Dictiionary Attack - how-to-question
#21
I think under macOS you can't really install the driver by downloading and installing "the new" or a "different" one from the Intel (vendor) page or similar. I think under macOS the only thing you could do is to test different macOS versions (sierra, mojave, catalina etc).

but I'm no macOS user or macOS expert, maybe somebody else knows if something could be done to fix driver problems.

BTW: it's not enough to just post the error message, it's also important to know if any other hash type did succeed without error and which of the hash types failed. maybe you can post the whole output of hashcat -b ?
Reply
#22
copied - here´s the entire thread:

osx-lhind6519:hashcat u545634$ ./hashcat -b
hashcat (v5.1.0-1774-gf96594ef) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL API (OpenCL 1.2 (Apr 18 2019 20:03:31)) - Platform #1 [Apple]
====================================================================
* Device #1: Intel(R) Core(TM) i5-4260U CPU @ 1.40GHz, skipped
* Device #2: HD Graphics 5000, 1472/1536 MB (384 MB allocatable), 40MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable

Hashmode: 0 - MD5

Speed.#2.........: 289.5 MH/s (71.40ms) @ Accel:8 Loops:128 Thr:512 Vec:1

Hashmode: 100 - SHA1

Speed.#2.........: 99657.0 kH/s (51.52ms) @ Accel:8 Loops:32 Thr:512 Vec:1

Hashmode: 1400 - SHA2-256

Speed.#2.........: 41723.0 kH/s (61.78ms) @ Accel:4 Loops:32 Thr:512 Vec:1

Hashmode: 1700 - SHA2-512

Speed.#2.........: 11369.6 kH/s (56.50ms) @ Accel:8 Loops:4 Thr:512 Vec:1

Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095)

Speed.#2.........: 4983 H/s (62.88ms) @ Accel:16 Loops:4 Thr:512 Vec:1

Hashmode: 1000 - NTLM

Speed.#2.........: 454.8 MH/s (91.14ms) @ Accel:16 Loops:128 Thr:512 Vec:1

Hashmode: 3000 - LM

Speed.#2.........: 73270.9 kH/s (69.71ms) @ Accel:2 Loops:1024 Thr:64 Vec:1

Hashmode: 5500 - NetNTLMv1 / NetNTLMv1+ESS

Speed.#2.........: 282.8 MH/s (73.10ms) @ Accel:16 Loops:64 Thr:512 Vec:1

Hashmode: 5600 - NetNTLMv2

Speed.#2.........: 21658.6 kH/s (59.40ms) @ Accel:8 Loops:8 Thr:512 Vec:1

Hashmode: 1500 - descrypt, DES (Unix), Traditional DES

Speed.#2.........: 2610.1 kH/s (1002.59ms) @ Accel:1 Loops:1024 Thr:64 Vec:1

Hashmode: 500 - md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000)

Speed.#2.........: 133.5 kH/s (72.26ms) @ Accel:32 Loops:15 Thr:512 Vec:1

Hashmode: 3200 - bcrypt $2*$, Blowfish (Unix) (Iterations: 32)

* Device #2: ATTENTION! OpenCL kernel self-test failed.

Your device driver installation is probably broken.
See also: https://hashcat.net/faq/wrongdriver

Speed.#2.........: 417 H/s (46.28ms) @ Accel:1 Loops:1 Thr:16 Vec:1

Hashmode: 1800 - sha512crypt $6$, SHA512 (Unix) (Iterations: 5000)

Speed.#2.........: 1682 H/s (72.50ms) @ Accel:4 Loops:8 Thr:512 Vec:1

Hashmode: 7500 - Kerberos 5, etype 23, AS-REQ Pre-Auth

Speed.#2.........: 3424.5 kH/s (93.53ms) @ Accel:2 Loops:64 Thr:64 Vec:1

Hashmode: 13100 - Kerberos 5, etype 23, TGS-REP

Speed.#2.........: 3530.8 kH/s (91.51ms) @ Accel:2 Loops:64 Thr:64 Vec:1

Hashmode: 15300 - DPAPI masterkey file v1 (Iterations: 23999)

Speed.#2.........: 842 H/s (62.94ms) @ Accel:16 Loops:4 Thr:512 Vec:1

Hashmode: 15900 - DPAPI masterkey file v2 (Iterations: 12899)

Speed.#2.........: 417 H/s (58.84ms) @ Accel:8 Loops:2 Thr:512 Vec:1

Hashmode: 7100 - macOS v10.8+ (PBKDF2-SHA512) (Iterations: 1023)

clBuildProgram(): CL_BUILD_PROGRAM_FAILURE

Error: out of memory.

* Device #2: Kernel /Users/u545634/hashcat/OpenCL/m07100-pure.cl build failed.

it´s really interesting and mind-widening getting to talk with hashcat experts like you are -
Reply
#23
is there a way I can specify password patterns in "-a 3" mode with following constraints:

-> minimum password length is 8 characters
-> the first letter is an upper-case letter
-> the rest of the password can be upper-case letters, lower-case letters, digits (0-9) and one special character "@"

the attack vector should start with password length of 8 characters, if the password is not cracked, then the attack vector should continue with 9 characters etc. this should work with an "--increment" - though I dont know yet what this vector looks like - could anyone help me out ?
Reply
#24
In general you would use a command like this:
Code:
hashcat -m 14700 -a 3 -w 3 --increment --increment-min 8 -2 ?u?l?d@ extracted_hash.txt ?u?2?2?2?2?2?2?2?2?2

instead of -2 you could also use --custom-charset2 (or any other custom charset, like -4, -3, -2, -1 and use it within the mask with ?4, ?3, ?2, ?1 respectively).


But there is a big problem here: mask attacks of course try all possibilities and therefore are most of the time not the most clever approach, especially if it comes to slow hash types like itunes... the length matters a lot here and you are already trying lengths that get infeasible to crack within a reasonable time frame (months to years).

I would suggest looking into dictionary based attacks combined with rules etc (see https://hashcat.net/wiki/).
Brute-forcing or mask attack are not always the most clever attacks... you need to find more efficient/targetted approaches that are more feasible than just "brute-force it".
Reply
#25
ohk, copied. the rule-based attack as such is considered the most complicated but most efficient attack - it gets even more complicated in combination with a "wordlist" - I will try this, what I understood from your proposed command "-2 ?u?l?d@" is that "-2" is some kind of attack vector nomination in which upper (?u) and lower (?l) case letters, digits (?d) and the special character (@) are combined, what does "-w 3" do ?
Reply
#26
-w is for the workload profile, see the output of the hashcat --help command:
Code:
hashcat --help
...
- [ Workload Profiles ] -

  # | Performance | Runtime | Power Consumption | Desktop Impact
===+=============+=========+===================+=================
  1 | Low         |   2 ms  | Low               | Minimal
  2 | Default     |  12 ms  | Economic          | Noticeable
  3 | High        |  96 ms  | High              | Unresponsive
  4 | Nightmare   | 480 ms  | Insane            | Headless

you could say that -w 3 actually would be optional, but it's always recommended to think about this option and how to likely improve performance
Reply
#27
I entered:

Started: Mon Apr 27 23:44:43 2020
Stopped: Mon Apr 27 23:44:43 2020
osx-lhind6519:hashcat u545634$ ./hashcat -d 2 $ ... -a 6 Manifest1.txt password.txt ?d?d?d?d
hashcat (v5.1.0-1774-gf96594ef) starting...

OpenCL API (OpenCL 1.2 (Apr 18 2019 20:03:31)) - Platform #1 [Apple]
====================================================================
* Device #1: Intel(R) Core(TM) i5-4260U CPU @ 1.40GHz, skipped
* Device #2: HD Graphics 5000, 1472/1536 MB (384 MB allocatable), 40MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hash '$': Token length exception
No hashes loaded.

How can I fix the token length exception and why is it that hashes are not loaded ?
Reply
#28
I just noticed I forgot the hashmode -m 14700
I entered:

./hashcat -d 2 -m 14700 Manifest1.txt $ ... -a 6 password.txt ?d?d?d?d
Reply
#29
I just happened to crack my itunes backup password - jumping around in my room -/. thnx philsmd for your support
Reply
#30
glad to hear that. well done !
Reply