hashcat exhausted что значит
hashcat
advanced password recovery
I am having a problem with hashcat. I seem able to only crack hashes as long as it is only one single hash inside my hashes text file. If I put multiple hashes. it will not crack any. I separate the hashes by putting each one on a new line, and I have generated the hashes myself and tried cracking them separately and it works. So, what am I doing wrong here?
hashes.txt
Wordlists\wordlist1.txt
cracked.txt
My run of the code is:
UPDATE: I am now using ‘Notepad ++’, same thing is still happening. I now get no hashes cracked still. Even if I have the passwords in my wordlist.
Here is the cmd log:
Device #1: GeForce GTX 970M, 3072MB, 1038Mhz, 10MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you erro
rs of code 702
You can disable it with a regpatch, see here: http://hashcat.net/wiki
/doku.php?id=timeout_patch
Cache-hit dictionary stats Wordlists\wordlist1.txt: 174 bytes, 20 words, 20 keys
pace
ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of y
our GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/forum/thread-4161.html
Session.Name. cudaHashcat
Status. Exhausted
Input.Mode. File (Wordlists\wordlist1.txt)
Hash.Target. File (hashes.txt)
Hash.Type. MD5
Time.Started. 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1. 0 H/s
Recovered. 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress. 20/20 (100.00%)
Skipped. 0/20 (0.00%)
Rejected. 0/20 (0.00%)
HWMon.GPU.#1. 0% Util, 50c Temp, N/A Fan
Started: Wed Apr 08 14:27:30 2015
Stopped: Wed Apr 08 14:27:32 2015
hashcat
advanced password recovery
When I’m running this command:
Status. Exhausted
Input.Mode. Mask (?1)
Hash.Target. File (uncracked.txt)
Hash.Type. MD5
Time.Running.: 1 sec
Time.Left. 0 secs
Time.Util. 1025.5ms/168.4ms Real/CPU, 19.7% idle
Speed. 153 c/s Real, 26611 c/s GPU
Recovered. 0/2456 Digests, 0/1 Salts
Progress. 157/157 (100.00%)
Rejected. 0/157 (0.00%)
HWMon.GPU.#1.: 35% Util, 45c Temp, 10% Fan
I’m using a 7970, and it works with wordlists, etc, and other masks, with other hash lists.
Any idea why it’s happening?
(12-24-2012, 03:17 AM) Toil Wrote: Input.Mode. Mask (?1)
Progress. 157/157 (100.00%)
(12-24-2012, 03:17 AM) Toil Wrote: Input.Mode. Mask (?1)
Progress. 157/157 (100.00%)
But, what does it mean «exhausted»
Finished?
Use the increment flag to run all combinations of the mask up to the length you provide or specify no mask and use the build in set
Quote: But, what does it mean «exhausted»
Finished?
Quote: But, what does it mean «exhausted»
Finished?
yes, it means you have exhausted the given keyspace without finding the password.
$ cat o
0610a910e9cd7ec9f78b7e3f4d959e6f
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status. Running
Input.Mode. Mask (?1?2?2?2)
Hash.Target. 0610a910e9cd7ec9f78b7e3f4d959e6f
Hash.Type. MD5
Time.Running.: 0 secs
Time.Left. 0 secs
Time.Util. 137.7ms/0.0ms Real/CPU, 0.0% idle
Speed. 0 c/s Real, 0 c/s GPU
Recovered. 0/1 Digests, 0/1 Salts
Progress. 0/80352 (0.00%)
Rejected. 0/0 (0.00%)
HWMon.GPU.#1.: 31% Util, 40c Temp, 10% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status. Running
Input.Mode. Mask (?1?2?2?2?2?2)
Hash.Target. 0610a910e9cd7ec9f78b7e3f4d959e6f
Hash.Type. MD5
Time.Running.: 0 secs
Time.Left. 0 secs
Time.Util. 218.5ms/169.0ms Real/CPU, 341.7% idle
Speed. 0 c/s Real, 0 c/s GPU
Recovered. 0/1 Digests, 0/1 Salts
Progress. 0/3748902912 (0.00%)
Rejected. 0/0 (0.00%)
HWMon.GPU.#1.: 31% Util, 40c Temp, 10% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit => q
Status. Aborted
Input.Mode. Mask (?1?2?2?2?2?2)
Hash.Target. 0610a910e9cd7ec9f78b7e3f4d959e6f
Hash.Type. MD5
Time.Running.: 1 sec
Time.Left. 0 secs
Time.Util. 1149.2ms/169.0ms Real/CPU, 17.2% idle
Speed. 2919.9M c/s Real, 6088.5M c/s GPU
Recovered. 0/1 Digests, 0/1 Salts
Progress. 3355443200/3748902912 (89.50%)
Rejected. 0/3355443200 (0.00%)
HWMon.GPU.#1.: 31% Util, 41c Temp, 10% Fan
Started: Mon Dec 24 22:46:10 2012
Stopped: Mon Dec 24 22:46:12 2012
oclHashcat-plus v0.09 by atom starting.
Status. Cracked
Input.Mode. Mask (?1?1?1?1)
Hash.Target. 0610a910e9cd7ec9f78b7e3f4d959e6f
Hash.Type. MD5
Time.Running.: 1 sec
Time.Util. 1028.2ms/168.4ms Real/CPU, 19.6% idle
Speed. 79214.1k c/s Real, 4241.3M c/s GPU
Recovered. 1/1 Digests, 1/1 Salts
Progress. 81450625/81450625 (100.00%)
Rejected. 0/81450625 (0.00%)
HWMon.GPU.#1.: 28% Util, 41c Temp, 10% Fan
Started: Mon Dec 24 22:46:49 2012
Stopped: Mon Dec 24 22:46:51 2012
hashcat
advanced password recovery
I am having a problem with hashcat. I seem able to only crack hashes as long as it is only one single hash inside my hashes text file. If I put multiple hashes. it will not crack any. I separate the hashes by putting each one on a new line, and I have generated the hashes myself and tried cracking them separately and it works. So, what am I doing wrong here?
hashes.txt
Wordlists\wordlist1.txt
cracked.txt
My run of the code is:
UPDATE: I am now using ‘Notepad ++’, same thing is still happening. I now get no hashes cracked still. Even if I have the passwords in my wordlist.
Here is the cmd log:
Device #1: GeForce GTX 970M, 3072MB, 1038Mhz, 10MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you erro
rs of code 702
You can disable it with a regpatch, see here: http://hashcat.net/wiki
/doku.php?id=timeout_patch
Cache-hit dictionary stats Wordlists\wordlist1.txt: 174 bytes, 20 words, 20 keys
pace
ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of y
our GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/forum/thread-4161.html
Session.Name. cudaHashcat
Status. Exhausted
Input.Mode. File (Wordlists\wordlist1.txt)
Hash.Target. File (hashes.txt)
Hash.Type. MD5
Time.Started. 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1. 0 H/s
Recovered. 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress. 20/20 (100.00%)
Skipped. 0/20 (0.00%)
Rejected. 0/20 (0.00%)
HWMon.GPU.#1. 0% Util, 50c Temp, N/A Fan
Started: Wed Apr 08 14:27:30 2015
Stopped: Wed Apr 08 14:27:32 2015
Взлом хешей с помощью HashCat
Hashcat – это самая быстрая и передовая утилита для восстановления паролей, поддерживающая пять уникальных режимов атаки для более чем трёхсот алгоритмов хеширования.
Hashcat поддерживает:
Также hashcat имеет средства, которые помогают включить распределенный взлом паролей.
HashCat поддерживает следующие режимы атаки:
С помощью данной команды можно проверить все доступные параметры:
Сегодня мы будем использовать режим атаки по словарю.
Содержание:
MD5-хеши
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
Пример:
Команда:
MD5-хеши с солью
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
Пример:
md5($pass.$salt):
01dfae6e5d4d90d9892622325959afbe:7050461> hash.txt
Команда:
Хеш-суммы MD5Crypt
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
Пример:
Команда:
HMAC-SHA1 key
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
Пример:
Команда:
Хеш-суммы SHA-1
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
Пример:
Команда:
Хеши SHA2–384
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
Пример:
SHA2-384 07371af1ca1fca7c6941d2399f3610f1e392c56c6d73fddffe38f18c430a2817028dae1ef09ac683b62148a2c8757f42> hash.txt
Команда:
Хеши SHA3–512
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
Пример:
SHA3–512 7c2dc1d743735d4e069f3bda85b1b7e9172033dfdd8cd599ca094ef8570f3930c3f2c0b7afc8d6152ce4eaad6057a2ff22e71934b3a3dd0fb55a7fc84a53144e >hash.txt
Команда:
NTLM-хеши
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
Пример:
Команда:
CRC32-хеши
Убедитесь, что входные хеши имеют совместимый с hashcat формат.
hashcat
advanced password recovery
Table of Contents
Overview
Table of Contents
Pre-Installation
Why does a window pop up and close immediately?
The reason for this is that the hashcat tools are command line tools only.
See the wiki page Help for ubernoobs to troubleshoot this problem.
I am a complete noob, what can I do for getting started?
The best way to get started with software from hashcat.net is to use the wiki. Furthermore, you can use the forum to search for your specific questions (forum search function).
Please do not immediately start a new forum thread, first use the built-in search function and/or a web search engine to see if the question was already posted/answered
There are also some tutorials listed under Howtos, videos, papers, articles etc in the wild to learn the very basics. Note these resources can be outdated
I know an online username. How can I use hashcat to crack it?
You can’t. That’s not the way hashcat works.
hashcat cannot help you if you only have a username for some online service. hashcat can only attack back-end password hashes.
Why are there different versions of *hashcat?
Why are there so many binaries, which one should I use?
First, you need to know the details about your operating system:
Starting from this information, the selection of the correct binary goes like this:
For hashcat, the CPU usage should be very low for these binaries (if you do not utilize a OpenCL compatible CPU).
How do I verify the PGP signatures?
Linux
Start by downloading the signing key:
Download the latest version of hashcat and its corresponding signature. For our example, we’re going to use wget to download version 6.1.1:
Verify the signature by running:
Your output will look like this:
Manually inspect the key fingerprint to assure that it matches what’s on the website.
Windows
Is there a hashcat GUI?
There are third-party graphical and web-based user interfaces available. The most up-to-date one is this: http://www.hashkiller.co.uk/hashcat-gui.aspx and https://github.com/s77rt/hashcat.launcher
We neither develop nor maintain these tools, so we can not offer support for them. Please ask the authors of the software for support or post questions on the forums you got the software from.
Installation
How do I install hashcat?
There is no need to really install hashcat or hashcat legacy (CPU only version). You only need to extract the archive you have downloaded.
Please note, your GPU must be supported and the driver must be correctly installed to use this software.
If your operating system or linux distribution does have some pre-build installation package for hashcat, you may be able to install it using those facilities. For example, you can use the following under Kali Linux:
and update it with:
Even if this is supported by some distributions, we do not directly support this here since it depends on the package maintainers to update the packages, install the correct dependencies (some packages may add wrappers, etc), and use reasonable paths.
In case something isn’t working with the packages you download via your package manager, we encourage you to just download the hashcat archive directly, enter the folder, and run hashcat. This is the preferred and only supported method to “install” hashcat.
How does one install the correct driver for the GPU(s)?
Always make sure you have downloaded and extracted the newest version of hashcat first.
If you have already a different driver installed than the recommended from the before mentioned download page, make sure to uninstall it cleanly (see I may have the wrong driver installed. What should I do?).
At this time you need to install the proprietary drivers for hashcat from nvidia.com and amd.com respectively. Do not use the version from your package manager or the pre-installed one on your system.
There is a detailed installation guide for linux servers. You should prefer to use this specific operating system and driver version because it is always thoroughly tested and proven to work.
If you prefer to use a different operating system or distribution, you may encounter some problems with driver installation, etc. In these instances, you may not be able to receive support. Please, always double-check if AMD or NVidia do officially support the specific operating system you want to use. You may be surprised to learn that your favorite Linux distribution is not officially supported by the driver, and often for good reasons.
GPU device not found, why?
and reboot. It is recommended to generate an xorg.conf for Nvidia GPUs on a linux based system as well, in order to apply the kernel timeout patch and enable fan control
I may have the wrong driver installed, what should I do?
What does the cuModuleLoad() 209 error mean?
This error can simply mean that the version of the driver that you have installed is too old:
If the problem still exist:
What does the cuModuleLoad() 301 error mean?
Official SDK ErrorCode: CUDA_ERROR_FILE_NOT_FOUND = 301
You’ve unpacked the hashcat.7z archive using the command “7z e”. This destroys the directory structure.
NVidia added a completely new ShaderModel which is not yet support by hashcat.
If the problem still exist:
This is the typical error message you get when you’re AMD driver installation is faulty. You need to reinstall the recommended driver (while making sure that there is no older driver libs conflicting with it).
This is the typical error message you get when your AMD driver installation is faulty. You need to reinstall the recommended driver.
Receiving this error means that hashcat could not detect any capable GPUs in your system. If you are positive that you have capable GPUs you can try the following suggestions to fix your system:
This is the typical “Out-Of-Memory” Error, and is not driver related. Note that this refers to your GPU memory, not host memory. Also note that there is a maximum allocation size which is typically only 256MB. That means even if your GPU has 4GB ram, hashcat is allowed only to allocate 256MB per buffer.
This is not a driver related error. This error occurs mostly in cases where you are using too many rules. You can adjust the following parameters to reduce your total rule count:
What does the cuStreamSynchronize() 702 error mean?
The most likely reason of this problem is that hashcat could not perfectly map the found and supported OpenCL devices to the devices that the ADL (AMD Display Library) did find. The main problem here is that ADL and OpenCL do use some different means to describe/priorize/sort/name/identify the different devices.
There is little hashcat can do to avoid this problem since the bus id and device id are sometimes the same (reported by OpenCL), even if we are dealing with 2 “different” (but similar) GPUs.
The most likely reason for this problem is that hashcat could not perfectly map the found and supported OpenCL devices to the devices that the ADL (AMD Display Library) did find. ADL and OpenCL do use some different means to describe/priorize/sort/name/identify the different devices, which can contribute to this problem.
There is little hashcat can do to avoid this problem since the bus id and device id are sometimes the same (reported by OpenCL), even if we are dealing with 2 “different” (but similar) GPUs.
In this particular case, hashcat fails to get the temperature of the GPU which uses overdrive 5. This could be because the mapping somehow failed and the device is an overdrive 6 GPU instead or something similar.
I got this error message: undefined symbol: nvmlInit_v2 Error, what does it mean?
This is simple. You are using a version of the Nvidia ForceWare driver that is way too old. It is time to update!
This is a typical error with AMD GPUs when using the packaged driver (*.deb package) as “/usr/lib/libOpenCL.so.1” is exchanged by the package.
How can I use old hashcat/oclHashcat versions?
We really encourage you to always use the latest and greatest version of hashcat. In general, it comes with several improvements, problem fixes, new features, better GPU support etc. In our opinion, there is only one valid reason to use older versions of hashcat: when AMD/NVidia dropped support for your graphics card and hashcat developers decided that it is more appropriate to support the newer generation cards (and hence support/optimize code for the more recent driver versions) instead of keeping support for no-longer supported GPUs.
Post-Installation
I see only the usage, it seems to be a syntax error. What should I do?
For hashcat legacy:
This means for instance that the hash file comes before the word list, directory or mask. Swapping these parameters, e.g. hash file after the mask, is not supported.
hashcat unpacks to 1GB or more, do I really need all the files?
It depends on your system, but usually you do not need all the files within the extracted hashcat folder. The most space is taken from the precompiled kernel files. There’s is a kernel for each GPU type. When hashcat starts up it queries model from your GPU and loads the corresponding kernel for it. This ensures maximum performance.
Depending on if you have a Nvidia or AMD system, the bitness is also important. For NVidia systems there are kernels for 32 bit and 64 bit. So if you use a 64 bit system you don’t need the 32 bit kernels at all and you can safely remove them.
But there is more. It’s unlikely that you have all GPU types in a single system. You can safely remove those kernel files which correspond to GPUs that you do not have in your system. To find out which GPU you have, you can run:
On this system I have 3 graphic cards installed. One uses sm_21, one uses sm_50 and one uses sm_52. So I can safely remove all kernel that do not match this list (but only those with sm_xx within the file name for NVidia).
On AMD systems it’s a bit different. They are distinguished by either VLIW1, VLIW4 and VLIW5. Basically you can say that all GCN (hd7970, R9 cards) cards are VLIW1. VLIW4 is for the 6xxx series and VLIW5 for the 5xxx series. That means, for example, you can typically remove all VLIW4 and VLIW5 kernel if you only have a hd7970 in your system (but only remove those kernels which have the VLIWx within the file name for AMD).
Basic cracking knowledge
What does «Status: Exhausted» mean?
Exhausted simply means hashcat has tried every possible password combination in the attack you have provided, and failed to crack 100% of all hashes given. In other words, hashcat has finished doing everything you told it to do – it has exhausted its search to crack the hashes. You should run hashcat again with a different attack/word list/mask etc.
What is a hashcat mask file?
The format of the lines is defined here: hashcat mask file
Each and every field mentioned above is separated by a comma (“,”, without quotes). If an optional field is not specified, the comma does not need and can’t be written down, hence if you only want to specify a mask (without the optional custom char sets), the lines should look like this:
If 2 custom char sets are needed, you would use something like this:
… and so on and so forth (up to the 4 supported custom char sets).
There are 4 important syntax rules:
What exactly is a weak hash?
The weak hash detection is a special feature of hashcat. The goal of this feature is to notice if there is a hash whose plaintext is empty, that means a 0-length password. Typically when you just hit enter. We call it a weak-hash check even if it should have been called weak-password check but there are simply too many weak-passwords.
However, if your hashlist contains millions of salts we have to run a kernel for each salt. If you want to check for empty passwords for that many salts you will have a very long initialization/startup time by running hashcat. To work around this problem there is a parameter called «—weak-hash-threshold». With it you can set a maximum number of salts for which weak hashes should be checked on start. The default is set to 100, that means if you use a hashlist with 101 unique salts it will not try to do a weak-hash check at all. Note we are talking about unique salts not unique hashes. Cracking unsalted hashes results in 1 unique salt (an empty one). That means if you set it to 0 you are disabling it completely, also for the unsalted hashes.
What is a potfile?
The potfile stores which hashes were already cracked, and thus won’t be cracked again.
It also has an enormous effect on cracking salted hashes. If hashcat notices that all hashes which are bound to a specific salt are cracked, it’s safe to not generate new guesses for this specific salt anymore. This means, for example, if you have 2 hashes with different salts and one is cracked, the speed is doubled. Now if you restart the session for any reason the potfile marks the one cracked hash as cracked and so the salt is marked as cracked. You startup with doubled guessing speed.
Now you have both, the original list and the left list.
It’s also safe to copy (or append) the data from one potfile to another.
How can I identify the hash type?
There is no concrete method for identifying a hash algorithm using the hash alone.
Some hashes have signatures which give a strong indication of which algorithm was used, such as “$1$” for md5crypt. Usually you can rely on this information; however, this method of identification is not bullet-proof! For example, consider an algorithm such as crypt(sha256(pass), “$1$”).
For hashes which have no signature, it is virtually impossible to distinguish which algorithm was used. A string of 32 hex characters could be LM, NTLM, MD4, MD5, double MD5, triple md5, md5(sha512(pass)), so on and so forth. There is literally an infinite number of possibilities for what the algorithm may be!
Tools which claim to be able to identify hashes simply use regular expressions to match the hash against common patterns. This method is extremely unreliable and often yields incorrect results. It is best to avoid using such tools.
A much better way to identify the hash algorithm would be to understand the origin of the hashes (e.g. operating system, COTS application, web application, etc.) and make an educated guess at what the hash algorithm might be. Or better yet, use the source!
For some example hashes see the example hashes wiki page.
Hashcat reports «Status: Cracked», but did not print the hash value, and the outfile is empty. What happened?
If you see the line “INFO: removed X hashes found in pot file”, where X could be any number greater than 0, it means that you had already cracked the target hash during a previous run of this session. The hash will not be cracked again for the following reasons:
The reason for not showing/storing the same crack is that it is a waste of resources to crack a single hash more than once and hashcat assumes that if it was already cracked, the user did already “see” the password. The potfile-reading feature (at startup) will check if some hashes within the hash list were already cracked and marked them as “already cracked” without trying to crack them again and again.
How can I show previously cracked passwords, and output them in a specific format (e.g. email:password)?
—show is always used after the hashes have been cracked; therefore, you only need (and should not specify more than) these command line arguments:
Note: You do not need – and should not specify – any mask, dictionary, wordlist directory, etc.
An example how this 2-fold process would look like is shown below:
1. crack the hashes:
What is a keyspace?
To tell devices which candidates to generate on GPU, hashcat keeps track of some of the candidates on the host. To do this, there are two loops: a loop that runs on the host (the “base loop”), and a loop that runs on the device (the “mod(ifier) loop.”)
The keyspace is calculated according to the following formulas for each program:
hashcat legacy
hashcat
You can calculate the keyspace for a specific attack with the following syntax:
(Don’t include the hashfile!)
Various languages use different character encodings. It may seem overwhelming that there are many different encoding types, many languages, and many different characters that exist. What you need to know when it comes to encoding is that most, if not all, hashing algorithms do not care about encoding at all. Hash algorithms just work with the single bytes a password is composed of. That means if you input a password that contains, for example, a German umlaut, this can result in multiple different hashes of the same unsalted algorithm. To further illustrate this, you will see three different hashes depending on whether you have used ISO-8859-1, utf-8 or utf-16.
There’s no built-in character conversation in hashcat, but this doesn’t mean you can not crack them:
So you need to solve this problem outside of hashcat / hashcat legacy. An easy solution would be to simply convert your wordlists with iconv:
When using Brute Force, if you’re fine to stick to ISO/codepage encodings there are special hashcat charsets that can be found in the charset/ folder:
But note, nowadays a lot of sources use utf-8. This makes things a bit more complicated.
Here’s a nice blog-post of how to deal with utf-8 and utf-16 with hashcat legacy and hashcat: http://blog.bitcrack.net/2013/09/cracking-hashes-with-other-language.html
Attack-Modes
Why should I use a mask attack? I just want to «brute» these hashes!
Read Mask attack. A mask attack is a modern and more advanced form of “brute force”.
It can fully replace brute force, and at the same time mask attacks are more flexible and more capable than traditional brute force attacks.
The general options you should consider/need are:
An example command would therefore look something like this:
I do not know the password length, how can I increment the length of the password candidates?
Attention: these are commands that should not be used, they do not work (there only purpose is to show you what is not accepted)
I want to optimize my Brute-Force attack by ordering letters by frequency in a custom charset. How to do it? Does it make sense?
For example a combinator attack that toggles the first character of every input from the leftside.txt:
How does one use several rules at once?
Firstly, we need to distinguish 2 different cases:
For case number 1 you can just “cat” the individual files
The following description will deal only with case number 2 (the rules should be chained, applied at the same time).
hashcat allows for rule stacking. This can easily be achieved just by appending more rule files to your attack.
OK, there is a hybrid attack for append mask and prepend mask, but what if I want to use both at the same time?
To do this, you can use the rule-stacking feature of hashcat: How does one use several rules at once?
Such rules exist for all the common charsets.
You can easily create your own hybrid rules using maskproessor: rules_with_maskprocessor
Hashcat iterates through the given mask until the full length is reached.
How to use multiple dictionaries?
If you use hashcat with a Dictionary attack (-a 0) you can specify several dictionaries on the command line like this:
Furthermore, if you want to specify a directory directly instead, you could simply specify the path to the directory on the command line:
Note: sometimes it makes sense to do some preparation of the input you want to use for hashcat (outside of hashcat). For instance, it sometimes makes sense to sort and unique the words across several dictionaries if you think there might be several “duplicates”:
hashcat utils might also come handy to do some preparation of your wordlists (for instance the splitlen utility etc)
Why are there 5 different toggle rules in the rules/ folder?
You often hear the following: A great and simple way to make your password harder to crack is to use upper-case characters. This means you flip at least two characters of your password to upper-case. But note: don’t flip them all. Try to find some balance between password length and number of upper-case characters.
We can exploit this behavior leading to an extreme optimized version of the original Toggle-case attack by generating only all these password candidates that have two to five characters flipped to upper-case. The real strong passwords have this balance, they will not exceed this rule. So we don’t need to check them.
This can be done by specialized rules and since hashcat and hashcat legacy support rule-files, they can do toggle-attacks that way too.
Depending on the rule-name they include all possible toggle-case switches of the plaintext positions 1 to 15 of either 1, 2, 3, 4 or five 5 characters at once.
The reason why there is no (syntax) error shown when you didn’t specify any mask, is that hashcat/hashcat legacy have some default values for masks, custom charsets etc. This sometimes comes in very handy since the default values were chosen very wisely and do help some new users to get started very quickly.
This also implies that when you don’t specify a mask explicitly, it could happen (and is very likely) that you do not crack some hashes which you might expect to be cracked immediately/easily (because of the reduced keyspace of the default mask). Therefore, we encourage you that you always should specify a mask explicitly to avoid confusion.
How does one use the new prince attack mode with hashcat legacy?
For hashcat you need to use a pipe and the princeprocessor (standalone binary) from here:
Then your simply pipe like this for slow hashes:
In case you want to crack fast hashes you need to add an amplifier to archieve full speed:
I have a half-known password. I know the first 4 letters, can hashcat get the rest of the password?
Yeah that actually works, thanks to the mask attack! To understand how to make use of this information you really need to read and understand the mask-attack basics. So please read this article first: Mask Attack
Now that you’ve read the Mask Attack article it’s easy to explain. For example consider that you know that the first 4 chars of the password are “Pass” and you know that there’s like 3 or 4 or 5 more letters following from which you do not know if they are letters, digits or symbols you can do the following mask:
To understand how this works with the incremental, please also read this article:
Why are there two different hash-modes for Vbulletin?
There are actually two different hash-modes for Vbulletin. Somewhere between version v3 and v4 they’ve changed the default salt-length from 3 characters to 30 characters. From a high-level programming language view this has no impact but from our low-level view this is really a difference. That’s because of the block-modes used in many hashes, even in that case.
Vbulletin uses a scheme that is simply written like this: md5(md5(pass).salt)
So it first computes the md5 hash of the password itself and then it concatinates it with the salt. Since the software rely on PHP and the md5 function in PHP returns by default a ascii hex repesentation we have a total length in the final md5() transformation of length 32 + 30 = 62.
Performance
How much faster is cracking on Linux compared to a Windows operating system?
Not at all and that’s true for both hashcat and hashcat legacy. Even the GPU drivers are equally good or bad (depends on how you see it).
How can I perform a benchmark?
If you want to find out the maximum performance of your setup under ideal conditions (single hash brute force), you can use the built-in benchmark mode.
This mode is simply a brute force attack with a big-enough mask to create enough workload for your GPUs against a single hash of a single hash-type. It just generates a random, uncrackable hash for you on-the-fly of a specific hash-type. So this is basically the same as running:
Please note the actual cracking performance will vary depending on attack type, number of hashes, number of salts, keyspace, and how frequently hashes are being cracked.
The parameters you should consider when starting a benchmark are:
This means, that for instance a command as simple as this:
My desktop lags too much, anything I can do to avoid it?
In order to give the GPU more breathing room to handle the desktop you can set a lower (“-w 1”) workload profile:
However, be aware that this also will decrease your speed.
Is the 64 bit version faster than the 32 bit version?
Generally you should use the 64 bit versions as these are the ones the developer use, too.
What is it that you call «GPU power»?
The GPU power is simply the amount of base-words (per GPU) which are computed in parallel per kernel invocation. Basically, it’s just a number: S * T * N * V
How to create more work for full speed?
This is a really important topic when working with Hashcat. Let me explain how Hashcat works internally, and why this is so important to understand.
GPUs are not magic superfast compute devices that are thousands of times faster than CPUs – actually, GPUs are quite slow and dumb compared to CPUs. If they weren’t, we wouldn’t even use CPUs anymore; CPUs would simply be replaced with GPU architectures. What makes GPUs fast is the fact that there are thousands of slow, dumb cores (shaders.) This means that in order to make full use of a GPU, we have to parallelize the workload so that each of those slow, dumb cores have enough work to do. Password cracking is what is known as an “embarrassingly parallel problem” so it is easy to parallelize, but we still have to structure the attack (both internally and externally) to make it amenable to acceleration.
For most hash algorithms (with the exception of very slow hash algorithms), it is not sufficient to simply send the GPU a list of password candidates to hash. Generating candidates on the host computer and transferring them to the GPU for hashing is an order of magnitude slower than just hashing on the host directly, due to PCI-e bandwidth and host-device transfer latency (the PCI-e copy process takes longer than the actual hashing process.) To solve this problem, we need some sort of workload amplifier to ensure there’s enough work available for our GPUs. In the case of password cracking, generating password candidates on the GPU provides precisely the sort of amplification we need. In Hashcat, we accomplish this by splitting attacks up into two loops: a “base loop”, and a “mod(ifier) loop.” The base loop is executed on the host computer and contains the initial password candidates (the “base words.”) The mod loop is executed on the GPU, and generates the final password candidates from the base words on the GPU directly. The mod loop is our amplifier – this is the source of our GPU acceleration.
What happens in the mod loop depends on the attack mode. For brute force, a portion of the mask is calculated in the base loop, while the remaining portion of the mask is calculated in the mod loop. For straight mode, words from the wordlist comprise the base loop, while rules are applied in the mod loop (the on-GPU rule engine that executes in the mod loop is our amplifier.) For hybrid modes, words from the wordlist comprise the base loop, while the brute force mask is processed in the mod loop (generating each mask and appending it to base words is our amplifier.)
Without the amplifier, there is no GPU acceleration for fast hashes. If the base or mod loop keyspace is too small, you will not get full GPU acceleration. So the trick is providing enough work for full GPU acceleration, while not providing too much work that the job will never complete.
More work for fast hashes
As should be clear from the above, supplying more work for fast hashes is about *executing more of what you’re doing on the GPUs*. There are a few ways to do this:
* Use wordlist+rules. A few rules can help, but a few thousand can be the sweet spot. Test on your setup to find the combination that is more efficient for your attack. For straight mode against fast hashes, your wordlist should have at least 10 million words and you should supply at least 1000 rules.
More work for slow hashes
Now, we mentioned above that this advice is for most hash algorithms, with the exception of very slow hash algorithms. Slow hash algorithms use some variety of compute-hardening techniques to make the hash computation more resource-intensive and more time-consuming. For slow hash algorithms, we do not need (nor oftentimes do we want) an amplifier to keep the GPU busy, as the GPU will be busy enough with computing the hashes. Using attacks without amplifiers often provide the best efficiency.
Because we are very limited in the number of guesses we can make with slow hashes, you’re often working with very small, highly targeted wordlists. However, sometimes this can have an inverse effect and result in a wordlist being too small to create enough parallelism for the GPU. There are two solutions for this:
Note: pipes work in Windows the same as they do in Linux.
Those attack modes are usually already built into Hashcat, so why should we use a pipe? The reason is, as explained above, masks are split in half internally in Hashcat, with one half being processed in the base loop, and the other half processed in the mod loop, in order to make use of the amplification technique. But this reduces the number of base words, and for small keyspaces, reduces our parallelism, thus resulting in reduced performance.
Is piping a wordlist slower than reading from file?
No, piping is usually equally fast.
However, most candidate generators are not fast enough for hashcat. For fast hashes such as MD5, it is crucial to expand the candidates on the GPU with rules or masks in order to achieve full acceleration. However be aware that different rulesets are not producing constant speeds. Especially big rulesets can lead to a significant speed decrease. The increase from using rules as amplifier can therefor cancel itself out depending how complicated the rules are.
Why is my attack so slow?
Why does hashcat says it has only 2% GPU utilization?
Not having 100% GPU utilization is usually an indicator for a too-small keyspace (meaning, not enough work to be done).
How is it possible that hashcat does not utilize all GPUs?
If the number of base-words is so small that it is smaller than the GPU power of a GPU, then there is simply no work left that a second, or a third, or a fourth GPU could handle.
Why does hashcat sometimes get very slow at the end of an attack?
First we need to define “what is the end of an attack”. oclHashat defines this for the following case:
If the number of base-words is less than the sum of all GPU power values of all GPU. Read What is it that you call «GPU power»?
This happens when you see this message:
If this happens, hashcat tries to balance the remaining base-words to all GPU. To do this, it divides the remaining base-words with the sum of all GPU power of all GPUs which will be a number greater than 0 but less than 1. It then multiplies each GPU power count with this number. This way each GPU gets the same percentage of reduction of parallel workload assigned, resulting in slower speed.
Note that if you have GPUs of different speed it can occur that some GPU finish sooner than others, leading to a situation when some GPU end up in 0 H/s.
Why is hashcat taking so long to report progress?
This is a problem related to (a) how GPU parallelization works in general in combination with (b) an algorithm with a very iteration count.
When it comes to modern hashing algorithms they are typically designed in a way that they are not parallelizable and that the calculation has to be done in serial. You can not start computing iteration 2 if you have not computed iteration 1 before. They depend on each other. This means for slow algorithms like 7-Zip (if we want to make use of the parallelization power of a gpu) we have to place a single password candidate on a single shader (which a gpu has many) and compute the entire hash on a it. This can take a very long time, depending on the iteration count of the algorithm. We’re talking about times up to a minute here for a single hash computation. But what we got for doing it is that we’re able to run a few 100k at the same time and make use of the parallelization power of the gpu in that way. That’s why it takes so long for hashcat to report any progress, because it actually takes that long to compute a single hash with a high iteration count.
In the past hashcat did not report any speed for such extreme cases, resulting in hashing speed of 0H/s. Some users may remember such cases and wondering “why isn’t it doing anything”. From a technical perspective nothing changed. In the past and also today the GPU just need that much time. The only difference is in newer hashcat versions is that it creates an extrapolation based on the current progress of the iterations. For example it knows that the shader processed like 10000 of 10000000 iterations in X time and therefore it can tell how much it will (eventually) take to process the full iteration count and recomputes this into a more or less valid hashing speed, which is in that case not the real one. This is what you are shown in the speed counter.
But that’s the theoretical part. When it comes to GPGPU it’s actually not enough to feed as many password candidates to the GPU as it has shaders. There’s a lot of context switching going on the GPU which we have no control over. To keep all the shaders busy for the entire time we have to feed it with password candidates many times the number of shaders.
(See this forum post for an illustration with examples)