Cracking NTLMv2 Hashes With A 1080Ti Graphics Card & Kali

As far as I’m aware it’s not possible to use the power of your graphics card inside VMware Player or VitualBox. Given GPUs are so much quicker at performing that type of computing I installed Kali on a separate drive so I could optionally boot into it.

The first thing I did after install was update the system by running:

apt update && apt dist-upgrade -y && reboot

After the system has updated and restarted I ran the following:

apt install -y ocl-icd-libopencl1 nvidia-driver nvidia-cuda-toolkit

To verify it has installed correctly you can run “nvidia-smi” which will return driver version number and formation about the GPU (such as temps/utilization).

Finally if you run the command below you should be able to see if hashcat will now use your.

hashcat -I

For the full guide I followed follow this link https://docs.kali.org/general-use/install-nvidia-drivers-on-kali-linux.

Cracking NTLMv2 Hashes

I spent a while looking for wordlists to use, after running each of the word lists I managed to crack 3 out of the sample 10 hashes I had.
The command I used was:

hashcat -m 5600 hashfile.txt wordlist.txt

Next I looked at brute force and input masks, after a couple days of solid running it had cracked a further 1 password.

hashcat -m 5600 hashfile.txt -a 3

It was then while looking at a blog by someone I recently meet at SteelCon I came across a wordlist called Rocktastic that looked very promising. I downloaded it and gave it ago, instantly it cracked 7 out of the 10 hashes 🙂

More information on the Rocktastic list and a download for it can be found at Nettitude and credit for the list @myexploit2600.

Hashcat Benchmark For The 1080ti

Hashtype: MD5
Speed.Dev.#1.....: 35127.0 MH/s (53.46ms)

Hashtype: NetNTLMv1 / NetNTLMv1+ESS
Speed.Dev.#1.....: 31061.7 MH/s (60.46ms)

Hashtype: NetNTLMv2
Speed.Dev.#1.....:  2327.2 MH/s (50.43ms)

Hashtype: WPA/WPA2
Speed.Dev.#1.....:   587.0 kH/s (92.61ms)

The full benchmark output:

hashcat (pull/1273/head) starting in benchmark mode...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080 Ti, 2792/11169 MB allocatable, 28MCU

OpenCL Platform #2: The pocl project
====================================
* Device #2: pthread-AMD Ryzen 7 1800X Eight-Core Processor, skipped.

Hashtype: MD4

Speed.Dev.#1.....: 65302.5 MH/s (57.52ms)

Hashtype: MD5

Speed.Dev.#1.....: 35127.0 MH/s (53.46ms)

Hashtype: Half MD5

Speed.Dev.#1.....: 22266.5 MH/s (84.36ms)

Hashtype: SHA1

Speed.Dev.#1.....: 11643.8 MH/s (80.66ms)

Hashtype: SHA-256

Speed.Dev.#1.....:  4498.6 MH/s (51.98ms)

Hashtype: SHA-384

Speed.Dev.#1.....:  1419.7 MH/s (82.68ms)

Hashtype: SHA-512

Speed.Dev.#1.....:  1524.4 MH/s (77.01ms)

Hashtype: SHA-3 (Keccak)

Speed.Dev.#1.....:  1179.7 MH/s (99.51ms)

Hashtype: SipHash

Speed.Dev.#1.....: 41994.6 MH/s (89.46ms)

Hashtype: Skip32 (PT = $salt, key = $pass)

Speed.Dev.#1.....:  5815.3 MH/s (5.74ms)

Hashtype: RIPEMD-160

Speed.Dev.#1.....:  6888.0 MH/s (68.17ms)

Hashtype: Whirlpool

Speed.Dev.#1.....:   364.4 MH/s (160.96ms)

Hashtype: GOST R 34.11-94

Speed.Dev.#1.....:   342.7 MH/s (85.64ms)

Hashtype: GOST R 34.11-2012 (Streebog) 256-bit

Speed.Dev.#1.....: 72120.4 kH/s (201.13ms)

Hashtype: GOST R 34.11-2012 (Streebog) 512-bit

Speed.Dev.#1.....: 72162.0 kH/s (201.01ms)

Hashtype: DES (PT = $salt, key = $pass)

Speed.Dev.#1.....: 25297.2 MH/s (74.20ms)

Hashtype: 3DES (PT = $salt, key = $pass)

Speed.Dev.#1.....:   786.9 MH/s (74.59ms)

Hashtype: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)

Speed.Dev.#1.....:  9990.2 kH/s (90.33ms)

Hashtype: scrypt

Speed.Dev.#1.....:   841.5 kH/s (131.36ms)

Hashtype: PBKDF2-HMAC-MD5

Speed.Dev.#1.....: 10441.9 kH/s (56.44ms)

Hashtype: PBKDF2-HMAC-SHA1

Speed.Dev.#1.....:  4756.2 kH/s (94.75ms)

Hashtype: PBKDF2-HMAC-SHA256

Speed.Dev.#1.....:  1703.3 kH/s (57.78ms)

Hashtype: PBKDF2-HMAC-SHA512

Speed.Dev.#1.....:   628.9 kH/s (83.19ms)

Hashtype: Skype

Speed.Dev.#1.....: 18456.4 MH/s (50.87ms)

Hashtype: WPA/WPA2

Speed.Dev.#1.....:   587.0 kH/s (92.61ms)

Hashtype: IKE-PSK MD5

Speed.Dev.#1.....:  2513.8 MH/s (93.04ms)

Hashtype: IKE-PSK SHA1

Speed.Dev.#1.....:  1023.7 MH/s (57.28ms)

Hashtype: NetNTLMv1 / NetNTLMv1+ESS

Speed.Dev.#1.....: 31061.7 MH/s (60.46ms)

Hashtype: NetNTLMv2

Speed.Dev.#1.....:  2327.2 MH/s (50.43ms)

Hashtype: IPMI2 RAKP HMAC-SHA1

Speed.Dev.#1.....:  2385.8 MH/s (49.19ms)

Hashtype: Kerberos 5 AS-REQ Pre-Auth etype 23

Speed.Dev.#1.....:   418.2 MH/s (70.16ms)

Hashtype: Kerberos 5 TGS-REP etype 23

Speed.Dev.#1.....:   417.3 MH/s (70.33ms)

Hashtype: DNSSEC (NSEC3)

Speed.Dev.#1.....:  4844.6 MH/s (48.26ms)

Hashtype: PostgreSQL CRAM (MD5)

Speed.Dev.#1.....:  9556.2 MH/s (49.13ms)

Hashtype: MySQL CRAM (SHA1)

Speed.Dev.#1.....:  3340.9 MH/s (70.00ms)

Hashtype: SIP digest authentication (MD5)

Speed.Dev.#1.....:  2862.7 MH/s (81.70ms)

Hashtype: SMF (Simple Machines Forum) > v1.1

Speed.Dev.#1.....:  9826.2 MH/s (95.58ms)

Hashtype: vBulletin < v3.8.5

Speed.Dev.#1.....:  9956.8 MH/s (94.33ms)

Hashtype: vBulletin >= v3.8.5

Speed.Dev.#1.....:  6952.0 MH/s (67.54ms)

Hashtype: IPB2+ (Invision Power Board), MyBB 1.2+

Speed.Dev.#1.....:  7156.3 MH/s (65.61ms)

Hashtype: WBB3 (Woltlab Burning Board)

Speed.Dev.#1.....:  1840.1 MH/s (63.79ms)

Hashtype: OpenCart

Speed.Dev.#1.....:  2961.2 MH/s (78.98ms)

Hashtype: Joomla < 2.5.18

Speed.Dev.#1.....: 34854.0 MH/s (53.88ms)

Hashtype: PHPS

Speed.Dev.#1.....:  9952.3 MH/s (94.37ms)

Hashtype: Drupal7

Speed.Dev.#1.....:    82137 H/s (87.09ms)

Hashtype: osCommerce, xt:Commerce

Speed.Dev.#1.....: 18465.1 MH/s (50.85ms)

Hashtype: PrestaShop

Speed.Dev.#1.....: 11803.2 MH/s (79.57ms)

Hashtype: Django (SHA-1)

Speed.Dev.#1.....:  9804.9 MH/s (95.79ms)

Hashtype: Django (PBKDF2-SHA256)

Speed.Dev.#1.....:    86366 H/s (67.80ms)

Hashtype: MediaWiki B type

Speed.Dev.#1.....:  9410.5 MH/s (49.89ms)

Hashtype: Redmine

Speed.Dev.#1.....:  3968.0 MH/s (58.93ms)

Hashtype: PunBB

Speed.Dev.#1.....:  3963.9 MH/s (58.99ms)

Hashtype: PostgreSQL

Speed.Dev.#1.....: 34899.9 MH/s (53.82ms)

Hashtype: MSSQL (2000)

Speed.Dev.#1.....: 11858.6 MH/s (79.20ms)

Hashtype: MSSQL (2005)

Speed.Dev.#1.....: 11901.6 MH/s (78.91ms)

Hashtype: MSSQL (2012, 2014)

Speed.Dev.#1.....:  1453.9 MH/s (80.74ms)

Hashtype: MySQL323

Speed.Dev.#1.....: 74731.5 MH/s (50.26ms)

Hashtype: MySQL4.1/MySQL5

Speed.Dev.#1.....:  5387.3 MH/s (87.17ms)

Hashtype: Oracle H: Type (Oracle 7+)

Speed.Dev.#1.....:  1350.0 MH/s (86.96ms)

Hashtype: Oracle S: Type (Oracle 11+)

Speed.Dev.#1.....: 11542.8 MH/s (81.36ms)

Hashtype: Oracle T: Type (Oracle 12+)

Speed.Dev.#1.....:   154.1 kH/s (90.85ms)

Hashtype: Sybase ASE

Speed.Dev.#1.....:   372.8 MH/s (78.72ms)

Hashtype: Episerver 6.x < .NET 4

Speed.Dev.#1.....:  9826.6 MH/s (95.58ms)

Hashtype: Episerver 6.x >= .NET 4

Speed.Dev.#1.....:  3958.7 MH/s (59.07ms)

Hashtype: Apache $apr1$ MD5, md5apr1, MD5 (APR)

Speed.Dev.#1.....: 14627.4 kH/s (61.33ms)

Hashtype: ColdFusion 10+

Speed.Dev.#1.....:  2536.5 MH/s (92.21ms)

Hashtype: hMailServer

Speed.Dev.#1.....:  3958.2 MH/s (59.08ms)

Hashtype: nsldap, SHA-1(Base64), Netscape LDAP SHA

Speed.Dev.#1.....: 11542.5 MH/s (81.37ms)

Hashtype: nsldaps, SSHA-1(Base64), Netscape LDAP SSHA

Speed.Dev.#1.....: 11538.4 MH/s (81.39ms)

Hashtype: SSHA-256(Base64), LDAP {SSHA256}

Speed.Dev.#1.....:  4468.4 MH/s (52.33ms)

Hashtype: SSHA-512(Base64), LDAP {SSHA512}

Speed.Dev.#1.....:  1513.9 MH/s (77.54ms)

Hashtype: LM

Speed.Dev.#1.....: 23287.2 MH/s (80.61ms)

Hashtype: NTLM

Speed.Dev.#1.....: 58914.5 MH/s (63.75ms)

Hashtype: Domain Cached Credentials (DCC), MS Cache

Speed.Dev.#1.....: 16484.3 MH/s (56.97ms)

Hashtype: Domain Cached Credentials 2 (DCC2), MS Cache 2

Speed.Dev.#1.....:   477.6 kH/s (95.93ms)

Hashtype: DPAPI masterkey file v1 and v2

Speed.Dev.#1.....:   103.5 kH/s (94.14ms)

Hashtype: MS-AzureSync PBKDF2-HMAC-SHA256

Speed.Dev.#1.....: 14593.7 kH/s (47.54ms)

Hashtype: descrypt, DES (Unix), Traditional DES

Speed.Dev.#1.....:  1316.2 MH/s (89.14ms)

Hashtype: BSDi Crypt, Extended DES

Speed.Dev.#1.....:  2195.1 kH/s (69.12ms)

Hashtype: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)

Speed.Dev.#1.....: 14630.9 kH/s (61.30ms)

Hashtype: bcrypt $2*$, Blowfish (Unix)

Speed.Dev.#1.....:    22213 H/s (39.31ms)

Hashtype: sha256crypt $5$, SHA256 (Unix)

Speed.Dev.#1.....:   541.5 kH/s (83.95ms)

Hashtype: sha512crypt $6$, SHA512 (Unix)

Speed.Dev.#1.....:   217.5 kH/s (53.17ms)

Hashtype: OSX v10.4, OSX v10.5, OSX v10.6

Speed.Dev.#1.....:  9830.6 MH/s (95.54ms)

Hashtype: OSX v10.7

Speed.Dev.#1.....:  1354.3 MH/s (86.68ms)

Hashtype: OSX v10.8+ (PBKDF2-SHA512)

Speed.Dev.#1.....:    17610 H/s (95.04ms)

Hashtype: AIX {smd5}

Speed.Dev.#1.....: 14399.9 kH/s (62.13ms)

Hashtype: AIX {ssha1}

Speed.Dev.#1.....: 62760.5 kH/s (49.00ms)

Hashtype: AIX {ssha256}

Speed.Dev.#1.....: 24644.7 kH/s (68.39ms)

Hashtype: AIX {ssha512}

Speed.Dev.#1.....:  9549.5 kH/s (89.75ms)

Hashtype: Cisco-PIX MD5

Speed.Dev.#1.....: 23197.0 MH/s (80.97ms)

Hashtype: Cisco-ASA MD5

Speed.Dev.#1.....: 25793.0 MH/s (72.82ms)

Hashtype: Cisco-IOS type 4 (SHA256)

Speed.Dev.#1.....:  4464.8 MH/s (52.37ms)

Hashtype: Cisco-IOS $8$ (PBKDF2-SHA256)

Speed.Dev.#1.....:    86657 H/s (67.58ms)

Hashtype: Cisco-IOS $9$ (scrypt)

Speed.Dev.#1.....:    14298 H/s (8014.67ms)

Hashtype: Juniper NetScreen/SSG (ScreenOS)

Speed.Dev.#1.....: 18165.6 MH/s (51.69ms)

Hashtype: Juniper IVE

Speed.Dev.#1.....: 14671.4 kH/s (61.15ms)

Hashtype: Samsung Android Password/PIN

Speed.Dev.#1.....:  7939.2 kH/s (57.04ms)

Hashtype: Citrix NetScaler

Speed.Dev.#1.....: 10651.6 MH/s (88.17ms)

Hashtype: RACF

Speed.Dev.#1.....:  3645.9 MH/s (64.39ms)

Hashtype: GRUB 2

Speed.Dev.#1.....:    62994 H/s (92.98ms)

Hashtype: Radmin2

Speed.Dev.#1.....: 12119.9 MH/s (77.49ms)

Hashtype: SAP CODVN B (BCODE)

Speed.Dev.#1.....:  2325.2 MH/s (50.48ms)

Hashtype: SAP CODVN F/G (PASSCODE)

Speed.Dev.#1.....:  1322.7 MH/s (88.75ms)

Hashtype: SAP CODVN H (PWDSALTEDHASH) iSSHA-1

Speed.Dev.#1.....:  8833.4 kH/s (51.13ms)

Hashtype: Lotus Notes/Domino 5

Speed.Dev.#1.....:   306.6 MH/s (95.72ms)

Hashtype: Lotus Notes/Domino 6

Speed.Dev.#1.....:   102.6 MH/s (71.48ms)

Hashtype: Lotus Notes/Domino 8

Speed.Dev.#1.....:   968.4 kH/s (93.84ms)

Hashtype: PeopleSoft

Speed.Dev.#1.....: 11915.5 MH/s (78.82ms)

Hashtype: PeopleSoft PS_TOKEN

Speed.Dev.#1.....:  4635.9 MH/s (50.44ms)

Hashtype: 7-Zip

Speed.Dev.#1.....:    13005 H/s (68.67ms)

Hashtype: WinZip

Speed.Dev.#1.....:  1554.5 kH/s (63.08ms)

Hashtype: RAR3-hp

Speed.Dev.#1.....:    41861 H/s (42.75ms)

Hashtype: RAR5

Speed.Dev.#1.....:    52782 H/s (67.71ms)

Hashtype: AxCrypt

Speed.Dev.#1.....:   167.1 kH/s (139.86ms)

Hashtype: AxCrypt in-memory SHA1

Speed.Dev.#1.....: 11052.6 MH/s (84.97ms)

Hashtype: TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit

Speed.Dev.#1.....:   399.0 kH/s (67.94ms)

Hashtype: TrueCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit

Speed.Dev.#1.....:   590.6 kH/s (82.21ms)

Hashtype: TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit

Speed.Dev.#1.....:    52937 H/s (267.52ms)

Hashtype: TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit + boot-mode

Speed.Dev.#1.....:   754.9 kH/s (62.44ms)

Hashtype: VeraCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit

Speed.Dev.#1.....:     1277 H/s (69.49ms)

Hashtype: VeraCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit

Speed.Dev.#1.....:     1269 H/s (91.79ms)

Hashtype: VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit

Speed.Dev.#1.....:       93 H/s (273.28ms)

Hashtype: VeraCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit + boot-mode

Speed.Dev.#1.....:     2554 H/s (69.48ms)

Hashtype: VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit

Speed.Dev.#1.....:     1665 H/s (70.26ms)

Hashtype: VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit + boot-mode

Speed.Dev.#1.....:     4152 H/s (70.45ms)

Hashtype: Android FDE <= 4.3

Speed.Dev.#1.....:  1193.1 kH/s (94.90ms)

Hashtype: Android FDE (Samsung DEK)

Speed.Dev.#1.....:   419.4 kH/s (67.98ms)

Hashtype: eCryptfs

Speed.Dev.#1.....:    19307 H/s (92.74ms)

Hashtype: MS Office <= 2003 $0/$1, MD5 + RC4

Speed.Dev.#1.....:   327.2 MH/s (89.69ms)

Hashtype: MS Office <= 2003 $0/$1, MD5 + RC4, collider #1

Speed.Dev.#1.....:   467.5 MH/s (62.77ms)

Hashtype: MS Office <= 2003 $3/$4, SHA1 + RC4

Speed.Dev.#1.....:   427.5 MH/s (68.63ms)

Hashtype: MS Office <= 2003 $3, SHA1 + RC4, collider #1

Speed.Dev.#1.....:   485.0 MH/s (60.51ms)

Hashtype: MS Office 2007

Speed.Dev.#1.....:   192.2 kH/s (97.67ms)

Hashtype: MS Office 2010

Speed.Dev.#1.....:    96096 H/s (97.66ms)

Hashtype: MS Office 2013

Speed.Dev.#1.....:    12719 H/s (92.07ms)

Hashtype: PDF 1.1 - 1.3 (Acrobat 2 - 4)

Speed.Dev.#1.....:   481.8 MH/s (60.91ms)

Hashtype: PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1

Speed.Dev.#1.....:   539.2 MH/s (54.42ms)

Hashtype: PDF 1.4 - 1.6 (Acrobat 5 - 8)

Speed.Dev.#1.....: 23674.5 kH/s (36.94ms)

Hashtype: PDF 1.7 Level 3 (Acrobat 9)

Speed.Dev.#1.....:  4481.5 MH/s (52.17ms)

Hashtype: PDF 1.7 Level 8 (Acrobat 10 - 11)

Speed.Dev.#1.....:    44038 H/s (271.21ms)

Hashtype: Password Safe v2

Speed.Dev.#1.....:   438.9 kH/s (42.02ms)

Hashtype: Password Safe v3

Speed.Dev.#1.....:  1756.5 kH/s (59.15ms)

Hashtype: LastPass + LastPass sniffed

Speed.Dev.#1.....:  3376.9 kH/s (49.89ms)

Hashtype: 1Password, agilekeychain

Speed.Dev.#1.....:  4801.5 kH/s (70.44ms)

Hashtype: 1Password, cloudkeychain

Speed.Dev.#1.....:    15784 H/s (92.69ms)

Hashtype: Bitcoin/Litecoin wallet.dat

Speed.Dev.#1.....:     6345 H/s (92.29ms)

Hashtype: Blockchain, My Wallet

Speed.Dev.#1.....: 71958.3 kH/s (17.48ms)

Hashtype: Blockchain, My Wallet, V2

Speed.Dev.#1.....:   481.2 kH/s (94.88ms)

Hashtype: KeePass 1 (AES/Twofish) and KeePass 2 (AES)

Speed.Dev.#1.....:   197.7 kH/s (197.11ms)

Hashtype: JKS Java Key Store Private Keys (SHA1)

Speed.Dev.#1.....: 11314.7 MH/s (83.00ms)

Hashtype: Ethereum Wallet, PBKDF2-HMAC-SHA256

Speed.Dev.#1.....:     6593 H/s (67.62ms)

Hashtype: ArubaOS

Speed.Dev.#1.....:  9752.7 MH/s (96.30ms)

Hashtype: ChaCha20

Speed.Dev.#1.....:  6378.0 MH/s (73.62ms)

Started: Sat Aug  5 09:36:09 2017
Stopped: Sat Aug  5 09:47:32 2017

 

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.