Cracking NTLMv2 Hashes With A 1080Ti Graphics Card & Kali
As far as I’m aware it’s not possible to use the power of your graphics card inside VMware Player or VitualBox. Given GPUs are so much quicker at performing that type of computing I installed Kali on a separate drive so I could optionally boot into it.
The first thing I did after install was update the system by running:
apt update && apt dist-upgrade -y && reboot
After the system has updated and restarted I ran the following:
apt install -y ocl-icd-libopencl1 nvidia-driver nvidia-cuda-toolkit
To verify it has installed correctly you can run “nvidia-smi” which will return driver version number and formation about the GPU (such as temps/utilization).
Finally if you run the command below you should be able to see if hashcat will now use your.
hashcat -I
For the full guide I followed follow this link https://docs.kali.org/general-use/install-nvidia-drivers-on-kali-linux.
Cracking NTLMv2 Hashes
I spent a while looking for wordlists to use, after running each of the word lists I managed to crack 3 out of the sample 10 hashes I had.
The command I used was:
hashcat -m 5600 hashfile.txt wordlist.txt
Next I looked at brute force and input masks, after a couple days of solid running it had cracked a further 1 password.
hashcat -m 5600 hashfile.txt -a 3
It was then while looking at a blog by someone I recently meet at SteelCon I came across a wordlist called Rocktastic that looked very promising. I downloaded it and gave it ago, instantly it cracked 7 out of the 10 hashes 🙂
More information on the Rocktastic list and a download for it can be found at Nettitude and credit for the list @myexploit2600.
Hashcat Benchmark For The 1080ti
Hashtype: MD5 Speed.Dev.#1.....: 35127.0 MH/s (53.46ms) Hashtype: NetNTLMv1 / NetNTLMv1+ESS Speed.Dev.#1.....: 31061.7 MH/s (60.46ms) Hashtype: NetNTLMv2 Speed.Dev.#1.....: 2327.2 MH/s (50.43ms) Hashtype: WPA/WPA2 Speed.Dev.#1.....: 587.0 kH/s (92.61ms)
The full benchmark output:
hashcat (pull/1273/head) starting in benchmark mode...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080 Ti, 2792/11169 MB allocatable, 28MCU
OpenCL Platform #2: The pocl project
====================================
* Device #2: pthread-AMD Ryzen 7 1800X Eight-Core Processor, skipped.
Hashtype: MD4
Speed.Dev.#1.....: 65302.5 MH/s (57.52ms)
Hashtype: MD5
Speed.Dev.#1.....: 35127.0 MH/s (53.46ms)
Hashtype: Half MD5
Speed.Dev.#1.....: 22266.5 MH/s (84.36ms)
Hashtype: SHA1
Speed.Dev.#1.....: 11643.8 MH/s (80.66ms)
Hashtype: SHA-256
Speed.Dev.#1.....: 4498.6 MH/s (51.98ms)
Hashtype: SHA-384
Speed.Dev.#1.....: 1419.7 MH/s (82.68ms)
Hashtype: SHA-512
Speed.Dev.#1.....: 1524.4 MH/s (77.01ms)
Hashtype: SHA-3 (Keccak)
Speed.Dev.#1.....: 1179.7 MH/s (99.51ms)
Hashtype: SipHash
Speed.Dev.#1.....: 41994.6 MH/s (89.46ms)
Hashtype: Skip32 (PT = $salt, key = $pass)
Speed.Dev.#1.....: 5815.3 MH/s (5.74ms)
Hashtype: RIPEMD-160
Speed.Dev.#1.....: 6888.0 MH/s (68.17ms)
Hashtype: Whirlpool
Speed.Dev.#1.....: 364.4 MH/s (160.96ms)
Hashtype: GOST R 34.11-94
Speed.Dev.#1.....: 342.7 MH/s (85.64ms)
Hashtype: GOST R 34.11-2012 (Streebog) 256-bit
Speed.Dev.#1.....: 72120.4 kH/s (201.13ms)
Hashtype: GOST R 34.11-2012 (Streebog) 512-bit
Speed.Dev.#1.....: 72162.0 kH/s (201.01ms)
Hashtype: DES (PT = $salt, key = $pass)
Speed.Dev.#1.....: 25297.2 MH/s (74.20ms)
Hashtype: 3DES (PT = $salt, key = $pass)
Speed.Dev.#1.....: 786.9 MH/s (74.59ms)
Hashtype: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Speed.Dev.#1.....: 9990.2 kH/s (90.33ms)
Hashtype: scrypt
Speed.Dev.#1.....: 841.5 kH/s (131.36ms)
Hashtype: PBKDF2-HMAC-MD5
Speed.Dev.#1.....: 10441.9 kH/s (56.44ms)
Hashtype: PBKDF2-HMAC-SHA1
Speed.Dev.#1.....: 4756.2 kH/s (94.75ms)
Hashtype: PBKDF2-HMAC-SHA256
Speed.Dev.#1.....: 1703.3 kH/s (57.78ms)
Hashtype: PBKDF2-HMAC-SHA512
Speed.Dev.#1.....: 628.9 kH/s (83.19ms)
Hashtype: Skype
Speed.Dev.#1.....: 18456.4 MH/s (50.87ms)
Hashtype: WPA/WPA2
Speed.Dev.#1.....: 587.0 kH/s (92.61ms)
Hashtype: IKE-PSK MD5
Speed.Dev.#1.....: 2513.8 MH/s (93.04ms)
Hashtype: IKE-PSK SHA1
Speed.Dev.#1.....: 1023.7 MH/s (57.28ms)
Hashtype: NetNTLMv1 / NetNTLMv1+ESS
Speed.Dev.#1.....: 31061.7 MH/s (60.46ms)
Hashtype: NetNTLMv2
Speed.Dev.#1.....: 2327.2 MH/s (50.43ms)
Hashtype: IPMI2 RAKP HMAC-SHA1
Speed.Dev.#1.....: 2385.8 MH/s (49.19ms)
Hashtype: Kerberos 5 AS-REQ Pre-Auth etype 23
Speed.Dev.#1.....: 418.2 MH/s (70.16ms)
Hashtype: Kerberos 5 TGS-REP etype 23
Speed.Dev.#1.....: 417.3 MH/s (70.33ms)
Hashtype: DNSSEC (NSEC3)
Speed.Dev.#1.....: 4844.6 MH/s (48.26ms)
Hashtype: PostgreSQL CRAM (MD5)
Speed.Dev.#1.....: 9556.2 MH/s (49.13ms)
Hashtype: MySQL CRAM (SHA1)
Speed.Dev.#1.....: 3340.9 MH/s (70.00ms)
Hashtype: SIP digest authentication (MD5)
Speed.Dev.#1.....: 2862.7 MH/s (81.70ms)
Hashtype: SMF (Simple Machines Forum) > v1.1
Speed.Dev.#1.....: 9826.2 MH/s (95.58ms)
Hashtype: vBulletin < v3.8.5
Speed.Dev.#1.....: 9956.8 MH/s (94.33ms)
Hashtype: vBulletin >= v3.8.5
Speed.Dev.#1.....: 6952.0 MH/s (67.54ms)
Hashtype: IPB2+ (Invision Power Board), MyBB 1.2+
Speed.Dev.#1.....: 7156.3 MH/s (65.61ms)
Hashtype: WBB3 (Woltlab Burning Board)
Speed.Dev.#1.....: 1840.1 MH/s (63.79ms)
Hashtype: OpenCart
Speed.Dev.#1.....: 2961.2 MH/s (78.98ms)
Hashtype: Joomla < 2.5.18
Speed.Dev.#1.....: 34854.0 MH/s (53.88ms)
Hashtype: PHPS
Speed.Dev.#1.....: 9952.3 MH/s (94.37ms)
Hashtype: Drupal7
Speed.Dev.#1.....: 82137 H/s (87.09ms)
Hashtype: osCommerce, xt:Commerce
Speed.Dev.#1.....: 18465.1 MH/s (50.85ms)
Hashtype: PrestaShop
Speed.Dev.#1.....: 11803.2 MH/s (79.57ms)
Hashtype: Django (SHA-1)
Speed.Dev.#1.....: 9804.9 MH/s (95.79ms)
Hashtype: Django (PBKDF2-SHA256)
Speed.Dev.#1.....: 86366 H/s (67.80ms)
Hashtype: MediaWiki B type
Speed.Dev.#1.....: 9410.5 MH/s (49.89ms)
Hashtype: Redmine
Speed.Dev.#1.....: 3968.0 MH/s (58.93ms)
Hashtype: PunBB
Speed.Dev.#1.....: 3963.9 MH/s (58.99ms)
Hashtype: PostgreSQL
Speed.Dev.#1.....: 34899.9 MH/s (53.82ms)
Hashtype: MSSQL (2000)
Speed.Dev.#1.....: 11858.6 MH/s (79.20ms)
Hashtype: MSSQL (2005)
Speed.Dev.#1.....: 11901.6 MH/s (78.91ms)
Hashtype: MSSQL (2012, 2014)
Speed.Dev.#1.....: 1453.9 MH/s (80.74ms)
Hashtype: MySQL323
Speed.Dev.#1.....: 74731.5 MH/s (50.26ms)
Hashtype: MySQL4.1/MySQL5
Speed.Dev.#1.....: 5387.3 MH/s (87.17ms)
Hashtype: Oracle H: Type (Oracle 7+)
Speed.Dev.#1.....: 1350.0 MH/s (86.96ms)
Hashtype: Oracle S: Type (Oracle 11+)
Speed.Dev.#1.....: 11542.8 MH/s (81.36ms)
Hashtype: Oracle T: Type (Oracle 12+)
Speed.Dev.#1.....: 154.1 kH/s (90.85ms)
Hashtype: Sybase ASE
Speed.Dev.#1.....: 372.8 MH/s (78.72ms)
Hashtype: Episerver 6.x < .NET 4
Speed.Dev.#1.....: 9826.6 MH/s (95.58ms)
Hashtype: Episerver 6.x >= .NET 4
Speed.Dev.#1.....: 3958.7 MH/s (59.07ms)
Hashtype: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Speed.Dev.#1.....: 14627.4 kH/s (61.33ms)
Hashtype: ColdFusion 10+
Speed.Dev.#1.....: 2536.5 MH/s (92.21ms)
Hashtype: hMailServer
Speed.Dev.#1.....: 3958.2 MH/s (59.08ms)
Hashtype: nsldap, SHA-1(Base64), Netscape LDAP SHA
Speed.Dev.#1.....: 11542.5 MH/s (81.37ms)
Hashtype: nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
Speed.Dev.#1.....: 11538.4 MH/s (81.39ms)
Hashtype: SSHA-256(Base64), LDAP {SSHA256}
Speed.Dev.#1.....: 4468.4 MH/s (52.33ms)
Hashtype: SSHA-512(Base64), LDAP {SSHA512}
Speed.Dev.#1.....: 1513.9 MH/s (77.54ms)
Hashtype: LM
Speed.Dev.#1.....: 23287.2 MH/s (80.61ms)
Hashtype: NTLM
Speed.Dev.#1.....: 58914.5 MH/s (63.75ms)
Hashtype: Domain Cached Credentials (DCC), MS Cache
Speed.Dev.#1.....: 16484.3 MH/s (56.97ms)
Hashtype: Domain Cached Credentials 2 (DCC2), MS Cache 2
Speed.Dev.#1.....: 477.6 kH/s (95.93ms)
Hashtype: DPAPI masterkey file v1 and v2
Speed.Dev.#1.....: 103.5 kH/s (94.14ms)
Hashtype: MS-AzureSync PBKDF2-HMAC-SHA256
Speed.Dev.#1.....: 14593.7 kH/s (47.54ms)
Hashtype: descrypt, DES (Unix), Traditional DES
Speed.Dev.#1.....: 1316.2 MH/s (89.14ms)
Hashtype: BSDi Crypt, Extended DES
Speed.Dev.#1.....: 2195.1 kH/s (69.12ms)
Hashtype: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Speed.Dev.#1.....: 14630.9 kH/s (61.30ms)
Hashtype: bcrypt $2*$, Blowfish (Unix)
Speed.Dev.#1.....: 22213 H/s (39.31ms)
Hashtype: sha256crypt $5$, SHA256 (Unix)
Speed.Dev.#1.....: 541.5 kH/s (83.95ms)
Hashtype: sha512crypt $6$, SHA512 (Unix)
Speed.Dev.#1.....: 217.5 kH/s (53.17ms)
Hashtype: OSX v10.4, OSX v10.5, OSX v10.6
Speed.Dev.#1.....: 9830.6 MH/s (95.54ms)
Hashtype: OSX v10.7
Speed.Dev.#1.....: 1354.3 MH/s (86.68ms)
Hashtype: OSX v10.8+ (PBKDF2-SHA512)
Speed.Dev.#1.....: 17610 H/s (95.04ms)
Hashtype: AIX {smd5}
Speed.Dev.#1.....: 14399.9 kH/s (62.13ms)
Hashtype: AIX {ssha1}
Speed.Dev.#1.....: 62760.5 kH/s (49.00ms)
Hashtype: AIX {ssha256}
Speed.Dev.#1.....: 24644.7 kH/s (68.39ms)
Hashtype: AIX {ssha512}
Speed.Dev.#1.....: 9549.5 kH/s (89.75ms)
Hashtype: Cisco-PIX MD5
Speed.Dev.#1.....: 23197.0 MH/s (80.97ms)
Hashtype: Cisco-ASA MD5
Speed.Dev.#1.....: 25793.0 MH/s (72.82ms)
Hashtype: Cisco-IOS type 4 (SHA256)
Speed.Dev.#1.....: 4464.8 MH/s (52.37ms)
Hashtype: Cisco-IOS $8$ (PBKDF2-SHA256)
Speed.Dev.#1.....: 86657 H/s (67.58ms)
Hashtype: Cisco-IOS $9$ (scrypt)
Speed.Dev.#1.....: 14298 H/s (8014.67ms)
Hashtype: Juniper NetScreen/SSG (ScreenOS)
Speed.Dev.#1.....: 18165.6 MH/s (51.69ms)
Hashtype: Juniper IVE
Speed.Dev.#1.....: 14671.4 kH/s (61.15ms)
Hashtype: Samsung Android Password/PIN
Speed.Dev.#1.....: 7939.2 kH/s (57.04ms)
Hashtype: Citrix NetScaler
Speed.Dev.#1.....: 10651.6 MH/s (88.17ms)
Hashtype: RACF
Speed.Dev.#1.....: 3645.9 MH/s (64.39ms)
Hashtype: GRUB 2
Speed.Dev.#1.....: 62994 H/s (92.98ms)
Hashtype: Radmin2
Speed.Dev.#1.....: 12119.9 MH/s (77.49ms)
Hashtype: SAP CODVN B (BCODE)
Speed.Dev.#1.....: 2325.2 MH/s (50.48ms)
Hashtype: SAP CODVN F/G (PASSCODE)
Speed.Dev.#1.....: 1322.7 MH/s (88.75ms)
Hashtype: SAP CODVN H (PWDSALTEDHASH) iSSHA-1
Speed.Dev.#1.....: 8833.4 kH/s (51.13ms)
Hashtype: Lotus Notes/Domino 5
Speed.Dev.#1.....: 306.6 MH/s (95.72ms)
Hashtype: Lotus Notes/Domino 6
Speed.Dev.#1.....: 102.6 MH/s (71.48ms)
Hashtype: Lotus Notes/Domino 8
Speed.Dev.#1.....: 968.4 kH/s (93.84ms)
Hashtype: PeopleSoft
Speed.Dev.#1.....: 11915.5 MH/s (78.82ms)
Hashtype: PeopleSoft PS_TOKEN
Speed.Dev.#1.....: 4635.9 MH/s (50.44ms)
Hashtype: 7-Zip
Speed.Dev.#1.....: 13005 H/s (68.67ms)
Hashtype: WinZip
Speed.Dev.#1.....: 1554.5 kH/s (63.08ms)
Hashtype: RAR3-hp
Speed.Dev.#1.....: 41861 H/s (42.75ms)
Hashtype: RAR5
Speed.Dev.#1.....: 52782 H/s (67.71ms)
Hashtype: AxCrypt
Speed.Dev.#1.....: 167.1 kH/s (139.86ms)
Hashtype: AxCrypt in-memory SHA1
Speed.Dev.#1.....: 11052.6 MH/s (84.97ms)
Hashtype: TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit
Speed.Dev.#1.....: 399.0 kH/s (67.94ms)
Hashtype: TrueCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit
Speed.Dev.#1.....: 590.6 kH/s (82.21ms)
Hashtype: TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit
Speed.Dev.#1.....: 52937 H/s (267.52ms)
Hashtype: TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit + boot-mode
Speed.Dev.#1.....: 754.9 kH/s (62.44ms)
Hashtype: VeraCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit
Speed.Dev.#1.....: 1277 H/s (69.49ms)
Hashtype: VeraCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit
Speed.Dev.#1.....: 1269 H/s (91.79ms)
Hashtype: VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit
Speed.Dev.#1.....: 93 H/s (273.28ms)
Hashtype: VeraCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit + boot-mode
Speed.Dev.#1.....: 2554 H/s (69.48ms)
Hashtype: VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit
Speed.Dev.#1.....: 1665 H/s (70.26ms)
Hashtype: VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit + boot-mode
Speed.Dev.#1.....: 4152 H/s (70.45ms)
Hashtype: Android FDE <= 4.3
Speed.Dev.#1.....: 1193.1 kH/s (94.90ms)
Hashtype: Android FDE (Samsung DEK)
Speed.Dev.#1.....: 419.4 kH/s (67.98ms)
Hashtype: eCryptfs
Speed.Dev.#1.....: 19307 H/s (92.74ms)
Hashtype: MS Office <= 2003 $0/$1, MD5 + RC4
Speed.Dev.#1.....: 327.2 MH/s (89.69ms)
Hashtype: MS Office <= 2003 $0/$1, MD5 + RC4, collider #1
Speed.Dev.#1.....: 467.5 MH/s (62.77ms)
Hashtype: MS Office <= 2003 $3/$4, SHA1 + RC4
Speed.Dev.#1.....: 427.5 MH/s (68.63ms)
Hashtype: MS Office <= 2003 $3, SHA1 + RC4, collider #1
Speed.Dev.#1.....: 485.0 MH/s (60.51ms)
Hashtype: MS Office 2007
Speed.Dev.#1.....: 192.2 kH/s (97.67ms)
Hashtype: MS Office 2010
Speed.Dev.#1.....: 96096 H/s (97.66ms)
Hashtype: MS Office 2013
Speed.Dev.#1.....: 12719 H/s (92.07ms)
Hashtype: PDF 1.1 - 1.3 (Acrobat 2 - 4)
Speed.Dev.#1.....: 481.8 MH/s (60.91ms)
Hashtype: PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1
Speed.Dev.#1.....: 539.2 MH/s (54.42ms)
Hashtype: PDF 1.4 - 1.6 (Acrobat 5 - 8)
Speed.Dev.#1.....: 23674.5 kH/s (36.94ms)
Hashtype: PDF 1.7 Level 3 (Acrobat 9)
Speed.Dev.#1.....: 4481.5 MH/s (52.17ms)
Hashtype: PDF 1.7 Level 8 (Acrobat 10 - 11)
Speed.Dev.#1.....: 44038 H/s (271.21ms)
Hashtype: Password Safe v2
Speed.Dev.#1.....: 438.9 kH/s (42.02ms)
Hashtype: Password Safe v3
Speed.Dev.#1.....: 1756.5 kH/s (59.15ms)
Hashtype: LastPass + LastPass sniffed
Speed.Dev.#1.....: 3376.9 kH/s (49.89ms)
Hashtype: 1Password, agilekeychain
Speed.Dev.#1.....: 4801.5 kH/s (70.44ms)
Hashtype: 1Password, cloudkeychain
Speed.Dev.#1.....: 15784 H/s (92.69ms)
Hashtype: Bitcoin/Litecoin wallet.dat
Speed.Dev.#1.....: 6345 H/s (92.29ms)
Hashtype: Blockchain, My Wallet
Speed.Dev.#1.....: 71958.3 kH/s (17.48ms)
Hashtype: Blockchain, My Wallet, V2
Speed.Dev.#1.....: 481.2 kH/s (94.88ms)
Hashtype: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Speed.Dev.#1.....: 197.7 kH/s (197.11ms)
Hashtype: JKS Java Key Store Private Keys (SHA1)
Speed.Dev.#1.....: 11314.7 MH/s (83.00ms)
Hashtype: Ethereum Wallet, PBKDF2-HMAC-SHA256
Speed.Dev.#1.....: 6593 H/s (67.62ms)
Hashtype: ArubaOS
Speed.Dev.#1.....: 9752.7 MH/s (96.30ms)
Hashtype: ChaCha20
Speed.Dev.#1.....: 6378.0 MH/s (73.62ms)
Started: Sat Aug 5 09:36:09 2017
Stopped: Sat Aug 5 09:47:32 2017