Breaking AIX hashes with hashcat

Breaking AIX hashes with hashcat - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: Breaking AIX hashes with hashcat (/thread-2247.html)

Breaking AIX hashes with hashcat - atom - 04-20-2013

Hey Guys,

I just wanted to inform you about the accomplished work that philsmd and me spend some time in the last week.

The hashes used in AIX:

{smd5}
{ssha1}
{ssha256}
{ssha512}

They are supported to crack with hashcat now. Do not confuse them with OpenLDAP ones.

Quote:
root@sf:~/hashcat-0.45# ./hashcat-cliXOP.bin -m 6300 test6300 -a 3 ?l?l?l?l?l?l?l!
{smd5}01234567$yOImZPvBC8dg1HjGYfH7j.:hashcat!

root@sf:~/hashcat-0.45# ./hashcat-cliXOP.bin -m 6700 test6700 -a 3 ?l?l?l?l?l?l?l!
{ssha1}06$0123456789abcdef$pPDynUWwKgFKx8N5CP.d8D5C.wZ:hashcat!

root@sf:~/hashcat-0.45# ./hashcat-cliXOP.bin -m 6400 test6400 -a 3 ?l?l?l?l?l?l?l!
{ssha256}06$0123456789abcdef$9zHeDVOh2swHIvL1O9LPvTDeWwv0zbsB5n531R3J.UP:hashcat!

root@sf:~/hashcat-0.45# ./hashcat-cliXOP.bin -m 6500 test6500 -a 3 ?l?l?l?l?l?l?l!
{ssha512}06$0123456789abcdef$WGuBLjBECNeZKYKPqZUz8QTIbXCYLKqm0SoMnjvJaCwKR...:hashcat!

Here are the speeds, captured on a stock clocked AMD FX(tm)-8120 Eight-Core Processor using 8 threads:

{smd5} 80.60 KH/s
{ssha1} 822.22 KH/s
{ssha256} 394.14 KH/s
{ssha512} 175.61 KH/s

I will soon port all hashes to oclHashcat-plus and update the post with the GPU speeds.

The hashes will be supported with hashcat CPU v0.45 and oclHashcat-plus v0.15. Beta-Tester can already download hashcat b6 version.

For details of how the hashes are generated check out the follow-up post.

--
atom

RE: Breaking AIX hashes with hashcat - philsmd - 04-20-2013

Hi guys, thx @atom,
and here are the details, it is (partially) too easy to be true and not understandable why nobody else came up with this details b4 ;-):
- smd5 uses md5_crypt basically
- ssha* variants use pbkdf2-hmac-sha-* (there are three of those ssha1, ssha256 and ssha512 connected to the pbkdf2-hmac-sha-* variant)

Furthermore, there is a non-standard (but well-known) base64 table in use:
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

The main difference of smd5 from standard md5_crypt() is that smd5 doesn't use the "$1$" within the md5_crypt digest generation.
But there is an option, they told me, that enables the "standard" version of md5_crypt, i.e. w/ std_hash=true or similar.

There are also very small base64 hacks in ssha* variants but of no big deal, i.e. the length of the outcome hash, what happens w/ padding etc.
If you have some sample hashes (or better password/hash pairs), it is easy to spot this details.

Too much words, here I open a ticket w/ source code attached (be warned: this code is hackish, was quickly written down, w/o looking at performance etc, but should be working too. Don't blame me for the (bad) code, ok?):
https://hashcat.net/trac/ticket/135

RE: Breaking AIX hashes with hashcat - radix - 04-20-2013

cool stuff

RE: Breaking AIX hashes with hashcat - eljolot - 04-21-2013

awesome Big Grin

RE: Breaking AIX hashes with hashcat - Rolf - 04-21-2013

I like how md5-based variant is more secure in terms of computation than sha-2 based variant.

RE: Breaking AIX hashes with hashcat - halfie - 04-21-2013

thanks atom and phil :-)

RE: Breaking AIX hashes with hashcat - atom - 04-22-2013

Finished the port to GPU. Speeds on two stock clocked hd6990's:

smd5: 10 MH/s
ssha1: 44 MH/s
ssha256: 18 MH/s
ssha512: 2 MH/s

RE: Breaking AIX hashes with hashcat - philsmd - 04-22-2013

Amazing speeds! Great, thx for the port and update here