Cracking LM
#1
Hi everyone,
I've noticed some very weird behaviors while playing with LM hashes.
So I generated some LM hashes:
Code:
0182BD0BD4444BF836077A718CCDF409:12345678
8C6F5D02DEB21501:ABC
1C3A2B6D939A1021:AAA

When trying to bruteforce these (In 16 bytes form or 32) I get either wrong cracked passwords or "Exhausted". Always, with some certain hashes.

Let's say this hash:
Code:
0182BD0BD4444BF836077A718CCDF409:12345678

Here we go:
Code:
hc64p -m3000 -a3 ..\M\LM.hash ?d?d?d?d?d?d?d?d
** Valid keyfile for beta usage: malik (expires 18.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 2
Unique digests: 2
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
...
Device #1: Kernel ./kernels/4318/m3000_a3.sm_21.ptx

36077a718ccdf409:8
0182bd0bd4444bf8:1234467

Status.......: Cracked
Input.Mode...: Mask (?d?d?d?d?d?d?d)
Hash.Target..: 0182bd0bd4444bf836077a718ccdf409
Hash.Type....: LM
Time.Running.: 0 secs
Time.Util....: 964.5ms/1.5ms Real/CPU, 0.2% idle
Speed........:  4512.0k c/s Real, 35682.4k c/s GPU
Recovered....: 2/2 Digests, 1/1 Salts
Progress.....: 4352000/10000000 (43.52%)
Rejected.....: 0/4352000 (0.00%)
HWMon.GPU.#1.:  0% Util, 45c Temp, -1rpm Fan

Started: Mon May 28 18:36:43 2012
Stopped: Mon May 28 18:36:45 2012
Notice the second hash.


Another one:
Code:
8C6F5D02DEB21501:ABC

Code:
hc64p -m3000 -a3 -1 ?u?d ..\M\LM.hash ?1?1?1
** Valid keyfile for beta usage: malik (expires 18.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 2
Unique digests: 2
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
...
Device #1: Kernel ./kernels/4318/m3000_a3.sm_21.ptx

8c6f5d02deb21501:AAC

Status.......: Exhausted
Input.Mode...: Mask (?1?1?1)
Hash.Target..: 00000000000000008c6f5d02deb21501
Hash.Type....: LM
Time.Running.: 0 secs
Time.Left....: 0 secs
Time.Util....: 998.0ms/1.6ms Real/CPU, 0.2% idle
Speed........:    46747 c/s Real, 10930.8k c/s GPU
Recovered....: 1/2 Digests, 0/1 Salts
Progress.....: 46656/46656 (100.00%)
Rejected.....: 0/46656 (0.00%)
HWMon.GPU.#1.:  0% Util, 45c Temp, -1rpm Fan

Started: Mon May 28 18:39:42 2012
Stopped: Mon May 28 18:39:44 2012


One more?
Code:
1C3A2B6D939A1021:AAA

Code:
hc64p -m3000 -a3 -1 ?u?d ..\M\LM.hash ?1?1?1
** Valid keyfile for beta usage: malik (expires 18.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 2
Unique digests: 2
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
...
Device #1: Kernel ./kernels/4318/m3000_a3.sm_21.ptx


Status.......: Exhausted
Input.Mode...: Mask (?1?1?1)
Hash.Target..: 00000000000000001c3a2b6d939a1021
Hash.Type....: LM
Time.Running.: 0 secs
Time.Left....: 0 secs
Time.Util....: 997.8ms/1.6ms Real/CPU, 0.2% idle
Speed........:    46757 c/s Real, 38278.6k c/s GPU
Recovered....: 0/2 Digests, 0/1 Salts
Progress.....: 46656/46656 (100.00%)
Rejected.....: 0/46656 (0.00%)
HWMon.GPU.#1.:  0% Util, 44c Temp, -1rpm Fan

Started: Mon May 28 18:42:36 2012
Stopped: Mon May 28 18:42:37 2012
Not found!


At first I thought it's my generator which is the problem, I used EGB to make sure of that but, EGB cracked them all correctly!
Code:
LM bfLM.ini %hash%
Maximum password length: 7 characters
Number of GPU to be used: 1
Configuration file: "bfLM.ini"
36077a718ccdf409:8
0182bd0bd4444bf8:1234567
1c3a2b6d939a1021:AAA
8c6f5d02deb21501:ABC

All passwords found! Time elapsed: 0d:0h:0m:1s.


Most if not all of these problems disappear when doing a dictiory attack:
Code:
hc64p -m3000 ..\M\LM.hash ..\M\Odic.dic
** Valid keyfile for beta usage: malik (expires 18.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 6
Unique digests: 5
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
...
Device #1: Kernel ./kernels/4318/m3000_a0.sm_21.ptx

Scanned dictionary ..\M\Odic.dic: 20 bytes, 4 words, 4 keyspace, starting attack
...

36077a718ccdf409:8
aad3b435b51404ee:
8c6f5d02deb21501:ABC
1c3a2b6d939a1021:AAA
0182bd0bd4444bf8:1234567

Status.......: Cracked
Input.Mode...: File (..\M\Odic.dic)
Hash.Target..: File (..\M\LM.hash)
Hash.Type....: LM
Time.Running.: 0 secs
Time.Util....: 994.9ms/0.0ms Real/CPU, 0.0% idle
Speed........:        4 c/s Real,        0 c/s GPU
Recovered....: 5/5 Digests, 1/1 Salts
Progress.....: 4/4 (100.00%)
Rejected.....: 0/4 (0.00%)
HWMon.GPU.#1.:  0% Util, 38c Temp, -1rpm Fan

Started: Mon May 28 19:16:21 2012
Stopped: Mon May 28 19:16:23 2012


Tried:
oclHashcat-plus-0.09b15
oclHashcat-plus-0.08

Similar results with oclHashcat-lite-0.10b49.

Am I doing something wrong? I don't think so.
I'm also amazed that nobody noticed this before. Or it's just me?
#2
what driver do you have installed?

might be connected to this? https://hashcat.net/forum/thread-1173.html
#3
@M@LIK

Quote:0182BD0BD4444BF836077A718CCDF409

Exhausted for me also. Sad
#4
@undeath:: Not sure what you really mean...
It's Nvidia, I download the drivers from here: http://www.nvidia.com/drivers
The current version on my machine is: 296.10

@Hash-IT:: Thanks for the try!


EDiT:
undeath Wrote: might be connected to this? https://hashcat.net/forum/thread-1173.html
I don't think so, since this is LM, bf, Nvidia. And that's salted MD5s, dictionaries, AMD.

Did you give a try? See if you have the same problem.
#5
works fine for my cayman gpu:

Code:
root@sf:~/oclHashcat-plus-0.09# ./oclHashcat-plus64.bin -m 3000 0182BD0BD4444BF836077A718CCDF409 ?d?d?d?d?d?d?d?d -a 3
** Valid keyfile for beta usage: atom (expires 04.05.2013)

oclHashcat-plus v0.09 by atom starting...

Hashes: 2
Unique digests: 2
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 32
GPU-Accel: 40
Password lengths range: 1 - 7
Platform: AMD compatible platform found
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 70c
Device #1: Cayman, 1024MB, 830Mhz, 24MCU
Device #2: Cayman, 1024MB, 830Mhz, 24MCU
Device #1: Allocating 72MB host-memory
Device #1: Kernel ./kernels/4098/m3000_a3.Cayman_923.1_1.4.1720.kernel (931776 bytes)
Device #2: Allocating 72MB host-memory
Device #2: Kernel ./kernels/4098/m3000_a3.Cayman_923.1_1.4.1720.kernel (931776 bytes)

36077a718ccdf409:8                          
0182bd0bd4444bf8:1234567                    
                                            
Status.......: Cracked
Input.Mode...: Mask (?d?d?d?d?d?d?d)
Hash.Target..: 0182bd0bd4444bf836077a718ccdf409
Hash.Type....: LM
Time.Running.: 0 secs
Time.Util....: 961.2ms/1.3ms Real/CPU, 0.1% idle
Speed........:  4527.6k c/s Real, 23501.3k c/s GPU
Recovered....: 2/2 Digests, 1/1 Salts
Progress.....: 4352000/10000000 (43.52%)
Rejected.....: 0/4352000 (0.00%)
HWMon.GPU.#1.:  0% Util, 42c Temp, 56% Fan
HWMon.GPU.#2.:  0% Util, 42c Temp, 30% Fan

Started: Tue May 29 14:39:38 2012
Stopped: Tue May 29 14:39:42 2012

As well as for my sm_21 GPU:

Code:
root@ht:~/oclHashcat-plus-0.09# ./cudaHashcat-plus64.bin -m 3000 0182BD0BD4444BF836077A718CCDF409 ?d?d?d?d?d?d?d?d -a 3  
** Valid keyfile for beta usage: atom (expires 04.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 2
Unique digests: 2
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
Platform: NVidia compatible platform found
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 70c
Device #1: GeForce GTX 560 Ti, 1023MB, 1660000Mhz, 8MCU
Device #1: Allocating 19MB host-memory
Device #1: Kernel ./kernels/4318/m3000_a3.sm_21.ptx

36077a718ccdf409:8                          
0182bd0bd4444bf8:1234467                    
                                            
Status.......: Cracked
Input.Mode...: Mask (?d?d?d?d?d?d?d)
Hash.Target..: 0182bd0bd4444bf836077a718ccdf409
Hash.Type....: LM
Time.Running.: 0 secs
Time.Util....: 990.7ms/0.2ms Real/CPU, 0.0% idle
Speed........:  4392.6k c/s Real, 45653.1k c/s GPU
Recovered....: 2/2 Digests, 1/1 Salts
Progress.....: 4352000/10000000 (43.52%)
Rejected.....: 0/4352000 (0.00%)
HWMon.GPU.#1.: -1% Util, 30c Temp, 15% Fan

Started: Tue May 29 14:41:49 2012
Stopped: Tue May 29 14:41:51 2012
#6
@atom:: You should have looked closer...
atom Wrote: As well as for my sm_21 GPU:

Code:
...
36077a718ccdf409:8
0182bd0bd4444bf8:1234467
...

0182bd0bd4444bf8:1234467
It should be:
0182bd0bd4444bf8:1234567

Have you tried:
Code:
1C3A2B6D939A1021:AAA
OR
1C3A2B6D939A1021AAD3B435B51404EE:AAA
EF20F1AFA8178582AAD3B435B51404EE:AAB
20606B82A2C18CEAAAD3B435B51404EE:AAC
Pretty sure you won't be able to crack them using ( Nvidia's GPU + BF + oclHashcat-plus ).
#7
Hi M@LIK,

could you try and post result with last -lite beta version ?

(05-28-2012, 06:17 PM)M@LIK Wrote: Hi everyone,
I've noticed some very weird behaviors while playing with LM hashes.
So I generated some LM hashes:
Code:
0182BD0BD4444BF836077A718CCDF409:12345678
8C6F5D02DEB21501:ABC
1C3A2B6D939A1021:AAA

When trying to bruteforce these (In 16 bytes form or 32) I get either wrong cracked passwords or "Exhausted". Always, with some certain hashes.

Let's say this hash:
Code:
0182BD0BD4444BF836077A718CCDF409:12345678

Here we go:
Code:
hc64p -m3000 -a3 ..\M\LM.hash ?d?d?d?d?d?d?d?d
** Valid keyfile for beta usage: malik (expires 18.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 2
Unique digests: 2
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
...
Device #1: Kernel ./kernels/4318/m3000_a3.sm_21.ptx

36077a718ccdf409:8
0182bd0bd4444bf8:1234467

Status.......: Cracked
Input.Mode...: Mask (?d?d?d?d?d?d?d)
Hash.Target..: 0182bd0bd4444bf836077a718ccdf409
Hash.Type....: LM
Time.Running.: 0 secs
Time.Util....: 964.5ms/1.5ms Real/CPU, 0.2% idle
Speed........:  4512.0k c/s Real, 35682.4k c/s GPU
Recovered....: 2/2 Digests, 1/1 Salts
Progress.....: 4352000/10000000 (43.52%)
Rejected.....: 0/4352000 (0.00%)
HWMon.GPU.#1.:  0% Util, 45c Temp, -1rpm Fan

Started: Mon May 28 18:36:43 2012
Stopped: Mon May 28 18:36:45 2012
Notice the second hash.


Another one:
Code:
8C6F5D02DEB21501:ABC

Code:
hc64p -m3000 -a3 -1 ?u?d ..\M\LM.hash ?1?1?1
** Valid keyfile for beta usage: malik (expires 18.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 2
Unique digests: 2
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
...
Device #1: Kernel ./kernels/4318/m3000_a3.sm_21.ptx

8c6f5d02deb21501:AAC

Status.......: Exhausted
Input.Mode...: Mask (?1?1?1)
Hash.Target..: 00000000000000008c6f5d02deb21501
Hash.Type....: LM
Time.Running.: 0 secs
Time.Left....: 0 secs
Time.Util....: 998.0ms/1.6ms Real/CPU, 0.2% idle
Speed........:    46747 c/s Real, 10930.8k c/s GPU
Recovered....: 1/2 Digests, 0/1 Salts
Progress.....: 46656/46656 (100.00%)
Rejected.....: 0/46656 (0.00%)
HWMon.GPU.#1.:  0% Util, 45c Temp, -1rpm Fan

Started: Mon May 28 18:39:42 2012
Stopped: Mon May 28 18:39:44 2012


One more?
Code:
1C3A2B6D939A1021:AAA

Code:
hc64p -m3000 -a3 -1 ?u?d ..\M\LM.hash ?1?1?1
** Valid keyfile for beta usage: malik (expires 18.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 2
Unique digests: 2
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
...
Device #1: Kernel ./kernels/4318/m3000_a3.sm_21.ptx


Status.......: Exhausted
Input.Mode...: Mask (?1?1?1)
Hash.Target..: 00000000000000001c3a2b6d939a1021
Hash.Type....: LM
Time.Running.: 0 secs
Time.Left....: 0 secs
Time.Util....: 997.8ms/1.6ms Real/CPU, 0.2% idle
Speed........:    46757 c/s Real, 38278.6k c/s GPU
Recovered....: 0/2 Digests, 0/1 Salts
Progress.....: 46656/46656 (100.00%)
Rejected.....: 0/46656 (0.00%)
HWMon.GPU.#1.:  0% Util, 44c Temp, -1rpm Fan

Started: Mon May 28 18:42:36 2012
Stopped: Mon May 28 18:42:37 2012
Not found!


At first I thought it's my generator which is the problem, I used EGB to make sure of that but, EGB cracked them all correctly!
Code:
LM bfLM.ini %hash%
Maximum password length: 7 characters
Number of GPU to be used: 1
Configuration file: "bfLM.ini"
36077a718ccdf409:8
0182bd0bd4444bf8:1234567
1c3a2b6d939a1021:AAA
8c6f5d02deb21501:ABC

All passwords found! Time elapsed: 0d:0h:0m:1s.


Most if not all of these problems disappear when doing a dictiory attack:
Code:
hc64p -m3000 ..\M\LM.hash ..\M\Odic.dic
** Valid keyfile for beta usage: malik (expires 18.05.2013)

cudaHashcat-plus v0.09 by atom starting...

Hashes: 6
Unique digests: 5
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 32
GPU-Accel: 8
Password lengths range: 1 - 7
...
Device #1: Kernel ./kernels/4318/m3000_a0.sm_21.ptx

Scanned dictionary ..\M\Odic.dic: 20 bytes, 4 words, 4 keyspace, starting attack
...

36077a718ccdf409:8
aad3b435b51404ee:
8c6f5d02deb21501:ABC
1c3a2b6d939a1021:AAA
0182bd0bd4444bf8:1234567

Status.......: Cracked
Input.Mode...: File (..\M\Odic.dic)
Hash.Target..: File (..\M\LM.hash)
Hash.Type....: LM
Time.Running.: 0 secs
Time.Util....: 994.9ms/0.0ms Real/CPU, 0.0% idle
Speed........:        4 c/s Real,        0 c/s GPU
Recovered....: 5/5 Digests, 1/1 Salts
Progress.....: 4/4 (100.00%)
Rejected.....: 0/4 (0.00%)
HWMon.GPU.#1.:  0% Util, 38c Temp, -1rpm Fan

Started: Mon May 28 19:16:21 2012
Stopped: Mon May 28 19:16:23 2012


Tried:
oclHashcat-plus-0.09b15
oclHashcat-plus-0.08

Similar results with oclHashcat-lite-0.10b49.

Am I doing something wrong? I don't think so.
I'm also amazed that nobody noticed this before. Or it's just me?
#8
If I'm not mistaken, this is a serious problem!
#9
Well, this LM, so it cant be that serious Smile