
To polish my penetration testing skills I want to attempt to crack NTLM/NTLMv2 hashes (via dictionary/wordlist attack) extracted from Active Directory / SAM database, where the underlying passwords consist of 14+ characters, and have a few questions regarding this:

  • What tools would be the most effective and cost/time-efficient for such a job? Googling seems to point at hashcat or John the Ripper.
  • What would be the recommended computer specs for a workstation for such a task?
  • Regarding the computer specs it seems like most of the tools either rely on GPU or CPU. Is there anything else I should consider?
  • Any other aspects I should be aware of?

Thank you in advance!

Dino
Comments:

  • https://sagitta.pw/hardware/ – atdre May 08 '18 at 17:00
  • The tool you use will inform you of the specs that you need and what you should consider - which leaves you with choosing a tool, and that falls under the "product recommendation" rule for off-topic questions. – schroeder May 08 '18 at 19:19

1 Answer


Your question is very broad, so honestly all I can do is give some very broad advice. You need to provide more information to get a more precise answer. In particular, try to ask yourself:

  1. What is your budget, both monetary and power-wise?

  2. How fast do you need these hashes cracked?

  3. How many hashes do you have that you will try to crack?

  4. What kind of people are creating the passwords? What language do they speak?

Without knowing this, only a very vague, broad answer can be given.


What tools would be the most effective and cost/time-efficient for such a job? Googling seems to point at hashcat or John the Ripper.

Those are two of the most efficient hash crackers. Hashcat in particular supports extremely efficient GPU-based hash cracking using OpenCL and hand-optimized shader kernels.

What would be the recommended computer specs for a workstation for such a task?

This entirely depends on how fast you want to achieve success. A fast GPU (or better yet, multiple GPUs) would be a must if you want ideal performance. Historically, AMD GPUs tend to be better for this than Nvidia GPUs. AMD often has simpler and more limited cores, but a huge number of them. Nvidia has fewer cores, but they are more sophisticated. Since all you need to do is process NTLM hashes, a fast GPU with a large number of simple cores is ideal. The faster the better.

This question lacks information. Depending on your exact situation, you could use anything from a single slightly-overclocked i7 processor and a popular wordlist to a tower of fast servers with 16 high-end GPUs each and a very large and heavily-customized wordlist. Or 50 acres of Cray supercomputers and a private power plant. What is your budget? Etc.

Regarding the computer specs it seems like most of the tools either rely on GPU or CPU. Is there anything else I should consider?

If you wish, you can buy an ASIC which is designed specifically for processing hashes. You will likely need to use a custom program for this, but a high-quality ASIC can be extremely efficient for a single task. Most likely however, for NTLM, all you will need is a good GPU (or several).

Any other aspects I should be aware of?

You can greatly improve efficiency by using better dictionaries, better hybrid rules (Hashcat supports a number of good rulesets), etc. Raw hash-rate is only one part of the equation.

Although you can use a rainbow table, the best rainbow tables for brute forcing NTLM hashes go up to around 10 characters. Since you said all the passwords were longer than 14 characters, this may not be useful for your use-case. A (hybrid) dictionary attack may be all you can do.
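The two points above (raw hash rate is only part of the picture, and rainbow tables stop being practical well before 14 characters) come down to arithmetic on candidate counts. The following Python is an added worked estimate, not code from the question, the answer, or hashcat; the 100 GH/s figure, the wordlist size and the rule count are constructed placeholders, and the rainbow-table model is the idealized textbook one (keyspace divided by chain length, ignoring chain merges and imperfect coverage), so it gives orders of magnitude, not benchmarks.

```python
"""Order-of-magnitude estimates for exhaustive, rainbow-table and
hybrid-dictionary approaches against an unsalted hash such as NTLM.

Added example; all numeric parameters are constructed placeholders.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed placeholder: substitute the rate your own rig benchmarks.
ASSUMED_RATE_PER_SECOND = 100e9  # 100 GH/s, hypothetical

CHARSETS = {
    "digits": 10,
    "lower": 26,
    "lower+upper+digits": 62,
    "printable_ascii": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Candidates for an exhaustive search of exactly `length` characters."""
    return charset_size ** length


def brute_force_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst-case wall-clock time to exhaust the keyspace at `rate` hashes/s.

    NTLM is unsalted, so every candidate is hashed once no matter how many
    target hashes you hold; the cost is driven by keyspace size alone.
    """
    return keyspace(charset_size, length) / rate


def dictionary_seconds(wordlist_size: int, rule_count: int, rate: float) -> float:
    """A hybrid attack tests roughly wordlist_size * rule_count candidates.

    This is why the answer stresses wordlists and rules: the candidate set is
    tiny next to any 14-character keyspace, so even a modest rig exhausts it.
    """
    return wordlist_size * rule_count / rate


def rainbow_storage_bytes(total_keyspace: int, chain_length: int,
                          bytes_per_chain: int = 16) -> float:
    """Idealized table size: one stored (start, end) pair per chain.

    Longer chains shrink the table but make each lookup cost about
    chain_length**2 / 2 hash operations, so the trade-off is bounded.
    """
    return total_keyspace / chain_length * bytes_per_chain


def rainbow_lookup_hashes(chain_length: int) -> int:
    """Approximate hash evaluations needed to look up one hash in a table."""
    return chain_length ** 2 // 2


def human_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def summary(rate: float = ASSUMED_RATE_PER_SECOND) -> dict:
    """Collect the comparisons a defender would show when arguing for length."""
    cs = CHARSETS["lower+upper+digits"]
    return {
        "brute_10char_years": human_years(brute_force_seconds(cs, 10, rate)),
        "brute_14char_years": human_years(brute_force_seconds(cs, 14, rate)),
        # Constructed: 14 million words x 64 mangling rules.
        "hybrid_dict_seconds": dictionary_seconds(14_000_000, 64, rate),
        "rainbow_10char_terabytes": rainbow_storage_bytes(
            keyspace(cs, 10), chain_length=20_000) / 1e12,
        "rainbow_14char_terabytes": rainbow_storage_bytes(
            keyspace(cs, 14), chain_length=20_000) / 1e12,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>28}: {value:,.3g}")
```

Reading the output: at the assumed rate an all-alphanumeric 10-character space falls in under a year and a 14-character one takes millions of years, while a 14-million-word list with 64 rules is exhausted in milliseconds. The rainbow column shows the same cliff from the storage side: the 14-character table is about 62^4 (roughly 15 million) times larger than the 10-character one, which is the practical reason published NTLM tables stop around 10 characters and why, for 14+ character passwords, only dictionary-derived guessing remains viable.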

forest