The Cryptohaze Multiforcer is a multi-GPU (nVidia CUDA only right now) tool for high performance password cracking. Unlike some other tools, it is open source, and is focused on brute forcing entire password spaces - not rule-based cracking. This tends to be less effective on user-created passwords and more effective on policy-created passwords. Additionally, it has network support to allow multiple hosts to cleanly work on the same problem without needing to manually split and merge the work.
Concept of operation
The Multiforcer is a simple password brute forcing utility. It iterates through password space, creating passwords that fit the length and character set requirements specified, hashes them, and checks for a match. It's focused on brute forcing large numbers of randomly generated passwords. There is currently no wordlist support, though future versions may include something. Performance holds up very nicely with large lists, only slowing slightly between 10 passwords and 100000 passwords or more. The only limit to the number of hashes supported is the memory on your GPUs.
At a minimum, you need to provide the tool with the following:
- Hash type to crack (see supported hash types) - "-h"
- The list of hashes to crack - "-f"
- The character set to use - "-c" or "-u"
This will attempt to crack all password lengths using all GPUs on the system.
To demonstrate a basic attack, the following will work:
"CUDA-Multiforcer-CPP -h NTLM -f test_hashes/Hashes-NTLM-Full.txt -c charsets/charsetall"
On Windows, you may need to use "CUDA-Multiforcer-CPP.exe" and on Linux/OS X, you may need to use "./CUDA-Multiforcer-CPP" as the command.
This should start printing cracked passwords quickly as it attacks the sample list of hashes.
Supported hash types
See the list here: Cryptohaze Multiforcer Supported Hashes
Brief list of command line options
The following is a list of commonly used command line options. The full list of command line options is available here: Cryptohaze Multiforcer Parameters
Hash type: -h <hashtype>
This sets the type of hash that will be cracked. The options are fully enumerated here: Cryptohaze Multiforcer Supported Hashes
MD5, NTLM, and LM are commonly seen hash types.
Single charset file: -c, --charsetfile <filename>
For a single charset file, use the "-c" option. This will read the first line from the charset file and use it for all positions in the password. The charset file should have a single line with the desired characters on it. Example: "-c charsets/charsetsnumeric"
Per-position charset file: -u, --charsetfilemulti <filename>
For a per-position charset file, use the "-u" option. This will read a newline-separated file and use the character set found on each line for the corresponding position in the password. If the password length is longer than the number of lines in the charset file, the program will not continue. Example: "-u charsets/charsetlikely" See below for more details on per-position charsets.
Hash file: -f, --hashfile <filename>
The input file of hashes is set with the "-f" option. This references a file of the hashes to crack in the format required by the specific hash type. Example: "-f test_hashes/Hashes-NTLM-Full.txt"
Found hashes output file: -o, --outputfile <filename>
The "-o" option sets the name of a file to append found hashes to. Hashes will be written to the file as found, so this can be used for a script to monitor progress. If the file exists, hashes will be appended to the file - it will not overwrite the file.
Password lengths to try: --min, --max <password length>
The options "--min" and "--max" set the minimum and maximum password lengths to test. Default behavior, if these are not specified, is to start at length 1 & continue until the maximum supported length of the hash. Example: "--min 5 --max 8" (checks passwords of lengths 5, 6, 7, 8). The two can be the same to only check one length.
Enable Network Server: --enableserver
This enables the network server and puts the multiforcer into server mode, where it listens for clients to connect. Currently, not all hash types are supported in this mode, but unsalted hashes should work properly. Salted hash types will be fully supported in a future release.
Server Only Mode: --serveronly
This runs the network server as ONLY a server daemon - it does not attempt to launch any GPU compute threads. This is useful if running on a system with no CUDA devices as the server. It is also useful to keep the server running in case of a CUDA device related crash. The client can be run on the same system and pointed at localhost, and if it crashes, the server will continue to run.
Network client: mode: --remoteip <hostname>
This option puts the multiforcer into client mode and connects to the specified remote hostname or IP address. No other option should be specified if this is used.
Device query: -q, --device-query
Running the multiforcer with "-q" as the only option will list all CUDA devices detected in your system.
Resume from save file: --resumefile <filename>
This will resume a previously terminated cracking session based on the .mfr file present.
Per-position charset support
One of the more powerful features of the multiforcer is the ability to support per-position character sets. This allows for a much more targeted attack on password spaces.
To use this feature, simply specify a charset file with "-u" instead of "-c" - the rest happens automatically. The file specified with "-u" should have one character set per line, and these will be used in the corresponding positions in the password.
As an example:
abcd abcd ABCDabcd 1234 !@#$
This will crack passwords "ab", "abc", "abC", "abc1!", "abC1!", "abc4$", etc. It uses each line for the position in the password.
This file will not crack passwords longer than length 5. An error will occur if this is tried.
If this file is used with the "-c" option instead of the "-u" option, it will only use "abcd" for all positions in the password.
The integrated network support is a very useful feature of the Multiforcer. It allows multiple hosts to participate in shared cracking for the same task without any of the complicated splitting of the workspace and integrating results that other tools often require. It also does not require OpenMPI or other cluster tools to be installed and configured. Hosts of radically different speeds are handled properly, with each host handling the amount of work it can handle. The network bandwidth requirements are relatively low (after sending the initial hash list), so systems can cooperate across the internet for a single task. With the new robust workunit support, a network client connecting and disconnecting does not cause any work to be lost (incomplete workunits are requeued for execution), so clients can join in for a short period of time, do some work, and leave, without interfering with the results. A roomful of laptops can cooperate, or a laptop can have a powerful compute server assist with a task, or a collection of powerful cracking servers can collaborate on a single task, even if they are scattered about the internet.
Right now, network support only works properly with unsalted hashes. It will eventually support salted hashes. Additionally, the network protocol is still in relatively frequent flux, so clients and servers should have the same version of the Multiforcer running or results may be undefined.
The clients will sit and idle after the server they are looking for terminates. They will then poll for a new server periodically. This allows client machines to be sitting with an instance of the Multiforcer client active and waiting for the server to start. When a server starts on the IP and port the clients are looking for, they will join in. If the clients are purely compute daemons, pass the "--daemon" flag in to inhibit output from the clients - they will not make much output at all, and will not display any cracked passwords locally (though they will still transmit everything to the server).
Despite the best efforts of nVidia and Bitweasil, GPUs can still crash and take down a process. To prevent this from killing an entire server process, the server should be run with the "--serveronly" parameter, even on a host with GPUs. This runs the server without any compute taking place - all the work is done over the network. To utilize the local GPUs, run another instance of the Multiforcer with "--remoteip localhost" - this will connect to the server instance, but if it crashes, it will not kill the server. Remote hosts should then connect to the server.
There is currently no intention to support the Multiforcer with untrusted clients. While this could be done, right now it is not being done. This means that exposing your server to the internet may allow clients to lie about work they have done, or will allow anyone to connect and receive your target hash list. For security purposes, DO NOT EXPOSE YOUR SERVER TO THE INTERNET unless you are intending to do so. It means anyone on the internet can access your service, your list of hashes to crack, and can submit false results or lie about having completed a workunit. You've been warned. Future versions of the Multiforcer may implement an authentication protocol for clients, but currently there is not one, so don't let random internet IPs access your server. It's intended for use on LANs and VPNs only (though it does work just fine over the 'net).