Note: all versions of oclHashcat have been replaced by a unified OpenCL CPU/GPU version, now known simply as hashcat.
oclHashcat-plus is a GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.
Last version was 0.15 before it was replaced by oclHashcat.
The main problem with the first GPGPU hashcat version oclHashcat was to do with it's architecture. It was designed for doing Combinator attack. That worked well with fast algorithms but in combination with slow (modern, highly iterated and salted) algorithms,that was an inefficient strategy.
As a consequence, people still used the CPU-based hashcat for serious hash-cracking. This is because it is possible to work with simple dictionary-based attacks. To be able to do dictionary-based attacks on a GPU, it was neccessary to deal with the architecture problem of oclHashcat first. The only solution was a complete new approach. This second oclHashcat version, which is designed for dictionary-based attacks, is called “oclHashcat-plus”.
Notes about simple dictionary attack on GPU:
An additional major feature of oclHashcat-plus is the GPU-based rule engine. With this it is possible to do Rule-based attack.
As a result, oclHashcat-plus is a lot more like the original CPU-based hashcat.
The first official release was v0.02, released on 30.01.2011.
Another important release was v0.06, released on 16.09.2011: It was the first version that supported the WPA/WPA2 algorithm.
With release of v0.07, oclHashcat-plus replaced regular oclHashcat when it ported Brute-Force Attack, Mask Attack, Combination Attack and Hybrid Attack.
oclHashcat-plus, advanced password recovery Usage: oclHashcat-plus [options]... hash|hashfile|hccapfile [dictionary|mask|directory]... ======= Options ======= * General: -m, --hash-type=NUM Hash-type, see references below -a, --attack-mode=NUM Attack-mode, see references below -V, --version Print version -h, --help Print help --eula Print EULA --quiet Suppress output * Misc: --hex-salt Assume salt is given in hex --hex-charset Assume charset is given in hex --force Ignore warnings --status Enable automatic update of the status-screen --status-timer=NUM Seconds between status-screen update * Markov: --markov-hcstat Specify hcstat file to use, default is hashcat.hcstat --markov-disable Disables markov-chains, emulates classic brute-force --markov-classic Enables classic markov-chains, no per-position enhancement -t, --markov-threshold=NUM Threshold when to stop accepting new markov-chains * Session: --runtime=NUM Abort session after NUM seconds of runtime --session=STR Define specific session name --restore Restore session from --session --restore-timer=NUM Save restore file each NUM seconds * Files: -o, --outfile=FILE Define outfile for recovered hash --outfile-format=NUM Define outfile-format for recovered hash, see references below -p, --seperator=CHAR Define seperator char for hashlists and outfile --show Show cracked passwords only --left Show un-cracked passwords only --username Enable ignoring of usernames in hashfile --remove Enable remove of hash once it is cracked --disable-potfile Do not write potfile * Resources: -c, --segment-size=NUM Size in MB to cache from the wordfile --cpu-affinity=STR Locks to CPU devices, seperate with comma --gpu-async Use non-blocking async calls (NV only) -d, --gpu-devices=STR Devices to use, separate with comma -n, --gpu-accel=NUM Workload tuning: 1, 8, 40, 80, 160 -u, --gpu-loops=NUM Workload fine-tuning: 8 - 1024 --gpu-temp-disable Disable temperature and fanspeed readings and triggers --gpu-temp-abort=NUM Abort session if GPU temperature reaches NUM degrees celsius --gpu-temp-retain=NUM Try to retain GPU temperature at NUM degrees celsius (AMD only) * Rules: -j, --rule-left=RULE Single rule applied to each word from left dict -k, --rule-right=RULE Single rule applied to each word from right dict -r, --rules-file=FILE Rules-file, multi use: -r 1.rule -r 2.rule -g, --generate-rules=NUM Generate NUM random rules --generate-rules-func-min=NUM Force NUM functions per random rule min --generate-rules-func-max=NUM Force NUM functions per random rule max * Custom charsets: -1, --custom-charset1=CS User-defined charsets -2, --custom-charset2=CS Example: -3, --custom-charset3=CS --custom-charset1=?dabcdef -4, --custom-charset4=CS Sets charset ?1 to 0123456789abcdef * Increment: -i, --increment Enable increment mode --increment-min=NUM Start incrementing at NUM --increment-max=NUM Stop incrementing at NUM ========== References ========== * Outfile Formats: 1 = hash[:salt] 2 = plain 3 = hash[:salt]:plain 4 = hex_plain 5 = hash[:salt]:hex_plain 6 = plain:hex_plain 7 = hash[:salt]:plain:hex_plain * Built-in charsets: ?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?a = ?l?u?d?s ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ?h = 8 bit characters from 0xc0 - 0xff ?D = 8 bit characters from german alphabet ?F = 8 bit characters from french alphabet ?R = 8 bit characters from russian alphabet * Attack modes: 0 = Straight 1 = Combination 3 = Brute-force 6 = Hybrid dict + mask 7 = Hybrid mask + dict * Generic hash types: 0 = MD5 10 = md5($pass.$salt) 20 = md5($salt.$pass) 30 = md5(unicode($pass).$salt) 40 = md5($salt.unicode($pass)) 100 = SHA1 110 = sha1($pass.$salt) 120 = sha1($salt.$pass) 130 = sha1(unicode($pass).$salt) 140 = sha1($salt.unicode($pass)) 300 = MySQL 400 = phpass, MD5(Wordpress), MD5(phpBB3) 500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 900 = MD4 1000 = NTLM 1100 = Domain Cached Credentials, mscash 1400 = SHA256 1410 = sha256($pass.$salt) 1420 = sha256($salt.$pass) 1500 = descrypt, DES(Unix), Traditional DES 1600 = md5apr1, MD5(APR), Apache MD5 1700 = SHA512 1710 = sha512($pass.$salt) 1720 = sha512($salt.$pass) 1800 = sha512crypt, SHA512(Unix) 2100 = Domain Cached Credentials2, mscash2 2400 = Cisco-PIX MD5 2500 = WPA/WPA2 2600 = Double MD5 3000 = LM 3100 = Oracle 7-10g, DES(Oracle) 3200 = bcrypt, Blowfish(OpenBSD) 5000 = SHA-3(Keccak) 5100 = Half MD5 5200 = Password Safe SHA-256 5300 = IKE-PSK MD5 5400 = IKE-PSK SHA1 5500 = NetNTLMv1-VANILLA / NetNTLMv1+ESS 5600 = NetNTLMv2 5700 = Cisco-IOS SHA256 * Specific hash types: 11 = Joomla 21 = osCommerce, xt:Commerce 101 = nsldap, SHA-1(Base64), Netscape LDAP SHA 111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA 112 = Oracle 11g 121 = SMF > v1.1 122 = OSX v10.4, v10.5, v10.6 131 = MSSQL(2000) 132 = MSSQL(2005) 141 = EPiServer 6.x 1722 = OSX v10.7 2611 = vBulletin < v3.8.5 2711 = vBulletin > v3.8.5 2811 = IPB2+, MyBB1.2+
– section needs update –
Attribute | Value | Note |
---|---|---|
--version | false | |
--help | false | |
--eula | false | |
--quiet | false | |
--show | false | |
--left | false | |
--username | false | |
--remove | false | |
--force | false | |
--outfile | NULL | |
--outfile-format | 3 | |
--runtime | 0 | |
--hex-salt | false | |
--hex-charset | false | |
--segment-size | 1 | |
--gpu-async | false | |
--gpu-devices | NULL | |
--gpu-accel | 0 | * |
--gpu-loops | 0 | * |
--gpu-watchdog | 90 | |
--rules-file | NULL | |
--generate-rules | 0 | |
--generate-rules-func-min | 1 | |
--generate-rules-func-max | 4 | |
--hash-type | 0 | |
--increment | 0 | |
--increment-min | 1 | |
--increment-max | 15 |
* Indicates that the value is dependent on the algorithm and GPU platform vendor (see below)
– section needs update –
Hash-Type | --gpu-accel (NVidia) | --gpu-loops (NVidia) | --gpu-accel (AMD) | --gpu-loops (AMD) |
---|---|---|---|---|
MD5 | 8 | 128 | 40 | 128 |
Joomla | 8 | 128 | 40 | 128 |
osCommerce, xt:Commerce | 8 | 128 | 40 | 128 |
SHA1 | 8 | 64 | 40 | 64 |
nsldap, SHA-1(Base64), Netscape LDAP SHA | 8 | 64 | 40 | 64 |
nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | 8 | 64 | 40 | 64 |
Oracle 11g | 8 | 64 | 40 | 64 |
SMF > v1.1 | 8 | 64 | 40 | 64 |
OSX v10.4, v10.5, v10.6 | 8 | 64 | 40 | 64 |
MSSQL(2000) | 8 | 64 | 40 | 64 |
MSSQL(2005) | 8 | 64 | 40 | 64 |
MySQL > v4.1 | 8 | 32 | 40 | 32 |
phpass, MD5(Wordpress), MD5(phpBB3) | 1 | 64 | 16 | 64 |
md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 | 1 | 64 | 16 | 64 |
MD4 | 8 | 128 | 40 | 128 |
NTLM | 8 | 128 | 40 | 128 |
Domain Cached Credentials, mscash | 8 | 64 | 40 | 64 |
SHA256 | 8 | 32 | 40 | 32 |
descrypt, DES(Unix), Traditional DES | 1 | 8 | 8 | 8 |
md5apr1, MD5(APR), Apache MD5 | 1 | 64 | 16 | 64 |
SHA512 | 8 | 32 | 40 | 32 |
OSX v10.7 | 8 | 32 | 40 | 32 |
Domain Cached Credentials2, mscash2 | 1 | 64 | 16 | 64 |
Cisco-PIX MD5 | 8 | 128 | 40 | 128 |
WPA/WPA2 | 1 | 64 | 16 | 128 |
Double MD5 | 8 | 64 | 40 | 64 |
vBulletin < v3.8.5 | 8 | 64 | 40 | 64 |
vBulletin > v3.8.5 | 8 | 32 | 40 | 32 |
IPB2+, MyBB1.2+ | 8 | 32 | 40 | 32 |
LM | 1 | 8 | 8 | 8 |
Oracle 7-10g, DES(Oracle) | 1 | 8 | 8 | 8 |
The reason behind the special loading of the dictionary is that some kernels require all plaintexts to be of the same length to process them efficiently.
Brute-force crackers usually do not have this problem because the length of the generated plaintext is always the same. But it's not so in wordlists. Usually the words in wordlists are not sorted by their length. So the idea was oclHashcat-plus would cache each of the loaded words once, and store them into specific buffers. Each word-length has one unique buffer. If a word has the length 8; it sorts it into buffer number 8. Then, if buffer 8's threshold is reached, it processes them and clears it afterwards. This is why it is so hard for oclHashcat-plus to have a restore / resume position.
Hint: You can optimize your wordlists for oclhashcat-plus usage. You just need to sort them by their length. It is recommended that you generate seperate wordlists sorted by their length. The hashcat-utils ship with a tool called: “splitlen”, which was written for this task. (Note: sorting wordlists by length order is no longer necessary in modern versions of hashcat.)
The following Informations are outdated. With version 0.12 oclHashcat-plus got real resume support added.
While it is not officially supported, one of our users, undeath , had a neat idea:
To gain the possibility of resuming wordlists with oclHashcat-plus, you can pipe the words into stdin using hashcat. It is then recommended that you sort your wordlists by length as described above prior to this.
hashcat --stdout wordlists/list.dict | oclhashcat-plus ...
On aborting using CTRL+C, you will see the well known message: “To restore Session use Parameter -s xxx” so you can restore the cracking process later as with the cpu version. Also, you are able to use all word altering functions provided by hashcat (like Table Lookup attack or Permutation attack).
If you are interested in writing .hccap files, it's structure is explained here: HCCAP format description
Please refer to the homepage to get the latest benchmarks.
Real c/s is derived from dividing all tested passwords from zero to present from the moment oclHashcat-plus started. This is often a lower figure as it takes into account copying wordlists into GPU memory and also the PCI-Express overhead.
GPU c/s is derived from dividing the time for the last 32 kernel launches by the number of finished passwords from the previous 32 kernel launches. This figure is usually higher than Real c/s as there is no time lost copying the wordlist or PCI-Express overhead.
In general GPU c/s is a more accurate representation of oclHashcat-plus's performance as wordlist loading is dependant on the I/O performance of the users computer.