Cracking JOOMLA salted hash with hashcat(cudaHashcat-plus)

Hashcat is a most fastest hash cracker. Hashcat really is a best hash cracking tools i ever seen. You can compare this tool with other tools and you will see what I mean. I rarely use any other tools instead hashcat to crack hash. Today I will show you that how we can crack joomla hash. My system is optimus technology. If your Computer also Optimus then you need to install bumblebee : www.bumblebee-project.org



Download:
science@BAD-LUCK:~/tools$ mkdir tools
science@BAD-LUCK:~/tools$ cd tools
science@BAD-LUCK:~/tools$wget -c http://hashcat.net/files/oclHashcat-plus-0.09.7z
science@BAD-LUCK:~/tools$ 7z x *
science@BAD-LUCK:~/tools$ cd oclHashcat-*
Note: I renamed my oclHashcat folder
science@BAD-LUCK:~/tools/hashcat-plus$ ls
cudaExample400.cmd cudaHashcat-plus32.exe example0.hash hashcat.pot oclExample400.sh oclHashcat-plus64.bin
charsets cudaExample400.sh cudaHashcat-plus64.bin example400.hash kernels oclExample500.cmd oclHashcat-plus64.exe
cudaExample500.cmd cudaHashcat-plus64.exe example500.hash oclExample0.cmd oclExample500.sh pass.txt
cudaExample0.cmd cudaExample500.sh docs example.dict oclExample0.sh oclHashcat-plus32.bin rules
cudaExample0.sh cudaHashcat-plus32.bin eula.accepted hashcat.hcstat oclExample400.cmd oclHashcat-plus32.exe vclHashcat-plus64.bin


In the 7z file hashcat for windows and Linux (32+64) both has been compressed. So plus(32/64).bin is for 64 bit or 32 bit. And the .exe file is for windows. So we need the cudaHashcat-plus64.bin.


Now see the all options:
science@BAD-LUCK:~/tools/hashcat-plus$ optirun ./cudaHashcat-plus64.bin --help
cudaHashcat-plus, advanced password recovery
Usage: cudaHashcat-plus [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...
=======
Options
=======
* General:
-m, --hash-type=NUM Hash-type, see references below
-a, --attack-mode=NUM Attack-mode, see references below
-V, --version Print version
-h, --help Print help
--eula Print EULA
--quiet Suppress output
* Misc:
--runtime=NUM Abort session after NUM seconds of runtime
--hex-salt Assume salt is given in hex
--hex-charset Assume charset is given in hex
--force Ignore warnings
* Markov:
--markov-hcstat Specify hcstat file to use, default is hashcat.hcstat
--markov-disable Disables markov-chains, emulates classic brute-force
--markov-classic Enables classic markov-chains, no per-position enhancement
-t, --markov-threshold=NUM Threshold when to stop accepting new markov-chains
* Files:
-o, --outfile=FILE Define outfile for recovered hash
--outfile-format=NUM Define outfile-format for recovered hash, see references below
-p, --seperator=CHAR Define seperator char for hashlists and outfile
--show Show cracked passwords only
--left Show un-cracked passwords only
--username Enable ignoring of usernames in hashfile
--remove Enable remove of hash once it is cracked
--disable-potfile Do not write potfile
* Resources:
-c, --segment-size=NUM Size in MB to cache from the wordfile
--cpu-affinity=STR Locks to CPU devices, seperate with comma
--gpu-async Use non-blocking async calls (NV only)
-d, --gpu-devices=STR Devices to use, separate with comma
-n, --gpu-accel=NUM Workload tuning: 1, 8, 40, 80, 160
--gpu-loops=NUM Workload fine-tuning: 8 - 1024
--gpu-temp-disable Disable temperature and fanspeed readings and triggers
--gpu-temp-abort=NUM Abort session if GPU temperature reaches NUM degrees celsius
--gpu-temp-retain=NUM Try to retain GPU temperature at NUM degrees celsius (AMD only)
* Rules:
-j, --rule-left=RULE Single rule applied to each word from left dict
-k, --rule-right=RULE Single rule applied to each word from right dict
-r, --rules-file=FILE Rules-file, multi use: -r 1.rule -r 2.rule
-g, --generate-rules=NUM Generate NUM random rules
--generate-rules-func-min=NUM Force NUM functions per random rule min
--generate-rules-func-max=NUM Force NUM functions per random rule max
* Custom charsets:
-1, --custom-charset1=CS User-defined charsets
-2, --custom-charset2=CS Example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef
-4, --custom-charset4=CS Sets charset ?1 to 0123456789abcdef
* Increment:
-i, --increment Enable increment mode
--increment-min=NUM Start incrementing at NUM
--increment-max=NUM Stop incrementing at NUM
==========
References
==========
* Outfile Formats:
1 = hash[:salt]
2 = plain
3 = hash[:salt]:plain
4 = hex_plain
5 = hash[:salt]:hex_plain
6 = plain:hex_plain
7 = hash[:salt]:plain:hex_plain
* Built-in charsets:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?a = ?l?u?d?s
?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from german alphabet
?F = 8 bit characters from french alphabet
?R = 8 bit characters from russian alphabet
* Attack modes:
0 = Straight
1 = Combination
3 = Brute-force
6 = Hybrid dict + mask
7 = Hybrid mask + dict
* Generic hash types:
0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
130 = sha1(unicode($pass).$salt)
140 = sha1($salt.unicode($pass))
300 = MySQL
400 = phpass, MD5(Wordpress), MD5(phpBB3)
500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials, mscash
1400 = SHA256
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1500 = descrypt, DES(Unix), Traditional DES
1600 = md5apr1, MD5(APR), Apache MD5
1700 = SHA512
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1800 = sha512crypt, SHA512(Unix)
2100 = Domain Cached Credentials2, mscash2
2400 = Cisco-PIX MD5
2500 = WPA/WPA2
2600 = Double MD5
3000 = LM
3100 = Oracle 7-10g, DES(Oracle)
3200 = bcrypt, Blowfish(OpenBSD)
* Specific hash types:
11 = Joomla
21 = osCommerce, xt:Commerce
101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
112 = Oracle 11g
121 = SMF > v1.1
122 = OSX v10.4, v10.5, v10.6
131 = MSSQL(2000)
132 = MSSQL(2005)
141 = EPiServer 6.x
1722 = OSX v10.7
2611 = vBulletin < v3.8.5
2711 = vBulletin > v3.8.5
2811 = IPB2+, MyBB1.2+
science@BAD-LUCK:~/tools/hashcat-plus$

 
Ah lots of options can be used!


We need few options:
-a //Attack mode
-m // hash type (11)
--increment // Need for try all length
--increment-min // Length start from minimum
--increment-max // Length Maximum.
-o // output for the cracked hash
path/target/hash/file //Tell where the hash file is located
-1 //mask 


So we need it like:
-a 3
-m 11
--increment
--increment-min=4
--increment-max=10
-o cracked.txt
crack/hash.txt
-1 ?l?u ?1?1?1?1?1?1?1?1?1?

Here, ?l=a-z, ?u=A-Z which should be declared in -1 option and in last ?1?1?1?1?1?1?1?1?1?1 mean how many length should be tested, In our case it 10th .


So All in one :
science@BAD-LUCK:~/tools/hashcat-plus$ optirun ./cudaHashcat-plus64.bin -a 3 -m 11 --increment --increment-min=4 –increment-max=10 -o crack/cracked.txt crack/hash.txt -1 ?l?d ?1?1?1?1?1?1?1?1?1?1
cudaHashcat-plus v0.09 by atom starting...
Hashes: 166 total, 166 unique salts, 166 unique digests
Bitmaps: 11 bits, 2048 entries, 0x000007ff mask, 8192 bytes
Workload: 256 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GT 525M, 1023MB, 1200Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0010_a3.sm_21.ptx
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
hashcat now trying to crack the hashes. If you type s the you will be able to see the progress of hashcat . For example:
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 58 secs
Time.Left....: 3 secs
Time.Util....: 58232.2ms/203.6ms Real/CPU, 0.4% idle
Speed........: 159.6M c/s Real, 160.3M c/s GPU
Recovered....: 2/166 Digests, 2/166 Salts
Progress.....: 9404743680/10037385216 (93.70%)
Rejected.....: 109117440/9404743680 (1.16%)
HWMon.GPU.#1.: -1% Util, 69c Temp, -1% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 6 mins, 3 secs
Time.Left....: 26 mins, 53 secs
Time.Util....: 363169.9ms/188.2ms Real/CPU, 0.1% idle
Speed........: 168.7M c/s Real, 168.8M c/s GPU
Recovered....: 14/166 Digests, 14/166 Salts
Progress.....: 64146636800/361345867776 (17.75%)
Rejected.....: 2866544640/64146636800 (4.47%)
HWMon.GPU.#1.: -1% Util, 74c Temp, -1% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 1 min, 21 secs
Time.Left....: 19 hours, 12 mins
Time.Util....: 81672.0ms/194.0ms Real/CPU, 0.2% idle
Speed........: 168.6M c/s Real, 169.1M c/s GPU
Recovered....: 17/166 Digests, 17/166 Salts
Progress.....: 17595105280/13008451239936 (0.14%)
Rejected.....: 3822059520/17595105280 (21.72%)
HWMon.GPU.#1.: -1% Util, 73c Temp, -1% Fan

Status says it cracked 17 hashes already. So :
science@BAD-LUCK:~/tools/hashcat-plus$ cat crack/cracked.txt
44e9fec8983b8d5b2519bc6cf43cfd5d:0rxvGVjsiQocyS3yDvce9Cwb1vZN9RHl:test
28643071c72373b01eb941ae4f3bb0a5:lq0jeJAZ1axYQOsK5Gu0XfEURqRicoDC:123456


Enjoy cracking!!!

Posted on sysexploits too