NTLM Performance Problem
#1
Hello,
i have a little performance problem with cracking a NTLM hash.

My Hardware:
Disk: Samsung 970 Plus M.2
GPU: 2x RTX 2080 TI

With Benchmark i get this results:
Quote:Hashmode: 1000 - NTLM

Speed.#1.........: 92787.1 MH/s (24.13ms) @ Accel:128 Loops:1024 Thr:256 Vec:2
Speed.#2.........: 89742.9 MH/s (24.92ms) @ Accel:128 Loops:1024 Thr:256 Vec:2
Speed.#*.........:  182.5 GH/s


With my favorit attack-mode:
Quote:A Wordlist with only 12 words
hashcat64.exe -a 6 -w 4 -i --increment-min=5 NTLM-Hash PW_List.txt -1 ?d?l!@MLK-?? ?1?1?1?1?1?1?1
Speed.#1.........:  8555.0 kH/s (1.05ms) @ Accel:128 Loops:1024 Thr:256 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:128 Loops:1024 Thr:256 Vec:1

so i looked at https://hashcat.net/faq/morework and tryed the 1st version with a pipe to hashcat
Quote:hashcat64.exe --stdout -a 6 -i PW_List.txt -1 ?l?d??!@LKM ?1?1?1?1?1?1?1 | hashcat64.exe -m 1000 NTLM-Hash

Speed.#1.........:  306.5 kH/s (2.35ms) @ Accel:512 Loops:1 Thr:64 Vec:1
Speed.#2.........:  315.0 kH/s (2.39ms) @ Accel:512 Loops:1 Thr:64 Vec:1

pure wordlist attack is also not so fast as it looks in the benchmark results:
Quote:hashcat64.exe -O -a 0 -w 4 -m 1000 NTLM-Hash wordlist_600million.txt
Speed.#1.........:  5998.7 kH/s (0.39ms) @ Accel:128 Loops:1 Thr:256 Vec:1
Speed.#2.........:  5912.1 kH/s (0.39ms) @ Accel:128 Loops:1 Thr:256 Vec:1
Speed.#*.........: 11910.9 kH/s

edit://
now i make my wordlist a little bi bigger and the performance looks much better (but still a long way to 182.5 GH/s):
Quote:hashcat64.exe -a 6 -w 4  PW_List.txt -1 ?d?l!@MLK-?? ?1?1?1?1 --stdout -o PW_List_+4.txt

hashcat64.exe -a 6 -w 4 -i NTLM-Hash PW_List_+4.txt -1 ?d?l!@MLK-?? ?1?1?1?1?1?1?1


Guess.Mod........: Mask (?1?1?1?1) [4], Right Side
Guess.Charset....: -1 ?d?l!@MLK-??, -2 Undefined, -3 Undefined, -4 Undefined
Speed.#1.........: 24265.2 MH/s (90.51ms) @ Accel:128 Loops:1024 Thr:256 Vec:1
Speed.#2.........: 23676.4 MH/s (92.23ms) @ Accel:128 Loops:1024 Thr:256 Vec:1
Speed.#*.........: 47941.6 MH/s
Reply
#2
There are a few things going on here.

The very first thing i'd note would be the warnings/advice given when running a benchmark.
```

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.

```
Benchmark, by default, uses the optimized kernels, which restrict the max candidate length in order to increase speed. You should most likely be using the optimized kernels for your attacks so I would start by adding -O to everything you are running. Only your "pure wordlist" attack has it in place.

Now, this may not help all that much, and that's totally fine in most of the above cases. Benchmarking is done with a full workload, single hash, optimized brute force. It's meant to indicate the absolute maximum speed you can achieve against 1 hash with a brute force mask of something like ?a?a?a?a?a?a?a?a?a. The speed at which candidates can be generated and loaded on the GPU under those conditions is significantly faster than in other attacks, such as dictionary attacks, where candidates have to be loaded from the dictionary instead of being generated on the GPU. Rules and other operations that do candidate generation/modification on the GPU instead of the host are very fast and can be used to increase the performance/speed of a running job if applied on top of a normal straight(dictionary) attack. Your attempts to increase work to get more performance are working, as you noted in the last attack, however it is not really reasonable to expect mask/benchmark speeds out of a hybrid or wordlist attack. If you run a simple mask attack, -a 3 ?a?a?a?a?a?a?a?a?a, and find that it shows roughly the same speed as your benchmark, then there shouldnt be any issues with your setup and it just comes down to optimizing your workload for the best possible performance.
Reply
#3
Thanks.

Actual the PC is running with the last caracter-set for the next 24h, ...later i will have a look about "hashcat checkpoint funktion" to make a break, otherwise i will start to test some optimization tomorrow an will report the results here.

If pure bruteforce is much fast than my actual 47GB/s, i will write a little batch for my wordlist which sequentielly work on word from my list like:

hashcat63.exe ................. -1 ?d?l!@MLK-??  password_1?1?1?1?1?1?1?1?1?1?1
hashcat63.exe ................. -1 ?d?l!@MLK-??  password_2?1?1?1?1?1?1?1?1?1?1
hashcat63.exe ................. -1 ?d?l!@MLK-??  password_3?1?1?1?1?1?1?1?1?1?1
hashcat63.exe ................. -1 ?d?l!@MLK-??  password_4?1?1?1?1?1?1?1?1?1?1
hashcat63.exe ................. -1 ?d?l!@MLK-??  password_5?1?1?1?1?1?1?1?1?1?1
Reply
#4
That attack is not going to have good speed either, because static mask prefixes slow hashcat down. Generate a rules file for the mask part and do a wordlist+rules attack.
Reply
#5
(01-04-2020, 12:56 PM)undeath Wrote: That attack is not going to have good speed either, because static mask prefixes slow hashcat down. Generate a rules file for the mask part and do a wordlist+rules attack.

the bruteforce is also not as fast as a hoped:


Code:
hashcat64.exe -O -w 4 -a 3 -i -m 1000 Hash -1 ?d?l??!@-MLK xxx?1?1?1?1?1?1?1?1

Time.Estimated...: Sat Jan 04 14:46:26 2020 (6 mins, 14 secs)
Guess.Mask.......: XXXXXXXX?1?1?1?1?1?1?1 [14]
Guess.Charset....: -1 ?d?l??!@-MLK, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 14/15 (93.33%)
Speed.#1.........:  305.1 MH/s (0.47ms) @ Accel:128 Loops:1 Thr:256 Vec:2
Speed.#2.........:  291.7 MH/s (0.47ms) @ Accel:128 Loops:1 Thr:256 Vec:2
Speed.#*.........:  596.8 MH/s

I will try a wordlist+Rule format,...... i will post my resulst Wink
Reply
#6
The first time that i working with rules, but i think the rule will be fine:

Code:
mp64.exe -o test_4.rule -1 ?l?d??@!-MLK "$?1 $?1 $?1 $?1"

i started hashcat with:
Code:
hashcat64.exe -a 0 -w 4 -O -m 1000 HASH PW_List+4.txt -r test_4.rule

but my cracking speed is slower than Wordlist+Maskfile ;-/
Code:
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18199.2 MH/s (28.69ms) @ Accel:128 Loops:256 Thr:256 Vec:1
Speed.#2.........: 17529.8 MH/s (29.37ms) @ Accel:128 Loops:256 Thr:256 Vec:1
Speed.#*.........: 35730.2 MH/s

My rule-file is ~44MB, my wordlist ~500MB

Quote:You can use it in your cracking session by setting the -O option.
Ah, i forgot this in the attack, now it runs much faster,...but still only 1/3 of the benchmark.
Is there any other trick to push the speed ?

Code:
Guess.Mod........: Mask (?1?1?1?1?1) [5], Right Side
Guess.Charset....: -1 ?d?l!@MLK-??, -2 Undefined, -3 Undefined, -4 Undefined
Speed.#1.........: 32800.0 MH/s (62.36ms) @ Accel:128 Loops:1024 Thr:256 Vec:1
Speed.#2.........: 29737.9 MH/s (64.31ms) @ Accel:128 Loops:1024 Thr:256 Vec:1
Speed.#*.........: 62539.4 MH/s
Reply