Thursday, January 22, 2015

OCLHASHCAT - Cracking passwords with a low-cost GPU - Preview

This was all done with a low-cost GPU (graphics card), a dictionary list and a laptop.

I benchmarked the stats on a standard mobile workstation as well, these are the results from an MD5 password list:

Dictionary Attack:

Session.Name...: oclHashcat
Status.........: Exhausted
Input.Mode.....: File (/****/Desktop/rockyou.txt)
Hash.Target....: File (/****/Desktop/hashes)
Hash.Type......: MD5
Time.Started...: Mon Jan 19 19:13:41 2015 (4 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...:  3631.2 kH/s
Recovered......: 11/12 (91.67%) Digests, 0/1 (0.00%) Salts
Progress.......: 14343297/14343297 (100.00%)
Skipped........: 0/14343297 (0.00%)
Rejected.......: 1599/14343297 (0.01%)
HWMon.GPU.#1...:  0% Util, 60c Temp, 48% Fan


11/12 passwords in 4 seconds, all from a commonly used password list that was hashed and the standard "rockyou.txt" dictionary file that is widely distributed.

Brute Force


Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2) [6]
Hash.Target....: File (/****/Desktop/hashes)
Hash.Type......: MD5
Time.Started...: Mon Jan 21 19:15:33 2015 (18 secs)
Time.Estimated.: Wed Jan 21 19:16:11 2015 (14 secs)
Speed.GPU.#1...:   114.5 MH/s
Recovered......: 4/12 (33.33%) Digests, 0/1 (0.00%) Salts
Progress.......: 2101215232/3748902912 (56.05%)
Skipped........: 0/2101215232 (0.00%)
Rejected.......: 0/2101215232 (0.00%)
HWMon.GPU.#1...: 94% Util, 61c Temp, 50% Fan

4 passwords from the same list in 18 seconds using brute force and the same password list.

Most of the others finished in under an hour or so, longer passwords took under 4 hours.

I'll be posting more detailed data shortly, along with a detailed post about this. It's nothing new or groundbreaking, just an example of how easy it is to defeat password encryption these days. You can do the same for PDF documents and ZIP files, amongst others.

Most sites use MD5 or SHA1 to hash their passwords. Of those, quite a few are using unsalted hashes.

If you're not using stronger hash algorithms, it's an invitation for disaster.