Performance drop with partially known long plain NTLM
Hi All,

Not a request for help as such, mainly interested to know if the situation I have is expected and from an academic perspective why it is occurring.

I've been trying to crack an unknown NTLM hash (set as a challenge by a friend) using a single GTX 670 and cudaHashcat-lite64.exe on Windows with various masks. I've been focusing on 7-8-9-10 character masks and getting consistent speeds of about 2850 M/s (which I *think* is about normal for this card (confirmation would be reassuring)).

Today I changed my tactics based on new information he provided - namely, it's a 12- or 13-character plain and I now know the first five characters. So I modified my mask to be "<5-known-characters>?1?1?1?1?1?1?1?1" (where ?1 is ?l?d?s) and set it to solve using 12 followed by 13 characters. My surprise came when I saw the new hashing performance was only about 120 M/s.

My understanding is that the algorithm shouldn't depend on the plain length that strongly (borne out by an attempt at a 13-character ?l mask, which gave 2850 M/s). It seems like the bottleneck comes about due to effectively running a hybrid attack using just masks.

The interesting thing to me is that the program is now reporting about 88% GPU utilisation rather than about 99% (though that wouldn't account for the 30x drop in performance by itself).

Any thoughts, or is this behaviour expected?

