New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OSX with AMD GPU fails to crack NTLM hashes #1348

Closed
kureeoffsec opened this Issue Aug 29, 2017 · 11 comments

Comments

Projects
None yet
5 participants
@kureeoffsec

kureeoffsec commented Aug 29, 2017

I recently ran into an issue with hashcat installed on OSX when attempting to crack NTLM (-m 1000).

The current build is unable to crack NTLM hashes. I attempted to replicate this issue by using the example hash for "hashcat" b4b9b02e6f09a9bd760f388b67351e2b and still was unable to get hashcat to crack the hash.

Additional information:

Openssl version 1.0.2l installed with homebrew
AMD R9 M370X graphics card

@philsmd

This comment has been minimized.

Show comment
Hide comment
@philsmd

philsmd Aug 30, 2017

Member

What's the version of hashcat that you use?
What's your command line parameters?
Did you try with other attack types? Did you try with different masks etc?

BTW: some users make the mistake to use something like "./hashcat -m 1000 hash -a 3 hashcat"
but they forget that whenever there is a file called "hashcat" in this particular directory, the mask will be seen as a mask file

Furthermore, newest versions of hashcat (beta, see https://hashcat.net/beta/) have self-tests enabled and therefore you will see a warning whenever there is a problem with the kernels (false negatives) etc

Member

philsmd commented Aug 30, 2017

What's the version of hashcat that you use?
What's your command line parameters?
Did you try with other attack types? Did you try with different masks etc?

BTW: some users make the mistake to use something like "./hashcat -m 1000 hash -a 3 hashcat"
but they forget that whenever there is a file called "hashcat" in this particular directory, the mask will be seen as a mask file

Furthermore, newest versions of hashcat (beta, see https://hashcat.net/beta/) have self-tests enabled and therefore you will see a warning whenever there is a problem with the kernels (false negatives) etc

@kureeoffsec

This comment has been minimized.

Show comment
Hide comment
@kureeoffsec

kureeoffsec Aug 30, 2017

Hashcat Version: v3.6.0-456-g6d112aeb

Built following instructions for OSX on https://github.com/hashcat/hashcat/blob/master/BUILD.md

Device #3: AMD Radeon R9 M370X Compute Engine, 512/2048 MB allocatable, 10MCU

hashcat/hashcat -a 0 -m 1000 -r hashcat/rules/best64.rule testNtlmHash.txt hashcatTestPass.txt --potfile-path testNtlmHash.pot -d 3

I know that I can crack the password with JohnTheRipper, and that in order to properly compile JTR on OSX, I need to point to homebrew's version of openssl as you can see in the bottom of the info section.

$brew info openssl
openssl: stable 1.0.2l (bottled) [keg-only]
SSL/TLS cryptography library
https://openssl.org/
/usr/local/Cellar/openssl/1.0.2l (1,709 files, 12.2MB)
Poured from bottle on 2017-08-29 at 19:10:34
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/openssl.rb
==> Dependencies
Build: makedepend ✘
==> Options
--without-test
Skip build-time tests (not recommended)
==> Caveats
A CA file has been bootstrapped using certificates from the SystemRoots
keychain. To add additional certificates (e.g. the certificates added in
the System keychain), place .pem files in
/usr/local/etc/openssl/certs

and run
/usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local,
because Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries.

If you need to have this software first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile

For compilers to find this software you may need to set:
LDFLAGS: -L/usr/local/opt/openssl/lib
CPPFLAGS: -I/usr/local/opt/openssl/include

Could it be an issue with OSX's native installed libraries, and if so, how could I point the hashcat compiler at the homebrew installed libraries?

kureeoffsec commented Aug 30, 2017

Hashcat Version: v3.6.0-456-g6d112aeb

Built following instructions for OSX on https://github.com/hashcat/hashcat/blob/master/BUILD.md

Device #3: AMD Radeon R9 M370X Compute Engine, 512/2048 MB allocatable, 10MCU

hashcat/hashcat -a 0 -m 1000 -r hashcat/rules/best64.rule testNtlmHash.txt hashcatTestPass.txt --potfile-path testNtlmHash.pot -d 3

I know that I can crack the password with JohnTheRipper, and that in order to properly compile JTR on OSX, I need to point to homebrew's version of openssl as you can see in the bottom of the info section.

$brew info openssl
openssl: stable 1.0.2l (bottled) [keg-only]
SSL/TLS cryptography library
https://openssl.org/
/usr/local/Cellar/openssl/1.0.2l (1,709 files, 12.2MB)
Poured from bottle on 2017-08-29 at 19:10:34
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/openssl.rb
==> Dependencies
Build: makedepend ✘
==> Options
--without-test
Skip build-time tests (not recommended)
==> Caveats
A CA file has been bootstrapped using certificates from the SystemRoots
keychain. To add additional certificates (e.g. the certificates added in
the System keychain), place .pem files in
/usr/local/etc/openssl/certs

and run
/usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local,
because Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries.

If you need to have this software first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile

For compilers to find this software you may need to set:
LDFLAGS: -L/usr/local/opt/openssl/lib
CPPFLAGS: -I/usr/local/opt/openssl/include

Could it be an issue with OSX's native installed libraries, and if so, how could I point the hashcat compiler at the homebrew installed libraries?

@jsteube

This comment has been minimized.

Show comment
Hide comment
@jsteube

jsteube Aug 31, 2017

Member

If you use the latest hashcat version then hashcat is doing a self-test on startup on which it cracks a known hash with a known password. If this fails, it gives you a warning message. If you do not see this, something else with your input data is wrong.

Member

jsteube commented Aug 31, 2017

If you use the latest hashcat version then hashcat is doing a self-test on startup on which it cracks a known hash with a known password. If this fails, it gives you a warning message. If you do not see this, something else with your input data is wrong.

@hubert3

This comment has been minimized.

Show comment
Hide comment
@hubert3

hubert3 Sep 5, 2017

See #1350

Possibly related - I found that my AMD Radeon device on a new MacBook Pro fails to crack hashes that it should

hubert3 commented Sep 5, 2017

See #1350

Possibly related - I found that my AMD Radeon device on a new MacBook Pro fails to crack hashes that it should

@jsteube

This comment has been minimized.

Show comment
Hide comment
@jsteube

jsteube Sep 5, 2017

Member

@kureeoffsec It turns out that there's a problem with AMD OpenCL runtime on OSX which leads to invalid results. However, to compare it with other cracking tools you need to use -D 1 and eventually -O, since hashcat does not use CPU by default.

Member

jsteube commented Sep 5, 2017

@kureeoffsec It turns out that there's a problem with AMD OpenCL runtime on OSX which leads to invalid results. However, to compare it with other cracking tools you need to use -D 1 and eventually -O, since hashcat does not use CPU by default.

@hubert3

This comment has been minimized.

Show comment
Hide comment
@hubert3

hubert3 Sep 5, 2017

@kureeoffsec would you be able to test the commands I posted in #1350 to confirm that your AMD GPU device on OSX is showing the same behaviour as mine? i.e. no warnings, but fails to find passwords that it should.

hubert3 commented Sep 5, 2017

@kureeoffsec would you be able to test the commands I posted in #1350 to confirm that your AMD GPU device on OSX is showing the same behaviour as mine? i.e. no warnings, but fails to find passwords that it should.

@jsteube

This comment has been minimized.

Show comment
Hide comment
@jsteube

jsteube Oct 14, 2017

Member

We're short to release of v4.0.0 please do a check with latest github version.

Member

jsteube commented Oct 14, 2017

We're short to release of v4.0.0 please do a check with latest github version.

@jsteube jsteube changed the title from OSX fails to crack NTLM hashes to OSX with AMD GPU fails to crack NTLM hashes Oct 15, 2017

@dylib

This comment has been minimized.

Show comment
Hide comment
@dylib

dylib Nov 22, 2017

@hubert3, @jsteube: I've tested hashcat 4.0 (built from source) on macOS 10.13 using the described method in issue #1350 and did not appear to encounter any problems:

$ hashcat -m 5600 example.hash example.wordlist -O                        
hashcat (v4.0.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz, skipped.
* Device #2: AMD Radeon HD - FirePro D700 Compute Engine, 1536/6144 MB allocatable, 32MCU
* Device #3: AMD Radeon HD - FirePro D700 Compute Engine, 1536/6144 MB allocatable, 32MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Password length minimum: 0
Password length maximum: 27

Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

Dictionary cache built:
* Filename..: example.wordlist
* Passwords.: 4
* Bytes.....: 40
* Keyspace..: 4
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.           

ADMIN::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030:hashcat
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: ADMIN::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966...783030
Time.Started.....: Wed Nov 22 11:43:41 2017 (0 secs)
Time.Estimated...: Wed Nov 22 11:43:41 2017 (0 secs)
Guess.Base.......: File (example.wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:        0 H/s (0.17ms)
Speed.Dev.#3.....:        0 H/s (0.00ms)
Speed.Dev.#*.....:        0 H/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 0/4 (0.00%)
Candidates.#2....: hashcat -> hellopass
Candidates.#3....: [Copying]

Started: Wed Nov 22 11:43:34 2017
Stopped: Wed Nov 22 11:43:43 2017

Second pass...

$ hashcat -m 5600 example.hash example.wordlist -O
hashcat (v4.0.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz, skipped.
* Device #2: AMD Radeon HD - FirePro D700 Compute Engine, 1536/6144 MB allocatable, 32MCU
* Device #3: AMD Radeon HD - FirePro D700 Compute Engine, 1536/6144 MB allocatable, 32MCU

INFO: All hashes found in potfile! Use --show to display them.

Started: Wed Nov 22 11:43:45 2017
Stopped: Wed Nov 22 11:43:46 2017

The configuration is entirely AMD, however, seemingly no issues here.

dylib commented Nov 22, 2017

@hubert3, @jsteube: I've tested hashcat 4.0 (built from source) on macOS 10.13 using the described method in issue #1350 and did not appear to encounter any problems:

$ hashcat -m 5600 example.hash example.wordlist -O                        
hashcat (v4.0.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz, skipped.
* Device #2: AMD Radeon HD - FirePro D700 Compute Engine, 1536/6144 MB allocatable, 32MCU
* Device #3: AMD Radeon HD - FirePro D700 Compute Engine, 1536/6144 MB allocatable, 32MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Password length minimum: 0
Password length maximum: 27

Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

Dictionary cache built:
* Filename..: example.wordlist
* Passwords.: 4
* Bytes.....: 40
* Keyspace..: 4
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.           

ADMIN::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030:hashcat
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: ADMIN::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966...783030
Time.Started.....: Wed Nov 22 11:43:41 2017 (0 secs)
Time.Estimated...: Wed Nov 22 11:43:41 2017 (0 secs)
Guess.Base.......: File (example.wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:        0 H/s (0.17ms)
Speed.Dev.#3.....:        0 H/s (0.00ms)
Speed.Dev.#*.....:        0 H/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 0/4 (0.00%)
Candidates.#2....: hashcat -> hellopass
Candidates.#3....: [Copying]

Started: Wed Nov 22 11:43:34 2017
Stopped: Wed Nov 22 11:43:43 2017

Second pass...

$ hashcat -m 5600 example.hash example.wordlist -O
hashcat (v4.0.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz, skipped.
* Device #2: AMD Radeon HD - FirePro D700 Compute Engine, 1536/6144 MB allocatable, 32MCU
* Device #3: AMD Radeon HD - FirePro D700 Compute Engine, 1536/6144 MB allocatable, 32MCU

INFO: All hashes found in potfile! Use --show to display them.

Started: Wed Nov 22 11:43:45 2017
Stopped: Wed Nov 22 11:43:46 2017

The configuration is entirely AMD, however, seemingly no issues here.

@jsteube

This comment has been minimized.

Show comment
Hide comment
@jsteube

jsteube Feb 1, 2018

Member

I've add some code to disable code caching, a shot in the dark. Can you please pull master, recompile and retry?

Member

jsteube commented Feb 1, 2018

I've add some code to disable code caching, a shot in the dark. Can you please pull master, recompile and retry?

@jsteube

This comment has been minimized.

Show comment
Hide comment
@jsteube

jsteube Feb 3, 2018

Member

System was tested by someone else with a R9 M370X. Error did not occur. Therefore I'll close the issue, feel free to reopen if still exists.

Member

jsteube commented Feb 3, 2018

System was tested by someone else with a R9 M370X. Error did not occur. Therefore I'll close the issue, feel free to reopen if still exists.

@jsteube jsteube closed this Feb 3, 2018

@kureeoffsec

This comment has been minimized.

Show comment
Hide comment
@kureeoffsec

kureeoffsec Feb 21, 2018

Code recompiled on 10.13.3 with the same hardware and up to date homebrew. Hashcat version is 4.1.0. Issue seems to be resolved.

I am unsure which configurations changed, but the update to the new version of OSX seems to have resolved the issue.

Awesome update in that version by the way!

kureeoffsec commented Feb 21, 2018

Code recompiled on 10.13.3 with the same hardware and up to date homebrew. Hashcat version is 4.1.0. Issue seems to be resolved.

I am unsure which configurations changed, but the update to the new version of OSX seems to have resolved the issue.

Awesome update in that version by the way!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment