sudden drop in cracking speed
#1
Question 
Hey everyone

I've been using hashcat since 5.1 and still use the same hardware, namely a NVIDIA GeForce GTX 1070 (GPU) and an Intel(R) Core(TM) i7-8700 (CPU).
In those ~3 years, I've had a consistent speed of 30'000 MH/s on NTLM. Since ~1 year I also installed the recommended CUDA Toolkit and OpenCL Runtime, which improved the speed by a tiny bit.

Now, since 2 weeks or so, I'm only getting 600 kH/s when I try rockyou.txt on any NTLM hash. I didn't change anything on the hashcat installation nor did I alter drivers or anything. The weird thing is, that the benchmark still shows the normal speed of 30'000 MH/s. I researched on this and found some people saying that the speed drops if you don't provide enough work. However, I have cracked NTLM hashes in the past using rockyou.txt and have had a consistent speed of 30'000 MH/s and didn't experience any speed drop. I use the same commands I have also used in the past. Thus, this sudden drop in speed doesn't make any sense to me. I think it's also not a hardware issue, as the benchmark still shows the normal speed.
I reinstalled all drivers, CUDA, OpenCL and Hashcat as stated in the FAQ. This didn't change anything in speed. I also rolled back the last Windows Update, which sadly also didn't improve cracking speed. I've also tried older versions of hashcat, with no success.

To be clear, this is not limited to NTLM, I'm getting this behaviour on all hash modes. I just used NTLM as an example here. 

I uploaded the output of trying to crack a single NTLM hash and a benchmark output on gist:
cracking output: https://gist.github.com/githubkuyaya/339...5449d18974
benchmark output: https://gist.github.com/githubkuyaya/dc0...19546e8be3


Does anyone have an idea of what might be the cause of this?
I'm happy to provide more information/outputs if needed.
Reply
#2
Add -O to your command and retest.
Reply
#3
- Rockyou alone is way too small for a benchmarking scenario with a single NTLM, as you noted
- You are not using -O to enable the optimized kernel, which is enabled in benchmarks by default
- There have been some changes to Hashcat Autotuning recently, but this mostly referred to speed dropping over time, iirc. Maybe try the latest beta from hashcat.net/beta

Aside from that, please provide a benchmark with an attack with a more suitable keyspace for the algo. If you want to stick to NTLM, use rockyou + dive.rule for example.
Reply
#4
(11-18-2021, 12:55 AM)Chick3nman Wrote: Add -O to your command and retest.
That took even longer, about 10 minutes to complete. https://gist.github.com/githubkuyaya/e6d...519928a025

(11-18-2021, 01:10 AM)NoReply Wrote: - Rockyou alone is way too small for a benchmarking scenario with a single NTLM, as you noted
- You are not using -O to enable the optimized kernel, which is enabled in benchmarks by default
- There have been some changes to Hashcat Autotuning recently, but this mostly referred to speed dropping over time, iirc. Maybe try the latest beta from hashcat.net/beta

Aside from that, please provide a benchmark with an attack with a more suitable keyspace for the algo. If you want to stick to NTLM, use rockyou + dive.rule for example.
I tried it with the beta but got the same speeds as with the normal version.
Dive gave me a significant higher speed. After 38 seconds, it actually cracked the hash, so that's the output of it:
https://gist.github.com/githubkuyaya/f85...7266159621

An interesting fact to mention is maybe that the speed isn't consistent. It keeps dropping the longer it takes. If I just do a plain rockyou wordlist attack with no parameters whatsoever, it starts at ~14'000 kH/s, but after a few seconds, it drops to 4'000 kH/s, and keeps dropping after that. The longer it's cracking, the slower it gets.
To visualize this, I started to crack a hash and instantly pressed [s]tatus as soon as it started to crack. After 4 seconds, I aborted the cracking process to show the final speed. It dropped from 14'000 kH/s to 4'000 kH/s:
https://gist.github.com/githubkuyaya/da7...e1ffe5b7aa

I see the same behaviour (slower the longer it takes) when I try to crack with wordlist + rule.

However, the speed is consistent when I do a mask brute-force. Masks are also faster than rules, getting to almost 1/3 of the old speed:
https://gist.github.com/githubkuyaya/d3e...d413cd61a3

I hope this helps.

btw we could also communicate via discord if needed, I just think it's kinda more well-arranged in a forum post
Reply