What follows is an example of CUDA-based password cracking on the author's workstation, which is running
Oracle Database 11g. The file pw.txt contains 147 million pre-prepared potential passwords (half a gigabyte).
It is an amalgam of many commercial and free password lists combined with private values that can be tuned.
A starter list can be obtained from this URL: https://dazzlepod.com/uniqpass/ .
[~/hashcat/hashcat/oclHashcat-plus-0.14]
root@linuxbox $ ./cudaHashcat-plus64.bin -m 112 BE882CDCBAB1D500A54FE6D160E8981A8606F87B:29DCD52B6F86C4D2C585 pw.txt
cudaHashcat-plus v0.14 by atom starting...
Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
Workload: 128 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce 9800 GT, 511MB, 1500Mhz, 14MCU
Device #1: Kernel ./kernels/4318/m0110_a0.sm_11.64.ptx
Generated dictionary stats for pw.txt: 1608608477 bytes, 154759253 words, 147470121 keyspace
Session.Name...: cudaHashcat-plus
Status.........: Exhausted
Input.Mode.....: File (pw.txt)
Hash.Target....: be882cdcbab1d500a54fe6d160e8981a8606f87b:29dcd52b6f86c4d2c585
Hash.Type......: Oracle 11g
Time.Started...: Sat May 25 20:56:10 2013 (37 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 18924.6k/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 147470121/147470121 (100.00%)
Rejected.......: 1/147470121 (0.00%)
HWMon.GPU.#1...: -1% Util, 58c Temp, 39% Fan
Started: Sat May 25 20:56:10 2013
Stopped: Sat May 25 20:56:54 2013
As you can see, the CUDA Oracle password-cracking system has been able to make 3.5 million password
guesses per second using only a low-cost graphics card. The CPUs in the machine are still idling and available for
normal usage while the graphics card does all the password cracking.
CUDA tips the balance toward the attacker. Additionally, the algorithms used to attack the password are
improving. With Hashcat, for example, hybrid attacks and masks can be used to specify a password format that a
human is likely to use, for instance Leet-spelling dictionary words starting with a capital letter and ending with an
exclamation mark, e.g., P4ssw0rd! Also, Markov-chain statistical techniques can be used to speed up brute force, based
on the probability of one letter following another given how words tend to be formed linguistically.
Strong Password Philosophy
The defense against CUDA-based hacking is to use longer, random passwords. However, they need to be
memorable. For that reason, it is common to choose a passphrase. For example, one might choose “To be or not 2B!”
as a password, and such a text would be referred to as a passphrase.
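
The following password-audit sketch is an added example, not code from the book or from Hashcat. It shows why a length-and-character-class estimate overrates a password such as P4ssw0rd!, and how a short random password and the passphrase compare at the Speed.GPU.#1 rate from the session above. The word list is a constructed stand-in for pw.txt, and the leet substitution set and the one-year threshold are assumptions.

```python
import string

GPU_RATE = 18_924_600  # guesses/s: the Speed.GPU.#1 value in the session above

# Constructed stand-in; a real audit would load a large list such as pw.txt.
WORDLIST = {"password", "oracle", "welcome", "summer"}
# Assumed set of common leet substitutions, mapped back to letters.
UNLEET = str.maketrans("43015$@7", "aeoissat")

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]

def is_dictionary_derived(pw, max_suffix=3):
    """True if pw is a wordlist entry after undoing case, leet and a short suffix."""
    for cut in range(max_suffix + 1):
        core = pw[:len(pw) - cut].lower().translate(UNLEET)
        if core in WORDLIST:
            return True
    return False

def brute_force_keyspace(pw):
    """Upper bound: (size of the character classes used) ** length."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    return alphabet ** len(pw)

def audit(pw, rate=GPU_RATE):
    """Return (verdict, seconds to exhaust the brute-force keyspace at `rate`)."""
    seconds = brute_force_keyspace(pw) / rate
    if is_dictionary_derived(pw):
        return "weak: dictionary word with predictable edits", seconds
    if seconds < 365 * 24 * 3600:
        return "weak: brute-forceable within a year", seconds
    return "ok against exhaustive search at this rate", seconds

if __name__ == "__main__":
    for candidate in ["P4ssw0rd!", "xq7Tz", "To be or not 2B!"]:
        verdict, secs = audit(candidate)
        print(f"{candidate!r:22} {verdict} ({secs / 31_536_000:.3g} years)")
```

The brute-force figure is only an upper bound: P4ssw0rd! scores roughly a thousand years on it, yet falls to the dictionary check, which is the shape of guess the hybrid and mask attacks described above try first.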
 