Left To My Own Devices - NT hash tools


ntcrack

Left To My Own Devices - NT cracker

A full writeup of how it works is available at the SensePost blog.

Invocation

./ntcrack <input hashlist> <wordlist>

e.g.

./ntcrack crackme.hashes rockyou.txt

It expects the hashlist to contain NT hashes, one per line, with nothing else, so strip out any hashcat or john mode information.
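One way to check a hashlist against that requirement before a run, as an added example that is not part of ntcrack or its README. It assumes a bare NT hash is exactly 32 hex characters; the function names and the sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of ntcrack. Assumes a bare NT hash is exactly
# 32 hex characters (a 16-byte MD4 digest). Function names are hypothetical.

# filter_nt_hashes FILE
#   stdout: lines that are bare NT hashes, with any CR from CRLF files removed
#   stderr: "rejected line N: <content>" for every other non-blank line
filter_nt_hashes() {
    tr -d '\r' < "$1" | awk '
        /^[ \t]*$/ { next }                              # skip blank lines
        length($0) == 32 && /^[0-9A-Fa-f]+$/ { print; next }
        { printf "rejected line %d: %s\n", NR, $0 > "/dev/stderr" }
    '
}

# count_rejected FILE: how many lines filter_nt_hashes would reject
count_rejected() {
    filter_nt_hashes "$1" 2>&1 >/dev/null | wc -l | tr -d ' '
}

# Constructed sample input (no real hashes): a bare hash, a CRLF-terminated
# hash, a john-style "$NT$" line, a "user:hash" line and a truncated value.
sample=$(mktemp)
{
    printf '0123456789abcdef0123456789abcdef\n'
    printf 'FEDCBA9876543210FEDCBA9876543210\r\n'
    printf '%s\n' '$NT$0123456789abcdef0123456789abcdef'
    printf 'alice:0123456789abcdef0123456789abcdef\n'
    printf '0123456789abcdef\n'
} > "$sample"

# Rejected lines are reported on stderr; the cleaned list goes to a new file.
filter_nt_hashes "$sample" > "$sample.clean"
echo "kept $(wc -l < "$sample.clean" | tr -d ' '), rejected $(count_rejected "$sample")"
rm -f "$sample" "$sample.clean"
```

The rejected lines show what still has to be stripped by hand; the filter does not guess which field of a longer line is the hash.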

Compilation

cargo build --release

You'll find the binary at target/release/ntcrack.

If you don't have Rust and cargo, the easiest way to get them is with rustup.

Prerequisites

Apart from needing hashes and a wordlist, not much.

Tuning

The code makes reasonable choices for tuning, but you could improve it for your system with some testing.

There are three primary performance stats you can use to tune efficiency:

  • Crack speed (aka number of kilo hashes generated per second)
  • Read speed (aka the number of megabytes read from the wordlist per second)
  • Wait speed (aka the number of times a thread sat waiting for a chunk)

If the read speed is low, check the cache and block size. If the waits are high, and you've checked the cache and block size, then experiment with changing the chunk size. Crack speed should be the result of doing those successfully.

Block Size for Disk Reads

Right now it reads files with a block size of 8M. You can test which is best for your system with something like the following and see which is fastest:

for x in 1M 1M 2M 4M 8M 12M; do time dd if=somefile of=/dev/null bs=$x; done

I run 1M twice in the above to get the file cached by the kernel for consistent results.

Cache Size

Assuming 16G of RAM, on a Mac you get about 10G of file cache, and on Linux it looks like it can grow to fill available RAM. In both cases this drops if you have memory-intensive stuff loaded (Microsoft Teams is my go-to test).

I've set it to 2G, which should be reasonable for most systems. But if you have significantly more or less RAM, change it.

Chunk Size

The chunk size controls the size of the chunks of the wordlist that the main program sends to the threads. I've done pretty extensive testing on a small number of systems and I think this is a good value.

If you want to do some tests, uncomment the code to switch it to an argument and do some of your own testing.

I'd recommend changing this last, and checking block and cache size first.

Speed Benchmarks

Hyperfine runs comparing ntcrack to hashcat. Run on my M1 Pro MBP. Prepare drops the wordlist from file cache, but puts the binary and hashlist in file cache. Run after hashcat has done its custom wordlist caching.

Keeping these here so I have some version control.

[+] First hash in rockyou wordlist
Benchmark 1: target/release/ntcrack first  wordlists/rockyou.txt
  Time (mean ± σ):      51.2 ms ±   0.7 ms    [User: 225.8 ms, System: 20.7 ms]
  Range (min … max):    50.1 ms …  52.4 ms    10 runs
 
Benchmark 1: hashcat -m1000 --potfile-disable -O --self-test-disable --backend-ignore-opencl --hwmon-disable --quiet first wordlists/rockyou.txt
  Time (mean ± σ):      1.302 s ±  0.017 s    [User: 0.095 s, System: 0.200 s]
  Range (min … max):    1.279 s …  1.338 s    10 runs
 
[+] Last hash in rockyou wordlist
Benchmark 1: target/release/ntcrack last  wordlists/rockyou.txt
  Time (mean ± σ):     193.2 ms ±   1.1 ms    [User: 1575.8 ms, System: 41.2 ms]
  Range (min … max):   191.7 ms … 195.7 ms    10 runs
 
Benchmark 1: hashcat -m1000 --potfile-disable -O --self-test-disable --backend-ignore-opencl --hwmon-disable --quiet last wordlists/rockyou.txt
  Time (mean ± σ):      1.301 s ±  0.007 s    [User: 0.506 s, System: 0.219 s]
  Range (min … max):    1.285 s …  1.310 s    10 runs
 
[+] 143 hash list against rockyou wordlist
Benchmark 1: target/release/ntcrack test.hashes  wordlists/rockyou.txt
  Time (mean ± σ):     229.8 ms ±   1.7 ms    [User: 1922.2 ms, System: 43.0 ms]
  Range (min … max):   227.7 ms … 233.0 ms    10 runs
 
Benchmark 1: hashcat -m1000 --potfile-disable -O --self-test-disable --backend-ignore-opencl --hwmon-disable --quiet test.hashes wordlists/rockyou.txt
  Time (mean ± σ):      1.295 s ±  0.007 s    [User: 0.507 s, System: 0.218 s]
  Range (min … max):    1.287 s …  1.304 s    10 runs
 
[+] All rockyou hashes against rockyou wordlist
Benchmark 1: target/release/ntcrack nthasher/rockyou.txt.utf8.hashes  wordlists/rockyou.txt
  Time (mean ± σ):      4.911 s ±  0.007 s    [User: 14.084 s, System: 0.538 s]
  Range (min … max):    4.903 s …  4.922 s    5 runs
 
Benchmark 1: hashcat -m1000 --potfile-disable -O --self-test-disable --backend-ignore-opencl --hwmon-disable --quiet nthasher/rockyou.txt.utf8.hashes wordlists/rockyou.txt
  Time (mean ± σ):     560.816 s ±  7.839 s    [User: 245.798 s, System: 338.184 s]
  Range (min … max):   555.273 s … 566.359 s    2 runs
 
[+] 143 hash list against insidepro 1G wordlist
Benchmark 1: target/release/ntcrack test.hashes  wordlists/insidepro.dic
  Time (mean ± σ):      1.655 s ±  0.006 s    [User: 14.214 s, System: 0.310 s]
  Range (min … max):    1.647 s …  1.664 s    5 runs
 
Benchmark 1: hashcat -m1000 --potfile-disable -O --self-test-disable --backend-ignore-opencl --hwmon-disable --quiet test.hashes wordlists/insidepro.dic
  Time (mean ± σ):      5.339 s ±  0.002 s    [User: 3.228 s, System: 0.348 s]
  Range (min … max):    5.336 s …  5.341 s    5 runs
 
[+] 143 hash list against 5G wordlist
Benchmark 1: target/release/ntcrack test.hashes  small
  Time (mean ± σ):      5.820 s ±  0.003 s    [User: 52.020 s, System: 1.623 s]
  Range (min … max):    5.816 s …  5.822 s    3 runs
 
Benchmark 1: hashcat -m1000 --potfile-disable -O --self-test-disable --backend-ignore-opencl --hwmon-disable --quiet test.hashes small
  Time (mean ± σ):     14.427 s ±  0.005 s    [User: 10.101 s, System: 0.908 s]
  Range (min … max):   14.423 s … 14.433 s    3 runs
 
[+] 143 hash list against 11G wordlist
Benchmark 1: target/release/ntcrack test.hashes  med
  Time (mean ± σ):     11.973 s ±  0.052 s    [User: 108.656 s, System: 3.784 s]
  Range (min … max):   11.915 s … 12.015 s    3 runs
 
Benchmark 1: hashcat -m1000 --potfile-disable -O --self-test-disable --backend-ignore-opencl --hwmon-disable --quiet test.hashes med
  Time (mean ± σ):     29.785 s ±  0.590 s    [User: 21.074 s, System: 1.741 s]
  Range (min … max):   29.432 s … 30.466 s    3 runs
 
[+] 143 hash list against 110G wordlist
Benchmark 1: target/release/ntcrack test.hashes  big
  Time (mean ± σ):     139.968 s ±  0.081 s    [User: 961.547 s, System: 117.786 s]
  Range (min … max):   139.881 s … 140.041 s    3 runs
 
Benchmark 1: hashcat -m1000 --potfile-disable -O --self-test-disable --backend-ignore-opencl --hwmon-disable --quiet test.hashes big
  Time (mean ± σ):     255.648 s ±  0.855 s    [User: 183.174 s, System: 16.709 s]
  Range (min … max):   254.690 s … 256.334 s    3 runs
Comments
  • feature: change output format to hash:plain

    Most cracking utilities use hash:plain format.

    Among other benefits, since many hashes are a fixed length, this significantly improves readability. It also makes it easier to parse plains with spaces, colons, etc. as part of a commandline workflow.

    opened by roycewilliams 1
  • error[E0425]: cannot find value `ret` in this scope

    Hello,

    I have an issue when I try to install ntcrack. I followed the readme, downloaded and installed rustup on my win11, and when I want to build I get an error[E0425].


    cargo build --release
    Updating crates.io index
    Downloaded hash_hasher v2.0.3
    Downloaded ripline v0.1.0
    Downloaded page_size v0.4.2
    Downloaded memmap2 v0.5.5
    Downloaded crossbeam-channel v0.5.6
    Downloaded crossbeam-utils v0.8.11
    Downloaded libc v0.2.127
    Downloaded once_cell v1.13.0
    Downloaded cfg-if v1.0.0
    Downloaded num_cpus v1.13.1
    Downloaded hex v0.4.3
    Downloaded bytecount v0.6.3
    Downloaded memchr v2.5.0
    Downloaded bstr v0.2.17
    Downloaded winapi v0.3.9
    Downloaded 15 crates (2.5 MB) in 1.90s (largest was winapi at 1.2 MB)
    Compiling memchr v2.5.0
    Compiling crossbeam-utils v0.8.11
    Compiling winapi v0.3.9
    Compiling libc v0.2.127
    Compiling cfg-if v1.0.0
    Compiling once_cell v1.13.0
    Compiling bytecount v0.6.3
    Compiling hex v0.4.3
    Compiling num_cpus v1.13.1
    Compiling memmap2 v0.5.5
    Compiling hash_hasher v2.0.3
    Compiling crossbeam-channel v0.5.6
    Compiling bstr v0.2.17
    Compiling ripline v0.1.0
    Compiling page_size v0.4.2
    Compiling ntcrack v0.1.0 (C:\Users\admin.rt\App\ntcrack-main)
    error[E0425]: cannot find value `ret` in this scope
      --> src\main.rs:62:13
       |
    62 |     assert!(ret == 0, "mincore failed with error {}", ret);
       |             ^^^ not found in this scope

    error[E0425]: cannot find value `ret` in this scope
      --> src\main.rs:62:55
       |
    62 |     assert!(ret == 0, "mincore failed with error {}", ret);
       |                                                       ^^^ not found in this scope

    For more information about this error, try rustc --explain E0425.
    error: could not compile ntcrack due to 2 previous errors


    rustc --explain E0425

    An unresolved name was used.

    Erroneous code examples:

    something_that_doesnt_exist::foo;
    // error: unresolved name something_that_doesnt_exist::foo

    // or:

    trait Foo {
        fn bar() {
            Self; // error: unresolved name Self
        }
    }

    // or:

    let x = unknown_variable; // error: unresolved name unknown_variable

    Please verify that the name wasn't misspelled and ensure that the identifier being referred to is valid for the given situation. Example:

    enum something_that_does_exist {
        Foo,
    }

    opened by ttev 4
Owner
SensePost
Orange Cyberdefense's Ethical Hacking Team