LM hash command
#1
Hi hash-experts!

I need some help getting together the best command line approach for bruteforcing a tricky LM hash. The thing is, that I've tried using LM hash tables of up to 339 GB, without any luck. So it's probably something about the codepage/charset used.

I'm pretty sure the hash has been created with some special language chars, like in Denmark we use Æ, Ø and Å regularly (those are UPPER case, but I'm not sure whether the LM algorithm would treat them as regular English chars, their LCASE are respectively æ, ø and å). I can't be sure, but I'd like to use my own list of possible chars/special chars in the command line.

I have both the LM (clearly not empty) and the NT hash, but of course I'll try to break the LM instead of NT.

The LM is apparently longer than 7 chars, as the last part of the hash is not "aad3b435b51404ee". So I guess, that I'm looking at a pwd between 8 and 14 chars.

Would I attack the LM in 2 parts, like maybe the first part shows me "PASSWOR" and I could try to guess the rest? Or will I attack the entire LM hash at once?

I know that I will need the "-m 3000" switch for LM. I also need UPPER case letters and digits. Furthermore I'll need special chars - like the mentioned Danish chars.

Regarding special chars... Which of those would require an escape char to work within a Windows cmd prompt?
#2
Assuming that your hashes have been extracted properly and not syskeyed, yes you have to crack both halves separately. They have to be on separate lines of your hash list. Use the -m 3000 and you should read about the custom charsets:

http://hashcat.net/wiki/doku.php?id=mask_attack

Also, hopefully your rainbow tables did cover the whole keyspace. To be sure, I would redo it by bruteforce using a GPU. It can be done in a reasonable time nowadays. Make sure you do include space as a character as well.
#3
Thank you for the answer. I'm trying this:

cudaHashcat64.exe --status -t 64 -a 3 -m 3000 lm.txt -1 ?u?d?s æøåÆØÅ ?l?l?l?l?l?l?l

lm.txt contains the 2 LM hash values. They should be properly extracted.

This is my output - it finished very fast:

cudaHashcat v1.01 starting...

Hashes: 2 total, 1 unique salts, 2 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Applicable Optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Salt
* Brute-Force
* Scalar-Mode
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 570, 1280MB, 1464Mhz, 15MCU
Device #2: GeForce GTX 570, 1280MB, 1464Mhz, 15MCU
Device #1: Kernel ./kernels/4318/m3000_a3.sm_20.64.ptx
Device #1: Kernel ./kernels/4318/markov_le_v1.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx
Device #2: Kernel ./kernels/4318/m3000_a3.sm_20.64.ptx
Device #2: Kernel ./kernels/4318/markov_le_v1.64.ptx
Device #2: Kernel ./kernels/4318/bzero.64.ptx


Session.Name...: cudaHashcat
Status.........: Exhausted
Input.Mode.....: Mask (µ°ÕãÏ┼) [6]
Hash.Target....: File (lm.txt)
Hash.Type......: LM
Time.Started...: Tue Apr 08 07:21:34 2014 (1 sec)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 0 H/s
Speed.GPU.#2...: 0 H/s
Speed.GPU.#*...: 0 H/s
Recovered......: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 1/1 (100.00%)
Rejected.......: 0/1 (0.00%)
HWMon.GPU.#1...: 1% Util, 41c Temp, 1800rpm Fan
HWMon.GPU.#2...: 0% Util, 37c Temp, 1830rpm Fan

Started: Tue Apr 08 07:21:34 2014
Stopped: Tue Apr 08 07:21:35 2014


What worries me is the "mask" output, which looks pretty awkward.

I should have [space] in the custom charset: "?u?d?s æøåÆØÅ"

Trying without the [space] the mask output seems all right, but it still finishes too fast I believe:

Hashes: 2 total, 1 unique salts, 2 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Applicable Optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Salt
* Brute-Force
* Scalar-Mode
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 570, 1280MB, 1464Mhz, 15MCU
Device #2: GeForce GTX 570, 1280MB, 1464Mhz, 15MCU
Device #1: Kernel ./kernels/4318/m3000_a3.sm_20.64.ptx
Device #1: Kernel ./kernels/4318/markov_le_v1.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx
Device #2: Kernel ./kernels/4318/m3000_a3.sm_20.64.ptx
Device #2: Kernel ./kernels/4318/markov_le_v1.64.ptx
Device #2: Kernel ./kernels/4318/bzero.64.ptx

Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?l?l?l?l?l?l?l) [7]
Hash.Target....: File (lm.txt)
Hash.Type......: LM
Time.Started...: Tue Apr 08 07:27:22 2014 (10 secs)
Time.Estimated.: Tue Apr 08 07:27:34 2014 (2 secs)
Speed.GPU.#1...: 328.4 MH/s
Speed.GPU.#2...: 327.4 MH/s
Speed.GPU.#*...: 655.8 MH/s
Recovered......: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 6530826240/8031810176 (81.31%)
Rejected.......: 0/6530826240 (0.00%)
HWMon.GPU.#1...: 96% Util, 50c Temp, 1860rpm Fan
HWMon.GPU.#2...: 96% Util, 45c Temp, 1860rpm Fan


Session.Name...: cudaHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?l?l?l?l?l?l?l) [7]
Hash.Target....: File (lm.txt)
Hash.Type......: LM
Time.Started...: Tue Apr 08 07:27:22 2014 (13 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 1067.9 kH/s
Speed.GPU.#2...: 153.9 MH/s
Speed.GPU.#*...: 155.0 MH/s
Recovered......: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 8031810176/8031810176 (100.00%)
Rejected.......: 0/8031810176 (0.00%)
HWMon.GPU.#1...: 89% Util, 49c Temp, 1860rpm Fan
HWMon.GPU.#2...: 77% Util, 45c Temp, 1860rpm Fan

Started: Tue Apr 08 07:27:22 2014
Stopped: Tue Apr 08 07:27:36 2014



What am I doing wrong? Thanx!
#4
you're defining a custom charset, but using ?l (lower alpha) in your mask. so you're only brute forcing length 7 lower alpha passwords, you aren't using your custom charset at all. also if you want to use a space in your custom charset you either need to escape it, or use an hcchar file.
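
Why the first run in post #3 showed `Mask (µ°ÕãÏ┼) [6]` and finished at once, as an added example that is not part of any post in this thread. It assumes a Western European Windows setup (ANSI codepage cp1252, console OEM codepage cp850), uses Python's `shlex` as an approximation of how cmd.exe splits unquoted arguments, and the function names are hypothetical.

```python
import shlex

# Sizes of the built-in mask charsets that appear in the thread.
BUILTIN = {"l": 26, "u": 26, "d": 10}

# Command line as typed in post #3, and the same with the charset quoted.
AS_TYPED = ("cudaHashcat64.exe --status -t 64 -a 3 -m 3000 lm.txt "
            "-1 ?u?d?s æøåÆØÅ ?l?l?l?l?l?l?l")
QUOTED = ('cudaHashcat64.exe --status -t 64 -a 3 -m 3000 lm.txt '
          '-1 "?u?d?s æøåÆØÅ" ?l?l?l?l?l?l?l')

def charset_and_rest(cmdline):
    """Return (value consumed by -1, tokens that follow it)."""
    args = shlex.split(cmdline)  # assumption: stands in for cmd.exe splitting
    i = args.index("-1")
    return args[i + 1], args[i + 2:]

def console_view(text, ansi="cp1252", oem="cp850"):
    """Bytes handed over in the ANSI codepage, drawn by an OEM console."""
    return text.encode(ansi).decode(oem)

def mask_keyspace(mask, custom=None):
    """Candidate count for a mask: ?x selects a charset, anything else
    is a literal position with exactly one choice."""
    custom = custom or {}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            total *= custom[key] if key in custom else BUILTIN[key]
            i += 2
        else:
            i += 1
    return total

if __name__ == "__main__":
    charset, rest = charset_and_rest(AS_TYPED)
    print("-1 received:", repr(charset))          # the space cut it short
    print("next token :", rest[0], "->", console_view(rest[0]))
    print("as a mask  :", mask_keyspace(rest[0]), "candidate")
    print("?l x 7     :", mask_keyspace("?l" * 7), "candidates")
    print("quoted -1  :", repr(charset_and_rest(QUOTED)[0]))
```

The single candidate for the six literal characters corresponds to `Progress.......: 1/1` in the first run, and 26^7 is the 8031810176 total of the second run.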
#5
Thank you, I totally missed the delicate difference between l and 1. This seems to run as expected:

cudaHashcat64.exe --status -t 64 -a 3 -m 3000 lm.txt -1 ?u?d?sæøåÆØÅ ?1?1?1?1?1?1?1

I'm trying without the space.

Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (lm.txt)
Hash.Type......: LM
Time.Started...: Tue Apr 08 21:28:08 2014 (3 mins, 13 secs)
Time.Estimated.: Tue Apr 08 23:16:23 2014 (1 hour, 45 mins)
Speed.GPU.#1...: 338.8 MH/s
Speed.GPU.#2...: 338.7 MH/s
Speed.GPU.#*...: 677.6 MH/s
Recovered......: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 131302686720/4398046511104 (2.99%)
Rejected.......: 0/131302686720 (0.00%)
HWMon.GPU.#1...: 99% Util, 86c Temp, 2940rpm Fan
HWMon.GPU.#2...: 99% Util, 74c Temp, 2220rpm Fan


//Z//