How to optimize speed or setup
#1
Hello guys,

I have some trouble setting up my hashcat.
I am very new to this. I tried searching through the threads, but I did not find anything that can help me.

I have an IPMI2 hash that I want to recover my password from. I know the password, but I am looking for the fastest way to get the password. If it's a 9-char password, I can do it in 9 minutes with brute force on my current setup. But when I add 3 chars to my password, it shows me that it will take more than 10 years.

Is there a faster way than brute force? How can I optimize my setup? I just need to be pointed in the right direction and come up with a faster solution.

I have tried wordlist, straight and combination.

I will appreciate any help.
#2
if u know ur password why u wanna recover it..

anyway, its totally normal, u adding 3 chars that mean 12 chars overall the keyspace will get bigger..,

what command are u using, and why would u add 3 char if u know ur pw?
i dont get it
#3
Welcome to the exponential wall of brute force. If you're going to make a habit of this, you should learn math.
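Added example (not part of the original posts): the arithmetic behind the jump from 9 minutes to more than 10 years reported in post #1, assuming the hash rate stays constant and every added position uses the same charset. The charset sizes are those of hashcat's built-in ?d, ?l and ?a masks plus two common mixes; the function names are made up for this illustration.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Charset sizes: hashcat built-ins ?d, ?l, ?a and two common mixes.
CHARSETS = {
    "?d": 10,
    "?l": 26,
    "lower+digits": 36,
    "upper+lower+digits": 62,
    "?a": 95,
}


def projected_seconds(base_seconds, charset_size, extra_positions):
    """Time to exhaust the keyspace after appending positions.

    Each appended position multiplies the keyspace, and therefore the
    time at a fixed hash rate, by the size of that position's charset.
    """
    return base_seconds * charset_size ** extra_positions


def min_charset_size(base_seconds, target_seconds, extra_positions):
    """Smallest per-position charset whose projection exceeds the target."""
    size = 1
    while projected_seconds(base_seconds, size, extra_positions) <= target_seconds:
        size += 1
    return size


def projection_table(base_seconds, extra_positions):
    """Projected exhaustion time in years for each charset in CHARSETS."""
    return {
        name: projected_seconds(base_seconds, size, extra_positions) / SECONDS_PER_YEAR
        for name, size in CHARSETS.items()
    }


if __name__ == "__main__":
    base = 9 * 60  # 9 minutes for 9 characters, as reported in post #1
    for name, years in projection_table(base, 3).items():
        print(f"{name:>20}: {years:12.4f} years for 12 characters")
    needed = min_charset_size(base, 10 * SECONDS_PER_YEAR, 3)
    print(f"'more than 10 years' needs at least {needed} symbols per added position")
```

With these numbers, three extra lowercase-only positions would take about 110 days, so an estimate above 10 years implies the added positions average at least 84 symbols each, which only the full printable set (?a) in this table satisfies.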
#4
(10-12-2016, 08:52 AM)pepix Wrote: Is there a faster way than brute force? How can I optimize my setup? I just need to be pointed in the right direction and come up with a faster solution.

Hi,
if you want to be faster than bruteforce (e.g., because it is a very slow hash) you should have a look at probabilistic password models. A good starting point is "A Study of Probabilistic Password Models (SP '14)".

Here you can find the 3 most used alternatives to bruteforce:

## Probabilistic Context-Free Grammars
-> Password Cracking Using Probabilistic Context-Free Grammars (SP '09)
-> Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms (SP '12)
-> Effect of Grammar on Security of Long Passwords (CODASPY '13)
-> On the Semantic Patterns of Passwords and their Security Impact (NDSS '14)
-> Next Gen PCFG Password Cracking (TIFS '15)
---> Software (old): https://sites.google.com/site/reusablese...ic_cracker
---> Software (new): https://github.com/lakiw/pcfg_cracker

## Markov Models
-> Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff (CCS '05)
-> OMEN: Faster Password Guessing Using an Ordered Markov Enumerator (ESSoS '15)
-> OMEN+: When Privacy meets Security: Leveraging personal information for password cracking (CoRR '13)
-> A Study of Probabilistic Password Models (SP '14)
---> Software (old): http://openwall.info/wiki/john/markov
---> Software (new): https://github.com/RUB-SysSec/Password-G...-Framework (OMEN will be published very soon)

## Neural Networks
-> Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks (USENIX '16)
-> (A rather strange approach, but the ?FIRST? writing about this topic) Using neural networks for password cracking by Sebastian Neef
--> Software (old): https://github.com/gehaxelt/RNN-Passwords
--> Software (new): https://github.com/cupslab/neural_network_cracking

## Approach Comparison
-> Measuring Real-World Accuracies and Biases in Modeling Password Guessability (USENIX '15)
-> A Framework for Comparing Password Guessing Strategies (PASSWORDS '15)

## Hybrids
-> Introducing the PRINCE attack-mode (PASSWORDS '14)
---> Software: https://github.com/hashcat/princeprocessor
---> Software: https://github.com/hashcat/hashcat
#5
Two notes here:

Approaches that use Markov Models need to be split into two groups: the ones that can work with slow hashes and the ones that can work with both slow and fast hashes. There's only one implementation which can handle both and that's the one implemented in hashcat. Whenever you use a mask in hashcat, you always use a Markov Models based keyspace search optimization unless you use --markov-disable. The first group, the ones that can handle slow hashes only, is more efficient. For example: OMEN. But they are good for slow hashes only. But then, they are not as good as a real wordlist attack, and if you have a really slow hash like veracrypt there's only a wordlist attack left you can do. That means Markov Models of the first kind become more useless the slower the hash is.

And there are those approaches that are based on some feedback. But feedback makes no sense for slow hashes. For example NN. I can't understand how such a paper gets accepted to BH. The NN approach needs a fast hash to be useful. But then, there's no way to implement NN fast enough for a fast hash. So we can't use it for slow hashes and we can't use it for fast hashes. There's nothing left, which makes this approach a typical theoretical attack which is useless in a real-life scenario.

Also, IPMI2 is a fast hash, not a slow hash.
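Added example (not part of the original posts, and not hashcat's code or statistics format): a simplified view of what a "keyspace search optimization" changes for a mask. It uses per-position character frequencies only, without the conditioning on the preceding character that a Markov chain adds; the training strings, function names and odometer-style enumeration are assumptions made for the illustration.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Constructed training strings (not real password data), all of length 4.
TRAINING = ["love", "lion", "lake", "mine", "more",
            "sale", "same", "sore", "line", "lone"]


def alphabetical_orders(length, alphabet=ALPHABET):
    """Plain brute force: every position walks the charset in its own order."""
    return [list(alphabet) for _ in range(length)]


def frequency_orders(words, length, alphabet=ALPHABET):
    """Per position, the charset sorted by how often each character was seen.

    sorted() is stable, so unseen or tied characters keep charset order.
    """
    orders = []
    for pos in range(length):
        counts = Counter(w[pos] for w in words if len(w) == length)
        orders.append(sorted(alphabet, key=lambda c: -counts[c]))
    return orders


def keyspace(orders):
    """Total number of candidates; reordering never changes this."""
    total = 1
    for order in orders:
        total *= len(order)
    return total


def guess_number(candidate, orders):
    """1-based position of candidate in an odometer-style enumeration."""
    rank = 0
    for ch, order in zip(candidate, orders):
        rank = rank * len(order) + order.index(ch)
    return rank + 1


if __name__ == "__main__":
    plain = alphabetical_orders(4)
    tuned = frequency_orders(TRAINING, 4)
    for word in ("like", "zzqx"):  # one string resembling the training set, one not
        print(word, guess_number(word, plain), guess_number(word, tuned),
              "of", keyspace(tuned))
```

The total keyspace and the worst case are identical for both orderings; only strings that resemble the training data are reached earlier.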
#6
(10-15-2016, 10:12 AM)atom Wrote: And there are those approaches that are based on some feedback. But feedback makes no sense for slow hashes. For example NN. I can't understand how such a paper gets accepted to BH. The NN approach needs a fast hash to be useful. But then, there's no way to implement NN fast enough for a fast hash. So we can't use it for slow hashes and we can't use it for fast hashes. There's nothing left, which makes this approach a typical theoretical attack which is useless in a real-life scenario.

Never heard of "NN" before. Can you provide a link or a title of the talk? BH => BlackHat, is a hacker conference and quite often does not reach the academic audience. Thx.

Edit:
Do you mean NN => Neural Networks?
The aforementioned paper was accepted at USENIX Security conference in Austin, Texas, USA this year. It even won the best paper award.
#7
Yes, I meant USENIX, not BH and it's mostly academic. Makes even more sense now that one won the best paper :)
#8
(10-12-2016, 12:37 PM)kiara Wrote: if u know ur password why u wanna recover it..

anyway, its totally normal, u adding 3 chars that mean 12 chars overall the keyspace will get bigger..,

what command are u using, and why would u add 3 char if u know ur pw?
i dont get it

I need to know how long it would take to get my password. I am just learning the process of recovering passwords. Even if I did not know the password, with access to the server it is a matter of 12 sec to change the password.

(10-12-2016, 08:24 PM)epixoip Wrote: Welcome to the exponential wall of brute force. If you're going to make a habit of this, you should learn math.

Sarcasm is always very helpful. I understand the math; that is why I am asking for help with a better option, since simple brute force cannot do the trick.

(10-14-2016, 11:31 AM)root2 Wrote: Hi,
if you want to be faster than bruteforce (e.g., because it is a very slow hash) you should have a look at probabilistic password models. A good starting point is "A Study of Probabilistic Password Models (SP '14)".

Here you can find the 3 most used alternatives to bruteforce:

## Probabilistic Context-Free Grammars
-> Password Cracking Using Probabilistic Context-Free Grammars (SP '09)
-> Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms (SP '12)
-> Effect of Grammar on Security of Long Passwords (CODASPY '13)
-> On the Semantic Patterns of Passwords and their Security Impact (NDSS '14)
-> Next Gen PCFG Password Cracking (TIFS '15)
---> Software (old): https://sites.google.com/site/reusablese...ic_cracker
---> Software (new): https://github.com/lakiw/pcfg_cracker

## Markov Models
-> Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff (CCS '05)
-> OMEN: Faster Password Guessing Using an Ordered Markov Enumerator (ESSoS '15)
-> OMEN+: When Privacy meets Security: Leveraging personal information for password cracking (CoRR '13)
-> A Study of Probabilistic Password Models (SP '14)
---> Software (old): http://openwall.info/wiki/john/markov
---> Software (new): https://github.com/RUB-SysSec/Password-G...-Framework (OMEN will be published very soon)

## Neural Networks
-> Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks (USENIX '16)
-> (A rather strange approach, but the ?FIRST? writing about this topic) Using neural networks for password cracking by Sebastian Neef
--> Software (old): https://github.com/gehaxelt/RNN-Passwords
--> Software (new): https://github.com/cupslab/neural_network_cracking

## Approach Comparison
-> Measuring Real-World Accuracies and Biases in Modeling Password Guessability (USENIX '15)
-> A Framework for Comparing Password Guessing Strategies (PASSWORDS '15)

## Hybrids
-> Introducing the PRINCE attack-mode (PASSWORDS '14)
---> Software: https://github.com/hashcat/princeprocessor
---> Software: https://github.com/hashcat/hashcat

Very good post, finally a very good answer. I will get right on it. Thank you very much.