Nov/25
2011

Today atom released oclhashcat-lite version 0.07. I just finished the benchmark with my nvidia 570 ti.

* changes v0.06 -> v0.07:

type: feature
file: kernels
desc: added support for AMD GPU's "Devastator" and "Scrapper"

type: feature
file: kernels
desc: added -m 600 = nsldap, SHA-1(Base64), Netscape LDAP SHA

type: feature
file: kernels
desc: added -m 700 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA

type: feature
file: kernels
desc: added -m 1300 = MSSQL(2000)

type: feature
file: kernels
desc: added -m 2300 = MSSQL(2005)

type: feature
file: kernels
desc: added -m 2400 = Cisco-PIX MD5

type: feature
file: kernels
desc: added support for vector datatypes on NV for better sm_21 utilization

type: feature
file: host programs
desc: added support for mixed GPU types (example: hd5970 and hd6850)

type: feature
file: host programs
desc: simplified --pw-skip and --pw-limit for more intuitive usage, see hashcat wiki for details

type: feature
file: host programs
desc: added --pw-skip-plain and --pw-limit-plain, user can specify a string instead of a number

type: feature
file: host programs
desc: added support for setting CPU affinity. Defaults: Linux unlocked, Windows locked to CPU #1
cred: MrUltimate

type: feature
file: host programs
desc: added display of the mask in status screen
cred: tatgdi

type: feature
file: host programs
desc: added display of the hash in status screen

type: feature
file: host programs
desc: changed restore-timer function. if set to 0, the restore-file is written instantly on progress

type: change
file: host programs
desc: changed restore-timer default value to 0

type: change
file: kernels
desc: switched to AMD Accelerated Parallel Processing "APP" SDK v2.5

type: change
file: host programs
desc: changed outfile-formats for more flexibility. default value is 3. see --help for more
cred: TheFire

type: change
file: host programs
desc: recalibrated defaults for gpu_accel and gpu_loops that kernels run fast but not too aggressive

type: change
file: host programs
desc: changed speed display compressing threshold from 10000 to 100000

type: change
file: kernels
desc: removed kernel encryption. thus, archive file became smaller and startup-time reduced

type: bug
file: host programs
desc: fixed some typos in error messages

type: bug
file: host programs
desc: fixed bug in --gpu-async which was not enabled even if specified

type: bug
file: host programs
desc: fixed NVidia issue: cuStreamsynchronize() 700

type: bug
file: host programs
desc: workarounded AMD issue: "100% CPU killer bug". Linux only, requires Catalyst >= 11.11

type: bug
file: host programs
desc: workarounded AMD issue: ../../src/xcb_io.c:140: dequeue_pending_request

http://hashcat.net/oclhashcat-lite/

Nov/17
2011

Atom came up with a new beta of oclhashcat-lite, here is the summary:

type: feature
file: kernels
desc: added support for "Devastator" and "Scrapper" GPU's
-
type: feature
file: host programs
desc: added support for mixed GPU types (example: hd5970 and hd6850)
-
type: feature
file: host programs
desc: if --restore-timer is 0, restore file is written on change instantly
-
type: change
file: host programs
desc: changed default value for --restore-timer to 0
-
type: change
file: kernels
desc: switched to Accelerated Parallel Processing "APP" SDK v2.5

root@sf:~/oclHashcat-lite-0.07# ./oclHashcat-lite64.bin -n 160 -1 ?l?d?s?u --pw-min 8 -m 0 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1?1
oclHashcat-lite v0.7 by atom starting...

Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cypress, 512MB, 0Mhz, 20MCU
Device #2: Cypress, 512MB, 0Mhz, 20MCU

[s]tatus [p]ause [r]esume [q]uit => s
Status.......: Running
Hash.Type....: MD5
Time.Running.: 15 secs
Time.Left....: 6 days, 17 hours
Plain.Text...: ***aaaaa
Plain.Length.: 8
Speed.GPU.#1.: 5691.4M/s
Speed.GPU.#2.: 5692.7M/s
Speed.GPU.#*.: 11384.1M/s
Progress.....: 171547033600/6634204312890625 (0.00%)
HWMon.GPU.#1.: 99% GPU, 50c Temp
HWMon.GPU.#2.: 98% GPU, 47c Temp

As a side note, you don't need the SDK 2.5 since the new catalyst 11.11 includes it.
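
As an added example (not part of the original post and not oclHashcat-lite code), the Python below reproduces the Progress total and the Time.Left figure of the status screen above from the mask and the measured speed, which is the calculation used to judge how long a password length and character set holds up at a given guess rate. The function names are made up for this example; it assumes the hashcat built-in charset sizes (?l 26, ?u 26, ?d 10, ?s 33) and evaluates the first eight mask positions because the status screen reports Plain.Length 8.

```python
import string

# Built-in hashcat charsets: ?l 26, ?u 26, ?d 10, ?s 33 characters.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation) | {" "},
}

def expand(spec, custom=None):
    """Return one character set per position of a mask or charset spec."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                positions.append({"?"})      # "??" is a literal question mark
            elif key in BUILTIN:
                positions.append(BUILTIN[key])
            elif key in custom:
                positions.append(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            positions.append({spec[i]})      # literal character
            i += 1
    return positions

def custom_charset(spec):
    """A -1 style definition is the union of everything it names."""
    return set().union(*expand(spec))

def keyspace(mask, custom=None, length=None):
    """Number of candidates for the first `length` mask positions."""
    total = 1
    for chars in expand(mask, custom)[:length]:
        total *= len(chars)
    return total

def time_left(total, done, rate_per_sec):
    """Remaining time as (days, hours), truncated to whole hours."""
    secs = int((total - done) / rate_per_sec)
    return secs // 86400, (secs % 86400) // 3600

# Values copied from the session above: -1 ?l?d?s?u, nine ?1, length 8.
CHARSET_1 = custom_charset("?l?d?s?u")
TOTAL = keyspace("?1" * 9, {"1": CHARSET_1}, length=8)
LEFT = time_left(TOTAL, 171547033600, 11384.1e6)
```

Each extra position multiplies the total by the charset size, so moving from length 8 to length 9 with this 95-character set multiplies the work by 95.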

Aug/09
2011

It was an exciting weekend, sadly team Hashcat only achieved the second place. The team Insidepro however managed to beat us. Congrats to them and a big thanks to minga: http://contest.korelogic.com/stats.html

I don't think that these numbers can say enough without any background story:

So, as you might notice, I write as if I were a member of a team; actually I took part in the contest as a member of team hashcat. Sadly I was very late and got in about 12 hours after the contest actually started and was quite overwhelmed by the challenges, hashes, websites, irc channels etc. It took me about an hour to actually get an overview and start working since I didn't know what had happened in the past 12 hours. There were a few issues and rumors about strange things that happened. The first to mention is that somehow hashcat.net went offline a few hours before the contest started; as of now there is no evidence of any attack, but it's strange.

There are a few other things which I will mention later, but now to the contest. The contest itself was about, as you might guess, hashcracking, yes! To be exact it was about a little more: 19 challenges and 20 lists of hashes with different encryption (mscash2, bf, phpass-md5, md5, md5_gen(28), bsdi, raw-sha512, mysql-sha1, md5_gen(23), md5_gen(22), des, md5_gen(12), ssha, mssql, oracle11, raw-sha1, md5_gen(16), phps, md5_gen(0), nt). The contest was not directly about cracking the most hashes since there were different weights, for example one mscash2 got you 16000 points and one DES just 10. In addition to these lists there were the mentioned 19 challenges, which included things like an encrypted zip, rars, pdfs, docs and even an encrypted dmg file. Some of the challenges contained hash lists again.

So yea, that's about it. Back to the point when I got into the contest. The clock is running, already 12 hours past, hashcat is #1 on the leaderboard with about 5m points followed by john-users and insidepro. I am preparing myself to get started with special contest optimized versions of hashcat and an (I call it for now) special online management suite where the team could manage itself. I am looking at the cracked hashes and studying the remaining hash lists. Where to get started? Most of these hashes are not crackable with hashcat. As I take a look back in the irc channel where the rest of the team hangs I notice rumors. "damn, why we have to use john?" followed by an "this is freaking slow!" and something like "john-users are catching up" gave me the hint that there is a problem. Of the 20 hashlists minga provided, the minority could be cracked by hashcat with GPU acceleration. I decided to ignore this for now and try my luck on the remaining phpass, MD5-Unix and NTLM. A few hours went by in which I struggled with these lists. Only a couple of hashes every now and then. I'm trying to figure out what's the point, where did minga get the hashes, which pattern, masks, dictionaries etc he used. Searching for patterns and masks in the already cracked hashes, wrapping my head around the challenges, I notice resentment in the channel. The john users are ahead! Ok, now to the fridge, some more redbulls and coffees are necessary! Back at my computer I see that atom was awake again talking about the mscash2. It's 6 somewhat AM Saturday, the contest is now up 21 hours and atom is deciding to implement mscash2 in oclhashcat-plus. Yes, you don't read wrong, there are about 27 hours left and he decides to pull out all his abilities and implement an algorithm he never used before! So ok, I'm thinking "the chance is not really huge that he can do this in time but if, it would be great" and sending atom "give it a shot".

The caffeine is kicking in and I go back to my work. Let's check my mac to see what the dmg cracking tool did. Hm..nothing, great. What did the remaining rar and zip files do? Nothing, no plain worked. Suxx...let's run a freaking bruteforce. Back to the hash lists. I have multiple machines running cpu and gpu jobs on several lists. 50 new NTLM, nice. upload. 5 new phpass. upload. 3 new MD5-Unix. upload. 2 hours work. Progress!
"This can not be" I am saying to myself as I look at the results. "Where are the patterns we are missing?" I am asking the rest of the team. No one has an answer. "We are missing some important clues!" I am saying to the team. "We know that there are correlations of patterns on every list, if we get one pattern on one list, the chance is huge that we get more cracks on another".

I am looking at my latest cracks on MD5-Unix and phpass as I seem to discover a pattern. The obsession kicks in and I am working the next two hours on a dictionary. The words are combined patterns, like "mel", "and", "ina" etc. Let's put these all in a list and run a permutation attack on it. Yes, success. Quite a few hits. Gather the results, use the expander on them and bam, some more hits. Take all the newly gathered plains and check all the other hashlists with rules. And again more hits. Feeling good, but tired.
"Where is atom?" someone asks on irc. "Didn't see him for hours!" comes back. He is now gone for 6-7 hours. What's he doing? "atom> YEEEAAAAAAA" out of nowhere. "atom> got it!!!!". "atom> mscash2! but only for ati". "Ok well pretty damn good" I think "but since my one box with ATI died an hour ago I better keep my work on the challenges and hashes I am able to crack". With one eye following the team on the irc channel hyping the new beta and fetching mscash2 I am trying to point the other eye on other things. The challenges are still not done. And now suddenly team insidepro is ahead. Hopefully the mscash2 will do its work.

I am now about 30 hours awake and can't remember when I last ate. Hm...let's take a break. Hm..all stores are closed and I have nothing good at home...too late for my favorite bistro...suxx...let's drive to McD. The burger tastes like nothing. Well, at least as expected. Back to work.

Let's see what happened. A fair amount of mscash2 more, nice! Our last update with the contest-system was a couple hours ago, we are still behind insidepro. Let's run another round with the newly gained plains on mssql, MD5-Unix, phpass and NTLM. Bingo, a couple more. Upload. The admin starts the sync and I am looking at the contest table to check our progress. Yes! Back at the top! Back on the journey of finding the lost pattern. Discussing with the other members what we haven't tried, what we should do and what minga might have done. "are the other teams listening?" maybe not. But well who knows.

"Let's put in another bruteforce, maybe I have luck, and just relax a few minutes." Getting the jobs started and putting in a Starcraft2 replay. Man, my back could take a few minutes off, better I lie down on the couch till the replay ends.

That was the last thing I remember after about 36 hours awake. I don't even know how the SC2 match ended or who played. I woke up 3 hours after the contest ended. It was somehow bitter to find team insidepro ahead because of the bonus points minga has given for the most cracked hashes in a list. It was really close, we missed 5 NTLM for the bonus.

Aug/05
2011

A few of you might have noticed that Defcon started today. And as every year the cracking contest is taking place and is managed by minga.

The contest started today at 0:00 PST. At this time the teams are working on the hashlists minga handed out!

Good Luck team Hashcat!

Update:
Live-Stats: http://contest.korelogic.com/stats.html

Jul/10
2011

atom> current optimization status oclHashcat-lite 0.6->0.7: descrypt +16.9%, sl3 +1.0%, md5 +0.5%