
Hashcat 6.0 - miles
https://hashcat.net/forum/thread-9303.html
======
sam_goody
That's ~5 commits a DAY on average since the last release a year ago,
primarily from 29 contributors.

That is a rate of development that bests most paid teams that I know of.

I am very impressed. How do you manage so much commitment for an open source
project?

~~~
Cthulhu_
Security researchers / developers are employed by companies and organizations
that have an interest in this technology, e.g. law enforcement, secret
services.

I suspect most serious / active open source projects have a number of paid for
developers like that. TBH, they need it, if their scale is beyond a small
library / utility.

~~~
derefr
hashcat is also one of those tools that is both 1. a “core” that can be used
in other software; while also being 2. in a class of software that benefits
heavily from network effects (i.e. when someone contributes new algorithms to
it, everyone gets just a little further in cracking the “mystery hashes” they
have lying about.)

Hash reversing as a problem having property #2, virtually guarantees that the
landscape of hash-reversing software would look like an oligopoly, because
people would use the tools with the most algorithms, and so contribute to
those, and so “the rich get richer.”

But hashcat having property #1 means that there’s no _political_ reason (e.g.
your enterprise wanting to ship something with your own branded GUI on it) to
be unable to use hashcat, and so no reason for anyone to create their own
_new_ full-stack hash reversing system, when hashcat already exists to be used
_within_ such software.

Effectively, these properties are the same thing that made ffmpeg the “winner”
in its own space, as discussed yesterday
(https://news.ycombinator.com/item?id=23540704).

------
capableweb
Grandest addition that I can see is the various WPA/WPA2 changes. Not only did
it get ~13% faster with this release, but PBKDF2 and PMK support has been added
too. Also CUDA support is obviously a godsend from above as well.

Fantastic piece of software. Authors: thank you for your hard work!

------
SloopJon
Hashcat has long been a user of OpenCL. I wondered whether that was because
CUDA really wasn't much better for this application, but this release puts
that to rest:

> One of the biggest advantages of CUDA compared to OpenCL is the full use of
> shared memory ... This and other optimizations are the reason we improved
> the performance of bcrypt by 46.90%.

Also interesting that they specifically call out CUDA on ARM devices like the
Jetson Nano and Xavier. I suspect that the GPU in the Nano is better than the
MX150 in my laptop.

~~~
penagwin
Not a hashcat dev, but my understanding is that historically, AMD has had
"more raw power" GPUs than Nvidia - but has historically suffered worse driver
and game implementations. This is even though the 1000x series by Nvidia, AMD
cards were usually still the most used cards for crypto mining (which is
basically a hash function).

As CUDA only really runs on Nvidia hardware, it makes sense that they might be
motivated to be as compatible as possible.

------
mhasbini
Congrats on the release! I was following up the development progress on
GitHub.

I'm pretty excited about "Plugin Interface". I think we can see this refactor
effort as a success story: simpler code + improved performance + more testing.

It's amazing that they've added this tutorial for adding a new algorithm:
https://github.com/hashcat/hashcat/blob/master/docs/hashcat-plugin-development-guide.md
(previously information was scattered around PRs).

Thanks atom and all the other contributors!

------
Hamuko
Is there a Hashcat-as-a-Service or is everyone just renting out EC2 GPU
instances by the hour?

~~~
jrwr
Most hashes can be cracked with onlinehashcrack.com -- They are free if it's
under 8 characters and something like 5$ if it's not. You can submit as many as
you want and if they don't crack it, it's free.

~~~
Tenoke
Is there something similar for Ethereum presale wallet hashes?

I have a wallet of which I know enough of the password to reduce the space to
< 10 chars that need to be guessed.

~~~
TecoAndJix
Check out the configuration for a masked attack [0]. You could create a custom
character set with the portion that you know and then brute the rest. You
could then rent a p2.16xlarge [1] from AWS at about $15 per hour. If you know
how much coin is in there you can do a cost/benefit analysis.

[0] https://hashcat.net/wiki/doku.php?id=mask_attack#custom_charsets
[1] https://aws.amazon.com/ec2/instance-types/p2/

~~~
Tenoke
Thanks! That looks fairly simple, I'll try to set it up on my machine first
but even a p2 instance will be worth it in this case.

------
Vadim_M
Any way to use Metal instead of OpenCL now?

~~~
jeroenhd
What's the benefit of Metal in this use case? Are there any noticeable
speedups in other brute forcing tools that switched to Apple's proprietary
API?

Given that OpenCL works on every decent modern platform and GPU brand I doubt
much effort will be put into Metal unless someone familiar with the API and
willing to put in the extra work joins the team of maintainers or creates a
fork.

~~~
Hamuko
> _What's the benefit of Metal in this use case?_

Continued usage on macOS if you care about that kind of a thing since Apple
has deprecated OpenCL support.

~~~
jeroenhd
TIL. That's awful, but then again I'd expect nothing less from Apple. It's a
miracle they even supported open standards in the first place.

As long as Apple keeps OpenCL around, even if it's deprecated, these tools
should still work. I'd expect that only the announcement of complete removal
of OpenCL support would be enough to actually make hashcat put in the extra
effort of writing a special Apple backend like that. Maybe they're generous or
bored and do it before that, but I wouldn't expect them to in the near future.

~~~
continuational
It's not such a miracle - all companies like standards until they have
sufficiently many apps on their platform - then they switch to proprietary to
prevent app portability to competing platforms.

------
_tk_
All new major features look like incredible additions, and OTOH do not seem to
water down what the software is supposed to do in the first place. I can only
applaud the contributors for their dedication. This really looks amazing.

------
hangonhn
Anyone know why Java's object hash is even on the list given how small it is?
It's not even meant to be cryptographically secure.

~~~
mmm_grayons
Because hashcat doesn't really reject PRs for hash algorithms, at least to the
extent of my knowledge, so long as the code quality is decent. Or in other
words, "Why not?"

------
j88439h84
How many hashes per second can a high end GPU do?

~~~
TecoAndJix
I ran it recently on my 1080ti:

  Session..........: hashcat
  Status...........: Exhausted
  Hash.Type........: MS Office 2010
  Hash.Target......: $office$*2010*100000*128*16*[removed]
  Time.Started.....: Sat Apr 18 09:05:24 2020 (3 mins, 35 secs)
  Time.Estimated...: Sat Apr 18 09:08:59 2020 (0 secs)
  Guess.Base.......: File (merged.txt)
  Guess.Queue......: 1/1 (100.00%)
  Speed.#1.........: 92589 H/s (2.67ms) @ Accel:256 Loops:128 Thr:64 Vec:1
  Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
  Progress.........: 19922208/19922208 (100.00%)
  Rejected.........: 0/19922208 (0.00%)
  Restore.Point....: 19922208/19922208 (100.00%)
  Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:99968-100000
  Candidates.#1....:
  Hardware.Mon.#1..: Temp: 74c Fan: 55% Util: 89% Core:1949MHz Mem:5508MHz Bus:8

  Started: Sat Apr 18 09:05:07 2020
  Stopped: Sat Apr 18 09:09:00 2020

~~~
jonluca
Is that saying ~92k hashes per second? What's the MS Office 2010 hash type?

~~~
TecoAndJix
I think that is what it is saying! The hash type is AES-128 with SHA-1 hash
stretching x100,000[0][1]. The Office 2010 hashmode is 9200[2].

At work, someone of importance wanted access to a password protected file from
an employee that left. I ran it through several wordlists to demonstrate an
attempt was made and shared the cost/time required for 100% recovery. Never
solved it and the cost/time analysis was enough to make them say oh well!

[0] https://en.m.wikipedia.org/wiki/Microsoft_Office_password_protection
[1] https://en.m.wikipedia.org/wiki/Key_stretching
[2] https://hashcat.net/wiki/doku.php?id=example_hashes
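
The cost/time analysis mentioned in this subthread, worked through as an added example (not part of any comment above, and not hashcat code): it computes the keyspace of a hashcat-style mask and the time to exhaust it at the 92589 H/s reported above for Office 2010. The function names, the sample masks and the hourly price are assumptions made for illustration.

```python
import string

# Built-in charsets of hashcat's mask syntax (?b, the full byte range, is omitted).
BUILTIN = {
    "l": string.ascii_lowercase, "u": string.ascii_uppercase,
    "d": string.digits, "s": " " + string.punctuation,
    "h": string.digits + "abcdef", "H": string.digits + "ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand(spec, custom):
    """Return one set of allowed characters per position of a mask or charset spec."""
    positions, i = [], 0
    while i < len(spec):
        ch = spec[i]
        if ch != "?":
            chars, i = {ch}, i + 1          # literal character: a single choice
        else:
            if i + 1 == len(spec):
                raise ValueError("dangling '?' at end of spec")
            key = spec[i + 1]
            if key == "?":
                chars = {"?"}               # "??" is a literal question mark
            elif key in BUILTIN:
                chars = set(BUILTIN[key])
            elif key in custom:
                # A custom charset may mix literals and built-ins, e.g. "?l?d".
                # Simplification: it may not reference another custom charset.
                chars = set().union(*expand(custom[key], {}))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        positions.append(chars)
    return positions


def mask_keyspace(mask, custom=None):
    """Number of candidates the mask generates (product of per-position sizes)."""
    total = 1
    for chars in expand(mask, custom or {}):
        total *= len(chars)
    return total


def exhaust_estimate(keyspace, hashes_per_second, usd_per_hour):
    """Worst-case time and rental cost to try every candidate once."""
    seconds = keyspace / hashes_per_second
    return {"days": seconds / 86400, "usd": seconds / 3600 * usd_per_hour}


if __name__ == "__main__":
    RATE = 92589          # H/s, from the Office 2010 status output in this thread
    USD_PER_HOUR = 1.00   # constructed placeholder price, not a figure from the thread
    for mask, cs in [("?1?1?1?1?1?1?1?1", {"1": "?l?d"}), ("Summer?d?d?d?d", None)]:
        ks = mask_keyspace(mask, cs)
        print(mask, ks, exhaust_estimate(ks, RATE, USD_PER_HOUR))
```

At that rate, eight unknown lowercase-or-digit characters take roughly 353 days to exhaust on one card, while a known prefix with four unknown digits takes a fraction of a second; the gap comes from the password's unknown portion multiplied by the 100,000-iteration stretching.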

------
paulpauper
this is why you should use scrypt vs bcrypt or some other memory intensive
algo to generate hashes.

------
umvi
So what's the difference between hashcat and johntheripper?

Any reason to use one over the other?

~~~
gen3
I’ve used johntheripper for wordlists and hashcat for brute-forcing, but the
ethos might have changed.

~~~
Bnshsysjab
Hashcat supports wordlists with large rule sets, search ‘best64 ruleset’ for
instance

~~~
gen3
Awesome, thank you!

------
jkubrynski
1800 commits since the last release - that's not the "continuous delivery" ;)

~~~
capableweb
Smiley indicates that you're joking, but in case you're not, I don't see any
commitment from their side about doing continuous delivery and it's neither
the best way for ALL projects to do development. Most web startups seem to
default to it these days, but that doesn't mean it's a MUST for all types of
application building.

