Developing a strategy for a few hundred NTLM hashes
#1
Hello,

So I'll be working next week on cracking a few hundred NTLM hashes.
My setup will be as follows:
RTX 4070 GPU
Ryzen 7 7800X

I will be running hashcat from a The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) distribution installed on an external SSD connected via USB3 to my desktop (so the whole OS is installed on the external drive). I have about 500 GB of disk space.

I don't have a lot of information about the passwords that I need to crack, no real info on a possible format; the idea is to go into it blindly.
I have 1 week of available time (even though, since I'm running this from my desktop, I'll be turning it off/on based on my needs). But I plan on running it approximately 18h/day.

The strategy I have in mind as of now is the following:
  1. Start with low-hanging fruit (rockyou + rules)
  2. Increase wordlist size (100-200 GB) + rules
  3. Mask attacks (from https://github.com/sean-t-smith/Extreme_Breach_Masks)

The question I have is: when I run different attacks like this, will it keep track of the passwords it has tested, meaning that when I run my mask attacks, it won't test passwords it has already tried in the first 2 attack modes?
Likewise when running successive masks using a hcmask file?

And given my setup (external USB drive for the OS), can I expect some performance issues with wordlists?

Additionally, if you have any recommendations or advice, please let me know!

Thank you.
#2
First, you could test some of your hashes with websites like CrackStation (up to 20 hashes at once) and others to see whether some of your passwords are already known.

If applicable, use Windows and the CUDA SDK; unless you have installed and tried your setup before, this will save you a lot of time and nerves.

hashcat doesn't store tested passwords by default. There is a feature called hashcat brain, but this comes with some disadvantages (it lowers the overall cracking speed, especially for fast hashes such as your NTLM, and needs storage for the memory files). The brain is quite a nice option for really slow hashes like bcrypt and so on, but not really for fast hashes (it could be an option for cracking a very specific single hash).

When using masks, you can easily do an attack with 8 times ?a and the increment option with your 4070 in a day, so all you have to attack afterwards is at least length 9.

After cracking (or getting the passwords from websites like the above) the first hashes, take a look at the passwords and examine them: do they seem totally random, or do they maybe follow a pattern? What kind of language: German, English, Italian, Spanish? All this info could help you determine the best way for the following attacks.
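To check the "8 times ?a with increment in a day" estimate against one's own benchmark and to size the length-9+ masks that follow, here is an added Python example (not code from any poster in this thread). It parses .hcmask lines with custom charsets and computes mask keyspaces with and without --increment; the 80 GH/s NTLM rate is an assumed placeholder, not a measured RTX 4070 figure.

```python
"""Keyspace estimates for hashcat mask stages (added example; hash rate is assumed)."""
import string

# hashcat built-in charsets: ?l ?u ?d ?s, and ?a = all 95 printable ASCII characters.
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}  # ?s is 33 symbols
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")

def expand_charset(spec, customs=()):
    """Set of characters a charset spec covers: built-ins, ?1..?4, literals and ??."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key.isdigit():  # ?1..?4 refer to the custom charsets on the same line
                chars |= expand_charset(customs[int(key) - 1], customs)
            else:
                chars |= set(BUILTIN[key])
            i += 2
        else:
            chars.add(spec[i])  # literal character
            i += 1
    return chars

def keyspace(mask, customs=(), increment=False):
    """Candidates for a mask; with --increment, every prefix length 1..len is summed."""
    total, running, i = 0, 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            running *= len(expand_charset(mask[i:i + 2], customs))
            i += 2
        else:
            i += 1  # a literal position contributes a factor of 1
        if increment or i >= len(mask):
            total += running
    return total

def parse_hcmask_line(line):
    """Split a .hcmask line 'cs1,cs2,...,mask' into (custom charsets, mask)."""
    *customs, mask = line.strip().split(",")  # '\,' escapes are not handled here
    return customs, mask

if __name__ == "__main__":
    ASSUMED_SPEED = 80e9  # placeholder NTLM H/s; replace with your own hashcat -b figure
    for line in ["?a?a?a?a?a?a?a?a", "?d?l,test?1?1?1", "?u?l?l?l?l?l?d?d?d?d"]:
        customs, mask = parse_hcmask_line(line)
        ks = keyspace(mask, customs, increment=True)
        print(f"{line:22} {ks:>20,d} candidates  {ks / ASSUMED_SPEED / 3600:8.2f} h")
```

Note that these figures only say how long a stage takes; hashcat does not subtract candidates already tried by an earlier wordlist or mask stage, so overlap between stages is wasted time rather than tracked work.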
#3
Hello,

Thank you for your answers. So apparently my OS of choice is not really appreciated, so I learnt something new. I'll try to see if I can set up Windows on the external disk instead, if it provides some real benefits.

The issue with sampling a few hashes on CrackStation is that the user base from which the hashes originate is somewhat diverse in terms of culture/languages, so there isn't an easy pattern like "it's only Spanish-speaking users". I could check when the passwords were set and cross-reference it with the historical password policy to get an idea of what the minimum requirements were (although I have no guarantee they were enforced).

As for hashcat brain, I understand it may not be worth it in terms of performance, so I won't worry about that too much.

In any case, in an ideal world I won't be able to crack a single hash; that would be the best result for me, but for it to hold any weight I need to be able to show that the strategy I used was thought out and covered a lot of cases.

Thanks
#4
What OS are you running on your hardware normally? Why not use your OS right away?

I mean, when using an external drive with an extra installed OS (live CD, boot stick, whatever) you need to start that OS anyway with your hardware, so you cannot use it for other tasks.
#5
I need to run a separate OS for confidentiality purposes.