MDXFIND / MDXSPLIT#
MDXFIND runs large numbers of unsolved hashes of any type, using many algorithms concurrently, against a large number of plaintext words and rules, very quickly. Its main use is to deal with large lists (20 to 50 million) of unsolved hashes and run them against new dictionaries as you acquire them. MDXSPLIT separates cracked hashes back into the original files they came from.
When to use#
If the operator dumps a database and the hashes will not crack with standard attacks, they may be a nested custom hashing series, for example.
$hash = sha1($password . $salt);
for ($i = 1; $i <= 65000; ++$i) {
$hash = sha1($hash . $salt);
}
If the source code is available the operator can direct MDXFIND to replicate the series. If not, the generic attack plans below are still effective.
MDXFIND#
Three command structures, stdout, stdin, file.
# 1. Reading hashes from stdout
$ cat hash.txt | mdxfind -h <regex #type> -i <#iterations> dict.txt > out.txt
# 2. Stdin from outside attack sources, with -f for hash file
$ mp64.bin ?d?d?d?d?d?d | mdxfind -h <regex #type> -i <#iterations> -f hash.txt stdin > out.txt
# 3. File specified with -f
$ mdxfind -h <regex #type> -i <#iterations> -f hash.txt dict.txt > out.txt
Options#
Flag |
Description |
|---|---|
|
Email address munging |
|
Expand each word into Unicode (best effort) |
|
Replace special chars ( |
|
De-duplicate wordlists (best done ahead of time) |
|
Extended search for truncated hashes |
|
Print source (filename) of found plaintexts |
|
Internal iteration counts for SHA1MD5x and others (set to 5
for |
|
Rotate calculated hashes to match input hash |
|
File to read salts from |
|
File to read user IDs from |
|
File to read suffixes from |
|
Digits to append ( |
|
Iteration count per hash |
|
Threads to run |
|
File to read hashes from (else stdin) |
|
Append CR / LF / CRLF and print in hex |
|
File to read rules from |
|
Do not mark salts as found |
|
Lines to skip from first wordlist |
|
Directory recursion for wordlists |
|
Debug info / hash results (output can grow large) |
|
Hash types (459 supported) |
Generic attack plans#
Skip salted / user hash types unless you know the salt has been found.
$ cat hash.txt | mdxfind -h ALL -h '!salt,!user,!md5x' -i 10 dict.txt > out.txt
The developer recommends.
$ cat hash.txt | mdxfind -h '^md5$,^sha1$,^md5md5pass$,^md5sha1$' -i 5 dict.txt > out.txt
Add a rule attack.
$ cat hash.txt | mdxfind -h '^md5$,^sha1$,^md5md5pass$,^md5sha1$' -i 5 dict.txt -r best64.rule > out.txt
Notes about MDXFIND#
Multiple hash types and files in a single run.
cat sha1/*.txt sha256/*.txt md5/*.txt salted/*.txt | mdxfind ...459 different hash types / sequences supported.
Large hashlists (100 mil) and 10 KB character passwords.
Hashcat rule files for dictionary integration.
-zoutputs all viable hashing solutions (output can grow very large).Include / exclude by regex.
Multiple iterations (up to 4 billion) tweakable per
-i.MD5x01ismd5($Pass).MD5x02ismd5(md5($pass)).MD5x03ismd5(md5(md5($pass))).MD5x10is ten nestedmd5calls.
Separate
-usernames,-email,-ids,-saltsfor custom attacks.For pure brute force, prefer Hashcat.
Output format, kind of solution, hash, then salt and / or password.
MD5x01 000012273bc5cab48bf3852658b259ef:1EbOTBK3 MD5x05 033b111073e5f64ee59f0be9d6b8a561:08061999 MD5x09 aadb9d1b23729a3e403d7fc62d507df7:1140 MD5x09 326d921d591162eed302ee25a09450ca:1761974
MDSPLIT#
When cracking large lists of hashes from multiple file locations, MDSPLIT matches the cracked hashes to their originals, outputs them into separate files based on hash type, and removes them from the original hash file.
Three command structures, stdout, stdin, file.
# 1. Match MDXFIND results with the original hash files
$ cat hashes_out/out_results.txt | mdsplit hashes_orig/hash_orig.txt
# or match against a directory of originals
$ cat hashes_out/* | mdsplit hashes_orig/*
# 2. Pipe MDXFIND into MDSPLIT to sort in real time
$ cat *.txt | mdxfind -h ALL -h '!salt,!user,!md5x' -i 10 dict.txt | mdsplit *.txt
# 3. Specify a file location to match in real time
$ mdxfind -h ALL -f hashes.txt -i 10 dict.txt | mdsplit hashes.txt
MDSPLIT appends the final hash solution to the end of the filename.
Submitting hashes.txt with solutions MD5x01 yields
hashes.MD5x01. Solutions are removed from source files and
tabulated into the correct solved files.
$ cat dir1/*.txt dir2/*.txt dir3/*.txt | \
mdxfind -h '^md5$,^sha1$,^sha256$' -i 10 dict.txt | \
mdsplit dir1/*.txt dir2/*.txt dir3/*.txt