MD5 mask cracking - exhausted/different result each time
#1
Hello,
yesterday I needed to crack one MD5 hash, which I didn't manage with hashcat.
I recovered it by tcpdump-ing my FTP server, and I was very surprised hashcat did not found it.

I thought I get the mask right - I was using before aircrack-ng, so I am not completely new to this stuff.

I am using latest version 6.1.1 on windows 10 cmd/PS. 
I wouldn't dare to send bug report to github after one day with hashcat, so I am asking here Smile
Could someone tell me what is wrong?

For testing I am using md5 hash f86bdb19deb2c5ab632734b8d884ce06:testowy
(I hope it is OK to post hash together with its plaintext)

Code:
hashcat.exe -a 3 -m 0 hashes2.txt testo?l?l
Code:
hashcat.exe -a 3 -m 0 hashes2.txt test?l?l?l

With 2 variables I repeat this command few times, delete potfile inbetween, and i get different result each time: usually correct, frequently wrong, sometimes exhausted.

With 3 or more variables hashcat is always exhausted.

Optimization -O does not change anything.




Code:
hashcat.exe -a 3 -m 0 hashes2.txt testo?l?l
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) Pentium(R) CPU 2117U @ 1.80GHz, skipped
* Device #2: Intel(R) HD Graphics, 1336/1400 MB (350 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 77 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

f86bdb19deb2c5ab632734b8d884ce06:testowx

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: f86bdb19deb2c5ab632734b8d884ce06
Time.Started.....: Wed Aug 05 15:11:58 2020 (0 secs)
Time.Estimated...: Wed Aug 05 15:11:58 2020 (0 secs)
Guess.Mask.......: testo?l?l [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:    79777 H/s (0.12ms) @ Accel:1024 Loops:1 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 676/676 (100.00%)
Rejected.........: 0/676 (0.00%)
Restore.Point....: 0/676 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: testona -> testoqg

Started: Wed Aug 05 15:11:54 2020
Stopped: Wed Aug 05 15:11:59 2020

another result:
Code:
hashcat.exe -a 3 -m 0 hashes2.txt testo?l?l
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) Pentium(R) CPU 2117U @ 1.80GHz, skipped
* Device #2: Intel(R) HD Graphics, 1336/1400 MB (350 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 77 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

f86bdb19deb2c5ab632734b8d884ce06:testowp

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: f86bdb19deb2c5ab632734b8d884ce06
Time.Started.....: Wed Aug 05 15:16:44 2020 (0 secs)
Time.Estimated...: Wed Aug 05 15:16:44 2020 (0 secs)
Guess.Mask.......: testo?l?l [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  231.1 kH/s (0.12ms) @ Accel:1024 Loops:1 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 676/676 (100.00%)
Rejected.........: 0/676 (0.00%)
Restore.Point....: 0/676 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: testona -> testoqg

Started: Wed Aug 05 15:16:40 2020
Stopped: Wed Aug 05 15:16:45 2020

or even
 
Code:
hashcat.exe -a 3 -m 0 hashes2.txt testo?l?l
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) Pentium(R) CPU 2117U @ 1.80GHz, skipped
* Device #2: Intel(R) HD Graphics, 1336/1400 MB (350 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 77 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: MD5
Hash.Target......: f86bdb19deb2c5ab632734b8d884ce06
Time.Started.....: Wed Aug 05 15:17:35 2020 (0 secs)
Time.Estimated...: Wed Aug 05 15:17:35 2020 (0 secs)
Guess.Mask.......: testo?l?l [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:    93737 H/s (0.10ms) @ Accel:1024 Loops:1 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 676/676 (100.00%)
Rejected.........: 0/676 (0.00%)
Restore.Point....: 676/676 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: testona -> testoqg

Started: Wed Aug 05 15:17:32 2020
Stopped: Wed Aug 05 15:17:37 2020

3 variables:
Code:
hashcat.exe -a 3 -m 0 hashes2.txt test?l?l?l
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) Pentium(R) CPU 2117U @ 1.80GHz, skipped
* Device #2: Intel(R) HD Graphics, 1336/1400 MB (350 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 77 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: MD5
Hash.Target......: f86bdb19deb2c5ab632734b8d884ce06
Time.Started.....: Wed Aug 05 15:28:28 2020 (0 secs)
Time.Estimated...: Wed Aug 05 15:28:28 2020 (0 secs)
Guess.Mask.......: test?l?l?l [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  1292.8 kH/s (1.78ms) @ Accel:1024 Loops:1 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 17576/17576 (100.00%)
Rejected.........: 0/17576 (0.00%)
Restore.Point....: 17576/17576 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: testeri -> testqxq

Started: Wed Aug 05 15:28:25 2020
Stopped: Wed Aug 05 15:28:29 2020
Reply
#2
very bad. we call this false positive (or just a wrong result)..

just try with -D 1 , it will work perfectly fine.

it seems to be a driver problem, because the same code works on each and every other opencl/cuda device perfectly fine.

maybe you can update the driver or something. otherwise I would recommend to use a modern NVIDIA GPU or use -D 1.

I don't think we can do much here. can't reproduce this on my systems. The command works perfectly fine and the correct results are returned (testowy).

BTW: for the next time, do not forget that forum rules do not allow posting hashes
Reply
#3
Thank you for reply Smile
Reply