Cisco IOS MD5 BruteForce Mask
#1
I am new to hashcat/cudahashcat. I'm a network engineer trying to recover some passwords from some old configs.

I have a standard Cisco IOS salted md5 hash. I found some rainbow tables but they did not find a match. I would like to try to brute force this but figuring out the mask has me questioning myself.

Could someone provide the correct mask to bruteforce a cisco ios md5?

Thanks
#2
the mask depens on what candidates you want to test, not on your hashing scheme.
#3
Assuming that it's this type of hash:

Code:
$ openssl passwd -1 -salt 0000 -table password
password    $1$0000$aWwcZQIpZ/gD70N/fOUeh0

... then you need to specify the hash type (-m 500 = Cisco-IOS MD5) and the attack type (-a 3 = brute-force), as in:

Code:
./cudaHashcat64.bin -a 3 -m 500 '$1$0000$aWwcZQIpZ/gD70N/fOUeh0'

If you know anything about what the password might contain (character sets and/or position), that's when you use a mask.

Edit to add: It also sounds like you might want to look into using some word lists, instead of rainbow tables.
~
#4
Thank you for your quick replies!

Forgive my windows Wink Royce - I am running as you recommended and I threw a few errors. is this expected? See below.

I ended up hitting the temp threshold on my GPU and it aborted. I can figure out how to tweak those options.


Quote:F:\hai>cudaHashcat64.exe -a 3 -m 500 '$1$UGFu$YccIH1wt6GA3jMolTQzOt1'
cudaHashcat v1.35 starting...

WARNING: Hash ''$1$UGFu$YccIH1wt6GA3jMolTQzOt1'': Signature unmatched


ERROR: No hashes loaded


F:\hai>cudaHashcat64.exe -a 3 -m 500 $1$UGFu$YccIH1wt6GA3jMolTQzOt1
cudaHashcat v1.35 starting...

Device #1: GeForce GTX 660 Ti, 3072MB, 1058Mhz, 7MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you erro
rs of code 702
You can disable it with a regpatch, see here: http://hashcat.net/wiki
/doku.php?id=timeout_patch

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes, 0/1 rotates
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4318/m00500.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/markov_le_v2.64.ptx
Device #1: Kernel ./kernels/4318/amp_a3_v2.64.ptx


ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of y
our GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/forum/thread-4161.html


Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1) [1]
Hash.Target....: $1$UGFu$YccIH1wt6GA3jMolTQzOt1
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...: 126 H/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 62/62 (100.00%)
Skipped........: 0/62 (0.00%)
Rejected.......: 0/62 (0.00%)
HWMon.GPU.#1...: 69% Util, 67c Temp, N/A Fan


ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of y
our GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/forum/thread-4161.html


Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1?2) [2]
Hash.Target....: $1$UGFu$YccIH1wt6GA3jMolTQzOt1
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...: 4582 H/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 2232/2232 (100.00%)
Skipped........: 0/2232 (0.00%)
Rejected.......: 0/2232 (0.00%)
HWMon.GPU.#1...: 70% Util, 67c Temp, N/A Fan


ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of y
our GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/forum/thread-4161.html


Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1?2?2) [3]
Hash.Target....: $1$UGFu$YccIH1wt6GA3jMolTQzOt1
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...: 188.8 kH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 80352/80352 (100.00%)
Skipped........: 0/80352 (0.00%)
Rejected.......: 0/80352 (0.00%)
HWMon.GPU.#1...: 71% Util, 67c Temp, N/A Fan


ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of y
our GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/forum/thread-4161.html


Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2) [4]
Hash.Target....: $1$UGFu$YccIH1wt6GA3jMolTQzOt1
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: Tue Apr 14 12:00:44 2015 (2 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 1277.3 kH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 2892672/2892672 (100.00%)
Skipped........: 0/2892672 (0.00%)
Rejected.......: 0/2892672 (0.00%)
HWMon.GPU.#1...: 92% Util, 74c Temp, N/A Fan

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2) [5]
Hash.Target....: $1$UGFu$YccIH1wt6GA3jMolTQzOt1
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: Tue Apr 14 12:00:44 2015 (27 secs)
Time.Estimated.: Tue Apr 14 12:01:59 2015 (42 secs)
Speed.GPU.#1...: 1482.5 kH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 40599552/104136192 (38.99%)
Skipped........: 0/40599552 (0.00%)
Rejected.......: 0/40599552 (0.00%)
Restore.Point..: 458752/1679616 (27.31%)
HWMon.GPU.#1...: 97% Util, 85c Temp, N/A Fan

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
#5
This looks normal. Brute force automatically starts with short masks and then moves on to longer ones. While it's moving through the short masks, they're too short to really make the GPUs work hard, so that's why you're seeing those messages. Notice that when the mask lengthened from 4:

Input.Mode.....: Mask (?1?2?2?2) [4]

... to 5:

Input.Mode.....: Mask (?1?2?2?2?2) [5]

... the warning was not displayed.
~
#6
btw, you're not specifying a mask. It will not do what you think it does.
#7
Thank you Royce.
#8
undeath - could you elaborate?
#9
if you don't specify a mask hashcat will use a default one. One that is not full brute force.