Monday, August 22, 2011

Cryptohaze GPU Rainbow Cracker - test 1

Well, not exactly my very first test, but my first blog post about Bitweasil's sweet little piece of software, which can be found at his site First of all: it seems *FAST*. Second: MUCH needs to be done, which is the reason for this short little blog post. I'll start out with just a single request: HEX display of all found passwords, in addition to the standard display on screen. Here's what I did:

Using the hash generator at, I created 2 NTLM hashes, one for Passord, and one for Passor  (a single space character replacement - ASCII Hex20 - for the letter d at the end there).

Passord : 72892f1b58f8708c3f07639f6c08daea
Passor  : 42ae7b3af2c5c22514b89355dfa8b3be

Using GRTCrack.exe -h NTLM -s (hashvalue) GRT-NTLM-len7-fullcharset-perfect\*.grt --threads 512 --blocks 512 -m 500, my GTX580 goes to 99%. Tables are stored on a 2x1TB soft striped array on SATA, i7 cpu, 24GB memory and W7x64.

Passord is found in the second table, while Passor  is found in the first table after a few seconds. Here are screenshots of the output:
GRTCrack output for Passord)

GRTCrack output for Passor )
As you can see: 2 different passwords, different hash values, but you can't trust the output in case of HEX20 padding at the end. One out of several tricks I've told some of those with an genuine interest in blocking me from cracking their passwords in "the early days". (You are not alone; Cain from doesn't show any hex values either, and that's just one example.)

Chances are rather slim for finding a Windows domain controller with LM disabled and no LM hashes available. Add to that one or more users "padding" their password with one or more HEX20's at the end up to and including length 7, and charset limited within full US ASCII (or 8, with the Terabyte NTLM tableset that Bitweasil offers to ship to you for USD 500,-)... Well, not many does that.

However; I NEED to see the HEX output of the passwords as well Bitweasil! :-)
Even better: As soon as the password is found, calculate its hash value and compare it to the original input value - for added confidence in the results. Allow me to output the results to a TAB separated file (optional parameter?), making it easier to work with the results when users have used those darn ::::: colons in their passwords - for the fun of seeing me get angry. :-)


  1. It is kind of easy to tell if there are spaces at the end. All of his tables are of a single length. So if you crack a hash on the length 8 table set and it looks like it's length 7 then there's a space at the end.

    Also you don't need to output tabs if you output "hash:hex:password" because you can do "cut -d : -f 3-" to get the passwords and "cut -d : -f 2" to get the hex of the passwords. Well unless the hash has a colon in it.

  2. "Unless the hash has a colon in it". My point exactly Steve! ;-)

    See; it's been many years since I told some friends and colleagues about some of the shortcomings of several password crackers; the lack of password HEX display. Because of that, tabbed passwords with spaces, using character substitutions that looks very similar (simplest example being 0 and O) makes the day just a bit more annoying for the password cracker.

    That's the reason for my HEX request. :-)

  3. Not sure if you guys noticed, Multiforcer 1.1 has the "--hexoutput" option - it adds the hex output to the found hashes.

    The next release of the rainbow table code will have this as well. Thanks for the suggestions!


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.