# Password Brute Force

* <https://weakpass.com/>
* <https://habr.com/ru/company/deiteriylab/blog/584160/>

## hashcat

```
$ hashcat --example-hashes | grep -B1 -i md5
$ hashcat -m 500 hashes/file.hash /usr/share/wordlists/rockyou.txt --username
$ hashcat -m 500 hashes/file.hash --username --show
```

Benchmarks:

```
$ nvidia-smi.exe

 # MD5
$ hashcat -m 0 -b
 # NTLM
$ hashcat -m 1000 -b
```

| Hashrate unit | Hashrate                      | Hashes per second |
| ------------- | ----------------------------- | ----------------- |
| 1kH/s         | 1000                          | One thousand      |
| 1MH/s         | 1000000                       | One million       |
| 1GH/s         | 1000000000                    | One billion       |
| 1TH/s         | 1.000.000.000.000             | One trillion      |
| 1PH/s         | 1.000.000.000.000.000         | One quadrillion   |
| 1EH/s         | 1.000.000.000.000.000.000     | One quintillion   |
| 1ZH/s         | 1.000.000.000.000.000.000.000 | One sextillion    |

### TGS-REP with NTLM Wordlist

* <https://github.com/hashcat/hashcat/pull/2607#issuecomment-850653034>

Remove the following lines from `m13100_a0-optimized.cl` and compile:

```
  // K=MD4(Little_indian(UNICODE(pwd))

  append_0x80_2x4 (w0_t, w1_t, pw_len);

  make_utf16le (w1_t, w2_t, w3_t);
  make_utf16le (w0_t, w0_t, w1_t);

  w3_t[2] = pw_len * 8 * 2;
  w3_t[3] = 0;

  digest[0] = MD4M_A;
  digest[1] = MD4M_B;
  digest[2] = MD4M_C;
  digest[3] = MD4M_D;

  md4_transform (w0_t, w1_t, w2_t, w3_t, digest);

  // K1=MD5_HMAC(K,1); with 2 encoded as little indian on 4 bytes (02000000 in hexa);

  w0_t[0] = digest[0];
  w0_t[1] = digest[1];
  w0_t[2] = digest[2];
  w0_t[3] = digest[3];
  w1_t[0] = 0;
  w1_t[1] = 0;
  w1_t[2] = 0;
  w1_t[3] = 0;
  w2_t[0] = 0;
  w2_t[1] = 0;
  w2_t[2] = 0;
  w2_t[3] = 0;
  w3_t[0] = 0;
  w3_t[1] = 0;
  w3_t[2] = 0;
  w3_t[3] = 0;
```

To crack:

```
$ hashcat -m 13100 -O tgsrep.in ntlm.wordlist --self-test-disable --hex-wordlist
```
