My bugs for v0.09b41
#1
BUgs for v0.09b41 with 301.42 on GTX470 GPU under Windows 7 64 bit.

Briefly, I have designed a series of test that covers most hash types and attack-modes with 5 different password lengths (2,4,8,12 and 15). Here's the result I have. Other Beta tester, please test the faulty conditions that I find so that we can know if it is system, GPU or myself specific:

- Status bar at the bottom not always appearing (really intermittent).
- For -m 2100 DCC2, length 4 password not cracked in attack mode 3 (bruteforce). The attack starts normally but ends in a cuStreamSynchronize<> 999 error. Interesting enough, length 8 finishes with the same error message but the password is written in the output file.
- For -m 2811 IPB, only attack mode 0 works, the others fails to crack passwords.
- For -m 11 Joomla, only attack mode 0 works, the others fails to crack passwords.
- What are the changes for LM hashes, they don't work at all anymore?
- For -m 900 MD4, length 12 does not work in attack mode 3 (bruteforce).
- I think that at one point we could mix and crack both phpbb3 and wordpress together. It does not work anymore, it cracks only the hash type that comes first in the hash list.
- For -m 2811 MyBB, it gives a length exception error. The salt tested was 12345678 which should be valid.
- For -m 2711 VB > 3.8.5, only attack mode 0 works, the others fail to crack passwords.

Tested and works perfectly (-m): 1100, 1600, 2600, 400 (when only 1 algo present), 500, 0, 300, 1000, 21, 101, 100, 1400, 1700, 121, 2611.

I include the .bat, dic, hash and passwords used. The .bat file contains only the base structure for 1 hash type, you have to adapt it to your system parameters and rename the file used.


Attached Files
.zip   Test.zip (Size: 4.41 KB / Downloads: 5)
#2
I get the exact same bugs with the GTX460 under the same conditions except that for the DCC bug with length 8 after the cuSynchronize, the password don't make it to the output file.
#3
Again, I get the exact same bug on a Windows Vista 32 bit system with a GTS250 GPU and driver 301.42.
#4
now thats a nice report mastercracker. i need to reproduce some of them while others i know are already known:

Quote:- Status bar at the bottom not always appearing (really intermittent).

Yep, known and yeah, I must fix this.

Quote:- What are the changes for LM hashes, they don't work at all anymore?

Only the LM halfes (as suggested) are allowed any longer. This makes it much more easier in code Smile

Quote:- I think that at one point we could mix and crack both phpbb3 and wordpress together. It does not work anymore, it cracks only the hash type that comes first in the hash list.

You mean a warning message? Yeah, that could make sense

Quote:- For -m 2811 MyBB, it gives a length exception error. The salt tested was 12345678 which should be valid.

I am not sure about that since I never saw MyBB with salt-length != 5. I am using MyBB and there is no option in the configuration that allows me to change that.

left to check:

Quote:- For -m 2100 DCC2, length 4 password not cracked in attack mode 3 (bruteforce). The attack starts normally but ends in a cuStreamSynchronize<> 999 error. Interesting enough, length 8 finishes with the same error message but the password is written in the output file.
- For -m 2811 IPB, only attack mode 0 works, the others fails to crack passwords.
- For -m 11 Joomla, only attack mode 0 works, the others fails to crack passwords.
- For -m 900 MD4, length 12 does not work in attack mode 3 (bruteforce).
- For -m 2711 VB > 3.8.5, only attack mode 0 works, the others fail to crack passwords.

Appended to my message is a Perl script i use to test oclHashcat-plus. Once you get managed to install all the additional perl-modules it can create every hash-type in either passthrough (dictionary) or random mode.

Thanks!


Attached Files
.zip   test-plus.zip (Size: 2.86 KB / Downloads: 7)
#5
Unless newer versions of MyBB changed their hashing scheme, it was typically always with a 8 character salt using mixalphanum charset (no symbols). IPB have a 5 character salt using mixalphanum and symbols.

You can see typical cracking request at Insidepro for MyBB and you will see what I am talking about:

http://forum.insidepro.com/viewtopic.php?t=6397

I will test your tool later on and let you know how I find it.
#6
For the test-plus.pl, some of the perl modules are a pain to install when you don't know how to do it properly (I learned the hard way what is the easy way). To be able to install some of the modules, I had to manually remove one value that kept giving me an error from the make file. A certain -lbufferoverflowU. Hopefully, it won't affect the program. Anyway, now it seems to work and I have a couple of questions:

1) In the single mode, unless I write the command line wrong, it gives lines with different -n values at the start and hashes at the end. What do those means? Also none of the hash correspond to the initial password. Here's the command line that I used:

Code:
test-plus.pl single 0 testpass > test.txt

2) In the passthrough, it works like expected. Is it possible to specify the salt to use in the hashing?

Thanks


Also, test-plus.pl does not generate length 15 passwords for DCC2 (-m 2100). I don't know if it is a limitation of test-plus or of the DCC2 algorithm.
#7
(08-07-2012, 04:48 AM)mastercracker Wrote: For the test-plus.pl, some of the perl modules are a pain to install when you don't know how to do it properly (I learned the hard way what is the easy way). To be able to install some of the modules, I had to manually remove one value that kept giving me an error from the make file. A certain -lbufferoverflowU. Hopefully, it won't affect the program. Anyway, now it seems to work and I have a couple of questions:

Yes, its pretty simple if you are on linux. I dont know about windows.

(08-07-2012, 04:48 AM)mastercracker Wrote: 1) In the single mode, unless I write the command line wrong, it gives lines with different -n values at the start and hashes at the end. What do those means? Also none of the hash correspond to the initial password. Here's the command line that I used:

Code:
test-plus.pl single 0 testpass > test.txt

This is very confusing. The single mode require 1 or 2 parameters, but not 3? what are you trying to do?

(08-07-2012, 04:48 AM)mastercracker Wrote: 2) In the passthrough, it works like expected. Is it possible to specify the salt to use in the hashing?

No, but thats something many people asked for. Maybe I will add it sometime.

(08-07-2012, 04:48 AM)mastercracker Wrote: Also, test-plus.pl does not generate length 15 passwords for DCC2 (-m 2100). I don't know if it is a limitation of test-plus or of the DCC2 algorithm.

Thats right, its limited even more because of its design. We can not change this.
#8
Quote:This is very confusing. The single mode require 1 or 2 parameters, but not 3? what are you trying to do?
What's the command line then? I state "single", tells what hash type I want with 0 and then what password to hash with "testpass". I then redirect everything to test.txt. I don't see what I could remove and still get what I want.
---------------------------------------------------------------
As for the 0.09b42, you asked to test it again on the AMD side. I ran it again on the CUDA side (GTX470) because now I have ALL algos except WPA. The original problems on the first post are still there but here's the list of the bug I have on the other algos. Anything not listed means that it worked perfectly.

- For -m 10 md5($pass.$salt), Bruteforce of length 2 is not working.
- For -m 30 md5(unicode($pass).$salt), Length 15 does not work on all modes and length 2 does not work on bruteforce.
- For -m 110 sha1($pass.$salt), Bruteforce of length 2 is not working.
- For -m 111 nsldaps, SSHA-1(Base64), Netscape LDAP SSHA, Dictionary attack works (-a 0) but all the other attack mode fails.
- For -m 112 Oracle 11g, Bruteforce of length 2 is not working. The rest is perfect.
- For -m 130 sha1(unicode($pass).$salt), attack mode 1 and 7 fails. Mode 0,3 and 6 works perfectly well.
- For -m 131 MSSQL(2000), something really wrong is happening. Only the password with length 4 was cracked normally with bruteforcing. The password of length 2 that was supposed to be cracked by bruteforcing was cracked by the following command line in mode 7:

cudahashcat-plus64.exe -a 7 -d 1 -m 131 -o found.txt hash.txt ?s?s dic1.txt

I have double-checked, there is no empty line in dic1.txt so I don't know how it got cracked.
- For -m 132 MSSQL(2005), attack mode 1 and 7 fails. Mode 0,3 and 6 works perfectly well.
- For -m 141 EPiServer 6.x, Nothing worked.
- For -m 1410 sha256($pass.$salt), bruteforce with length 2 did not work. Everything else works fine.
- For -m 1710 sha512($pass.$salt), dictionary worked for all length and bruteforce for length 8, 12 and 15. All the other test (mode + length) failed.
- For -m 1800 sha512crypt, SHA512(Unix), there is random problems. -a 1 for length 15 failed, -a 3 for length 4 failed, -a 6 for length 15 failed, -a 7 for length 4 and 8 failed. The rest worked.
- For -m 2100 DCC2, I have generated the length 15 hashes with PasswordsPro Hash generator and they were cracked in all mode... Dictionary mode for length 2 failed. Bruteforce for length 4 failed. All the rest worked.
#9
wonderful report. will work on it
#10
reproduced:

Quote:- For -m 10 md5($pass.$salt), Bruteforce of length 2 is not working.
- For -m 30 md5(unicode($pass).$salt), Length 15 does not work on all modes
- For -m 30 md5(unicode($pass).$salt), Length 2 does not work on bruteforce.
- For -m 110 sha1($pass.$salt), Bruteforce of length 2 is not working.
- For -m 111 nsldaps, SSHA-1(Base64), Netscape LDAP SSHA, Dictionary attack works (-a 0) but all the other attack mode fails.
- For -m 112 Oracle 11g, Bruteforce of length 2 is not working. The rest is perfect.
- For -m 141 EPiServer 6.x, Nothing worked.
- For -m 1410 sha256($pass.$salt), bruteforce with length 2 did not work. Everything else works fine.
- For -m 1710 sha512($pass.$salt), dictionary worked for all length and bruteforce for length 8, 12 and 15. All the other test (mode + length) failed.

Looks like a general Problem of length 2 brute-force on sha based algorithms (byte-swapped).

Can not reproduce:

Quote:- For -m 130 sha1(unicode($pass).$salt), attack mode 1 and 7 fails. Mode 0,3 and 6 works perfectly well.
- For -m 132 MSSQL(2005), attack mode 1 and 7 fails. Mode 0,3 and 6 works perfectly well.
- For -m 131 MSSQL(2000), something really wrong is happening. Only the password with length 4 was cracked normally with bruteforcing. The password of length 2 that was supposed to be cracked by bruteforcing was cracked by the following
command line in mode 7: cudahashcat-plus64.exe -a 7 -d 1 -m 131 -o found.txt hash.txt ?s?s dic1.txt -- I have double-checked, there is no empty line in dic1.txt so I don't know how it got cracked.
- For -m 1800 sha512crypt, SHA512(Unix), there is random problems. -a 1 for length 15 failed, -a 3 for length 4 failed, -a 6 for length 15 failed, -a 7 for length 4 and 8 failed. The rest worked.
- For -m 2100 DCC2, I have generated the length 15 hashes with PasswordsPro Hash generator and they were cracked in all mode... Dictionary mode for length 2 failed. Bruteforce for length 4 failed. All the rest worked.

I really tried all of them on my hd6990. very strange!