DES, Hex-Charset and Split/Limit??
#1
I'm right now attempting to derive the NTLM hash from an NTLMv1-ESS hash.

I've managed to crack the 2nd part of the NTLM hash, used ct3 to calc the last 4 chars of the hash, but need to crack one final remaining bit of DES.

Configuring my rig as follows:


Code:
# /opt/hashcat-5.1.0/hashcat64.bin -m 14000 -w4 -a 3 -1 /opt/hashcat-5.1.0/charsets/DES_full.charset --hex-charset deshash ?1?1?1?1?1?1?1?1

Works fine, but will take about 7 days to complete.

So deciding to throw some money into the mix I'm renting a few p3.16XL instances from Amazon and intend to break up the keyspace.

I try the argument as advertised in the usage statement in order to determine the keyspace values to use...

Code:
# /opt/hashcat-5.1.0/hashcat64.bin -m 14000 -w4 -a 3 -1 /opt/hashcat-5.1.0/charsets/DES_full.charset --hex-charset deshash ?1?1?1?1?1?1?1?1 --keyspace

and get a short version of the hashcat usage statement back at me.


Code:
Usage: /opt/hashcat-5.1.0/hashcat64.bin [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

Try --help for more help.

Moving the --keyspace statement around doesn't resolve anything.

*googles* - Finds: https://hashcat.net/forum/thread-5818.html

and wings it assuming: 34359738368 is an accurate number to use.

But now with split and limit my commands start looking like:


Code:
# /opt/hashcat-5.1.0/hashcat64.bin -m 14000 -w4 -a 3 -1 /opt/hashcat-5.1.0/charsets/DES_full.charset --hex-charset deshash ?1?1?1?1?1?1?1?1 -s 0 -l 5726623061

which returns a decent estimate of approximately 9 hours or so to crack.

So I move to number 2...

Code:
# /opt/hashcat-5.1.0/hashcat64.bin -m 14000 -w4 -a 3 -1 /opt/hashcat-5.1.0/charsets/DES_full.charset --hex-charset deshash ?1?1?1?1?1?1?1?1 -s 5726623061 -l 11453246122

and now I get an estimate of 18 hours.

... number 3... and so on.

Am I right in thinking that the limit is being ignored for some reason in calculation of the estimated time? Is it performing as intended/expected? The way it almost exactly increases by a similar proportion each time is confusing me somewhat.

Then there are the percentages complete.
The first rig, after 1.5 hrs sits as 15% ish complete.
The second rig, after 1hr and 10 minutes, sits at 37.5% complete (which I think is nearer 7.5% because I'm pretty sure it started at near 30% already progressed).
The third rig, after 1 hour and 10 minutes... 42.5% (which I think is nearer 2.5% because I'm pretty sure it started at near 40%).
and so on.

All rigs are identical and are cracking at practically the same 345GH/s rate.

I just need to confirm I'm actually progressing through the keyspace as expected, and if anyone is able to confirm the actual figure I should use for the keyspace, given --keyspace doesn't appear to work for DES at least, it would be much appreciated. Thanks.
Reply
#2
1. --keyspace doesn't expect any hash file. You cannot specify the hash file when computing the keyspace (remove deshash from your command line).

2. For -l (--limit) you specify the number of restore points to process, so for instance -s 11453246122 -l 5726623061 is totally fine because it means start at 11453246122 and continue for 5726623061 restore points within this chunk. In your wrong interpretation of the values that would not be possible because -l would be less than -s, but this is not how -s/-l works, just read --help and the FAQ. So basically -l is the same value for all your nodes, but the start -s would be different for all nodes (start increased by 1/nodes of the keyspace if identical power).
Reply
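The -s/-l arithmetic from the reply above, as an added example that is not from the thread or from hashcat itself. It uses the 34359738368 keyspace figure quoted in the thread and assumes six nodes (chosen because 34359738368 / 6 rounds to the poster's 5726623061); the function names are hypothetical.

```python
"""Split a hashcat keyspace into per-node --skip/--limit chunks.

Illustrative helper, not part of hashcat. -l is a chunk *length* in
restore points, not an end offset, so every node gets the same -l and
only -s advances (the point made in reply #2).
"""
from typing import List, Tuple

Chunk = Tuple[int, int]  # (skip, limit) as passed to -s / -l


def split_keyspace(keyspace: int, nodes: int) -> List[Chunk]:
    """Return one (skip, limit) pair per node, covering [0, keyspace).

    Any remainder from the integer division is added to the last node so the
    chunks still span the whole keyspace.
    """
    if keyspace <= 0 or nodes <= 0:
        raise ValueError("keyspace and nodes must be positive")
    chunk, rem = divmod(keyspace, nodes)
    plan = [(i * chunk, chunk) for i in range(nodes)]
    last_skip, last_limit = plan[-1]
    plan[-1] = (last_skip, last_limit + rem)
    return plan


def overlapping(plan: List[Chunk]) -> bool:
    """True if any chunk starts before the previous chunk has ended."""
    end = 0
    for skip, limit in sorted(plan):
        if skip < end:
            return True
        end = skip + limit
    return False


def covers_exactly(plan: List[Chunk], keyspace: int) -> bool:
    """True if the chunks are contiguous, non-overlapping and end at keyspace."""
    pos = 0
    for skip, limit in sorted(plan):
        if skip != pos or limit <= 0:
            return False
        pos = skip + limit
    return pos == keyspace


def hashcat_args(plan: List[Chunk]) -> List[str]:
    """Render the -s/-l suffix each node appends to the otherwise shared command."""
    return [f"-s {skip} -l {limit}" for skip, limit in plan]


if __name__ == "__main__":
    KEYSPACE = 34359738368  # figure quoted in the thread
    good = split_keyspace(KEYSPACE, 6)  # six nodes: assumption
    # Constructed: the poster's reading of -l as an end offset (first 3 nodes).
    bad = [(0, 5726623061), (5726623061, 11453246122), (11453246122, 17179869183)]
    print("\n".join(hashcat_args(good)))
    print("correct plan covers keyspace:", covers_exactly(good, KEYSPACE))
    print("cumulative -l plan overlaps:", overlapping(bad))
```

The overlap check explains the poster's growing time estimates: with -l read as an end offset, node 2 already re-covers node 1's range and node 3 re-covers most of node 2's.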
#3
(11-08-2019, 12:19 AM)philsmd Wrote: 1. --keyspace doesn't expect any hash file. You cannot specify the hash file when computing the keyspace (remove deshash from your command line).

2. For -l (--limit) you specify the number of restore points to process, so for instance -s 11453246122 -l 5726623061 is totally fine because it means start at 11453246122 and continue for 5726623061 restore points within this chunk. In your wrong interpretation of the values that would not be possible because -l would be less than -s, but this is not how -s/-l works, just read --help and the FAQ. So basically -l is the same value for all your nodes, but the start -s would be different for all nodes (start increased by 1/nodes of the keyspace if identical power).

You absolute legend. Thank you! That was exactly what I needed.
Reply