If you have a fairly decent video card and a good wordlist, you can crack password hashes with oclHashcat. Here is a quick how-to!
If you are new to the approach of cracking passwords, I suggest reading the Ars article How I became a password cracker.
This guide assumes you have downloaded the latest version of oclHashcat for your video card (AMD or nvidia) and are ready to crack.
oclHashcat incorporates a timebomb, which means older versions of oclHashcat exit on startup once they are too old. It was previously possible to do some hexedit fu to avoid the timebomb, but current versions of oclHashcat can no longer be patched like this. I attempted to patch a current version, but it appears atom has changed the app so that it cannot be cracked in this way.
In short, you will need a recent high end video card, current drivers, and current version of oclHashcat.
Video card requirements
The current versions of oclHashcat require a recent video card. For nvidia, compute capability 2.0 or higher is required as well as current nvidia drivers. Older cards are no longer supported by nvidia and as such, no longer supported by the cuda libraries used by oclHashcat.
I picked up a GeForce GT 545 OEM DDR5 from craigslist for near free which works. Obviously the faster the video card, the faster your password cracking will be but it is possible to get a used ~$40 card if you are cheap like me.
If you have cash to spend, consumer high end gaming video cards work best.
For effective password cracking, you need at least one good wordlist. A wordlist is literally a list of words in a text file such as:
apple
cat
dog
beer
house
Wordlists can get quite huge, however it is rumored that atom (creator of oclHashcat / Hashcat) uses a very small wordlist quite effectively. Size does not matter but rather how you use a wordlist is what counts.
The most effective wordlist known and used to date is the rockyou wordlist. This wordlist and others are easily found online. Here is a helpful link.
There are also wordlists for sale. I purchased and use the uniqpass wordlist with great success for example.
uniqpass also offers a free small wordlist here.
A free large wordlist (15GB!) known as the crackstation is available here. I donated $10 USD to the creator.
Here is another good source of wordlists.
Get some hashes to crack
Next, you will need some password hashes to crack. The hashcat wiki has a page of example hashes to see what you are looking for. For this blog post, we will be cracking a WordPress password hash.
Our WordPress hash to try and crack in this blog post is:
$P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0
I’ll save this hash in a text file called wordpresshash.txt.
Before starting, if on Linux, disable any desktop effects. Running oclHashcat will tax your GPU and desktop effects should be disabled.
Below is an example command specifying the hash type 400 (wordpress), and attack mode 0 (check straight list of words), my hash file to crack, and the rockyou wordlist. I’m using nvidia, so the executable is named cudaHashcat64.bin.
$ ./cudaHashcat64.bin -m400 -a0 wordpresshash.txt /media/wdblue/wordlists/rockyou.txt
cudaHashcat v1.31 starting...
Device #1: GeForce GT 545, 1023MB, 1741Mhz, 3MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4318/m00400.sm_21.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx
Cache-hit dictionary stats /media/wdblue/wordlists/rockyou.txt: 139921497 bytes, 14343296 words, 14343296 keyspace
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: File (/media/wdblue/wordlists/rockyou.txt)
Hash.Target....: $P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0
Hash.Type......: phpass, MD5(WordPress), MD5(phpBB3), MD5(Joomla)
Time.Started...: Tue Feb 10 20:07:42 2015 (3 secs)
Time.Estimated.: Tue Feb 10 20:16:33 2015 (8 mins, 47 secs)
Speed.GPU.#1...: 57659 H/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 98305/14343296 (0.69%)
Skipped........: 0/98305 (0.00%)
Rejected.......: 1/98305 (0.00%)
HWMon.GPU.#1...: -1% Util, 46c Temp, 41% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
The estimated time to finish is 8 minutes.
…and in less than that time, my hash is cracked!
$P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0:24/12/1989
Session.Name...: cudaHashcat
Status.........: Cracked
Input.Mode.....: File (/media/wdblue/wordlists/rockyou.txt)
Hash.Target....: $P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0
Hash.Type......: phpass, MD5(WordPress), MD5(phpBB3), MD5(Joomla)
Time.Started...: Tue Feb 10 20:07:42 2015 (3 mins, 44 secs)
Speed.GPU.#1...: 57810 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 12877825/14343296 (89.78%)
Skipped........: 0/12877825 (0.00%)
Rejected.......: 1/12877825 (0.00%)
HWMon.GPU.#1...: -1% Util, 68c Temp, 41% Fan
Started: Tue Feb 10 20:07:42 2015
Stopped: Tue Feb 10 20:11:26 2015
The password was simply: 24/12/1989
Cracked passwords are written to a .pot file if you happen to miss the screen output.
$ cat cudaHashcat.pot
$P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0:24/12/1989
So there you go! Obviously that was a quick intro. For an approach to cracking, I suggest using a straight attack mode 0 first to see if the hash is simply in any of your wordlists. This is fast and gives you a quick check. Next, try more complicated attack modes, which take more time. I typically go with attack mode 6 next with oclHashcat.
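Why the run above finished in minutes, seen from the side of whoever stores these hashes: an added example (not from the original post, and not hashcat or WordPress code) that parses the page's $P$ hash, reimplements phpass verification, and scales the page's measured 57659 H/s to another cost setting. The function names are hypothetical, and the linear cost scaling is an approximation.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAGE_HASH = "$P$BjsWoVfZrkl13QryXsLRCEOomnoQpW0"  # hash from this page

def parse_phpass(stored):
    """Split a portable phpass hash into (rounds, salt, encoded digest)."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    log2 = ITOA64.index(stored[3])  # cost character, e.g. 'B' -> 13
    if not 7 <= log2 <= 30:
        raise ValueError("cost out of range")
    return 1 << log2, stored[4:12], stored[12:]

def encode64(data):
    """phpass's little-endian base64 variant (not RFC 4648)."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> 6 * k) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def phpass_digest(password, rounds, salt):
    """MD5(salt + password), then `rounds` further MD5(digest + password) passes."""
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return encode64(digest)

def verify(password, stored):
    """Recompute the digest with the stored salt and cost, compare in constant time."""
    rounds, salt, expected = parse_phpass(stored)
    return hmac.compare_digest(phpass_digest(password, rounds, salt), expected)

def seconds_to_exhaust(keyspace, rate, measured_log2, target_log2):
    """Scale a measured guess rate to another cost, assuming work is linear in rounds."""
    return keyspace / (rate * 2 ** (measured_log2 - target_log2))

if __name__ == "__main__":
    rounds, salt, _ = parse_phpass(PAGE_HASH)
    print("rounds:", rounds, "salt:", salt)
    print("page password verifies:", verify("24/12/1989", PAGE_HASH))
    # Page figures: 14343296-word list at 57659 H/s, cost 13; cost 17 is hypothetical.
    for cost in (13, 17):
        print(cost, round(seconds_to_exhaust(14343296, 57659, 13, cost)), "s")
```

The cost character in the stored hash is the only work factor here, so a password that sits in a common wordlist falls quickly whatever the salt.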