Same hashes different results
#1
Hi, I'm looking into MSSQL 2005 hashes.

I've run hashcat on my workstation cpu previously and everything seemed to work fine. Today I started with Hashcat-plus (cudaHashcat-plus64 0.14.7z to be precise) running on an Amazon EC2 Cluster GPU instance.

I've been using 2 hashes for testing purposes that both result in a 5 character result. The weird thing is that every other time (literally 2 out of 4 runs) I run the command the result changes between Exhausted and Cracked.

Same hashes, same command:
-a 3 -m 132 -1 ?l?u?d <hashfile> ?1?1?1?1?1

The results are both lower case alpha characters only. And although the success rate seems to be somewhat higher when I run with just ?l instead of ?l?u?d it still returns exhausted 1 out of 5 times.

What could this possibly be? What could I try to fix this?
#2
You could start by posting all the information we need to reproduce the problem, like hashes, dictionary, words, command lines, screenshots, etc.
#3
That was going to be my next step. I thought someone might recognize this issue from my description alone. Especially since it's a simple 5 character brute force, no words, no dictionaries.

The command line I posted already:
-a 3 -m 132 -1 ?l <hashfile> ?1?1?1?1?1
and
-a 3 -m 132 -1 ?l?u?d <hashfile> ?1?1?1?1?1

I will add screenshots and hashes later today.
#4
Did some tests now but was unable to reproduce this. Are you sure that the charset matches the passwords, i.e. that all hashes *could* definitely be cracked by the mask? E.g. are there no special characters etc.?

Please also tell us what hardware you use (cuda/ocl - card model) and/or which kernel is loaded.

MY TESTS:
Code:
// Description: Generates the MSSQL 2005 hashes starting from a password and salt
// Date: 05/22/13
//
// License: belongs to the PUBLIC DOMAIN, donated to hashcat, credits MUST go to hashcat
//          and me for their hard work. Thx
// Disclaimer: WE PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
//         EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
//         OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
//         Furthermore, NO GUARANTEES THAT IT WORKS FOR YOU AND WORKS CORRECTLY
//
// HOWTO compile: gcc mssql_2005_compute.c -o mssql_2005_compute -lcrypto
// Example usage: ./mssql_2005_compute hashcat 18102152
// 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
#include <string.h>
#include <stdio.h>
#include <openssl/sha.h>

#define DIGEST_LENGTH 20
#define MSSQL2005_IDENTIFIER "0100"
#define MAX_PASS_LEN 50
#define MAX_LEN_SALT 8  // 8 hex chars == 4 bytes
#define MAX_LEN_UNICODE_SALT 105
#define HEX_BLOCK_SIZE 2
char*HEX_CHARS="0123456789abcdef";

int generate_hash(unsigned char digest[DIGEST_LENGTH],char*salt,char*pass)
{
    int i,len_pass,len_unicode_salt;
    char unicode_salt[MAX_LEN_UNICODE_SALT];
    len_pass=strlen(pass);
    if (len_pass>MAX_PASS_LEN)
    {
        fprintf(stderr,"[-] ERROR: password too long. EXIT.\n");
        return 1;   // non-zero signals failure to the caller
    }
    // Convert pass to UTF-16LE (no case conversion is done)
    memset(unicode_salt,0,MAX_LEN_UNICODE_SALT);
    len_unicode_salt=len_pass*2;
    for (i=0; i<len_pass; i++)
    {
        unicode_salt[i*2]=pass[i];   // low byte; high byte stays 0 (ASCII input)
    }
    // Append the 4 raw salt bytes
    memcpy(unicode_salt+len_unicode_salt,salt,4);
    len_unicode_salt+=4;
    // SHA1 over password || salt
    SHA_CTX context;
    SHA1_Init(&context);
    SHA1_Update(&context,(unsigned char*)unicode_salt,len_unicode_salt);
    SHA1_Final(digest, &context);
    return 0;
}

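void print_hash(unsigned char*salt,unsigned char digest[DIGEST_LENGTH])
{
    int i;
    printf("0x%s",MSSQL2005_IDENTIFIER);
    // salt is a pointer here, so sizeof(salt) would give the pointer size
    // (8 on 64 bit), not the salt length; print exactly 4 salt bytes
    for (i=0; i<MAX_LEN_SALT/HEX_BLOCK_SIZE; i++)
    {
        printf("%02x",salt[i]);
    }
    for (i=0; i<DIGEST_LENGTH; i++)
    {
        printf("%02x",digest[i]);
    }
    printf("\n");
}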

int parse_salt(char salt[MAX_LEN_SALT+1],char*input)
{
    int i,j,len_hex=strlen(HEX_CHARS),power,len=strlen(input);
    char*pos;
    if (len<MAX_LEN_SALT)
    {
        fprintf(stderr,"[-] Error: salt is too short, length of %i expected\n",
                MAX_LEN_SALT);
        return 1;
    }
    if (len!=MAX_LEN_SALT)
    {
        fprintf(stderr,"[!] Warning: salt should be *exactly* of length %i, ",
                MAX_LEN_SALT);
        fprintf(stderr,"using only first %i bytes\n",MAX_LEN_SALT);
    }
    memset(salt,0,MAX_LEN_SALT+1);  // null terminator included
    for (i=0; i<MAX_LEN_SALT; i+=HEX_BLOCK_SIZE)
    {
        for (j=0,power=len_hex; j<HEX_BLOCK_SIZE; j++,power/=len_hex)
        {
            pos=strchr(HEX_CHARS,input[i+j]);
            if (pos==NULL)
            {
                fprintf(stderr,"[-] Unexpected character encountered. *Not* a valid");
                fprintf(stderr," hex char. EXIT\n");
                return 1;
            }
            salt[i/HEX_BLOCK_SIZE]+=(pos-HEX_CHARS)*power;
        }
    }
    return 0;
}

void usage()
{
    printf("--- MSSQL 2005 COMPUTE ---\nUSAGE:\n    ./mssql_2005_compute ");
    printf("<PASS> <HEX_SALT>\n");
}

int main(int argc,char**argv)
{
    unsigned char digest[DIGEST_LENGTH];
    // COMMAND LINE PARSING
    if (argc<2)
    {
        fprintf(stderr,"[-] Please specify the password. EXIT\n");
        usage();
        return 1;
    }
    if (argc<3)
    {
        fprintf(stderr,"[-] Please specify a salt. EXIT\n");
        usage();
        return 1;
    }
    // END COMMAND LINE PARSING
    char salt[MAX_LEN_SALT+1];
    if (!parse_salt(salt,argv[2]))
    {
        if (!generate_hash(digest,salt,argv[1]))
        {
            // success
            print_hash((unsigned char*)salt,digest);
            return 0;
        }
        else
        {
            fprintf(stderr,"[-] Error: password generation was *not* successful\n");
            return 1;
        }
    }
    return 1;
}

My salt from example (http://hashcat.net/wiki/doku.php?id=example_hashes ): 18102152

My test file: hash_mssql2005
5 lower case letters as per example above
Code:
$ ./mssql_2005_compute testa 18102152 >  hash_mssql2005
$ ./mssql_2005_compute testb 18102152 >> hash_mssql2005
$ ./mssql_2005_compute testc 18102152 >> hash_mssql2005
$ ./mssql_2005_compute hashc 18102152 >> hash_mssql2005

My command line:
Code:
$ cudaHashcat-plus32 -a 3 -m 132 -1 ?l?u?d hash_mssql2005 ?1?1?1?1?1
AND
Code:
$ cudaHashcat-plus32 -a 3 -m 132 -1 ?l hash_mssql2005 ?1?1?1?1?1

The result of my tests is that I always get all hashes cracked and "Status.........: Cracked" in the output (as expected).
Could you try to do the same?
#5
I just tested with the following hashes:

0x0100493B0CD58C4FC9AE7EE99DE6E1A7FB7CF3A5C06F772EE6C3
0x0100493B0CD5E0D54FEA458255877489497C7CAD4B194CBA78E0
0x0100439E6485166D20C4F889C2D5E7586776EC1E9C587708DC7F
0x010092F57A756207EC7C5DBA4B049B2B8F48F78BE393C8574961
0x01004315BFDDA7111F6527DBB1231B959965F2240CB8B458CC8F
0x010005023796D13D79705008012D8B79E145240F36208AA43F31
0x0100D9DDCA46A82CFF7F01DC9AC622BE4A9336DE592F6554CB2A
0x0100A5AD3B3D4C8A4EBFEB47B4158F5B7AB532521E947AC2E290
0x0100493B0CD5C6E788CE01102D5ECEB000428558CD76CAA202DC

these should result in the following (not in order):
testa
atset
xlasi
ylupr
xiazl
brlec
weird
testab
qrtwey

For some reason I haven't been able to get 'testa'. Even after 10 runs, it just never returns this.
I have unexpected behavior with some of the others as well. But 'testa' just never works.

My command lines are
sudo ./cudaHashcat-plus64.bin -a 3 -m 132 -1 ?l -i --increment-min=5 --increment-max=6 hashes.test ?1?1?1?1?1?1
and
sudo ./cudaHashcat-plus64.bin -a 3 -m 132 -1 ?l?u?d -i --increment-min=5 --increment-max=6 hashes.test ?1?1?1?1?1?1

As for the hardware: I'm testing Amazon EC2 GPU Cluster

Take a look at these weird results. Same test set run with a couple of seconds between them. Only difference is ?l?u?d vs ?l
But the results aren't the same. And even in the second case it still doesn't return 'testa'
Code:
sudo ./cudaHashcat-plus64.bin -a 3 -m 132 -1 ?l?u?d -i --increment-min=5 --increment-max=6 hashes.test ?1?1?1?1?1?1
cudaHashcat-plus v0.14 by atom starting...

Hashes: 11 total, 7 unique salts, 10 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 128 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Tesla M2050, 2687MB, 1147Mhz, 14MCU
Device #2: Tesla M2050, 2687MB, 1147Mhz, 14MCU
Device #1: Kernel ./kernels/4318/m0130_a3.sm_20.64.ptx
Device #2: Kernel ./kernels/4318/m0130_a3.sm_20.64.ptx

0x01004315bfdda7111f6527dbb1231b959965f2240cb8b458cc8f:xlasi
0x010092f57a756207ec7c5dba4b049b2b8f48f78be393c8574961:atset
0x010005023796d13d79705008012d8b79e145240f36208aa43f31:ylupr
0x0100a5ad3b3d4c8a4ebfeb47b4158f5b7ab532521e947ac2e290:brlec
0x0100d9ddca46a82cff7f01dc9ac622be4a9336de592f6554cb2a:xiazl
0x0100493b0cd58c4fc9ae7ee99de6e1a7fb7cf3a5c06f772ee6c3:weird
0x0100439e6485166d20c4f889c2d5e7586776ec1e9c587708dc7f:testb

Session.Name...: cudaHashcat-plus
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1?1?1?1)
Hash.Target....: File (hashes.test)
Hash.Type......: MSSQL(2005)
Time.Started...: Thu May 23 20:24:03 2013 (1 min, 13 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...:   390.2M/s
Speed.GPU.#2...:   390.2M/s
Speed.GPU.#*...:   780.4M/s
Recovered......: 7/10 (70.00%) Digests, 6/7 (85.71%) Salts
Progress.......: 397601649088/397601649088 (100.00%)
Rejected.......: 340801413504/397601649088 (85.71%)
HWMon.GPU.#1...: 27% Util, -1c Temp, -1% Fan
HWMon.GPU.#2...: 40% Util, -1c Temp, -1% Fan

Started: Thu May 23 20:24:03 2013
Stopped: Thu May 23 20:25:26 2013

sudo ./cudaHashcat-plus64.bin -a 3 -m 132 -1 ?l -i --increment-min=5 --increment-max=6 hashes.test ?1?1?1?1?1?1
cudaHashcat-plus v0.14 by atom starting...

Hashes: 11 total, 7 unique salts, 10 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 128 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Tesla M2050, 2687MB, 1147Mhz, 14MCU
Device #2: Tesla M2050, 2687MB, 1147Mhz, 14MCU
Device #1: Kernel ./kernels/4318/m0130_a3.sm_20.64.ptx
Device #2: Kernel ./kernels/4318/m0130_a3.sm_20.64.ptx

0x01004315bfdda7111f6527dbb1231b959965f2240cb8b458cc8f:xlasi
0x010092f57a756207ec7c5dba4b049b2b8f48f78be393c8574961:atset
0x0100a5ad3b3d4c8a4ebfeb47b4158f5b7ab532521e947ac2e290:brlec
0x0100d9ddca46a82cff7f01dc9ac622be4a9336de592f6554cb2a:xiazl
0x010005023796d13d79705008012d8b79e145240f36208aa43f31:ylupr
0x0100493b0cd58c4fc9ae7ee99de6e1a7fb7cf3a5c06f772ee6c3:weird
0x0100439e6485166d20c4f889c2d5e7586776ec1e9c587708dc7f:testb
0x0100493b0cd5c6e788ce01102d5eceb000428558cd76caa202dc:qrtwey
0x0100493b0cd5adeda1e3a7caf1b8784fcd766e54c2cc787426af:testab

Session.Name...: cudaHashcat-plus
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1?1?1?1)
Hash.Target....: File (hashes.test)
Hash.Type......: MSSQL(2005)
Time.Started...: Thu May 23 20:25:48 2013 (1 sec)
Time.Estimated.: 0 secs
Speed.GPU.#1...:   254.9M/s
Speed.GPU.#2...:   261.2M/s
Speed.GPU.#*...:   516.0M/s
Recovered......: 9/10 (90.00%) Digests, 6/7 (85.71%) Salts
Progress.......: 2162410432/2162410432 (100.00%)
Rejected.......: 1853494656/2162410432 (85.71%)
HWMon.GPU.#1...:  0% Util, -1c Temp, -1% Fan
HWMon.GPU.#2...:  6% Util, -1c Temp, -1% Fan

Started: Thu May 23 20:25:48 2013
Stopped: Thu May 23 20:25:56 2013

So, I just don't understand the difference between the two and I don't understand why it doesn't return 'testa'
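An independent cross-check for results like the ones above, added here as an example (it is not code from the thread or from hashcat): it recomputes `hash:plain` pairs with the same SHA-1 over UTF-16LE password plus 4-byte salt used by the generator in post #4, maps each expected plaintext to the hash it actually reproduces, and checks whether a mask's charset and length range can reach it. The function names are illustrative; the sample lines are copied from the output quoted above.

```python
import hashlib
import string

# hash:plain pairs copied from the cudaHashcat-plus output quoted in the thread
CRACKED = [
    "0x0100493b0cd58c4fc9ae7ee99de6e1a7fb7cf3a5c06f772ee6c3:weird",
    "0x0100439e6485166d20c4f889c2d5e7586776ec1e9c587708dc7f:testb",
    "0x010092f57a756207ec7c5dba4b049b2b8f48f78be393c8574961:atset",
]


def parse_mssql2005(hash_text):
    """Split 0x0100 || salt (4 bytes) || SHA-1 (20 bytes) into (salt, digest)."""
    text = hash_text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if len(text) != 52 or not text.startswith("0100"):
        raise ValueError("not an MSSQL 2005 hash: %r" % hash_text)
    raw = bytes.fromhex(text)  # raises ValueError on non-hex characters
    return raw[2:6], raw[6:]


def compute_digest(password, salt):
    """SHA-1 over the UTF-16LE password followed by the raw salt bytes."""
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def verify(hash_text, password):
    """True if the password reproduces the digest stored in the hash."""
    salt, digest = parse_mssql2005(hash_text)
    return compute_digest(password, salt) == digest


def match_expected(hashes, expected):
    """Map each expected plaintext to the hash it reproduces, or None."""
    return {
        plain: next((h for h in hashes if verify(h, plain)), None)
        for plain in expected
    }


def mask_covers(password, charset, min_len, max_len):
    """True if a mask over `charset` with this length range can reach it."""
    return (min_len <= len(password) <= max_len
            and all(c in charset for c in password))


if __name__ == "__main__":
    hashes = [line.split(":", 1)[0] for line in CRACKED]
    for plain, found in match_expected(hashes, ["weird", "testa", "testb"]).items():
        reachable = mask_covers(plain, string.ascii_lowercase, 5, 6)
        print(plain, found or "no matching hash", "mask ok" if reachable else "outside mask")
```

A plaintext that maps to no hash means the hash file and the list of expected passwords disagree, which is worth ruling out before suspecting the cracker.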
#6
As for your other questions...

I started using Linux yesterday. So I hope I'm answering your questions correctly:
I'm running:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"

And it's cuda

(05-22-2013, 03:06 PM)philsmd Wrote: Did some tests now but was unable to reproduce this. Are you sure that the charset matches the passwords, i.e. that all hashes *could* definitely be cracked by the mask? E.g. are there no special characters etc.?

Please also tell us what hardware you use (cuda/ocl - card model) and/or which kernel is loaded.

#7
I have now tried running exactly the same cmds on my machine (32bit, cuda - gtx 580, win) and I always get the following output (tested w/ newest beta and w/ release version 0.14):
Code:
Recovered......: 10/10 (100.00%) Digests, 7/7 (100.00%) Salts

Maybe you are able to test w/ another setup (machine, 32 bit on same machine etc).
It definitely works here (also running it repeatedly).

Update: now tested also on a Cuda/64 bit Ubuntu system (this setup should be indeed similar to yours!?), both cmds working perfectly there recovering 10 Digest, 7 Salts... Could you try on windows or on 32 bit linux please (and also try oclHashcat-plus32.bin on your 64 bit system)?
Thx