Posts: 4
Threads: 1
Joined: May 2013
Hi, I'm looking into MSSQL 2005 hashes.
I've run hashcat on my workstation cpu previously and everything seemed to work fine. Today I started with Hashcat-plus (cudaHashcat-plus64 0.14.7z to be precise) running on an Amazon EC2 Cluster GPU instance.
I've been using 2 hashes for testing purposes that both result in a 5 character result. The weird thing is that every other time (literally 2 out of 4 runs) I run the command the result changes between Exhausted and Cracked.
Same hashes, same command:
-a 3 -m 132 -1 ?l?u?d <hashfile> ?1?1?1?1?1
The results are both lower case alpha characters only. And although the success rate seems to be somewhat higher when I run with just ?l instead of ?l?u?d it still returns exhausted 1 out of 5 times.
What could this possibly be? What could I try to fix this?
Posts: 5,232
Threads: 233
Joined: Apr 2010
You could start posting all required information for us to reproduce the problem. Like hashes, dictionary, words, commandlines, screenshots, etc..
Posts: 4
Threads: 1
Joined: May 2013
That was going to be my next step. I thought someone might recognize this issue from my description alone. Especially since it's a simple 5 character brute force, no words, no dictionaries.
The command line I posted already:
-a 3 -m 132 -1 ?l <hashfile> ?1?1?1?1?1
and
-a 3 -m 132 -1 ?l?u?d <hashfile> ?1?1?1?1?1
I will add screenshots and hashes later today
Posts: 2,266
Threads: 16
Joined: Feb 2013
05-22-2013, 03:06 PM
(This post was last modified: 05-26-2013, 07:22 AM by philsmd.)
Did some test now but was unable to reproduce this. Are you sure that the charset matches with the passwords, i.e. that all hashes *could* definitely be cracked by the mask? E.g are there no special characters etc.
Please also tell us what hardware do you use (cuda/ocl - card model) and/or which kernel is loaded.
MY TESTS:
Code: // Description: Generates the MSSQL 2005 hashes starting from a password and salt
// Date: 05/22/13
//
// License: belongs to the PUBLIC DOMAIN, donated to hashcat, credits MUST go to hashcat
// and me for their hard work. Thx
// Disclaimer: WE PROVIDE THE PROGRAM “AS IS†WITHOUT WARRANTY OF ANY KIND, EITHER
// EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
// Furthermore, NO GUARANTEES THAT IT WORKS FOR YOU AND WORKS CORRECTLY
//
// HOWTO compile: gcc mssql_2005_compute.c -o mssql_2005_compute -lcrypto
// Example usage: ./mssql_2005_compute hashcat 18102152
// 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
#include <string.h>
#include <stdio.h>
#include <openssl/sha.h>
#define DIGEST_LENGTH 20
#define MSSQL2005_IDENTIFIER "0100"
#define MAX_PASS_LEN 50
#define MAX_LEN_SALT 8 // 8 octets == 4 hex
#define MAX_LEN_UNICODE_SALT 105
#define HEX_BLOCK_SIZE 2
char*HEX_CHARS="0123456789abcdef";
int generate_hash(char digest[DIGEST_LENGTH],char*salt,char*pass)
{
int i,len_pass,len_unicode_salt;
char unicode_salt[MAX_LEN_UNICODE_SALT];
len_pass=strlen(pass);
if (len_pass>MAX_PASS_LEN)
{
printf("[-] ERROR: password too long. EXIT.\n");
return 0;
}
// Convert pass to uppercase unicode
memset(unicode_salt,0,MAX_LEN_UNICODE_SALT);
len_unicode_salt=len_pass*2;
for (i=0; i<len_pass; i++)
{
unicode_salt[i*2]=pass[i]; // Unicode
}
// Salt
memcpy(unicode_salt+len_unicode_salt,salt,4);
len_unicode_salt+=4;
SHA_CTX context;
SHA1_Init(&context);
SHA1_Update(&context,(unsigned char*)unicode_salt,len_unicode_salt);
SHA1_Final(digest, &context);
return 0;
}
void print_hash(unsigned char*salt,unsigned char digest[DIGEST_LENGTH])
{
int i;
printf("0x%s",MSSQL2005_IDENTIFIER);
for (i=0; i<sizeof(salt)/sizeof(char); i++)
{
printf("%02x",salt[i]);
}
for (i=0; i<DIGEST_LENGTH; i++)
{
printf("%02x",digest[i]);
}
printf("\n");
}
int parse_salt(char salt[MAX_LEN_SALT],char*input)
{
int i,j,len_hex=strlen(HEX_CHARS),power,len=strlen(input);
char*pos;
if (len<MAX_LEN_SALT)
{
fprintf(stderr,"[-] Error: salt is too short, length of %i expected\n",
MAX_LEN_SALT);
return 1;
}
if (len!=MAX_LEN_SALT)
{
fprintf(stderr,"[!] Warning: salt should be *exactly* of length %i, ",
MAX_LEN_SALT);
fprintf(stderr,"using only first %i bytes\n",MAX_LEN_SALT);
}
memset(salt,0,MAX_LEN_SALT+1); // null terminator included
for (i=0; i<MAX_LEN_SALT; i+=HEX_BLOCK_SIZE)
{
for (j=0,power=len_hex; j<HEX_BLOCK_SIZE; j++,power/=len_hex)
{
pos=strchr(HEX_CHARS,input[i+j]);
if (pos==NULL)
{
fprintf(stderr,"[-] Unexpected character encountered. *Not* a valid");
fprintf(stderr," hex char. EXIT\n");
return 1;
}
salt[i/HEX_BLOCK_SIZE]+=(pos-HEX_CHARS)*power;
}
}
return 0;
}
void usage()
{
printf("--- MSSQL 2005 COMPUTE ---\nUSAGE:\n ./mssql_2005_compute ");
printf("<PASS> <HEX_SALT>\n");
}
int main(int argc,char**argv)
{
int i;
unsigned char digest[DIGEST_LENGTH];
// COMMAND LINE PARSING
if (argc<2)
{
fprintf(stderr,"[-] Please specify the password. EXIT\n");
usage();
return 1;
}
if (argc<3)
{
fprintf(stderr,"[-] Please specify a salt. EXIT\n");
usage();
return 1;
}
// END COMMAND LINE PARSING
char salt[MAX_LEN_SALT+1];
if (!parse_salt(salt,argv[2]))
{
if (!generate_hash(digest,salt,argv[1]))
{
// success
print_hash(salt,digest);
return 0;
}
else
{
fprintf(stderr,"[-] Error: password generation was *not* successful");
return 1;
}
}
return 1;
}
My salt from example ( http://hashcat.net/wiki/doku.php?id=example_hashes ): 18102152
My test file: hash_mssql2005
5 lower case letters as per example above
Code: $ ./mssql_2005_compute testa 18102152 > hash_mssql2005
$ ./mssql_2005_compute testb 18102152 >> hash_mssql2005
$ ./mssql_2005_compute testc 18102152 >> hash_mssql2005
$ ./mssql_2005_compute hashc 18102152 >> hash_mssql2005
My command line:
Code: $ cudaHashcat-plus32 -a 3 -m 132 -1 ?l?u?d hash_mssql2005 ?1?1?1?1?1
AND
Code: $ cudaHashcat-plus32 -a 3 -m 132 -1 ?l hash_mssql2005 ?1?1?1?1?1
The result of my tests are that I always get all hashes cracked and "Status.........: Cracked" in the output (as expected).
Could you try to do the same?
Posts: 4
Threads: 1
Joined: May 2013
05-23-2013, 10:33 PM
(This post was last modified: 05-23-2013, 10:35 PM by Jogjab.)
I just tested with the following hashes:
0x0100493B0CD58C4FC9AE7EE99DE6E1A7FB7CF3A5C06F772EE6C3
0x0100493B0CD5E0D54FEA458255877489497C7CAD4B194CBA78E0
0x0100439E6485166D20C4F889C2D5E7586776EC1E9C587708DC7F
0x010092F57A756207EC7C5DBA4B049B2B8F48F78BE393C8574961
0x01004315BFDDA7111F6527DBB1231B959965F2240CB8B458CC8F
0x010005023796D13D79705008012D8B79E145240F36208AA43F31
0x0100D9DDCA46A82CFF7F01DC9AC622BE4A9336DE592F6554CB2A
0x0100A5AD3B3D4C8A4EBFEB47B4158F5B7AB532521E947AC2E290
0x0100493B0CD5C6E788CE01102D5ECEB000428558CD76CAA202DC
these should result in the following (not in order):
testa
atset
xlasi
ylupr
xiazl
brlec
weird
testab
qrtwey
For some reason I haven't been able to get 'testa'. Even after 10 runs, it just never returns this.
I have unexpected behavior with some of the others as well. But 'testa' just never works.
My command lines are
sudo ./cudaHashcat-plus64.bin -a 3 -m 132 -1 ?l -i --increment-min=5 --increment-max=6 hashes.test ?1?1?1?1?1?1
and
sudo ./cudaHashcat-plus64.bin -a 3 -m 132 -1 ?l?u?d -i --increment-min=5 --increment-max=6 hashes.test ?1?1?1?1?1?1
As for the hardware: I'm testing Amazon EC2 GPU Cluster
Take a look at these weird results. Same test set run with a couple of seconds between them. Only difference is ?l?u?d vs ?l
But the results aren't the same. And even in the second case it still doesn't return 'testa'
Code: sudo ./cudaHashcat-plus64.bin -a 3 -m 132 -1 ?l?u?d -i --increment-min=5 --increment-max=6 hashes.test ?1?1?1?1?1?1
cudaHashcat-plus v0.14 by atom starting...
Hashes: 11 total, 7 unique salts, 10 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 128 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Tesla M2050, 2687MB, 1147Mhz, 14MCU
Device #2: Tesla M2050, 2687MB, 1147Mhz, 14MCU
Device #1: Kernel ./kernels/4318/m0130_a3.sm_20.64.ptx
Device #2: Kernel ./kernels/4318/m0130_a3.sm_20.64.ptx
0x01004315bfdda7111f6527dbb1231b959965f2240cb8b458cc8f:xlasi
0x010092f57a756207ec7c5dba4b049b2b8f48f78be393c8574961:atset
0x010005023796d13d79705008012d8b79e145240f36208aa43f31:ylupr
0x0100a5ad3b3d4c8a4ebfeb47b4158f5b7ab532521e947ac2e290:brlec
0x0100d9ddca46a82cff7f01dc9ac622be4a9336de592f6554cb2a:xiazl
0x0100493b0cd58c4fc9ae7ee99de6e1a7fb7cf3a5c06f772ee6c3:weird
0x0100439e6485166d20c4f889c2d5e7586776ec1e9c587708dc7f:testb
Session.Name...: cudaHashcat-plus
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1?1?1?1)
Hash.Target....: File (hashes.test)
Hash.Type......: MSSQL(2005)
Time.Started...: Thu May 23 20:24:03 2013 (1 min, 13 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 390.2M/s
Speed.GPU.#2...: 390.2M/s
Speed.GPU.#*...: 780.4M/s
Recovered......: 7/10 (70.00%) Digests, 6/7 (85.71%) Salts
Progress.......: 397601649088/397601649088 (100.00%)
Rejected.......: 340801413504/397601649088 (85.71%)
HWMon.GPU.#1...: 27% Util, -1c Temp, -1% Fan
HWMon.GPU.#2...: 40% Util, -1c Temp, -1% Fan
Started: Thu May 23 20:24:03 2013
Stopped: Thu May 23 20:25:26 2013
sudo ./cudaHashcat-plus64.bin -a 3 -m 132 -1 ?l -i --increment-min=5 --increment-max=6 hashes.test ?1?1?1?1?1?1
cudaHashcat-plus v0.14 by atom starting...
Hashes: 11 total, 7 unique salts, 10 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 128 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Tesla M2050, 2687MB, 1147Mhz, 14MCU
Device #2: Tesla M2050, 2687MB, 1147Mhz, 14MCU
Device #1: Kernel ./kernels/4318/m0130_a3.sm_20.64.ptx
Device #2: Kernel ./kernels/4318/m0130_a3.sm_20.64.ptx
0x01004315bfdda7111f6527dbb1231b959965f2240cb8b458cc8f:xlasi
0x010092f57a756207ec7c5dba4b049b2b8f48f78be393c8574961:atset
0x0100a5ad3b3d4c8a4ebfeb47b4158f5b7ab532521e947ac2e290:brlec
0x0100d9ddca46a82cff7f01dc9ac622be4a9336de592f6554cb2a:xiazl
0x010005023796d13d79705008012d8b79e145240f36208aa43f31:ylupr
0x0100493b0cd58c4fc9ae7ee99de6e1a7fb7cf3a5c06f772ee6c3:weird
0x0100439e6485166d20c4f889c2d5e7586776ec1e9c587708dc7f:testb
0x0100493b0cd5c6e788ce01102d5eceb000428558cd76caa202dc:qrtwey
0x0100493b0cd5adeda1e3a7caf1b8784fcd766e54c2cc787426af:testab
Session.Name...: cudaHashcat-plus
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1?1?1?1)
Hash.Target....: File (hashes.test)
Hash.Type......: MSSQL(2005)
Time.Started...: Thu May 23 20:25:48 2013 (1 sec)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 254.9M/s
Speed.GPU.#2...: 261.2M/s
Speed.GPU.#*...: 516.0M/s
Recovered......: 9/10 (90.00%) Digests, 6/7 (85.71%) Salts
Progress.......: 2162410432/2162410432 (100.00%)
Rejected.......: 1853494656/2162410432 (85.71%)
HWMon.GPU.#1...: 0% Util, -1c Temp, -1% Fan
HWMon.GPU.#2...: 6% Util, -1c Temp, -1% Fan
Started: Thu May 23 20:25:48 2013
Stopped: Thu May 23 20:25:56 2013
So, I just don't understand the difference between the two and I don't understand why it doesn't return 'testa'
Posts: 4
Threads: 1
Joined: May 2013
As for your other questions...
I started using Linux yesterday. So I hope I'm anwsering you're questions correctly:
I'm running:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"
And it's cuda
(05-22-2013, 03:06 PM)philsmd Wrote: Did some test now but was unable to reproduce this. Are you sure that the charset matches with the passwords, i.e. that all hashes *could* definitely be cracked by the mask? E.g are there no special characters etc.
Please also tell us what hardware do you use (cuda/ocl - card model) and/or which kernel is loaded.
MY TESTS:
Code: // Description: Generates the MSSQL 2005 hashes starting from a password and salt
// Date: 05/22/13
//
// License: belongs to the PUBLIC DOMAIN, donated to hashcat, credits MUST go to hashcat
// and me for their hard work. Thx
// Disclaimer: WE PROVIDE THE PROGRAM “AS IS†WITHOUT WARRANTY OF ANY KIND, EITHER
// EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
// Furthermore, NO GUARANTEES THAT IT WORKS FOR YOU AND WORKS CORRECTLY
//
// HOWTO compile: gcc mssql_2005_compute.c -o mssql_2005_compute -lcrypto
// Example usage: ./mssql_2005_compute hashcat 18102152
// 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
#include <string.h>
#include <stdio.h>
#include <openssl/sha.h>
#define DIGEST_LENGTH 20
#define MSSQL2005_IDENTIFIER "0100"
#define MAX_PASS_LEN 50
#define MAX_LEN_SALT 8 // 8 octets == 4 hex
#define MAX_LEN_UNICODE_SALT 105
#define HEX_BLOCK_SIZE 2
char*HEX_CHARS="0123456789abcdef";
int generate_hash(char digest[DIGEST_LENGTH],char*salt,char*pass)
{
int i,len_pass,len_unicode_salt;
char unicode_salt[MAX_LEN_UNICODE_SALT];
len_pass=strlen(pass);
if (len_pass>MAX_PASS_LEN)
{
printf("[-] ERROR: password too long. EXIT.\n");
return 0;
}
// Convert pass to uppercase unicode
memset(unicode_salt,0,MAX_LEN_UNICODE_SALT);
len_unicode_salt=len_pass*2;
for (i=0; i<len_pass; i++)
{
unicode_salt[i*2]=pass[i]; // Unicode
}
// Salt
memcpy(unicode_salt+len_unicode_salt,salt,4);
len_unicode_salt+=4;
SHA_CTX context;
SHA1_Init(&context);
SHA1_Update(&context,(unsigned char*)unicode_salt,len_unicode_salt);
SHA1_Final(digest, &context);
return 0;
}
void print_hash(char*salt,unsigned char digest[DIGEST_LENGTH])
{
int i;
printf("0x%s",MSSQL2005_IDENTIFIER);
for (i=0; i<sizeof(salt)/sizeof(char); i++)
{
printf("%02x",salt[i]);
}
for (i=0; i<DIGEST_LENGTH; i++)
{
printf("%02x",digest[i]);
}
printf("\n");
}
int parse_salt(char salt[MAX_LEN_SALT],char*input)
{
int i,j,len_hex=strlen(HEX_CHARS),power,len=strlen(input);
char*pos;
if (len<MAX_LEN_SALT)
{
fprintf(stderr,"[-] Error: salt is too short, length of %i expected\n",
MAX_LEN_SALT);
return 1;
}
if (len!=MAX_LEN_SALT)
{
fprintf(stderr,"[!] Warning: salt should be *exactly* of length %i, ",
MAX_LEN_SALT);
fprintf(stderr,"using only first %i bytes\n",MAX_LEN_SALT);
}
memset(salt,0,MAX_LEN_SALT+1); // null terminator included
for (i=0; i<MAX_LEN_SALT; i+=HEX_BLOCK_SIZE)
{
for (j=0,power=len_hex; j<HEX_BLOCK_SIZE; j++,power/=len_hex)
{
pos=strchr(HEX_CHARS,input[i+j]);
if (pos==NULL)
{
fprintf(stderr,"[-] Unexpected character encountered. *Not* a valid");
fprintf(stderr," hex char. EXIT\n");
return 1;
}
salt[i/HEX_BLOCK_SIZE]+=(pos-HEX_CHARS)*power;
}
}
return 0;
}
void usage()
{
printf("--- MSSQL 2005 COMPUTE ---\nUSAGE:\n ./mssql_2005_compute ");
printf("<PASS> <HEX_SALT>\n");
}
int main(int argc,char**argv)
{
int i;
unsigned char digest[DIGEST_LENGTH];
// COMMAND LINE PARSING
if (argc<2)
{
fprintf(stderr,"[-] Please specify the password. EXIT\n");
usage();
return 1;
}
if (argc<3)
{
fprintf(stderr,"[-] Please specify a salt. EXIT\n");
usage();
return 1;
}
// END COMMAND LINE PARSING
char salt[MAX_LEN_SALT+1];
if (!parse_salt(salt,argv[2]))
{
if (!generate_hash(digest,salt,argv[1]))
{
// success
print_hash(salt,digest);
return 0;
}
else
{
fprintf(stderr,"[-] Error: password generation was *not* successful");
return 1;
}
}
return 1;
}
My salt from example (http://hashcat.net/wiki/doku.php?id=example_hashes ): 18102152
My test file: hash_mssql2005
5 lower case letters as per example above
Code: $ ./mssql_2005_compute testa 18102152 > hash_mssql2005
$ ./mssql_2005_compute testb 18102152 >> hash_mssql2005
$ ./mssql_2005_compute testc 18102152 >> hash_mssql2005
$ ./mssql_2005_compute hashc 18102152 >> hash_mssql2005
My command line:
Code: $ cudaHashcat-plus32 -a 3 -m 132 -1 ?l?u?d hash_mssql2005 ?1?1?1?1?1
Code: $ cudaHashcat-plus32 -a 3 -m 132 -1 ?l hash_mssql2005 ?1?1?1?1?1
The result of my tests are that I always get all hashes cracked and "Status.........: Cracked" in the output (as expected).
Could you try to do the same?
Posts: 2,266
Threads: 16
Joined: Feb 2013
05-25-2013, 10:28 AM
(This post was last modified: 05-26-2013, 07:20 AM by philsmd.)
I did now try to run the exactly same cmds on my machine (32bit, cuda - gtx 580, win) and I always get following output (tested w/ newest beta and w/ release version 0.14):
Code: Recovered......: 10/10 (100.00%) Digests, 7/7 (100.00%) Salts
Maybe you are able to test w/ another setup (machine, 32 bit on same machine etc).
It definitely works here (also running it repeatedly).
Update: now tested also on a Cuda/64 bit Ubuntu system (this setup should be indeed similar to yours!?), both cmds working perfectly there recovering 10 Digest, 7 Salts... Could you try on windows or on 32 bit linux please (and also try oclHashcat-plus32.bin on your 64 bit system)?
Thx
|
