82 / 5331
  61. $ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1?1 ?1?1 ... RT: 15 CR: 84 / 5331
  62. $ ./oclHashcat64.bin ... -1 ?l?d?u ?1?1?1 ?1?1?1 ... RT: 27 CR: 91 / 5331
  63. $ ./oclHashcat64.bin ... -1 ?l?d?s ?1?1?1 ?1?1?1 ... RT: 43 CR: 93 / 5331
  64. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d ... RT: 13 CR: 94 / 5331
  65. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d ... RT: 12 CR: 96 / 5331
  66. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?d ... RT: 14 CR: 101 / 5331
  67. $ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?d?d ... RT: 29 CR: 127 / 5331
  68. $ ./oclHashcat64.bin ... ?l?l?l?l ?l?l?l ... RT: 15 CR: 129 / 5331

As you can see there are a variety of targeted attacks in this script. We recovered 127 of 5331 passwords which is pretty good for a script which takes 10 mins to run. If we include the 7 char bruteforce line we increase our chances significantly.

Once the script is finished the cracked hash’s will be in a nice hash:password format in the outputfile:

bash

  1. [root@tools oclHashcat-0.20]# head -n 25 batchcrack.out
  2. 016d36db759cbd97f97b8f44d1586020:zukt,
  3. 01f83ed4bd86376bd9fa66e473b074f8:jfuf2009
  4. 027e6a2a604638adbd930b4557063c15:0129112924
  5. 03cc48ea3a4d1ee0414d0deadd07d023:0162645647
  6. 05032716992559f48cf71028ea8a36cb:temp4562
  7. 053f55b3c966e636577b27d29c3a6e01:fqmrrkez
  8. 06a776ee99089aea3d42d29dcd6e7fb4:pmvntugx
  9. 06aee226d2d65dc15ad4e12670bda119:zlnytrdx
  10. 06bfa6e9bc34362a51e0809f4538e72d:safalala
  11. 077e1e814d536ac7ea4d2a807139b8c3:uiclqcwd
  12. 083097a6b9af3c8f670f5b9a7ad4f17b:9212280494
  13. 08571f5827caf4405af9ffb5d346f2bc:kxjfmulh
  14. 089ebba58081b56b18563a0dc37a56c3:bgwwlpwr
  15. 08cd4d799f69a6692295134b07582a2f:ruzwmgjk
  16. 08d553c67a1b549fbbb6f8c105a2576f:vwyxpfbw
  17. 091436aed7244fdb9c739d26d8d6344a:oyohrvbd
  18. 09e752289986cf77e8970aaab3c64ad9:ptfapwwv
  19. 0a34afb822cf799d3a4480f6fc156bd4:zurjpwxp
  20. 0a5be673cd81a2bc3cf9fd27c620729a:qmzkkzox
  21. 0a7b0eb41f25362dc841a01969a32d39:ybtztguo
  22. 0ab2c17e2bc85953e93f194debe2a032:qtyqty
  23. 0ad18ed230360f5766ec26bced48a1fd:vkydksvx
  24. 0b281b54fbd3ec9da2c8beee878703f3:tzvhrcek
  25. 0b9a85aca47e4b2cbb537032958d9f3c:utsnrccj
  26. 0bbd06bbf91816b3284e5603464e4e8c:dkffsvtv

All in all Oclhashcat is a great new tool and will be a strong contender in the GPU hash cracking field. My only 2 problems with the tools are that there is no range function (which the author has promised to fix) and that the source is not availble. For more information on oclhashcat you can visit their website, forums and IRC channel

Penetration Tester’s Open Source Toolkit (Paperback)


List Price: $59.95
New From: $12.86 USD In Stock
Used from: $0.46 USD In Stock

Share