Practical PRINCE: 1 CPU + 24 hours = 63% Linkedin hashes cracked, 100% automated
#1
After talking to many people about PRINCE, explaining how it works and what's the idea behind, I've decide to write a little demonstration/tutorial to show how it can be used in a real-life scenario. I hope it will help everyone who is interessted in using PRINCE to get started.

I've selected the Linkedin dump as my demonstration hashlist because it has been taken many times when it comes to any kind of analysis of password guessing, so it became a bit of a reference. It consists of a big number of unique hashes, therefore we can actually see whats happening in realtime just by looking at the cracked hashes while it is cracking. We can see how the patterns are self-created and it proofes that the generated password candidates actually match real-life passwords.

PRINCE was designed for attacking slow hashes. Therefore I'll use "only" CPU hashcat for the demonstration. There will be no GPU involved. The CPU that I am using is an Intel i7-4770K. I've decide to use CPU for this fast hash as it matches the speed for a slow hash using a GPU environment. To be exact, the cracking rate for the demonstration is around 5MH/s, which is roughly as slow as a modern single GPU cracking a $1$ hash (1000 times iterated and salted hash).

To reproduce locally, you need:
To avoid struggling with paths, just copied all the files into the same directory.

In this demonstration we do not make use of the personal aspects optimizer. We assume we have no clue what the password could be.


1. Create a fifo


While oclHashat (GPU) supports reading from stdin, Hashcat (CPU) does not. But you can workaround this missing feature simply by creating a named pipe.

Quote:$ mkfifo fifo

Because of the named pipe we need two shells next.


2. Run princeprocessor in the first shell


Quote:$ ./pp64.bin -o fifo < rockyou.txt


3. Run hashcat in the second shell (Replace the XXX with your CPU architecture)


Quote:$ ./hashcat-cliXXX.bin -m 100 -o linkedin.out linkedin.hash fifo


4. Let it run for 24 hours


Quote:Recovered.: 2223916/3521180 hashes

Easy, isn't it? And that's just with rockyou wordlist. I selected rockyou just to make it reproduceable. With one of my personal wordlists (that I am not going to share, sorry) I was able to get into the 75% range in the same time. If your first results with PRINCE are not that good, don't get demotivated. It takes a bit of experience on how to prepare/filter the input wordlist, using optional rules or how to use the optional princeprocessor parameters like --elem-cnt-min and --elem-cnt-max. I'm going to explain them in a later tutorial.

About efficiency: During the 24 hours a total of ~230 billion password candidates have been generated and tested. If you think 230 billion is a lot, it's not. It's not even the half of the brute-force keyspace of a 7-bit length 6 password. To get a better feeling for this, just think of testing the same keyspace against a TrueCrypt volume (TrueCrypt 5.0+ PBKDF2-HMAC-RipeMD160 + AES). It would take less than 3 days by using two 290x and oclHashcat v1.31.

PRINCE is not only about efficiency, it's also about an infinite runtime. Actually, the infinite runtime was one of the major goals when I designed the algorithm. Instead of stopping the demonstration after 24 hours you can continue to run princeprocessor and it will continue to crack the remaining hashes, on and on, and it will never* stop.

* = Based on your input wordlist. With rockyou.txt wordlist at least not within your lifetime

--
atom
Reply
#2
Many thanks for explaining Smile I'll be having a dabble needless to say...
Owner of: www.md5decrypter.co.uk
Reply
#3
Wow great
Reply
#4
Thank you for all your hard work and for sharing Smile
Reply
#5
Great tutorial. It would be better IMHO if you included two things:
1) A general explanation of what the princeprocessor is actually doing.
2) The equivalent named pipe for Windows.

Quote:...It takes a bit of experience on how to prepare/filter the input wordlist...
A tutorial or at least some words of wisdom on this would be much appreciated too.[/quote]
Reply
#6
It's described here http://hashcat.net/tools/princeprocessor...attack.pdf
Reply
#7
(12-26-2014, 01:14 PM)atom Wrote: It's described here http://hashcat.net/tools/princeprocessor...attack.pdf

No quite as much detail as I hoped for, but more than I can [currently] understand. Thanks.
Reply
#8
Thank you atom. The prince processor is something I have wanted to lay my hands on for a long time. Didn't know what I was missing but this is certainly it.
Reply
#9
(12-26-2014, 05:54 AM)rsberzerker Wrote: Great tutorial. It would be better IMHO if you included two things:

2) The equivalent named pipe for Windows.

I'm having the same problem, how do I pipe out of pp64.exe on windows?
Reply
#10
There is no more need to use a named pipe for cpu hashcat to use the PRINCE attack mode (Note: with oclHashcat you can simply pipe it, no named pipe needed at all) because version 0.49 of hashcat has a new attack mode: -a 6 = PRINCE which makes it more easy to use this attack mode (no more standalone princeprocessor needed).

See anouncement here:
https://hashcat.net/forum/thread-3952.html
Reply