Copyright (C) 2009-2010 Ivan Golubev, http://golubev.com
Read notes about v0.90 at my blog first if you're curious why ATI version is so limited now.
This software using ATI RV 7X0/8X0 and nVidia "CUDA" video cards to brute-force MD4, MD5 & SHA1 hashes. Speed depends on GPU,
~3650M/s single MD5
~1360M/s single SHA1
~1075M/s single MD5
~350M/s single SHA1
~570M single MD5
~175M single SHA1
As ighashgpu supports salted hashes it's possible to use it for:
- Plain MD4, MD5, SHA1.
- Domain Cached Credentials
- Oracle 11g
- Invision Power Board
- and more ...
Only supported ATI cards are: HD RV7X0 and RV830/870. Which means -- 4550, 4670, 4830, 4730, 4770, 4850, 4870, 4890, 5750, 5770, 5850, 5870, 5970.
Catalyst 9.9+ must be installed. Catalyst 10.2/10.3 recommended.
Catalysts 10.4-10.6 and 5970 are incompatible.
Catalyst 10.7 not heavily tested but looks like working.
Only supported nVidia cards are: the ones with CUDA support, i.e. G80+.
Systems with multiple GPUs supported.
No major updates are planned till 2011. Specifically there won't be any ($salt.$pass) schemes implemented in nearest future.
It is console application, so should be run from command line.
ighashgpu.exe [switch:param] [hashfile.txt]
hashfile.txt only used with unsalted MD5 and NTLM hashes. This file must contains plain MD4/MD5 hashes (32 HEX digits) in form username:hash or simply hash at each line. For example:
aaaa:74b87337454200d4d33f80c4663dc5e5 aaab:4c189b020ceb022e0ecc42482802e2b8 aaac:3963a2ba65ac8eb1c6e2140460031925 aaad:aa836f154f3bf01eed8df286a1fbb388
-c:csdepa Charset definition (caps, smalls (default), digits, special, space, all)
-u:[chars] User-defined characters
-uh:[HEX] User-defined characters in HEX (2 chars each)
-uhh:[HEX] User-defined characters in Unicode HEX (4 chars each)
-uf:[filename] Load characters from file. Not used with Unicode.
By default charset processed as ANSI one. (i.e. WideCharToMultiByte(CP_ACP, ...)) You can change this with:
-unicode Use unicode
-oem Use oem encoding
-codepage:[page] Convert charset to specific codepage (need to have it at system of course)
-sf:[password] Password to start attack from
-m:[mask] Password mask
-ms:[symbol] Mask symbol
-salt:[hex] Append salt after password
-asalt:[string] Append salt in ascii after password
-usalt:[string] Append salt in unicode after password
-ulsalt:[string] Same as above but unicode string firstly transformed to lower case
-min:[value] Minimum length (default == 4), must be >= 4
-max:[value] Maximum length (default == 6), must be <= 31 (not counting salt length)
-h:[hash] Hash to attack (16 or 20 bytes in HEX)
-t:[type] Type of hash to attack
- md4 (Single byte/Unicode)
- sha1 (Single byte/Unicode)
- md5x2 md5(md5($pass).ascii) No idea how to call it, some forum's type
- md5x2s md5(md5($pass).$salt) Same as above except salt added after first md5
(without salt md5x2 and md5x2s are the same).
Can be used for vBulletin hashes especially with asalt switch
- mysql5 sha1(sha1($password))
- ipb md5(md5($salt).$md5($pass))
- dcc md4(md4($password).lowercase($username))
-devicemask:[N] Bit mask for GPUs usage, bit 0 == first GPU (default 0xFF, i.e. all GPUs).
Special parameters (like " or /) can be passed by using single or double quotes:
-cpudontcare From v0.60 ighashgpu trying to use cpu as low as possible, however it can cause reduced GPU performance. This switch tells ighashgpu that we want maximum from GPU and so don't care about CPU usage at all (and it means one CPU core at 100% per one GPU).
-hm:[N] Set threshold temperature for hardware monitoring, default is 90C. You can disable monitoring by setting this value to zero.
-blocksize:[N] Set block size, by default N = 23 which means 2^23 = 8388608 passwords offloaded to GPU in a single batch. As GPU job cannot be interrupted the video system will freeze until all passwords processed. So, for example, with rate of 980M and block size = 23 it means that screen updates will freeze for about 8-9ms which is generally normal. While if speed is only around 100M it'll takes ~83ms and so screen cannot be updated more than 12 times per second and thus you'll notice video lags. If you want smooth video response you can lower block size (values 16..23 are supported) but of course it'll reduce performance of the program as well.
Most special switch is:
-fun which in fact is +fun! It's really important to have fun even if it costs two additional lines.
Brute-force attack examples
ighashgpu.exe -h:239361613fe5281d8efb90e7f8e0ceb0 -t:md5 -c:sd -m:????assw???1234 ighashgpu.exe /h:a2b7caddbc353bd7d7ace2067b8c4e34db2097a3 /t:sha1 /max:6 ighashgpu.exe /h:cbe1d6d5800ec1e03a5f2a64882a0d41 /t:md5 /c:sd /max:7 ighashgpu.exe /c:d /max:10 /h:e807f1fcf82d132f9bb018ca6738a19f /t:md5 ighashgpu.exe -h:47c8fb7775aec7a11e1d141bc26a5a33726e5d6e -t:mysql5 -c:sd -max:6
MSSQL can be processed as:
ighashgpu.exe -h:a72befac3e58eb24d559d9fe0045cfdf090782e2 -t:sha1 -unicode -max:6 -salt:e16bed51
ighashgpu.exe -h:9D4518F84296B9CE26D02F229870D2D4 -t:md4 -c:a -unicode ighashgpu.exe /h:252bb1fe4ecb040ebc8c78d2a1b89218 /t:md4 /c:sd /m:????00pa?? /unicode
ighashgpu.exe -h:a4e5e1fd2cb7ae7d2961470ce50b966c -t:md5x2s -asalt:_~Y /max:7
ighashgpu.exe /t:md5 /c:csd /max:6 test.md5 ighashgpu.exe /t:md4 /c:a /max:6 /unicode test.txt
ighashgpu.exe -c:sd -salt:01234567890123456789 -h:bedfe061a33474a9d403c809dd93a8cc79b46f74 -t:sha1 ighashgpu.exe -c:a -salt:02B03D5D74B6841CEA2E -h:D39F4CC16573323279E5E4E16D359D6C55DCC092 -t:sha1
ighashgpu.exe /t:ipb /h:a8b35664407b264c6de709705f0b1dd4 /asalt:"]#/R_" /c:s
Domain Cached Credentials, note the -ulsalt switch usage, not just -usalt.
ighashgpu.exe -t:dcc -ulsalt:DelPotro -h:89af0c6c397bc879d7206ea8a41a11bb -c:sc
- Passwords (plus optional salt) must be >= 4 && <= 31 symbols.
- First 4 symbols cannot be masked.
- Probably some more limitations I've forgotten to mention.
- When running on 4870x2 it's possible that only first GPU core will go full speed while second core will stay in 2D mode, so speed looks like 1145+775 = 1920M instead of expected ~2300M for single MD5. Second core can be forced to run in full speed by executing some 3D application in background.
- Commercial version of this program.
- Multi-Hash support for other hash types.
- More algos support.
- CPU support including multicores.
- Distributed version.
This software includes parts of LZMA SDK written by Igor Pavlov.
Thanks to Dalibor from hashcat forums for MD5's 3rd round optimization idea.
Comments are welcome.
ighashgpu (?) golubev.com