incremental:ASCII - how to mask?
#1
Learning how to crack my sample MS 2010 file with simple 6 characters password (two lowercase letters and 4 digits).

While cracking with john 
Code:
$ john --incremental --format=office-opencl johnofficehash
it takes 46 seconds to crack at speed 119771C/s. John manual says that it is "pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters)" Machine is AWS p3 V100 w/ Openwall AMI.

While cracking with 
Code:
hashcat -m 9500 hashcatofficehash  -a 3 -i ?a?a?a?a?a?a?a
it shows 20% faster speed of 142000 compare to john's, but no result after 10 minutes of cracking. Machine is AWS p3 V100 w/ NVIDIA drivers and CUDA.

Am I missing the hashcat masking techique to emulate the john's one?
Reply
#2
(01-14-2023, 05:34 AM)pipss Wrote: Learning how to crack my sample MS 2010 file with simple 6 characters password (two lowercase letters and 4 digits).

While cracking with john 
Code:
$ john --incremental --format=office-opencl johnofficehash
it takes 46 seconds to crack at speed 119771C/s. John manual says that it is "pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters)" Machine is AWS p3 V100 w/ Openwall AMI.

While cracking with 
Code:
hashcat -m 9500 hashcatofficehash  -a 3 -i ?a?a?a?a?a?a?a
it shows 20% faster speed of 142000 compare to john's, but no result after 10 minutes of cracking. Machine is AWS p3 V100 w/ NVIDIA drivers and CUDA.

Am I missing the hashcat masking techique to emulate the john's one?

can you show the output of hashcat when running this cli? anyway, it should be no problem when sorting the options like this but you should stick to the expected form

hashcat options hash maks, so hashcat -m 9500 -a 3 -i hashcatofficehash ?a?a?a?a?a?a?a
Reply
#3
The output for 4 character mask session is:
Code:
hashcat -m 9500 -a 3 -i officehashhashcat ?a?a?a?a?a?a?a
hashcat (v6.2.6) starting

CUDA API (CUDA 11.6)
====================
* Device #1: Tesla V100-SXM2-16GB, 15854/16160 MB, 80MCU

OpenCL API (OpenCL 3.0 CUDA 11.6.134) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla V100-SXM2-16GB, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates


Session..........: hashcat
Status...........: Running
Hash.Mode........: 9500 (MS Office 2010)
Hash.Target......: $office$*2010*100000*128*16*71dca6323e2d2b42fe014ed...45b1ca
Time.Started.....: Tue Jan 17 10:43:04 2023 (55 secs)
Time.Estimated...: Tue Jan 17 10:52:24 2023 (8 mins, 25 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?a?a?a?a [4]
Guess.Queue......: 4/7 (57.14%)
Speed.#1.........:  145.7 kH/s (11.29ms) @ Accel:8 Loops:512 Thr:512 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 7864320/81450625 (9.66%)
Rejected.........: 0/7864320 (0.00%)
Restore.Point....: 0/857375 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:24-25 Iteration:53248-53760
Candidate.Engine.: Device Generator
Candidates.#1....: vari -> vp8x
Hardware.Mon.#1..: Temp: 57c Util: 99% Core:1530MHz Mem: 877MHz Bus:16

takes already 9 minutes ☹
Reply
#4
Testing 9500: 

Code:
hashcat -b -m 9500     
hashcat (v6.2.6) starting in benchmark mode

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.6)
====================
* Device #1: Tesla V100-SXM2-16GB, 15854/16160 MB, 80MCU

OpenCL API (OpenCL 3.0 CUDA 11.6.134) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla V100-SXM2-16GB, skipped

Benchmark relevant options:
===========================
* --optimized-kernel-enable

------------------------------------------------------
* Hash-Mode 9500 (MS Office 2010) [Iterations: 100000]
------------------------------------------------------

Speed.#1.........:  146.4 kH/s (91.00ms) @ Accel:32 Loops:1024 Thr:512 Vec:1

Started: Wed Jan 18 09:28:13 2023
Stopped: Wed Jan 18 09:28:22 2023


Testing 22000:
Code:
hashcat -b -m 22000
hashcat (v6.2.6) starting in benchmark mode

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.6)
====================
* Device #1: Tesla V100-SXM2-16GB, 15854/16160 MB, 80MCU

OpenCL API (OpenCL 3.0 CUDA 11.6.134) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla V100-SXM2-16GB, skipped

Benchmark relevant options:
===========================
* --optimized-kernel-enable

-------------------------------------------------------------
* Hash-Mode 22000 (WPA-PBKDF2-PMKID+EAPOL) [Iterations: 4095]
-------------------------------------------------------------

Speed.#1.........:  885.2 kH/s (90.71ms) @ Accel:32 Loops:512 Thr:256 Vec:1

Started: Wed Jan 18 09:30:45 2023
Stopped: Wed Jan 18 09:30:51 2023
Reply
#5
you can try adding options
Code:
-O -w3
for optimzed kernel and workload
and maybe even try
Code:
-S
for slow candidates

but regarding your outputs your are quite at maximum speed for this type of hash

your benchmark mode 9500
Speed.#1.........:  146.4 kH/s (91.00ms) @ Accel:32 Loops:1024 Thr:512 Vec:1

your attack speed mode 9500
Speed.#1.........:  145.7 kH/s (11.29ms) @ Accel:8 Loops:512 Thr:512 Vec:1

main problem is the high iterationcount of 100.000 for this type of hash, this slows down massivly
Reply
#6
(01-19-2023, 06:51 PM)Snoopy Wrote: you can try adding options
Code:
-O -w3
for optimzed kernel and workload
and maybe even try
Code:
-S
for slow candidates

My password is like aa1111 so to make it very easy for hashcat I tried w/  mask -1 ?l?d ?1?1?1?1?1?1 Hashcat showed estimated time 4 hours. 

Tried adding flags -O -w3 or -S but it didn't make any difference in estimated time.
Reply
#7
as i wrote above, you are at the maximum hashrate for this hashalgorithm with your hardware, it wont be getting any faster

the only thing to reduce needed time is to reduce your keyspace by changing your mask to (your given info) ?l?l?d?d?d?d to fit your searched password
Reply
#8
Quote:?l?l?d?d?d?d to fit your searched password

Already tried this before, it’s easily for hashcat, took 2 minutes.

Question is how john w/ just default settings and w/o any masks so smartly cracked this password in less than minute Smile
Reply
#9
dont know how johns maskattack is implemented but hashcat uses randomized/shuffled output when using mask attack,

just take a look at hashcat -a3 --stdout ?d?d?d?d, instead of trying plain 0000, 0001, 0002, 0003 and so on, hashcat runs like this 7793, 6793, 1273 ,0273 ,2273 and even when running the same command again the output differs from the first one

so the "right guess" could be anything between first bulk of candidates oder last bulk, the diff between how long it takes to guess the right pass is just pure random
Reply
#10
Today tried some NT hash, and result was opposite. With:
Code:
john hash --format=nt
hashcat -m 1000 hash -a3 --show

John took 6 minutes, and hashcat 10 seconds! Smile
Reply