04-17-2015, 08:21 PM
So I just put together a Tyan machine with 8 980s, and I've been running a big domain we had captured in a previous engagement as a test.
With the 8 cards we can brute force 7-character NTLM pretty quickly, so before I ran any wordlists and rules, I cranked out the following:
cudaHashcat64.bin -a 3 -m 1000 -i /path/to/hash-file.txt ?a?a?a?a?a?a?a
That spit out a whole bunch of plain 1 to 7 characters, easy enough.
When I moved on to using wordlists though, I noticed a large number of 7 character passwords getting spit out as well. I know its removing the previously cracked hashes - I get the message at the beginning of the crack that x number of hashes were found in the cudaHashcat.pot file (am I wrong in thinking that it removes those?).
I went back and tried the following just in case:
cudaHashcat64.bin -a 3 -m 1000 -i --markov-disable -1 ?u?l?d?s /path/to/hash-file.txt ?1?1?1?1?1?1?1
That spit out even more plains. I went back and used another wordlists based attack with a different rules file, and again, more 7 character plains were returned.
Now, I'll admit that this domain we're running is a bit screwy, so I suppose there could be spaces or something at the end of what I think are 7 character passwords - I haven't looked at that quite yet. But it seems right now like something odd is going on - every time I run a 7 character brute, it says that it finds x number of hashes in the pot file, and then proceeds to crack more 7 character passwords.
Any ideas? Am I missing something in the command? I don't think I am because the recovered number keeps increasing every time I run the brute force, so I'm pretty sure its correctly removing the previous cracked hashes from each run.
As reference, the domain I'm going after has 389,093 unique NTLM hashes. I have driver 346.47, and cudaHashcat-1.35.
With the 8 cards we can brute force 7-character NTLM pretty quickly, so before I ran any wordlists and rules, I cranked out the following:
cudaHashcat64.bin -a 3 -m 1000 -i /path/to/hash-file.txt ?a?a?a?a?a?a?a
That spit out a whole bunch of plain 1 to 7 characters, easy enough.
When I moved on to using wordlists though, I noticed a large number of 7 character passwords getting spit out as well. I know its removing the previously cracked hashes - I get the message at the beginning of the crack that x number of hashes were found in the cudaHashcat.pot file (am I wrong in thinking that it removes those?).
I went back and tried the following just in case:
cudaHashcat64.bin -a 3 -m 1000 -i --markov-disable -1 ?u?l?d?s /path/to/hash-file.txt ?1?1?1?1?1?1?1
That spit out even more plains. I went back and used another wordlists based attack with a different rules file, and again, more 7 character plains were returned.
Now, I'll admit that this domain we're running is a bit screwy, so I suppose there could be spaces or something at the end of what I think are 7 character passwords - I haven't looked at that quite yet. But it seems right now like something odd is going on - every time I run a 7 character brute, it says that it finds x number of hashes in the pot file, and then proceeds to crack more 7 character passwords.
Any ideas? Am I missing something in the command? I don't think I am because the recovered number keeps increasing every time I run the brute force, so I'm pretty sure its correctly removing the previous cracked hashes from each run.
As reference, the domain I'm going after has 389,093 unique NTLM hashes. I have driver 346.47, and cudaHashcat-1.35.