Lanman Brute-Force Password Recovery
This set of FPGA cores and software provides a mechanism for fast brute-forcing of the password keyspace for Lanman hashes, which are commonly found on Windows machines. It includes a modified DES core (original core provided by Rudolf Usselmann of OpenCores.org and ASICS.ws) and a key generator and comparator engine. The engine scales from cracking 128 password hashes in parallel down to 2, with varying cracking rates:
| Hashes | Cooling | Clock Speed | Cores | Keys per Sec | Key Checks per Sec |
|---|---|---|---|---|---|
| 128 | Yes | 175 MHz | 1 | 175,000,000 | 22,400,000,000 |
| 128 | No | 125 MHz | 1 | 125,000,000 | 16,000,000,000 |
| 2 | Yes | 175 MHz | 3 | 525,000,000 | 1,050,000,000 |
| 2 | No | 125 MHz | 3 | 375,000,000 | 750,000,000 |
NTLM Brute-Force Password Recovery
This implementation is very similar to the Lanman one, but it incorporates a custom MD4 core with a custom NTLM password generator and cracks full 128-bit hashes instead of the 64-bit Lanman hash pairs. Because MD4 requires more gates than DES, we were only able to fit 32 compares on our slower cracking engine. For cracking only one hash, there is an optimized version that uses 3 MD4 cores to crack 3x faster.
| Hashes | Cooling | Clock Speed | Cores | Keys per Sec | Key Checks per Sec |
|---|---|---|---|---|---|
| 32 | Yes | 175 MHz | 1 | 175,000,000 | 5,600,000,000 |
| 32 | No | 125 MHz | 1 | 125,000,000 | 4,000,000,000 |
| 1 | Yes | 175 MHz | 3 | 525,000,000 | 525,000,000 |
| 1 | No | 125 MHz | 3 | 375,000,000 | 375,000,000 |
Chipper Software
To talk to the Lanman cores, we've created a software interface that currently works under Linux 2.4 and Windows. It reads in a pwdump file, computes the proper keyspace division calculations, and starts up the cards for cracking the hashes. It consists of a basic wxWidgets-based interface and a command-line version for scripting jobs. The Windows version ships standard with the Pico E-12 LO. See picocomputing.com for more information about ordering the Pico E-12 LO and the Windows version.
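The rates in the tables above follow a simple model (one key per clock per core, each key compared against every loaded hash), which is enough to estimate how long a 7-character Lanman half can withstand exhaustive search and how dividing the keyspace across cards changes that. This is an added example, not code from Chipper; the 69-character set, the function names and the even split across cards are assumptions.

```python
"""Throughput model read off the tables, plus keyspace division (added example)."""

LM_HALF_LEN = 7     # Lanman hashes each 7-character half of the password separately
CHARSET_SIZE = 69   # assumption: 95 printable ASCII characters minus 26 lowercase


def keys_per_sec(clock_hz, cores):
    # The table rows match one candidate key per clock cycle per core.
    return clock_hz * cores


def key_checks_per_sec(clock_hz, cores, hashes):
    # Every generated key is compared against all loaded hashes.
    return keys_per_sec(clock_hz, cores) * hashes


def half_keyspace(charset=CHARSET_SIZE, max_len=LM_HALF_LEN):
    # Number of candidates of length 1..max_len over the assumed charset.
    return sum(charset ** n for n in range(1, max_len + 1))


def split_keyspace(total, cards):
    """Contiguous half-open index ranges whose sizes differ by at most one."""
    base, extra = divmod(total, cards)
    ranges, start = [], 0
    for i in range(cards):
        size = base + (1 if i < extra else 0)
        ranges.append((start, start + size))
        start += size
    return ranges


def worst_case_hours(clock_hz, cores, cards=1, charset=CHARSET_SIZE):
    # The card holding the largest range determines the finish time.
    ranges = split_keyspace(half_keyspace(charset), cards)
    largest = max(end - start for start, end in ranges)
    return largest / keys_per_sec(clock_hz, cores) / 3600


if __name__ == "__main__":
    # Rows taken from the Lanman table: (hashes, clock in Hz, cores).
    for hashes, clock, cores in [(128, 175_000_000, 1), (2, 175_000_000, 3)]:
        checks = key_checks_per_sec(clock, cores, hashes)
        for cards in (1, 4):
            hours = worst_case_hours(clock, cores, cards)
            print(f"{hashes:>3} hashes, {cards} card(s): "
                  f"{checks:,} checks/s, full sweep in {hours:.1f} h")
```

Under these assumptions a single card sweeps every possible Lanman half in about half a day regardless of how many hashes are loaded, which is why password length and complexity rules cannot compensate for storing Lanman hashes at all.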