flat assembler
Message board for the users of flat assembler.

Thread: MD5 Password Recovery Tool (Projects and Ideas)
Turok 17 Jun 2006, 21:53
I'm not sure what the actual difference in speed between the programs is, because your program tests a-z first and my program tests 0-9 first, so a different password should be used to test each of the two programs. Let's say you test my tool with the hash of the string "000000" and your tool with the hash of the string "aaaaaa". I think that should give both tools a test of the same difficulty.

Turok 20 Jun 2006, 02:17
Feryno, thanks for the advice and the sample of using MMX :D Now the tool uses normal, MMX and SSE registers, so it calculates 7 hashes in one pass. However, the benefit is "only" 50% (I was expecting more :S). It's probably due to more memory reads and slower execution of MMX and SSE instructions. Or it might be some error I made in the code :D Anyhow, it's still quite a substantial gain and I hope we will be able to improve it further :)

Attachment: md5prt.zip (12.83 KB, downloaded 977 times)

Feryno 20 Jun 2006, 05:47
to Turok:
Wow, that's real creative scientific thinking! I had always thought that using xmm and 4 hashes in 1 cycle was the limit, but now I see one more clever brain thought of 7 hashes in 1 cycle!!! (Older people are losing their child's sense of combinations and of doing things simply...)

The problem is that there are no rotation instructions for mm/xmm registers (ROL and ROR exist only for 32-bit general purpose registers), so you must use:
Code:
movdqa xmm1, xmm0        ; save first xmm to second xmm
pslld  xmm0, n           ; like shl with a 32-bit GPR (n = rotate amount, an assemble-time constant)
psrld  xmm1, 32-n        ; like shr with a 32-bit GPR
por    xmm0, xmm1        ; combine: xmm0 now holds every lane rotated left by n

If you compare MD5 speeds between 32-bit general purpose registers and 64-bit mm registers, the speedup is only about 10% (2 hashes instead of 1, but some extra instructions). But the speedup between 64-bit mm and 128-bit xmm should be about 50%, because 4 hashes instead of 2 and no extra instructions.
Don't forget to align data for xmm on 16 bytes to be able to use movdqa instead of the slower movdqu.
I'm sure you can rearrange the instruction order according to the optimization rules, see the AMD or Intel CPU optimization manuals (I didn't follow the rules very exactly and I stopped development after decrypting some doc files which I stole - lamer admin in my previous job - even though I had an idea how to make 4 hashes of RC4 in 1 cycle using AMD64 in long mode).
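As an added illustration of the lane-wise scheme Feryno and Turok describe (several hashes per pass, with the rotate emulated as shift-left, shift-right, OR), here is a pure-Python MD5 that keeps one 32-bit lane per message and runs the same 64 steps over all lanes at once, checked against hashlib. This is example code written for this page, not Turok's or Feryno's tool; it handles only single-block (at most 55-byte) inputs, and the sample inputs are constructed.

```python
import hashlib
import math
import struct

# Per-step rotation amounts and the sine-derived constants from RFC 1321.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
MASK = 0xFFFFFFFF


def rotl_lanes(lanes, n):
    """Rotate every 32-bit lane left by n using only what SSE2 offers:
    shift left (pslld), shift right (psrld) and OR (por). There is no packed ROL."""
    left = [(x << n) & MASK for x in lanes]
    right = [x >> (32 - n) for x in lanes]
    return [lo | hi for lo, hi in zip(left, right)]


def pad_block(msg):
    """Pad a message of at most 55 bytes into one 64-byte MD5 block and return it
    as 16 little-endian 32-bit words (the only case this example handles)."""
    if len(msg) > 55:
        raise ValueError("single-block example: message must be <= 55 bytes")
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack("<Q", 8 * len(msg))
    return list(struct.unpack("<16I", block))


def md5_lanes(messages):
    """Hash several short messages in lock-step. Each list below is one 'register'
    holding one 32-bit lane per message, the way an xmm register holds four lanes."""
    n = len(messages)
    blocks = [pad_block(m) for m in messages]
    A = [0x67452301] * n
    B = [0xEFCDAB89] * n
    C = [0x98BADCFE] * n
    D = [0x10325476] * n
    for i in range(64):
        if i < 16:
            F = [((b & c) | (~b & d)) & MASK for b, c, d in zip(B, C, D)]
            g = i
        elif i < 32:
            F = [((d & b) | (~d & c)) & MASK for b, c, d in zip(B, C, D)]
            g = (5 * i + 1) % 16
        elif i < 48:
            F = [(b ^ c ^ d) & MASK for b, c, d in zip(B, C, D)]
            g = (3 * i + 5) % 16
        else:
            F = [(c ^ (b | ~d)) & MASK for b, c, d in zip(B, C, D)]
            g = (7 * i) % 16
        # The same instruction stream is applied to every lane; only the data differs.
        F = [(f + a + K[i] + blk[g]) & MASK for f, a, blk in zip(F, A, blocks)]
        A, D, C = D, C, B
        B = [(b + r) & MASK for b, r in zip(B, rotl_lanes(F, S[i]))]
    digests = []
    for lane in range(n):
        words = [(0x67452301 + A[lane]) & MASK, (0xEFCDAB89 + B[lane]) & MASK,
                 (0x98BADCFE + C[lane]) & MASK, (0x10325476 + D[lane]) & MASK]
        digests.append(struct.pack("<4I", *words).hex())
    return digests


def matches_hashlib(messages):
    """Cross-check the lane implementation against the standard library."""
    return md5_lanes(messages) == [hashlib.md5(m).hexdigest() for m in messages]


if __name__ == "__main__":
    sample = [b"fasm", b"hans", b"zzzz", b"ZZZZ"]  # constructed inputs
    for m, h in zip(sample, md5_lanes(sample)):
        print(m.decode(), h)
    print("agrees with hashlib:", matches_hashlib(sample))
```

Every operation in the step loop is a per-lane shift, add or logical op, which is exactly why the 64 steps map onto packed SSE2 instructions; the only awkward one is the rotate, which costs the three instructions in `rotl_lanes` instead of a single ROL.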

UCM 30 Jun 2006, 20:32
Another version, based on Turok's latest code:
Changes:
    Compacted existing text boxes (moved them in front of their labels), to make room
    Added logging capabilities
    Created icons for the program*
    Added an XP manifest*

I have split the resource into a separate file, which now has 4 versions for combinations of icons and manifest on/off.
Files in enhanced.zip:
    MD5password.ico - icons
    MD5password.svg - icon in SVG format
    md5prt+.asm - source code
    md5prt+.exe - executable (compiled with icons and manifest)
    md5prt-icon.res - resource file, with icons
    md5prt-icon-man.res - resource file, with icons and manifest
    md5prt-man.res - resource file, with manifest
    md5prt-mini.res - resource file, with no icons or manifest

An example log:
Code:
- 16:05:57.0596 - MD5 password recovery begins with hash: 12227AC1EA36D1AB2C0656099BE9F8CB
- 16:05:57.0596 - Testing length: 1
- 16:05:57.0596 - Testing length: 2
- 16:05:57.0596 - Testing length: 3
- 16:05:57.0612 - Testing length: 4
- 16:05:57.0690 - MD5 password recovery complete, password: fasm

Time format goes like this: Hours:Minutes:Seconds.Milliseconds
Please share your comments.

* Icons and manifest can be turned on/off in source code

Turok 01 Jul 2006, 12:11
Really nice job UCM :D You added a lot of useful things :D Also, if you have the time, please replace all inc reg instructions with add reg,1 and dec reg with sub reg,1 (supposed to be faster); I don't want to double post for that minor change :D

sylwek32 01 Jul 2006, 17:32
But it's really slow now :(

sylwek32 01 Jul 2006, 17:37
It's not working!

Code:
- 19:28:49.0981 - MD5 password recovery begins with hash: 7a071b35544b4bc4a21a0791dc43f213
- 19:28:49.0981 - Testing length: 1
- 19:28:49.0997 - Testing length: 2
- 19:28:49.0997 - Testing length: 3
- 19:28:49.0997 - Testing length: 4
- 19:28:50.0262 - Testing length: 5
- 19:29:00.0997 - Testing length: 6
- 19:35:28.0669 - Testing length: 7

HASH WAS: 7a071b35544b4bc4a21a0791dc43f213
HASH PHRASE: fuckya

UCM 01 Jul 2006, 18:12
What are you doing?
The hash should be be5ebe9f3c2ddca54d3a76cda105e008

Code:
- 14:12:02.879 - MD5 password recovery begins with hash: be5ebe9f3c2ddca54d3a76cda105e008
- 14:12:02.879 - Testing length: 1
- 14:12:02.879 - Testing length: 2
- 14:12:02.879 - Testing length: 3
- 14:12:02.879 - Testing length: 4
- 14:12:03.005 - Testing length: 5
- 14:12:08.190 - Testing length: 6
- 14:13:05.316 - MD5 password recovery complete, password: fuckya

sylwek32 01 Jul 2006, 20:27
Still it doesn't work
Code:
- 22:27:19.0856 - MD5 password recovery begins with hash: be5ebe9f3c2ddca54d3a76cda105e008
- 22:27:19.0856 - Testing length: 1
- 22:27:19.0872 - Testing length: 2
- 22:27:19.0872 - Testing length: 3
- 22:27:19.0887 - Testing length: 4
- 22:27:20.0153 - Testing length: 5
- 22:27:30.0903 - Testing length: 6
- 22:33:58.0309 - Testing length: 7

sylwek32 05 Oct 2006, 12:10
For example, here:

md5 sum of "hans" is
f2a0ffe83ec8d44f2be4b624b0f47dde

and I enter f2a0ffe83ec8d44f2be4b624b0f47dde into the md5 bruteforcer
and nothing happens. It just goes up to 10 chars.

Code:
- 14:11:52.0828 - MD5 password recovery begins with hash: f2a0ffe83ec8d44f2be4b624b0f47dde
- 14:11:52.0828 - Testing length: 1
- 14:11:52.0828 - Testing length: 2
- 14:11:52.0828 - Testing length: 3
- 14:11:52.0828 - Testing length: 4
- 14:11:53.0093 - Testing length: 5

f0dder 05 Oct 2006, 12:26
Now you need to make it multithreaded :P

Madis731 05 Oct 2006, 12:47
Maybe it breaks on some OSs. It works on 2K.

f0dder 05 Oct 2006, 14:57
Hm, there's probably something wrong with the tool - it didn't find the source value for a 7-digit string with lower-case ascii and numeric values.

UCM 05 Oct 2006, 21:45
Maybe this will work:

Attachment: enhanced.zip (36.29 KB, downloaded 912 times)

f0dder 05 Oct 2006, 22:07
That one works, at least for "f0dd", "f0dde", "f0dder" :). It didn't work for uppercase stuff though, so I assume you only do lowercase and numerals.

Turok 06 Oct 2006, 13:38
Yeah, it only does lowercase and numerals because 90% of people use these :). Some interesting password analysis:
http://cyber-knowledge.net/blog/2006/09/16/analyzing-20000-myspace-passwords/

I'll probably implement uppercase with settings so you could choose what character set you will be using (I don't mind if somebody else does it for me :D). Anyhow, I need to write comments too, I guess (I'm kind of lazy ;)).

I was also thinking of making it run in 1, 2 or 4 threads so that it uses all the cores in multicore CPUs. Even further, I was thinking of making it for 64-bit CPUs, but I don't own one atm, so I guess I'll have to wait :/ On a 64-bit CPU an algorithm could be implemented that could calculate 16 hashes in one pass!

Also, salting should be implemented to calculate the password from salted hashes if the salt is known (one of the things this project is really useful for):
http://en.wikipedia.org/wiki/Salt_%28cryptography%29

Later, algorithms for other hashes could also be added (some use double or triple hashing for "more" protection), so you could calculate these hashes as well.

Anyhow, I would be really glad if more people would be working on this project, as when I was starting it I thought of it as a fasm community project, and I still do :D

I hope it will gather more people and speed up its development :)
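Turok's remark about salting, seen from the defender's side: the tool in this thread works because each guess costs one fast, unsalted MD5 and because one cracked digest identifies every user who chose the same password. The following Python is an added example written for this page, not part of the project, and shows the shared-digest problem of unsalted storage beside a salted, stretched scheme (PBKDF2-HMAC-SHA256 from the standard library) with constant-time verification. The user list, salt length and iteration counts are constructed for the example.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example (not taken from the tool or the thread).
SALT_BYTES = 16
ITERATIONS = 600_000


def unsalted_md5(password):
    """What the tool in this thread targets: one fast, unsalted digest per password,
    identical for every user who picked the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store a password as (salt, digest) using PBKDF2-HMAC-SHA256.
    A fresh random salt per user makes equal passwords store differently."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def shared_digests(records):
    """Map each stored value that occurs more than once to the users sharing it."""
    seen = {}
    for user, value in records:
        seen.setdefault(value, []).append(user)
    return {value: users for value, users in seen.items() if len(users) > 1}


def guesses_per_second_with_stretching(unstretched_rate, iterations):
    """Order-of-magnitude effect of stretching: each guess now costs `iterations`
    HMAC computations instead of a single hash, so throughput drops accordingly."""
    return unstretched_rate / iterations


def demo():
    """Constructed user list: three of four users picked the same weak password.
    Returns (shared groups with unsalted MD5, shared groups with salted PBKDF2)."""
    users = [("alice", "fasm"), ("bob", "fasm"), ("carol", "hans"), ("dave", "fasm")]
    unsalted = [(u, unsalted_md5(p)) for u, p in users]
    salted = [(u, hash_password(p, iterations=10_000)[1]) for u, p in users]
    return len(shared_digests(unsalted)), len(shared_digests(salted))


if __name__ == "__main__":
    print("shared digests (unsalted MD5, salted PBKDF2):", demo())
    salt, digest = hash_password("fasm")
    print("verify correct password:", verify_password("fasm", salt, digest))
    print("verify wrong password:", verify_password("fasn", salt, digest))
    print("guesses/s at 9.16e6 unstretched, 600k iterations:",
          guesses_per_second_with_stretching(9_162_000, ITERATIONS))
```

Two things change for an attacker: the salt removes the ability to test one guess against every user's digest at once, and the iteration count turns the millions of hashes per second quoted later in this thread into a handful of guesses per second. The function is only an order-of-magnitude model, since PBKDF2-HMAC-SHA256 and MD5 do not cost the same per call.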

weiss 17 Nov 2006, 15:14
When I was writing an NTLM1 cracker, I found that the best way was to use 32-bit code with 2 hashes at once.
I never tried using SSE2, so maybe it is better... but as someone said, the main problem with SSE2 is that it doesn't support bit rotations efficiently.

The source code of mdcrack is a very good example of how to crack md5 hashes efficiently.
If you can read C source code, I would highly recommend you peek into the core* source files.
Also, take a look at the assembly sources of Eric Young's SSLeay project (old source code you can find on packetstormsecurity.org).

It is macro-based output from GCC with optimised instructions.
I based my md4 code on it... have a look at the link below.

http://board.flatassembler.net/topic.php?t=4574

weiss 17 Nov 2006, 15:56
I just thought I would show this output from 2 programs to show
why using MMX or SSE* is not always a winner.

The NTLM1 hash to be cracked is: 297d8acb5039800a26e496543aa1fc85
which is composed of 5 Z's (ZZZZZ)

First, using MDCrack-SSE Version 1.7 on a single-core P4.

Code:
X:\>mdcrack-sse -M NTLM1 297d8acb5039800a26e496543aa1fc85

( System ) MDCrack v1.7 ( Win32 | Pentium built )
( System ) Running as mdcrack-sse -M NTLM1 297d8acb5039800a26e496543aa1fc85
( System ) Detected processor(s): 1 x INTEL Pentium IV | MMX | SSE | SSE2
( System ) Charset is: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
( System ) Target hash: 297d8acb5039800a26e496543aa1fc85
( System ) >> Entering NTLM1 Core 1: candidate/salt max size: 9.
( System ) Press a key at any time to see Core statistics (Ctrl-C to quit)

** console text omitted **

----------------------------------------------------------/ Thread #0 (Success)\----
( Core ) Collision found: ZZZZZ
( Core ) Candidate/Hash pairs tested: 931151402 ( 9.31e+008 ) in 1min 44s 533ms.

( Core ) Total key space: 4.85e+028 candidates, 0.00% done.
( Core ) Average speed: 8907724 ( 8.91e+006 ) h/s.

We see an average of 8 million 907 thousand 724 hashes per second.
Now this is just the output of the next program ;)

Code:
Found password: ZZZZZ
Average speed 9162000 p/s.

Roughly 200 thousand more hashes per second, and using only 386 32-bit code :)
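To put weiss's figures into defender's terms, this added Python example (written for this page, not from either program) turns a charset size, a maximum length and a hash rate into key-space size and worst-case exhaustion time. The two rates are the ones quoted in the output above; the 4.85e28 total key space that MDCrack prints is, as a consistency check, what this arithmetic gives for the 62-character charset over lengths 1 through 16, which is an observation made here rather than something the output states.

```python
# Rates quoted in the thread (hashes per second on a single-core P4).
MDCRACK_RATE = 8_907_724
WEISS_RATE = 9_162_000


def keyspace(charset_size, max_len, min_len=1):
    """Number of candidate strings with lengths min_len..max_len over the charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates, hashes_per_second):
    """Worst case: every candidate is tried once (unsalted, one hash per guess)."""
    return candidates / hashes_per_second


def expected_seconds(candidates, hashes_per_second):
    """Average case: the target sits halfway through the space."""
    return candidates / (2 * hashes_per_second)


def human(seconds):
    """Render a duration in the largest unit that keeps the number above 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} s"


def report(charsets, lengths, rate):
    """Rows of (charset name, max length, candidates, worst-case duration)."""
    rows = []
    for name, size in charsets:
        for n in lengths:
            space = keyspace(size, n)
            rows.append((name, n, space, human(seconds_to_exhaust(space, rate))))
    return rows


if __name__ == "__main__":
    charsets = [("digits", 10), ("lowercase+digits", 36),
                ("mixed case+digits", 62), ("printable ASCII", 95)]
    print(f"62-char space through length 16: {keyspace(62, 16):.3g} candidates "
          f"(MDCrack prints 4.85e+028)")
    for name, n, space, worst in report(charsets, (6, 8, 10), WEISS_RATE):
        print(f"{name:18s} len<={n:2d} {space:12.3g} candidates  worst case {worst}")
```

The lowercase-plus-digits set the tool in this thread searches has about 2.24e9 candidates through length 6, which at the rates above is roughly four minutes worst case; each extra character multiplies that by 36, and each extra character class raises the base, which is the whole argument for length and charset requirements on the defending side.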

asmdemon 24 Jan 2007, 05:07
I have noticed a problem, unless there is a simple edit I can do to fix it.

Code:
- 00:02:53.859 - MD5 password recovery begins with hash: 02c425157ecd32f259548b33402ff6d3
- 00:02:53.859 - Testing length: 1
- 00:02:53.859 - Testing length: 2
- 00:02:53.859 - Testing length: 3
- 00:02:53.875 - Testing length: 4
- 00:02:54.125 - MD5 password recovery complete, password: zzzz

This is good, but the "ZZZZ" hash is 4ddf7fd96ffcf749d2f1ee6efb64cc88 and it doesn't find it.
Is it not doing upper case letters? And does it do special chars like ":;,." etc.?

weiss 09 Jun 2007, 02:33
Hi, I wrote this md5 cracker using SSE2. It's just experimental, but it has good potential if studied and worked on more.
I've only done this in another assembler, won't say which... just look :oops:
You saw it here first! :)

Attachment: md5c.zip (10.91 KB, downloaded 728 times)

Copyright © 1999-2025, Tomasz Grysztar.