Cracking JOOMLA salted hash with hashcat(cudaHashcat-plus)

The site has moved to the root domain, where all posts have been imported. Please go to

Hashcat is the fastest hash cracker. Hashcat really is the best hash cracking tool I have ever seen. You can compare this tool with other tools and you will see what I mean. I rarely use any tool other than hashcat to crack hashes. Today I will show you how we can crack Joomla hashes. My system uses Optimus technology. If your computer also uses Optimus, then you need to install Bumblebee:
science@BAD-LUCK:~/tools$ mkdir tools
science@BAD-LUCK:~/tools$ cd tools
science@BAD-LUCK:~/tools$ wget -c
science@BAD-LUCK:~/tools$ 7z x *
science@BAD-LUCK:~/tools$ cd oclHashcat-*
Note: I renamed my oclHashcat folder
science@BAD-LUCK:~/tools/hashcat-plus$ ls
cudaExample400.cmd cudaHashcat-plus32.exe example0.hash hashcat.pot oclHashcat-plus64.bin
charsets cudaHashcat-plus64.bin example400.hash kernels oclExample500.cmd oclHashcat-plus64.exe
cudaExample500.cmd cudaHashcat-plus64.exe example500.hash oclExample0.cmd pass.txt
cudaExample0.cmd docs example.dict oclHashcat-plus32.bin rules cudaHashcat-plus32.bin eula.accepted hashcat.hcstat oclExample400.cmd oclHashcat-plus32.exe vclHashcat-plus64.bin
The 7z archive contains hashcat for both Windows and Linux (32- and 64-bit). The plus32.bin and plus64.bin files are the 32-bit and 64-bit Linux builds, and the .exe files are for Windows. So we need cudaHashcat-plus64.bin.
Now let's look at all the options:
science@BAD-LUCK:~/tools/hashcat-plus$ optirun ./cudaHashcat-plus64.bin --help
cudaHashcat-plus, advanced password recovery
Usage: cudaHashcat-plus [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...
* General:
-m, --hash-type=NUM Hash-type, see references below
-a, --attack-mode=NUM Attack-mode, see references below
-V, --version Print version
-h, --help Print help
--eula Print EULA
--quiet Suppress output
* Misc:
--runtime=NUM Abort session after NUM seconds of runtime
--hex-salt Assume salt is given in hex
--hex-charset Assume charset is given in hex
--force Ignore warnings
* Markov:
--markov-hcstat Specify hcstat file to use, default is hashcat.hcstat
--markov-disable Disables markov-chains, emulates classic brute-force
--markov-classic Enables classic markov-chains, no per-position enhancement
-t, --markov-threshold=NUM Threshold when to stop accepting new markov-chains
* Files:
-o, --outfile=FILE Define outfile for recovered hash
--outfile-format=NUM Define outfile-format for recovered hash, see references below
-p, --seperator=CHAR Define seperator char for hashlists and outfile
--show Show cracked passwords only
--left Show un-cracked passwords only
--username Enable ignoring of usernames in hashfile
--remove Enable remove of hash once it is cracked
--disable-potfile Do not write potfile
* Resources:
-c, --segment-size=NUM Size in MB to cache from the wordfile
--cpu-affinity=STR Locks to CPU devices, seperate with comma
--gpu-async Use non-blocking async calls (NV only)
-d, --gpu-devices=STR Devices to use, separate with comma
-n, --gpu-accel=NUM Workload tuning: 1, 8, 40, 80, 160
--gpu-loops=NUM Workload fine-tuning: 8 - 1024
--gpu-temp-disable Disable temperature and fanspeed readings and triggers
--gpu-temp-abort=NUM Abort session if GPU temperature reaches NUM degrees celsius
--gpu-temp-retain=NUM Try to retain GPU temperature at NUM degrees celsius (AMD only)
* Rules:
-j, --rule-left=RULE Single rule applied to each word from left dict
-k, --rule-right=RULE Single rule applied to each word from right dict
-r, --rules-file=FILE Rules-file, multi use: -r 1.rule -r 2.rule
-g, --generate-rules=NUM Generate NUM random rules
--generate-rules-func-min=NUM Force NUM functions per random rule min
--generate-rules-func-max=NUM Force NUM functions per random rule max
* Custom charsets:
-1, --custom-charset1=CS User-defined charsets
-2, --custom-charset2=CS Example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef
-4, --custom-charset4=CS Sets charset ?1 to 0123456789abcdef
* Increment:
-i, --increment Enable increment mode
--increment-min=NUM Start incrementing at NUM
--increment-max=NUM Stop incrementing at NUM
* Outfile Formats:
1 = hash[:salt]
2 = plain
3 = hash[:salt]:plain
4 = hex_plain
5 = hash[:salt]:hex_plain
6 = plain:hex_plain
7 = hash[:salt]:plain:hex_plain
* Built-in charsets:
?l = abcdefghijklmnopqrstuvwxyz
?d = 0123456789
?a = ?l?u?d?s
?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from german alphabet
?F = 8 bit characters from french alphabet
?R = 8 bit characters from russian alphabet
* Attack modes:
0 = Straight
1 = Combination
3 = Brute-force
6 = Hybrid dict + mask
7 = Hybrid mask + dict
* Generic hash types:
0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
130 = sha1(unicode($pass).$salt)
140 = sha1($salt.unicode($pass))
300 = MySQL
400 = phpass, MD5(WordPress), MD5(phpBB3)
500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials, mscash
1400 = SHA256
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1500 = descrypt, DES(Unix), Traditional DES
1600 = md5apr1, MD5(APR), Apache MD5
1700 = SHA512
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1800 = sha512crypt, SHA512(Unix)
2100 = Domain Cached Credentials2, mscash2
2400 = Cisco-PIX MD5
2500 = WPA/WPA2
2600 = Double MD5
3000 = LM
3100 = Oracle 7-10g, DES(Oracle)
3200 = bcrypt, Blowfish(OpenBSD)
* Specific hash types:
11 = Joomla
21 = osCommerce, xt:Commerce
101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
112 = Oracle 11g
121 = SMF > v1.1
122 = OSX v10.4, v10.5, v10.6
131 = MSSQL(2000)
132 = MSSQL(2005)
141 = EPiServer 6.x
1722 = OSX v10.7
2611 = vBulletin < v3.8.5
2711 = vBulletin > v3.8.5
2811 = IPB2+, MyBB1.2+
Ah, lots of options can be used!
We need only a few of them:
-a // attack mode
-m // hash type (11)
--increment // needed to try all lengths
--increment-min // minimum length to start from
--increment-max // maximum length
-o // output file for the cracked hashes
path/target/hash/file // where the hash file is located
-1 // custom charset used by the mask
So we need something like:
-a 3
-m 11
-o cracked.txt
-1 ?l?u ?1?1?1?1?1?1?1?1?1?1
Here ?l = a-z and ?u = A-Z, which are declared with the -1 option (the run below declares ?l?d, a-z plus 0-9, instead), and the trailing ?1?1?1?1?1?1?1?1?1?1 sets how many positions are tested, in our case 10.
So, all in one:
science@BAD-LUCK:~/tools/hashcat-plus$ optirun ./cudaHashcat-plus64.bin -a 3 -m 11 --increment --increment-min=4 --increment-max=10 -o crack/cracked.txt crack/hash.txt -1 ?l?d ?1?1?1?1?1?1?1?1?1?1
cudaHashcat-plus v0.09 by atom starting...
Hashes: 166 total, 166 unique salts, 166 unique digests
Bitmaps: 11 bits, 2048 entries, 0x000007ff mask, 8192 bytes
Workload: 256 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GT 525M, 1023MB, 1200Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0010_a3.sm_21.ptx
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
hashcat is now trying to crack the hashes. If you type s, you will see hashcat's progress. For example:
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 58 secs
Time.Left....: 3 secs
Time.Util....: 58232.2ms/203.6ms Real/CPU, 0.4% idle
Speed........: 159.6M c/s Real, 160.3M c/s GPU
Recovered....: 2/166 Digests, 2/166 Salts
Progress.....: 9404743680/10037385216 (93.70%)
Rejected.....: 109117440/9404743680 (1.16%)
HWMon.GPU.#1.: -1% Util, 69c Temp, -1% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 6 mins, 3 secs
Time.Left....: 26 mins, 53 secs
Time.Util....: 363169.9ms/188.2ms Real/CPU, 0.1% idle
Speed........: 168.7M c/s Real, 168.8M c/s GPU
Recovered....: 14/166 Digests, 14/166 Salts
Progress.....: 64146636800/361345867776 (17.75%)
Rejected.....: 2866544640/64146636800 (4.47%)
HWMon.GPU.#1.: -1% Util, 74c Temp, -1% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 1 min, 21 secs
Time.Left....: 19 hours, 12 mins
Time.Util....: 81672.0ms/194.0ms Real/CPU, 0.2% idle
Speed........: 168.6M c/s Real, 169.1M c/s GPU
Recovered....: 17/166 Digests, 17/166 Salts
Progress.....: 17595105280/13008451239936 (0.14%)
Rejected.....: 3822059520/17595105280 (21.72%)
HWMon.GPU.#1.: -1% Util, 73c Temp, -1% Fan

The status says 17 hashes have been cracked already. So:
science@BAD-LUCK:~/tools/hashcat-plus$ cat crack/cracked.txt
Enjoy cracking!!!
Posted on sysexploits too
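
The Progress totals in the status output above follow directly from the charset, the mask length and the number of salts. The following added example (Python, not part of the original post or of hashcat) reproduces them for -1 ?l?d with 166 unique salts and shows how the time to exhaust each length grows at the observed rate, which is what a password-length policy has to be sized against. The 168.6M c/s rate is taken from the status output; the sample password and salt are constructed.

```python
import hashlib

# Built-in hashcat charsets referenced on this page.
BUILTIN = {"l": "abcdefghijklmnopqrstuvwxyz",
           "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
           "d": "0123456789"}

def expand_charset(spec):
    """Expand a -1 definition such as '?l?d' into the set of characters it covers."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and spec[i + 1:i + 2] in BUILTIN:
            chars.update(BUILTIN[spec[i + 1]])
            i += 2
        else:
            chars.add(spec[i])  # literal character
            i += 1
    return chars

def work_per_length(custom1, min_len, max_len, salts):
    """Hash computations needed for each increment length of a ?1?1...?1 mask.

    Every hash in the session has its own salt, so each candidate password
    must be hashed once per salt: work = len(charset)^length * salts.
    """
    size = len(expand_charset(custom1))
    return {n: size ** n * salts for n in range(min_len, max_len + 1)}

def hours_needed(work, rate_per_second):
    """Wall-clock hours to exhaust `work` computations at the given rate."""
    return work / rate_per_second / 3600

def joomla_hash(password, salt):
    """Legacy Joomla format (hashcat -m 11): md5(password + salt), stored as hash:salt."""
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt

def verify(password, stored):
    """Check a password against a stored hash:salt string."""
    _, salt = stored.split(":", 1)
    return joomla_hash(password, salt) == stored

if __name__ == "__main__":
    # Values from the session above: -1 ?l?d, lengths 4-10, 166 unique salts,
    # about 168.6M c/s on the GeForce GT 525M.
    for n, work in work_per_length("?l?d", 4, 10, 166).items():
        print(f"len {n:2}: {work:>22,} hashes {hours_needed(work, 168.6e6):14.1f} h")
    sample = joomla_hash("abc123", "CONSTRUCTEDsalt0123456789abcdef0")  # constructed
    print(sample, verify("abc123", sample))
```

The totals for lengths 5, 6 and 7 equal the three Progress denominators shown above (10037385216, 361345867776 and 13008451239936).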

vmware workstation 9 on Ubuntu 12.10

I tried to use Ubuntu 12.04, but it seems to have a serious (kernel) problem that freezes modern laptops such as the Dell XPS 15 series. For security-related work we need to work for a long time, from 1 day to weeks, without powering off the laptop. Anyway, to solve the problem I installed Ubuntu 12.10, which has kernel 3.5 and may have fixed the issue. I tested it and it still has not frozen, whereas Ubuntu 12.04 freezes within 24 hours. VMware Workstation does install, but there is a kernel problem when you boot and start VMware.

To solve this issue you need to patch it; the patch is found in the VMware forum.

Do the following:

1. Download:

2. Extract: tar xvf vmware9_kernel35_patch.tar.bz2

3. root@best:~/Downloads# cd vmware9_kernel3.5_patch
root@best:~/Downloads/vmware9_kernel3.5_patch# ls  vmware3.5.patch

4. nano &
rm /lib/modules/$(uname -r)/misc/vm*

5. You will see (full bash script):

#! /bin/bash
# VMWare Workstation/Player _host kernel modules_ patcher v0.6.2 by ©2010 Artem S. Tashkinov
# Updated for VMware 9 / VMplayer 5 on kernel 3.5
# Use at your own risk.

# Note: the assignments of fpatch, vmreqver, plreqver, curdir, basedir, ptoken
# and bkupdir are not shown in this listing.

# Print a message and stop the script.
error()
{
    echo "$*. Exiting"
    exit
}

# Timestamp for the backup, and the installed product name plus version.
bdate=`date "+%F-%H:%M:%S"` || error "date utility didn't quite work. Hm"
vmver=`vmware-installer -l 2>/dev/null | awk '/vmware-/{print $1substr($2,1,5)}'`

unset product
[ -z "$vmver" ] && error "VMWare is not installed (properly) on this PC"
[ "$vmver" == "workstation$vmreqver" ] && product="VMWare WorkStation"
[ "$vmver" == "player$plreqver" ] && product="VMWare Player"
[ -z "$product" ] && error "Sorry, this script is only for VMWare WorkStation $vmreqver or VMWare Player $plreqver"

# Pre-flight checks: root, not already patched, sources and patch file present.
[ "`id -u`" != "0" ] && error "You must be root to run this script"
[ -f "$ptoken" ] && error "$ptoken found. You have already patched your sources"
[ ! -d "$basedir" ] && error "Source '$basedir' directory not found, reinstall $product"
[ ! -f "$fpatch" ] && error "'$fpatch' not found. Please, copy it to the current '$curdir' directory"

# Back up the module sources, then unpack them into a temporary directory.
tmpdir=`mktemp -d` || exit 1
cp -an "$basedir" "$bkupdir" || exit 2

cd "$tmpdir" || exit 3
find "$basedir" -name "*.tar" -exec tar xf '{}' \; || exit 4

# Apply the patch and repack the patched module source.
patch -p1 < "$curdir/$fpatch" || exit 5
tar cf vmmon.tar vmmon-only || exit 6

cp -a *.tar "$basedir" || exit 20
rm -rf "$tmpdir" || exit 21
touch "$ptoken" || exit 22
cd "$curdir" || exit 23

# Rebuild and install the kernel modules from the patched sources.
vmware-modconfig --console --install-all

echo -e "\n"
echo "All done, you can now run $product."
echo "Modules sources backup can be found in the '$bkupdir' directory"

Now delete the unnecessary red-colored code and re-execute.

6. Reboot.

Now enjoy your virtualization!

Perhaps they will release another version of Workstation that supports the latest kernels (you may try).

Update: VMware 9.0.1-894247 has been released, with full support for Ubuntu 12.10.