When performing an on-site penetration test, there is usually a need to crack observed password hashes in a hurry. The quicker a hash is cracked and the password is recovered, the quicker privilege can be escalated and further information uncovered. However, with various wordlists, rules and masks available, it is always a bit of a guessing game to know which combination can give you results the quickest.

In order to rate all the combinations in terms of their efficiency we need to take a step back and do some research. To this end, I’ve written some scripts that will first analyse the performance of as many permutations as possible, giving each one a maximum of 15 minutes to run. These combinations are run against several different password hash collections to gauge their performance under time pressure. Using more than one collection avoids tuning a ruleset (for instance) to a single hash list for maximum efficiency on that list alone, as happens in many other articles that pursue a similar goal.

We also must discuss the term efficiency (or performance) in this context, as there could be a few different interpretations of this. The key hash cracking performance indicators are hash calculations per second (H/s) and the size of the key space that is being searched through for a particular list/rule/mask combination.
Efficiency can then be thought of as different things, for example:

  1. The % of the total hashes cracked by a given combination per time unit
  2. The average % of hashes cracked per keyspace unit that a combination produces
  3. The % of hashes cracked by this combination alone, i.e. those not found by any other combination
  4. Total % of hashes cracked upon combination completion.

When dealing with “slow” hashes, such as Sha512crypt, Scrypt, Blowfish and the like, the first two ways of measuring efficiency may be very useful in deciding the combinations to use. However, with fast hashes such as plain NTLM, the final two ways may be preferable.

In the next part of this series, I’ll focus on determining the types of metadata that contribute to helping us crack more hashes.
