OCLHashcat: Multi GPU Password Cracking on Linux using Open CL

Recently some pretty major advances have come around in the world of GPU based hash cracking. Up untill now there was not much for Linux which would utilize multi GPUs to crack password hashs. This has been changed with the release of Oclhashcat. The release of oclhashcat signifies a signifigant jump in the speed on linux based GPU systems. There is also a cpu based version called hashcat but for this article I will be reviewing oclhashcat

One of the nice things about Opencl is that it works on Nvidia and ATI based systems. As I do not have any ATI cards I will be focusing on Nvidia based systems. The steps for ATI would be the same you would just have to install the stream drivers rather than the Nvidia drivers.  In order for opencl to work you are going to need the newest nvidia drivers.

You can check your driver version like this:

[root@tools ~]# cat /proc/driver/nvidia/version
NVRM version: NVIDIA UNIX x86_64 Kernel Module  195.36.15  Fri Mar 12 00:29:13 PST 2010

You can download the Nvidia drivers for your system from here

Since the newest Nvidia drivers already include the opencl libraries there is nothing else to do, opencl should be working.

As I am writing this article version 2.0 of oclhashcat has just been released.

Some of the key features include:
* Free
* Multi-GPU
* Multi-Hash
* Linux & Windows native binaries
* Uses OpenCL
* Fastest multihash MD5 cracker on NVidia cards
* Fastest multihash MD5 cracker on ATI 5xxx cards
* Supports wordlists (not limited to Brute-Force / Mask-Attack)
* Can mix wordlists with Mask-Attack to emulate Hybrid-Attacks
* Runs very cautious, you can still watch movies while cracking
* Kernel workload can be configured while cracking
* Supports pause / resume
* Supports huge numbers of hashes (4 million and more)
* Able to work in a distributed environment
* Includes hashcats entire rule engine to modify wordlists on start
* … and much more

Supported algorithms include:
* MD5
* md5($pass.$salt)
* md5($salt.$pass)
* md5(md5($pass))
* md5(md5($pass).$salt)
* SHA1
* MySQL
* MySQL4.1/MySQL5
* MD4
* NTLM
* Domain Cached Credentials

The binaries can be downloaded from here . The source is currently not available and based on comments by the author he does not plan on making it so anytime soon. Although this is a pain its still a great tool.

My test box is going to be a server we have with 4 Nvidia 295gtx’s. Since a 295 is really 2 cards in one, our test box essentially has 8 video cards.

Lets have a look at the menu:

[root@tools oclHashcat-0.20]# ./oclHashcat64.bin --help
./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
oclHashcat, advanced password recovery

Usage: ./oclHashcat64.bin [options] hashlist wordlist_left|mask_left wordlist_right|mask_right

Startup:
-V,  --version             print version
-h,  --help                print help
--eula                print eula

Logging and Files:
--restore             restore previous session
--quiet               quiet mode
-o,  --output-file=FILE    output-file for recovered hashes
--output-format=NUM   0 = hash:pass
1 = hash:hex_pass
2 = hash:pass:hex_pass
-e,  --salt-file=FILE      salts-file for unsalted hashlists
-j,  --rule-left=RULE      rule applied to each word from left wordlist
-k,  --rule-right=RULE     rule applied to each word from right wordlist

Resources:
--restore-options=STR Skip words (left:right) per device. Seperate with comma
-d,  --gpu-devicelist=STR  OCL devices to use. Seperate with comma
-n,  --gpu-accel=NUM       workload tuning: 1=fast desktop, 80=fast crunching
--gpu-loops=NUM       workload fine-tuning if -n is not precise enough

Buildin-Masks:

?l = aeionrsdlctbmfuhkgpywjvzxq
?u = ASERMLNDCTBIPOHKGFUJYWVXZQ
?d = 1023985476
?s = .-!_@ *#$+/,&?%=);(^:"[<'`]>|{}

Custom-Masks:
-1,  --custom-mask1=CS     user-defineable masks
-2,  --custom-mask2=CS     example:
-3,  --custom-mask3=CS     --custom-mask3=?dabcdef
-4,  --custom-mask4=CS     sets mask ?3 to 0123456789abcdef

Attacks:
-m,  --hash-mode=NUM       number of hash-mode
0    = MD5
1    = md5($pass.$salt)
2    = md5($salt.$pass)
3    = md5(md5($pass))
5    = md5(md5($pass).$salt)
100  = SHA1
200  = MySQL
300  = MySQL4.1/MySQL5
900  = MD4
1000 = NTLM
1100 = Domain Cached Credentials
1500 = DES

As you can see there are quite a few options for hash cracking. For the sake of this article I will be cracking some md5 hashs from hashkiller.com.

The syntax for oclhascat is a little tricky at first but once you understand it it gets much easier. It works on a character set and a specific position for each character.

For example lets look at the built in charsets:

?l = aeionrsdlctbmfuhkgpywjvzxq
?u = ASERMLNDCTBIPOHKGFUJYWVXZQ
?d = 1023985476
?s = .-!_@ *#$+/,&?%=);(^:"[<'`]>|{}

So for example many people commonly use a name with a birthdate or some other date of significance after it, so I could define that like ?u?l?l?l?l ?d?d?d?d. While this looks very odd what I am saying is that I want to test 9 character passwords and that I am assuming the first letter is going to be a capitol, the next 4 letters will be lowercase a-z and that the last 4 characters are numbers meaning and dates like 1948 or 2012 will be covered. This targeted method of attack can be much faster that a normal brutefore. The only major limitation I have found so far in oclhashcat is the fact that you cannot give it a range of password lengths. This is not the end of the word because the tool can be easily scripted but its of feature that should be the authors priority to implement.

Ok so lets look at a real example:

[root@tools oclHashcat-0.20]# ./oclHashcat64.bin opencrack.txt example.dict ?d?d?d?d
./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
oclHashcat v0.20 starting...

Digests: 5331 entries, 5331 unique
Scanned: example.dict (129988)
Maskprocessor: ?d?d?d?d (10000)
Summary: 1299880000 combinations
Platforms: 1
Platform: NVIDIA Corporation, OpenCL 1.0 CUDA 3.0.1 (8 matched)
Device #1: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #2: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #3: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #4: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #5: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #6: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #7: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
Device #8: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css04_le_4_4318.kernel (3393 bytes)
WARNING: words in wordlist_left < 491520. Can't gain full performance
c553b8fe622bed5e8ed62a94bc94d57d:babe1010
acf5f893c0871f4d4b87decfcded01fd:06039000
3fb707242bb356b2d5782b6b1fa7a150:yen9961
6ee18d60785401df7af0bbc676789c76:sweetie2010
929f5c4d8343ded8241c2f36b5831484:mann5630
15a810a418b53f550bf6f5ffc0ac703e:katie1602
39d5dee99d8831bb979a6677c05e2aef:megan2822
989b3b7feef58ea4c340476f6ecc48b6:miba2102
ef56087d70af5cc10b00622e08a56886:death9413
05032716992559f48cf71028ea8a36cb:temp4562
b9d094a85dd539c4963fc8eba0ae5355:sasha1509
ad95048b366bd4cc4047d1ef76a46706:730469
7e1b7f303931b88bc8faed0a42713d34:megan9569
ff36cd6d2a64b22f2df912fa9b9c5981:20052605
839b2da837b9fa4f5e239a1b425f1474:Pop3434
f7dddf41bbfd47e775a746f57af69eab:teri0814
9a1ff19330af5d3db35571910fdfb23d:1282244
eb44015f12b1a1cd07f9bdb780f375bd:michele1156
[s]tatus [p]ause [r]esume [h]elp [q]uit =>
Threads...: 8
Speed.GPU1:  327.9M/s (finished)
Speed.GPU2:  327.9M/s (finished)
Speed.GPU3:  326.3M/s (finished)
Speed.GPU4:  319.9M/s (finished)
Speed.GPU5:  329.1M/s (finished)
Speed.GPU6:  328.3M/s (finished)
Speed.GPU7:  330.2M/s (finished)
Speed.GPU8:  327.9M/s (finished)
Speed.GPU*: 2617.7M/s
Recovered.: 18/5331 Digests, 0/1 Salts
Progress..: 1299840000/1299880000 (100.00%)
Running...: 9 secs
Estimated.: 0 secs

Started: Sun Jun 20 09:29:33 2010
Stopped: Sun Jun 20 09:29:43 2010

NOTE: If you are recieving the “./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)” error I am told that this is nothing to worry about and is simply a small bug in Linux.

In the example I just showed what we did was take our md5 list which I have named opencrack.txt and we ran it against the example dictionary which comes with oclhashcat. At the same time we told oclhash cat to add a bruteforce of 4 digits to the end of each word.

You can see here the number of combinations we are looking at: Summary: 1299880000 combinations

You can see here the combined speed of all your GPUs: Speed.GPU*: 2617.7M/s
(Since this attack only took nine seconds my gpus didn’t even have time to get fired up, they are about twice as fast as this normally.)

The next line shows us how many passwords were loaded and how many recovered: Recovered.: 18/5331 Digests, 0/1 Salts
As you can see we did recover 18 of the 5331 passwords with just this quick simple attack.

The next few lines give time summaries and a percentage of how far along the crack is.

Ok so lets look at some bruteforce options:

[root@tools oclHashcat-0.20]# ./oclHashcat64.bin opencrack.txt -n 80 -m 0 -1 ?l?u?d?s ?1?1?1 ?1?1?1
./oclHashcat64.bin: /usr/lib64/libOpenCL.so: no version information available (required by ./oclHashcat64.bin)
oclHashcat v0.20 starting...

Digests: 5331 entries, 5331 unique
Maskprocessor: ?1?1?1 (830584)
Maskprocessor: ?1?1?1 (830584)
Summary: 689869781056 combinations
Platforms: 1
Platform: NVIDIA Corporation, OpenCL 1.0 CUDA 3.0.1 (8 matched)
Device #1: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #2: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #3: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #4: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #5: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #6: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #7: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Device #8: GeForce GTX 295, 895MB, 1242Mhz, 30MCU
Kernel: kernels/oclHashcat_m0000_4_4318.kernel (60317 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
Kernel: kernels/mp_run_css03_le_4_4318.kernel (3176 bytes)
WARNING: words in wordlist_left < 4915200. Can't gain full performance
[s]tatus [p]ause [r]esume [h]elp [q]uit =>
b18a5dd9691f569bfa14d67f921deeeb:Khzhid
8abe43e1c718e403846ebea7393daf05:teekel
742f40069bda6a1f547ae40ea6a9d452:mdkswc
fa053ed88aad28bbe9cc7666a3b39f19:rs_l1b
2a4a5a32877506a37426829d71918f4b:gyvenk
6a182f3c48123a4af5657f75b25b96be:xlriop
0ab2c17e2bc85953e93f194debe2a032:qtyqty
42e604cfac34630dc0ff02bd1123b7c1:10@D3D
16bd51d25ed0c5797320e8c3afa90a22:zara<3
ad95048b366bd4cc4047d1ef76a46706:730469
67b0b903b0bc55e52124a8a3fd5fa0e5:t31bh5
8713864611c063edd4f18e26dce4ea08:Darma6
[s]tatus [p]ause [r]esume [h]elp [q]uit =>
Threads...: 8
Speed.GPU1:  500.1M/s (finished)
Speed.GPU2:  500.8M/s (finished)
Speed.GPU3:  501.0M/s (finished)
Speed.GPU4:  501.1M/s (finished)
Speed.GPU5:  500.6M/s (finished)
Speed.GPU6:  500.8M/s (finished)
Speed.GPU7:  501.1M/s (finished)
Speed.GPU8:  501.1M/s (finished)
Speed.GPU*: 4006.6M/s
Recovered.: 12/5331 Digests, 0/1 Salts
Progress..: 689869781056/689869781056 (100.00%)
Running...: 3 mins, 4 secs
Estimated.: 0 secs

Started: Sun Jun 20 09:51:46 2010
Stopped: Sun Jun 20 09:54:50 2010

So in this attack we did a full bruteforce of a-z, A-Z, 0-9 and .-!_@ *#$+/,&?%=);(^:”[\<'`]>|{}. This is defined by giving the -1 argument for built in masks and then using that one in each of the six positions.

-1 ?l?u?d?s   ?1?1?1 ?1 ?1?1

If we knew a few things about our password policy, for example that the first letter was always a capitol we could refine this attack a little like this -1 ?l?u?d?s ?u?1?1 ?1 ?1?1 and if we also knew that the last 2 places were always numbers we could -1 ?l?u?d?s ?u?1?1 ?1 ?d?d. These functions allow us to refine our attack to improve the time it takes to complete. On this particular system you can see that a full 6 character brute force only took 3 mins so for passwords of 6 chars and under I always do a full bruteforce. The same attack with 7 characters takes about 4 hours on my system so using some of the placement tricks can really speed things up.

At any point during the cracing proccess you can press “s” and get a status report:

[s]tatus [p]ause [r]esume [h]elp [q]uit => s
Threads...: 8
Speed.GPU1:  500.7M/s (running)
Speed.GPU2:  500.8M/s (running)
Speed.GPU3:  501.2M/s (running)
Speed.GPU4:  501.2M/s (running)
Speed.GPU5:  501.2M/s (running)
Speed.GPU6:  501.2M/s (running)
Speed.GPU7:  501.2M/s (running)
Speed.GPU8:  501.1M/s (running)
Speed.GPU*: 4008.5M/s
Recovered.: 3/5331 Digests, 0/1 Salts
Progress..: 84520227840/689869781056 (12.25%)
Running...: 33 secs
Estimated.: 2 mins, 31 secs

This report will tell you the speed of the GPU’s, number of passwords recovered and estimated time to finish.

The last thing I will show is the included batchcrack script. This script is included to make up for the fact that there in no way to define a range I assume. The script runs through about 20 different attacks. The cool thing about the script is the author made every thing in variables which are easily changed.

Open the script in your favorite editor and look at the first section:

OUTPUT_FILE=batchcrack.out
DICT_FILE=example.dict
HASH_MODE=0
GPU_DEVICELIST=1,2
GPU_ACCEL=80
GPU_LOOPS=256

This is the default configuration. It needs to be edited to reflect the amount of GPU’s you would like to use so for me it would be GPU_DEVICELIST=1,2,3,4,5,6,7,8.

The hashmode is md5 by default but can be changed to any of the modes available:

0 = MD5
1 = md5($pass.$salt)
2 = md5($salt.$pass)
3 = md5(md5($pass))
5 = md5(md5($pass).$salt)
100 = SHA1
200 = MySQL
300 = MySQL4.1/MySQL5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials
1500 = DES

You can also change the gpu acceleration to any number between 1 and 80 where 1 is the nicest to your system and 80 is the fastest. This setting depends on if you are running a Xserver or are doing any other tasks on your computer. My box is dedicated to cracking so I use 80 for every thing.

Other options possible to change are the output file, the input dictionary and the number of GPU loops.

One other change I made to my script was to add a line to full bruteforce 7 chars. This will make the script take 4-5 hours to complete but I feel thats well worth it. I simply added the line to the bruteforce section of the script.

if [ $BRUTEFORCE -eq 1 ]
then
        $ECHO Running brute-force attacks

        run -1 ?l?d?u?s ?1       ?1
        run -1 ?l?d?u?s ?1?1     ?1
        run -1 ?l?d?u?s ?1?1     ?1?1
        run -1 ?l?d?u?s ?1?1?1   ?1?1
        run -1 ?l?d?u   ?1?1?1   ?1?1?1
        run -1 ?l?d?s   ?1?1?1   ?1?1?1

        run ?d?d?d?d ?d?d?d
        run ?d?d?d?d ?d?d?d?d
        run ?d?d?d?d ?d?d?d?d?d
        run ?d?d?d?d ?d?d?d?d?d?d

        run ?l?l?l?l ?l?l?l
        run ?l?l?l?l ?l?l?l?l
        run -1 ?l?d?u?s ?1?1?1?1     ?1?1?1
        $ECHO ""
fi

Ok so once our script is edited lets run it against our ist of md5′s:
(I did not include the 7 char bruteforce in this example)

[root@tools oclHashcat-0.20]# ./batchcrack.sh opencrack.txt
Running mask attacks
$ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d ... RT: 12 CR: 0 / 5331
$ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d ... RT: 13 CR: 0 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?l ?d?d?d ... RT: 12 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?l ?l?d?d ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?l?l?l ?l?l?d ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?l?l ?l?l?l ... RT: 14 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?l ?l?l?l ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?l?l?l ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?l?l ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l ... RT: 12 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d?d ... RT: 13 CR: 3 / 5331
$ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d?d ... RT: 13 CR: 10 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d?d ... RT: 13 CR: 14 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?l ?d?d?d?d ... RT: 14 CR: 27 / 5331
$ ./oclHashcat64.bin ... ?d?d?l?l ?l?l?d?d ... RT: 14 CR: 27 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?l?l?l?l ... RT: 19 CR: 27 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?l?l?l ... RT: 15 CR: 28 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l?l ... RT: 14 CR: 30 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?l ... RT: 13 CR: 30 / 5331
$ ./oclHashcat64.bin ... ?l?d?d?d ?d?d?d?d?d ... RT: 14 CR: 31 / 5331
$ ./oclHashcat64.bin ... ?l?l?d?d ?d?d?d?d?d ... RT: 16 CR: 33 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?d ?d?d?d?d?d ... RT: 17 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?l?l?l ... RT: 39 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?l?l ... RT: 22 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?l ... RT: 17 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d ... RT: 13 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d ... RT: 12 CR: 36 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d ... RT: 13 CR: 37 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?l ?d?d?d ... RT: 13 CR: 37 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?l ?l?d?d ... RT: 13 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d?d ... RT: 13 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?l ?d?d?d?d ... RT: 14 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?d?d?d ?d?d?d?d?d ... RT: 14 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?d?d ?d?d?d?d?d ... RT: 16 CR: 39 / 5331
$ ./oclHashcat64.bin ... ?u?l?l?d ?d?d?d?d?d ... RT: 17 CR: 39 / 5331

./batchcrack.sh: line 186: i: command not found
Running combinator attacks
$ ./oclHashcat64.bin ... example.dict example.dict ... RT: 19 CR: 54 / 5331
$ ./oclHashcat64.bin ... example.dict example.dict --rule-left=l$- ... RT: 18 CR: 54 / 5331

Running hybrid attacks
$ ./oclHashcat64.bin ... -1 ?l?d?s?u example.dict ?1 ... RT: 12 CR: 54 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?s?u example.dict ?1?1 ... RT: 12 CR: 56 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d example.dict ?1?1?1 ... RT: 15 CR: 63 / 5331
$ ./oclHashcat64.bin ... -1 ?d example.dict ?1?1?1?1 ... RT: 13 CR: 70 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?s?u ?1 example.dict ... RT: 15 CR: 71 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?s?u ?1?1 example.dict ... RT: 14 CR: 75 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d ?1?1?1 example.dict ... RT: 15 CR: 79 / 5331
$ ./oclHashcat64.bin ... -1 ?d ?1?1?1?1 example.dict ... RT: 14 CR: 81 / 5331

Running brute-force attacks
$ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1 ?1 ... RT: 13 CR: 81 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1 ?1 ... RT: 12 CR: 81 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1 ?1?1 ... RT: 13 CR: 82 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?u?s ?1?1?1 ?1?1 ... RT: 15 CR: 84 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?u ?1?1?1 ?1?1?1 ... RT: 27 CR: 91 / 5331
$ ./oclHashcat64.bin ... -1 ?l?d?s ?1?1?1 ?1?1?1 ... RT: 43 CR: 93 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d ... RT: 13 CR: 94 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d ... RT: 12 CR: 96 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?d ... RT: 14 CR: 101 / 5331
$ ./oclHashcat64.bin ... ?d?d?d?d ?d?d?d?d?d?d ... RT: 29 CR: 127 / 5331
$ ./oclHashcat64.bin ... ?l?l?l?l ?l?l?l ... RT: 15 CR: 129 / 5331

As you can see there are a variety of targeted attacks in this script. We recovered 127 of 5331 passwords which is pretty good for a script which takes 10 mins to run. If we include the 7 char bruteforce line we increase our chances significantly.

Once the script is finished the cracked hash’s will be in a nice hash:password format in the outputfile:

[root@tools oclHashcat-0.20]# head -n 25 batchcrack.out
016d36db759cbd97f97b8f44d1586020:zukt,
01f83ed4bd86376bd9fa66e473b074f8:jfuf2009
027e6a2a604638adbd930b4557063c15:0129112924
03cc48ea3a4d1ee0414d0deadd07d023:0162645647
05032716992559f48cf71028ea8a36cb:temp4562
053f55b3c966e636577b27d29c3a6e01:fqmrrkez
06a776ee99089aea3d42d29dcd6e7fb4:pmvntugx
06aee226d2d65dc15ad4e12670bda119:zlnytrdx
06bfa6e9bc34362a51e0809f4538e72d:safalala
077e1e814d536ac7ea4d2a807139b8c3:uiclqcwd
083097a6b9af3c8f670f5b9a7ad4f17b:9212280494
08571f5827caf4405af9ffb5d346f2bc:kxjfmulh
089ebba58081b56b18563a0dc37a56c3:bgwwlpwr
08cd4d799f69a6692295134b07582a2f:ruzwmgjk
08d553c67a1b549fbbb6f8c105a2576f:vwyxpfbw
091436aed7244fdb9c739d26d8d6344a:oyohrvbd
09e752289986cf77e8970aaab3c64ad9:ptfapwwv
0a34afb822cf799d3a4480f6fc156bd4:zurjpwxp
0a5be673cd81a2bc3cf9fd27c620729a:qmzkkzox
0a7b0eb41f25362dc841a01969a32d39:ybtztguo
0ab2c17e2bc85953e93f194debe2a032:qtyqty
0ad18ed230360f5766ec26bced48a1fd:vkydksvx
0b281b54fbd3ec9da2c8beee878703f3:tzvhrcek
0b9a85aca47e4b2cbb537032958d9f3c:utsnrccj
0bbd06bbf91816b3284e5603464e4e8c:dkffsvtv

All in all Oclhashcat is a great new tool and will be a strong contender in the GPU hash cracking field. My only 2 problems with the tools are that there is no range function (which the author has promised to fix) and that the source is not availble. For more information on oclhashcat you can visit their website, forums and IRC channel

Penetration Tester's Open Source Toolkit (Paperback)

By (author): Jeremy Faircloth, Jay Beale, Roelof Temmingh, Haroon Meer, Charl van der Walt, HD Moore


List Price: $59.95 USD
New From: $10.94 USD In Stock
Used from: $0.94 USD In Stock

Share