GPU Crack Speed Half of Expected
Evening Everyone,

I've got a small list of hashes to crack (NTLM from a Domain Controller). Back when I first picked up the GPU I was curious to see what it could do. Just for reference my spec list (workstation, not a dedicated crack machine or anything).

Ryzen 9 3900X
Dual 1TB Intel 660p
ASUS Prime X570-P
Gigabyte Windforce RTX 2070S
(4x16GB) 64GB DDR4 3600MHz CL15

I went for my dictionaries and rules first. I knew these passwords would be very weak and therefore easily guessed by simple means. The wordlist in question is about half a GB (not very large), and the rule file was just over a single MB. Just for reference, I have 6 of 19 cracked. (I took a small subset of accounts, basically DA/EA, some service accounts)

hashcat.exe -m 1000 -a 0 hashes/<Company>Hashes.txt -w wordlists/GRC.txt -r rules/custom.rule -w 3 -O

That yielded about 12,000 MH/s on NTLM, which I can kind of understand. Storing all that in memory can be intensive, therefore it isn't all stored in memory... However, I started bruteforcing which is where I expected much closer to 67000-68000 MH/s on NTLM. I'm currently getting ~30,000 MH/s on a brute force, which while far better then wordlists is still not nearly the performance I expected. 

hashcat.exe -m 1000 -a 3 hashes/<Company>Hashes.txt -w 3 -O

Notes: I'm using the pre-built binary available on the website - 6.0.0 for hashcat. I've updated my GPU drivers to the latest WHQL (which if memory serves me correctly is 451.48). I got that update maybe 2 or 3 days ago. I double checked that I wasn't thermal throttling, power throttling or anything. I'm sitting comfortably at ~65C +/- 3C, boosting to 1900-1930MHz. 100% GPU Util. 

Am I missing something? 

TLDR: Performance not what I expected on NTLM.

Hashcat.PNG (Size: 68.24 KB / Downloads: 1)
Bruteforce: 30,000 MH/s
Wordlists + Rules: 12,000 MH/s
Benchmark: 67000-68000 MH/s

the commands that you use are very weird/wrong:

1. the -w that you use twice in your -a 0 (dictionary attack) is wrong. why two times -w ? one time -w without the actual workload profile

2. in the second command, you use a mask attack (-a 3) without a mask. yeah, a mask attack without a mask !? o.O
That's also very strange... are you sure that is what you are trying to run. normally you at least define and run some specific mask like:
-a 3 -w 3 --increment--increment-min 6 -a 3 hash.txt ?a?a?a?a?a?a?a?a

at the end, I think you are just confused about the comparison against the benchmark speed:
hashcat.exe -m 1000 -b

^ this benchmark run uses a single NTLM hash and therefore hashcat can apply optimizations that can't be done with multiple hashes. Benchmark also uses a very huge keyspace/mask (and workload profile, -w 3). It's the maximum speed that you only can reach in real runs if you only crack single hashes with a mask atttack (-a 3) and a similar workload profile (-w 3) and a large keyspace/mask.

It's difficult to compare against things that are not identical/similar ... i.e. it's like comparing apples to oranges.

Just try to run a benchmark or a single hash with a huge mask (and -w 3) and you will see different speeds.
Evening Phil,

The first command was a typo in the post (-w <wordlist>), not in my terminal. I have a bad habit of doing that and it will throw an error if I do it. It's a habit from other applications like gobuster where I have to specify -w /usr/share/wordlists/dirbuster/list.txt.

I've never much looked into Mask Attacks before. My understanding was essentially they're a brute force attack (aaaa-zzzz), but you can specify specific characters where ?l is lowercase, ?u is uppercase, ?d is a decimal and ?a is all (upper, lower, decimal and symbol). ?s would be symbols.

Eg: P@$$w0rd1! as a mask would look like ?u?s?s?s?l?d?l?l?d?s.

Therefore would stand that a bruteforce would naturally be ?a?a?a?a?a?a?a (all possible combinations of upper, lower, numbers and symbols) which by definition is a mask... I thought. I could be wrong, like I said, I haven't really investigated it.

Your last point (misunderstanding the benchmark) is quite possible..

without specifying any mask, hashcat will use the default mask, see

The default mask is probably not what you would call brute-force.

it's actually not even clear what we should generally call "brute-force": is it --increment ?a?a?a?a?a?a?a?a or --increment ?b?b?b?b?b?b?b etc
several people have different interpretation of "brute-force" i.e. trying ALL possibilities... it's just better to be specific and tell hashcat what you want to run. The default mask is neither the all ?a, nor all ?b... it's just a very good mask that works quite well for the general use, but might not be what you want (if you don't know the detail about the default mask).

So the best advice is to always specify a mask with -a 3