I have decided to do a few pieces on password auditing over the next few days as a sort of follow-up to some of my previous articles on passwords. By writing these, I hope to encourage people to use longer, more secure passwords and not to worry so much about the convenience of a short, easy-to-remember password.
For this article I am going to assume a few things. If you do not meet all these requirements, this article will not be very helpful. If there is some interest I will write a follow-up on how to get your Linux box going with Nvidia and CUDA.
1. You are running a Linux distro
2. You have the Nvidia drivers and toolkit installed and you have a working CUDA environment
Password cracking is one of the funnest parts of my job; no matter how many times I do it, I still get a rush when I see the hash decrypt.
For this demo we are going to use a tool called the CUDA-Multi-forcer. We can download the tool here. Once we get the archive we simply unpack it:
tar xjvf filename.tar.bz2
The binaries are prebuilt, so we don't have to worry about compiling the source. There are also Windows and Mac (Intel only) binaries available; however, I have not used either one, so I cannot speak as to how well they work. So once you have it unpacked you should be looking at something like this.
Now as you can see there is a binary for 32-bit Linux and 64-bit Linux. I am using a 64-bit system, so I will be using that one.
So in order to run this tool we need to grab some NTLM hashes. How and where you get these is your affair. I will be doing it the completely legit way and using my favorite online password hash generator. The folks over at Insidepro have graciously made this great service available online.
It's easy to use: just enter a password and hit generate, and it will hash your password in about 60 different ways. The one we are interested in is about halfway down and says NTLM. I decided to use the password “ph33r”, which follows a common way people try to remember passwords, replacing letters with numbers, otherwise known as l33t sp33k.
In the past this was a viable solution, but what I am about to show you is that a password with any less than 9 or 10 chars is pretty much useless when pitted against a GPU-powered machine. So once we have the hash we want to make a file in the directory of the CUDA Multiforcer.
Ok so now we are ready to give it a crack.
Just a little refresher on password lingo. There are a few ways to break passwords. The most common is what's called a dictionary attack, which is where the attacker has a large dictionary of words and uses a tool like John the Ripper to compare your hash to every word. This can be fairly quick depending on your CPU power, but the limitation is that if the actual password is not in the dictionary the attack will fail.
The second type is what's known as a brute force. This is what we are doing here. With a brute force the attacker can specify a charset of characters like a-z lowercase or A-Z uppercase and add numbers and punctuation if needed. A “full” charset is all 96 printable characters on a US keyboard. I am American so that is what I use, but it's easy to modify the charset file for a different language. So, now that we know the difference between the two attacks, let's proceed.
Using conventional NTLM brute force tools on a high-end PC we can test about 1 million passwords per second. While this may sound like a lot, when you consider how many possible combinations there are in an 8 char password using all 96 chars, it's not very much. So enter GPU power.
This test was done with a Nvidia 295 gtx card. The processing power of Nvidia cards varies by make and model. The 295 is one of the better ones. We can speed up the bruteforce process by about 5 times.
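The arithmetic behind the last two paragraphs, as an added example that is not part of the original article: it sizes the brute-force keyspace for a charset and length range and converts it to worst-case time at the rates quoted above (about 1 million guesses per second on a CPU, about 5 times that on the GPU). The 36-character lowercase-plus-digits charset and all function names are assumptions made here; substitute the rate your own hardware reports.

```python
# Added example: brute-force keyspace sizing with the figures quoted in the article.
YEAR = 365 * 24 * 3600
FULL_CHARSET = 96           # the article's "full" charset
LOWER_DIGITS = 36           # assumption: a-z plus 0-9, enough for "ph33r"
CPU_RATE = 1_000_000        # article: about 1 million NTLM guesses per second
GPU_RATE = 5 * CPU_RATE     # article: GPU is "about 5 times" faster


def keyspace(charset_size, min_len, max_len):
    """Candidates a brute force must try for every length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size, min_len, max_len, rate):
    """Worst-case whole seconds (rounded up) to try the entire keyspace."""
    return -(-keyspace(charset_size, min_len, max_len) // rate)


def min_length_to_resist(charset_size, rate, seconds, limit=14):
    """Shortest maximum length that outlasts `seconds`, or None up to `limit`."""
    for length in range(1, limit + 1):
        if seconds_to_exhaust(charset_size, 1, length, rate) > seconds:
            return length
    return None


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds} seconds"


if __name__ == "__main__":
    for name, size in (("a-z0-9", LOWER_DIGITS), ("full", FULL_CHARSET)):
        for length in range(5, 11):
            cpu = seconds_to_exhaust(size, 1, length, CPU_RATE)
            gpu = seconds_to_exhaust(size, 1, length, GPU_RATE)
            print(f"{name:>6} up to {length:2d}: CPU {human(cpu):>20} | GPU {human(gpu):>20}")
        print(name, "min length to outlast a year on the GPU:",
              min_length_to_resist(size, GPU_RATE, YEAR))
```

At these rates a lowercase-plus-digits password needs 10 characters to outlast a year of GPU guessing, and the required length grows as the measured rate goes up.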
So here is the complete command we are going to use. I will break down each of the options.
-h The type of hash. NTLM, MD5 and MD4 are currently supported.
-c The charset we want to use. There is a complete list inside the charset directory.
-f The path to the file where we have our hash. We can add as many hashes to the file as we want.
--min= Minimum number of chars to try.
--max= Maximum number of chars to try. The limit for NTLM is 14.
The last 3 options are advanced options, so using the defaults that I have should be fine. They are also optional, so the tool will run fine without them. They are simply meant for optimization.
I will also run the tool with the time command in front of it so you can see how fast it cracks our password.
There it is! A five char password with letters and numbers cracked in 12.6 seconds. I hope most people at this point are considering using stronger passwords. Hopefully this short demo was helpful as an intro to using GPUs for password cracking, and I hope it also helps to enlighten users to the need for strong passwords.