GPU Cracking: Putting It All Together

In the first blog of this series, we showed you how to set up the hardware for your own GPU cracking box.

In the second blog of this series, we showed you how to set up the OS, drivers, and software for your own GPU cracking box.

In this blog, we will simply go over common ways to get hashes along with methods and strategies for cracking the hashes. We will touch on most of these topics at a high level, and add links to help you get more information on each topic. Again, this is a pretty basic intro, but hopefully it will serve as a starter’s guide for those looking into password cracking.

Common Ways to Get Hashes

We could write an entire post on ways to capture these, but we will just touch on some high level common methods for getting the hashes.


One of the most common hashes that we crack are Windows LANMAN and/or NTLM hashes.

For systems where you have file read rights on the SYSTEM and SAM files (local admin rights, web directory traversal, etc.), you will want to copy them off of the host for hash extraction.

Windows XP/Vista/Server 2003 Paths:

  • C:WindowsSystem32configSAM
  • C:WindowsSystem32configSYSTEM

Windows 7 and Server 2008

  • C:WindowsSystem32configRegBackSAM
  • C:WindowsSystem32configRegBackSYSTEM

Once you have these files, there are a number of tools that you can use to extract the hashes. Personally, I just import the files into Cain and export the hashes.

If you have a meterpreter session on the system and “nt-authoritysystem” rights on the host, you can easily run the smart_hashdump module to dump out the local password hashes.

Dumping hashes on a Server 2008 domain controller can be a little trickier. Pauldotcom has a great writeup on the process.

Additionally, you can get password hashes from the network with tools like responder and the smb_capture module in Metasploit. These can be captured in both LM and NTLM formats. The LM format can be cracked with a combination of rainbow tables and cracking. I’ve also automated that process with a script. The cracking of network NTLM hashes is now supported by OCLHashcat. Previously, Cain was the only tool (that I knew of) that could crack them, and Cain was doing CPU cracking, not GPU cracking.

Linux Hashes

Dumping hashes from Linux systems can be fairly straightforward for most systems. If you have root access on the host, you can use the unshadow tool to get the hashes out into a john compatible format. Often times you will have arbitrary file read access, where you will want to get the /etc/shadow and /etc/passwd files for offline cracking of the hashes.

Web App Hashes

Many web applications store their password hashes in their databases. So those hashes may end up getting compromised from SQL injection or other attacks. Web content management systems (wordpress, drupal, etc.), more specifically their plugins, are also common targets for SQL injection and other attacks that expose password hashes. These hashes can vary in format (MD5, SHA1, etc.) but most that I have seen are typically unsalted, making them easier to crack. While some web application hashes are salted, you may get lucky and find the salts in the database with the hashes. It’s not as common, but you may get lucky.

Cracking the Hashes

At this point we’re going to assume that you have taken the time to set up your hardware and software for cracking. If you want some tips, check out the links at the top of this post.

For some of your cracking needs, you will want to start with a simple dictionary attack. This will quickly catch any of the simple or commonly used passwords in your hashes. Given a robust dictionary, a good rule set, and a solid cracking box, it can be pretty easy to crack a lot of passwords with little effort.

Here’s some basic dictionaries to get you started:

  • Skull Security has a great list (including the Rockyou list) of dictionaries
  • Crackstation has a 15 GB dictionary available with pay what you want/can pricing
  • A uniqued copy of Wikipedia can make for an interesting dictionary

You will probably want to get some hashes for benchmarking your cards’ or CPU’s performance. There are tons of possible benchmarking hashes from the cracking requests sections on the InsidePro forums. Here you can frequently find large dumps of hashes from users requesting that someone crack their hashes for them. While the sources of these hashes are rarely disclosed, you could get a great sample of hashes to practice cracking.

As for software, the three main pieces of cracking software that we use are Cain, John the Ripper, and OCLhashcat. I won’t include commands on how to run those, as those are very well documented other places.


Hopefully this blog has given you some tips on getting started on gathering and cracking hashes. If you have any questions on the hardware, software, or anything else, feel free to leave us a comment.

Discover why security operations teams choose NetSPI.