"Installation" on Apple Macintosh OS X 10.11.x:
```
$ cd Downloads
$ wget http://hashcat.net/files/hashcat-2.00.7z
[...]
$ 7z x hashcat-2.00.7z
[...]
$ cd hashcat-2.00
```
Which users exist on the system (Debian GNU/Linux)?
```
debian$ cat /etc/passwd
[...]
everybody:x:1001:1001:Hashcat Test Account,,,:/home/everybody:/bin/bash
[...]
```
How are the passwords on the system "hashed"?
```
debian$ grep -E "^ENCRYPT_METHOD" /etc/login.defs
ENCRYPT_METHOD SHA512
```
We copy the hash to be "attacked" into a file:
```
debian# grep -F "everybody" /etc/shadow | cut -d ":" -f 2 | tee ~/Downloads/everybody_shadow.sha512
$6$qzwwrTUI$ao79fjxzggxBezWq8fvUrKH20XiR5Y/VTKoMsJ9WXjbo7WZWMLbDYlamkwjoIV/NG5WdoYN0RIPtIdNW6yLZa.
```
Which hashcat "module" can "attack" such hashes?
```
osx$ ./hashcat-cli64.app --help | grep -F -i 'sha' | grep -F -i '512' | grep -F -i 'unix'
1800 = SHA-512(Unix)
```
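The `$6$` prefix of the copied field is what identifies it as SHA-512(Unix). As an added example (not part of the original page), this Python code classifies `/etc/shadow` password fields by scheme and rounds so that an administrator can spot entries weaker than the `ENCRYPT_METHOD` policy; the function names, the `min_rounds` threshold and the sample entries are assumptions constructed for illustration.

```python
# Added example: classify the password field (2nd column) of /etc/shadow lines.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # applies when the field has no rounds= part

def parse_field(field):
    """Return (scheme, rounds, salt) for one crypt(3) password field."""
    if field == "":
        return ("empty", None, None)
    if field[0] in "!*":
        return ("locked", None, None)
    if not field.startswith("$"):
        return ("descrypt-or-unknown", None, None)
    parts = field.split("$")[1:]          # id, optional rounds=N, salt, digest
    scheme = SCHEMES.get(parts[0], "unknown")
    if scheme not in ("sha256crypt", "sha512crypt"):
        return (scheme, None, None)
    rest, rounds = parts[1:], SHA_CRYPT_DEFAULT_ROUNDS
    if rest and rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][7:]), rest[1:]
    return (scheme, rounds, rest[0] if rest else None)

def audit(shadow_text, min_rounds=SHA_CRYPT_DEFAULT_ROUNDS):
    """Return (user, scheme, rounds, verdict) for every entry."""
    findings = []
    for line in shadow_text.splitlines():
        if ":" not in line:
            continue
        user, field = line.split(":")[:2]
        scheme, rounds, _salt = parse_field(field)
        if scheme == "locked":
            verdict = "no password login"
        elif scheme == "empty":
            verdict = "NO PASSWORD SET"
        elif scheme in ("md5crypt", "descrypt-or-unknown", "unknown"):
            verdict = "weak or unrecognised scheme"
        elif rounds is not None and rounds < min_rounds:
            verdict = "rounds below policy"
        else:
            verdict = "ok"
        findings.append((user, scheme, rounds, verdict))
    return findings

# Constructed sample entries (salts and digests are placeholders, not real hashes).
SAMPLE = """daemon:*:16800:0:99999:7:::
everybody:$6$c0nstruct$PLACEHOLDERDIGEST:16816:0:99999:7:::
legacy:$1$c0nstruct$PLACEHOLDERDIGEST:16000:0:99999:7:::
svc:$6$rounds=100000$c0nstruct$PLACEHOLDERDIGEST:16816:0:99999:7:::"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, min_rounds=50000):
        print(finding)
```

A field without a `rounds=` part, like the one copied above, uses the sha512crypt default of 5000 rounds; `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` in `/etc/login.defs` raise that cost for newly set passwords.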
I "only" know that it is a four-character password made up of lowercase letters (I have already copied the file with the hash into the hashcat directory!):
```
osx$ ./hashcat-cli64.app -m 1800 -a 3 everybody_shadow.sha512 ?l?l?l?l
Initializing hashcat v2.00 with 8 threads and 32mb segment-size...

Added hashes from file shadow_sha512.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s

Input.Mode: Mask (?l?l?l?l) [4]
Index.....: 0/1 (segment), 456976 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, 1.10k words
Progress..: 14200/456976 (3.11%)
Running...: 00:00:00:13
Estimated.: 00:00:06:43

$6$qzwwrTUI$ao79fjxzggxBezWq8fvUrKH20XiR5Y/VTKoMsJ9WXjbo7WZWMLbDYlamkwjoIV/NG5WdoYN0RIPtIdNW6yLZa.:nstl

All hashes have been recovered

Input.Mode: Mask (?l?l?l?l) [4]
Index.....: 0/1 (segment), 456976 (words), 0 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 1.08k words
Progress..: 282948/456976 (61.92%)
Running...: 00:00:04:22
Estimated.: 00:00:02:41

Started: Sat Jan 16 11:04:28 2016
Stopped: Sat Jan 16 11:08:50 2016
```
If I want to consider all characters (not "only" lowercase letters), the whole thing takes considerably longer:
```
osx$ ./hashcat-cli64.app -a 3 -m 1800 everybody_shadow.sha512 ?a?a?a?a
Initializing hashcat v2.00 with 8 threads and 32mb segment-size...

Added hashes from file shadow_sha512.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s

Input.Mode: Mask (?a?a?a?a) [4]
Index.....: 0/1 (segment), 81450625 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, 1.09k words
Progress..: 13912/81450625 (0.02%)
Running...: 00:00:00:13
Estimated.: 00:20:44:04

[s]tatus [p]ause [r]esume [b]ypass [q]uit => q
[...]
```
If "the" hard disk with "the" Windows installation has been mounted automatically under Debian GNU/Linux 8.x at "/media/user/222444A1244479B5", we copy the NTLM hash of a particular user into a file as follows:
```
debian$ sudo aptitude install samdump2
[...]
debian$ cd /media/user/222444A1244479B5/Windows/System32/config
debian$ samdump2 SYSTEM SAM | grep -F "everybody" | cut -d ":" -f 4 | tee ~/Downloads/hashcat-2.00/everybody_SAM.ntlm
1ea1fd7b4931ec9255cda7cb6060b092
```
The same 7z archive (see above) also contains binaries for Linux (the installation is comparably simple!):
```
debian$ ./hashcat-cli64.bin -a 3 -m 1000 everybody_SAM.ntlm ?a?a?a?a
Initializing hashcat v2.00 with 8 threads and 32mb segment-size...

Added hashes from file ../samdump2_modified.txt: 1 (1 salts)
Activating quick-digest mode for single-hash

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?a?a?a?a) [4]
Index.....: 0/1 (segment), 81450625 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 95.62M plains, 95.62M words
Progress..: 81450625/81450625 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Tue Jan 19 15:33:35 2016
Stopped: Tue Jan 19 15:33:37 2016
```
Even with the naked eye you can see here that NTLM hashes can be computed "somewhat" faster than SHA512 hashes!
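The CPU runs above differ only in mask and hash type. As an added example (not from the original page), the following Python computes the keyspace of a mask and the worst-case time to exhaust it at the CPU rates shown in the sessions above, and goes beyond the page by extending the comparison to 8 and 12 characters. The rates are specific to the author's machine, and the function names are assumptions.

```python
# Added example: keyspace and worst-case search time for a hashcat-style mask.
# Sizes of the built-in placeholders ?l ?u ?d ?s ?a.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
# "words" per second reported in the CPU sessions on this page.
RATES = {"sha512crypt (CPU)": 1.09e3, "NTLM (CPU)": 95.62e6}

def mask_keyspace(mask):
    """Count the candidates a mask such as '?l?l?l?l' expands to."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character: one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key != "?":                  # '??' is a literal question mark
            if key not in CHARSET_SIZES:
                raise ValueError("unsupported placeholder ?%s" % key)
            total *= CHARSET_SIZES[key]
        i += 2
    return total

def worst_case_seconds(mask, rate):
    """Seconds needed to try every candidate of the mask at `rate` per second."""
    return mask_keyspace(mask) / rate

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31536000), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f seconds" % seconds

def report(masks):
    """Return (mask, hash type, keyspace, worst-case duration) rows."""
    rows = []
    for mask in masks:
        for name, rate in RATES.items():
            rows.append((mask, name, mask_keyspace(mask),
                         human(worst_case_seconds(mask, rate))))
    return rows

if __name__ == "__main__":
    for row in report(["?l?l?l?l", "?a?a?a?a", "?a" * 8, "?a" * 12]):
        print("%-26s %-18s %26d  %s" % row)
```

The four-character results match the `Estimated` values hashcat printed above; the longer masks show how quickly password length and an iterated scheme push an exhaustive search out of reach.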
Installation on Debian GNU/Linux 8.x (with a relatively old Nvidia driver):
```
$ sudo aptitude install libcuda1
[...]
$ mkdir ~/Downloads
$ cd Downloads
$ wget http://hashcat.net/files/cudaHashcat-2.01.7z
[...]
$ 7z x cudaHashcat-2.01.7z
[...]
$ cd cudaHashcat-2.01
```
Analogous to the "CPU run" (see above), now with the (not really powerful) GPU, including writing the results to a file:
```
debian$ ./cudaHashcat64.bin -w 3 -m 1800 -a 3 -o outfile.txt ~/Downloads/shadow_sha512.txt ?l?l?l?l
cudaHashcat v2.01 starting...

Device #1: GeForce 605, 1023MB, 1046Mhz, 1MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4318/m01800.sm_21.64.cubin
Device #1: Kernel ./kernels/4318/markov_le_v1.sm_21.64.cubin
Device #1: Kernel ./kernels/4318/amp_a3_v1.sm_21.64.cubin

Session.Name...: cudaHashcat
Status.........: Cracked
Input.Mode.....: Mask (?l?l?l?l) [4]
Hash.Target....: $6$qzwwrTUI$ao79fjxzggxBezWq8fvUrKH20XiR5...
Hash.Type......: sha512crypt, SHA512(Unix)
Time.Started...: Mon Jan 18 12:10:02 2016 (3 mins, 37 secs)
Speed.GPU.#1...: 897 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 194560/456976 (42.58%)
Rejected.......: 0/194560 (0.00%)
Restore.Point..: 6144/17576 (34.96%)
HWMon.GPU.#1...: -1% Util, 63c Temp, 50% Fan

Started: Mon Jan 18 12:10:02 2016
Stopped: Mon Jan 18 12:13:41 2016
```
What is in the file now?
```
$ cat outfile.txt
$6$qzwwrTUI$ao79fjxzggxBezWq8fvUrKH20XiR5Y/VTKoMsJ9WXjbo7WZWMLbDYlamkwjoIV/NG5WdoYN0RIPtIdNW6yLZa.:nstl
```
And the same with an NTLM hash:
```
debian$ cd ~/Downloads/cudaHashcat-2.01
debian$ ./cudaHashcat64.bin -w 3 -m 1000 -a 3 -o everybody_PLAIN.txt everybody_SAM.ntlm ?l?l?l?l
cudaHashcat v2.01 starting...

Device #1: GeForce 605, 1023MB, 1046Mhz, 1MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Scalar-Mode
* Raw-Hash
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4318/m01000_a3.sm_21.64.cubin
Device #1: Kernel ./kernels/4318/markov_le_v1.sm_21.64.cubin

ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of your GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

Session.Name...: cudaHashcat
Status.........: Cracked
Input.Mode.....: Mask (?l?l?l?l) [4]
Hash.Target....: 1ea1fd7b4931ec9255cda7cb6060b092
Hash.Type......: NTLM
Time.Started...: 0 secs
Speed.GPU.#1...: 115.0 MH/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 456976/456976 (100.00%)
Rejected.......: 0/456976 (0.00%)
HWMon.GPU.#1...: -1% Util, 53c Temp, 40% Fan

Started: Mon Jan 18 15:22:06 2016
Stopped: Mon Jan 18 15:22:07 2016
```
Here the GPU version complains because not enough computations can be parallelized!
Solution: hand small "wordlists" to the CPU and, in another console, hand a complementary larger "wordlist" to the GPU!
Do we have a result?
```
$ cat everybody_PLAIN.txt
1ea1fd7b4931ec9255cda7cb6060b092:nstl
```
MacBook Pro (Retina, 15-inch, Late 2013):
```
$ ./hashcat-cli64.app -b
Initializing hashcat v2.00 with 8 threads and 32mb segment-size...

Device...........: Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz
Instruction set..: x86_64
Number of threads: 8

Hash type: MD5
Speed/sec: 85.83M words

Hash type: SHA1
Speed/sec: 46.12M words

Hash type: SHA256
Speed/sec: 25.45M words

Hash type: SHA512
Speed/sec: 5.71M words

Hash type: bcrypt, Blowfish(OpenBSD)
Speed/sec: 5.55k words

Hash type: NTLM
Speed/sec: 81.86M words

Hash type: WPA/WPA2
Speed/sec: 3.42k words
```
FUJITSU ESPRIMO P910:
```
$ ./hashcat-cli64.bin -b
Initializing hashcat v2.00 with 8 threads and 32mb segment-size...

Device...........: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
Instruction set..: x86_64
Number of threads: 8

Hash type: MD5
Speed/sec: 88.75M words

Hash type: SHA1
Speed/sec: 52.09M words

Hash type: SHA256
Speed/sec: 24.96M words

Hash type: SHA512
Speed/sec: 8.50M words

Hash type: bcrypt, Blowfish(OpenBSD)
Speed/sec: 5.87k words

Hash type: NTLM
Speed/sec: 90.71M words

Hash type: WPA/WPA2
Speed/sec: 4.42k words
```
FUJITSU ESPRIMO P910 (part 2):
```
$ ./cudaHashcat64.bin -b
cudaHashcat v2.01 starting in benchmark-mode...

Device #1: GeForce 605, 1023MB, 1046Mhz, 1MCU

Hashtype: MD5
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 168.7 MH/s

Hashtype: SHA1
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 41459.3 kH/s

Hashtype: SHA256
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 19300.3 kH/s

Hashtype: SHA512
Workload: 256 loops, 256 accel

Speed.GPU.#1.: 5210.5 kH/s

Hashtype: bcrypt, Blowfish(OpenBSD)
Workload: 32 loops, 2 accel

Speed.GPU.#1.: 46 H/s

Hashtype: NTLM
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 251.2 MH/s

Hashtype: WPA/WPA2
Workload: 1024 loops, 32 accel

Speed.GPU.#1.: 2785 H/s
```