Skip to content

Cracking MD5 hashes (or passwords) ultra-fast with GPU acceleration

by mat on June 24th, 2010

Do you want to crack MD5 hashes in at a rate of ~300MHash/s without a massive rainbow table? Do you have a CUDA enabled GFX card? If you said yes or maybe to these questions then read on for a brief introduction on how to compile and run a CUDA accelerated MD5 cracker (coded by Benjamin “Titan” Vernoux ).

Pre-Requisites and Downloading

Building in Ubuntu 10.04

Extract the archive and do a make on the source code. When doing this I came across two problems that can be fixed by modifying the common.mk file.

Problem 1: (cannot be declared weak)

$ make
/usr/include/string.h:43: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/usr/include/string.h:64: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/usr/include/bits/string3.h:49: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/usr/include/bits/string3.h:78: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/common_functions.h:59: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/common_functions.h:62: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:422: error: inline function ‘int __signbit(double)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:427: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:440: error: inline function ‘int __signbitl(long double)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbit(double)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbitl(long double)’ cannot be declared weak
/usr/include/bits/mathinline.h:36: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/usr/include/bits/mathinline.h:42: error: inline function ‘int __signbit(double)’ cannot be declared weak
/usr/include/bits/mathinline.h:48: error: inline function ‘int __signbitl(long double)’ cannot be declared weak

Solution 1

# Debug/release configuration
ifeq ($(dbg),1)
COMMONFLAGS += -g
NVCCFLAGS += -D_DEBUG
BINSUBDIR := debug
LIBSUFFIX := D
else
##############Change the following line to have -O0 instead of -O2
COMMONFLAGS += -O0
BINSUBDIR := release
LIBSUFFIX :=
NVCCFLAGS += –compiler-options -fno-strict-aliasing
CXXFLAGS += -fno-strict-aliasing
CFLAGS += -fno-strict-aliasing
endif

Problem 2: (lcudart)

$ make
/usr/bin/ld: skipping incompatible /opt/cuda/lib/libcudart.so when searching for -lcudart
/usr/bin/ld: skipping incompatible /opt/cuda/lib/libcudart.so when searching for -lcudart
/usr/bin/ld: cannot find -lcudart
collect2: ld returned 1 exit status
make: *** [bin/linux/release/gpu_md5_crack_0.2.3] Error 1

Solution 2

############## Change lib to lib64 if using a 64 bit operating system
LIB := -L$(CUDA_INSTALL_PATH)/lib64 -L$(LIBDIR) -L$(COMMONDIR)/lib64/$(OSLOWER) -L$(NVIDIA_SDK_PATH)/lib

Remember that you should “make clean” in-between each attempt to compile.

Benchmarking

Once it has compiled nicely you can give it a testdrive with its build in benchmark (with an NVIDIA 260 GFX card). Just run with the -b option:

./gpu_md5_crack_0.2.3 -b
GPU_MD5_Crack v0.2.3 09 July 2009 LGPL for BackTrack 4.
Copyright (C) 2009 TitanMKD (titanmkd@gmail.com).

Benchmark Start
Using default CUDA GPU device:0
Cuda device ID:0, Device name:GeForce GTX 260, supporting CUDA:1.3,
multiProcessorCount:27, clockRate:1466.00 MHz, TotalMem:895.31 MB
******* Test 0 Start *******
Expected Password: 1234567890
MD5 Hash:e807f1fcf82d132f9bb018ca6738a19f, Start Password:1200000000, Total pwd to check:1000000000
Charset used 0:0123456789
MD5 brute force started

MD5 Cracked pwd=1234567890 hash=e807f1fcf82d132f9bb018ca6738a19f
Instant 200.02 Mhash/s(40.00 ms)
Average 190.49 Mhash/s, Total Time:0.21s(210.00 ms)
MD5 brute force finished
******* Test 0 End *******

******* Test 1 Start *******
Expected Password: azerty
MD5 Hash:ab4f63f9ac65152575886860dde480a1, Start Password:, Total pwd to check:1000000000
Charset used 1:abcdefghijklmnopqrstuvwxyz
MD5 brute force started

MD5 Cracked pwd=azerty hash=ab4f63f9ac65152575886860dde480a1
Instant 200.02 Mhash/s(40.00 ms)
Average 240.02 Mhash/s, Total Time:0.10s(100.00 ms)
MD5 brute force finished
******* Test 1 End *******

******* Test 2 Start *******
Expected Password: azer09
MD5 Hash:41b9cabe6033932eb3037fc933060adc, Start Password:, Total pwd to check:1000000000
Charset used 2:abcdefghijklmnopqrstuvwxyz0123456789
MD5 brute force started
Progress 5%, Pwd:6lmea, Instant 280.02 Mhash/s(28.57 ms)
MD5 Cracked pwd=azer09 hash=41b9cabe6033932eb3037fc933060adc
Instant 266.69 Mhash/s(30.00 ms)
Average 287.20 Mhash/s, Total Time:0.39s(390.00 ms)
MD5 brute force finished
******* Test 2 End *******

******* Test 3 Start *******
Expected Password: AZBVSD
MD5 Hash:fd049008572788d60140aaead79336cc, Start Password:, Total pwd to check:1000000000
Charset used 3:ABCDEFGHIJKLMNOPQRSTUVWXYZ
MD5 brute force started

MD5 Cracked pwd=AZBVSD hash=fd049008572788d60140aaead79336cc
Instant 266.69 Mhash/s(30.00 ms)
Average 240.02 Mhash/s, Total Time:0.10s(100.00 ms)
MD5 brute force finished
******* Test 3 End *******

******* Test 4 Start *******
Expected Password: AZ09AA
MD5 Hash:7a552dd9cdd49acc5320bad9c29c9722, Start Password:, Total pwd to check:1000000000
Charset used 4:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
MD5 brute force started
Progress 5%, Pwd:6LMEA, Instant 266.69 Mhash/s(30.00 ms)
MD5 Cracked pwd=AZ09AA hash=7a552dd9cdd49acc5320bad9c29c9722
Instant 266.69 Mhash/s(30.00 ms)
Average 280.02 Mhash/s, Total Time:0.40s(400.00 ms)
MD5 brute force finished
******* Test 4 End *******

******* Test 5 Start *******
Expected Password: zaZAab
MD5 Hash:aef49f70bb7b923b8bc0a018f916ef64, Start Password:zCAAAA, Total pwd to check:1000000000
Charset used 5:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
MD5 brute force started
Progress 17%, Pwd:zaDpoA, Instant 280.02 Mhash/s(28.57 ms)
MD5 Cracked pwd=zaZAab hash=aef49f70bb7b923b8bc0a018f916ef64
Instant 266.69 Mhash/s(30.00 ms)
Average 283.10 Mhash/s, Total Time:0.65s(650.00 ms)
MD5 brute force finished
******* Test 5 End *******

******* Test 6 Start *******
Expected Password: za0ZA9
MD5 Hash:062cc3b1302759722f48ac0b95b75803, Start Password:zaAAAA, Total pwd to check:1000000000
Charset used 6:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
MD5 brute force started

MD5 Cracked pwd=za0ZA9 hash=062cc3b1302759722f48ac0b95b75803
Instant 266.69 Mhash/s(30.00 ms)
Average 266.69 Mhash/s, Total Time:0.06s(60.00 ms)
MD5 brute force finished
******* Test 6 End *******

******* Test 7 Start *******
Expected Password: a^-*|
MD5 Hash:cf7dcf4c3eeb6255668393242fcce273, Start Password:a0000, Total pwd to check:1000000000
Charset used 7: !”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
MD5 brute force started

MD5 Cracked pwd=a^-*| hash=cf7dcf4c3eeb6255668393242fcce273
Instant 266.69 Mhash/s(30.00 ms)
Average 266.69 Mhash/s, Total Time:0.15s(150.00 ms)
MD5 brute force finished
******* Test 7 End *******

Benchmark End

So from the benchmark you can see that we are getting between 200 and 300 Mhash/s, that is about 250,000,000 hash attempts per second! AMAZING!!!

Number of combinations for different alphabets

Length 0-9 a-z a-z0-9 a-zA-Z a-zA-Z0-9
1 10 26 36 52 62
2 100 676 1,296 2,704 3,844
3 1,000 17,576 46,656 140,608 238,328
4 10,000 456,976 1,679,616 7,311,616 14,776,336
5 100,000 11,881,376 60,466,176 380,204,032 916,132,832
6 1,000,000 308,915,776 2,176,782,336 19,770,609,664 56,800,235,584
7 10,000,000 8,031,810,176 78,364,164,096 1,028,071,702,528 3,521,614,606,208
8 100,000,000 208,827,064,576 2,821,109,907,456 53,459,728,531,456 218,340,105,584,896
9 1,000,000,000 5,429,503,678,976 101,559,956,668,416 2,779,905,883,635,710 13,537,086,546,263,600
10 10,000,000,000 141,167,095,653,376 3,656,158,440,062,980 144,555,105,949,057,000 839,299,365,868,340,000

Estimated time (in seconds) to crack (at 250MHash/s)

Length 0-9 a-z a-z0-9 a-zA-Z a-zA-Z0-9
1 0.00 0.00 0.00 0.00 0.00
2 0.00 0.00 0.00 0.00 0.00
3 0.00 0.00 0.00 0.00 0.00
4 0.00 0.00 0.00 0.01 0.03
5 0.00 0.02 0.12 0.76 1.83
6 0.00 0.62 4.35 39.54 113.60
7 0.02 16.06 156.73 2,056.14 7,043.23
8 0.20 417.65 5,642.22 106,919.46 436,680.21
9 2.00 10,859.01 203,119.91 5,559,811.77 27,074,173.09
10 20.00 282,334.19 7,312,316.88 289,110,211.90 1,678,598,731.74

Full calculations avaliable here: MD5 hash cracking time using GPU accelerated brute forcing

What now?
Well you can crack MD5’s at an extremely accelerated rate, so enjoy doing so responsibly (let your morals guide you :P). You could also explore the source code and make additions as you see fit, I am planning on modifying it to allow an extra parameter so that prefixes can be added if you already know how the password starts. This can be the case when someone has prefixed the password with a known salt.

One Comment
  1. hey whoever you are,
    please tell me how to translate salted md5 hash to the real md5 code
    i’m very curious to try it, please help.

Leave a Reply

Note: I am currently writing my thesis so probably wont have time to reply to your comment
Note: XHTML is allowed. Your email address will never be published.

Subscribe to this comment feed via RSS