05-10-2011, 04:11 PM
GPU bruteforcing NTLM hashes using oclHashcat
Find my tutorial on how to get NTLM hashes here
This is a brief overview of Hashcat and mainly oclHashcat.
Hashcat is the world's fastest CPU-based password recovery tool. There are also GPU counterparts: oclHashcat, oclHashcat-plus and oclHashcat-list.
Hashcat is a program that can be used to recover plain text strings for a variety of hashing methods including but not limited to:
MD5
SHA1
MySQL
NTLM
Attack-Modes
Straight
Combination
Toggle-Case
Brute-Force
Permutation
Table-Lookup
oclHashcat
oclHashcat (also known as cudaHashcat) is the world's fastest GPU-based password recovery program. There is no GUI for oclHashcat.
I'm surprised that I'd never heard of this program until a few days ago, when someone pointed it out to me in IRC. oclHashcat also lets you utilise multiple GPUs (I have two in this machine, which both support CUDA).
You *can* use ATI cards I think, but we're all green team here.
The first thing you look at for a new program is the help menu.
Code:
cudaHashcat64.exe --help
You'll need to be in the directory you want to run it from. Another bonus about this program is that you don't need to install it! It works on Windows and Linux as well.
Usage: cudaHashcat [options] hashlist dict_left|mask_left dict_right|mask_right
It's really simple to use; the only thing that stumped me was the way it uses two masks for cracking, a left side and a right side.
For bruteforcing your options are:
?l = lowercase
?u = uppercase
?d = digits
?s = special characters
What you'll want to do is specify a custom charset by using "-1":
Code:
-1 ?l?d?s?u
Now you've told it that charset "-1", written as ?1 inside a mask, is equivalent to ?l?d?s?u.
Code:
D:\Desktop\oclHashcat-0.26\oclHashcat-0.26>cudaHashcat64.exe out-hash.txt -o out-hash-cracked.txt --outfile-format=0 -m 1000 -1 ?l?d ?1?1?1?1 ?1?1?1?1
OUTPUT=
-1 ?l?d?s?u ?1?1?1?1 ?1?1?1?1
?1?1?1?1 = left
?1?1?1?1 = right
Totals 8 chars
This will perform an 8 character bruteforce on the hashes within out-hash.txt; when it cracks one, it'll put the hash and password into out-hash-cracked.txt. Note that the command shown above defines -1 as ?l?d (lowercase and digits) rather than the full ?l?d?s?u.
-m 1000 tells it that it's cracking NTLM hashes.
Check out this video with purehate from the backtrack dev team.
Extra Info
Hashcat's Website: http://hashcat.net
User Manual: http://hashcat.net/files/hashcat_user_manual.pdf
Images
Out of 137 hashes you can see that I only managed to crack 12 and using GPU I was able to try 300/400 million passwords a second. It took 2 hours something.
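For judging how much margin a password policy leaves against this kind of run, the following added example (not part of the original post) computes the keyspace of a left/right mask pair with a -1 charset and the worst-case time to exhaust it at the rates quoted above. The function names and the size of ?s (33 characters) are assumptions.

```python
import string

# Mask classes listed in the post. The exact contents of ?s (32 ASCII
# punctuation characters plus space) are an assumption, not from the post.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation + " "),
}


def tokens(mask):
    """Split '?l?d' into ['l', 'd']; literal characters are not handled."""
    if len(mask) % 2 or any(c != "?" for c in mask[0::2]):
        raise ValueError(f"expected only ?x placeholders: {mask!r}")
    return list(mask[1::2])


def keyspace(left, right, custom1=None):
    """Number of candidates for a left/right mask pair and an optional -1 set."""
    sets = dict(BUILTIN)
    if custom1 is not None:
        # -1 is the union of the classes it names, so overlaps count once.
        sets["1"] = set().union(*(BUILTIN[t] for t in tokens(custom1)))
    total = 1
    for t in tokens(left) + tokens(right):
        if t not in sets:
            raise ValueError(f"unknown or undefined class ?{t}")
        total *= len(sets[t])
    return total


def hours_to_exhaust(candidates, per_second):
    """Worst-case hours to try every candidate at a fixed rate."""
    return candidates / per_second / 3600


if __name__ == "__main__":
    # Charsets and rates taken from the post; 8 positions in each case.
    for cs in ("?l?d", "?l?d?s?u"):
        n = keyspace("?1?1?1?1", "?1?1?1?1", cs)
        for rate in (300e6, 400e6):
            print(f"-1 {cs:9} {n:>20,} candidates, "
                  f"{hours_to_exhaust(n, rate):>10,.1f} h at {rate:,.0f}/s")
```

With -1 ?l?d the 8-character space is exhausted in about 2 to 2.6 hours at these rates, which matches the run time reported above; with all four classes the same length takes roughly 190 to 260 days.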