02-20-2019, 09:44 AM
Howdy all,
I'm still trying to crack a single PBKDF2-SHA512 password from a MacAirBook running El Capitan, using hashcat on my new PC, which means I've had to extract the hash from the Mac and move it to my PC to work on cracking.
I just built a new PC last week with the following specs (mainly because my old rig was...well, old. But a tiny bit with this cracking task in mind):
OS: Windows 10
Mainboard: X470 Aorus Gaming 5 Wifi (this board has another available PCIe 3 slot if I wanted to add a second GPU, which I may do at some point, lemme know if this is recommended for this task below)
CPU: AMD Ryzen 7 1700
GPU: single XFX Radeon RX590 Fatboy 8GB GDDR5
RAM: 32 GB Corsair Vengeance DDR4
PSU: EVGA Supernova 850 G2 850W 80plus Gold
Regarding the password I'm trying to crack, I don't have any idea what it could be, but I suspect it is almost certainly longer than 6 characters and more likely 8-12 characters long, and could contain upper/lower/digits/symbols. I also don't know if there are any particular amends/prepends (digital years, etc.) to whatever the password is. I've read through a lot of the Wiki articles and forums on the different attack types as well as how to maximize parallelization so I feel like I more or less understand the basic premise of what I should be trying, but I'm only a noob trying to crack one password with absolutely no coding experience or knowledge beyond starting to learn how to use hashcat just a few weeks ago in order to crack this one password. I'm basically looking for more specific guidance on attack commands that I should try. If I see a specific command written out, I'm pretty good at learning each component of the command to understand how it fits into the overall approach, but sometimes the commands written out in the Wiki pages aren't very thorough or don't have good explanations included with them for me to understand how they work. (But I'm also a noob, so it could just be that.)
I've already installed Hashcat on the new PC and it runs fine although I've been unsuccessful at getting anything other than an exhausted session with only "candidates" that don't ever work.
So far I've tried the following attacks with the included results:
Hybrid dictionary attack using the "rockyou" wordlist and the "oneruletorulethemall" rule:
hashcat64 -a0 -m7100 D:\HashcatCL\hashes\hash1.txt D:\HashcatCL\wordlists\rockyou.txt D:\HashcatCL\rules\oneruletorulethemall.rule
result: (this took 49 minutes, which I thought was way too long for such a simple attack and a newer/stronger GPU, maybe this is a parallelization/utilization issue? But I thought using rules with the dictionary was part of increasing work/parallelization.)
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: macOS v10.8+ (PBKDF2-SHA512)
Hash.Target......: $ml$32894$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...696144 (masked)
Time.Started.....: Wed Feb 13 00:00:50 2019 (49 mins, 56 secs)
Time.Estimated...: Wed Feb 13 00:50:46 2019 (0 secs)
Guess.Base.......: File (D:\HashcatCL\wordlists\rockyou.txt)
Guess.Queue......: 1/2 (50.00%)
Speed.#1.........: 4788 H/s (4.46ms) @ Accel:32 Loops:16 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:32880-32893
Candidates.#1....: $HEX[2a627269616e6e653031322a] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 0% Core:1541MHz Mem:2000MHz Bus:16
Also tried a hybrid dictionary attack using two dictionaries "rockyou" and "english" as well as the "oneruletorulethemall" rule and the result didn't take that long but didn't recover anything (I've also used the best64 rule on the same attacks):
hashcat64 -a 0 -m 7100 D:\HashcatCL\hashes\hash1.txt D:\HashcatCL\wordlists\rockyou.txt D:\HashcatCL\wordlists\english.txt D:\HashcatCL\rules\oneruletorulethemall.rule
result:
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: macOS v10.8+ (PBKDF2-SHA512)
Hash.Target......: $ml$32894$f75ad5635a1bad19b0ae22efd80f1765a5d132254...696144
Time.Started.....: Wed Feb 13 11:00:15 2019 (12 secs)
Time.Estimated...: Wed Feb 13 11:00:27 2019 (0 secs)
Guess.Base.......: File (D:\HashcatCL\rules\oneruletorulethemall.rule)
Guess.Queue......: 3/3 (100.00%)
Speed.#1.........: 4510 H/s (5.35ms) @ Accel:32 Loops:16 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 52014/52014 (100.00%)
Rejected.........: 0/52014 (0.00%)
Restore.Point....: 52014/52014 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:32880-32893
Candidates.#1....: ######################################################### -> -8,9
Hardware.Mon.#1..: Util: 4% Core:1541MHz Mem:2000MHz Bus:16
(Somebody on a forum mentioned that if the password doesn't exactly match one of the words in the dictionaries I'm using, then I'll never recover the password. Suggestions? Is there a better dictionary than "rockyou", which is the one I hear about the most? Also, by using the rules in my dictionary attack I'm emulating a hybrid attack, correct?)
Also tried a mask attack with 8 character spaces (lowercase charset only) and an increased workload:
hashcat64 -a 3 -m 7100 -w 3 -i D:\HashcatCL\hashes\hash1.txt ?l?l?l?l?l?l?l?l
but by the time the "guess queue" gets to the 6th character space out of 8, the estimated time becomes 16 hours, so I quit the session because obviously the wait time only increases exponentially with each character space. Not only that, I realized if the password is more than 8 character spaces hashcat wouldn't recover it anyway. Not only that, if the character spaces included not just lowercase but upper/digital/symbol then I'd really be screwed. And when I try a brute-force or long character space (8 or more) mask attack, it says "years" for estimated time, lol.
Considering my rig, and considering that I thought I was already increasing the workload/utilization/parallelization, is there anything else I should be trying? Or am I not properly utilizing parallelization? On several of the sessions I've run, I keep getting this msg about supplying more work:
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework (which I've read through and tried to implement as best I understand)
Isn't the "rockyou" wordlist one of the larger/most used wordlists out there? If not, should I be using multiple wordlists in the same session (like I did in the second example attack above)?
If the mask is too small and it's already showing
I've read the Wiki article on supplying more work, but I don't know how else to increase it for the particular type of sessions I'm running. More dictionaries? More rules? If so, which ones? I only have one hash to crack so I can't supply more of those?
Anybody have better ideas or a direction to push me in?
Markov? (which I know nothing about)
Some other hybrid?
Thx for your ears.
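The arithmetic behind the run times reported above, as an added example that is not part of the original post: it reads the Speed and Progress lines from the first status output and estimates how long exhausting a mask takes at that rate. The function names are made up for this illustration; it assumes a constant speed and handles only hashcat's built-in ?l ?u ?d ?s ?a charsets.

```python
import re

# Two status lines copied from the first session output quoted in the post.
STATUS = """\
Speed.#1.........: 4788 H/s (4.46ms) @ Accel:32 Loops:16 Thr:64 Vec:1
Progress.........: 14344384/14344384 (100.00%)
"""
# Sizes of hashcat's built-in charsets (?a = ?l?u?d?s).
CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}
UNITS = {"": 1, "k": 1e3, "M": 1e6, "G": 1e9}

def parse_speed(status):
    """Candidates per second from the 'Speed.#N' line of a status screen."""
    m = re.search(r"^Speed\.#\d+\.*:\s*([\d.]+)\s*([kMG]?)H/s", status, re.M)
    if not m:
        raise ValueError("no Speed line found")
    return float(m.group(1)) * UNITS[m.group(2)]

def parse_total(status):
    """Total number of candidates from the 'Progress' line."""
    m = re.search(r"^Progress\.*:\s*\d+/(\d+)", status, re.M)
    if not m:
        raise ValueError("no Progress line found")
    return int(m.group(1))

def mask_keyspace(mask, incremental=False):
    """Candidates in a mask; with incremental=True, the sum over lengths 1..n (-i)."""
    tokens = re.findall(r"\?[ludsa]", mask)
    if not tokens or "".join(tokens) != mask:
        raise ValueError("only built-in ?l ?u ?d ?s ?a positions are handled")
    per_length, n = [], 1
    for t in tokens:
        n *= CHARSETS[t]          # each position multiplies the keyspace
        per_length.append(n)
    return sum(per_length) if incremental else per_length[-1]

def human(seconds):
    """Render a duration in the largest unit that fits (365-day years)."""
    for unit, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.0f} seconds"

if __name__ == "__main__":
    speed = parse_speed(STATUS)
    print("wordlist pass:", human(parse_total(STATUS) / speed))
    for mask in ("?l" * 6, "?l" * 8, "?a" * 8, "?a" * 12):
        print(mask, "->", human(mask_keyspace(mask) / speed))
```

At this rate the wordlist pass works out to about 49.9 minutes, in line with the elapsed time shown in the status output, while a full 8-character ?a mask comes to tens of thousands of years, which is the cost the 32894 PBKDF2 iterations in the hash are there to impose.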