Low GPU utilization and how to cope with it
#1
Hi all,

I am using hashcat in hybrid mode (mode 7) on hashes that I know represent emails.
On the left side, I am using a mask file, with multiple masks. This mask file changes for each hash (it contains first name, last name, combinations of those, etc.). On the right side, I use a wordlist of common domain names.

Because of the fact that the mask file changes for each hash (different first name last name combos), I am starting hashcat anew for every hash. I used some NodeJS scripts to function as a wrapper for that. That works.

At each invocation however, hashcat is mentioning that I am not providing the GPU with enough work. 

I have read the FAQ entry about providing more work here: https://hashcat.net/wiki/doku.php?id=fre...full_speed
I have tried these approaches to increase the GPU utilization:

1. increasing the amount of masks and increasing the amount of domains - didn't help
2. instead of using a hybrid attack with masks and domain lists, I tried to accomplish the same using multi rules. Creating the multi rules worked fine, but running it still leads to the same / similar low GPU utilization

Ergo, I am at a loss how to keep the GPU occupied. Does the root of the problem perhaps lie in the fact that I am starting hashcat for hashes one by one, instead of a long hashcat file? Any help is much appreciated, thank you.
Some background info: I am using hashcat inside Docker that has OpenCL.
#2
Running a hybrid attack on a single mask against a single hash would indeed be pretty inefficient.
~
#3
Convert the smaller of the two lists into a rules file and don't use mode 7 but mode 0.
#4
(01-05-2019, 01:12 AM)royce Wrote: Running a hybrid attack on a single mask against a single hash would indeed be pretty inefficient.

Thanks for your answer Royce.
The mask file contains about 24 different masks for each hash. And those 24 masks are only the left side of the candidate, the right side are 56 common domain names. So hashcat has 24x56 = 1344 masks to process for each single hash. 

I am not understanding how that is not enough to use full parallelization, but I am probably missing something.
#5
Can you give some examples of what the left and right part look like in the hybrid attack?

I think your calculation is completely wrong.
You still have 24 masks on the left side and this number won't increase with the number of passwords on the right side.
masks != password candidates

If you have 24 masks and combine them with 56 "common domain names", you still have 24 masks, you won't suddenly have 1344 masks.

If we are talking about the overall number of password candidates and/or keyspace (attention: hashcat has in fact a different definition of keyspace, so please always make sure which keyspace we are talking about) instead, you would need to analyze all masks on the left side and see how many password candidates each and every single mask covers and multiply this number by the 56 different words (and sum up all the different masks' password candidates * 56 results for each and every mask).

My guess is that your masks are either not masks with huge keyspaces (e.g. with a lot of ?a?a?a... or ?b?b?b etc. at the start) or you are confusing -a 7 with a combinator attack (-a 1) etc., which does not use one mask (file) and a dict ... but 2 dictionaries instead. This would explain slower speed.
But you also didn't really mention what setup you have and what the benchmarks / speeds are in your specific case.
Full examples of the left and right side and the command you use would be needed to troubleshoot this (also: did you use -w 3, -O etc.?).
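
The candidate count described in the post above (per mask, multiplied by the number of right-hand words, summed over all masks), as an added example that is not part of the original thread. The sample masks are constructed, and the parser is a simplified reading of the .hcmask line format (`[charset1,...,]mask`, `\,` for a literal comma, `#` comment lines).

```python
import math
import re
import string

# hashcat's built-in mask charsets, as sets of byte values
BUILTIN = {
    "l": set(string.ascii_lowercase.encode()),
    "u": set(string.ascii_uppercase.encode()),
    "d": set(string.digits.encode()),
    "h": set(b"0123456789abcdef"),
    "H": set(b"0123456789ABCDEF"),
    "s": set((" " + string.punctuation).encode()),
    "b": set(range(256)),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def positions(mask, custom):
    """Return one set of possible characters per position of a mask."""
    out, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":                      # "??" is a literal question mark
                out.append({ord("?")})
            elif key in custom or key in BUILTIN:
                out.append(custom[key] if key in custom else BUILTIN[key])
            else:
                raise ValueError(f"unknown charset ?{key} in {mask!r}")
            i += 2
        else:                                   # any other character is a literal
            out.append({ord(mask[i])})
            i += 1
    return out

def mask_candidates(line):
    """Candidates generated by one .hcmask line: [charset1,...,]mask."""
    fields = [f.replace("\\,", ",") for f in re.split(r"(?<!\\),", line)]
    custom = {}
    for n, charset in enumerate(fields[:-1], start=1):
        custom[str(n)] = set().union(*positions(charset, custom))
    return math.prod(len(p) for p in positions(fields[-1], custom))

def hybrid_candidates(mask_lines, word_count):
    """Total for -a 7: each mask's candidates times the number of words, summed."""
    masks = [l.rstrip("\r\n") for l in mask_lines if l.strip() and not l.startswith("#")]
    return word_count * sum(mask_candidates(m) for m in masks)

# Constructed sample masks (not the contents of the thread's mask file).
SAMPLE_MASKS = ["alice.smith@", "asmith?d?d@", "?l?d,alice?1?1?1@"]
```

For the three sample masks and 56 domains, `hybrid_candidates(SAMPLE_MASKS, 56)` gives 2,618,392 candidates in total, against 735,091,890,625 for a single `?a?a?a?a?a?a` mask.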
#6
(01-05-2019, 05:28 PM)philsmd Wrote: can you give some examples of what the left and right part look like in the hybrid attack.

Thanks Phil, it indeed helps if I give an example command:

hashcat -O -m 0 -a 7 -o /var/crackedHashes eb54efeb0659cbbe080a2a8280b52d5d /var/commonLocal.hcmask /var/commonDomainsMasked

see this paste for the mask file:
https://pastebin.com/xCNLDEyk
and this one for the domains:
https://pastebin.com/b8tLt1tn

The -a 7 takes proper care of merging the mask on the left side with the various domain names on the other side.
The command works and leads to hashcat cracking hashes, but my concern is performance, and hashcat indicates this as well:

"The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s)."


Hope this clarifies. I know I am doing something 'wrong', but I can't figure out how to fully utilize the available resources.
#7
(01-05-2019, 01:50 AM)undeath Wrote: convert the smaller of the two lists into a rules file and don't use mode 7 but mode 0

Thanks. I think I had tried this already but will try again and report.
#8
If you are indeed attacking unsalted md5 there is no reason to have a targeted attack per hash.