
Cyber Security

Password Cracking Benchmarks

TL;DR

This guide shows you how to benchmark password cracking tools like Hashcat and John the Ripper to understand their performance on your hardware. We’ll cover setting up a test environment, generating sample hashes, running benchmarks, and interpreting the results.

Setting Up Your Test Environment

  1. Choose a Linux Distribution: Kali Linux is popular for cyber security tasks, but any distribution will work (Ubuntu, Debian, etc.). Ensure you have sufficient disk space; wordlists such as rockyou.txt are hundreds of megabytes.
  2. Install Cracking Tools: Install Hashcat and John the Ripper using your distribution’s package manager. You will also need pwgen to generate the test passwords below.
    sudo apt update && sudo apt install hashcat john pwgen

    Hashcat needs an OpenCL or CUDA runtime for your GPU: ‘hashcat -I’ lists the compute devices it can see, and if your GPU is missing, install the vendor driver before benchmarking. Packaged versions can lag behind the releases on hashcat.net and openwall.com, so record the version (‘hashcat --version’, ‘john --list=build-info’) alongside your results.
  3. Hardware Considerations: GPU performance is crucial for Hashcat. A fast CPU with many cores helps John the Ripper. Note your hardware specs (CPU, GPU, RAM) and driver versions, as you’ll need this information when comparing results.

Generating Sample Hashes

  1. Create Test Passwords: Generate a list of passwords to crack. Use a password generator or create your own.
    pwgen -1 8 100 > passwords.txt

    This creates 100 random passwords, each 8 characters long, one per line (‘-1’ prints one password per line).

  2. Hash the Passwords: Hash each line to produce a hash list in the format the cracking tools expect. For unsalted SHA256, hash each password with sha256sum and keep only the hex digest. Use printf rather than echo so that the trailing newline is not hashed; otherwise the hashes will never match the passwords.
    while IFS= read -r p; do printf '%s' "$p" | sha256sum | cut -d' ' -f1; done < passwords.txt > hashes.txt

    This creates raw SHA256 hashes of the passwords in passwords.txt and saves them to hashes.txt, one hash per line. Note that mkpasswd’s SHA256 method (‘sha-256’, or ‘sha256crypt’ in newer versions of the whois package) does not produce this format: it produces salted sha256crypt hashes ($5$...), which are a different and much slower hash type (Hashcat mode 7400, John format sha256crypt), and mkpasswd hashes only one password per invocation. You can use other hash types (MD5 with md5sum, bcrypt with ‘mkpasswd -m bcrypt’) as needed, but the mode you pass to the cracker must match the hash type you generated.

Benchmarking with Hashcat

  1. Built-in Benchmark: Hashcat has a benchmark mode that measures raw hash rate for a given hash type without needing a hash list. Run it first, because it gives you the theoretical ceiling for that hash type on your hardware.
    hashcat -b -m 1400

    ‘-b’ runs the benchmark and ‘-m 1400’ selects raw SHA256. Be careful with mode numbers: ‘-m 0’ is MD5, not SHA256, and ‘-m 7400’ is the salted sha256crypt format that mkpasswd produces. ‘hashcat --help’ lists every mode.

  2. Brute-Force Benchmark: Run a mask attack against your hash list to measure real throughput, including the overhead of comparing candidates against the hashes.
    hashcat -a 3 -m 1400 hashes.txt ?a?a?a?a?a?a?a?a

    ‘-a 3’ selects the mask attack. Each ‘?a’ is one position drawn from the full printable ASCII set (95 characters: ?l, ?u, ?d and ?s combined), so this mask covers every 8-character password, a keyspace of 95^8 (about 6.6 × 10^15 candidates). You will normally stop this run once the speed has stabilised rather than let it finish.

  3. Wordlist and Rule-Based Benchmark: Use a wordlist, optionally with rules, for more realistic cracking.
    hashcat -a 0 -m 1400 hashes.txt rockyou.txt
    hashcat -a 0 -m 1400 -r /usr/share/hashcat/rules/best64.rule hashes.txt rockyou.txt

    The first command tries every word in ‘rockyou.txt’ (download this separately). The second applies the best64 rule set to each word (the path shown is where the Debian and Kali packages install the rules), which multiplies the candidates and is closer to how real cracking is done. Random pwgen passwords will rarely be in a wordlist, so expect few or no cracks from these runs; they measure throughput, not wordlist quality.

  4. Monitor Performance: Hashcat displays real-time statistics such as ‘Speed.#1’ (hashes per second per device), ‘Progress’ and ‘Time.Estimated’. Press ‘s’ for a status update, or add ‘--status --status-timer 10’ to print one every 10 seconds. Hashcat records cracked hashes in its potfile and skips them on later runs, so add ‘--potfile-disable’ when repeating a benchmark, or the second run will look faster than the first. ‘hashcat -m 1400 --show hashes.txt’ lists what has been cracked.

Benchmarking with John the Ripper

  1. Built-in Benchmark: John also has a benchmark mode.
    john --test --format=raw-sha256

    This reports the raw hash rate for unsalted SHA256 (‘--test’ benchmarks the chosen format; ‘--list=formats’ shows every format your build supports).

  2. Basic Run: Run John against the hash list.
    john --format=raw-sha256 hashes.txt

    With no mode specified, John runs its default sequence: single-crack mode, then wordlist mode with its bundled wordlist and rules, then incremental (brute-force) mode. Specify ‘--format’ explicitly: a 64-hex-character hash is ambiguous (raw SHA256 and several other formats look identical), and John will otherwise guess.

  3. Specify Wordlist: Use a specific wordlist for more control.
    john --format=raw-sha256 --wordlist=rockyou.txt hashes.txt

    This uses ‘rockyou.txt’ as the wordlist.

  4. Rule-Based Attack: Apply rules to generate variations of each wordlist entry.
    john --format=raw-sha256 --wordlist=rockyou.txt --rules=best64 hashes.txt

    This applies the ‘best64’ rule section from john.conf (jumbo builds ship it; ‘--rules’ on its own uses the default rule set). Add ‘--fork=N’ to use N CPU cores; otherwise you are benchmarking a single core.

  5. Monitor Performance: Press any key (or send SIGUSR1) for a status line showing cracked passwords (g), elapsed time, and rates: g/s (successful guesses per second), p/s (candidate passwords tested per second), c/s (hash computations per second) and C/s (candidate/hash combinations per second). Like Hashcat, John stores cracked hashes in john.pot and skips them on later runs; use ‘--pot=/tmp/bench.pot’ (or delete the pot file) for repeatable measurements, and ‘john --show --format=raw-sha256 hashes.txt’ to list what was cracked.

Interpreting Results

  1. Hash Rate: Higher hash rates indicate faster cracking. Compare the two tools only on the same hash type, the same attack and the same hash list, and compare each tool’s built-in benchmark figure with the figure from a real run: the gap shows how much hash-list lookup and candidate generation cost on your setup.
  2. Cracking Time: Turn the hash rate into the time an attack would take. The keyspace of a mask is the product of the charset sizes of its positions, so ?a?a?a?a?a?a?a?a is 95^8 = 6,634,204,312,890,625 candidates; at 1 GH/s that is about 6.6 million seconds (77 days), at 10 GH/s about 7.7 days, and for a slow salted format such as sha256crypt or bcrypt, where rates are measured in kH/s, it is effectively infinite. Note the time each tool takes to crack your test set, but remember that for random passwords this measures exhaustive search, not a realistic attack.
  3. Hardware Impact: Consider how CPU and GPU usage affect performance. Hashcat benefits more from GPUs, while John the Ripper can be faster on CPUs for certain attacks and for formats that have no GPU kernel. Record driver versions and workload settings (Hashcat ‘-w 3’, John ‘--fork’) with each result.
  4. Wordlist Effectiveness: Different wordlists and rule sets will yield varying results. The number of cracked hashes measures how well the wordlist matches the target passwords, not how fast the hardware is, so test multiple wordlists and rule sets against hashes of realistic passwords, not only random pwgen output, to find the most effective combination.
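As an added example (not code from the original article): a POSIX shell script that builds the raw-SHA256 hash list from the hashing step above without the trailing-newline mistake, verifies a cracker’s hash:plain output against the known plaintexts, and computes the mask keyspace and brute-force time figures used in the interpretation step. The password list, the cracker outfile and the 1 GH/s and 10 GH/s rates are constructed for illustration; only sha256sum (or shasum) is required, not Hashcat or John.

```shell
#!/bin/sh
# Added example (not from the original article): build a raw SHA256 hash list
# the way the guide describes, verify a cracker's output against the known
# plaintexts, and turn a measured hash rate into a brute-force time estimate.
# Assumes only POSIX sh plus sha256sum (or shasum); hashcat and john are not
# required to run it.
set -eu

# Hex SHA256 of stdin. sha256sum prints "<hex>  -", so keep the first field.
sha256_hex() {
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; } | cut -d' ' -f1
}

# Hash every line of a wordlist into hashcat -m 1400 / john raw-sha256 form,
# one hex digest per line. printf '%s' avoids hashing the newline that echo
# would add, which is the usual reason a self-made hash list never cracks.
hash_wordlist() {
    while IFS= read -r pw || [ -n "$pw" ]; do
        printf '%s' "$pw" | sha256_hex
    done < "$1"
}

# Verify a cracker outfile of "hash:plain" lines (hashcat -o / john --show
# style) by recomputing each hash. Prints "<verified> <total>" and returns
# non-zero if any line does not check out.
verify_cracked() {
    ok=0; total=0
    while IFS= read -r line || [ -n "$line" ]; do
        total=$((total + 1))
        h=${line%%:*}
        plain=${line#*:}
        if [ "$(printf '%s' "$plain" | sha256_hex)" = "$h" ]; then
            ok=$((ok + 1))
        fi
    done < "$1"
    echo "$ok $total"
    [ "$ok" -eq "$total" ]
}

# Keyspace of a hashcat mask: the product of each position's charset size.
# Built-in charsets: ?l/?u 26, ?d 10, ?s 33, ?a 95 (= ?l?u?d?s), ?b 256.
mask_keyspace() {
    mask=$1; total=1
    while [ -n "$mask" ]; do
        tok=${mask%"${mask#??}"}      # first two characters, e.g. "?a"
        mask=${mask#??}
        case $tok in
            '?l'|'?u') n=26 ;;
            '?d')      n=10 ;;
            '?s')      n=33 ;;
            '?a')      n=95 ;;
            '?b')      n=256 ;;
            *) echo "unsupported mask token: $tok" >&2; return 1 ;;
        esac
        total=$((total * n))
    done
    echo "$total"
}

# Worst-case seconds to exhaust a keyspace at a given rate (hashes/second).
eta_seconds() {
    echo $(( $1 / $2 ))
}

# Demo with constructed passwords (standing in for pwgen output) in a temp dir.
work=$(mktemp -d)
printf '%s\n' 'Tr0ub4dor' 'hunter2' 'correct horse' > "$work/passwords.txt"
hash_wordlist "$work/passwords.txt" > "$work/hashes.txt"
echo "hashes for hashcat -m 1400 / john --format=raw-sha256:"
cat "$work/hashes.txt"

# Constructed outfile as hashcat -o would write it, with one bogus line added.
{
    printf '%s:%s\n' "$(printf '%s' hunter2 | sha256_hex)" hunter2
    printf '%s:%s\n' "$(printf '%s' hunter2 | sha256_hex)" hunter3
} > "$work/cracked.txt"
verify_cracked "$work/cracked.txt" || echo "some outfile lines did not verify"

ks=$(mask_keyspace '?a?a?a?a?a?a?a?a')
echo "?a x8 keyspace: $ks"
echo "at 1 GH/s:  $(eta_seconds "$ks" 1000000000) s"
echo "at 10 GH/s: $(eta_seconds "$ks" 10000000000) s"
rm -rf "$work"
```

Run the script as-is to see the hash list, the outfile check (which deliberately reports one bad line) and the keyspace figures; to use it on your own benchmark, point hash_wordlist at passwords.txt and verify_cracked at the file you pass to Hashcat’s ‘-o’.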