Posts: 35
Threads: 3
Joined: Dec 2022
Learning how to crack my sample MS 2010 file with a simple 6-character password (two lowercase letters and 4 digits).
While cracking with john
Code:
$ john --incremental --format=office-opencl johnofficehash
it takes 46 seconds to crack at speed 119771C/s. John manual says that it is "pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters)". Machine is AWS p3 V100 w/ Openwall AMI.
While cracking with
Code:
hashcat -m 9500 hashcatofficehash -a 3 -i ?a?a?a?a?a?a?a
it shows 20% faster speed of 142000 compared to john's, but no result after 10 minutes of cracking. Machine is AWS p3 V100 w/ NVIDIA drivers and CUDA.
Am I missing the hashcat masking technique to emulate john's one?
Posts: 879
Threads: 15
Joined: Sep 2017
(01-14-2023, 05:34 AM)pipss Wrote: Learning how to crack my sample MS 2010 file with a simple 6-character password (two lowercase letters and 4 digits).
While cracking with john Code:
$ john --incremental --format=office-opencl johnofficehash
it takes 46 seconds to crack at speed 119771C/s. John manual says that it is "pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters)" Machine is AWS p3 V100 w/ Openwall AMI.
While cracking with Code:
hashcat -m 9500 hashcatofficehash -a 3 -i ?a?a?a?a?a?a?a
it shows 20% faster speed of 142000 compared to john's, but no result after 10 minutes of cracking. Machine is AWS p3 V100 w/ NVIDIA drivers and CUDA.
Am I missing the hashcat masking technique to emulate john's one?
can you show the output of hashcat when running this cli? anyway, it should be no problem when sorting the options like this but you should stick to the expected form
hashcat options hash mask, so hashcat -m 9500 -a 3 -i hashcatofficehash ?a?a?a?a?a?a?a
Posts: 35
Threads: 3
Joined: Dec 2022
The output for 4 character mask session is:
Code:
hashcat -m 9500 -a 3 -i officehashhashcat ?a?a?a?a?a?a?a
hashcat (v6.2.6) starting
CUDA API (CUDA 11.6)
====================
* Device #1: Tesla V100-SXM2-16GB, 15854/16160 MB, 80MCU
OpenCL API (OpenCL 3.0 CUDA 11.6.134) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla V100-SXM2-16GB, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Session..........: hashcat
Status...........: Running
Hash.Mode........: 9500 (MS Office 2010)
Hash.Target......: $office$*2010*100000*128*16*71dca6323e2d2b42fe014ed...45b1ca
Time.Started.....: Tue Jan 17 10:43:04 2023 (55 secs)
Time.Estimated...: Tue Jan 17 10:52:24 2023 (8 mins, 25 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?a?a?a?a [4]
Guess.Queue......: 4/7 (57.14%)
Speed.#1.........: 145.7 kH/s (11.29ms) @ Accel:8 Loops:512 Thr:512 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 7864320/81450625 (9.66%)
Rejected.........: 0/7864320 (0.00%)
Restore.Point....: 0/857375 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:24-25 Iteration:53248-53760
Candidate.Engine.: Device Generator
Candidates.#1....: vari -> vp8x
Hardware.Mon.#1..: Temp: 57c Util: 99% Core:1530MHz Mem: 877MHz Bus:16
takes already 9 minutes ☹
Posts: 35
Threads: 3
Joined: Dec 2022
Testing 9500:
Code:
hashcat -b -m 9500
hashcat (v6.2.6) starting in benchmark mode
Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.
nvmlDeviceGetFanSpeed(): Not Supported
CUDA API (CUDA 11.6)
====================
* Device #1: Tesla V100-SXM2-16GB, 15854/16160 MB, 80MCU
OpenCL API (OpenCL 3.0 CUDA 11.6.134) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla V100-SXM2-16GB, skipped
Benchmark relevant options:
===========================
* --optimized-kernel-enable
------------------------------------------------------
* Hash-Mode 9500 (MS Office 2010) [Iterations: 100000]
------------------------------------------------------
Speed.#1.........: 146.4 kH/s (91.00ms) @ Accel:32 Loops:1024 Thr:512 Vec:1
Started: Wed Jan 18 09:28:13 2023
Stopped: Wed Jan 18 09:28:22 2023
Testing 22000:
Code:
hashcat -b -m 22000
hashcat (v6.2.6) starting in benchmark mode
Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.
nvmlDeviceGetFanSpeed(): Not Supported
CUDA API (CUDA 11.6)
====================
* Device #1: Tesla V100-SXM2-16GB, 15854/16160 MB, 80MCU
OpenCL API (OpenCL 3.0 CUDA 11.6.134) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla V100-SXM2-16GB, skipped
Benchmark relevant options:
===========================
* --optimized-kernel-enable
-------------------------------------------------------------
* Hash-Mode 22000 (WPA-PBKDF2-PMKID+EAPOL) [Iterations: 4095]
-------------------------------------------------------------
Speed.#1.........: 885.2 kH/s (90.71ms) @ Accel:32 Loops:512 Thr:256 Vec:1
Started: Wed Jan 18 09:30:45 2023
Stopped: Wed Jan 18 09:30:51 2023
Posts: 879
Threads: 15
Joined: Sep 2017
you can try adding options
for optimized kernel and workload
and maybe even try
for slow candidates
but regarding your outputs you are quite at maximum speed for this type of hash
your benchmark mode 9500
Speed.#1.........: 146.4 kH/s (91.00ms) @ Accel:32 Loops:1024 Thr:512 Vec:1
your attack speed mode 9500
Speed.#1.........: 145.7 kH/s (11.29ms) @ Accel:8 Loops:512 Thr:512 Vec:1
main problem is the high iteration count of 100.000 for this type of hash, this slows down massively
Posts: 35
Threads: 3
Joined: Dec 2022
(01-19-2023, 06:51 PM)Snoopy Wrote: you can try adding options
for optimized kernel and workload
and maybe even try for slow candidates
My password is like aa1111 so to make it very easy for hashcat I tried w/ mask -1 ?l?d ?1?1?1?1?1?1 Hashcat showed estimated time 4 hours.
Tried adding flags -O -w3 or -S but it didn't make any difference in estimated time.
Posts: 879
Threads: 15
Joined: Sep 2017
as i wrote above, you are at the maximum hashrate for this hash algorithm with your hardware, it won't be getting any faster
the only thing to reduce needed time is to reduce your keyspace by changing your mask to (your given info) ?l?l?d?d?d?d to fit your searched password
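Added example, not part of the original thread and not hashcat's own code: a small Python calculator for the keyspace of the masks discussed above and the time to exhaust them at the 145.7 kH/s shown in the status output. The function names are hypothetical, and duplicates inside a custom charset are counted once here.

```python
import string

# Built-in mask charsets (?l ?u ?d ?s ?a); ?a is the 95 printable ASCII characters.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(" " + string.punctuation),
}
BUILTIN["a"] = set().union(*BUILTIN.values())

RATE_HS = 145_700  # Speed.#1 from the status output in this thread (mode 9500)


def positions(mask, custom=None):
    """Return one set of characters per mask position."""
    custom = custom or {}
    out, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            out.append({mask[i]})          # literal character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            out.append({"?"})              # ?? is a literal question mark
        elif key in BUILTIN:
            out.append(BUILTIN[key])
        elif key in custom:                # -1..-4 definitions, e.g. {"1": "?l?d"}
            out.append(set().union(*positions(custom[key])))
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return out


def keyspace(mask, custom=None, increment=False):
    """Candidate count for a mask; with increment, sum over lengths 1..n."""
    totals, running = [], 1
    for charset in positions(mask, custom):
        running *= len(charset)
        totals.append(running)
    return sum(totals) if increment else running


def seconds_to_exhaust(mask, custom=None, increment=False, rate=RATE_HS):
    """Worst-case time to try every candidate at a fixed hash rate."""
    return keyspace(mask, custom, increment) / rate
```

For the masks in this thread it gives 81,450,625 candidates for ?a?a?a?a (the Progress total in the status output), 6,760,000 for ?l?l?d?d?d?d, and 36^6 for -1 ?l?d ?1?1?1?1?1?1, which is a little over 4 hours at this rate.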
Posts: 35
Threads: 3
Joined: Dec 2022
01-20-2023, 05:27 PM
(This post was last modified: 01-20-2023, 05:28 PM by pipss.)
Quote:?l?l?d?d?d?d to fit your searched password
Already tried this before, it’s easy for hashcat, took 2 minutes.
Question is how john w/ just default settings and w/o any masks so smartly cracked this password in less than a minute?
Posts: 879
Threads: 15
Joined: Sep 2017
don't know how john's mask attack is implemented but hashcat uses randomized/shuffled output when using mask attack,
just take a look at hashcat -a3 --stdout ?d?d?d?d, instead of trying plain 0000, 0001, 0002, 0003 and so on, hashcat runs like this 7793, 6793, 1273, 0273, 2273 and even when running the same command again the output differs from the first one
so the "right guess" could be anything between first bulk of candidates or last bulk, the diff between how long it takes to guess the right pass is just pure random
Posts: 35
Threads: 3
Joined: Dec 2022
Today tried some NT hash, and result was opposite. With:
Code:
john hash --format=nt
hashcat -m 1000 hash -a3 --show
John took 6 minutes, and hashcat 10 seconds!