Introduction to Cracking Password Hashes with oclHashcat

By | 2015/02/10

If you have a fairly decent video card and a good wordlist, you can crack password hashes with oclHashcat. Here’s a quick how-to!


If you are new to the approach of cracking passwords, I suggest reading the Ars article How I became a password cracker.

The guide below assumes you have downloaded the latest version of oclHashcat for your video card (AMD or nvidia) and are ready to crack.


Timebomb

oclHashcat incorporates a timebomb, which means older versions refuse to run once they are too old. It was previously possible to do some hexedit fu to avoid the timebomb, but current versions of oclHashcat can no longer be patched like this. I attempted to patch a current version but it appears atom has changed the app so that it cannot be cracked in this way.

In short, you will need a recent high end video card, current drivers, and a current version of oclHashcat.


Video card requirements

The current versions of oclHashcat require a recent video card. For nvidia, compute capability 2.0 or higher is required as well as current nvidia drivers. Older cards are no longer supported by nvidia and as such, no longer supported by the cuda libraries used by oclHashcat.

I picked up a GeForce GT 545 OEM DDR5 from craigslist for near free which works. Obviously the faster the video card, the faster your password cracking will be but it is possible to get a used ~$40 card if you are cheap like me.

If you have cash to spend, consumer high end gaming video cards work best.


Wordlist

For effective password cracking, you need at least one good wordlist. A wordlist is literally a list of words in a text file such as:

apple
cat
dog
beer
house

Wordlists can get quite huge; however, it is rumored that atom (creator of oclHashcat / Hashcat) uses a very small wordlist quite effectively. Size does not matter; what counts is how you use a wordlist.

The most effective wordlist known and used to date is the rockyou wordlist. This wordlist and others are easily found online. Here is a helpful link.

There are also wordlists for sale. I purchased and use the uniqpass wordlist with great success for example.

uniqpass also offers a free small wordlist here.

A free large wordlist (15GB!) known as the crackstation is available here. I donated $10 USD to the creator.

Here is another good source of wordlists.


Get some hashes to crack

Next, you will need some password hashes to crack. The hashcat wiki has a page of example hashes to see what you are looking for. For this blog post, we will be cracking a WordPress password hash.

Our WordPress hash to try and crack in this blog post is:

$P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0

I’ll save this hash in a text file called wordpresshash.txt.


Get cracking!

Before starting, if you are on Linux, disable any desktop effects, because running oclHashcat will tax your GPU.

Below is an example command specifying the hash type 400 (wordpress), and attack mode 0 (check straight list of words), my hash file to crack, and the rockyou wordlist. I’m using nvidia, so the executable is named cudaHashcat64.bin.

$ ./cudaHashcat64.bin -m400 -a0 wordpresshash.txt /media/wdblue/wordlists/rockyou.txt 
 cudaHashcat v1.31 starting...

Device #1: GeForce GT 545, 1023MB, 1741Mhz, 3MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4318/m00400.sm_21.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx

Cache-hit dictionary stats /media/wdblue/wordlists/rockyou.txt: 139921497 bytes, 14343296 words, 14343296 keyspace

[s]tatus [p]ause [r]esume [b]ypass [q]uit => 


Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: File (/media/wdblue/wordlists/rockyou.txt)
Hash.Target....: $P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0
Hash.Type......: phpass, MD5(WordPress), MD5(phpBB3), MD5(Joomla)
Time.Started...: Tue Feb 10 20:07:42 2015 (3 secs)
Time.Estimated.: Tue Feb 10 20:16:33 2015 (8 mins, 47 secs)
Speed.GPU.#1...:    57659 H/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 98305/14343296 (0.69%)
Skipped........: 0/98305 (0.00%)
Rejected.......: 1/98305 (0.00%)
HWMon.GPU.#1...: -1% Util, 46c Temp, 41% Fan

[s]tatus [p]ause [r]esume [b]ypass [q]uit => 

The estimated time to finish is about 8 minutes.

…and in less than that time, my hash is cracked!

$P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0:24/12/1989
                                             
Session.Name...: cudaHashcat
Status.........: Cracked
Input.Mode.....: File (/media/wdblue/wordlists/rockyou.txt)
Hash.Target....: $P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0
Hash.Type......: phpass, MD5(WordPress), MD5(phpBB3), MD5(Joomla)
Time.Started...: Tue Feb 10 20:07:42 2015 (3 mins, 44 secs)
Speed.GPU.#1...:    57810 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 12877825/14343296 (89.78%)
Skipped........: 0/12877825 (0.00%)
Rejected.......: 1/12877825 (0.00%)
HWMon.GPU.#1...: -1% Util, 68c Temp, 41% Fan

Started: Tue Feb 10 20:07:42 2015
Stopped: Tue Feb 10 20:11:26 2015 

The password was simply: 24/12/1989

Cracked passwords are written to a .pot file if you happen to miss the screen output.

$ cat cudaHashcat.pot
$P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0:24/12/1989
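
For defenders, the hash string itself shows how much work each guess costs. The following is an added example (not code from the original post or from the hashcat project) that parses the portable phpass format of this WordPress hash and re-implements its verification in Python. The function names are hypothetical, and it assumes the standard phpass layout: a $P$ prefix, one cost character, an 8-character salt and a 22-character encoded MD5 digest.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_phpass(stored):
    """Split a portable phpass hash into (iterations, salt, encoded digest)."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    cost_log2 = ITOA64.find(stored[3])      # the cost character is log2(iterations)
    if not 7 <= cost_log2 <= 30:
        raise ValueError("cost character out of range")
    return 1 << cost_log2, stored[4:12], stored[12:]

def encode64(data):
    """phpass's base64 variant: little-endian 6-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> s) & 0x3F]
                   for s in range(0, 6 * (len(chunk) + 1), 6))
    return "".join(out)

def phpass_hash(password, setting):
    """Recompute the hash string from a password and a stored hash (or its first 12 chars)."""
    # Pad a bare 12-character setting so the same parser validates it.
    iterations, salt, _ = parse_phpass(setting.ljust(34, "."))
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(iterations):             # the salted MD5 is re-hashed this many times
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def verify(password, stored):
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored).encode(), stored.encode())

if __name__ == "__main__":
    page_hash = "$P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0"   # hash from the post
    print(parse_phpass(page_hash)[:2])                  # iterations and salt
    print(verify("24/12/1989", page_hash))              # password shown in the post
```

For the post's hash, the cost character B decodes to 8192 MD5 rounds per guess, which is the only work factor standing between a leaked hash and the speeds shown in the status output above.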


So there you go! Obviously that was a quick intro. For an approach to cracking, I suggest using a straight attack mode 0 first to see if the hash is simply in any of your wordlists. This is fast, and will give you a quick check. Next, try more complicated attack modes, which will add more time. I typically go with attack mode 6 next with oclHashcat.