correct command?
#1
Hi there,
 
can you help a newbie enter the correct command?
I've looked a lot of videos and commands in the forum, but somehow I can't handle it.
 
I would like to hack the NTLM password from Windows 10 and have already copied the appropriate hash value for me.
 
I would use a PC with The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux as hardware.
 
CPU: AMD Ryzen 5 1600 Six-Core
GPU: AMD Radeon RX 470 8GB
 
I would like to get the best performance out of it, i.e. CPU and GPU
 
My attempt with the wordlist rockyou.txt worked but Hashcat always complained that I didn't have enough lists.
 
I would be really happy if you can support me.
 
If you have any questions about the optimization from your side, I'll try to answer everything exactly.
Reply
#2
ntlm is a really really fast hash

if you just use rockyou.txt (i think it has 14 mio passwords) even with an old graphicscard hashcat will test these passwords in seconds (in fact, the whole process starting hashcat and pushing the candidates to the gpu will last longer)

you can use rules to modify the passes and therefore provide more password-candidates (see /rules)

because of the fact ntlm is such a fast hash try bruteforcing it
just a fast lookup with an test-pw

?a 1to6 under a minute
?a 7 an hour max

more common masks length 7-8 like
?l?d,?l?u?d,?a?2?1?1?1?1?a
?l?d,?l?u?d,?a?2?1?1?1?1?1?a
also minutes

OR google it, there are some sites on the internet which have really huge precomputed rainbowtables for ntlm hashes where you can "lookup" these and check whether there are known or not
Reply
#3
OK thank you for your information,
can you help me to finde the right command?
and i dont think he use my GPU

if i run this...


hashcat -m 1000 -a 3  /home/hacker/Dokumente/NTLM.txt /home/hacker/Dokumente/rockyou.txt                             


                                                  1 ⨯
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 5 1600 Six-Core Processor, 5859/5923 MB (2048 MB allocatable), 12MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 67 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.


Session..........: hashcat                     
Status...........: Exhausted
Hash.Name........: NTLM
Hash.Target......: XXXXXXXXXXXXXXXXX (i have edit)
Time.Started.....: Tue Oct 12 10:33:14 2021 (0 secs)
Time.Estimated...: Tue Oct 12 10:33:14 2021 (0 secs)
Guess.Mask.......: jeffhardy [9]
Guess.Queue......: 2512/14336792 (0.02%)
Speed.#1.........:    1562 H/s (0.04ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: jeffhardy -> jeffhardy
Reply
#4
yeah it seem hashcat just uses your CPU

you can run hashcat -I to see what kind of devices hashcat can utilize, i think you miss some drivers for your GPU

GPU Driver requirements:
  • AMD GPUs on Linux require "RadeonOpenCompute (ROCm)" Software Platform (3.1 or later)
  • AMD GPUs on Windows require "AMD Radeon Adrenalin 2020 Edition" (20.2.2 or later)
  • Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
  • NVIDIA GPUs require "NVIDIA Driver" (440.64 or later) and "CUDA Toolkit" (9.0 or later)
Reply
#5
Yes your are right, the The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux has not the right driver, i have now try to install the driver, but is not working.
do you khow the best OS for hashcat?

what do you think, is OK if i install Ubuntu 21.04... do i need a GUI or can i install comand line only?

or have yor a better idee?
Reply
#6
i think ubuntu or any other debian-based distro beside k.a.l.i will work

command line will be enough for running hashcat
Reply
#7
Do you mean to use -a0 instead of -a3?

(10-12-2021, 08:30 AM)3mu Wrote: OK thank you for your information,
can you help me to finde the right command?
and i dont think he use my GPU

if i run this...


hashcat -m 1000 -a 3  /home/hacker/Dokumente/NTLM.txt /home/hacker/Dokumente/rockyou.txt                             


                                                  1 ⨯
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 5 1600 Six-Core Processor, 5859/5923 MB (2048 MB allocatable), 12MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 67 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.


Session..........: hashcat                     
Status...........: Exhausted
Hash.Name........: NTLM
Hash.Target......: XXXXXXXXXXXXXXXXX (i have edit)
Time.Started.....: Tue Oct 12 10:33:14 2021 (0 secs)
Time.Estimated...: Tue Oct 12 10:33:14 2021 (0 secs)
Guess.Mask.......: jeffhardy [9]
Guess.Queue......: 2512/14336792 (0.02%)
Speed.#1.........:    1562 H/s (0.04ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: jeffhardy -> jeffhardy
Reply
#8
Hello everyone,
now I've finally managed to install a system that also supports my GPU driver.
I didn't get it right with Linux, I made several attempts here.
In the end, I managed it with a Windows 10 PC.

when I start hashcat -I
I get a message that something does not fit with the driver, but the calculation is done quite quickly via the GPU.
(i will post all the command output in the bootom from this)

Ok, can we get to my opening question now what could I use the optimal command now?

@walterlacka
I used -a 3 but only because I read it somewhere, I don't know if that's good.

i tried the command
hashcat.exe -m 1000 -a 3 -O c:\hashcat\NTLM.txt c:\hashcat\rockyou.txt

but the performance was so bad that I canceled it again.

and now i have start ths command.
hashcat.exe -m 1000 -a 3 -O c:\hashcat\NTLM.txt

I think that he is now simply trying out all the combinations
with a password of 1-15 characters
from the times I have calculated that he needs 8 days for the experiment.
so I would now just let it go as it is.


---------------
hashcat.exe -I
hashcat (v6.2.4) starting in backend information mode

Unsupported AMD HIP runtime version '0.0.3188' detected! Falling back to OpenCL...

OpenCL Info:
============

OpenCL Platform ID #1
Vendor..: Advanced Micro Devices, Inc.
Name....: AMD Accelerated Parallel Processing
Version.: OpenCL 2.1 AMD-APP (3188.4)

Backend Device ID #1
Type...........: GPU
Vendor.ID......: 1
Vendor.........: Advanced Micro Devices, Inc.
Name...........: Radeon (TM) RX 470 Graphics
Version........: OpenCL 2.0 AMD-APP (3188.4)
Processor(s)...: 32
Clock..........: 1260
Memory.Total...: 8192 MB (limited to 6745 MB allocatable in one block)
Memory.Free....: 8064 MB
OpenCL.Version.: OpenCL C 2.0
Driver.Version.: 3188.4
PCI.Addr.BDF...: 23:00.0
-----------------------------------

hashcat.exe -m 1000 -a 3 -O c:\hashcat\NTLM.txt c:\hashcat\rockyou.txt
hashcat (v6.2.4) starting

Unsupported AMD HIP runtime version '0.0.3188' detected! Falling back to OpenCL...

OpenCL API (OpenCL 2.1 AMD-APP (3188.4)) - Platform #1 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #1: Radeon (TM) RX 470 Graphics, 8064/8192 MB (6745 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2950 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: XXXXXXXXXXXXXXXXX (i have edit)
Time.Started.....: Wed Oct 13 09:37:32 2021 (0 secs)
Time.Estimated...: Wed Oct 13 09:37:32 2021 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: 123456 [6]
Guess.Queue......: 1/14336787 (0.00%)
Speed.#1.........: 821 H/s (0.01ms) @ Accel:512 Loops:1 Thr:128 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> 123456
Hardware.Mon.#1..: Temp: 42c Fan: 0% Util: 4% Core:1227MHz Mem:2000MHz Bus:16

------------------------

hashcat.exe -m 1000 -a 3 -O c:\hashcat\NTLM.txt
hashcat (v6.2.4) starting

Unsupported AMD HIP runtime version '0.0.3188' detected! Falling back to OpenCL...

OpenCL API (OpenCL 2.1 AMD-APP (3188.4)) - Platform #1 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #1: Radeon (TM) RX 470 Graphics, 8064/8192 MB (6745 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2950 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: XXXXXXXXXXXXXXXXX (i have edit)
Time.Started.....: Wed Oct 13 09:38:23 2021 (0 secs)
Time.Estimated...: Wed Oct 13 09:38:23 2021 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?1 [1]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 1/15 (6.67%)
Speed.#1.........: 55382 H/s (0.04ms) @ Accel:256 Loops:62 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 62/62 (100.00%)
Rejected.........: 0/62 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-62 Iteration:0-62
Candidate.Engine.: Device Generator
Candidates.#1....: s -> X
Hardware.Mon.#1..: Temp: 52c Fan: 0% Util: 5% Core:1247MHz Mem:2000MHz Bus:16
Reply
#9
-a 3 means bruteforce, so your first command where you tried using rockyou.txt was not right adn therefore i dont know what hashcat did there

so just for a fast first run, copy the follwoing lines into a file called basicmasks.txt

Code:
# all [1-6]
?a
?a?a
?a?a?a
?a?a?a?a
?a?a?a?a?a
?a?a?a?a?a?a

# basic v2 [7-8]
?l?d,?l?u?d,?a?2?1?1?1?1?a
?l?d,?l?u?d,?a?2?1?1?1?1?1?a

then run hashcat with

Code:
hashcat -a 3 -m 1000 -O -w 3 NTLM.txt basicmasks.txt

this will do a short run with all chars 1-6 positions and then switch the mask for position 7-8, see https://hashcat.net/wiki/doku.php?id=hashcat and https://hashcat.net/wiki/doku.php?id=mask_attack for more infos about masks and options

after this run you can supply another maskfile with other masks or try your dictionary attack but dictionary would be -a 0 so
Code:
hashcat -a 0 -m 1000 -O -w 3 NTLM.txt rockyou.txt

also if you install intel opencl runtime you can also utilize your CPU for cracking, after installing this driver
Code:
hashcat -I
should also show up your CPU, adding Option -D 1,2 will tell hahscat to use CPU+GPU (GPU only default)
Reply
#10
Thank you so much...
i will try this in 8 Day if my run is now complite...
Reply