Full Report
When I got a new MacBook with an M1 Pro chip, I was excited to see the performance benefits. The first thing I did was to fire up hashcat, which gave an impressive benchmark speed for NT hashes (mode 1000) of around 9 GH/s, a solid doubling of the benchmark speed of my old Intel MacBook Pro. But when it came to actually cracking things, the speed dropped off considerably. Instead of figuring out why, I decided to try my hand at writing my own NT hash cracker, because I’m kind of addicted to writing single-use tooling in Rust then taking time to perf optimise it.
Analysis Summary
# Tool/Technique: ntcrack
## Overview
`ntcrack` is a simple, single-use tool written in Rust designed specifically for cracking NT (NTLM) hashes. The author developed it for personal performance optimization testing on an Apple M1 Pro chip, aiming to achieve faster cracking times for specific use cases compared to established tools like Hashcat. It operates purely on the CPU and uses multi-threading.
## Technical Details
- Type: Tool
- Platform: Primarily demonstrated on macOS/Linux environments (used on an M1 Pro MacBook). The described functionality relates to cracking Windows NT hashes.
- Capabilities: CPU-only, multi-threaded cracking of NT hashes (mode 1000). Optimized for startup speed and raw hash generation per second in specific scenarios.
- First Seen: February 2022 (Date of publication).
## MITRE ATT&CK Mapping
This tool directly relates to credential access techniques, specifically password guessing against password hashes.
- **TA0006 - Credential Access**
- **T1110 - Brute Force:** Attempting to discover a password or passphrase by systematically checking all possible combinations.
- **T1110.003 - Credential Cracking:** Exploiting offline password hashes to attempt to discover the associated passwords.
## Functionality
### Core Capabilities
- Reads a list of input NT hashes from a specified file.
- Reads the wordlist (potential passwords) from standard input (stdin).
- Executes multi-threaded cracking operations using only CPU resources.
- Achieved cracking speeds of approximately 40,207 kH/s against test sets, outperforming Hashcat in specific comparisons involving startup time optimization.
### Advanced Features
- Written in Rust, focusing heavily on performance optimization for sustained cracking rates and fast startup times.
- Designed to be lightweight (around 150 lines of code).
- Notably outperformed earlier benchmarks against older hardware/software setups for comparable workloads.
## Indicators of Compromise
*Note: As this is a custom, legitimate-use research tool, traditional malicious IOCs are not applicable unless observed in a malicious context.*
- File Hashes: Available via the provided GitHub repository (`https://github.com/sensepost/ltmod/` in the `ntcrack` directory).
- File Names: `ntcrack`
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Rapid, high utilization of CPU cores for mathematical/cryptographic operations associated with NTLM hash verification.
## Associated Threat Actors
This tool was developed by SensePost researchers for performance testing and is not explicitly associated with known malicious threat actor groups in the context provided.
## Detection Methods
*Since this is a custom tool, detection focuses on its introduction and execution pattern.*
- Signature-based detection: Signatures could be generated based on the compiled binary if deployed by an adversary, depending on how security vendors track custom Rust binaries.
- Behavioral detection: Monitoring for processes that sustain heavy CPU utilization on password cracking functions (specifically NTLM validation/hashing algorithms), and for execution of a binary that receives a wordlist on standard input (`stdin`).
- YARA rules if available: Not provided in the source material.
## Mitigation Strategies
- **Prevention measures:** Strict control over the introduction of unknown binaries onto systems.
- **Hardening recommendations:** Implementing strong, complex, and unique passwords significantly reduces the effectiveness of any password cracking tool, including specialized ones written in Rust.
## Related Tools/Techniques
- **Hashcat:** Mentioned as the primary tool for comparison, supporting a massive range of hash types, modes, and advanced rule-based brute-forcing options (e.g., using `-a6` mutations).
- **jwilkins’ tool (Historical):** Referenced for historical performance comparison on Windows NT Server.