Never Ending Security


Category Archives: Cracking

Install AMD ATI Proprietary FGLRX Driver + AMD APP SDK + Pyrit + CAL++ + Helpful ATIconfig FGLRX Commands

Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6

The Kali dev team added a new version of the AMD ATI proprietary fglrx driver, which is now available from the Kali Linux repositories. That means this guide is less complicated: everything should work out of the box instead of messing about with the Debian Jessie repository.

Step by step guide to install proprietary fglrx driver in Kali Linux

The following instructions were tested on 64-bit Kali Linux 1.0.6 running kernel version 3.12.6:

lsb_release -a


No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux Kali Linux 1.0.6
Release:    Kali Linux 1.0.6
Codename:   n/a

Step 1 (add official Kali Linux Repositories)

Check your /etc/apt/sources.list. If it differs from the following, you need to fix it. You can follow this guide to add the official Kali Linux repositories if you’re not sure how to do it. For the sake of clarity I will keep things simple here.

leafpad /etc/apt/sources.list

Remove or comment out existing lines and add the following:

## Kali Regular repositories
deb kali main non-free contrib
deb kali/updates main contrib non-free
## Kali Source repositories
deb-src kali main non-free contrib
deb-src kali/updates main contrib non-free

Step 2 (update with apt-get)

Now we need to update and make sure we get the latest list from Kali Linux official repositories. So perform an apt-get update.

apt-get update

Step 3 (install Linux headers and recommended software)

Now that we have the correct repositories, install the following recommended packages. The most important part is to install the correct kernel headers.

apt-get install firmware-linux-nonfree 
apt-get install amd-opencl-icd 
apt-get install linux-headers-$(uname -r)

NOTE: You should be able to get all these from Kali Linux repositories as added/updated from Step 1 above. When this guide was written, all these were available in the Kali Repositories.

Step 4 (install fglrx drivers and control)

Almost done; just install the fglrx driver and control panel. The best part is that this is all you need to do: Debian Jessie fixed the issues with fglrx and the latest driver, so once you install these packages, everything just works.

apt-get install fglrx-atieventsd fglrx-driver fglrx-control fglrx-modules-dkms -y

NOTE: At this point you will see a bunch of popups (we rarely see those in Linux, but aptitude pops up requests to update some libraries (OpenCL and GLX) and to restart services such as networking). I chose YES to all of them. My installation of Kali is still working and I have yet to find a problem; your experience might be different.

Once the installation is finished, we need to test that it all went well.

Step 5 (testing your installation and generate xorg.conf file)

Now that our installation went through without an error, we need to test the fglrx driver. You can test fglrx using the following two commands:


[screenshot: fglrx test commands and their output - blackMORE Ops]

If everything worked well, you can generate the xorg.conf file using the following command:

aticonfig --initial -f

The xorg.conf file will be located in the /etc/X11 folder.

Step 6 (update grub.cfg file and reboot)

Almost there. AMD cards need the following parameter passed to the kernel at boot. The quick way shown here is to edit grub.cfg directly; be aware that /boot/grub/grub.cfg is generated by update-grub and will be rewritten (losing this change) the next time update-grub runs, for example on a kernel upgrade. To make the change stick, put radeon.modeset=0 in GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and run update-grub instead. For the direct way, edit the grub.cfg file:

leafpad /boot/grub/grub.cfg

You see this:

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Debian GNU/Linux, with Linux 3.12-kali1-amd64' --class debian --class gnu-linux --class gnu --class os {
    insmod gzio
    insmod part_msdos
    insmod ext2
    set root='(hd0,msdos5)'
    search --no-floppy --fs-uuid --set=root 129deb3c-0edc-473b-b8e8-507f0f2dc3f9
    echo    'Loading Linux 3.12-kali1-amd64 ...'
    linux    /boot/vmlinuz-3.12-kali1-amd64 root=UUID=129deb3c-0edc-473b-b8e8-507f0f2dc3f9 ro initrd=/install/gtk/initrd.gz quiet
    echo    'Loading initial ramdisk ...'
    initrd    /boot/initrd.img-3.12-kali1-amd64

Add radeon.modeset=0 to the end of the following line:

linux    /boot/vmlinuz-3.12-kali1-amd64 root=UUID=129deb3c-0edc-473b-b8e8-507f0f2dc3f9 ro initrd=/install/gtk/initrd.gz quiet

So the line above becomes this:

linux    /boot/vmlinuz-3.12-kali1-amd64 root=UUID=129deb3c-0edc-473b-b8e8-507f0f2dc3f9 ro initrd=/install/gtk/initrd.gz quiet radeon.modeset=0

Note: the UUID 129deb3c-0edc-473b-b8e8-507f0f2dc3f9 will be different on every PC. Use your own here.

Save and exit. Then reboot.


Once you reboot, you should be able to log in to the GUI and enjoy your AMD ATI proprietary driver (fglrx) in Kali Linux 1.0.6 running kernel version 3.12.6.
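The grub.cfg edit above is lost whenever update-grub regenerates the file. The following is an added example, not code from the original post: it puts radeon.modeset=0 into GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub (the file update-grub reads), idempotently and without clobbering the parameters already there. The default file path, the --write flag and the sample file contents are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Add a kernel parameter to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.

Added example, not part of the original post. /boot/grub/grub.cfg is
regenerated by update-grub (for example on a kernel upgrade), so a
parameter edited into it directly disappears; /etc/default/grub is the
input update-grub reads, so a parameter placed there survives. Run
`update-grub` after writing the file.
"""
import re
import sys

KEY = "GRUB_CMDLINE_LINUX_DEFAULT"
# Matches the assignment line with an optional single- or double-quoted value.
_LINE = re.compile("^(\\s*" + KEY + "=)(['\"]?)(.*?)\\2\\s*$")


def kernel_params(grub_default_text):
    """Return the parameter list currently set in GRUB_CMDLINE_LINUX_DEFAULT."""
    for line in grub_default_text.splitlines():
        m = _LINE.match(line)
        if m:
            return m.group(3).split()
    return []


def add_kernel_param(grub_default_text, param):
    """Return the file contents with `param` present exactly once.

    A parameter with the same key (the part before '=') is replaced, so
    adding 'radeon.modeset=0' turns an existing 'radeon.modeset=1' into
    'radeon.modeset=0'. Adding the same value twice changes nothing.
    """
    key = param.split("=", 1)[0]
    lines = grub_default_text.splitlines()
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            continue
        params = [p for p in m.group(3).split() if p.split("=", 1)[0] != key]
        params.append(param)
        lines[i] = '%s"%s"' % (m.group(1), " ".join(params))
        break
    else:
        # No GRUB_CMDLINE_LINUX_DEFAULT line at all: append one.
        lines.append('%s="%s"' % (KEY, param))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage (assumed convention): add_kernel_param.py [param] [--write]
    # Without --write the updated file is only printed (dry run).
    path = "/etc/default/grub"
    args = [a for a in sys.argv[1:] if a != "--write"]
    param = args[0] if args else "radeon.modeset=0"
    with open(path) as fh:
        current = fh.read()
    updated = add_kernel_param(current, param)
    if "--write" in sys.argv:
        with open(path, "w") as fh:
            fh.write(updated)
        print("wrote %s; now run: update-grub" % path)
    else:
        sys.stdout.write(updated)
```

Run it as root with --write, then run update-grub and reboot; without --write it prints the new file so you can diff it against the current one first.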

Step 7 (run ATI Catalyst Control Center)

Run ATI Catalyst Control Center from Applications Menu > System Tools > Preferences > ATI Catalyst Control Center.

You should be able to launch amdcccle and make changes as required.


There’s more you can do using aticonfig: change the fan speed, set up multiple monitors, or check GPU temperatures directly. I show these at the end of this post in a compilation of useful aticonfig commands. I found that some commands were removed from this version of aticonfig (AMD does that every time they release a new driver), but most of them work, so feel free to check and report back.

How To Install AMD APP SDK In Kali Linux?

Check FGLRX Installation

First check that the fglrx module is loaded:

lsmod | grep fglrx

You should get a response similar to:

fglrx 2635205 82
button 12945 1 fglrx

Installing AMD APP SDK

What is AMD APP Technology?

AMD APP technology is a set of advanced hardware and software technologies that enable AMD graphics processing cores (GPU), working in concert with the system’s x86 cores (CPU), to execute heterogeneously to accelerate many applications beyond just graphics. This enables better balanced platforms capable of running demanding computing tasks faster than ever, and sets software developers on the path to optimize for AMD Accelerated Processing Units (APUs).

What is the AMD APP Software Development Kit?

The AMD APP Software Development Kit (SDK) is a complete development platform created by AMD to allow you to quickly and easily develop applications accelerated by AMD APP technology. The SDK provides samples, documentation, and other materials to quickly get you started leveraging accelerated compute using OpenCL™, Bolt, or C++ AMP in your C/C++ application, or Aparapi for your Java application.

What is OpenCL™?

OpenCL™ is the first truly open and royalty-free programming standard for general-purpose computations on heterogeneous systems. OpenCL™ allows programmers to preserve their expensive source code investment and easily target both multi-core CPUs and the latest APUs and discrete GPUs, such as those from AMD. Developed in an open standards committee with representatives from major industry vendors, OpenCL™ gives users what they have been demanding: a cross-vendor, non-proprietary solution for accelerating their applications on their CPU and GPU cores.

Download AMD APP SDK v2.7

Download AMD APP SDK v2.7 from:

AMD Download Archive

Install SDK

Install the SDK:

mkdir amdappsdk
cp AMD-APP-SDK-v2.7-lnx64.tar amdappsdk/
cd amdappsdk
tar -xvf AMD-APP-SDK-v2.7-lnx64.tar

Edit /root/.bashrc, add the following lines to the end of the file:


Save and quit, then issue the following command:

source ~/.bashrc

How To Install Pyrit In Kali Linux?

Check FGLRX Installation

First check that the fglrx module is loaded:

lsmod | grep fglrx

You should get a response similar to:

fglrx 2635205 82
button 12945 1 fglrx

Check AMD APP SDK Installation

Check if AMD APP SDK is installed. If not installed, follow this guide to install it.

Check CAL++ Installation

Check if CAL++ is installed. If not installed, follow this guide to install it.

Why Pyrit?

Pyrit allows you to create massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time trade-off. Exploiting the computational power of many-core and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the world’s most used security protocols. Note that the precomputed value (the PMK) is derived from both the passphrase and the network’s ESSID, so a precomputed table is only useful against networks with that ESSID.

Install Pyrit in Kali

Install prerequisites

apt-get install libpcap-dev

Remove existing installation of pyrit

apt-get remove --purge pyrit

If you are not using a clean install of Kali (not recommended), you may need to issue the following command:

rm -r /usr/local/lib/python2.7/dist-packages/cpyrit/

Download pyrit

svn checkout pyrit_svn

Install Pyrit

cd pyrit_svn/pyrit/
./setup.py build install

Install CAL++ plugin

cd ../cpyrit_calpp/


Edit setup.py and make the following two changes:

find VERSION = '0.4.0-dev' and replace it with VERSION = '0.4.1-dev'
find CALPP_INC_DIRS.append(os.path.join(CALPP_INC_DIR, 'include')) and replace it with

CALPP_INC_DIRS.append(os.path.join(CALPP_INC_DIR, 'include/CAL'))

Save and quit, then issue the following command:

./setup.py build install

There will be several warnings, but hopefully no errors, and everything will be installed.

Test cpyrit

List available cores

pyrit list_cores


The following cores seem available...

#1: 'CAL++ Device #1 'AMD GPU DEVICE''
#2: 'CPU-Core (SSE2)'
#3: 'CPU-Core (SSE2)'
#4: 'CPU-Core (SSE2)'

Benchmark Pyrit

pyrit benchmark


Computed 7548.89 PMKs/s total.
#1: 'CAL++ Device #1 'AMD GPU DEVICE'': 5599.3 PMKs/s (RTT 1.4)
#2: 'CPU-Core (SSE2)': 685.6 PMKs/s (RTT 3.0)
#3: 'CPU-Core (SSE2)': 688.5 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 691.9 PMKs/s (RTT 3.0)

How to install CAL++ in Kali Linux?

Check FGLRX Installation

First check that the fglrx module is loaded:

lsmod | grep fglrx

You should get a response similar to:

fglrx 2635205 82
button 12945 1 fglrx

If not installed follow this guide to install it.

Check AMD APP SDK Installation

Check if AMD APP SDK is installed. If not installed follow this guide to install it.

Installing CAL++

CAL++ is a simple library that allows writing ATI CAL kernels directly in C++. The syntax is very similar to OpenCL. A C++ wrapper for CAL is also included.

This project was registered on Feb 19, 2010.

Install prerequisites:

apt-get install cmake libboost-all-dev

Download CAL++

Download calpp 0.90 from: SourceForge CAL++ Website

Install CAL++

tar -xvf calpp-0.90.tar.gz
cd calpp-0.90/

Edit CMakeLists.txt:

Find the lines starting with FIND_LIBRARY and FIND_PATH and replace them with this:


Save and quit,

Make and Install CAL++

Issue the following commands:

cmake .
make install

Helpful ATIconfig FGLRX Commands

ATI Proprietary Linux Driver (ATIconfig fglrx) Features

The ATI Proprietary Linux driver (ATIconfig fglrx) provides TV Output support for ATI graphics cards that support TV out. The ATI Proprietary Linux (ATIconfig fglrx) driver also allows for the following monitor arrangements:

  1. Single Head Mode (single display)
  2. Clone Mode (same content on both screens)
  3. Mirror Mode (same content on both screens, with identical display resolution and refresh rates)
  4. Big Desktop (one desktop stretched across two screens)
  5. Dual Head (separate instances of X running on each screen)

ATI Config Linux Edition - blackMORE Ops

ATI Workstation Product Support

The ATI Proprietary Linux driver is designed to support the following ATI Workstation products:

  • FireGL™ V7350
  • FireGL™ V3300
  • FireGL™ X1-128
  • FireGL™ V7300
  • FireGL™ V3200
  • FireGL™ X1-256p
  • FireGL™ V7200
  • FireGL™ V3100
  • FireGL™ 8800
  • FireGL™ V7100
  • FireGL™ X3-256
  • FireGL™ 8700
  • FireGL™ V5200
  • FireGL™ X3
  • FireMV™ 2200 (Single card configuration)
  • FireGL™ V5100
  • FireGL™ X2-256
  • Mobility™ FireGL™ V5000
  • FireGL™ V5000
  • FireGL™ Z1-128
  • Mobility™ FireGL™ 9100
  • FireGL™ V3400
  • FireGL™ T2-128
  • Mobility™ FireGL™ T2

ATI Mobility™ Product Support

The ATI Proprietary Linux driver is designed to support the following ATI Mobility™ products:

  • Mobility™ Radeon® X1800
  • Mobility™ Radeon® 9800
  • Mobility™ Radeon® X1600
  • Mobility™ Radeon® 9600
  • Mobility™ Radeon® X1400
  • Mobility™ Radeon® 9550
  • Mobility™ Radeon® X1300
  • Mobility™ Radeon® 9500
  • Mobility™ Radeon® X800
  • Mobility™ Radeon® 9000
  • Mobility™ Radeon® X700
  • Mobility™ Radeon® 9200
  • Mobility™ Radeon® X600
  • Radeon® Xpress 200M series
  • Mobility™ Radeon® X300

ATI Integrated Product Support

The ATI Proprietary Linux driver is designed to support the following ATI Integrated products:

  • Radeon® Xpress 200 series
  • Radeon® 9100 IGP
  • Radeon® 9200 IGP
  • Mobility™ Radeon® 9000 IGP series
  • Mobility™ Radeon® 9100 IGP series

Caution: This software driver provides 2D support only for the ATI Radeon® 9100 IGP and ATI Radeon® 9100 PRO IGP.

ATI Desktop Product Family Support

The ATI Proprietary Linux driver is designed to support the following ATI desktop products:

  • Radeon® X1900 series
  • Radeon® 9800 series
  • Radeon® X1800 series
  • Radeon® 9600 series
  • Radeon® X1600 series
  • Radeon® 9200 series
  • Radeon® X1300 series
  • Radeon® 9000 series
  • Radeon® X850 series
  • Radeon® 9700 series
  • Radeon® X800 series
  • Radeon® 9550 series
  • Radeon® X700 series
  • Radeon® 9500 series
  • Radeon® X600 series
  • Radeon® 9100 series
  • Radeon® X300/X550 series
  • Radeon® 8500 series

Just make sure your product is listed here; otherwise the following commands are not supported.

Helpful ATIconfig commands

Initial setup (creates device section using fglrx)

 aticonfig --initial

Enable video acceleration (Xv overlay)

     aticonfig --overlay-type=Xv

Force fglrx to use kernel’s AGP driver instead of own implementation

(only use when internal agpgart doesn’t work)

    aticonfig --internal-agp=off

Note: Newer fglrx driver versions do not include an internal AGPGART so the kernel agpgart is used no matter what.

Use extended desktop with two monitors (dual-head and big desktop)

    aticonfig --initial=dual-head --screen-layout=right

This command will generate a dual head configuration file with the second screen located to the right of the first screen.

Setup big Desktop to Horizontal and Set Overlay on the Secondary Display

    aticonfig --dtop=horizontal --overlay-on=1

This command will set up big desktop to horizontal and set overlay on the secondary display.

If the black borders don’t go away, try this:

 aticonfig --query-monitor # to see monitors
 aticonfig --query-dispattrib=tmds2 # to see supported values
 aticonfig --set-dispattrib=tmds2,sizeX:1920 # to set X resolution
 aticonfig --set-dispattrib=tmds2,sizeY:1080 # to set Y resolution
 aticonfig --set-dispattrib=tmds2,positionX:0 # to set X position to 0
 aticonfig --set-dispattrib=tmds2,positionY:0 # to set Y position to 0

 Print information about power states.

    aticonfig --list-powerstates

Or, for us lazy folk, the shorter version is

   aticonfig --lsp

Set a power state to the lowest (battery friendly)

    aticonfig --set-powerstate=1

Note: check the available power states using aticonfig --list-powerstates
Note: this option does not work when an external monitor is connected

Print information about connected and enabled monitors

    aticonfig --query-monitor

How to enable two monitors on the fly

Assume you have two monitors already setup correctly
This example enables laptop internal monitor (lvds) and external monitor (crt1)

    aticonfig --enable-monitor=lvds,crt1 --effective=now

Note: aticonfig --enable-monitor=STRING,STRING where STRING can be one of the following, separated by commas: none,crt1,crt2,lvds,tv,tmds1,tmds2,auto.

Only 2 displays can be enabled at the same time. Any displays that are not on the list will be disabled.

Note: check connected and enabled monitors using aticonfig --query-monitor

Turn off the second monitor on the fly and start to use only laptop internal monitor (lvds)

    aticonfig --enable-monitor=lvds --effective=now

Swap monitors on the fly when using big desktop mode

    aticonfig --swap-monitor --effective=now

Note: This only works for big desktop setup. This will swap the contents on the two monitors.

Get temperature:

   aticonfig --odgt

Get Fan speed:

   aticonfig --pplib-cmd "get fanspeed 0"

Replace 0 with the fan number, i.e. 0, 1, etc.

Set Fan Speed:

   aticonfig --pplib-cmd "set fanspeed 0 40"

Where 0 is the fan number and 40 is the percent of speed you want it to run.

ATIConfigHelp Page

Install Proprietary NVIDIA Driver + kernel Module CUDA and Pyrit on Kali Linux

Install Proprietary NVIDIA Driver On Kali Linux – NVIDIA Accelerated Linux Graphics Driver

This guide explains how to install the proprietary “NVIDIA Accelerated Linux Graphics Driver” on a Kali Linux system. If you are using Kali Linux with an NVIDIA graphics card, most likely you are using the open source nouveau driver; you can see it with the lsmod | grep nouveau command. The nouveau driver works quite well, but if you want 3D acceleration or GPU-based applications (such as CUDA or GPU pass-through), you need to install the proprietary NVIDIA driver. It provides optimized hardware acceleration of OpenGL applications via a direct-rendering X server and is a binary-only Xorg driver that requires a Linux kernel module. The first step is to fully update your Kali Linux system and make sure you have the kernel headers installed.

Previously you had to download the NVIDIA driver (CUDA) manually and edit the grub.cfg file to make everything work. Because this is a long guide, I have divided it into two parts:

Use the first guide to install the NVIDIA driver. If you want GPU acceleration (cudaHashcat, GPU pass-through etc.), keep reading and follow the second guide to complete your installation. I’ve included as much detail as I can, including troubleshooting steps and checks, but I would like to hear your part of the story, so leave a comment with your findings and issues.

The new NVIDIA Driver

The new Linux binary NVIDIA driver package nvidia-kernel-dkms builds the NVIDIA kernel module needed by the NVIDIA Xorg driver, using DKMS. Provided that you have the kernel header packages installed, the kernel module will be built for your running kernel and automatically rebuilt for any new kernel headers that are installed. The binary NVIDIA drivers provide optimized hardware acceleration of OpenGL applications via a direct-rendering X server for graphics cards using NVIDIA chipsets. AGP, PCIe, SLI, TV-out and flat panel displays are also supported. NVIDIA added support for the following GPUs and fixed some issues (existing GPUs are already supported):

  • GeForce GT 710
  • GeForce 825M
  1. Fixed a regression that prevented NVIDIA-installer from cleaning up directories created as part of the driver installation.
  2. Added a new X configuration option “InbandStereoSignaling” to enable/disable DisplayPort in-band stereo signaling.
  3. Fixed a bug that caused PBO downloads of cube map faces to retrieve incorrect data.
  4. Fixed a bug in NVIDIA-installer that resulted in spurious error messages when opting out of installing the NVIDIA kernel module or source files for the kernel module.
  5. Added experimental support for ARGB GLX visuals when Xinerama and Composite are enabled at the same time on X.Org xserver 1.15.

See the details about this driver in NVIDIA official website:

Debian usually repackages the official driver to fit its requirements. The GPU series/codename of an installed video card can usually be identified using the lspci command. For example:

lspci -nn | grep VGA

My settings

My PC got the following configuration:

I’ve installed everything on a brand new Kali Linux 1.0.6 installation, fully updated and upgraded. Before you do anything, add the official Kali Linux repository. Once I’d added the correct Kali repositories, I issued the following command to update, upgrade and dist-upgrade my Kali Linux:

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

If you’ve completed this part, move on to the next instruction.

Step 1: Install Linux headers

Install Linux headers as those will be required to build NVIDIA Driver modules.

aptitude -r install linux-headers-$(uname -r)

Where -r means install all recommended packages as well.   

Step 2: Install NVIDIA Kernel

Next I installed NVIDIA Kernel

apt-get install nvidia-kernel-$(uname -r)

Step 3: Install NVIDIA Driver Kernel DKMS

We’re almost ready. You can now install new NVIDIA driver nvidia-kernel-dkms by using the following command:

aptitude install nvidia-kernel-dkms

Including dependencies, this is about 24MB in size; depending on how fast the Kali repo is, you might have to wait a few minutes. You will get two popups: the first says that after installing nvidia-kernel-dkms you need to reboot, because it disables the open source nouveau driver; the second is about the xorg.conf file in the /etc/X11/ folder.

Press OK on both popups.

Step 4: Install xconfig NVIDIA driver application

If you go through the NVIDIA driver README, you will see that you need to create a new Xorg server configuration file xorg.conf, or modify the existing one, to tell it to load the NVIDIA driver module. The nvidia-xconfig package makes this task quite easy: all you need to do is install and execute it.

aptitude install nvidia-xconfig

Step 5: Generate Xorg server configuration file

Now that the nvidia-xconfig package is installed, issue the following command to generate the Xorg server configuration file.

nvidia-xconfig

It will rename any existing xorg.conf file and create a new one. As directed by the nvidia-kernel-dkms popup, reboot your machine to complete the installation.

Step 6: Confirming your installation

At this point you should be able to login to your system in Graphical User Mode (GUI). In case you can’t, follow the troubleshooting section at the bottom of this article. As always, we need to check if everything went as expected.

Step 6.a: Check GLX Module

First check if the system is using the GLX module.

glxinfo | grep -i "direct rendering"

It should output “direct rendering: Yes”


If you do not have glxinfo, first install the mesa-utils package, then run the command above again and check the output:

aptitude install mesa-utils

Step 6.b: Check NVIDIA Driver Module

Check if the NVIDIA module is loaded.

lsmod | grep nvidia

If it produces output like nvidia 9442880 28 or something similar (the numbers will differ on your system), the NVIDIA module is loaded.

Step 6.c: Check for Open source NVIDIA Driver nouveau module

Just to be sure the open source nouveau module is NOT loaded, issue the following command:

lsmod | grep nouveau

It should NOT produce any output. If it does, something is wrong.

Step 6.d: Confirm if open source NVIDIA Driver nouveau was blacklisted

I like this new NVIDIA driver: it blacklists the open source nouveau driver by default, which means less work for us. You can confirm it by checking the files in the following directory:

cat /etc/modprobe.d/nvidia.conf
cat /etc/modprobe.d/nvidia-blacklists-nouveau.conf
cat /etc/modprobe.d/nvidia-kernel-common.conf


You might get a black screen after installing NVIDIA Driver. Following are your options to fix it:

Troubleshooting Step A: Fixing black screen with a cursor problem

Simply press CTRL + ALT + F1 and login. Type the following


You should now be able to log in using the GDM3 GUI.

Troubleshooting Step B: Delete xorg.conf file

Press CTRL + ALT + F1 and login. Type the following

rm /etc/X11/xorg.conf

After reboot, you should be able to log in using the GDM3 GUI.

Troubleshooting Step C: remove NVIDIA Driver

Press CTRL + ALT + F1 and login. Type the following

apt-get remove nvidia-kernel-dkms

After reboot, you should be able to log in using the GDM3 GUI.


This concludes my general instructions on how to install the proprietary NVIDIA driver on Kali Linux. NVIDIA Optimus users should be able to follow the same instructions; as I said before, feel free to share your side of the story on how your installation went and correct my guide if required. I am open for discussion and will try to reply to your comments as early as possible. For the curious, try installing nvidia-settings and see how that goes. In my case installing nvidia-settings removed the NVIDIA driver, but I did manage to make it work with some tinkering and will try to write another guide on that (nvidia-settings presents you with a GUI X config window where you can see GPU temperature and more).

The proprietary “NVIDIA Accelerated Linux Graphics Driver” provides optimized hardware acceleration of OpenGL applications via a direct-rendering X server; in short, it gives you better display and 3D rendering, and at this point you’re all done and can play 3D games. Let me know if you want any specific Linux-supported games on Kali and I can write up an article on that. But if you want to run applications that use the NVIDIA CUDA kernel module for GPU processing, such as Pyrit with cpyrit-cuda, then you will also need to install the CUDA packages, replace the official Pyrit and install cpyrit-cuda. Find out if your graphics card supports CUDA on the following page from NVIDIA:

Mine does,

  • GeForce 210.

The next guide shows how to install the NVIDIA CUDA kernel module and Pyrit in Kali Linux (CUDA, pyrit and cpyrit). Thanks for reading. If this guide helped you install the NVIDIA driver, please share this article and follow us on Facebook/Twitter.

Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

In this guide, I will show how to install the NVIDIA CUDA kernel module, replace the stock Pyrit, and install cpyrit-cuda. At the end of this guide you will be able to use GPU acceleration in applications that support it, such as cudaHashcat and Pyrit.

Use the first guide to install the NVIDIA driver on Kali Linux. I assume you followed the first guide, completed all steps there, and now want to enable GPU acceleration (cudaHashcat, GPU pass-through etc.) on your Kali Linux.

CUDA Toolkit

The NVIDIA® CUDA® Toolkit provides a comprehensive development environment for C and C++ developers building GPU-accelerated applications. The CUDA Toolkit includes a compiler for NVIDIA GPUs, math libraries, and tools for debugging and optimizing the performance of your applications. You’ll also find programming guides, user manuals, API reference, and other documentation to help you get started quickly accelerating your application with GPUs. You can read a lot more here in NVIDIA Developers official webpage:

CUDA Toolkit


Following are the prerequisite before you start following this guide:

Prerequisite 1: add Official Kali Linux repository.

I’ve added the correct Kali Official repositories and issued the following commands to update, upgrade and dist-upgrade my Kali Linux.

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Prerequisite 2: Install proprietary NVIDIA driver on Kali Linux

I’ve installed the correct official proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver using the previous guide.

If you’ve completed both, move to next instruction.

Step 1: Install NVIDIA CUDA toolkit and openCL

At first we need to install NVIDIA CUDA toolkit and NVIDIA openCL

aptitude install nvidia-cuda-toolkit nvidia-opencl-icd

This will install the CUDA packages in your Kali Linux. The total download is pretty large including dependencies (282MB or so), so be patient and let it finish.

Step 2: Download Pyrit and Cpyrit

Download Pyrit and Cpyrit from the official website:

Save them in your /root folder.

Step 3: Install Pyrit

Follow the instructions below to install Pyrit and its prerequisites.

Step 3.a: Install Pyrit prerequisites

apt-get install python2.7-dev python2.7-libpcap libpcap-dev

Step 3.b: Remove existing installation of Pyrit

Remove stock Pyrit using the following command:

apt-get remove pyrit

You get a message stating that it will also remove the kali-linux-full package. That package is only a metapackage that depends on pyrit; removing it does not remove the tools it pulled in, so let the removal of Pyrit finish.

If you are not using a clean install of Kali (not recommended), you may need to issue the following command:

rm -r /usr/local/lib/python2.7/dist-packages/cpyrit/

Step 3.c: Install new Pyrit

Copy and paste the following commands to extract the downloaded Pyrit in your Kali Linux /root directory:

tar -xzf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0

Now build the package:

python setup.py build

Once the build is complete, you can install Pyrit:

python setup.py install

Up to this point, you shouldn’t receive any errors.

Step 4: Install CPyrit-cuda

Copy and paste the following commands to extract the downloaded CPyrit-cuda in your Kali Linux /root directory:

tar -xzf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0

Now build the package:

python setup.py build

Once the build is complete, you can install CPyrit-cuda:

python setup.py install

Again, you shouldn’t receive any errors, if there’s error, go back and review each steps.

Step 5: Testing and troubleshooting

Now that we’ve installed NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux, we should be able to test it. The best way to test is by issuing the following command:

pyrit list_cores

This gave me the error “bash: /usr/bin/pyrit: No such file or directory”.

The new Pyrit installs its binary in /usr/local/bin/pyrit, not in /usr/bin/pyrit where the stock package put it. On a default Debian /etc/profile, /usr/local/bin is already on root’s PATH, in which case the error comes from bash’s command hash still pointing at the removed /usr/bin/pyrit and running hash -r (or opening a new shell) is enough. If pyrit is still not found after that, use one of the fixes below.

Step 5.a Softlink them or add path to profile

There’s two different ways you can resolve it. You can either softlink or add this /usr/local/bin/ path to your profile. Choice is again yours.

Step 5.a.i: Softlinking

This is what I followed:

ln -s /usr/local/bin/pyrit /usr/bin/pyrit

Step 5.a.ii: Add path

If you want it only for a specific user, edit ~/.bash_profile or ~/.bashrc and put there:

export PATH=$PATH:/usr/local/bin

If you want it for all users, edit /etc/profile and scroll down until you see something like:

 PATH="/bin:/usr/bin:/sbin:/usr/sbin"
 export PATH

Append /usr/local/bin to the end, so it becomes:

 PATH="/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin"
 export PATH
and Finally

Once you’ve either Softlinked or added the correct path to your profile, then following is what you get

root@kali:~# pyrit list_cores
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg
This code is distributed under the GNU General Public License v3+

The following cores seem available...
#1:  'CUDA-Device #1 'GeForce 210''
#2:  'CPU-Core (SSE2)'
#3:  'CPU-Core (SSE2)'
#4:  'CPU-Core (SSE2)'

and of course I did a benchmark with my GeForce 210 card:

root@kali:~# pyrit benchmark
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg
This code is distributed under the GNU General Public License v3+

Running benchmark (2744.1 PMKs/s)... -

Computed 2744.11 PMKs/s total.
#1: 'CUDA-Device #1 'GeForce 210'': 853.1 PMKs/s (RTT 3.0)
#2: 'CPU-Core (SSE2)': 648.1 PMKs/s (RTT 2.8)
#3: 'CPU-Core (SSE2)': 647.6 PMKs/s (RTT 2.9)
#4: 'CPU-Core (SSE2)': 658.5 PMKs/s (RTT 3.0)
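To put the two benchmark listings on this page (the CAL++ one in the Pyrit section above and this CUDA one) and the “Why Pyrit?” description into numbers, here is an added example; it is not code from Pyrit or from the original post. It computes the WPA/WPA2 PMK the way IEEE 802.11i defines it (the step Pyrit precomputes and the GPU accelerates), parses pyrit benchmark output, and estimates how long a rockyou-sized wordlist takes at the measured rate. The benchmark text is copied from this page; the rockyou line count is an assumption marked in the code.

```python
#!/usr/bin/env python3
"""What Pyrit computes, and what its benchmark numbers mean for an attack.

Added example, not code from Pyrit or the original post. The IEEE 802.11i
PMK is PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes); the
4096 iterations are the expensive part that Pyrit precomputes (per ESSID,
because the ESSID is the salt) and that the GPU accelerates.
"""
import hashlib
import re

ROCKYOU_LINES = 14_344_391  # assumption: line count of the stock rockyou.txt

_TOTAL = re.compile(r"Computed ([\d.]+) PMKs/s total")
_CORE = re.compile(r"^#(\d+):\s+'(.*)':\s+([\d.]+) PMKs/s \(RTT ([\d.]+)\)$")


def pmk(passphrase, essid):
    """Pairwise Master Key as defined in IEEE 802.11i (PBKDF2-HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def parse_benchmark(text):
    """Return (total PMKs/s, [(core name, PMKs/s, RTT), ...]) from `pyrit benchmark` output."""
    total = None
    cores = []
    for line in text.splitlines():
        m = _TOTAL.search(line)
        if m:
            total = float(m.group(1))
            continue
        m = _CORE.match(line.strip())
        if m:
            cores.append((m.group(2), float(m.group(3)), float(m.group(4))))
    if total is None:
        raise ValueError("no 'Computed ... PMKs/s total' line found")
    return total, cores


def gpu_fraction(cores):
    """Share of the summed per-core throughput delivered by non-CPU cores (CAL++/CUDA/OpenCL)."""
    rates = [rate for _, rate, _ in cores]
    gpu = [rate for name, rate, _ in cores if not name.startswith("CPU-Core")]
    return sum(gpu) / sum(rates)


def estimate_seconds(pmks_per_second, candidates, essids=1):
    """Wall-clock time to try `candidates` passphrases against `essids` networks.

    PMKs are salted with the ESSID, so every additional target network costs
    a full extra pass over the wordlist (which is why Pyrit stores PMKs per ESSID).
    """
    return candidates * essids / pmks_per_second


# Copied from the two benchmark listings on this page (CAL++ on AMD, CUDA on GeForce 210).
CALPP_BENCH = """\
Computed 7548.89 PMKs/s total.
#1: 'CAL++ Device #1 'AMD GPU DEVICE'': 5599.3 PMKs/s (RTT 1.4)
#2: 'CPU-Core (SSE2)': 685.6 PMKs/s (RTT 3.0)
#3: 'CPU-Core (SSE2)': 688.5 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 691.9 PMKs/s (RTT 3.0)
"""

CUDA_BENCH = """\
Computed 2744.11 PMKs/s total.
#1: 'CUDA-Device #1 'GeForce 210'': 853.1 PMKs/s (RTT 3.0)
#2: 'CPU-Core (SSE2)': 648.1 PMKs/s (RTT 2.8)
#3: 'CPU-Core (SSE2)': 647.6 PMKs/s (RTT 2.9)
#4: 'CPU-Core (SSE2)': 658.5 PMKs/s (RTT 3.0)
"""

if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", pmk("password", "IEEE").hex())
    for label, text in (("CAL++", CALPP_BENCH), ("CUDA", CUDA_BENCH)):
        total, cores = parse_benchmark(text)
        secs = estimate_seconds(total, ROCKYOU_LINES)
        print("%-5s %8.2f PMKs/s, GPU share %.0f%%, rockyou in %.1f min"
              % (label, total, 100 * gpu_fraction(cores), secs / 60))
```

At 7548.89 PMKs/s the AMD setup works through rockyou in about 32 minutes; the GeForce 210 setup needs about 87, and there the GPU delivers only about 30% of the summed core throughput, so the three CPU cores do most of the work. Pyrit’s “Computed ... total” figure is the measured aggregate and is slightly below the sum of the per-core numbers.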


Pyrit allows you to create massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time trade-off. Exploiting the computational power of many-core and other platforms through ATI-Stream, Nvidia CUDA and OpenCL, it is currently by far the most powerful attack against one of the world’s most used security protocols.

Here’s a great benchmark done with Pyrit and CUDA for different GPU’s

Thanks for reading. If this guide helped you to install the NVIDIA driver kernel module, CUDA and Pyrit on Kali Linux (CUDA, Pyrit and Cpyrit-cuda), please share this article and follow me on Facebook/Twitter.

ah and don’t forget to show off your Pyrit Benchmark. ;)

Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux

Hashcat or cudaHashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. Versions are available for Linux, OSX and Windows, in CPU-based or GPU-based variants. Hashcat or cudaHashcat currently supports a large range of hashing algorithms, including Microsoft LM hashes, MD4, MD5, the SHA family, Unix crypt formats, MySQL, Cisco PIX and many others.

Hashcat or cudaHashcat comes in two main variants:

  1. Hashcat – A CPU-based password recovery tool
  2. oclHashcat or cudaHashcat – A GPU-accelerated tool

Many of the algorithms supported by Hashcat or cudaHashcat can be cracked in a shorter time by using the well-documented GPU-acceleration leveraged in oclHashcat or cudaHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs.

Hashcat or cudaHashcat is available for Linux, OSX and Windows. oclHashcat or cudaHashcat is only available for Linux and Windows due to improper implementations in OpenCL on OSX.

My Setup

My setup is simple. I have an NVIDIA GTX 210 graphics card in my machine running Kali Linux 1.0.6 and will use the rockyou dictionary for this whole exercise. In this post, I will show how to crack a few of the most common hashes:

  1. MD5
  2. MD5 – phpBB
  3. MySQL and
  4. SHA1

I will use two commands for every hash: hashcat and then cudahashcat. Because I am using an NVIDIA GPU, I get to use cudaHashcat. If you’re using an AMD GPU, then I guess you’ll be using oclHashcat. Correct me if I am wrong here!

AMD is currently much faster in terms of GPU cracking, but then again it really depends on your card.

You can generate more hashes or collect them and attempt to crack them. Because I am using a dictionary (it’s just 135MB), I am limited to a selection of passwords. The bigger your dictionary is, the more success you’ll have cracking an unknown hash. There are other ways of cracking them without using a dictionary (such as rainbow tables etc.). I will try to cover and explain as much as I can. Advanced users, I’m sure you already know these, so I would appreciate constructive comments. As always, read the manual and help file before you ask for help. Most of the things are covered in the manuals and wiki available in

A big thanks goes to the Hashcat or cudaHashcat dev team; they are the ones who created and maintained this so well. Kudos!

Getting hashes:

First of all, we need to get our hashes. You can download hash generator applications, but there are online sites that will let you create them. I will use InsidePro, who kindly created a page that allows you to create hashes on the fly and is publicly available. Visit them and feel free to browse their website to understand more about hashes.

The password I am using is simple: abc123

All you need to do is enter this in password field of this page and click on generate.


Cracking hashed MD5 passwords

From the site, I copied the md5 hashed password and put it into a file.

vi md5-1.txt
cat md5-1.txt

MD5 cracking using hashcat and cudahashcat

Now it’s simple: I just typed in the following command and it took a few seconds.

hashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt

Similarly, I can use cudahashcat.

cudahashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt

Cracking hashed MD5 – phpBB passwords

From the site, copy the phpBB hashed password and put it into a file.

vi md5phpbb-1.txt
cat md5phpbb-1.txt

What I didn’t explain in the previous section is how you know which mode or attack code to use. You can type in hashcat --help or cudahashcat --help and read through it. Because I will stick with attack mode 0 (Straight Attack Mode), I just need to adjust the value for -m, where you specify which type of hash it is.

hashcat --help | grep php

So it’s 400

MD5 – phpBB cracking using hashcat and cudahashcat

Let’s adjust our command and run it.

hashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt

and cudahashcat

cudahashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt

Cracking hashed MySQL passwords

Similar step: we get the hash from the website and stick it into a file.

vi mysql-1.txt
cat mysql-1.txt

NOTE: *6691484EA6B50DDDE1926A220DA01FA9E575C18A <– this was the hash from the website; remove the leading * before you save this hash.


First of all, let’s find out the mode we need to use for MySQL password hashes.

hashcat --help | grep My

Ah, I’m not sure which one to use here …

MySQL hashed password cracking using hashcat and cudahashcat

I’ll try 200 and see how that goes …

hashcat -m 200 -a 0 /root/mysql-1.txt /root/rockyou.txt

Nope, not good. Let’s try 300 this time…

hashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt

and cudahashcat

cudahashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt

Cracking hashed SHA1 passwords

Similar step: we get the hash from the website and stick it into a file.

vi sha1-1.txt
cat sha1-1.txt

Let’s find out the mode we need to use for SHA1 password hashes.

hashcat --help | grep SHA1


SHA1 password cracking using hashcat and cudahashcat

We already know what to do next…

hashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt

and cudahashcat

cudahashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt


Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you ran Hashcat, cudaHashcat or oclHashcat from. In my case, I ran all commands from my home directory, which is /root.

cat hashcat.pot


Creating hashes using Kali

As always, great feedback from zimmaro, thanks. See his comment below (I’ve removed IP and email details for obvious reasons).

dude got some massive screen!!! 1920×1080 16:9 HD 1080p!!!

<email truncated>
<ip address truncated>

all always(our-friend):
excellent explanation and thank you for sharing your knowledge / experiences

PS:if I may :-)
some “” basic-hash “” can be generated directly with our KALI
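zimmaro’s point, that the basic hashes can be produced locally, as an added example in Python (my code, not his commands and not the post’s). For the post’s password abc123 it produces the four formats cracked above, each in the form the corresponding hashcat mode expects on a line of the hash file: raw MD5 (-m 0), SHA1 (-m 100), MySQL 4.1+ PASSWORD() (-m 300, SHA1 applied twice; the leading asterisk is stripped as the NOTE above says) and the phpBB3 portable hash (-m 400, the phpass scheme: MD5 iterated 2^11 times over an 8-character salt, encoded with phpass’ own base64 alphabet). Function names and the fixed salt used for illustration are my own.

```python
import hashlib
import os

# Added example, not zimmaro's commands and not the post's own code.
# phpass base64 alphabet (also used to encode the iteration count)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_hex(password: str) -> str:
    """hashcat -m 0: plain unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def sha1_hex(password: str) -> str:
    """hashcat -m 100: plain unsalted SHA1."""
    return hashlib.sha1(password.encode()).hexdigest()


def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper(hex(SHA1(SHA1(pw)))).

    hashcat -m 300 wants the 40 hex characters without the leading '*',
    which is why the post strips it before saving the hash file.
    """
    inner = hashlib.sha1(password.encode()).digest()   # raw bytes, not hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def hashcat_mysql_line(password: str) -> str:
    """The line hashcat -m 300 actually expects (asterisk removed)."""
    return mysql41_hash(password)[1:]


def _phpass_encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant (not RFC 4648): 3 bytes -> 4 chars, LSB first."""
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def phpbb3_hash(password: str, salt=None, count_log2: int = 11) -> str:
    """phpBB3 portable hash ($H$, hashcat -m 400).

    MD5(salt + pw), then MD5(prev + pw) repeated 2**count_log2 times.
    phpBB3 uses count_log2 = 11, so its hashes start with '$H$9'.
    """
    if salt is None:
        salt = _phpass_encode64(os.urandom(6), 6)   # 8 random alphabet chars
    if len(salt) != 8 or not 7 <= count_log2 <= 30:
        raise ValueError("salt must be 8 chars, count_log2 in 7..30")
    h = hashlib.md5((salt + password).encode()).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password.encode()).digest()
    return "$H$" + ITOA64[count_log2] + salt + _phpass_encode64(h, 16)


def phpbb3_verify(password: str, stored: str) -> bool:
    """Recompute with the salt and cost embedded in the stored hash."""
    if not stored.startswith(("$H$", "$P$")) or len(stored) != 34:
        return False
    return phpbb3_hash(password, stored[4:12], ITOA64.index(stored[3])) == stored


if __name__ == "__main__":
    pw = "abc123"   # the password used throughout the post
    print("md5-1.txt:      ", md5_hex(pw))
    print("sha1-1.txt:     ", sha1_hex(pw))
    print("mysql-1.txt:    ", hashcat_mysql_line(pw))
    print("md5phpbb-1.txt: ", phpbb3_hash(pw, salt="abcdefgh"))
```

The contrast between the first three functions and the last one is the whole point of the post’s benchmark numbers: MD5, SHA1 and MySQL’s double SHA1 are unsalted and cost one or two compressions per guess, so a dictionary run over them finishes in seconds, while the phpBB3 format makes each guess cost 2048 MD5 calls and a different salt per user, so a stolen database cannot be attacked with one precomputed table.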



This guide is here to show you how you can crack passwords using the simple attack mode. You might ask why I showed the same command over and over again! Well, by the end of this guide, you will never forget the basics. There’s of course advanced usage, but you need to have strong basics.

I would suggest reading the wiki and manuals from to get a better understanding of rule-based attacks, because that’s the biggest strength of Hashcat. The guys in the Hashcat forums are very knowledgeable and know what they are doing. If you need to know anything, you MUST read the manuals before you go and ask something. Usually RTFM is the first response … so yeah, tread lightly.

Thanks for reading. Feel free to share this article.

Website Password & User Credentials Sniffing/Hacking Using WireShark

Did you know that every time you fill in your username and password on a website and press ENTER, you are sending your password? Well, of course you know that. How else are you going to authenticate yourself to the website? But (yes, there’s a small BUT here), when a website allows you to authenticate using HTTP (plaintext), it is very simple to capture that traffic and later analyze it from any machine on the LAN (and even the Internet). That brings us to this website password hacking guide, which works on any site that uses the HTTP protocol for authentication. To do it over the Internet, you need to be able to sit on a gateway or central hub (BGP routers would do, if you have access and the traffic is routed via them).

But doing it from a LAN is easy, and at the same time makes you wonder how insecure HTTP really is. You could be doing this to your roommate, work network, or even a school, college or university network, assuming the network allows broadcast traffic and your LAN card can be set to promiscuous mode.

So let’s try this on a simple website. I will hide part of the website name (just because they are nice people and I respect their privacy). For the sake of this guide, I will show everything done on a single machine. As for you, try it between two VirtualBox/VMware/physical machines.

P.S. Note that some routers don’t broadcast traffic, so it might fail on those particular ones.

Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to

Application > Kali Linux > Top 10 Security Tools > Wireshark

In Wireshark go to Capture > Interface and tick the interface that applies to you. In my case, I am using a Wireless USB card, so I’ve selected wlan0.

Website Password hacking using WireShark - blackMORE Ops - 1

Ideally you could just press the Start button here and Wireshark will start capturing traffic. In case you missed this, you can always start capturing by going back to Capture > Interface > Start.

Website Password hacking using WireShark - blackMORE Ops - 2

Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing it. I opened a browser and signed in to a website using my username and password. When the authentication process was complete and I was logged in, I went back and stopped the capture in Wireshark.

Usually you see a lot of data in Wireshark. However, we are only interested in POST data.

Why POST only?

Because when you type in your username and password and press the Login button, it generates a POST method (in short, you’re sending data to the remote server).

To filter all traffic and locate POST data, type the following in the filter bar:

http.request.method == "POST"

See screenshot below. It is showing 1 POST event.

Website Password hacking using WireShark - blackMORE Ops - 3

Step 3: Analyze POST data for username and password

Now right-click on that line and select Follow TCP Stream.

Website Password hacking using WireShark - blackMORE Ops - 4

This will open a new window that contains something like this:

HTTP/1.1 302 Found 
Date: Mon, 10 Nov 2014 23:52:21 GMT 
Server: Apache/2.2.15 (CentOS) 
X-Powered-By: PHP/5.3.3 
Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/ 
Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/ 
Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/ 
Location: loggedin.php 
Content-Length: 0 
Connection: close 
Content-Type: text/html; charset=UTF-8

I’ve highlighted the user name and password field.

So in this case,

  1. username: sampleuser
  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91

But hang on, e4b7c855be6e3d4307b8d6ba4cd4ab91 can’t be a real password. It must be a hash value.

Note that some websites don’t hash passwords at all, even during sign-on. For those, you’ve already got the username and password. In this case, let’s go a bit further and identify this hash value.
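What the captured response above tells a defender, as an added example (my code, not the post’s): a small parser for the Set-Cookie headers in a captured HTTP response, run over the response shown above, which flags cookies that carry credential material and cookies missing the HttpOnly and Secure attributes. The sample response is the one from the post, embedded inline; the cookie-name pattern, the over_tls flag and the function names are my assumptions.

```python
import re

# Added example, not part of the original post.
# The response below is the one shown in the post (Follow TCP Stream output),
# embedded here so the audit runs offline.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Date: Mon, 10 Nov 2014 23:52:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
"""

# Assumed naming pattern for cookies that hold identity or credential material.
SENSITIVE_NAMES = re.compile(r"(pass|pwd|secret|token|session|user)", re.I)
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.I)


def parse_set_cookies(raw_response: str) -> list:
    """Return one dict per Set-Cookie header: name, value and attribute map.

    Attributes are lower-cased; flag attributes such as Secure / HttpOnly
    appear as keys with an empty value.
    """
    cookies = []
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        # split off the header name, then split the value on ';'
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append({"name": name.strip(), "value": value, "attrs": attrs})
    return cookies


def audit_cookies(raw_response: str, over_tls: bool = False) -> list:
    """Findings a reviewer would raise about the cookies in this response."""
    findings = []
    for c in parse_set_cookies(raw_response):
        name, value, attrs = c["name"], c["value"], c["attrs"]
        if SENSITIVE_NAMES.search(name):
            kind = "32-hex MD5-shaped hash" if MD5_HEX.match(value) else "value"
            findings.append(f"{name}: credential-bearing cookie carries a {kind}")
            if not over_tls:
                findings.append(f"{name}: sent over plaintext HTTP, readable on the wire")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure (browser will also send it over HTTP)")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_RESPONSE):
        print(finding)
```

Run against the post’s capture, the audit reports exactly what the screenshots show: a cookie literally named password holding an unsalted-looking MD5 digest, a username cookie beside it, and none of the three cookies carrying HttpOnly or Secure. The first two findings are the ones the post exploits; the last two mean that even after the site moves to HTTPS the same cookies would still leak to any plain-HTTP request to the same host, which is the check to add to a review of the fixed site.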

Step 4: Identify hash type

I will use hash-identifier to find out which type of hash it is. Open a terminal, type in hash-identifier and paste the hash value. hash-identifier will give you possible matches.

See screenshot below:

Website Password hacking using WireShark - blackMORE Ops - 6

Now one thing is for sure: we know it’s not a Domain Cached Credential. So it must be an MD5 hash value.

I can crack that using hashcat or cudahashcat.

Step 5: Cracking MD5 hashed password

I can easily crack this simple password using hashcat or similar software.

root@kali:~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
root@kali:~# cudahashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
root@kali:~# cudahashcat32 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
root@kali:~# cudahashcat64 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

Because this was a simple password that existed in my password list, hashcat cracked it very easily.

Cracking password hashes

Website Password hacking using WireShark - blackMORE Ops - 7

Our final outcome looks like this:

  1. username: sampleuser
  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword


Well, to be honest, it’s not possible for every website owner to implement SSL to secure passwords; some SSL certificates cost up to $1500 per URL (well, you can get $10 ones too, but I personally never used those so I can’t really comment). But the least website owners (public ones where anyone can register) should do is implement hashing during the login procedure. That way, at least the password is hashed, and that adds one more hurdle for someone trying to hack a website password easily. Actually it’s a big one, as SSL encryption (theoretically) can take 100+ years to break even with the best supercomputer of today.

Enjoy and use this guide responsibly. Please Share and RT. Thanks.

Router Hack – How to hack ADSL router using NMAP

An asynchronous digital subscriber line (DSL or ADSL) modem is a device used to connect a computer or router to a telephone line which provides the digital subscriber line service for connectivity to the Internet, often called DSL or ADSL broadband. In this guide I will show you how to scan an IP range for connected ADSL or DSL modem routers and find ones that can be reached remotely. This guide applies to Windows, Linux and Mac, so it doesn’t matter what your operating system is; you can try the same steps from all of them. The term DSL or ADSL modem is technically used to describe a modem which connects to a single computer through a USB port or is installed in a computer PCI slot. The more common DSL or ADSL router, which combines the functions of a DSL or ADSL modem and a home router, is a standalone device which can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a residential gateway, a DSL or ADSL router usually manages the connection and sharing of the DSL or ADSL service in a home or small office network.

Put this together with Wireshark sniffing of HTTP websites and you’ve got a nightmare for the user behind that router, as all their passwords and details can be tracked very easily.

What’s in a DSL ADSL Router?

A DSL or ADSL router consists of a box which has an RJ11 jack to connect to a standard subscriber telephone line. It has several RJ45 jacks for Ethernet cables to connect it to computers or printers, creating a local network. It usually also has a USB jack which can be used to connect to computers via a USB cable, to allow connection to computers without an Ethernet port. A wireless DSL or ADSL router also has antennas to allow it to act as a wireless access point, so computers can connect to it forming a wireless network. Power is usually supplied by a cord from a wall wart transformer. It usually has a series of LED status lights which show the status of parts of the DSL or ADSL communications link:

  1. Power light – indicates that the modem is turned on and has power.
  2. Ethernet lights – There is usually a light over each Ethernet jack. A steady (or sometimes flashing) light indicates that the Ethernet link to that computer or device is functioning
  3. DSL or ADSL light – a steady light indicates that the modem has established contact with the equipment in the local telephone exchange (DSL or ADSLAM) so the DSL or ADSL link over the telephone line is functioning
  4. Internet light – a steady light indicates that the IP address and DHCP protocol are initialized and working, so the system is connected to the Internet
  5. Wireless light – only in wireless DSL or ADSL modems, this indicates that the wireless network is initialized and working

Almost every ADSL/DSL modem router provides a management web page, available via the internal network (LAN, local area network), for device management, configuration and status reporting. You are supposed to log in to the management web page and configure the username/password combination provided by your ISP (Internet service provider), which then allows you to connect to the Internet. The network is divided into two parts:

External Network

External network indicates the part where the ADSL/DSL modem router connects to the upstream provider for Internet connectivity. Once connected to the ISP via a phone line (ADSL/DSL modem routers can use conventional copper phone lines to connect to the ISP at a much higher speed), the router gets an IP address. This is usually a publicly routable IP address which is reachable from the whole world.

Internal Network

Internal network indicates the part where devices on the local area network connect to the ADSL/DSL modem router via either wireless or Ethernet cable. Most modern DSL/ADSL modem routers run a DHCP server internally which assigns an internal IP address to the connected device. When I say device, this can be anything from a conventional computer, a laptop, a phone (Android, Apple, Nokia or Blackberry etc.), a smart TV, a car, NAS, SAN, an orange, a banana, a cow, a dragon, Harry Potter … I mean anything that’s able to connect to the Internet! So you get the idea. Each device gets its own IP address, a gateway IP and DNS entries. Depending on the DSL/ADSL modem router this can be slightly different, but the idea remains the same: the DSL/ADSL router allows users to share Internet connectivity. These DSL/ADSL modem routers are like miniature gateway devices that can have many services running on them. Usually they all run BusyBox or similar proprietary Linux applications. You want to know what a DSL/ADSL router can do? Here’s a list of common services that can run on a DSL/ADSL modem router:

  1. ADSL2 and/or ADSL2+ support
  2. Antenna/ae (wireless)
  3. Bridge/Half-bridge mode
  4. Cookie blocking
  5. DHCP server
  6. DDNS support
  7. DoS protection
  8. Switching
  9. Intrusion detection
  10. LAN port rate limiting
  11. Inbuilt firewall
  12. Inbuilt or Free micro-filter
  13. Java/ActiveX applet blocking
  14. Javascript blocking
  15. MAC address filtering
  16. Multiple public IP address binding
  17. NAT
  18. Packet filter
  19. Port forwarding/port range forwarding
  20. POP mail checking
  21. QoS (especially useful for VoIP applications)
  22. RIP-1/RIP-2
  23. SNTP facility
  24. SPI firewall
  25. Static routing
  26. So-called “DMZ” facility
  27. RFC1483 (bridged/routed)
  28. IPoA
  29. PPPoE
  30. PPPoA
  31. Embedded PPPoX login clients
  32. Parental controls
  33. Print server inbuilt
  34. Scheduling by time/day of week
  35. USB print server
  36. URL blocking facility
  37. UPnP facility
  38. VPN pass-through
  39. Embedded VPN servers
  40. WEP 64/128/256 bit (wireless security)
  41. WPA (wireless security)
  42. WPA-PSK (wireless security)

That’s a lot of services running on a small device, configured by nanny, granny, uncle, aunt and the next-door neighbour; in short, by many non-technical people around the world. How many of those are configured badly? Left ports open left, right and centre? Didn’t change the default admin password? Many! I mean MANY! In this guide we will use nmap to scan a range of IP addresses, and from the output we will determine which are DSL/ADSL routers that have left their management ports open to the external network (again, read the top section to know which one is the external network). A typical ADSL router’s management interface is available via the following URL:

This is the management page for the DSL/ADSL modem router and it’s always protected by a password. By default, this password is printed on a sticker underneath the DSL/ADSL modem router and is one of these combinations: Username/Password


A lot of home users don’t change this password. Well, that’s OK. It doesn’t hurt much, because this page is only available via a connected device. But what’s not OKAY is when users open up their management interface to the external network. All you need to know is the public IP address of your target, and then try to access this management page externally.

Installing NMAP

I use Kali Linux, which comes with NMAP preinstalled. If you are using Windows or Mac (or any other flavour of Linux), go to the following website to download and install NMAP.

Linux Installation:

For Ubuntu, Debian or other apt-based systems, NMAP is usually available via the default repository. Install NMAP using the following command:

sudo apt-get install nmap

For YUM Based systems such as Redhat, CentOS, install via

sudo yum install nmap

For PACMAN based systems such as Arch Linux, install via

sudo pacman -S nmap

Windows Installation:

For Windows computers, download the installer and run the executable. Link:

Mac Installation:

For Mac users, download the installer and install it. Link:

Official NMAP site

You can read more about NMAP here:

Search for Vulnerable Routers

Now that we have NMAP sorted, we are going to run the following command to scan for ADSL Modem Routers based on their Banner on Port 80 to start our ADSL router hack. All you need is to pick an IP range. I’ve used an example below using range.

Search from Linux using command Line

In Linux run the following command:

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In Windows or Mac open NMAP and copy paste this line:

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG -

Once it finds the results, search for the word ‘open’ to narrow them down. A typical Linux NMAP command would return output like below (and of course I’ve changed the IP details):

Host: ()  Ports: 80/open/tcp//tcpwrapped///
Host: ()  Ports: 80/open/tcp//http//micro_httpd/
Host: ()  Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/
Host: () Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//ssl|http//thttpd/
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: () Ports: 80/open/tcp//http//Apache httpd/
Host: () Ports: 80/open/tcp//http//micro_httpd/
Host: ()        Ports: 80/open/tcp//http?///
Host: ()        Ports: 80/open/tcp//http?///
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//micro_httpd/
Host: ()        Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: ()        Ports: 80/open/tcp//http?///
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/

This was taking a long time (we are, after all, trying to scan 256 hosts with the command above). Being impatient, I wanted to check whether my Kali Linux box was actually doing anything. I used the following command in a separate terminal to monitor what my PC was doing… it was doing a lot…

tcpdump -ni eth0

That’s a lot of connected hosts with TCP port 80 open. Some got ‘tcpwrapped’ marked on them. It means they are possibly not accessible: nmap reports tcpwrapped when the TCP handshake completes but the service closes the connection without sending any data, typically because a TCP wrapper or firewall rule rejected our source address.

Search from Windows, Mac or Linux using GUI – NMAP or Zenmap

Assuming you got the NMAP installation sorted, you can now open NMAP (in Kali Linux or a similar Linux distro, you can use Zenmap, which is the cross-platform GUI version of NMAP). Copy and paste the following line into the Command field:

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG -

Another version of this command uses a different representation of the subnet mask.

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG -

Press the SCAN button and wait a few minutes until the scan is over.

Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 4

Once you have some results, you need to find the devices with open ports. On the search result page:

  1. Click on Services Button
  2. Click on http Service
  3. Click on Ports/Hosts TAB (Twice to sort them by status)

As you can see, I’ve found a few devices with open http port 80.

Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 5

It is quite amazing how many devices have ports open facing the outer DMZ.

Access Management Webpage

Pick one at a time. For example, try this:

You get the idea. If it opens a web page asking for a username and password, try one of the following combinations:


If you can find the router’s model number and make, you can find the exact username and password from this webpage: Before we finish up, I am sure you were already impatient like me, as a lot of the routers had ‘tcpwrapped’ on them, which was actually stopping us from accessing the web management interface. The following command will exclude those devices from our search. I’ve also expanded my search to a broader range using a slightly different subnet mask.

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In this command I am using a /22 subnet mask with two specific filters: I am looking for the word ‘open’ and excluding ‘tcpwrapped’ from my output. As you can see, I still get a lot of results.
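The grep pipeline above, as an added example (my code, not the post’s): a parser for nmap’s grepable (-oG) output that applies the same filter, open ports minus tcpwrapped, but keeps the records structured so the exposed management interfaces can be grouped by banner and handed to whoever has to close them. The sample lines are constructed to match the post’s redacted output, using documentation-range addresses (192.0.2.0/24); the function names are mine.

```python
import re
from collections import Counter

# Added example, not part of the original post.
# Constructed sample in nmap -oG format (tab between the host and Ports fields,
# one "port/state/proto/owner/service/rpc/version/" entry per port, comma-separated).
# Addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_GREPABLE = """\
# Nmap 6.x scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//tcpwrapped///
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http//micro_httpd/
Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 192.0.2.13 ()\tPorts: 80/open/tcp//http?///
Host: 192.0.2.14 ()\tPorts: 80/closed/tcp//http///
Host: 192.0.2.15 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/, 443/open/tcp//ssl|http//thttpd/\tIgnored State: filtered (998)
# Nmap done (constructed sample)
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
# port entries are separated by ", " and each starts with a port number
PORT_ENTRY_SPLIT = re.compile(r",\s+(?=\d+/)")


def parse_grepable(text: str) -> list:
    """One dict per (host, port) from -oG output; comment and status lines are skipped."""
    records = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        ports_field = rest.split("\t", 1)[0]          # drop "Ignored State: ..."
        for entry in PORT_ENTRY_SPLIT.split(ports_field.strip()):
            fields = (entry.split("/") + [""] * 7)[:7]
            port, state, proto, _owner, service, _rpc, version = fields
            records.append({
                "ip": ip,
                "hostname": hostname,
                "port": int(port),
                "state": state,
                "proto": proto,
                # -oG replaces '/' with '|' inside these fields; restore it
                "service": service.replace("|", "/"),
                "version": version.replace("|", "/"),
            })
    return records


def exposed_web_interfaces(records: list) -> list:
    """Same filter as `grep 'open' | grep -v 'tcpwrapped'`, per port entry."""
    return [r for r in records if r["state"] == "open" and r["service"] != "tcpwrapped"]


def banner_summary(records: list) -> Counter:
    """Count exposed interfaces by product banner (or service name when unversioned)."""
    return Counter(r["version"] or r["service"] for r in exposed_web_interfaces(records))


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_GREPABLE)
    for r in exposed_web_interfaces(recs):
        print(f"{r['ip']}:{r['port']}  {r['service']:10s} {r['version']}")
    print(banner_summary(recs).most_common())
```

Grouping by banner is what turns a scan into an action list: the embedded web servers (micro_httpd, RomPager, thttpd) are the router management pages the post is looking for, and each such entry means a device whose owner needs remote administration turned off, while an Apache or IIS banner is a real server that belongs on a different list entirely. The grep pipeline cannot tell the two apart; the structured records can.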


You’ll be surprised how many have default usernames and passwords enabled. Once you get access to a router, you can do a lot more, like DNS hijacking or stealing usernames and passwords (for example social media credentials: Facebook, Twitter, webmail etc.) using tcpdump/snoop on the router’s interface, and many more things …

There are many things you can do after you’ve got access to a router. You can change DNS settings, set up a tcpdump and later snoop all plaintext passwords using Wireshark etc. If you know a friend, family member, colleague or neighbour who didn’t change their router’s default password, let them know of the risks.

But I am not here to judge whether it should be done or not; this is definitely a way to gain access to a router. So hacking is not always bad; it is sometimes required when you lose access or a system just wouldn’t respond. As a pentester, you should raise awareness. Share this guide, as anyone who uses Linux, Windows or Mac can use it to test their own network and fix the issue.

Hack PDF Password By ParanoiDF PDF Analysis Tool

ParanoiDF is a PDF Analysis Suite based on PeePDF by Jose Miguel Esparza. The tools/features that have been added are – Password cracking, redaction recovery, DRM removal, malicious JavaScript extraction, and more.


These are only the newly added features, not the original peepdf features which can be found here.

crackpw – This executes Nacho Barrientos Arias’s PDFCrack tool by performing an OS call. The command allows the user to input a custom dictionary, perform a benchmark or continue from a saved state file. If no custom dictionary is input, this command will attempt to brute force a password using a modifiable charset text file in directory “ParanoiDF/pdfcrack”.

decrypt – This uses an OS call to Jay Berkenbilt’s “QPDF” which decrypts the PDF document and outputs the decrypted file. This requires the user-password.
encrypt – Encrypts an input PDF document with any password you specify. Uses 128-bit RC4 encryption.

embedf – Create a blank PDF document with an embedded file. This is for research purposes to show how files can be embedded in PDFs. This command imports Didier Stevens script as a module.

embedjs – Similar to “embedf”, but embeds a custom JavaScript file inside a new blank PDF document. If no custom JavaScript file is input, a default app.alert message box is embedded.

extractJS – This attempts to extract any embedded JavaScript in a PDF document. It does this by importing Blake Hartstein’s Jsunpackn’s “” JavaScript tool as a module, then executing it on the file.

redact – Generate a list of words that will fit inside a redaction box in a PDF document. The words (with a custom sentence) can then be parsed in a grammar parser and a custom amount can be displayed depending on their score. This command requires a tutorial to use. Please read “redactTutorial.pdf” in directory “ParanoiDF/docs”.

removeDRM – Remove DRM (editing, copying etc.) restrictions from PDF document and output to a new file. This does not need the owner-password and there is a possibility the document will lose some formatting. This command works by calling Kovid Goyal’s Calibre’s “ebook-convert” tool.


  • In order to crack passwords:
    • PdfCrack needed (apt-get install pdfcrack)
  • In order to remove DRM (editing, copying Etc.):
    • Calibre’s ebook-convert needed (apt-get install calibre)
  • In order to decrypt PDFs:
    • qpdf needed (apt-get install qpdf)
  • In order to use the command redact:
    • NLTK (Natural Language ToolKit) needed (apt-get install python-nltk)
    • Java (Stanford parser is written in Java) needed (apt-get install default-jre)

Programs can be downloaded here: and here:

OclHashCat – The World’s Fastest Password Cracker

OclHashcat is a GPGPU-based multi-hash cracker supporting brute-force (implemented as mask attack), combinator, dictionary, hybrid, mask and rule-based attacks. This tool is available for Windows and Linux and should work on both 32- and 64-bit versions.

GPU Driver requirements:
1. NV users require ForceWare 331.67 or later
2. AMD users require Catalyst 14.4 or later

This GPU cracker is a merged version of oclHashcat-plus and oclHashcat-lite, both very well-known suites at the time but now deprecated. There also existed a now very old oclHashcat GPU cracker that was replaced with plus and lite, which, as said, were then merged into oclHashcat 1.00 again.

World’s fastest password cracker
World’s first and only GPGPU-based rule engine
Multi-GPU (up to 128 GPUs)
Multi-Hash (up to 100 million hashes)
Multi-OS (Linux & Windows native binaries)
Multi-Platform (OpenCL & CUDA support)
Multi-Algo (see below)
Low resource utilization, you can still watch movies or play games while cracking
Focuses on highly iterated modern hashes
Focuses on dictionary-based attacks
Supports distributed cracking
Supports pause / resume while cracking
Supports sessions
Supports restore
Supports reading words from file
Supports reading words from stdin
Supports hex-salt
Supports hex-charset
Built-in benchmarking system
Integrated thermal watchdog
100+ Algorithms implemented with performance in mind
… and much more


Straight *
Hybrid dict + mask
Hybrid mask + dict
* accept Rules


  • SHA-3 (Keccak)
  • GOST R 34.11-94
  • HMAC-MD5 (key = $pass)
  • HMAC-MD5 (key = $salt)
  • HMAC-SHA1 (key = $pass)
  • HMAC-SHA1 (key = $salt)
  • HMAC-SHA256 (key = $pass)
  • HMAC-SHA256 (key = $salt)
  • HMAC-SHA512 (key = $pass)
  • HMAC-SHA512 (key = $salt)
  • Kerberos 5 AS-REQ Pre-Auth etype 23
  • AIX {smd5}
  • AIX {ssha1}
  • AIX {ssha256}
  • AIX {ssha512}
  • OpenBSD Blowfish
  • OSX v10.4
  • OSX v10.5
  • OSX v10.6
  • OSX v10.7
  • OSX v10.8
  • OSX v10.9
  • Juniper Netscreen/SSG (ScreenOS)
  • Samsung Android Password/PIN
  • 1Password, cloudkeychain
  • 1Password, agilekeychain
  • Password Safe SHA-256
  • TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES
  • TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES
  • TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES
  • TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + boot-mode
  • TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + hidden-volume
  • TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES + hidden-volume
  • TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES + hidden-volume
  • TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + hidden-volume + boot-mode
  • Citrix Netscaler
  • Apache MD5-APR
  • Woltlab Burning Board
  • Half MD5 (left, mid, right)
  • Double MD5
  • Double SHA1

oclHashcat options:

oclHashcat, advanced password recovery

Usage: oclHashcat [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...


* General:

  -m,  --hash-type=NUM               Hash-type, see references below
  -a,  --attack-mode=NUM             Attack-mode, see references below
  -V,  --version                     Print version
  -h,  --help                        Print help
       --eula                        Print EULA
       --quiet                       Suppress output

* Benchmark:

  -b,  --benchmark                   Run benchmark
       --benchmark-mode=NUM          Benchmark-mode, see references below

* Misc:

       --hex-salt                    Assume salt is given in hex
       --hex-charset                 Assume charset is given in hex
       --force                       Ignore warnings
       --status                      Enable automatic update of the status-screen
       --status-timer=NUM            Seconds between status-screen update

* Markov:

       --markov-hcstat=FILE          Specify hcstat file to use, default is hashcat.hcstat
       --markov-disable              Disables markov-chains, emulates classic brute-force
       --markov-classic              Enables classic markov-chains, no per-position enhancement
  -t,  --markov-threshold=NUM        Threshold when to stop accepting new markov-chains

* Session:

       --runtime=NUM                 Abort session after NUM seconds of runtime
       --session=STR                 Define specific session name
       --restore                     Restore session from --session
       --restore-timer=NUM           Save restore file each NUM seconds
       --disable-restore             Do not write restore file

* Files:

  -o,  --outfile=FILE                Define outfile for recovered hash
       --outfile-format=NUM          Define outfile-format for recovered hash, see references below
  -p,  --separator=CHAR              Define separator char for hashlists and outfile
       --show                        Show cracked passwords only
       --left                        Show un-cracked passwords only
       --username                    Enable ignoring of usernames in hashfile (recommended: also use --show)
       --remove                      Enable remove of hash once it is cracked
       --disable-potfile             Do not write potfile

* Resources:

  -c,  --segment-size=NUM            Size in MB to cache from the wordfile
       --cpu-affinity=STR            Locks to CPU devices, seperate with comma
       --gpu-async                   Use non-blocking async calls (NV only)
  -d,  --gpu-devices=STR             Devices to use, separate with comma
  -n,  --gpu-accel=NUM               Workload tuning: 1, 8, 40, 80, 160
  -u,  --gpu-loops=NUM               Workload fine-tuning: 8 - 1024
       --gpu-temp-disable            Disable temperature and fanspeed readings and triggers
       --gpu-temp-abort=NUM          Abort session if GPU temperature reaches NUM degrees celsius
       --gpu-temp-retain=NUM         Try to retain GPU temperature at NUM degrees celsius (AMD only)

* Rules:

  -j,  --rule-left=RULE              Single rule applied to each word from left dict
  -k,  --rule-right=RULE             Single rule applied to each word from right dict
  -r,  --rules-file=FILE             Rules-file, multi use: -r 1.rule -r 2.rule
  -g,  --generate-rules=NUM          Generate NUM random rules
       --generate-rules-func-min=NUM Force NUM functions per random rule min
       --generate-rules-func-max=NUM Force NUM functions per random rule max
       --cleanup-rules               Saves all working rules to disk and removes the others, while creating a backup file

* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets
  -2,  --custom-charset2=CS          Example:
  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef
  -4,  --custom-charset4=CS          -2 mycharset.hcchr : sets charset ?2 to chars contained in file

* Increment:

  -i,  --increment                   Enable increment mode
       --increment-min=NUM           Start incrementing at NUM
       --increment-max=NUM           Stop incrementing at NUM


* Benchmark Settings:

    0 = Manual Tuning
    1 = Performance Tuning, default

* Outfile Formats:

    1 = hash[:salt]
    2 = plain
    3 = hash[:salt]:plain
    4 = hex_plain
    5 = hash[:salt]:hex_plain
    6 = plain:hex_plain
    7 = hash[:salt]:plain:hex_plain

* Built-in charsets:

   ?l = abcdefghijklmnopqrstuvwxyz
   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
   ?d = 0123456789
   ?a = ?l?u?d?s
   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

* Attack modes:

    0 = Straight
    1 = Combination
    3 = Brute-force
    6 = Hybrid dict + mask
    7 = Hybrid mask + dict

* Generic hash types:

    0 = MD5
   10 = md5($pass.$salt)
   20 = md5($salt.$pass)
   30 = md5(unicode($pass).$salt)
   40 = md5($salt.unicode($pass))
   50 = HMAC-MD5 (key = $pass)
   60 = HMAC-MD5 (key = $salt)
  100 = SHA1
  110 = sha1($pass.$salt)
  120 = sha1($salt.$pass)
  130 = sha1(unicode($pass).$salt)
  140 = sha1($salt.unicode($pass))
  150 = HMAC-SHA1 (key = $pass)
  160 = HMAC-SHA1 (key = $salt)
  190 = sha1(LinkedIn)
  300 = MySQL
  400 = phpass, MD5(WordPress), MD5(phpBB3)
  500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
  900 = MD4
 1000 = NTLM
 1100 = Domain Cached Credentials, mscash
 1400 = SHA256
 1410 = sha256($pass.$salt)
 1420 = sha256($salt.$pass)
 1430 = sha256(unicode($pass).$salt)
 1440 = sha256($salt.unicode($pass))
 1450 = HMAC-SHA256 (key = $pass)
 1460 = HMAC-SHA256 (key = $salt)
 1500 = descrypt, DES(Unix), Traditional DES
 1600 = md5apr1, MD5(APR), Apache MD5
 1700 = SHA512
 1710 = sha512($pass.$salt)
 1720 = sha512($salt.$pass)
 1730 = sha512(unicode($pass).$salt)
 1740 = sha512($salt.unicode($pass))
 1750 = HMAC-SHA512 (key = $pass)
 1760 = HMAC-SHA512 (key = $salt)
 1800 = sha512crypt, SHA512(Unix)
 2100 = Domain Cached Credentials2, mscash2
 2400 = Cisco-PIX MD5
 2500 = WPA/WPA2
 2600 = Double MD5
 3000 = LM
 3100 = Oracle 7-10g, DES(Oracle)
 3200 = bcrypt, Blowfish(OpenBSD)
 5000 = SHA-3(Keccak)
 5100 = Half MD5
 5200 = Password Safe SHA-256
 5300 = IKE-PSK MD5
 5400 = IKE-PSK SHA1
 5500 = NetNTLMv1-VANILLA / NetNTLMv1+ESS
 5600 = NetNTLMv2
 5700 = Cisco-IOS SHA256
 5800 = Samsung Android Password/PIN
 6000 = RipeMD160
 6100 = Whirlpool
 621Y = TrueCrypt 5.0+ PBKDF2-HMAC-RipeMD160
 622Y = TrueCrypt 5.0+ PBKDF2-HMAC-SHA512
 623Y = TrueCrypt 5.0+ PBKDF2-HMAC-Whirlpool
 624Y = TrueCrypt 5.0+ PBKDF2-HMAC-RipeMD160 boot-mode
 6300 = AIX {smd5}
 6400 = AIX {ssha256}
 6500 = AIX {ssha512}
 6600 = 1Password
 6700 = AIX {ssha1}
 6800 = Lastpass
 6900 = GOST R 34.11-94
 7100 = OSX v10.8
 7200 = GRUB 2
 7400 = sha256crypt, SHA256(Unix)
 7500 = Kerberos 5 AS-REQ Pre-Auth etype 23

* Specific hash types:

   11 = Joomla
   21 = osCommerce, xt:Commerce
  101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
  111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
  112 = Oracle 11g
  121 = SMF > v1.1
  122 = OSX v10.4, v10.5, v10.6
  131 = MSSQL(2000)
  132 = MSSQL(2005)
  141 = EPiServer 6.x < v4
 1441 = EPiServer 6.x > v4
 1711 = SSHA-512(Base64), LDAP {SSHA512}
 1722 = OSX v10.7
 1731 = MSSQL(2012)
 2611 = vBulletin < v3.8.5
 2711 = vBulletin > v3.8.5
 2811 = IPB2+, MyBB1.2+
 62XY = TrueCrypt 5.0+
   X  = 1 = PBKDF2-HMAC-RipeMD160
   X  = 2 = PBKDF2-HMAC-SHA512
   X  = 3 = PBKDF2-HMAC-Whirlpool
   X  = 4 = PBKDF2-HMAC-RipeMD160 boot-mode
   Y  = 1 = XTS AES

More information can be found at:

MOSCRACK Perl Application Tool For Cracking WPA Keys

Moscrack (Multifarious On-demand Systems Cracker) is a Perl application designed to facilitate cracking WPA keys in parallel on a group of computers.

This is accomplished by use of either Mosix clustering software, SSH or RSH access to a number of nodes. With Moscrack’s new plugin framework, hash cracking has become possible. SHA256/512, DES, MD5 and Blowfish Unix password hashes can all be processed with the Dehasher Moscrack plugin.

Some of Moscrack’s features:

  • Basic API allows remote monitoring
  • Automatic and dynamic configuration of nodes
  • Live CD/USB enables boot and forget dynamic node configuration
  • Can be extended by use of plugins
  • Uses aircrack-ng (including 1.2 Beta) by default
  • CUDA/OpenCL support via Pyrit plugin
  • CUDA support via aircrack-ng-cuda (untested)
  • Does not require an agent/daemon on nodes
  • Can crack/compare SHA256/512, DES, MD5 and blowfish hashes via Dehasher plugin
  • Checkpoint and resume
  • Easily supports a large number of nodes
  • Designed to run for long periods of time
  • Doesn’t exit on errors/failures when possible
  • Supports mixed OS/protocol configurations
  • Supports SSH, RSH, Mosix for node connectivity
  • Effectively handles mixed fast and slow nodes or links
  • Architecture independent
  • Supports Mosix clustering software
  • Supports all popular operating systems as processing nodes
  • Node prioritization based on speed
  • Nodes can be added/removed/modified while Moscrack is running
  • Failed/bad node throttling
  • Hung node detection
  • Reprocessing of data on error
  • Automatic performance analysis and tuning
  • Intercepts INT and TERM signals for clean handling
  • Very verbose, doesn’t hide anything, logs aggressively
  • Includes a “top” like status viewer
  • Includes CGI web status viewer
  • Includes an optional basic X11 GUI

More information can be found at:

PixieWPS – An Offline Bruteforce WPS Pin Exploiting Tool


Pixiewps is a tool written in C used to brute-force the WPS PIN offline, exploiting the low or non-existent entropy of some APs (the pixie-dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.


Pixiewps requires libssl. To install it:

    sudo apt-get install libssl-dev


Pixiewps can be built and installed by running:

    ~/pixiewps$ cd src
    ~/pixiewps/src$ make
    ~/pixiewps/src$ sudo make install


 Usage: pixiewps <arguments>

 Required Arguments:

    -e, --pke           : Enrollee public key
    -r, --pkr           : Registrar public key
    -s, --e-hash1       : Enrollee Hash1
    -z, --e-hash2       : Enrollee Hash2
    -a, --authkey       : Authentication session key

 Optional Arguments:

    -n, --e-nonce       : Enrollee nonce (mode 2,3,4)
    -m, --r-nonce       : Registrar nonce
    -b, --e-bssid       : Enrollee BSSID
    -S, --dh-small      : Small Diffie-Hellman keys (PKr not needed)   [No]
    -f, --force         : Bruteforce the whole keyspace (mode 4)       [No]
    -v, --verbosity     : Verbosity level 1-3, 1 is quietest            [2]

    -h, --help          : Display this usage screen


    -e, --pke

        Enrollee's DH public key, found in M1.

    -r, --pkr

        Registrar's DH public key, found in M2 or can be avoided by specifying
        small Diffie-Hellman keys in both Reaver and Pixiewps.

    -s, --e-hash1

        Enrollee Hash-1, found in M3.

    -z, --e-hash2

        Enrollee Hash-2, found in M3.

    -a, --authkey

        Registration Protocol authentication session key. Although for this parameter a
        modified version of Reaver or Bully is needed, it can be avoided by specifying
        small Diffie-Hellman keys in both Reaver and Pixiewps and supplying --e-nonce,
        --r-nonce and --e-bssid.

    -n, --e-nonce

        Enrollee's nonce, found in M1.

    -m, --r-nonce

        Registrar's nonce, found in M2.

    -b, --e-bssid

        Enrollee's BSSID.

    -S, --dh-small

        Small Diffie-Hellman keys. The same option MUST be specified on Reaver
        (1.3 or later versions) too.

    -f, --force

        Force Pixiewps to bruteforce the whole keyspace for mode 4.
        It could take up to several minutes to complete.

    -v, --verbosity

        Verbosity level (1-3). Level 3 displays the most information.

    -h, --help

        Display usage screen.

More information can be found at:

UNIQPASS v15 – Large password list


UNIQPASS is a large password list for use with John the Ripper (JtR) wordlist mode to translate a large number of hashes, e.g. MD5 hashes, into cleartext passwords. While we have had a good success rate with our standard password list passwords.txt, we found that the list can be made more useful and relevant by including commonly used passwords from the recently leaked databases that have been made public. As a result, we have compiled millions of these unique passwords into UNIQPASS. Such a list is especially handy for pentesters performing a comprehensive password audit and also for IT administrators exposing insecure passwords used by their users.


Version 15 released on January 10, 2015 with 243,779,397 entries
1. For use with JtR wordlist mode with --rules set
2. All passwords are unique and listed in sorted order according to their native byte values using the UNIX sort command
3. 192,916 of the passwords (UNIQPASS v1) came from an English dictionary
4. The remaining passwords were collected from leaked databases from various websites (including major sites, e.g. Sony Pictures, Gawker)
5. Maximum password length is 30 characters
6. Passwords may consist of a-z, 0-9, spaces and the special characters ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] | \ : ; " ' < , > . ? /
7. UNIX end-of-line character is used as the newline character
8. Trailing spaces, trailing tabs and NULL bytes have been removed from all passwords
9. List compressed size is 435.8 MB, i.e. the downloadable size
10. The total unmangled entries, 243,779,397, is based on UNIX wc -l output


In the following test, we compare the success rate of JtR wordlist cracking mode against a list of 551,638 MD5 hashes using our standard password list passwords.txt vs. UNIQPASS v15. We use the JtR 1.8.0 community-enhanced version for this test. The hashes are passwords for accounts from several leaked databases published by LulzSec back in June 2011.

$ john --format=raw-MD5 --wordlist=passwords.txt --rules hashes.txt
$ john --format=raw-MD5 --show hashes.txt
219722 password hashes cracked, 331916 left
passwords.txt cracked 40% of the hashes using JtR wordlist mode with rules enabled.
$ john --format=raw-MD5 --wordlist=uniq.txt --rules hashes.txt
$ john --format=raw-MD5 --show hashes.txt
515260 password hashes cracked, 36378 left
UNIQPASS v15 cracked 93% of the hashes using JtR wordlist mode with rules enabled.

Upon completing a dictionary attack (wordlist mode), the next step is to resume the same session with JtR incremental mode, leaving it to run for a couple of hours or until we achieve a desirable yield. This can be done with e.g. john --format=raw-MD5 --incremental --max-run-time=3600 hashes.txt.

More information can be found on:

Break That Hash with HashCat

Break That Hash

When the Bitcoin mining craze hit its peak, people felt the tug to join this new community and make some easy money. The concepts behind Bitcoin mining intrigued me, in particular the new use of graphics processors (GPUs). With a moderately expensive video card, you could bring in enough money to pay off your initial investment and your electricity bill in a relatively short time.

Then Bitcoin tanked. That’s okay though, because I hadn’t gotten around to building my mining rig yet, and what’s more, I found an even more interesting use for Bitcoin mining hardware: password cracking. Bitcoin mining and password cracking are quite similar operations, and a GPU can crack passwords much faster than a CPU or even a small cluster of CPUs. In this article we explain how to set up and use a password-cracking computer. In this first piece, we focus on the principles behind password cracking and the overall hardware setup. We’ll cover the specific attacks and command-line examples in the following article.

Legitimate Reasons to Crack Passwords

Before we get started, let’s admit that there are some pretty shady reasons to crack passwords. Every so often you will hear a story of a Web site that was hacked, a password database that was compromised and the thousands of weak passwords that were discovered. Often people get into password cracking because they are trying to break into someone else’s system, or they already broke into someone’s system, stole their password hashes and are cracking the passwords so they can attack yet another system.

That said, like with lock picking, there are legitimate reasons to crack passwords, particularly for a sysadmin or Webmaster:

  • Test local users’ password strength.
  • Prove that users follow your password policy.
  • Understand what your password policy should be.
  • Cryptography is interesting.
  • Bitcoin mining is no longer profitable.

In fact, many Linux systems will run a basic dictionary attack when you change your password to evaluate how weak it is. Although it’s true that these days most password systems will not allow users to enter passwords that don’t fit the password policy, some systems simply let users know their passwords are weak but store them anyway. In either case, it makes sense to audit your passwords at a company just to ensure that a random hacker with a $300 video card can’t crack your passwords in a day or two. When you put yourself in the role of the password cracker, you’ll start to realize which passwords are easy to crack and which ones are almost impossible, and that will help inform you when it’s time to update your password policy.

An Introduction to Password Hashes

Password hashes were created to solve a particularly tricky problem. If users must enter passwords to log in, you have to store those passwords on the system somehow. How do you store those passwords so that they’re not plain text, yet when users enter their passwords, you can tell that they are correct? The solution is to store passwords as one-way hashes. The idea behind a one-way hash is that it is relatively easy to turn an input into its hash, but almost impossible to convert the hash back to the original input. If you’ve ever downloaded a Linux .iso and run md5sum on it to make sure it matched the original, you were using a very popular one-way hashing algorithm, MD5. Other popular one-way hashes include the SHA family (SHA1, SHA256 and SHA512), and phpass is the modern default for PHP-based sites like WordPress.

When you log in to a Linux system, the password you enter gets converted into a hash with the same algorithm originally used when you first set your password. The system compares this new hash with the hash it has stored on the system, and if they match, it assumes you entered the correct password and you are logged in. So for instance, on a modern PHP site, if your password was 123456, it might get stored as $P$BPlIiO5xdHmThnjjSyJ1jBICfPkpay1.

How Password Cracking Works

On a very basic level, password cracking works much like a regular login. You take a password guess, run it through a hashing algorithm and compare it to the existing hash. If it matches, you cracked the password. The main difference between cracking and a regular login is that you are doing hundreds of thousands if not millions of these comparisons a second.

/etc/passwd and /etc/shadow

The most important thing you need before you crack a password is the password hash. Because we are talking about perfectly legitimate uses of password cracking, this is simple. After all, you should have root access on your own systems or databases, and it should be easy to retrieve the password hashes. In the case of Linux logins, these password hashes used to be stored in /etc/passwd. That seems like a logical place to store passwords on a Linux system. The problem is, that file also stored the user names and user IDs in use on the system, and because of that, the file needs to be world-readable. Back when passwords were stored in that file, any local user could pull the full list of password hashes and start cracking. These days, Linux stores the password hashes in /etc/shadow, where they are readable only by root. In the case of Web site passwords, the hashes usually are stored either somewhere on the filesystem itself or often in a special user table in a database.

The second important thing you need is to know what hashing algorithm was used for those hashes. Without that, you won’t know what type of hashing algorithm to use for your attack. In the case of login hashes, the hash type is stored in the password hash itself. If you look at a password hash in /etc/shadow, you’ll notice a lot of strange characters along with a few $ thrown in. These $ characters delimit different sections of the hash as follows:

$id$salt$encrypted

The id section tells you what hash is being used:

  • 1 = MD5
  • 5 = SHA-256
  • 6 = SHA-512

These days, you are most likely to run into SHA-256 and SHA-512 passwords. Because the hashing algorithm and the salt are stored along with the password itself, Linux password hashes are pretty portable. If you have one hash, you can copy it to another system and use the same password to log in.
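As an added example (not code from the article), the following Python classifies each entry of a shadow-style file by the $id$ prefix described above and maps it to the oclHashcat -m numbers listed in the option reference earlier on this page, the way a password audit would decide which scheme it is dealing with before anything else. The sample lines and their hash bodies are constructed placeholders; the optional rounds= field and the phpass cost character are assumptions taken from the glibc crypt(3) and phpass formats, not from the text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hash-type identifiers from the text ($1$ = MD5, $5$ = SHA-256, $6$ = SHA-512)
# plus the phpass portable format ($P$ / $H$) shown earlier in the article,
# each mapped to the oclHashcat -m number from the option reference above.
SCHEMES: Dict[str, Tuple[str, int]] = {
    "1": ("md5crypt (MD5)", 500),
    "5": ("sha256crypt (SHA-256)", 7400),
    "6": ("sha512crypt (SHA-512)", 1800),
    "P": ("phpass, MD5(WordPress)", 400),
    "H": ("phpass, MD5(phpBB3)", 400),
}

# $id$salt$encrypted; glibc may insert an optional "rounds=N$" before the salt
# of the SHA-based schemes (assumption from the crypt(3) format, not from the text).
CRYPT_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]{1,16})\$(?P<hash>[^$]+)$"
)
# phpass: "$P$" or "$H$", one cost character, 8 salt characters, 22 hash
# characters; the iteration count is 2 ** (index of the cost character in
# this alphabet) (assumption from the phpass format).
PHPASS_RE = re.compile(r"^\$(?P<id>[PH])\$(?P<cost>.)(?P<salt>.{8})(?P<hash>.{22})$")
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


@dataclass
class HashInfo:
    scheme: str            # human-readable scheme name
    hashcat_mode: int      # oclHashcat -m value for this scheme
    salt: str
    rounds: Optional[int]  # iteration count when the hash encodes one


def classify(field: str) -> Optional[HashInfo]:
    """Identify the hashing scheme of one password field.

    Returns None when the field is not a crypt-style hash, e.g. the "!" or
    "*" markers of locked accounts or an empty field.
    """
    m = CRYPT_RE.match(field)
    if m:
        name, mode = SCHEMES[m["id"]]
        rounds = int(m["rounds"]) if m["rounds"] else None
        return HashInfo(name, mode, m["salt"], rounds)
    m = PHPASS_RE.match(field)
    if m and m["cost"] in ITOA64:
        name, mode = SCHEMES[m["id"]]
        return HashInfo(name, mode, m["salt"], 1 << ITOA64.index(m["cost"]))
    return None


def audit_shadow(lines: List[str]) -> Dict[str, str]:
    """Map each user in shadow-style lines to an audit finding.

    Flags empty password fields (no password needed to log in), legacy $1$
    MD5 hashes, and a salt reused across accounts; everything else is
    reported by scheme name and oclHashcat mode.
    """
    findings: Dict[str, str] = {}
    seen_salts: Dict[str, str] = {}   # salt -> first user seen with it
    for line in lines:
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        if field == "":
            findings[user] = "EMPTY password field: login needs no password"
            continue
        info = classify(field)
        if info is None:
            findings[user] = "no password hash (locked or non-login account)"
            continue
        if info.salt in seen_salts:
            findings[user] = f"salt reused from {seen_salts[info.salt]}: check how the hashes were generated"
        elif info.hashcat_mode == 500:
            findings[user] = f"{info.scheme}: legacy scheme, migrate to sha512crypt"
        else:
            findings[user] = f"{info.scheme} (oclHashcat mode {info.hashcat_mode})"
        seen_salts.setdefault(info.salt, user)
    return findings


# Constructed sample; the hash bodies are placeholder strings, not real hashes.
SAMPLE_SHADOW = [
    "root:$6$rounds=10000$Xk3sample$" + "A" * 86 + ":18000:0:99999:7:::",
    "legacy:$1$oldsalt1$" + "B" * 22 + ":18000:0:99999:7:::",
    "clone:$1$oldsalt1$" + "C" * 22 + ":18000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
    "guest::18000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {finding}")
```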

Why Use a GPU?

The simple reason to use a GPU instead of a CPU for password cracking is that it’s much faster. It turns out that cracking passwords is a lot like mining Bitcoins, so the same reasons GPUs are faster for Bitcoin mining apply to password cracking. The short answer is that there are many more specialized chips on a GPU that perform 32-bit operations really quickly. Although a CPU can perform a lot of general-purpose calculations, the chips on a GPU can perform specific types of operations much faster, and in a much more parallel way. If you want more specifics, this site explains it in more detail from the perspective of Bitcoin mining.

The Hardware

The most important piece of hardware you need to crack passwords is a fast GPU. Because cracking passwords is like mining Bitcoins, you can get a good idea of how your GPU would perform by how well it would mine Bitcoins.

This site provides a good list of available video cards and describes their performance. When you look at that site, what you’ll notice is that AMD GPUs tend to be much faster than NVIDIA GPUs, even though for gaming often the reverse is true. The reason for this is explained in detail in the explanation of why a GPU mines faster than a CPU, but in short, AMD GPUs tackle the problem of graphics rendering with a lot of small, simple chips that perform 32-bit operations quickly. NVIDIA GPUs have fewer, but more sophisticated, chips that are closer to a CPU in complexity. For the purposes of Bitcoin mining or password cracking, which can be highly parallel, that larger number of simple chips works the fastest. Also note that cracking software can take advantage of multiple GPUs, so if you can afford it, and your motherboard can support it, you may find you’ll get the same performance out of two cheaper GPUs as out of a single expensive one.

If you already have a desktop that supports a modern video card, you may need to purchase only the GPU and power supply. Keep in mind that modern high-performance video cards require a lot of power, so you’ll want at least a 700W power supply in your case, and more than that if you intend to chain two video cards together.

Proprietary Video Drivers

For those of you who, like me, believe in open-source software, this next section may be a bit disappointing. To get hardware-accelerated password-cracking software working on your system, you need to install the proprietary video drivers from either AMD or NVIDIA. That said, if you already have been using your system for Bitcoin mining, you already have the drivers and libraries you need, so you can skip to the next section about Hashcat. Honestly, you also could just follow the Bitcoin mining HOWTOs for Linux, and that would describe how to get all the drivers and libraries you need.

Many modern desktops make it relatively easy to pull down and install the proprietary video drivers (and they may even be included in your current driver version). For instance, an Ubuntu desktop will prompt you that restricted drivers are available to install both for AMD and NVIDIA cards. Most other popular distributions provide good documentation on how to pull down the proprietary drivers as well. In the worst case, you may have to download the software directly from AMD or NVIDIA and install it that way; they both have clear instructions and software available for Linux just like for other OSes.

Once you have the proprietary drivers installed, you also need the AMD APP SDK for its OpenCL libraries or the NVIDIA CUDA libraries, depending on who made your video card. You likely will need to get these libraries directly from AMD or NVIDIA Web sites. The install is straightforward though.


Get HashCat

Many different password-cracking suites exist both for CPU- and GPU-based cracking. After reviewing all the options, we decided on the Hashcat family of cracking tools, available from the Hashcat Web site. On the site, you will see that a number of different tools are available. At first glance, it can be a bit confusing, as you can choose from hashcat, oclHashcat, oclHashcat-plus, oclHashcat-lite and even software called maskprocessor. Each program has its purpose though, depending on what you intend to do.


hashcat

  • CPU-based, so slower than the GPU-based software.
  • Supports the widest range of hashing algorithms.

oclHashcat

  • GPU-based password cracker.
  • Supports a moderate number of hashing algorithms.
  • Built-in support for dictionary, brute-force and mask attacks.

oclHashcat-plus

  • GPU-based.
  • Supports the most hashing algorithms of the GPU-based hashcat crackers.
  • Optimized for dictionary attacks against multiple hashes.
  • Can support dictionary input from a pipe, so brute-force is possible.

oclHashcat-lite

  • GPU-based.
  • Optimized for attacks against a single password hash.
  • Fastest of the hashcat family, but with the most-limited password support.

Even with the above lists, it may not always be clear which software to use. Basically, it comes down to what type of password you want to crack and what kind of attack you want to use. The page on the site devoted to each piece of software provides a list of the hashing algorithms they support along with benchmark speeds of how many comparisons they can do per second on different types of hardware. For a given password hash, go through those pages and see which type of Hashcat software supports your hash and has the highest benchmarks. Beyond that, use oclHashcat for mask or brute-force attacks against multiple hashes, oclHashcat-lite for single hashes or oclHashcat-plus if, as was the case with me, it’s the only GPU-accelerated version that supported your hash.

Once you decide which type of Hashcat software to use, installation is relatively simple, if old-school. Just download the .7z package that corresponds to the software, and use the 7za command-line tool (which should be packaged for your distribution) to extract it. The software will extract into its own directory that provides 32- and 64-bit versions for both Linux and Windows. If you have NVIDIA hardware, you will use the binaries that begin with cuda; otherwise, you will use the versions that start with ocl. The directory also will contain a number of example hashes and dictionaries and example shell scripts you can use to make sure your libraries and drivers are in place. For instance, here’s the example provided with the oclHashcat-plus software for cracking a phpass hash on a 64-bit system:

cat example.dict | ./oclHashcat-plus64.bin -m 400 example400.hash

Here’s another example of what the command output can look like:

cat example.dict | ./oclHashcat-plus32.bin -m 400 example400.hash
oclHashcat-plus v0.06 by atom starting...

Hashes: 1
Unique salts: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 128
GPU-Accel: 16
Password lengths range: 1 - 15
Platform: AMD compatible platform found 
Watchdog: Temperature limit set to 90c  
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 52MB host-memory
Device #1: Kernel ./kernels/4098/m0400.Cayman.32.kernel (274238 bytes)

Starting attack in wordlist stdin mode...


Status.......: Cracked
Input.Mode...: Piped
Hash.Target..: $H$9y5boZ2wsUlgl2tI6b5PrRoADzYfXD1
Hash.Type....: phpass, MD5(WordPress), MD5(phpBB3)
Time.Running.: 1 sec
Time.Util....: 1008.2ms/0.0ms Real/CPU, 0.0% idle
Speed........:    65009 c/s Real,   619.7k c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts   
Progress.....: 65543
Rejected.....: 0
HW.Monitor.#1:  0% GPU, 47c Temp

Started: Mon Dec  5 21:12:03 2011
Stopped: Mon Dec  5 21:12:04 2011

In this case, the password was hash234. For all of the hashcat commands, it’s simple enough just to open a terminal and change to the directory you extracted and run the commands locally from there. At the beginning of the command output, you will be able to see what GPUs the software can detect. If you have multiple GPUs in use (even if they aren’t chained), it should find them automatically. If it can’t find your GPU, you will need to revisit how you installed your proprietary drivers and extra libraries.

Get Cracking

Dictionary Attacks

The first attack you should try is a dictionary attack. With a dictionary attack, you provide the cracking software with a dictionary full of possible passwords to try, such as all the words in the English dictionary. The cracking software then tries each dictionary word until one matches your hash. Since the number of combinations in a dictionary attack is much smaller than with a brute-force attack, dictionary attacks complete much faster. As an example, when I was first researching this article, I let a brute-force attack run for days against a sample set of hashes without cracking one of them. I was able to crack three out of the five hashes with a dictionary attack in less than a minute.

To run a dictionary attack with oclHashcat-plus, first run the command with the --help argument. That will provide you with the number that corresponds to the algorithm you want to crack. In the case of phpass, that number is 400. Then, run the command a second time and specify the hash type with the -m option, the file in which to store the recovered passwords with the -o option, and then list the file that contains your hashes and the file or files you want to use as a dictionary. Here’s an example dictionary attack against phpass hashes:

/path/to/oclHashcat-plus32.bin -m 400 -o recovered_hashes example400.hash example.dict

If I had multiple dictionaries, I could list all of them on the command line or even use a shell glob. A dictionary attack is only as good as its dictionaries, but a number of good password dictionaries are available on the Web that you can find with a quick search for “password cracking wordlist”.

Calculating Cracking Speed

Before I discuss brute-force attacks in detail, it’s important to learn how to estimate how long a particular brute-force attack will take. With a brute-force attack, you aren’t just going through a dictionary of words, you are actually trying all possible combinations of a set of characters. In researching the article, I wasted days attempting a brute-force attack against an eight-character password before I finally did the math and realized it was completely impractical.

The first step is to figure out how fast your hardware can crack a particular type of hash. As you will discover, the number of comparisons per second your hardware can perform will vary widely depending on the hash type, so start a sample brute-force attack just long enough to get a bit of progress output, and then press Ctrl-c to exit. In my case, because I’m using oclHashcat-plus, I needed to download and extract the maskprocessor software from the same site, so it, combined with oclHashcat-plus, could perform a brute-force attack against phpass (don’t worry about the command syntax for now, I discuss the specifics later):

/path/to/mp32.bin -1 ?d?l?u ?1?1?1?1?1?1 | \
/path/to/oclHashcat-plus32.bin -m 400 \
-o recovered_hashes phpass-hashes

oclHashcat-plus v0.06 by atom starting...

Hashes: 6
Unique salts: 6
Unique digests: 6
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 128
GPU-Accel: 16
Password lengths range: 1 - 15
Platform: AMD compatible platform found 
Watchdog: Temperature limit set to 90c  
Device #1: Cayman, 2048MB, 0Mhz, 22MCU  
Device #1: Allocating 264MB host-memory 
Device #1: Kernel ./kernels/4098/m0400.Cayman.32.kernel (274238 bytes)

Starting attack in wordlist stdin mode...

Status.......: Running
Input.Mode...: Piped
Hash.Type....: phpass, MD5(WordPress), MD5(phpBB3)
Time.Running.: 10 secs
Time.Util....: 10001.4ms/180.8ms Real/CPU, 1.8% idle
Speed........:   315.3k c/s Real,   351.4k c/s GPU
Recovered....: 0/6 Digests, 0/6 Salts   
Progress.....: 3153920
Rejected.....: 0
HW.Monitor.#1: 96% GPU, 54c Temp

The output line to pay attention to is the line that begins with Speed. As you can see from that output, my GPU can do around 350,000 comparisons per second, so I’ll use that number for the rest of my calculations.

One good site I’ve found for doing cracking estimates is This site describes all sorts of different character sets and password lengths, and it describes how long anything from a single Pentium CPU to a mythical government supercomputer might take to brute-force all combinations. Otherwise, the math is pretty straightforward. Just take the number of characters in your character set (for instance, all lowercase letters would equal 26), then figure out how long of a password you want to brute-force, then raise the first number to the power of the second.

So, for instance, all mixed-case alphanumeric characters (A–Za–z0–9) equals 62 characters. If I wanted to brute-force a six-character password, that would be 62^6 = 57 billion combinations.

If you divide 57 billion combinations by a system that can do 350,000 comparisons a second, you get approximately 45 hours to complete the brute-force attack. That’s not bad, but let’s do the same math for eight-character passwords: 62^8 = 218 trillion combinations.

At 350,000 comparisons per second, it would take me approximately 7,200 days, or 19 years, to complete the attack. On the plus side, for another $250, I could complete the attack in less than 10 years! If you add symbols to your brute-force attack, the number jumps to 7.2 quadrillion combinations, or around 652 years.

Brute-Force Attacks

Once you’ve figured out whether a brute-force attack will complete in your lifetime, the next step is to run maskprocessor and tell it what kind of word list to generate. The maskprocessor command supports a number of common character sets by default with the following symbols:

  • ?d = all decimals (0–9).
  • ?l = lowercase characters (a–z).
  • ?u = uppercase characters (A–Z).
  • ?s = symbols.

You also can define a custom character set with -1 (or -2, -3) and then use ?1 to use that custom set. For instance, if I wanted to enumerate through all three-character passwords made up of lowercase characters and numbers, I could type:

/path/to/mp32.bin -1 ?d?l ?1?1?1
. . .

In our example brute-force attack, we wanted to run through all combinations of uppercase, lowercase and numbers in a six-character password. The resulting maskprocessor command would be:

/path/to/mp32.bin -1 ?d?l?u ?1?1?1?1?1?1

Then, I would pipe the output of that command to oclHashcat-plus:

/path/to/mp32.bin -1 ?d?l?u ?1?1?1?1?1?1 | \
/path/to/oclHashcat-plus32.bin -m 400 \
-o recovered_hashes phpass-hashes

As with our dictionary attack, the -m option specifies I want to crack phpass hashes, the -o lists the file in which I want to store my recovered hashes, and finally, I specify the file that contains the phpass hashes to crack. On my hardware, it took around two days to run fully through the above brute-force attack.

Now you should be ready to get cracking, but as you’ll find, the world of password cracking can get pretty dense, pretty quickly.

Tune Your Attack

Use More GPU Cycles

The first area where you can fine-tune your attacks is to put more or less load on your GPU. The -n option, when passed to oclhashcat, changes how much of your GPU will be used for an attack. The documentation says that this value is set to 80 by default; however, on our computer, it seemed like the default was set closer to 40. When we first ran a brute-force attack, the output told us it was using around 70–80% of our GPU. Once we added -n 80 to our oclhashcat command, we noticed we were using between 96–98% of our GPU and had added an extra 40,000 comparisons per second:

/path/to/mp32.bin -1 ?d?l?u ?1?1?1?1?1?1 | \
/path/to/oclHashcat-plus32.bin -m 400 -n 80 \
-o recovered_hashes phpass-hashes

Experiment with passing different values to -n, and see whether your comparisons per second and the percentage of GPU used increases. Be careful though; the higher the number, the more power your GPU is going to use (and if it’s not well-cooled, the hotter it will run). Also, if you plan to use the system for other things while you crack passwords, you may notice a greater impact on graphics performance.

Although it may seem like increasing the -n setting is a no-brainer, it turns out that a higher setting really only benefits brute-force attacks. The hashcat documentation recommends you try lower -n values when attempting dictionary attacks. Ultimately, the key is to experiment with both high and low values and see what gives you the best results.

Mask Attacks

With a dictionary attack, you provide the cracking software with a dictionary full of possible passwords to try, such as all of the words in the English dictionary. A brute-force attack iterates through all possible combinations for a password of a certain length. Because a dictionary attack generally has way fewer passwords to try, it is much faster than a brute-force attack. Although a brute-force attack takes a long time, it also ultimately will find the passwords you are looking for.

It turns out you aren’t limited by either a fast, possibly ineffective, attack or a highly effective, but slow, attack. With mask attacks, you can combine the speed of dictionary attacks with some of the thoroughness of a brute-force attack. Mask attacks work by making some educated guesses about the characters that might be used in a password. With a mask attack, you perform a brute-force attack only with a far smaller list of combinations to try all based on a pattern.

Mask attacks make more sense once you see an example. Let’s say that you are attempting to crack a password, and you know the password policy requires the user to select at least one uppercase letter and at least one number. As we mentioned before, you can calculate how many combinations are in a particular type of password by taking the number of characters in the character set, figuring out how long the password is going to be, then raising the first number to the power of the second. So, for instance, if you wanted to do a thorough brute-force attack against the above password policy, you would have 62 characters in your character set (A–Za–z0–9) and with an eight-character password, the number of combinations would be: 62^8 = 218 trillion combinations.

At 350,000 comparisons per second on our password-cracking hardware, it would take us approximately 7,200 days, or 19 years, to complete the attack.

The fact of the matter is, when you tell most users to create an eight-character password that has at least one uppercase character and at least one number, most users aren’t going to generate a truly random password. Instead, they likely will make the first letter uppercase and then use lowercase characters until they get to the end of the password, where they either will add a single number to the end of the password or they will put a four-digit year at the end—usually the year they were born, the year they graduated high school or the current year. A mask attack against the same password policy would build a brute-force pattern where you would just try an uppercase letter as the first character, lowercase for the next three, then either lowercase or numbers for the final four characters. In that case, the number of combinations would be: 26 * 26^3 * 36^4 = ~767 billion combinations.

On our hardware, that would take a bit more than 600 hours, or 25 days. Although that’s a long time to crack a password, it’s still a lot better than 19 years and likely will be effective against a large number of weaker passwords.

To describe this pattern, we use the same custom pattern language with maskprocessor that we used in the previous example for regular brute-force attacks, only in this case, we combine a custom pattern that includes all lowercase characters and numbers with a regular set of character patterns. The final maskprocessor command would look like:

/path/to/mp32.bin -1 ?d?l ?u?l?l?l?1?1?1?1

As you can see, we defined a custom set of ?d?l (0–9a–z) and assigned it to ?1, then we created a password pattern where the first character was ?u (A–Z), the next three were ?l (a–z), and the final four were ?1 (0–9a–z). The complete command to attempt this mask attack against our phpass hashes with our new custom GPU tuning would be:

/path/to/mp32.bin -1 ?d?l ?u?l?l?l?1?1?1?1 | \
/path/to/oclHashcat-plus32.bin -m 400 -n 80 \
-o recovered_hashes phpass-hashes
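A keyspace and time calculator for the mask notation used in the brute-force and mask-attack sections above, as an added example; it is not part of the article and not maskprocessor’s code. It assumes the article’s measured 350,000 comparisons per second, and the function names expand_charset, mask_keyspace and estimate are mine. The built-in sets are sized as hashcat documents them (?d=10, ?l=26, ?u=26, ?s=33, i.e. space plus the 32 ASCII punctuation characters), so the full printable set has 95 characters; the article’s 7.2 quadrillion figure corresponds to a 96-character set. A literal character in a mask counts as a single possibility, and a custom set may reference an earlier custom set, as with -1 and -2 in maskprocessor.

```python
import math
import string

# Built-in charsets as hashcat/maskprocessor define them.
BUILTIN = {
    "d": string.digits,             # 0-9  -> 10
    "l": string.ascii_lowercase,    # a-z  -> 26
    "u": string.ascii_uppercase,    # A-Z  -> 26
    "s": " " + string.punctuation,  # space + 32 ASCII symbols -> 33
}


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?d?l' into the set of characters it denotes.
    Literal characters may be mixed in ('?dxyz'), and '??' is a literal '?'."""
    custom = custom or {}
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in BUILTIN:
                chars.update(BUILTIN[key])
            elif key in custom:
                chars.update(custom[key])
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_keyspace(mask, custom_specs=None):
    """Number of candidates a mask generates.  custom_specs maps '1'..'4' to the
    specs passed as -1 .. -4; a later custom set may reference an earlier one."""
    custom = {}
    for key, spec in (custom_specs or {}).items():
        custom[key] = expand_charset(spec, custom)
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1  # a literal position contributes exactly one possibility
    return total


def estimate(mask, rate, custom_specs=None):
    """Keyspace, equivalent bit strength (log2 of the keyspace) and worst-case
    time to exhaust the mask at `rate` comparisons per second."""
    ks = mask_keyspace(mask, custom_specs)
    secs = ks / rate
    return {"keyspace": ks, "bits": math.log2(ks), "hours": secs / 3600,
            "days": secs / 86400, "years": secs / (365 * 86400)}


if __name__ == "__main__":
    RATE = 350_000  # the article's measured phpass speed on one GPU
    cases = [
        ("6 x [A-Za-z0-9]", "?1" * 6, {"1": "?d?l?u"}),
        ("8 x [A-Za-z0-9]", "?1" * 8, {"1": "?d?l?u"}),
        ("8 x all printable", "?1" * 8, {"1": "?d?l?u?s"}),
        ("?u?l?l?l + 4 x [a-z0-9]", "?u?l?l?l?1?1?1?1", {"1": "?d?l"}),
    ]
    for label, mask, cs in cases:
        e = estimate(mask, RATE, cs)
        print("%-24s %22s  %5.1f bits  %12.0f h  %9.1f d  %8.1f y"
              % (label, format(e["keyspace"], ","), e["bits"],
                 e["hours"], e["days"], e["years"]))
```

Run as a script, the rows reproduce the article’s figures: about 45 hours for six alphanumeric characters, about 7,220 days (19 years) for eight, and about 609 hours (25 days) for the ?u?l?l?l?1?1?1?1 mask. The bits column is the keyspace expressed as bit strength, which is the quantity a password policy actually controls.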

Attack Rules

The final way to improve your attacks further is by applying rules to your dictionary attacks. A rule allows you to perform some sort of transformation against all the words in your dictionary. You might, for instance, not only try all your dictionary words, but also create a rule that adds a single digit to the end of the dictionary word. That will catch even more weak passwords and only increases the number of overall combinations by ten times.

Here’s an even better example of how rules can help crack more tricky passwords. With the new requirement that users must have numbers in their password, a lot of users have resorted to “leet speak”. For instance, instead of using “password” they might use “p455w0rd”. The fact of the matter is, they still are using a dictionary word—they are just applying a basic transformation to it where a becomes 4, s becomes 5, o becomes 0, e becomes 3 and so on. When you want to crack such a password, all you have to do is add the -r option to hashcat and point it to a file that contains the rule you want to apply. Hashcat uses a custom language to define rules, but it’s not too tricky to figure out, and the installation directory for oclhashcat has a rules directory that contains a number of rule files you can use as a reference. It even already includes a rule for leet speak, so if you wanted to perform a dictionary attack that took leet speak into account, it would look something like this if you ran it from within the oclhashcat-plus directory:

/path/to/oclHashcat-plus32.bin -m 400 \
-r ./rules/leetspeak.rule \
-o recovered_hashes example400.hash example.dict
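To make the rule idea concrete, here is an added example (mine, not hashcat’s code or its leetspeak.rule file) that interprets a small subset of the hashcat rule language and runs a constructed wordlist through it. The rule lines LEET_RULE, DIGIT_RULES and YEAR_RULES are constructed here to mirror the transformations the text describes (a becomes 4, s becomes 5, o becomes 0, e becomes 3; append one digit; capitalise and append a four-digit year), and audit uses unsalted MD5 for the constructed target hashes purely so the example is self-contained; the function names are mine.

```python
import hashlib


def md5hex(s):
    """Unsalted MD5 hex digest, used only for the constructed targets below."""
    return hashlib.md5(s.encode()).hexdigest()


def _pos(c):
    """Rule positions are written 0-9 then A-Z for 10-35, as in hashcat."""
    return int(c) if c.isdigit() else ord(c.upper()) - ord("A") + 10


def apply_rule(rule, word):
    """Apply one rule line to a word.  Supported functions (a subset of the
    hashcat rule language): : l u c C t r d f [ ] $X ^X sXY DN TN"""
    w = word
    i = 0
    while i < len(rule):
        f = rule[i]
        if f.isspace():
            i += 1
            continue
        if f == ":":
            pass                                   # no-op: the word itself
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()      # Capitalize
        elif f == "C":
            w = w[:1].lower() + w[1:].upper()
        elif f == "t":
            w = w.swapcase()                       # toggle every character
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "f":
            w = w + w[::-1]                        # reflect
        elif f == "[":
            w = w[1:]
        elif f == "]":
            w = w[:-1]
        elif f == "$":
            w = w + rule[i + 1]                    # append one character
            i += 1
        elif f == "^":
            w = rule[i + 1] + w                    # prepend one character
            i += 1
        elif f == "s":
            w = w.replace(rule[i + 1], rule[i + 2])  # substitute all X with Y
            i += 2
        elif f == "D":
            p = _pos(rule[i + 1])
            w = w[:p] + w[p + 1:]                  # delete character at position
            i += 1
        elif f == "T":
            p = _pos(rule[i + 1])
            if p < len(w):
                w = w[:p] + w[p].swapcase() + w[p + 1:]
            i += 1
        else:
            raise ValueError("unsupported rule function %r in %r" % (f, rule))
        i += 1
    return w


def candidates(rules, words):
    """Expand a wordlist through every rule line, skipping comments, blanks
    and duplicates, the way a cracker feeds candidates to the hashing loop."""
    seen, out = set(), []
    for rule in rules:
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        for word in words:
            cand = apply_rule(rule, word)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def audit(hashes, words, rules, hashfn=md5hex):
    """Return {hash: candidate} for every target hash some candidate reproduces."""
    want = set(hashes)
    return {hashfn(c): c for c in candidates(rules, words) if hashfn(c) in want}


# Constructed rule lines mirroring the transformations described in the text.
LEET_RULE = "sa4 ss5 so0 se3"                     # password -> p455w0rd
DIGIT_RULES = ["$%d" % d for d in range(10)]      # append one digit: x10 candidates
YEAR_RULES = ["c $1 $9 $8 $5", "c $2 $0 $1 $3"]   # Capitalize + a four-digit year

if __name__ == "__main__":
    wordlist = ["password", "summer", "monkey"]          # constructed dictionary
    targets = {md5hex("p455w0rd"), md5hex("Summer2013")}  # constructed targets
    print(audit(targets, wordlist, [LEET_RULE] + DIGIT_RULES + YEAR_RULES))
```

The point for an auditor is the candidate count: three words and twelve rule lines produce at most 36 candidates, yet they already recover both constructed targets, which is why a “leet speak” substitution or a trailing year adds almost nothing to a password’s real strength.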

For more information about rules, check out the documentation on the Hashcat Wiki at

You now should have everything you need to refine your (completely legitimate and white hat) password-cracking attacks. On the Hashcat Wiki, you will find even more examples of types of attacks and examples you can use to improve your odds of cracking a password hash.

More information can be found at:

Best Password Audit Tools

In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach (brute-force attack) is to repeatedly try guesses for the password.

The purpose of password cracking might be to help a user recover a forgotten password, to gain unauthorized access to a system, or as a preventive measure by System Administrators to check for easily crackable passwords. On a file-by-file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file’s access is restricted.

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

The time to crack a password is related to bit strength which is a measure of the password’s information entropy. Most methods of password cracking require the computer to produce many candidate passwords, each of which is checked. One example is brute-force cracking, in which a computer tries every possible key or password until it succeeds. More common methods of password cracking, such as dictionary attacks, pattern checking, word list substitution, etc., attempt to reduce the number of trials required and will usually be attempted before brute force. Higher password bit strength increases exponentially the number of candidate passwords that must be checked, on average, to recover the password and reduces the likelihood that the password will be found in any cracking dictionary.

The ability to crack passwords using computer programs is also a function of the number of possible passwords per second which can be checked. If a hash of the target password is available to the attacker, this number can be quite large.

In this post, we are covering a few of the most popular password cracking tools.

RainbowCrack

RainbowCrack is a general purpose implementation of Philippe Oechslin’s faster time-memory trade-off technique. A brute force hash cracker generates all possible plaintexts and computes the corresponding hashes on the fly, then compares the hashes with the hash to be cracked. Once a match is found, the plaintext is found. If all possible plaintexts are tested and no match is found, the plaintext is not found. With this type of hash cracking, all intermediate computation results are discarded.

A time-memory tradeoff hash cracker needs a pre-computation stage, during which all plaintext/hash pairs within the selected hash algorithm, charset and plaintext length are computed and the results are stored in files called rainbow tables. It is time consuming to do this kind of computation. But once the one-time pre-computation is finished, hashes stored in the table can be cracked with much better performance than a brute force cracker.

Several TB of generated rainbow tables for LM, NTLM, MD5 and SHA1 hash algorithms are listed on their website too.


  • Full time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup
  • Support rainbow table of any hash algorithm
  • Support rainbow table of any charset
  • Support rainbow table in raw file format (.rt) and compact file format (.rtc)
  • Computation on multi-core processor support
  • GPU acceleration with NVIDIA GPUs (CUDA technology)
  • GPU acceleration with AMD GPUs (OpenCL technology)
  • GPU acceleration with multiple GPUs
  • Runs on Windows operating systems
      • Windows XP 32-bit / 64-bit
      • Windows Vista 32-bit / 64-bit
      • Windows 7 32-bit / 64-bit
      • Windows 8 32-bit / 64-bit
  • Runs on Linux operating systems (x86 and x86_64)
  • Unified rainbow table file format on all supported operating systems
  • Command line user interface
  • Graphics user interface
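The precomputation and lookup that the RainbowCrack description above outlines, as an added example on a constructed toy space (three lowercase letters, unsalted MD5, 100-column chains); this is my illustration, not RainbowCrack’s code, and the names H, R, chain, build_table, lookup and coverage are mine. The reduction function mixes in the column index, which is what distinguishes a rainbow table from the older Hellman tables. The final call shows the defender’s side of the trade-off: a per-user salt (a constructed "x9" prefix here) puts the hash outside anything the table precomputed, so the lookup finds nothing.

```python
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 possible plaintexts (constructed toy space)
CHAIN_LEN = 100                   # columns per chain (the text cites 10,000 for stock tables)


def H(plaintext):
    """The hash under attack: unsalted MD5, hex encoded."""
    return hashlib.md5(plaintext.encode()).hexdigest()


def R(digest, column):
    """Reduction: map a digest back onto the plaintext space.  Mixing in the
    column index gives every column its own reduction, which is what makes the
    table 'rainbow' and keeps chains from merging as soon as they collide."""
    n = (int(digest[:12], 16) + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def chain(start, length=CHAIN_LEN):
    """Every plaintext one chain visits: start, R_0(H(start)), R_1(H(.)), ..."""
    pts = [start]
    for col in range(length):
        pts.append(R(H(pts[-1]), col))
    return pts


def build_table(num_chains, seed=1):
    """Precomputation: walk each chain but store only endpoint -> start points.
    Everything in between is discarded, which is the memory side of the trade-off."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        table.setdefault(chain(start)[-1], []).append(start)
    return table


def lookup(table, target):
    """Recover a plaintext whose unsalted MD5 is `target`, or None."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target sits in column `col`; replay the rest of the chain
        # from there and see whether we land on a stored endpoint.
        p = R(target, col)
        for c in range(col + 1, CHAIN_LEN):
            p = R(H(p), c)
        for start in table.get(p, []):
            for cand in chain(start)[:-1]:     # regenerate the chain and verify
                if H(cand) == target:
                    return cand
            # no match: a false alarm, two chains merged into this endpoint
    return None


def coverage(table):
    """Fraction of the plaintext space that appears in at least one stored chain."""
    seen = set()
    for starts in table.values():
        for s in starts:
            seen.update(chain(s)[:-1])
    return len(seen) / SPACE


if __name__ == "__main__":
    table = build_table(2000)
    n_chains = sum(len(v) for v in table.values())
    print("chains stored: %d, coverage %.1f%%" % (n_chains, 100 * coverage(table)))
    print("unsalted md5('cat')      ->", lookup(table, H("cat")))
    # A per-user salt moves the hash outside the precomputed plaintext space.
    print("salted   md5('x9'+'cat') ->", lookup(table, H("x9" + "cat")))
```

Because only endpoints are stored, the table costs num_chains entries rather than SPACE, and a lookup costs on the order of CHAIN_LEN^2 hash operations instead of SPACE; longer chains trade lookup time for table size, which is the knob the Cryptohaze section below turns when it moves from 10,000 to 200,000 columns.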

Source && Download at:

Wfuzz

Wfuzz is a tool designed to brute-force web applications. It was created to facilitate the task in web application assessments; it’s a tool by pentesters for pentesters ;) It can also be used to find hidden resources like directories, servlets and scripts.


  • Capability of injection via multiple points with multiple dictionaries
  • Output in colored HTML
  • Post, headers and authentication data brute forcing
  • Proxy and SOCKS support, multiple proxy support
  • Multi Threading
  • Brute force HTTP Password
  • POST and GET Brute forcing
  • Time delay between requests
  • Cookies fuzzing

Source && Download at:

Cain and Abel

Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, and it cracks various password hashes using dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables, which can be generated with the winrtgen.exe program provided with Cain and Abel.


  • WEP cracking
  • Speeding up packet capture speed by wireless packet injection
  • Ability to record VoIP conversations
  • Decoding scrambled passwords
  • Calculating hashes
  • Traceroute
  • Revealing password boxes
  • Uncovering cached passwords
  • Dumping protected storage passwords
  • ARP spoofing
  • IP to MAC Address resolver
  • Network Password Sniffer
  • LSA secret dumper
  • Ability to crack:
      • LM & NTLM hashes
      • NTLMv2 hashes
      • Microsoft Cache hashes
      • Microsoft Windows PWL files
      • Cisco IOS – MD5 hashes
      • Cisco PIX – MD5 hashes
      • APOP – MD5 hashes
      • CRAM-MD5 MD5 hashes
      • OSPF – MD5 hashes
      • RIPv2 MD5 hashes
      • VRRP – HMAC hashes
      • Virtual Network Computing (VNC) Triple DES
      • MD2 hashes
      • MD4 hashes
      • MD5 hashes
      • SHA-1 hashes
      • SHA-2 hashes
      • RIPEMD-160 hashes
      • Kerberos 5 hashes
      • RADIUS shared key hashes
      • IKE PSK hashes
      • MSSQL hashes
      • MySQL hashes
      • Oracle and SIP hashes

Source && Download at:

John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

Source && Download at:

Hashcat

Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. It is available free of charge, although it has a proprietary codebase. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others.

Hashcat has made its way into the news many times for the optimizations and flaws discovered by its creator, which are then exploited in subsequent hashcat releases (for example, the flaw in 1Password’s hashing scheme).

Hashcat comes in two main variants:

  • Hashcat – A CPU-based password recovery tool
  • oclHashcat – A GPU-accelerated tool

Many of the algorithms supported by Hashcat can be cracked in a shorter time by using the well-documented GPU acceleration leveraged in oclHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs. Bcrypt is a good example of this. Due to factors such as data-dependent branching, serialization, and memory (to name just a few), oclHashcat is not a catch-all replacement for Hashcat.

Attack types

Hashcat offers multiple attack modes for obtaining effective and complex coverage over a hash’s keyspace. These modes are:

  • Brute-Force attack
  • Combinator attack
  • Dictionary attack
  • Fingerprint attack
  • Hybrid attack
  • Mask attack
  • Permutation attack
  • Rule-based attack
  • Table-Lookup attack
  • Toggle-Case attack

The traditional bruteforce attack is considered outdated, and the Hashcat core team recommends the Mask-Attack as a full replacement.

Source && Download at:

THC Hydra

THC Hydra is a fast network logon password cracking tool. When it is compared with other similar tools, it shows why it is faster. New modules are easy to install in the tool. You can easily add modules and enhance the features. It is available for Windows, Linux, FreeBSD, Solaris and OS X. This tool supports various network protocols. Currently it supports Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Source && Download at:

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items to be some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

It claims to be a speedy, parallel, modular login brute-forcing tool. It supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet. Host, user name and password can all be given as flexible input while performing the attack.

Source && Download at:

Ophcrack

Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.


  • Runs on Windows, Linux/Unix, Mac OS X, …
  • Cracks LM and NTLM hashes.
  • Free tables available for Windows XP and Vista/7.
  • Brute-force module for simple passwords.
  • Audit mode and CSV export.
  • Real-time graphs to analyze the passwords.
  • LiveCD available to simplify the cracking.
  • Dumps and loads hashes from encrypted SAM recovered from a Windows partition.
  • Free and open source software (GPL).

Source && Download at:

L0phtCrack

L0phtCrack is a password auditing and recovery application (now called L0phtCrack 6) originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables. It was one of the crackers’ tools of choice, although most use old versions because of its low price and high availability.

The application was produced by @stake after the L0pht merged with @stake in 2000. @stake was then acquired by Symantec in 2004. Symantec later stopped selling this tool to new customers, citing US Government export regulations, and discontinued support in December 2006.

In January 2009, L0phtCrack was acquired by the original authors Zatko, Wysopal, and Rioux from Symantec. L0phtCrack 6 was announced on 11 March 2009 at the SOURCE Boston Conference. L0phtCrack 6 contains support for 64-bit Windows platforms as well as upgraded rainbow tables support.

Source && Download at:

Cryptohaze

Cryptohaze is the home of high performance, open source, network-enabled, US-based cross-platform GPU and OpenCL accelerated password auditing tools for security professionals. Currently, many security professionals are at a serious disadvantage in auditing as they cannot submit hashes to online hash databases due to the terms of their auditing agreement. Cryptohaze tools are aimed at providing high quality tools that run on any platform – Windows, Linux, or OS X. The tools run on all platforms that support CUDA or OpenCL (currently Windows, Linux, OS X). If you don’t have a GPU – the OpenCL code will run just fine on your host CPU!

Tools Overview:

Cryptohaze Multiforcer

The Cryptohaze Multiforcer is a high performance CUDA password cracker that is designed to target large lists of hashes. Performance holds very solid with large lists, such that on a suitable server, cracking a list of 1 000 000 passwords is not significantly slower than cracking a list of 10. For anyone who deals with large lists of passwords, this is a very useful tool! Algorithm support includes MD5, NTLM, LM, SHA1, and many others.

Multiforcer New (MFN)

The Multiforcer New is a total ground up rewrite of the Cryptohaze Multiforcer with CUDA, OpenCL, and CPU (SSE/AVX/etc) support. It remains focused on brute forcing large hash lists, and scales very well. It also is designed for network clustering of machines – no longer are you limited to running your hashes with a single machine! Other tools have varying levels of network support, but Cryptohaze is the only open source tool with easy to use built in networking.

Cryptohaze GPU Rainbow Tables

There has been very little development in the promising Rainbow Table technology over the past several years. Cryptohaze GPU Rainbow tables are a totally fresh implementation of rainbow tables, leveraging the strengths of nVidia GPUs and OpenCL devices to allow for much larger table spaces and coverage. While the stock RainbowCrack tables use chain lengths of 10 000, the Cryptohaze tables use a chain length of 200 000. This allows much larger attack spaces – NTLM tables for the full US charset (95 characters) at length 8 are available, and other tables will become available as they are created. While doing this, cracking times on a high performance server remain very reasonable – in some cases, under 2 minutes per password!

Source && Download at:

Wisecracker

Large scale brute force cryptanalysis needs a tremendous amount of computational power that government agencies like the NSA and companies like Google® have.

An average security researcher might want to have such capabilities as well but they do not have the tools or the computational resources. Moreover, they might not be skilled in writing software that takes advantage of the computational resources provided by commercial-off-the-shelf systems with CUDA and OpenCL capable GPUs and computational clusters provided by Amazon EC2® and Microsoft Azure®.

With Wisecracker™ we bridge this gap by providing an open source framework for security researchers to write their own cryptanalysis tools that can distribute brute force cryptanalysis work across multiple systems with multiple multi-core processors and GPUs. Security researchers can also use the sample tools provided as part of Wisecracker™ out-of-the-box. The differentiating aspect of Wisecracker™ is that it uses OpenCL and MPI together to distribute the work across multiple systems each having multiple CPUs and/or GPUs. We support the OpenCL libraries provided by Intel®, AMD® and NVIDIA®, and support multiple operating systems such as Linux®, Microsoft Windows® and Apple’s Mac OSX®.

Source && Download at:

Moscrack

Moscrack facilitates the use of a WPA cracker on a cluster. Currently it works with Mosix (clustering software), SSH, RSH and Pyrit. It works by reading a word list from STDIN or a file, breaking it into chunks and passing those chunks off to separate processes that run in parallel. The parallel processes can then execute on different nodes in your cluster. All results are checked and recorded on your master node. Logging, error handling, etc… are all handled for you. Moscrack is capable of running for long periods of time (days/weeks/months/etc…) reliably and without risk of losing data or having to restart.


  • Basic API allows remote monitoring
  • Automatic and dynamic configuration of nodes
  • Live CD/USB enables boot and forget dynamic node configuration
  • Can be extended by use of plugins
  • Uses aircrack-ng by default
  • CUDA/OpenCL support via Pyrit plugin
  • CUDA support via aircrack-ng-cuda (untested)
  • Does not require an agent/daemon on nodes
  • Can crack/compare SHA256/512, DES, MD5 and blowfish hashes via Dehasher plugin
  • Checkpoint and resume
  • Easily supports a large number of nodes
  • Designed to run for long periods of time
  • Doesn’t exit on errors/failures when possible
  • Supports mixed OS/protocol configurations
  • Supports SSH, RSH, Mosix for node connectivity
  • Effectively handles mixed fast and slow nodes or links
  • Architecture independent
  • Supports Mosix clustering software
  • Supports all popular operating systems as processing nodes
  • Node prioritization based on speed
  • Nodes can be added/removed/modified while Moscrack is running
  • Failed/bad node throttling
  • Hung node detection
  • Reprocessing of data on error
  • Automatic performance analysis and tuning
  • Intercepts INT and TERM signals for clean handling
  • Very verbose, doesn’t hide anything, logs aggressively
  • Includes a “top” like status viewer
  • Includes CGI web status viewer
  • Includes an optional basic X11 GUI

Source && Download at:

Reaver: WPS Nightmare

Reaver-wps takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or WPS. It’s a feature that exists on many routers, intended to provide an easy setup process, and it’s tied to a PIN that’s hard-coded into the device. Reaver exploits a flaw in these PINs; the result is that, with enough time, it can reveal your WPA or WPA2 password. The

People assume that because their wireless encryption key is WPA2 standard, they are safe from cyber attack. They are wrong. This is a program that allows an attacker to easily compromise your router’s password by attacking the PIN authorization process between your router and other devices. See, with your router’s PIN, a password is not needed. In fact, because Reaver doesn’t use a dictionary file to brute-force your password, it doesn’t matter how strong or long it is. Reaver WILL eventually crack the PIN!

Source && Download at:

Aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. The program runs under Linux and Windows; the Linux version is packaged for OpenWrt and has also been ported to the Zaurus and Maemo platforms; and a proof of concept port has been made to the iPhone.

In April 2007 a team at the Darmstadt University of Technology in Germany developed a new attack method based on a paper released on the RC4 cipher by Adi Shamir. This new attack, named ‘PTW’, decreases the number of initialization vectors or IVs needed to decrypt a WEP key and has been included in the aircrack-ng suite since the 0.9 release.

Aircrack-ng is a fork of the original Aircrack project.

Source && Download at:

What can you do ?

Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted. Risks are also posed by several means of breaching computer security which are unrelated to password strength. Such means include wiretapping, phishing, keystroke logging, social engineering, dumpster diving, shoulder surfing, side-channel attacks, and software vulnerabilities.

Always use a longer password: Password length is a very important factor in the auditing process. If you use a short password, password auditing tools can easily go through all possible combinations and crack your password rather quickly. A long password drastically increases the time and resources needed to crack it. Rule of thumb? No less than 8 characters long.

Always use a combination of letters, numbers and special characters: Password cracking tools try all combinations, one by one. Having a mix of lowercase letters, capital letters, numbers and special characters drastically increases the time it would take to go through all of those cases.

Variety in passwords: Never use the same password everywhere. Cyber criminals often steal passwords from one website and then try them on other websites.

Never use a dictionary word: Rainbow-table crackers usually have all of those words pre-hashed. Also avoid using your pet's name, a parent's name, your phone number, driver's license number or anything else that is easy to guess. Avoid passwords with sequences or repeated characters, for example 1111111, 12345678, qwerty or asdfgh.

Presenting SplashData's “Worst Passwords of 2013”:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123
  11. 123123
  12. admin
  13. 1234567890
  14. letmein
  15. photoshop
  16. 1234
  17. monkey
  18. shadow
  19. sunshine
  20. 12345
  21. password1
  22. princess
  23. azerty
  24. trustno1
  25. 000000
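The rules above can be enforced before a password is ever accepted. The following is an added example written for this post, not a tool from the original article: it checks length, character classes, the worst-passwords list reproduced above, dictionary words, and keyboard or numeric sequences and repeats. The mini-dictionary and the helper names (check_password, DICTIONARY_WORDS and friends) are this example's own assumptions; a real deployment would load a full wordlist such as the one shipped with John the Ripper.

```python
"""Password policy check for the rules listed above (added example, not part of
the original post). The dictionary is a constructed stand-in; in practice you
would load a real wordlist such as /usr/share/john/password.lst."""
import string

# SplashData's "Worst Passwords of 2013" exactly as listed above.
WORST_PASSWORDS_2013 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}

# Constructed mini-dictionary (a real deployment loads a full wordlist).
DICTIONARY_WORDS = {"chess", "happy", "dragon", "welcome", "secret", "summer"}

# Rows used to spot sequences such as qwerty, asdfgh, 12345678 or abcd.
SEQUENCE_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "azertyuiop",
                 "0123456789", "abcdefghijklmnopqrstuvwxyz"]

MIN_LENGTH = 8      # the post's rule of thumb
SEQUENCE_LEN = 4    # a run of 4+ consecutive keys counts as a sequence


def has_sequence(pw: str) -> bool:
    """True if any 4-character window is an ascending or descending run."""
    low = pw.lower()
    for row in SEQUENCE_ROWS:
        for i in range(len(low) - SEQUENCE_LEN + 1):
            chunk = low[i:i + SEQUENCE_LEN]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def has_repeats(pw: str) -> bool:
    """True if the same character appears three or more times in a row."""
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def based_on_dictionary_word(pw: str, words) -> bool:
    """Catch plain words and the common word+digits/symbol pattern (password1)."""
    low = pw.lower()
    core = low.rstrip(string.digits + string.punctuation)
    return low in words or core in words or any(w in low for w in words if len(w) >= 5)


def check_password(pw: str, extra_words=()) -> list:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if pw.lower() in WORST_PASSWORDS_2013:
        problems.append("appears on the SplashData worst-passwords list")
    if based_on_dictionary_word(pw, DICTIONARY_WORDS | set(extra_words)):
        problems.append("based on a dictionary word")
    if has_sequence(pw):
        problems.append("contains a keyboard or numeric sequence")
    if has_repeats(pw):
        problems.append("contains repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "qwerty", "Chess!2013", "Tr0ub4dor&3x"]:
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that "Chess!2013" satisfies the length and character-class rules and still fails, because the check strips the trailing digits and symbols before the dictionary lookup; that is the word-plus-year pattern cracking rules catch first.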

Cain & Abel

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.



Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no events shall the author be liable for such damages or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocol authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

more information at: and at:

Louisville Lock Picking And Bypass Class Hosted At LVL1

LUKS-Volume-Cracker Perform Dictionary Attacks On Cryptoloop, DM-Crypt and LUKS Volumes

Brute Force Luks Volume to crack the Luks Password


Get it HERE

Application and Source


An application for performing a dictionary attack on encrypted volumes. Basically a wrapper around FreeOTFE, which also supports Linux volumes (Cryptoloop, dm-crypt, LUKS).

By design these encryption systems are very slow to brute-force, so a dictionary-based attack is only appropriate for poorly chosen passphrases.


  • Check if your passphrase is secure

How it works

  • Count the initial number of drives in the system
  • Loop through the input in the dictionary
    • Execute a command line statement to mount the encrypted image using the current passphrase (/mount /volume volume /password password /silent N:\\)
    • If it’s a Linux drive, use the WinAPI to automatically fill in the GUI prompt
    • When the number of drives has changed, a volume has been mounted, so one of the recently tried passwords was correct


Uses the excellent FreeOTFE by SDean



[0x00] What is THC-SMARTBRUTE?

Link to Tool   HERE

This tool finds undocumented and secret commands implemented in a smartcard.
An instruction is divided into Class (CLA), Instruction-Number (INS) and the
parameters or arguments P1, P2, P3. THC-SMARTBRUTE iterates through all the possible
values of CLA and INS to find a valid combination.

Furthermore it tries to find out what parameters are valid for a given class and instruction number.
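To make the CLA / INS / P1 / P2 / P3 layout concrete, here is an added example in Python that parses and builds ISO 7816 short APDUs; it is not part of THC-SMARTBRUTE or its source. The INS names come from ISO 7816-4, the sample APDUs are constructed (the first one is the GSM SELECT FILE used in the examples further down), and the function names parse_apdu and build_apdu are this example's own.

```python
"""ISO 7816 short-APDU parser/builder (added example, not THC-SMARTBRUTE code).

A command APDU is CLA INS P1 P2 followed by an optional body. In the T=0
terminology the README uses, the fifth byte is "P3"; ISO 7816-4 calls it Lc
(length of command data) or Le (expected response length) depending on case:
  case 1: CLA INS P1 P2
  case 2: CLA INS P1 P2 Le
  case 3: CLA INS P1 P2 Lc <data>
  case 4: CLA INS P1 P2 Lc <data> Le
"""

# Interindustry INS codes from ISO 7816-4. An INS not in this table is what
# the README calls a non-standard instruction.
STANDARD_INS = {
    0x20: "VERIFY",
    0x82: "EXTERNAL AUTHENTICATE",
    0x84: "GET CHALLENGE",
    0x88: "INTERNAL AUTHENTICATE",
    0xA4: "SELECT FILE",
    0xB0: "READ BINARY",
    0xB2: "READ RECORD",
    0xC0: "GET RESPONSE",
    0xD6: "UPDATE BINARY",
}


def cla_kind(cla: int) -> str:
    """Bit 8 of CLA clear means interindustry; set means proprietary (e.g. 0xA0 for GSM)."""
    return "interindustry" if cla & 0x80 == 0 else "proprietary"


def parse_apdu(raw: bytes) -> dict:
    """Split a short command APDU into its fields and classify its case."""
    if len(raw) < 4:
        raise ValueError("APDU header needs CLA, INS, P1 and P2")
    cla, ins, p1, p2 = raw[0], raw[1], raw[2], raw[3]
    body = raw[4:]
    apdu = {
        "cla": cla, "cla_kind": cla_kind(cla),
        "ins": ins, "ins_name": STANDARD_INS.get(ins, "non-standard"),
        "p1": p1, "p2": p2, "p3": None, "data": b"", "le": None,
    }
    if not body:
        apdu["case"] = 1
    elif len(body) == 1:
        apdu["case"] = 2
        apdu["p3"] = body[0]
        apdu["le"] = body[0] or 256          # Le = 0x00 means 256 bytes
    else:
        lc = body[0]
        apdu["p3"] = lc
        if len(body) == 1 + lc:
            apdu["case"] = 3
            apdu["data"] = bytes(body[1:])
        elif len(body) == 2 + lc:
            apdu["case"] = 4
            apdu["data"] = bytes(body[1:1 + lc])
            apdu["le"] = body[-1] or 256
        else:
            raise ValueError(f"body length {len(body)} does not match Lc={lc}")
    return apdu


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le=None) -> bytes:
    """Assemble a short APDU; data longer than 255 bytes needs extended APDUs."""
    if len(data) > 255:
        raise ValueError("short APDU data field is limited to 255 bytes")
    out = bytes([cla, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le % 256])             # 256 is encoded as 0x00
    return out


if __name__ == "__main__":
    # Constructed sample: the GSM SELECT FILE (CLA 0xA0, INS 0xA4) selecting
    # the master file 3F00.
    select_mf = build_apdu(0xA0, 0xA4, 0x00, 0x00, b"\x3f\x00")
    for name, value in parse_apdu(select_mf).items():
        print(f"{name:9}: {value!r}")
```

The case logic is what makes the "P3" byte ambiguous: the same 0x02 in the fifth position is a data length in case 3 and an expected response length in case 2, which is why the README treats p3 as a separate search once CLA, INS, P1 and P2 are fixed.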

  [0x01] Compiling

You need the pcsc-lite library installed, which you can get from

Edit Makefile to your needs and run make.

  [0x02] Command line arguments
        prints a lot of debugging messages to stderr *FIXME*
--undoconly
        only prints a found instruction if it is not an element of the standard
        instruction list
        before iterating through all possible combinations of class and
        instruction-number, typical class/instruction-values are verified for
        After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
        prints out the usage
--chv1 pin1
        a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
        a VERIFY CHV2 instruction with pin2 as argument is executed
--brutep1p2
        finds valid parameter p1 and p2 combinations for the instruction
        the user defined with --cla and --ins.
        For parameter p1 the value 0x00 is assumed.
--brutep3
        finds valid p3 values for the given --cla, --ins, --p1 and --p2
--cla CLASS
        sets the instruction class to CLASS
--ins INS
        sets the instruction-number to INS
--p1 P1
        sets parameter p1 to P1
--p2 P2
        sets parameter p2 to P2
--p3 P3
        sets parameter p3 to P3
  [0x03] Examples
1. ~$ ./thc-smartbrute
        run thcsmartbrute without any arguments to brute force for valid instructions
2. ~$ ./thc-smartbrute --undoconly
        find valid instructions but only print out non-standard instructions
3. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
        find the first two arguments for the GSM instruction SELECT FILE
4. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
        find the 3rd argument for the already found first two arguments
        for the GSM instruction SELECT FILE
  [0x04] Some interesting smartcard links
1. ISO 7816 - the standard for general purpose smartcards

[0x05] Download Link

Grab the latest release thcsmartbrute-1.0.tar.gz

Yours sincerely,

The Hackers Choice

Crack ftp passwords with thc hydra – tutorial

Brute force password cracking

Hydra is a popular password cracking tool that can be used to brute-force many services to find the login password from a given wordlist. It is included in Kali Linux and is in its top 10 tools list. On Ubuntu it can be installed from the Synaptic package manager.

For brute forcing, hydra needs a list of passwords. There are lots of password lists available out there. In this example we are going to use the default password list provided with John the Ripper, which is another password cracking tool. Another password list is available at dazzlepod.

John is pre-installed on Kali Linux and its password list can be found at the following location

/usr/share/john/password.lst

It looks like this

#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: This list is based on passwords most commonly seen on a set of Unix
#!comment: systems in mid-1990's, sorted for decreasing number of occurrences
#!comment: (that is, more common passwords are listed first).  It has been
#!comment: revised to also include common website passwords from public lists
#!comment: of "top N passwords" from major community website compromises that
#!comment: occurred in 2006 through 2010.
#!comment: Last update: 2011/11/20 (3546 entries)

Create a copy of that file on your desktop or any other location and remove the comment lines (all the lines above the password 123456). Now our wordlist of passwords is ready and we are going to use it to brute-force an ftp server and try to crack its password.

Here is the simple command with output

root@kali:~# hydra -t 1 -l admin -P /root/Desktop/password.lst -vV ftp
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra ( starting at 2013-05-13 04:32:18
[DATA] 1 task, 1 server, 3546 login tries (l:1/p:3546), ~3546 tries per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target - login "admin" - pass "123456" - 1 of 3546 [child 0]
[ATTEMPT] target - login "admin" - pass "12345" - 2 of 3546 [child 0]
[ATTEMPT] target - login "admin" - pass "password" - 3 of 3546 [child 0]
[21][ftp] host:   login: admin   password: password
[STATUS] attack finished for (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2013-05-13 04:32:33

Check the line “[21][ftp]”. It shows the username/password combination that worked for the ftp server. Quite easy!
Now let's take a look at the options. The -t option tells hydra how many parallel tasks (threads) to create. In this case I used 1 because many routers cannot handle multiple connections and would freeze or hang for a short while. To avoid this it's better to do 1 attempt at a time. The next option is -l, which gives the username or login to use; in this case it's admin. Next comes the capital -P option, which provides the wordlist to use. Hydra will pick up each line as a single password and try it.

The -v option is for verbose output and the capital -V option shows every password being tried. Last comes the host/IP address, followed by the service to crack.

Brute forcing is the most basic password cracking technique. It works well with devices like routers, which are often still configured with their default passwords. However, when it comes to other systems, brute forcing will not work unless you are very lucky.

Still, brute forcing is good practice for hackers, so keep trying all techniques when attacking a system. So keep hacking!!
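From the defender's side, a run like the one above is loud: thousands of failed logins from one address within seconds, then a single success. The following added example (written for this post, not part of hydra or the original tutorial) flags that pattern in an FTP server log. The log lines are constructed in the style of a vsftpd log, the 10.0.0.x addresses are made up, and the function names parse_line and detect_bruteforce are this example's own.

```python
"""Detect FTP password brute-forcing from server logs (added example, not part
of the original tutorial or of hydra). Sample lines are constructed in the
style of vsftpd's log; adjust LOG_RE for another server's format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six failures in six seconds from 10.0.0.5 followed by a
# successful login (the wordlist contained the password), plus one ordinary
# typo from 10.0.0.9.
SAMPLE_LOG = """\
Mon May 13 04:32:18 2013 [pid 2] [admin] FAIL LOGIN: Client "10.0.0.5"
Mon May 13 04:32:19 2013 [pid 2] [admin] FAIL LOGIN: Client "10.0.0.5"
Mon May 13 04:32:20 2013 [pid 2] [admin] FAIL LOGIN: Client "10.0.0.5"
Mon May 13 04:32:21 2013 [pid 2] [admin] FAIL LOGIN: Client "10.0.0.5"
Mon May 13 04:32:22 2013 [pid 2] [admin] FAIL LOGIN: Client "10.0.0.5"
Mon May 13 04:32:23 2013 [pid 2] [admin] FAIL LOGIN: Client "10.0.0.5"
Mon May 13 04:32:24 2013 [pid 2] [admin] OK LOGIN: Client "10.0.0.5"
Mon May 13 04:40:01 2013 [pid 3] [alice] FAIL LOGIN: Client "10.0.0.9"
Mon May 13 04:40:30 2013 [pid 3] [alice] OK LOGIN: Client "10.0.0.9"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<ip>[^"]+)"'
)


def parse_line(line: str):
    """Return {ts, user, result, ip} for a login line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "user": m["user"],
        "result": m["result"],
        "ip": m["ip"],
    }


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag client IPs with >= threshold failed logins inside a sliding window.

    The result also records whether a successful login from the same IP
    followed the burst, which is the sign that the password was actually found.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)     # ip -> failure timestamps inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "first": None,
                                 "last": None, "flagged": False,
                                 "success_after": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        if ev["result"] == "FAIL":
            s["failures"] += 1
            s["users"].add(ev["user"])
            s["first"] = s["first"] or ev["ts"]
            s["last"] = ev["ts"]
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:
                q.popleft()             # drop failures older than the window
            if len(q) >= threshold:
                s["flagged"] = True
        elif s["flagged"]:
            s["success_after"] = True   # a success after a flagged burst
    return {ip: s for ip, s in stats.items() if s["flagged"]}


if __name__ == "__main__":
    for ip, s in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{ip}: {s['failures']} failed logins for {sorted(s['users'])} "
              f"in {span:.0f}s; success afterwards: {s['success_after']}")
```

The threshold of five failures per minute is deliberately low; the hydra run above produced over 3500 attempts in 15 seconds with -t 1, so even a generous threshold fires, while the single typo from 10.0.0.9 stays quiet. The success_after flag is the line worth paging on.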


Cracking linux password with john the ripper – tutorial

John the ripper – crack passwords

John the Ripper is a popular dictionary-based password cracking tool. It takes a wordlist full of passwords and tries to crack a given password hash using each password from the wordlist. In other words it does brute-force password cracking, the most basic form of password cracking. It is also the most time- and CPU-consuming technique: the more passwords there are to try, the more time is required.

John is different from tools like hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an ftp or telnet server. John, however, needs the hash first, so the greater challenge for a hacker is to first get the hash that is to be cracked. Nowadays hashes are more easily crackable using free rainbow tables available online: just go to one of the sites, submit the hash, and if the hash is of a common word the site will show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database; the larger the database, the more words are covered.

But if you still want to crack a password locally on your system, then john is one of the good tools to try. John is in the top 10 security tools in Kali Linux. On Ubuntu it can be installed from the Synaptic package manager.

In this post I am going to show you how to use the unshadow command along with john to crack the passwords of users on a Linux system. On Linux the username/password details are stored in the following 2 files

/etc/passwd
/etc/shadow

The actual password hash is stored in /etc/shadow and this file is accessible only with root access to the machine. So try to get this file from your own Linux system, or first create a new user with a simple password. I will create a new user on my Linux system named happy, with password chess.

root@kali:~# adduser happy
Adding user `happy' ...
Adding new group `happy' (1001) ...
Adding new user `happy' (1000) with group `happy' ...
Creating home directory `/home/happy' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for happy
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y

For demonstration purposes, it's better to use a simple password so that you do not have to wait too long. Now that our new user is created, it's time to crack his password.


The unshadow command basically combines the data of /etc/passwd and /etc/shadow to create 1 file with username and password details. Usage is quite simple.

root@kali:~# unshadow

root@kali:~# unshadow /etc/passwd /etc/shadow > ~/file_to_crack

We redirected the output of the unshadow command to a new file called file_to_crack.

crack with john

Now this new file shall be cracked by john. For the wordlist we shall be using the password list that comes with john on Kali Linux. It is located at the following path

/usr/share/john/password.lst

You can use your own password lists too.

root@kali:~# john --wordlist=/usr/share/john/password.lst ~/file_to_crack 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 2 password hashes with 2 different salts (sha512crypt [64/64])
chess            (happy)
guesses: 1  time: 0:00:00:21 DONE (Tue May 14 06:47:58 2013)  c/s: 300  trying: sss
Use the "--show" option to display all of the cracked passwords reliably

So in the above command john was able to crack the hash and get us the password “chess” for the user “happy”. Note that john was able to crack it only because the password “chess” was present in the password list. If it were not there, john would have failed.

Use the show option to list all the cracked passwords.

root@kali:~# john --show ~/file_to_crack 

1 password hash cracked, 1 left

The 1 password that was left was that of user root. No password in the provided wordlist could crack it.

Without wordlist

The simpler way to crack passwords with john, without using a password list, is like this

root@kali:~# john  ~/file_to_crack

According to the documentation

This will try "single crack" mode first, then use a wordlist with rules, and finally go for "incremental" mode.

Check the documentation on MODES.
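What unshadow does, and what the hash strings in the resulting file tell you, can be seen in this added example (written for this post, not part of John the Ripper). It merges passwd and shadow content the way unshadow does, then audits each account's hash field, which is the check a defender runs on the same file: empty fields, legacy md5crypt or DES hashes, and accounts with no shadow entry at all. The sample file contents are constructed and the hash values are placeholders, not real hashes of any password; the function names unshadow, classify_hash and audit are this example's own.

```python
"""Merge passwd and shadow like unshadow does, then audit the hash fields
(added example, not part of John the Ripper). Sample content is constructed and
the hash strings are placeholders, not real hashes of any password."""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
happy:x:1000:1001:,,,:/home/happy:/bin/bash
legacy:x:1001:1002::/home/legacy:/bin/bash
nopass:x:1002:1003::/home/nopass:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$EXAMPLESALT$EXAMPLEHASHFORROOT:15838:0:99999:7:::
daemon:*:15838:0:99999:7:::
happy:$6$EXAMPLESALT$EXAMPLEHASHFORHAPPY:15838:0:99999:7:::
legacy:$1$EXAMPLESALT$EXAMPLEHASHFORLEGACY:15838:0:99999:7:::
nopass::15838:0:99999:7:::
"""

# crypt(3) hash identifiers. john reported "sha512crypt" above, i.e. the $6$ form.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

WEAK_HASHES = {"md5crypt", "descrypt"}


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Return passwd lines with the 'x' password field replaced by the shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue                      # not a valid passwd entry
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def classify_hash(field: str) -> str:
    """Name the hash scheme of a shadow password field."""
    if field == "":
        return "empty"                    # no password required at all
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13:
        return "descrypt"                 # traditional DES crypt, 13 chars
    return "unknown"                      # includes a leftover 'x' placeholder


def audit(merged_lines) -> dict:
    """Map each account with an empty, weak or unrecognised hash to the reason."""
    findings = {}
    for line in merged_lines:
        user, field = line.split(":")[:2]
        kind = classify_hash(field)
        if kind in WEAK_HASHES or kind in ("empty", "unknown"):
            findings[user] = kind
    return findings


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, reason in audit(merged).items():
        print(f"{user}: {reason}")
```

In the constructed sample, root and happy carry $6$ hashes (the sha512crypt john loaded above) and are not reported, daemon is locked, legacy still has an md5crypt hash, and nopass has an empty field, which means no password is needed at all; those last two are what the audit prints.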


MASSIVE COLLECTIONS: Awesome, Awesome All, Awesome-Awesome, Awesome-Awesomes, Awesome Awesomeness, Awesome-Collection, Lists, Lists Of Github Lists, List of Lists, Must-Watch-List and Wiki China Lists


A curated list of awesome lists
For more info check:


Programming languages

Front-end development

Back-end development

Computer science

Big data



Awesome All

A curated list of all the awesome lists of awesome frameworks, libraries and software
For more info check:


Please take a quick gander at the contribution guidelines first. Thanks to all contributors; you rock!



A curated list of awesome curated lists! Inspired by inspiration.
For more info check:

Awesome Awesome

A curated list of amazingly awesome curated lists of amazingly awesome libraries, resources and shiny things for various languages and frameworks.
For more info check:



Common Lisp










Awesome collection of awesome lists of libraries, tools, frameworks and software for any programming language, or closely related :D
For more info check:

Feel free to add new lists or categories! Remember, it's not mandatory that the name starts with awesome- ;)

Programming languages | Frameworks, platforms, etc | Related and useful

Programming Languages


  • Awesome C – A curated list of awesome C libraries, frameworks and other shinies.


  • Awesome Clojure – A curated list of awesome clojure libraries and software

Common Lisp

  • Awesome Common Lisp – A curated list of awesome Common Lisp libraries, software and other shinies.


  • Awesome D – A curated list of awesome D documents, frameworks, libraries and software


  • Awesome Elixir – A curated list of amazingly awesome Elixir libraries, resources and shiny things



  • Awesome Go – A curated list of awesome Go frameworks, libraries and software


  • Awesome Haskell – A curated list of awesome Haskell frameworks, libraries and software



  • Awesome JavaScript – A curated list of amazingly awesome browser-side JavaScript libraries, resources and shiny things


  • Awesome PHP – A curated list of amazingly awesome PHP libraries, resources and shiny things


  • Awesome Python – A curated list of awesome Python frameworks, libraries and software



  • Awesome Scala – A curated list of awesome Scala frameworks, libraries and software

Frameworks, platforms, etc



  • Awesome Node.js – A curated list of astonishing Node.js frameworks, libraries and resources

Ruby on Rails

  • Awesome Rails – A curated list of amazingly awesome open source rails related resources


Related and useful



  • Awesome Dev Env – A curated list of awesome tools, resources and workflow tips making an awesome development environment.


  • Awesome Shell – A curated list of awesome command-line frameworks, toolkits, guides and gizmos


  • Awesome Sysadmin – A curated list of amazingly awesome open source sysadmin resources


  • Awesome Talks – List of online talks that you would love to watch


  • Awesome Machine Learning – A curated list of awesome machine learning frameworks, libraries and software (by language).


  • Awesome Awesomes – This one!! ;) Awesome collection of awesome lists of libraries, tools, frameworks and software for any programming language :D
  • Awesome Awesomeness – A curated list of awesome awesomeness
  • Awesome Awesome – A curated list of awesome curated lists! Inspired by inspiration

Awesome Awesomeness

A curated list of amazingly awesome awesomeness. Also available on:
And Github:

Awesome Awesome

A curated list of awesome curated lists of many topics, which can also be found on:

Computer management

  • awesome-shell – Command-line frameworks, toolkits, guides and gizmos.
  • awesome-sysadmin – Backups, configuration management, DNS, IMAP/POP3, LDAP, monitoring, SSH, statistics, troubleshooting, virtualization, VPN and more.

Data processing

Programming languages

  • awesome-clojure – Package management, audio, HTTP, database, websocket and testing.
  • awesome-c – C frameworks, libraries, resources and other cool stuff.
  • awesome-cpp – C/C++ frameworks, libraries, and resources.
  • awesome-cobol – Web frameworks, template engine, forms, authentication & OAuth, database, e-mail, messaging, imagery, text processing, machine learning, testing, audio, video and logging.
  • awesome-common-lisp – Common Lisp frameworks, libraries, resources and other shinies.
  • awesome-d – Build tools, compilers, IDE, GUI, database clients.
  • awesome-elixir – Elixir libraries, resources and shiny things.
  • awesome-go – Go frameworks, libraries and software.
  • awesome-java – Build tool, code analysis, database, GUI, IDE, JSON, machine learning, PDF, science, testing and web crawling.
  • awesome-javascript – JavaScript libraries, resources and shiny things.
  • awesome-julia – List of Julia resources and packages.
  • awesome-perl – Benchmarks, databases, images, logging, profiling, testing, text processing and web frameworks.
  • awesome-php – Frameworks, templating, URL, e-mail, files, imagery, testing, security, documentation, geolocation, date, PDF, search and authentication.
  • awesome-python – Files, dates, text processing, NLP, imagery, audio, video, geolocation, web frameworks, OAuth, web crawling, networking, GUI, game development, testing, science and data analysis and machine learning.
  • [awesome-R] – Not yet! Do it yourself!
  • awesome-ruby – Ruby libraries, tools, frameworks and software
  • awesome-scala – Scala frameworks, libraries and software.
  • awesome-swift – Swift documentation, projects, tutorials, updates, etc


  • [awesome-biology] – Not yet! Do it yourself!
  • [awesome-chemistry] – Not yet! Do it yourself!
  • [awesome-geography] – Not yet! Do it yourself!
  • [awesome-math] – Not yet! Do it yourself!
  • [awesome-physics] – Not yet! Do it yourself!

Web browsers

  • [awesome-firefox] – Not yet! Do it yourself!


  • [awesome-github] – Not yet! Do it yourself!
  • [awesome-flickr] – Not yet! Do it yourself!
  • [awesome-twitter] – Not yet! Do it yourself!
  • awesome-wikipedia – Datasets, frameworks, libraries and other software related to Wikipedia.
  • [awesome-youtube] – Not yet! Do it yourself!

Web platforms


  • [awesome-music] – Not yet! Do it yourself!


a list of awesome repos
For more info check:

awesome lists

  • Awesome – A curated list of awesome lists
  • awesome-all – A curated list of awesome lists of awesome frameworks, libraries and software
  • awesome-awesome by @emijrp – A curated list of awesome curated lists of many topics.
  • awesome-awesome by @erichs – A curated list of awesome curated lists! Inspired by inspiration.
  • awesome-awesome by @oyvindrobertsen – A curated list of curated lists of libraries, resources and shiny things for various languages.
  • awesome-awesomeness – A curated list of awesome awesomeness
  • awesome-awesomes – Awesome collection of awesome lists of libraries, tools, frameworks and software for any programming language
  • lists – The definitive list of (awesome) lists curated on GitHub. (comment: No awesome, but more awesome)

Programming languages



The definitive list of (awesome) lists curated on GitHub.
For more info check:
List of useful, silly and awesome lists curated on GitHub. Contributions welcome!




Lists of lists

  • awesome – A curated list of awesome lists.
  • awesome-all – A curated list of awesome lists of awesome frameworks, libraries and software
  • awesome-awesome by @emijrp – A curated list of awesome curated lists of many topics.
  • awesome-awesome by @erichs – A curated list of awesome curated lists! Inspired by inspiration.
  • awesome-awesome by @oyvindrobertsen – A curated list of curated lists of libraries, resources and shiny things for various languages.
  • awesome-awesomeness – A curated list of awesome awesomeness
  • awesome-awesomes – Awesome collection of awesome lists of libraries, tools, frameworks and software for any programming language
  • awesome-collection – A list of awesome repos.
  • ListOfGithubLists – List of github lists
  • list-of-lists – A meta list of lists of useful open source projects and developer tools.
  • must-watch-list – List of must-watch lists.
  • this one
  • wiki In Chinese – A curated list of awesome lists.

Lists of lists of lists

Lists of lists of lists of lists

Lists of lists of lists of lists of lists

List of github lists

Creating a github list is so trendy nowadays, so here’s another one.
For more info check:

Pull requests are welcome



A meta list of lists of useful open source projects and developer tools
For more info check:


Frameworks / Libraries


Other lists of lists



A list of must-watch lists
For more info check:

Overview of all lists from this post:
Awesome All:
Awesome Awesome:
Awesome Awesome:
List Of Github Lists:
Wiki China Lists:

Awesome-Awesomeness (zeef):


Conventional WPA2 attacks work by listening for a handshake between a client and an Access Point. This full four-way handshake is then used in a dictionary attack. This tool is a Proof of Concept to show that it is not necessary to have the Access Point present. A person can simply listen for WPA2 probes from any client within range and then throw up an Access Point with that SSID. Though the authentication will fail, there is enough information in the failed handshake to run a dictionary attack against it.

More info on: