Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Jun 2017 20:39:17 +0200
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Cc: apingis@...nwall.net
Subject: Re: DES-based crypt(3) cracking on ZTEX 1.15y FPGA boards (descrypt-ztex)

On Sun, Nov 06, 2016 at 03:06:53PM +0100, Solar Designer wrote:
> A couple of weeks ago, we merged into bleeding-jumbo this pull request
> by Denis:
> 
> https://github.com/magnumripper/JohnTheRipper/pull/2307
> 
> with some implementation detail described here:
> 
> http://www.openwall.com/lists/john-dev/2016/10/12/1
> 
> This implements descrypt aka traditional DES-based crypt(3) hash
> cracking on ZTEX 1.15y quad Spartan-6 LX150 FPGA boards.  Some of you in
> here have these or compatibles (such as the US clones of the originally
> German ZTEX boards).  Most of these boards previously worked as Bitcoin
> miners, and were then resold on eBay and such at a fraction of the
> original price.  Those we bought for development cost us between 100 EUR
> (lately) and 250 EUR each (earlier).  They became rare on eBay now, but
> I guess some asking around in cryptocurrency forums will do the trick
> since there were a lot of those boards around, and only a fraction ever
> reached eBay.  ZTEX itself does not sell them anymore.
> 
> As implemented by Denis, the "descrypt-ztex" format supports "mask mode"
> (with on-device mask), hybrid modes (where you add a mask on top of
> another mode, referring to the previous mode's generated portions of
> candidate passwords with the "?w" mask), up to 2047 hashes per salt
> (with on-device comparator) so up to a few million hashes loaded total
> perhaps (given a good salt distribution), and it can work with one or
> multiple ZTEX boards at once.

Besides his recently committed work on bcrypt-ztex Denis has also been
trying to redesign descrypt-ztex.  While his attempts were promising
(with ~50% greater expected speeds), they mostly failed so far with
difficult to debug issues.  Given the low demand for any of this (with
it being mostly an experiment), I asked Denis that rather than keep
trying to get much better speeds he gathers whatever minor optimizations
he could get working quickly and commits those - and he did.  The result
is a design that should run approx. 19/17 times = ~12% faster, and can
be overclocked slightly (5% or so) on top of that.  This went into
bleeding-jumbo earlier today, and we welcome testing by others (Royce?)

> Performance is up to about 740M hash computations per second (with room
> for further improvement).

I am now getting ~806M c/s at standard clocks, ~840M at 5% overclocking
(which appears stable on this board, but YMMV).  This is with the same
Qubes USB pass-through as I described for my bcrypt-ztex testing here:

http://www.openwall.com/lists/john-users/2017/06/25/1

Performance should be higher without the virtualization (or with USB
controller pass-through rather than individual device proxying).

The overclocking is done through editing two clock rates (separately for
the pipelined DES rounds and for the comparators) in the "[ZTEX:descrypt]"
section in john.conf.

Last time, one of the tests I ran was:

> $ ./john -form=descrypt-ztex -inc=alpha -min-len=8 -max-len=8 -mask='?w?l?l?l?l' pw-fake-unix
> 1 device(s) ZTEX 1.15y ready
> SN: XXXXXXXXXX productId: 10.15.0.0 "inouttraffic UFM 1.15y" busnum:2 devnum:36 
> Using default input encoding: UTF-8
> Loaded 3269 password hashes with 2243 different salts (descrypt-ztex, traditional crypt(3) [DES ZTEX])
> Remaining 3268 password hashes with 2243 different salts
> Warning: Slow communication channel to the device. Increase mask or expect performance degradation.
> Press 'q' or Ctrl-C to abort, almost any other key for status
> 0g 0:00:00:10  0g/s 0p/s 745784Kc/s 1067MC/s loveaaaa..loveaays
> 0g 0:00:00:15  0g/s 0p/s 740910Kc/s 1072MC/s loveaaaa..loveaays
> pinkfloy         (u1273-des)
> 1g 0:00:00:18  0.05497g/s 0p/s 739285Kc/s 1064MC/s loveaaaa..loveaays
> 1g 0:00:00:23  0.04317g/s 0p/s 737519Kc/s 1087MC/s loveaaaa..loveaays
> bluefish         (u947-des)
> 2g 0:00:00:29  0.06870g/s 0p/s 736204Kc/s 1124MC/s loveaaaa..loveaays
> 2g 0:00:00:36  0.05515g/s 0p/s 739285Kc/s 1072MC/s loveaaaa..loveaays
> blueeyes         (u1774-des)
> 3g 0:00:00:40  0.07457g/s 0p/s 738473Kc/s 1085MC/s loveaaaa..loveaays
> mattingl         (u2361-bigcrypt:1)
> 4g 0:00:01:09  0.05787g/s 0p/s 735400Kc/s 1046MC/s loveaaaa..loveaays
> lissabon         (u2310-des)
> password         (u2-des)
> blowfish         (u946-des)
> jeanette         (u660-des)
> bluebird         (u363-des)
> pinkfloy         (u1273-bigcrypt:1)
> maryjane         (u297-des)
> poohbear         (u102-des)
> 12g 0:00:03:19  0.06022g/s 0p/s 735570Kc/s 1054MC/s love####..luku####
> Warning: passwords printed above might be partial
> Use the "--show" option to display all of the cracked passwords reliably
> Session aborted
> 
> Indeed, these passwords are easier crackable with a wordlist, but this
> is just a test.
> 
> The reported ranges of candidates being tested look off (stuck at "love"
> for the first 4 chars here).  I guess this is not fully implemented yet,
> and I recall Denis mentioning related implementation difficulties to me.
> But it shouldn't hurt actual cracking.

I wrongly used -inc=alpha (52 characters) instead of -inc=lower (would
be 26 characters), which is inconsistent with the mask for the remainder
of the passwords.  Luckily, incremental mode ordered candidate passwords
such that this almost didn't matter.  Anyway, here's the same slightly
weird test repeated now, with the new design and the virtualized setup:

$ ./john -form=descrypt-ztex -inc=alpha -min-len=8 -max-len=8 -mask='?w?l?l?l?l' pw-fake-unix
SN XXXXXXXXXX: uploading bitstreams.. ok
ZTEX XXXXXXXXXX bus:2 dev:7 Frequency:220,160 220,160 220,160 220,160 
Using default input encoding: UTF-8
Loaded 3269 password hashes with 2243 different salts (descrypt-ztex, traditional crypt(3) [DES ZTEX])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07  0g/s 0p/s 814722Kc/s 1211MC/s loveaaaa..loveaays
pinkfloy         (u1273-des)
1g 0:00:00:16  0.06230g/s 0p/s 804277Kc/s 1151MC/s loveaaaa..loveaays
bluefish         (u947-des)
blueeyes         (u1774-des)
mattingl         (u2361-bigcrypt:1)
4g 0:00:00:42  0.09489g/s 0p/s 807759Kc/s 1180MC/s loveaaaa..loveaays
lissabon         (u2310-des)
password         (u2-des)
blowfish         (u946-des)
jeanette         (u660-des)
bluebird         (u363-des)
pinkfloy         (u1273-bigcrypt:1)
maryjane         (u297-des)
poohbear         (u102-des)
[...]
beautifu         (u545-des)
starbuck         (u2713-des)
starwars         (u797-des)
shanghai         (u2653-des)
49g 0:00:20:13 0.01% (ETA: 2017-12-06 21:35) 0.04038g/s 241068p/s 805664Kc/s 1172MC/s sepeaaaa..sepeaays
jethrotu         (u1131-bigcrypt:1)
monopoly         (u716-des)
alexande         (u160-des)
[...]
supersta         (u2745-des)
superfly         (u1377-des)
bernardo         (u1740-des)
87g 0:00:49:48 0.03% (ETA: 2017-10-20 10:24) 0.02911g/s 342554p/s 805892Kc/s 1168MC/s surf####..miri####
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

As you can see, the first 12 passwords cracked are the same (I didn't
record more of them for this test the last time), and the speed is up
from 736M to 806M.

5% overclocking:

$ ./john -form=descrypt-ztex -inc=alpha -min-len=8 -max-len=8 -mask='?w?l?l?l?l' pw-fake-unix
ZTEX XXXXXXXXXX bus:2 dev:7 Frequency:231,168 231,168 231,168 231,168 
Using default input encoding: UTF-8
Loaded 3269 password hashes with 2243 different salts (descrypt-ztex, traditional crypt(3) [DES ZTEX])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03  0g/s 0p/s 822556Kc/s 1233MC/s loveaaaa..loveaays
pinkfloy         (u1273-des)
bluefish         (u947-des)
blueeyes         (u1774-des)
mattingl         (u2361-bigcrypt:1)
lissabon         (u2310-des)
password         (u2-des)
blowfish         (u946-des)
jeanette         (u660-des)
bluebird         (u363-des)
pinkfloy         (u1273-bigcrypt:1)
maryjane         (u297-des)
poohbear         (u102-des)
12g 0:00:03:16  0.06116g/s 0p/s 841581Kc/s 1213MC/s loveaaaa..loveaays
[...]
25g 0:00:08:47 0.00% (ETA: 2017-11-15 21:59) 0.04742g/s 277375p/s 839101Kc/s 1213MC/s babs####..seto####
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

The same passwords cracked (until I interrupted this), but the speed is
up to 839M.

With -inc=lower, standard clocks:

$ ./john -form=descrypt-ztex -inc=lower -min-len=8 -max-len=8 -mask='?w?l?l?l?l' pw-fake-unix
ZTEX XXXXXXXXXX bus:2 dev:7 Frequency:220,160 220,160 220,160 220,160 
Using default input encoding: UTF-8
Loaded 3269 password hashes with 2243 different salts (descrypt-ztex, traditional crypt(3) [DES ZTEX])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12  0g/s 0p/s 804277Kc/s 1157MC/s loveaaaa..loveaays
pinkfloy         (u1273-des)
bluefish         (u947-des)
blueeyes         (u1774-des)
mattingl         (u2361-bigcrypt:1)
lissabon         (u2310-des)
password         (u2-des)
blowfish         (u946-des)
jeanette         (u660-des)
bluebird         (u363-des)
pinkfloy         (u1273-bigcrypt:1)
maryjane         (u297-des)
poohbear         (u102-des)
[...]
brewster         (u1794-des)
99g 0:00:49:45 0.49% (ETA: 2017-07-06 17:59) 0.03316g/s 342899p/s 806212Kc/s 1168MC/s lynnaaaa..lynnaays
superman         (u334-des)
100g 0:00:54:43 0.56% (ETA: 2017-07-06 11:37) 0.03045g/s 356327p/s 806126Kc/s 1168MC/s suno####..jmbp####
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

Overclocked:

$ ./john -form=descrypt-ztex -inc=lower -min-len=8 -max-len=8 -mask='?w?l?l?l?l' pw-fake-unix
ZTEX XXXXXXXXXX bus:2 dev:7 Frequency:231,168 231,168 231,168 231,168 
Using default input encoding: UTF-8
Loaded 3269 password hashes with 2243 different salts (descrypt-ztex, traditional crypt(3) [DES ZTEX])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:08  0g/s 0p/s 840835Kc/s 1188MC/s loveaaaa..loveaays
pinkfloy         (u1273-des)
bluefish         (u947-des)
blueeyes         (u1774-des)
mattingl         (u2361-bigcrypt:1)
lissabon         (u2310-des)
password         (u2-des)
blowfish         (u946-des)
jeanette         (u660-des)
bluebird         (u363-des)
pinkfloy         (u1273-bigcrypt:1)
maryjane         (u297-des)
poohbear         (u102-des)
12g 0:00:02:52  0.06971g/s 0p/s 838285Kc/s 1200MC/s loveaaaa..loveaays
[...]
brewster         (u1794-des)
99g 0:00:47:39 0.49% (ETA: 2017-07-06 09:17) 0.03462g/s 358015p/s 840055Kc/s 1217MC/s lynnaaaa..lynnaays
superman         (u334-des)
100g 0:00:52:15 0.56% (ETA: 2017-07-06 02:43) 0.03189g/s 373136p/s 839891Kc/s 1218MC/s sunoaaaa..sunoaays
pipeline         (u2514-des)
[...]
commande         (u1001-des)
155g 0:01:30:24 0.98% (ETA: 2017-07-06 00:57) 0.02857g/s 377435p/s 839110Kc/s 1213MC/s toahaaaa..toahaays
teddybea         (u1387-des)
156g 0:01:31:01 0.98% (ETA: 2017-07-06 02:00) 0.02856g/s 374877p/s 839101Kc/s 1212MC/s toah####..kync####
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

The first 100 guesses are the same (I didn't run the non-oc session
further), and the speed was 840M at that point, decreasing to 839M
later (perhaps because of changes in activity on the host machine).

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.