oclHashcat exhausted immediately when using long mask on WPA brute-force attack
#1
Hello everyone,

I'm trying to brute-force a 26-character WPA key; all characters are hex and uppercase, no spaces, no special characters (for info, this is the format of the Livebox WPA key, the Livebox being my ISP modem).

I'm using oclHashcat v1.30 (v1.31 is not compatible with my driver version, which is still Catalyst 14.9) on Ubuntu 14.10 with 2 Radeon HD7950s. Everything I have tried so far worked fine (average 200kH/s), i.e. dictionary attacks on several WPA keys.




Here is the command that I use:

Code:
oclHashcat64.bin -m 2500 -a3 10_clean.hccap -1 ?dABCDEF ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

oclHashcat returns almost immediately (exhausted); indeed, the completion percentage shows 100%. No errors are shown. I like my GPUs but I know they are not that fast. What happens is that all the keys are rejected/skipped (100%).

If I try the same command with a shorter mask, it works as expected.

Example:
Code:
oclHashcat64.bin -m 2500 -a3 10_clean.hccap -1 ?dABCDEF ?1?1?1?1?1?1?1?1?1

The limit is 15 characters in the mask (Mask (?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1) [15] works normally and Mask (?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1) [16] exhausts immediately).


According to the wiki, oclHashcat should be able to work up to 55 characters (or 27 plaintext, but I admit I don't know on which side I sit; anyway, 26 is under 27). oclHashcat used to be able to handle 15 characters max, but oclHashcat-plus v0.15 raised this limit to 55.




Here is the output (for any mask with more than 15 characters):

Code:
oclHashcat v1.30 starting...

Device #1: Tahiti, 2968MB, 925Mhz, 28MCU
Device #2: Tahiti, 2967MB, 925Mhz, 28MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel oclHashcat/oclHashcat-1.30/kernels/4098/m2500.Tahiti_1526.3_1526.3 (VM).kernel (257320 bytes)
Device #1: Kernel oclHashcat/oclHashcat-1.30/kernels/4098/markov_le_v1.Tahiti_1526.3_1526.3 (VM).kernel (93212 bytes)
Device #1: Kernel oclHashcat/oclHashcat-1.30/kernels/4098/bzero.Tahiti_1526.3_1526.3 (VM).kernel (30484 bytes)
Device #2: Kernel oclHashcat/oclHashcat-1.30/kernels/4098/m2500.Tahiti_1526.3_1526.3 (VM).kernel (257320 bytes)
Device #2: Kernel oclHashcat/oclHashcat-1.30/kernels/4098/markov_le_v1.Tahiti_1526.3_1526.3 (VM).kernel (93212 bytes)
Device #2: Kernel oclHashcat/oclHashcat-1.30/kernels/4098/bzero.Tahiti_1526.3_1526.3 (VM).kernel (30484 bytes)

                                            
Session.Name...: oclHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1) [26]
Hash.Target....: Livebox-5BBC (9c:7d:6b:e7:43:a0 <-> f1:61:49:bd:5c:cd)
Hash.Type......: WPA/WPA2
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Speed.GPU.#2...:        0 H/s
Speed.GPU.#*...:        0 H/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/0 (100.00%)
Skipped........: 0/0 (100.00%)
Rejected.......: 0/0 (100.00%)
HWMon.GPU.#1...: 59% Util, 29c Temp, 33% Fan
HWMon.GPU.#2...:  0% Util, 25c Temp, 33% Fan

Started: Tue Nov 25 18:12:06 2014
Stopped: Tue Nov 25 18:12:07 2014
#2
I forgot to mention that oclHashcat has no problem when running a dictionary attack using a dictionary made of 26-character keys following the same format.

Code:
oclHashcat64.bin -m 2500 10_clean.hccap dictionaries/Liveb0x_WPA_hexa.txt
#3
I have to add that I have 4GB of RAM.

My assumption is that, when using a mask, oclHashcat somehow tries to "reserve" the memory space for the entire possible dictionary for that mask.

8 characters -> 2GB
16 characters -> 4GB
32 characters -> 8GB

so with my setup it's only fine until 15 characters.

I can't find a reason why oclHashcat would work this way, but that's the best explanation I can find so far. Moreover, it would be a big coincidence that I'm fine up to 15 characters, which matches the 'old' limit of oclHashcat (before -plus v0.15).

Unfortunately I don't have an extra DDR3 module to try.
#4
No, it has nothing to do with memory. In a mask attack, candidates are generated on the GPU.

The simple and obvious answer is that mask attacks are limited to 15 characters. Each attack mode has a different limit. 55 characters is for dictionary attacks.

The attack you want to run is impossible anyway even if hashcat did support it. Do the math.

16^26 / 200000 / 31556926 =~ 3213622518817528429 years.
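
The estimate in the reply above, generalised to any mask, as an added example (not part of the thread and not hashcat's own code): it parses the mask and `-1` custom charset from the first post, computes the exact keyspace, and divides by a hash rate. The function names and the `MASK_LIMIT` constant are assumptions of this sketch; the 15-character limit and the seconds-per-year figure are the ones given in the reply.

```python
import math
import string

# Built-in mask charsets (?l ?u ?d ?s ?a); only their sizes matter here.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,  # 33 characters including space
}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")

SECONDS_PER_YEAR = 31556926  # constant used in the reply above
MASK_LIMIT = 15              # mask length limit stated in the reply above

def charsets(text, custom):
    """Yield one character set per position of a mask or charset spec."""
    i = 0
    while i < len(text):
        if text[i] != "?":
            yield {text[i]}          # literal character
            i += 1
            continue
        key = text[i + 1:i + 2]      # empty string if '?' is the last char
        if key == "?":
            yield {"?"}              # '??' is a literal question mark
        elif key in BUILTIN:
            yield set(BUILTIN[key])
        elif key in custom:
            yield custom[key]
        else:
            raise ValueError(f"bad charset reference at offset {i}: ?{key}")
        i += 2

def keyspace(mask, custom_specs=()):
    """Return (mask length, candidate count) using exact integers."""
    custom = {}
    for n, spec in enumerate(custom_specs, start=1):
        # Assumption of this sketch: custom sets use built-ins and literals only.
        custom[str(n)] = set().union(*charsets(spec, {}))
    sizes = [len(s) for s in charsets(mask, custom)]
    return len(sizes), math.prod(sizes)

def assess(mask, custom_specs, rate_hps):
    """Summarise a mask: length, whether it fits the limit, years to exhaust."""
    length, total = keyspace(mask, custom_specs)
    years = total // rate_hps // SECONDS_PER_YEAR
    return {"length": length, "fits_limit": length <= MASK_LIMIT, "years": years}
```

Calling `assess("?1" * 26, ["?dABCDEF"], 200_000)` reproduces the figure in the reply and reports that the mask is longer than the stated limit.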