Is there an intentional difference between how hashcat performs a dictionary + rule attack against NTLM vs WPA/WPA2?
While testing different dictionary and rule combinations against a set of test passwords, I found several example passwords that are easily cracked with -m 1000 that are completely missed by -m 2500 when using the same dictionary and rule combinations.
The example passwords used in these tests are:
Roomba123456
Yellow123456
Mountain123456
Rattt1234567
I have run the below tests using hashcat versions 4.2.1, 4.2.0 and 4.1.0, multiple dictionaries and rules files, all with the same result.
I’m wondering if I’m using incorrect parameters? Or is there something else going on? Can anyone explain the results I’m seeing?
Examples are below:
Key:
testdict.txt - small dictionary that contains only the capitalized base English words for the test passwords (smallest possible dictionary to speed up the tests).
testdictwithpw.txt - small dictionary that also contains the passwords - used for testing pure dictionary attack
test.hccapx - hccapx file with multiple handshakes representing all four test passwords
easy.txt - NTLM hashes for the same test passwords
Test 1: crack the test NTLM passwords with a dictionary + rockyou-30000.rule attack:
Command:
$ sudo hashcat-4.2.1/hashcat64.bin -m 1000 easy.txt testdict.txt -r hashcat-4.2.1/rules/rockyou-30000.rule
Result:
xxxxx72c839f8192a028681c9b9xxxxx:Roomba123456
xxxxx83e5999052ff069677ef5axxxxx:Yellow123456
xxxxxba6f894f0ff9aee13461c7xxxxx:Mountain123456
xxxxxddc94978e09a8679e8e944xxxxx:Rattt1234567
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: easy.txt
Time.Started.....: Thu Aug 30 14:42:17 2018 (1 sec)
Time.Estimated...: Thu Aug 30 14:42:18 2018 (0 secs)
Guess.Base.......: File (testdict.txt)
Guess.Mod........: Rules (hashcat-4.2.1/rules/rockyou-30000.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 339.8 kH/s (0.05ms) @ Accel:32 Loops:16 Thr:512 Vec:1
Speed.Dev.#2.....: 0 H/s (0.00ms) @ Accel:32 Loops:16 Thr:512 Vec:1
Speed.Dev.#3.....: 0 H/s (0.00ms) @ Accel:32 Loops:16 Thr:512 Vec:1
Speed.Dev.#*.....: 339.8 kH/s
Recovered........: 4/4 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 15232/120000 (12.69%)
Rejected.........: 0/15232 (0.00%)
Restore.Point....: 0/4 (0.00%)
Candidates.#1....: Room83 -> Rattt06
Candidates.#2....: [Copying]
Candidates.#3....: [Copying]
HWMon.Dev.#1.....: Temp: 37c Fan: 27% Util: 1% Core:1771MHz Mem:4513MHz Bus:16
HWMon.Dev.#2.....: Temp: 43c Fan: 27% Util: 0% Core:1771MHz Mem:4513MHz Bus:16
HWMon.Dev.#3.....: Temp: 43c Fan: 27% Util: 0% Core:1771MHz Mem:4513MHz Bus:16
Started: Thu Aug 30 14:42:03 2018
Stopped: Thu Aug 30 14:42:19 2018
Test 2: Repeat same attack against WPA/WPA2 hccapx and the same passwords
Command:
$ sudo hashcat-4.2.1/hashcat64.bin -m 2500 test.hccapx testdict.txt -r hashcat-4.2.1/rules/rockyou-30000.rule
Result:
Only one of the four passwords was cracked -
xxxxx65798e44fb4c46d248c408xxxxx:98fc1155eaf2:44032c66aa3a:B:Mountain123456
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-EAPOL-PBKDF2
Hash.Target......: test.hccapx
Time.Started.....: Thu Aug 30 15:51:59 2018 (24 mins, 38 secs)
Time.Estimated...: Thu Aug 30 16:16:37 2018 (0 secs)
Guess.Base.......: File (testdict.txt)
Guess.Mod........: Rules (hashcat-4.2.1/rules/rockyou-30000.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 20 H/s (0.10ms) @ Accel:64 Loops:16 Thr:1024 Vec:1
Speed.Dev.#2.....: 0 H/s (0.00ms) @ Accel:64 Loops:16 Thr:1024 Vec:1
Speed.Dev.#3.....: 0 H/s (0.00ms) @ Accel:64 Loops:16 Thr:1024 Vec:1
Speed.Dev.#*.....: 20 H/s
Recovered........: 1/9 (11.11%) Digests, 0/1 (0.00%) Salts
Progress.........: 120000/120000 (100.00%)
Rejected.........: 90000/120000 (75.00%)
Restore.Point....: 0/4 (0.00%)
Candidates.#1....: Mouitain82 -> Mouitain82
Candidates.#2....: [Copying]
Candidates.#3....: [Copying]
HWMon.Dev.#1.....: Temp: 52c Fan: 35% Util: 0% Core:1873MHz Mem:4513MHz Bus:16
HWMon.Dev.#2.....: Temp: 30c Fan: 27% Util: 0% Core: 139MHz Mem: 405MHz Bus:16
HWMon.Dev.#3.....: Temp: 33c Fan: 27% Util: 0% Core: 139MHz Mem: 405MHz Bus:16
Started: Thu Aug 30 15:51:34 2018
Stopped: Thu Aug 30 16:16:38 2018
Test 3: Pure dictionary attack against WPA/WPA2 hccapx to rule out a problem with the hccapx file
Command:
$ sudo hashcat-4.2.1/hashcat64.bin -m 2500 test.hccapx testdictwithpw.txt
Result:
xxxxxf6505b637b12f4cf17f057xxxxx:98fc1155eaf2:44032c66aa3a:B:Roomba123456
xxxxx65798e44fb4c46d248c408xxxxx:98fc1155eaf2:44032c66aa3a:B:Mountain123456
xxxxx2fa3e3b28707dd45fc26c8xxxxx:98fc1155eaf2:44032c66aa3a:B:Yellow123456
xxxxx54af681e7f32975be84f37xxxxx:98fc1155eaf2:44032c66aa3a:B:Rattt1234567
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-EAPOL-PBKDF2
Hash.Target......: test.hccapx
Time.Started.....: Thu Aug 30 16:18:46 2018 (1 sec)
Time.Estimated...: Thu Aug 30 16:18:47 2018 (0 secs)
Guess.Base.......: File (testdictwithpw.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 0 H/s (0.00ms) @ Accel:32 Loops:16 Thr:1024 Vec:1
Speed.Dev.#2.....: 136 H/s (0.10ms) @ Accel:32 Loops:16 Thr:1024 Vec:1
Speed.Dev.#3.....: 0 H/s (0.00ms) @ Accel:32 Loops:16 Thr:1024 Vec:1
Speed.Dev.#*.....: 136 H/s
Recovered........: 4/9 (44.44%) Digests, 0/1 (0.00%) Salts
Progress.........: 8/8 (100.00%)
Rejected.........: 3/8 (37.50%)
Restore.Point....: 0/8 (0.00%)
Candidates.#1....: [Copying]
Candidates.#2....: Mountain -> Rattt1234567
Candidates.#3....: [Copying]
HWMon.Dev.#1.....: Temp: 45c Fan: 29% Util: 0% Core:1771MHz Mem:4513MHz Bus:16
HWMon.Dev.#2.....: Temp: 42c Fan: 27% Util: 0% Core:1771MHz Mem:4513MHz Bus:16
HWMon.Dev.#3.....: Temp: 46c Fan: 28% Util: 0% Core:1898MHz Mem:4513MHz Bus:16
Started: Thu Aug 30 16:18:20 2018
Stopped: Thu Aug 30 16:18:48 2018
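Added example, not part of the original post and not hashcat's own code: a small Python model that reproduces the Rejected counters in the three tests above, on the assumption that the hash mode's password-length bounds are applied to each dictionary word before any rule modifies it. WPA/WPA2 passphrases are 8 to 63 characters; the NTLM bounds, the rule count derived from the Progress line, and the prefix test standing in for "some rule can reach this password" are assumptions of the model.

```python
# Model of the candidate accounting seen in the post's status screens.
# Assumption: the length filter runs on the dictionary word, before rules.

# (min, max) candidate length per hash mode. 8..63 is the WPA/WPA2 passphrase
# range; the NTLM values are placeholders meaning "no lower bound".
LENGTH_BOUNDS = {1000: (0, 256), 2500: (8, 63)}

# Words and passwords exactly as listed in the post.
BASE_WORDS = ["Roomba", "Yellow", "Mountain", "Rattt"]
PASSWORDS = ["Roomba123456", "Yellow123456", "Mountain123456", "Rattt1234567"]

# Derived from the post: Progress 120000 / 4 dictionary words.
RULE_COUNT = 30000


def account(mode, words, rules=1):
    """Return (rejected, total, rejected_words) for one run."""
    lo, hi = LENGTH_BOUNDS[mode]
    rejected_words = [w for w in words if not lo <= len(w) <= hi]
    return len(rejected_words) * rules, len(words) * rules, rejected_words


def reachable(mode, words, targets, with_rules):
    """Targets that can still be produced once short words are dropped.

    With rules, a target counts as reachable when a surviving word is its
    prefix (a stand-in for an append-style rule); without rules the
    surviving word must equal the target.
    """
    lo, hi = LENGTH_BOUNDS[mode]
    kept = [w for w in words if lo <= len(w) <= hi]
    if with_rules:
        return [t for t in targets if any(t.startswith(w) for w in kept)]
    return [t for t in targets if t in kept]


if __name__ == "__main__":
    for name, mode, words, rules in [
        ("Test 1", 1000, BASE_WORDS, RULE_COUNT),
        ("Test 2", 2500, BASE_WORDS, RULE_COUNT),
        ("Test 3", 2500, BASE_WORDS + PASSWORDS, 1),
    ]:
        rej, total, dropped = account(mode, words, rules)
        hits = reachable(mode, words, PASSWORDS, rules > 1)
        print(f"{name}: Rejected {rej}/{total} dropped={dropped} reachable={hits}")
```

Under this model the three short base words (Roomba, Yellow, Rattt) account for the 90000/120000 and 3/8 rejections, and Mountain, at exactly 8 characters, is the only word left for the rules to extend in Test 2.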