Project 3c. Cracking Linux password with hashcat using AWS t2.

micro CPU

In this project we learn

• How to clone an AWS t2.micro instance from an image created by me from
coursera_cs5910c_im1 image which is generated from Deep Learning AMI GPU
PyTorch 1.12.1 (Ubuntu Linux) image with cracking password hashcat software installed
and related project 3c data files.
• How to crack a password using dictionary lookup.
• How to crack a password based on a known pattern.

The assignment will be graded by checking

1. Whether the learner know how to clone the instance and connect to it.
2. Whether the learner can use hashcat with the dictionary look up to find the password.
3. Whether the learner can specify the password pattern for cracking password using mask
feature provided by hashcat.

Note that since AWS Academy only allow you to run t2.micro free tier instance. We can only
utilize the Xeon CPU provided to run the hashcat software to crack the password. It is much
slower than using the GPU instances that are available if you have a regular AWS account. But
we can still can crack the passwords for the exercises in this project within reasonable amount of
time, e.g., the password in shadow2.txt with 6 digits unknown pattern was cracked in 25 second
with p2.xlarge GPU but on a Xeon CPU it takes 7 mins, 46 seconds. It is almost 19 times faster
with p2.xlarge GPU instance. For password in top100password list, the hashcat with Xeon CPU
can crack two passwords within a second. If you have regular AWS account and willing to pay
for p2.xlarge GPU instance usage (just a few minutesJ), I strongly recommend you to do that to
gain the experience of speed difference.

You can find the more recent price information about AWS offering at
https://aws.amazon.com/ec2/instance-types/p2/
RAM Network RI Price /
Name GPUs vCPUs Price/Hour*
(GiB) Bandwidth Hour**
p2.xlarge 1 4 61 High $0.900 $0.425
p2.8xlarge 8 32 488 10 Gbps $7.200 $3.400
p2.16xlarge 16 64 732 20 Gbps $14.400 $6.800
For our exercise, you only need less than an hour of time using p2.xlarge, no need to pick the
bigger one. Actually each hacking session only takes about 30 seconds for the type of
passwords we have. There are students reported using t2.micro with hashcat and was able to
perform dictionary attack in Step 2 in very short time.
If you prepare the hash data on your own computer, then transfer the hash data to your p2
instance, you could save a lot of time.

Stop your instance right away when you finish your exercise. For p2.xlarge instance, it is
almost a dollar an hour!

Step A. Clone the instance with Cuda support .

After login to your AWS management console, select ec2 service and click “Launch Instance”.
Then Enter Instance Parameters.
This includes the instance name, the AMI image to clone, the instance type, and the key pair
name.
1. Enter <login>_cs5910c_i1 as instance name.
2. Enter “coursera_cs5910c_im1” for the AMI image and found the image with Cuda
CPU support.
3. Choose “t2.micro” instance type.
4. Select the existing key pair name <login>_awsac_cs5910_pkey or create a new one.
5. Click “Launch instance”
Go to the instance list and select instance just created. Its name is <login>_cs5910_i1.
Wait for its status to change from pending, initializing, to running.
Select it and find out its public IP address in the lower panel.
I found the cchow_cs5910c_i1 instance is associated with 3.87.239.113 public IP address.
Note that the public IP address will change if we stop and start it again. You can create and
associate it with an elastic IP address to make its public IP address “permanent”.

Step B. Connect to the Instance using ssh command on Mac/Linux/Powershell with

Windows or bitvise app on Windows.

Here we show how to connect on a mac laptop. First, make sure your private key file is only
readable by you.
For example, I run the following command before I attempt to launch the ssh command.

chmod 400 jchow_awsac_cs5910_pkey.pem

We will the use following command on a macOS, Linux, or powershell with Windows.

ssh -i <private key file> ubuntu@<yourInstanceIPAddr>.

Note that the normal user account is ubuntu, not ec2-user. This is due to the use of ubuntu OS
image, not Amazon Linux 2 OS image.

For Windows users, you can set up bitwise. Follow the instructions in Section 3.2.2 (page 27) of
http://ciast.uccs.edu/coursera/pub/project1aV9.pdf to setup bitwise for ssh access to your
instance.
cchow@MacBook-Pro privateKey % ssh -i jchow_awsac_cs5910_pkey.pem
[email protected]
=============================================================================
__| __|_ )
_| ( / Deep Learning AMI GPU PyTorch 1.12.1 (Ubuntu 20.04)
___|\___|___|
=============================================================================

Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.15.0-1020-aws x86_64v)

* To activate pre-built pytorch environment, run: 'source activate pytorch'

* To activate base conda environment upon login, run: 'conda config --set auto_activate_base
true'
* NVIDIA driver version: 510.73.08
* CUDA version: 11.6

AWS Deep Learning AMI Homepage: https://aws.amazon.com/machine-learning/amis/

Release Notes: https://docs.aws.amazon.com/dlami/latest/devguide/appendix-ami-release-
notes.html
Support: https://forums.aws.amazon.com/forum.jspa?forumID=263
For a fully managed experience, check out Amazon SageMaker at
https://aws.amazon.com/sagemaker
Security scan reports for python packages are located at: /opt/aws/dlami/info/
=============================================================================

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun Oct 2 13:56:36 UTC 2022

System load: 0.03 Processes: 109

Usage of /: 53.9% of 43.55GB Users logged in: 0
Memory usage: 26% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for eth0: 172.31.83.187

0 updates can be applied immediately.

New release '22.04.1 LTS' available.

Run 'do-release-upgrade' to upgrade to it.

1 updates could not be installed automatically. For more details,

see /var/log/unattended-upgrades/unattended-upgrades.log
Last login: Sun Oct 2 13:55:18 2022 from 114.46.159.121
ubuntu@ip-172-31-83-187:~$ ls
BUILD_FROM_SOURCE_PACKAGES_LICENCES PYTHON_PACKAGES_LICENSES
LINUX_PACKAGES_LICENSES THIRD_PARTY_SOURCE_CODE_URLS
LINUX_PACKAGES_LIST proj3c
ubuntu@ip-172-31-83-187:~$ cd proj3c
ubuntu@ip-172-31-83-187:~/proj3c$ ls
10-million-password-list-top-100.txt hcmask4 shadow1.txt shadow4.txt
found1.txt hcmask5 shadow2 top100passwd.txt
hcmask shadow shadow2.txt
hcmask2 shadow.txt shadow3
hcmask3 shadow1 shadow3.txt
ubuntu@ip-172-31-83-187:~/proj3c$

The proj3c home directory already contains a few data files for our exercises.
Make sure you switch to that directory with “cd proj3c”.
The instance is installed and tuned with new hashcat software package.

Step C. Benchmark Hashcat.

In our case, we do not have GPU or optimized kernel installed, therefore we can use “hashcat --
force -b” to see if hashcat works. To generate all benchmark results will take very long time, we
will hit control-c to stop it when we see “Hasmode: 100 – SHA1 “ output. We do not have wait
for it to complete.

ubuntu@ip-172-31-83-187:~/proj3c$ hashcat --force -b

hashcat (v5.1.0) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.

You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz, 256/724 MB allocatable,
1MCU

Benchmark relevant options:

===========================
* --force
* --optimized-kernel-enable

Hashmode: 0 - MD5
Speed.#1.........: 65073.7 kH/s (14.64ms) @ Accel:1024 Loops:1024 Thr:1 Vec:8
Hashmode: 100 - SHA1

Speed.#1.........: 38416.9 kH/s (25.90ms) @ Accel:1024 Loops:1024 Thr:1 Vec:8

^C
ubuntu@ip-172-31-83-187:~/proj3c$

Step D. Discover the password using the dictionary lookup.

Here we will demonstrate to use hashcat to discover passwords if it is within the dictionary of
top100 passwords. We will select the two passwords from a popular top 100 password list.
Create two user accounts on ubuntu with these two passwords. We will then extract the
encrypted passwords from the /etc/shadow file, and feed them to the hashcat program with
the dictionary file as inputs.

Step D1. Locate top100 password list in proj3c.

In your proj3c directory locate the file top100passwd.txt. You can type “ls” to do that.
The previous page contains the result of “ls” command.
If you cannot find it, you can always download it from the following url.

https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-
million-password-list-top-100.txt

We will use top100passwd.txt for dictionary lookup password cracking.

Step D2. Pick two of those passwords in the list and create two Linux user accounts.

In the list, I pick 666666 and access respectively for csr and nsa. You can pick different ones in
the list of that top 100 passwords.
Create two users: csr and nsa using

ubuntu@ip-172-31-26-153:~$ sudo useradd csr

ubuntu@ip-172-31-26-153:~$ sudo useradd nsa

Set their passwords using

ubuntu@ip-172-31-26-153:~$ sudo passwd csr

Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
ubuntu@ip-172-31-26-153:~$ sudo passwd nsa
Enter new UNIX password:
Retype new UNIX password:
Copy the /etc/shadow password file to current directory using

ubuntu@ip-172-31-26-153:~$ sudo cp /etc/shadow shadow.txt

ubuntu@ip-172-31-26-153:~$ sudo chown ubuntu:ubuntu shadow.txt

remove all other entries and only leave the last two.
It will be something like this:

ubuntu@ip-172-31-26-153:~$ cat shadow.txt

csr:$6$wrGtJUbA$tExdPUKg8aEXrmyJ11cUkhCQloNy.XUrzTVtSHXCClKpVAorXNC8TztKqR2wAu
Wbga6Y.sZWwpHXCX1RE4kpY0:17425:0:99999:7:::
nsa:$6$wfQm.MJt$NK.xz71C1q5GVix77FfTvtjg1C2KgC7CtfCeeaa.BZqh6fxBwj8txvuZvyifrdApJ8N
Tv/r7T/Wvd447XJgb.0:17425:0:99999:7:::

Step D3. Extract encrypted passwords from the password file.

Since hashcat only deal with hash password portion of the password, we remove the account
name and the : after it. We also remove the “:17425:0:99999:7:::” at the end. Note that the
numbers before “0:99999:7:::” may be different. If do not remove this, the hashcat will complain
that the length of the hash is too long.

The resulting file should like this:

$6$wrGtJUbA$tExdPUKg8aEXrmyJ11cUkhCQloNy.XUrzTVtSHXCClKpVAorXNC8TztKqR2wAuWbg
a6Y.sZWwpHXCX1RE4kpY0
$6$wfQm.MJt$NK.xz71C1q5GVix77FfTvtjg1C2KgC7CtfCeeaa.BZqh6fxBwj8txvuZvyifrdApJ8NTv/r
7T/Wvd447XJgb.0

The “Features in glibc” Section in the crypt() function man page described in
http://man7.org/linux/man-pages/man3/crypt.3.html
the format of the encrypted password with three fields separated by ‘$’: $id$salt@encrypted
The first field indicates the encryption method or Linux system password mode. It has the value
of 6, which indicate SHA-512 hashing method is used.
The second field is the salt. It is the 16 characters encoded in BASE64 format. It is used to
defend against brute force dictionary look up attack.
The third field is the encrypted value after the plain password and salt is run through the hashing
method, sometime multiple rounds.

Note that the hashcat will cache the previous matched results in ~/.hashcat/hashcat.potfile to
speedup the next hashcat operations. If you would like to measure the actual hashcat time
without the improved performance using cached match, then you need to remove
~/.hashcat/hashcat.potfile file similar to the following:

ubuntu@ip-172-31-83-187:~/proj3c$ rm ~/.hashcat/hashcat.potfile
Now let us run the hashcat command.

Step D4. Cracking password with dictionary lookup.

We will use the following command:

hashcat --force -m 1800 -o found1.txt shadow.txt top100passwd.txt

where --force indicates to hashcat we do not have special GPU device, just use CPU
-m 1800 specifies the hash is related to Linux system password mode 6 using SHA512.
-o specifies the output will be saved in found1.txt file. The first parameter is the file
containing the encrypted password. The second parameter is the dictionary file.

Without force option, you will get the following error:

ubuntu@ip-172-31-83-187:~/proj3c$ hashcat -m 1800 -o found1.txt shadow.txt

top100passwd.txt
hashcat (v5.1.0) starting...

* Device #1: Not a native Intel OpenCL runtime. Expect massive speed loss.
You can use --force to override, but do not report related errors.
No devices found/left.

Started: Sun Oct 2 14:30:15 2022

Stopped: Sun Oct 2 14:30:15 2022
ubuntu@ip-172-31-83-187:~/proj3c$

Here is the result:

ubuntu@ip-172-31-83-187:~/proj3c$ hashcat --force -m 1800 -o found1.txt shadow.txt

top100passwd.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz, 256/724 MB allocatable,
1MCU

Hashes: 2 digests; 2 unique digests, 2 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Uses-64-Bit
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.

This enables cracking passwords and salts > length 32 but for the price of drastically reduced
performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.

Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D

LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -
D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D
DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
Dictionary cache hit:
* Filename..: top100passwd.txt
* Passwords.: 101
* Bytes.....: 754
* Keyspace..: 101

The wordlist or mask that you are using is too small.

This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: shadow.txt
Time.Started.....: Sun Oct 2 14:35:41 2022 (1 sec)
Time.Estimated...: Sun Oct 2 14:35:42 2022 (0 secs)
Guess.Base.......: File (top100passwd.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 143 H/s (3.70ms) @ Accel:256 Loops:64 Thr:1 Vec:4
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 202/202 (100.00%)
Rejected.........: 0/202 (0.00%)
Restore.Point....: 0/101 (0.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: 123456 -> minecraft

Started: Sun Oct 2 14:35:36 2022

Stopped: Sun Oct 2 14:35:44 2022
ubuntu@ip-172-31-83-187:~/proj3c$ cat found1.txt
$6$OujROnpDKP/ihSZu$KGP/shTokC4zV6RhX/TOd9/Wjtj14sVKicoM0RZIR.TWjq5mvHTZHeRka
mZjhxOSwTbajH2j6PSFUlomylMae0:666666
$6$QuSaXpt6luqddEbI$TLmjadOfpsdpkIQS.rdM6Z.2d3GTV7.GVYM8.97vVW/PNyC55PfEIh2v6N
BeicQZufT1CAFTPR6PSl3GwszHb0:access
ubuntu@ip-172-31-83-187:~/proj3c$

found1.txt content above shows that the passwords are indeed 666666 and access.

With dictionary lookup, it only takes about 1 second. Note that if you run the command again, it
will return with cached results right away. This is due to hashcat software cached/kept track all
cracked results. For learning reason, we turn off searching the cache results with option
--potfile-disable

ubuntu@ip-172-30-1-171:~/proj3c$ hashcat --force -m 1800 -o found1.txt

shadow.txt top100passwd.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz, 256/724 MB
allocatable, 1MCU

INFO: All hashes found in potfile! Use --show to display them.

Started: Mon Mar 13 09:14:51 2023

Stopped: Mon Mar 13 09:14:51 2023
ubuntu@ip-172-30-1-171:~/proj3c$ hashcat --force --potfile-disable -m 1800 -o
found1.txt shadow.txt top100passwd.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz, 256/724 MB
allocatable, 1MCU

Hashes: 2 digests; 2 unique digests, 2 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Uses-64-Bit
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.

This enables cracking passwords and salts > length 32 but for the price of
drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your
commandline.

Watchdog: Hardware monitoring interface not found on your system.

Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL

-D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D
VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D
DGST_R3=3 -D DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
Dictionary cache hit:
* Filename..: top100passwd.txt
* Passwords.: 101
* Bytes.....: 754
* Keyspace..: 101

The wordlist or mask that you are using is too small.

This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: shadow.txt
Time.Started.....: Mon Mar 13 09:15:40 2023 (2 secs)
Time.Estimated...: Mon Mar 13 09:15:42 2023 (0 secs)
Guess.Base.......: File (top100passwd.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 141 H/s (3.72ms) @ Accel:256 Loops:64 Thr:1 Vec:4
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 202/202 (100.00%)
Rejected.........: 0/202 (0.00%)
Restore.Point....: 0/101 (0.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: 123456 -> minecraft

Started: Mon Mar 13 09:15:36 2023

Stopped: Mon Mar 13 09:15:43 2023
ubuntu@ip-172-30-1-171:~/proj3c$

Step E. Cracking Linux password with known simple pattern.

Step E1. Retrieve password files with special encoding pattern.

Assume that we are able to retrieve the Linux shadow files with the content through the
vulnerability of the Linux system. Here we simulate with the command “sudo vi /etc/shadow”.
The last two entries happen to be

dt:$6$9UqPAQStBoddxyWm$avoZN97rwo0RIr6nr8f80EXLlS7yY7RqdICFvC0wOwE2I7S7ceX70EK
aXckz2z2K9nOx.551azDebdUmQ4tY0.:19267:0:99999:7:::
jb:$6$Bm.4RFKj/WgSmWAq$Uid7TeGw0UJlSqoIhjHnXsX2S89lZQnhJscjmma4wMx5eQDF5T77tp
uOJPsNhsSTRzgI63VQWY525/f9FOGct1:19267:0:99999:7:::

Know that the unix password file are separated by ‘:’ separator token. The first field is the login.
The 2nd field is the encrypted password. The rest fields are related user ID, group ID, and other
account info. What hashcat needs as input is the encrypted password.

Let us save the following line as shadow4.txt

$6$9UqPAQStBoddxyWm$avoZN97rwo0RIr6nr8f80EXLlS7yY7RqdICFvC0wOwE2I7S7ceX70EKaX
ckz2z2K9nOx.551azDebdUmQ4tY0.

Step E2. Create mask file containing the pattern.

Through the email announcement to the users, we also know the password was created with the
login of the user followed by 4 digits of the birth month and birth day of the user. The question
now is “How can we utilize the knowledge of this pattern and hashcat to discover the password?”

The hashcat supports the pattern matching. The mask file can be created with .hcmask file
extension. Each line in the mask file is one pattern. ?d present digits, ?l represent letter.
In our case, we further assume some of leading 3 digits are 101.

Here is the built-in character set:

§ ?l = abcdefghijklmnopqrstuvwxyz
§ ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
§ ?d = 0123456789
§ ?h = 0123456789abcdef
§ ?H = 0123456789ABCDEF
§ ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
§ ?a = ?l?u?d?s
§ ?b = 0x00 - 0xff

Now the pattern in the mask file for cracking this account becomes

dt?d?d?d?d

Let us save this line as hcmask4

Step E3. Cracking passwords with encoding patterns.

Now let us apply the hashcat command for the pattern search with hcmask4. Know that the
software will prompt you to decide whether to check status, pause, or quit, while it is running. In
the session below, I type ‘s’ a few times to see the progress. It shows how many patterns in terms
of percentage have been searched.

Permutation attack-mode options (-a)

Outfile formats
1 = hash[:salt]
2 = plain
3 = hash[:salt]:plain
4 = hex_plain

The found4.txt file the last field after : is the plain password.

ubuntu@ip-172-31-83-187:~/proj3c$ hashcat –force --potfile-disable -m 1800 -o

found4.txt -a 3 shadow4.txt hcmask4
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz, 256/724 MB allocatable,
1MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Uses-64-Bit

Minimum password length supported by kernel: 0

Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.

This enables cracking passwords and salts > length 32 but for the price of drastically reduced
performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D

LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -
D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D
DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$9UqPAQStBoddxyWm$avoZN97rwo0RIr6nr8f80EXLlS7yY7R...Q4tY0.
Time.Started.....: Sun Oct 2 15:21:18 2022 (16 secs)
Time.Estimated...: Sun Oct 2 15:21:34 2022 (0 secs)
Guess.Mask.......: dt?d?d?d?d [6]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 333 H/s (9.50ms) @ Accel:256 Loops:64 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 5120/10000 (51.20%)
Rejected.........: 0/5120 (0.00%)
Restore.Point....: 4864/10000 (48.64%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: dt4060 -> dt9984

Started: Sun Oct 2 15:21:12 2022

Stopped: Sun Oct 2 15:21:35 2022
ubuntu@ip-172-31-83-187:~/proj3c$ cat found4.txt
$6$9UqPAQStBoddxyWm$avoZN97rwo0RIr6nr8f80EXLlS7yY7RqdICFvC0wOwE2I7S7ceX70EKaX
ckz2z2K9nOx.551azDebdUmQ4tY0.:dt0614
ubuntu@ip-172-31-83-187:~/proj3c$

Note that you can verify if 0614 is indeed is the birthday of recent US president.

Deliverable of Project 3c: Here is your task: The last entry of the shadow file is that for the
account of another US president with jb as initials. Try to create related shadow5.txt and mask
file hcmask5 and run the hashcat command to crack its password.

Deliverable: Save the above session text as hcresult.txt. Submit it as your deliverable of
project3c.

Hint: http://ciast.uccs.edu/coursera/pub/proj3c/ans/
Very important!!
Stop your instance right away when you finish your exercise. You should consider terminate
it if you do not intend to crack passwords soon.

Here are my captured session on a t2.2xlarge instance with 32GB, 8 vcpu. It takes just
87sec, 55sec, and 350sec for cracking shadow1, shadow2, and shadow3 respectively. It is much
faster than that of t2.micro. The passwords have the pattern of #a followed by 101 and six
digits. Due to its longer processing, I change the project3c exercise to a simpler ?l?l?d?d?d?d
pattern and replace ?l?l with actual letters to speedup the processing.

cchow@MacBook-Pro privateKey % ssh -i cchow_cs691_NV_privatekey.pem

[email protected]
The authenticity of host '54.242.47.91 (54.242.47.91)' can't be established.
ED25519 key fingerprint is SHA256:wy2ThQjpIeBVMitkWGLHwFhkyrtDGOKSj2yzgsJ+7O8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '54.242.47.91' (ED25519) to the list of known hosts.
=============================================================================
__| __|_ )
_| ( / Deep Learning AMI GPU PyTorch 1.12.1 (Ubuntu 20.04)
___|\___|___|
=============================================================================

Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.15.0-1020-aws x86_64v)

* To activate pre-built pytorch environment, run: 'source activate pytorch'

* To activate base conda environment upon login, run: 'conda config --set auto_activate_base
true'
* NVIDIA driver version: 510.73.08
* CUDA version: 11.6

AWS Deep Learning AMI Homepage: https://aws.amazon.com/machine-learning/amis/

Release Notes: https://docs.aws.amazon.com/dlami/latest/devguide/appendix-ami-release-
notes.html
Support: https://forums.aws.amazon.com/forum.jspa?forumID=263
For a fully managed experience, check out Amazon SageMaker at
https://aws.amazon.com/sagemaker
Security scan reports for python packages are located at: /opt/aws/dlami/info/
=============================================================================

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
 System information as of Fri Sep 30 15:36:21 UTC 2022

System load: 1.15 Processes: 184

Usage of /: 53.9% of 43.55GB Users logged in: 0
Memory usage: 1% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for eth0: 172.30.1.184

0 updates can be applied immediately.

New release '22.04.1 LTS' available.

Run 'do-release-upgrade' to upgrade to it.

1 updates could not be installed automatically. For more details,

see /var/log/unattended-upgrades/unattended-upgrades.log

Last login: Fri Sep 30 14:39:39 2022 from 114.46.182.189

ubuntu@ip-172-30-1-184:~$ cd proj3c
ubuntu@ip-172-30-1-184:~/proj3c$ ls
10-million-password-list-top-100.txt shadow.txt shadow3
found1.txt shadow1 shadow3.txt
hcmask shadow2 top100passwd.txt
ubuntu@ip-172-30-1-184:~/proj3c$ hashcat --force -m 1800 -o found3.txt -a 3 shadow3.txt
hcmask
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 8192/30055 MB allocatable,
8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Uses-64-Bit

Minimum password length supported by kernel: 0

Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.

This enables cracking passwords and salts > length 32 but for the price of drastically reduced
performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.

Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D

LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -
D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D
DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
* Device #1: Kernel m01800-pure.0b6f6c9a.kernel not found in cache! Building may take a
while...
* Device #1: Kernel markov_le.681df291.kernel not found in cache! Building may take a while...
* Device #1: Kernel amp_a3.681df291.kernel not found in cache! Building may take a while...
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$9XO7r56HUdnP4BVM$XC47J/U9ZHyE4RL4l9P9Ps6zXZnZofr...0JCcv/
Time.Started.....: Fri Sep 30 15:37:54 2022 (11 secs)
Time.Estimated...: Fri Sep 30 15:44:06 2022 (6 mins, 1 sec)
Guess.Mask.......: #a101?d?d?d?d?d?d [11]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2687 H/s (9.03ms) @ Accel:128 Loops:128 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 28672/1000000 (2.87%)
Rejected.........: 0/28672 (0.00%)
Restore.Point....: 28672/1000000 (2.87%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:256-384
Candidates.#1....: #a101153878 -> #a101496423

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$9XO7r56HUdnP4BVM$XC47J/U9ZHyE4RL4l9P9Ps6zXZnZofr...0JCcv/
Time.Started.....: Fri Sep 30 15:37:54 2022 (5 mins, 50 secs)
Time.Estimated...: Fri Sep 30 15:43:44 2022 (0 secs)
Guess.Mask.......: #a101?d?d?d?d?d?d [11]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2754 H/s (9.00ms) @ Accel:128 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 962560/1000000 (96.26%)
Rejected.........: 0/962560 (0.00%)
Restore.Point....: 961536/1000000 (96.15%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: #a101514157 -> #a101793096

Started: Fri Sep 30 15:37:14 2022

Stopped: Fri Sep 30 15:43:44 2022
ubuntu@ip-172-30-1-184:~/proj3c$ hashcat --force -m 1800 -o found2.txt -a 3 shadow2.txt
hcmask
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 8192/30055 MB allocatable,
8MCU

Hash 'shadow2.txt': Separator unmatched

No hashes loaded.

Started: Fri Sep 30 15:47:19 2022

Stopped: Fri Sep 30 15:47:19 2022
ubuntu@ip-172-30-1-184:~/proj3c$ vi shadow2.txt
ubuntu@ip-172-30-1-184:~/proj3c$ ls
10-million-password-list-top-100.txt hcmask shadow2 top100passwd.txt
found1.txt shadow.txt shadow3
found3.txt shadow1 shadow3.txt
ubuntu@ip-172-30-1-184:~/proj3c$ cp shadow2 shadow2.txt
ubuntu@ip-172-30-1-184:~/proj3c$ vi shadow2.txt
ubuntu@ip-172-30-1-184:~/proj3c$ hashcat --force -m 1800 -o found2.txt -a 3 shadow2.txt
hcmask
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 8192/30055 MB allocatable,
8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Uses-64-Bit

Minimum password length supported by kernel: 0

Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.

This enables cracking passwords and salts > length 32 but for the price of drastically reduced
performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.

Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D

LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -
D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D
DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$mvGQ9ZN.JvN8XT5F$mJC8rN3Liu4BGzX3/oWFHOIpi/AcfXQ...Me0xa.
Time.Started.....: Fri Sep 30 15:48:29 2022 (55 secs)
Time.Estimated...: Fri Sep 30 15:49:24 2022 (0 secs)
Guess.Mask.......: #a101?d?d?d?d?d?d [11]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2745 H/s (9.04ms) @ Accel:128 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 149504/1000000 (14.95%)
Rejected.........: 0/149504 (0.00%)
Restore.Point....: 148480/1000000 (14.85%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: #a101933866 -> #a101005710

Started: Fri Sep 30 15:48:22 2022

Stopped: Fri Sep 30 15:49:24 2022
ubuntu@ip-172-30-1-184:~/proj3c$ ls
10-million-password-list-top-100.txt found3.txt shadow1 shadow3
found1.txt hcmask shadow2 shadow3.txt
found2.txt shadow.txt shadow2.txt top100passwd.txt
ubuntu@ip-172-30-1-184:~/proj3c$ cp shadow1 shadow1.txt
ubuntu@ip-172-30-1-184:~/proj3c$ vi shadow1.txt
ubuntu@ip-172-30-1-184:~/proj3c$ hashcat --force -m 1800 -o found1.txt -a 3 shadow1.txt
hcmask
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project

====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 8192/30055 MB allocatable,
8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Uses-64-Bit

Minimum password length supported by kernel: 0

Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.

This enables cracking passwords and salts > length 32 but for the price of drastically reduced
performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.

Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D

LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -
D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D
DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$bqFBwOpWR8foxB2L$3wM6Gsq0dRp970aCkAm0Es1KGDO1M7D...Fjdu20
Time.Started.....: Fri Sep 30 15:51:04 2022 (1 min, 27 secs)
Time.Estimated...: Fri Sep 30 15:52:31 2022 (0 secs)
Guess.Mask.......: #a101?d?d?d?d?d?d [11]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2753 H/s (9.01ms) @ Accel:128 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 237568/1000000 (23.76%)
Rejected.........: 0/237568 (0.00%)
Restore.Point....: 236544/1000000 (23.65%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: #a101336521 -> #a101862619

Started: Fri Sep 30 15:50:57 2022

Stopped: Fri Sep 30 15:52:32 2022
ubuntu@ip-172-30-1-184:~/proj3c$ cat found1.txt
$6$OujROnpDKP/ihSZu$KGP/shTokC4zV6RhX/TOd9/Wjtj14sVKicoM0RZIR.TWjq5mvHTZHeRka
mZjhxOSwTbajH2j6PSFUlomylMae0:666666
$6$QuSaXpt6luqddEbI$TLmjadOfpsdpkIQS.rdM6Z.2d3GTV7.GVYM8.97vVW/PNyC55PfEIh2v6N
BeicQZufT1CAFTPR6PSl3GwszHb0:access
$6$bqFBwOpWR8foxB2L$3wM6Gsq0dRp970aCkAm0Es1KGDO1M7DVNzuxM7vIQfNNG7OnOv8
jIw/z.aSbZyVBZeQk7KTaGAzkSMHiFjdu20:#a101957521
ubuntu@ip-172-30-1-184:~/proj3c$ cat found2.txt
$6$mvGQ9ZN.JvN8XT5F$mJC8rN3Liu4BGzX3/oWFHOIpi/AcfXQtaw.0EUGPXw.4PZog54yuhYh4s
ybXpMKH9sPd41QLYldXrlFmMe0xa.:#a101465920
ubuntu@ip-172-30-1-184:~/proj3c$ cat found3.txt
$6$9XO7r56HUdnP4BVM$XC47J/U9ZHyE4RL4l9P9Ps6zXZnZofraeukRZXmTCuXE2P8CUAOnbFjb
SYLAR7eReNTcOvDV45vgAzm70JCcv/:#a101754157
ubuntu@ip-172-30-1-184:~/proj3c$

for the t2.micro instance, it took 1 hour 19 min to reach 41.96 patterns.
Not complete!

Session..........: hashcat
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$9XO7r56HUdnP4BVM$XC47J/U9ZHyE4RL4l9P9Ps6zXZnZofr...0JCcv/
Time.Started.....: Fri Sep 30 15:03:20 2022 (1 hour, 19 mins)
Time.Estimated...: Fri Sep 30 18:12:37 2022 (1 hour, 49 mins)
Guess.Mask.......: #a101?d?d?d?d?d?d [11]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 88 H/s (98.00ms) @ Accel:256 Loops:64 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 419584/1000000 (41.96%)
Rejected.........: 0/419584 (0.00%)
Restore.Point....: 419584/1000000 (41.96%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1664-1728
Candidates.#1....: #a101370433 -> #a101704908

for the t3.large instance we get the following constant buffer size too small error!

ubuntu@ip-172-31-18-152:~/proj3c$ hashcat --force -m 1800 -o found3.txt -a 3 shadow3.txt

hcmask
hashcat (v5.1.0) starting...

* Device #1: This device's constant buffer size is too small.

* Device #1: This device's local mem size is too small.

No devices found/left.

The following are the hash modes supported by hashcat: 1800 is one of them.

- [ Hash modes ] -

# | Name | Category

======+==================================================+====================
==================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
1300 | SHA-224 | Raw Hash
1400 | SHA-256 | Raw Hash
10800 | SHA-384 | Raw Hash
1700 | SHA-512 | Raw Hash
5000 | SHA-3(Keccak) | Raw Hash
10100 | SipHash | Raw Hash
6000 | RipeMD160 | Raw Hash
6100 | Whirlpool | Raw Hash
6900 | GOST R 34.11-94 | Raw Hash
11700 | GOST R 34.11-2012 (Streebog) 256-bit | Raw Hash
11800 | GOST R 34.11-2012 (Streebog) 512-bit | Raw Hash
10 | md5($pass.$salt) | Raw Hash, Salted and / or Iterated
20 | md5($salt.$pass) | Raw Hash, Salted and / or Iterated
30 | md5(unicode($pass).$salt) | Raw Hash, Salted and / or Iterated
 40 | md5($salt.unicode($pass))
3800 | md5($salt.$pass.$salt)
3710 | md5($salt.md5($pass))
2600 | md5(md5($pass))
4300 | md5(strtoupper(md5($pass)))
4400 | md5(sha1($pass))
110 | sha1($pass.$salt)
120 | sha1($salt.$pass)
130 | sha1(unicode($pass).$salt)
140 | sha1($salt.unicode($pass))
4500 | sha1(sha1($pass))
4700 | sha1(md5($pass))
4900 | sha1($salt.$pass.$salt)
14400 | sha1(CX)
1410 | sha256($pass.$salt)
1420 | sha256($salt.$pass)
1430 | sha256(unicode($pass).$salt)
1440 | sha256($salt.unicode($pass))
1710 | sha512($pass.$salt)
1720 | sha512($salt.$pass)
1730 | sha512(unicode($pass).$salt)
1740 | sha512($salt.unicode($pass))
50 | HMAC-MD5 (key = $pass)
60 | HMAC-MD5 (key = $salt)
150 | HMAC-SHA1 (key = $pass)
160 | HMAC-SHA1 (key = $salt)
1450 | HMAC-SHA256 (key = $pass)
1460 | HMAC-SHA256 (key = $salt)
1750 | HMAC-SHA512 (key = $pass)
1760 | HMAC-SHA512 (key = $salt)
14000 | DES (PT = $salt, key = $pass)
14100 | 3DES (PT = $salt, key = $pass)
400 | phpass
8900 | scrypt
11900 | PBKDF2-HMAC-MD5
12000 | PBKDF2-HMAC-SHA1
10900 | PBKDF2-HMAC-SHA256
12100 | PBKDF2-HMAC-SHA512
23 | Skype
2500 | WPA/WPA2
4800 | iSCSI CHAP authentication, MD5(Chap)
5300 | IKE-PSK MD5
5400 | IKE-PSK SHA1
5500 | NetNTLMv1
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Salted and / or Iterated
| Raw Hash, Authenticated
| Raw Hash, Authenticated
| Raw Hash, Authenticated
| Raw Hash, Authenticated
| Raw Hash, Authenticated
| Raw Hash, Authenticated
| Raw Hash, Authenticated
| Raw Hash, Authenticated
| Raw Cipher, Known-Plaintext attack
| Raw Cipher, Known-Plaintext attack
| Generic KDF
| Generic KDF
| Generic KDF
| Generic KDF
| Generic KDF
| Generic KDF
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Network protocols
5500 | NetNTLMv1 + ESS
5600 | NetNTLMv2
7300 | IPMI2 RAKP HMAC-SHA1
7500 | Kerberos 5 AS-REQ Pre-Auth etype 23
8300 | DNSSEC (NSEC3)
10200 | Cram MD5
11100 | PostgreSQL CRAM (MD5)
11200 | MySQL CRAM (SHA1)
11400 | SIP digest authentication (MD5)
13100 | Kerberos 5 TGS-REP etype 23
121 | SMF (Simple Machines Forum)
400 | phpBB3
2611 | vBulletin < v3.8.5
2711 | vBulletin > v3.8.5
2811 | MyBB
2811 | IPB (Invison Power Board)
8400 | WBB3 (Woltlab Burning Board)
11 | Joomla < 2.5.18
400 | Joomla > 2.5.18
400 | Wordpress
2612 | PHPS
7900 | Drupal7
21 | osCommerce
21 | xt:Commerce
11000 | PrestaShop
124 | Django (SHA-1)
10000 | Django (PBKDF2-SHA256)
3711 | Mediawiki B type
7600 | Redmine
13900 | OpenCart
12 | PostgreSQL
131 | MSSQL(2000)
132 | MSSQL(2005)
1731 | MSSQL(2012)
1731 | MSSQL(2014)
200 | MySQL323
300 | MySQL4.1/MySQL5
3100 | Oracle H: Type (Oracle 7+)
112 | Oracle S: Type (Oracle 11+)
12300 | Oracle T: Type (Oracle 12+)
8000 | Sybase ASE
141 | EPiServer 6.x < v4
1441 | EPiServer 6.x > v4
1600 | Apache $apr1$
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Network protocols
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Forums, CMS, E-Commerce, Frameworks
| Database Server
| Database Server
| Database Server
| Database Server
| Database Server
| Database Server
| Database Server
| Database Server
| Database Server
| Database Server
| Database Server
| HTTP, SMTP, LDAP Server
| HTTP, SMTP, LDAP Server
| HTTP, SMTP, LDAP Server
 12600 | ColdFusion 10+ | HTTP, SMTP, LDAP Server
1421 | hMailServer | HTTP, SMTP, LDAP Server
101 | nsldap, SHA-1(Base64), Netscape LDAP SHA | HTTP, SMTP, LDAP Server
111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | HTTP, SMTP, LDAP Server
1711 | SSHA-512(Base64), LDAP {SSHA512} | HTTP, SMTP, LDAP Server
11500 | CRC32 | Checksums
3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems
1100 | Domain Cached Credentials (DCC), MS Cache | Operating-Systems
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2 | Operating-Systems
12800 | MS-AzureSync PBKDF2-HMAC-SHA256 | Operating-Systems
1500 | descrypt, DES(Unix), Traditional DES | Operating-Systems
12400 | BSDiCrypt, Extended DES | Operating-Systems
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
122 | OSX v10.4, OSX v10.5, OSX v10.6 | Operating-Systems
1722 | OSX v10.7 | Operating-Systems
7100 | OSX v10.8, OSX v10.9, OSX v10.10 | Operating-Systems
6300 | AIX {smd5} | Operating-Systems
6700 | AIX {ssha1} | Operating-Systems
6400 | AIX {ssha256} | Operating-Systems
6500 | AIX {ssha512} | Operating-Systems
2400 | Cisco-PIX | Operating-Systems
2410 | Cisco-ASA | Operating-Systems
500 | Cisco-IOS $1$ | Operating-Systems
5700 | Cisco-IOS $4$ | Operating-Systems
9200 | Cisco-IOS $8$ | Operating-Systems
9300 | Cisco-IOS $9$ | Operating-Systems
22 | Juniper Netscreen/SSG (ScreenOS) | Operating-Systems
501 | Juniper IVE | Operating-Systems
5800 | Android PIN | Operating-Systems
13800 | Windows 8+ phone PIN/Password | Operating-Systems
8100 | Citrix Netscaler | Operating-Systems
8500 | RACF | Operating-Systems
7200 | GRUB 2 | Operating-Systems
9900 | Radmin2 | Operating-Systems
125 | ArubaOS | Operating-Systems
7700 | SAP CODVN B (BCODE) | Enterprise Application Software (EAS)
7800 | SAP CODVN F/G (PASSCODE) | Enterprise Application Software (EAS)
10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1 | Enterprise Application Software
(EAS)
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)
8700 | Lotus Notes/Domino 6 | Enterprise Application Software (EAS)
9100 | Lotus Notes/Domino 8 | Enterprise Application Software (EAS)
133 | PeopleSoft | Enterprise Application Software (EAS)
13500 | PeopleSoft Token | Enterprise Application Software (EAS)
11600 | 7-Zip | Archives
12500 | RAR3-hp | Archives
13000 | RAR5 | Archives
13200 | AxCrypt | Archives
13300 | AxCrypt in memory SHA1 | Archives
13600 | WinZip | Archives
62XY | TrueCrypt | Full-Disk encryptions (FDE)
X | 1 = PBKDF2-HMAC-RipeMD160 | Full-Disk encryptions (FDE)
X | 2 = PBKDF2-HMAC-SHA512 | Full-Disk encryptions (FDE)
X | 3 = PBKDF2-HMAC-Whirlpool | Full-Disk encryptions (FDE)
X | 4 = PBKDF2-HMAC-RipeMD160 + boot-mode | Full-Disk encryptions (FDE)
Y | 1 = XTS 512 bit pure AES | Full-Disk encryptions (FDE)
Y | 1 = XTS 512 bit pure Serpent | Full-Disk encryptions (FDE)
Y | 1 = XTS 512 bit pure Twofish | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit pure AES | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit pure Serpent | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit pure Twofish | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit cascaded AES-Twofish | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit cascaded Serpent-AES | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit cascaded Twofish-Serpent | Full-Disk encryptions (FDE)
Y | 3 = XTS 1536 bit all | Full-Disk encryptions (FDE)
8800 | Android FDE < v4.3 | Full-Disk encryptions (FDE)
12900 | Android FDE (Samsung DEK) | Full-Disk encryptions (FDE)
12200 | eCryptfs | Full-Disk encryptions (FDE)
137XY | VeraCrypt | Full-Disk encryptions (FDE)
X | 1 = PBKDF2-HMAC-RipeMD160 | Full-Disk encryptions (FDE)
X | 2 = PBKDF2-HMAC-SHA512 | Full-Disk encryptions (FDE)
X | 3 = PBKDF2-HMAC-Whirlpool | Full-Disk encryptions (FDE)
X | 4 = PBKDF2-HMAC-RipeMD160 + boot-mode | Full-Disk encryptions (FDE)
X | 5 = PBKDF2-HMAC-SHA256 | Full-Disk encryptions (FDE)
X | 6 = PBKDF2-HMAC-SHA256 + boot-mode | Full-Disk encryptions (FDE)
Y | 1 = XTS 512 bit pure AES | Full-Disk encryptions (FDE)
Y | 1 = XTS 512 bit pure Serpent | Full-Disk encryptions (FDE)
Y | 1 = XTS 512 bit pure Twofish | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit pure AES | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit pure Serpent | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit pure Twofish | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit cascaded AES-Twofish | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit cascaded Serpent-AES | Full-Disk encryptions (FDE)
Y | 2 = XTS 1024 bit cascaded Twofish-Serpent | Full-Disk encryptions (FDE)
 Y | 3 = XTS 1536 bit all | Full-Disk encryptions (FDE)
9700 | MS Office <= 2003 $0|$1, MD5 + RC4 | Documents
9710 | MS Office <= 2003 $0|$1, MD5 + RC4, collider #1 | Documents
9720 | MS Office <= 2003 $0|$1, MD5 + RC4, collider #2 | Documents
9800 | MS Office <= 2003 $3|$4, SHA1 + RC4 | Documents
9810 | MS Office <= 2003 $3|$4, SHA1 + RC4, collider #1 | Documents
9820 | MS Office <= 2003 $3|$4, SHA1 + RC4, collider #2 | Documents
9400 | MS Office 2007 | Documents
9500 | MS Office 2010 | Documents
9600 | MS Office 2013 | Documents
10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) | Documents
10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 | Documents
10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 | Documents
10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) | Documents
10600 | PDF 1.7 Level 3 (Acrobat 9) | Documents
10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Documents
9000 | Password Safe v2 | Password Managers
5200 | Password Safe v3 | Password Managers
6800 | Lastpass + Lastpass sniffed | Password Managers
6600 | 1Password, agilekeychain | Password Managers
8200 | 1Password, cloudkeychain | Password Managers
11300 | Bitcoin/Litecoin wallet.dat | Password Managers
12700 | Blockchain, My Wallet | Password Managers
13400 | Keepass 1 (AES/Twofish) and Keepass 2 (AES) | Password Managers
99999 | Plaintext | Plaintext