Hack and / - Password Cracking with GPUs, Part II: Get Cracking
Your hardware is ready. Now, let's load up some software and get cracking.
In Part I of this series, I explained how password cracking works in general terms and described my specific password-cracking hardware. In this article, I dig into the software side of things and describe how to put that hardware to use cracking passwords. I also discuss the two main types of attacks: dictionary and brute-force attacks. As I describe each attack, I also give specific examples of how I used the software to attack phpass, the hashing algorithm currently used for PHP-based software like WordPress.
For the purposes of this article, I created a sample WordPress blog on my server and created a few custom accounts—some with weak passwords and others with truly random passwords. Then, I went into the database for the site and pulled out the phpass password hashes for each account and put them into a file that looked like this:
$P$BpgwVqlfEwuaj.FlM7.YCZ6GQMu15D/ $P$BGMZP8qAHPjTTiTMdSxGhjfQMvkm2D1 $P$BOPzST0vwsR86QfIsQdspt4M5wUGVh. $P$BjAZ1S3pmcGOC8Op808lOK4l25Q3Ph0 $P$BPlIiO5xdHmThnjjSyJ1jBICfPkpay1 $P$BReStde51ZwKHVtiTgTJpB2zzmGJW91
The above hashes are legitimate phpass hashes created from six-character passwords. I could tell you the passwords, but that would defeat the fun of cracking them yourself.
Proprietary Video Drivers
For those of you who, like me, believe in open-source software, this next section may be a bit disappointing. To get hardware-accelerated password-cracking software working on your system, you need to install the proprietary video drivers from either AMD or NVIDIA. That said, if you already have been using your system for Bitcoin mining, you already have the drivers and libraries you need, so you can skip to the next section about Hashcat. Honestly, you also could just follow the Bitcoin mining HOWTOs for Linux, and that would describe how to get all the drivers and libraries you need.
Many modern desktops make it relatively easy to pull down and install the proprietary video drivers. For instance, an Ubuntu desktop will prompt you that restricted drivers are available to install both for AMD and NVIDIA cards. Most other popular distributions provide good documentation on how to pull down the proprietary drivers as well. In the worst case, you may have to download the software directly from the AMD or NVIDIA and install it that way—they both have clear instructions and software available for Linux just like for other OSes.
Once you have the proprietary drivers installed, you also need the AMD APP SDK for its OpenCL libraries or the NVIDIA CUDA libraries, depending on who made your video card. You likely will need to get these libraries directly from AMD or NVIDIA Web sites. The install is straightforward though. In my case, I downloaded the AMD-APP-SDK-v2.5-lnx32.tgz file from AMD, extracted it, and ran the provided Install-AMD-APP.sh shell script as root.
Many different password-cracking suites exist both for CPU- and GPU-based cracking. After reviewing all the options, I decided on the Hashcat family of cracking tools available at http://hashcat.net. On the site, you will see that a number of different tools are available. At first glance, it can be a bit confusing, as you can choose from hashcat, oclHashcat, oclHashcat-plus, oclHashcat-lite and even software called maskprocessor. Each program has its purpose though, depending on what you intend to do.
CPU-based, so slower than the GPU-based software.
Supports the widest range of hashing algorithms.
GPU-based password cracker.
Supports a moderate number of hashing algorithms.
Built-in support for dictionary, brute-force and mask attacks.
Supports the most hashing algorithms of the GPU-based hashcat crackers.
Optimized for dictionary attacks against multiple hashes.
Can support dictionary input from a pipe, so brute-force is possible.
Optimized for attacks against a single password hash.
Fastest of the hashcat family, but with the most-limited password hash support.
Generates dictionaries based on patterns you supply.
Not a password cracker in its own right, but can pipe output to oclHashcat-plus for a brute-force attack.
Even with the above lists, it may not always be clear which software to use. Basically, it comes down to what type of password you want to crack and what kind of attack you want to use. The page on hashcat.net devoted to each piece of software provides a list of the hashing algorithms they support along with benchmark speeds of how many comparisons they can do per second on different types of hardware. For a given password hash, go through those pages and see which type of Hashcat software supports your hash and has the highest benchmarks. Beyond that, use oclHashcat for mask or brute-force attacks against multiple hashes, oclHashcat-lite for single hashes or oclHashcat-plus if, as was the case with me, it's the only GPU-accelerated version that supported your hash.
Once you decide which type of Hashcat software to use, installation is relatively simple, if old-school. Just download the .7z package that corresponds to the software, and use the 7za command-line tool (which should be packaged for your distribution) to extract it. The software will extract into its own directory that provides 32- and 64-bit versions for both Linux and Windows. If you have NVIDIA hardware, you will use the binaries that begin with cuda; otherwise, you will use the versions that start with ocl. The directory also will contain a number of example hashes and dictionaries and example shell scripts you can use to make sure your libraries and drivers are in place. For instance, here's the example provided with the oclHashcat-plus software for cracking a phpass hash on a 64-bit system:
cat example.dict | ./oclHashcat-plus64.bin -m 400 example400.hash
Here's what the command output looked like when I ran the example against the 32-bit version on my test rig:
cat example.dict | ./oclHashcat-plus32.bin -m 400 example400.hash oclHashcat-plus v0.06 by atom starting... Hashes: 1 Unique salts: 1 Unique digests: 1 Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes Rules: 1 GPU-Loops: 128 GPU-Accel: 16 Password lengths range: 1 - 15 Platform: AMD compatible platform found Watchdog: Temperature limit set to 90c Device #1: Cayman, 2048MB, 0Mhz, 22MCU Device #1: Allocating 52MB host-memory Device #1: Kernel ./kernels/4098/m0400.Cayman.32.kernel (274238 bytes) Starting attack in wordlist stdin mode... $H$9y5boZ2wsUlgl2tI6b5PrRoADzYfXD1:hash234 Status.......: Cracked Input.Mode...: Piped Hash.Target..: $H$9y5boZ2wsUlgl2tI6b5PrRoADzYfXD1 Hash.Type....: phpass, MD5(Wordpress), MD5(phpBB3) Time.Running.: 1 sec Time.Util....: 1008.2ms/0.0ms Real/CPU, 0.0% idle Speed........: 65009 c/s Real, 619.7k c/s GPU Recovered....: 1/1 Digests, 1/1 Salts Progress.....: 65543 Rejected.....: 0 HW.Monitor.#1: 0% GPU, 47c Temp Started: Mon Dec 5 21:12:03 2011 Stopped: Mon Dec 5 21:12:04 2011
In this case, the password was hash234. For all of the hashcat commands, it's simple enough just to open a terminal and change to the directory you extracted and run the commands locally from there. At the beginning of the command output, you will be able to see what GPUs the software can detect. If you have multiple GPUs in use (even if they aren't chained), it should find them automatically. If it can't find your GPU, you will need to revisit how you installed your proprietary drivers and extra libraries.
Kyle Rankin is a director of engineering operations in the San Francisco Bay Area, the author of a number of books including DevOps Troubleshooting and The Official Ubuntu Server Book, and is a columnist for Linux Journal.