FAQ v1.2

Karma's note: I've tried to update as much as possible, the FAQ file is getting old these days... I've changed a lot of the wording too... Hope Gregory doesn't get too mad :p


Question: I only use Windows, am I out of luck?
Answer: There is a compiled Windows version of MDcrack at the MDcrack Homepage.

Question: I have a shadow password file that uses BSD-style MD5 hashes; how do I crack them with MDcrack?
Answer: You simply can't... at least not yet. If you look at the "To do" section, you'll see that a BSD-style cracking routine is planned. Until then, John the Ripper by Solar Designer is among the fastest crackers that handle BSD-style MD5 hashes; you can find it here: www.openwall.com/john

Question: Then what am I supposed to crack with it?
Answer: Password hashes, but preferably your own ;). A number of applications use MD5/MD4 hashes in a network authentication scheme, APOP and RADIUS for instance.
You can hash your own passwords the same way, feed them to MDcrack and see whether they would fall to an attacker who sniffed the exchange.
The NTLM v1 module also lets you test your NT server passwords.

Question: How can I test my network passwords?
Answer: Use a sniffer and grab the server challenge. If the targeted protocol uses a prefix/suffix challenge, all you have to do is something like: mdcrack -b challenge (and/or -e challenge) -M MD5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (the 32 hex characters of the sniffed digest). See the Readme section for a list of flags.

Question: I would like to test the NTLM cores with my NT passwords; where can I get the needed hashes?
Answer: From the SAM database, usually located at "{WINROOT}\system32\config\SAM" (the file is locked while Windows is running). I suggest you use pwdump2.exe to dump it in clear form. In each dumped line, the first hash after the username (and RID) is the LanManager hash (weak) and the second one is the one you want (the NT hash, which MDcrack calls NTLM).

Question: When I use -S x with NTLM1, why does mdcrack start with 2x the password size?
Answer: NTLM v1 hashes the Unicode (UTF-16LE) form of the password with MD4, so the hashed input is twice the original password size: each ASCII character is followed by a NULL byte, in little-endian order regardless of the architecture used.

Question: And now, which options should I use?
Answer: NTLM hashed passwords in the SAM don't use any challenge, so the command line is short, for instance: mdcrack -M NTLM1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (the 32 hex characters of the NT hash). If you already know the original password size, use: mdcrack -M NTLM1 -S size xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx instead, to avoid useless comparisons.

Question: I already know that the MDcrack default charset doesn't match the password generator in use.
Answer: No problem: use -s and feed it a new charset.
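The hash layouts behind the last few questions, as an added example in plain Python that is not MDcrack's code: a challenge prepended or appended to the password (the -b/-e case, with APOP as the prepended instance), MD4 over the UTF-16LE password (the NTLM1 case and the reason -S reports twice the size), and a brute-force loop driven by a chosen charset and length (-s and -S). It assumes that -b means a prepended and -e an appended challenge, that pwdump2 lines look like user:RID:LM:NT:::, and that the sample secrets, the dump line and the "sniffed" digest are constructed for the demo; only the APOP banner is RFC 1939's real example.

```python
"""Added example, not MDcrack code: the hashes MDcrack's MD5/NTLM1 cores
attack, written out so -b/-e, -M, -S and -s map onto readable Python.
Secrets, the dump line and the sniffed digest are constructed here."""
import hashlib
import itertools
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320. Implemented inline because OpenSSL 3 ships MD4 only
    in its legacy provider, so hashlib.new('md4') is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: message words in order
            a = _rotl((a + f(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The hash MDcrack calls NTLM1: MD4 over the UTF-16LE password. Each ASCII
    character becomes (char, 0x00), so the hashed input is twice the password
    length, which is why -S shows 2x the size for NTLM1."""
    return md4(password.encode("utf-16-le")).hex()


def challenge_md5(password: str, prefix: str = "", suffix: str = "") -> str:
    """MD5 over prefix + password + suffix: a prepended (-b, assumed) or
    appended (-e, assumed) challenge. APOP is the prepended case."""
    return hashlib.md5((prefix + password + suffix).encode()).hexdigest()


def parse_pwdump_line(line: str):
    """Split an assumed pwdump2-style line user:RID:LM:NT::: into
    (user, LM hash, NT hash); the NT hash is what you give to -M NTLM1."""
    user, _rid, lm, nt = line.strip().split(":")[:4]
    return user, lm.lower(), nt.lower()


def brute_force(target_hex, hash_fn, charset, sizes, find_all=False):
    """Try every string over charset (-s) of each length in sizes (-S) and
    return (matches, candidates_tried). find_all keeps searching after the
    first hit, as -a does, instead of stopping there."""
    target_hex = target_hex.lower()
    hits, tried = [], 0
    for n in sizes:
        for combo in itertools.product(charset, repeat=n):
            tried += 1
            cand = "".join(combo)
            if hash_fn(cand) == target_hex:
                hits.append(cand)
                if not find_all:
                    return hits, tried
    return hits, tried


CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
APOP_BANNER = "<1896.697170952@dbc.mtview.ca.us>"  # RFC 1939's example challenge
# Constructed dump line: LM field is the well-known blank-LM value, NT field is nt_hash("c4t").
SAMPLE_PWDUMP = "karma:1001:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("c4t") + ":::"

if __name__ == "__main__":
    user, lm, nt = parse_pwdump_line(SAMPLE_PWDUMP)
    print(user, brute_force(nt, nt_hash, CHARSET, [3]))  # (['c4t'], 3692)
    sniffed = challenge_md5("ab1", prefix=APOP_BANNER)  # constructed "capture"
    apop = lambda p: challenge_md5(p, prefix=APOP_BANNER)
    print(brute_force(sniffed, apop, CHARSET, [1, 2, 3], find_all=True))  # (['ab1'], 47988)
```

Running the script recovers the constructed NT hash from the dump line and the constructed APOP digest from the banner; the find_all run walks the whole 1..3 character keyspace and still returns a single match, which is what you should expect when continuing past the first hit on a 128-bit digest.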

Question: What are -f, -r and -F for?
Answer: They belong to a special mode that uses precomputed hashes from a file. You must first generate a hash file with -W and -F (fast mode), then use it with -R. This mode is currently frozen, but may be unfrozen when the time comes to start the cluster mode.

Question: I'm looking for collisions rather than just a password crack.
Answer: No problem; mdcrack offers the -a option, which reports every input it finds hashing to the target instead of stopping at the first one, but be aware that the computing time may be very long. The probability that any single candidate hashes to a given 128-bit digest is 1/2^128, so in practice you should expect to find only the original password.

Question: I'm using a big-endian processor; what should I do before compiling?
Answer: See the bottom of the Readme section.

Question: How fast is MDcrack?
Answer: As far as I know, MDcrack is the fastest for these three algorithms, MD4/MD5/NTLM1 (MD4-based), and is the result of a joint optimization effort with Simeon Pilgrim. The main technique used here is commonly called a "meet in the middle attack" and cost a lot of pain, headaches and coffee, since it was necessary to design many cores to give maximal performance for each configuration used (password size, challenge size, appended/prepended, etc.). That's why you have core1, core1b, core2, core2b, core3 and core3b for each algorithm.

Question: I noticed some differences between prepended and appended challenge performance; why?
Answer: Appended challenges should run faster since they use a double-hashing algorithm: two hashes are generated at the same time, which benefits from the L1 CPU cache. This is the case for NTLM passwords too.
I'm currently working on saved states to make things go faster for prepended challenges, but there will be many problems (boundary checking, multiple cores...) to resolve, not to mention headaches. Anyway, it will be done.

Question: Why is performance so low in verbose modes?
Answer: Because of additional function calls and write operations on the device. Never, never use any verbose mode during benchmarks; use bench.sh (someone has already asked me why his performance was only 1/1000 of what I claimed :) ).

Question: I would like to share my benchmarks.
Answer: Great! I need them. The only thing you have to do is launch bench.sh and wait a few minutes; then the script will ask whether you agree to send the report automatically. Just type yes. Thank you.
You can see the latest benchmarks at the MDcrack Homepage.

Question: What is the Ncurses interface for?
Answer: For fun; I'm considering making a GTK one some day. If you don't like colour, try commenting out NCURSE in the Makefile, or just use ./install.sh and say no when prompted.

Question: What can I do to help you?
Answer: I need help with many things: translators for the text files are welcome; if you can host a mirror, it would be great; send me your benchmarks; if you have already worked on optimization for any hash algorithm and want to share your work, that would be fine; and finally, if you are a windoz developer and want to have a hard time....

Question: I want to host a mirror; how can we do that?
Answer: No problem, just give me FTP access to your web site and I will do the rest.

Question: I still have a question that's unanswered...
Answer: If it's an *EDUCATED* question, you can e-mail Gregory here.