ecryptfs H/s
#1
Hi there,

I'm currently investigating the possibilities to bruteforce an ecryptfs hash (http://cybermashup.com/2015/08/25/how-to...passwords/).

After extracting the hash I ran a benchmark using a wordlist of over 1 billion (1x10^9) words. The complete process took over 4 days (+/- 3300 H/s). Given the fact that nothing is known about the hash (except for the length probably being 8, 9 or 10 characters), I want to try all possible combinations of 8, 9 and 10 character passwords, containing upper case, lower case, digits and special characters. That would give me 95^8, 95^9 and 95^10 possibilities to try.

Needless to say that by the time this process is done and/or the password is found, chances are I won't be around anymore ;-)

Questions:

1. Is finding ecryptfs hashes really much slower than finding other hashes?
2. Can I speed up the process (more hardware and/or smart thinking)?

Normally I would not bother to ask, but finding the hashed password is really important because of personal reasons and all input is greatly appreciated!

Q
#2
1. Yes, ecryptfs is very slow -- but so is your GPU. A good modern GPU will be more than twice as fast as that. GTX 970 for example achieves ~ 6500 H/s on ecryptfs, while a Titan X achieves ~ 10000 H/s.

2. Yes, you can and should do both. Password cracking is an embarrassingly parallel problem, and thus scales linearly (so eight GPUs will be eight times as fast as one GPU.) You have to have the right GPU as well, as mentioned in #1 your current GPU is woefully underpowered. But even if you had e.g. 8x Titan X, brute force would still be out of the question, so you need to reduce your search space. Highly-targeted wordlists are pretty much your only hope.
#3
Hi epixoip,

Thank you for your valuable input.

You confirmed my fears ...

Perhaps another way to go is to get the sha512crypt hash of the same password? If I'm correct doing a brute force that way should be much faster.

Using a sha512crypt hash should also increase my chances finding the password using online lists. These services seem to be readily available accepting sha512crypt hashes whereas I have not found any online list accepting ecryptfs hashes.

Any thoughts on that?

Q
#4
If you have a sha512crypt hash and you know it's the same password, then yes you'd absolutely target the sha512crypt hash instead.

I'm not sure which online services/lists you're referring to, but I wouldn't go that route unless you know the site is reputable. Even still, sha512crypt is still pretty damn slow, so you still need highly-targeted wordlists.