Bug#856932: hashcat dependency problem

Philipp philsmd at hashcat.net
Mon Mar 6 12:19:31 UTC 2017 

Package: hashcat
Version: 3.30-1
Severity: normal

Dear Maintainer,

Firstly, I just want to let you know that I already tried to contact some
Kali/Debian developers privately (via mail, for instance the dev rhertzog
which seems to be active and somehow related to this package) about this
"problem", but for some reason I didn't get a single reply. Maybe it is not
the correct way to contact somebody via mail about some package issues and
therefore I was just ignored or (also possible) all of the @hashcat.net mails
were blocked/flagged for some unknown reasons.

I hope this official bug report will reach someone and get more replies than I
got with my previous attempts.

Secondly, I really appreciate the work of the maintainers and that there is now
a "hashcat" package such that the user can install hashcat as simple as
"apt-get install hashcat".

I recently tried to use the hashcat package together with Debian (and Kali) and
I want to give you a little feedback and my experience with getting the
"hashcat" package to run properly.

This is why I first tried to communicate with some maintainers privately
because it first seemed that we should discuss this a little bit and we can't
really call this a bug/issue yet ... therefore I first just wanted to know what
you thought about my experience. Currently I think it is worth a bug report
since we get several problem reports regarding this exact problem.

The main reason why I, a hashcat contributor/project member, tried hashcat on
Kali is that we get a lot of user reports on forum/irc/github saying "hashcat
doesn't work on Kali" or something like this.

The users most of the time get one of these error messages:
"clGetDeviceIDs(): CL_DEVICE_NOT_FOUND",
"clBuildProgram(): CL_BUILD_PROGRAM_FAILURE" etc
... even though the hardware is perfectly supported by both hashcat and the
vendor's driver.

This is, for what I've seen until now, also the main cause of most of the
problems which the users experience, i.e. that the dependency list of the
"hashcat" package incorrectly marks the Mesa driver as a dependency for hashcat.

In our experience, Mesa might work as a general driver replacement for the
proprietary drivers in case the user just uses his "desktop" normally, but not
if it comes to running highly-optimized OpenCL code. Mesa even fails to compile
the smallest/easiest GPU kernels, let alone the performance drop if it manages
to compile a standard OpenCL kernel (and the false negatives/bugs). It comes
with a huge speed drop and the user might get a completely wrong picture about
the speeds in regards to hash cracking with hashcat.


In fact, when you start hashcat 3.40 (which was recently released, you might
consider updating the "hashcat" package to 3.40!?) it will display an unmissable
red warning when Mesa is installed
https://github.com/hashcat/hashcat/commit/aa5ed1ca89b0599cfa4a1cfa3539d56dfeeba79a
For good reasons.


My steps:

I decided to download the current stable ISO of Kali from
https://www.kali.org/downloads/
and started a completely fresh install (on physical disk, not virtual machine,
just to be sure). My setup for this test is 1 x NVidia GTX 980ti.

The good thing is that hashcat is pre-installed on Kali Linux, the bad thing is
that (I would say) it currently doesn't work at all!

Furthermore, it is very tedious to get it running properly, at the end it would
be easier to just download the nvidia driver from nvidia.com and hashcat from
hashcat.net. But... that doesn't help much... for the nvidia driver we also need
the Linux headers corresponding to the currently used kernel. It seems Kali
Linux just doesn't provide Linux kernel headers... expect for one single kernel
version and this kernel version is neither the default one, nor is it guaranteed
that it will be correctly updated/loaded with Grub etc. It's a mess, you see.

At the end of the day, a normal Kali user will (and they do, we know that for a
fact!) just give up and say:
"hashcat doesn't work at all. hashcat please fix this!!!" (and yeah, hashcat
isn't really responsible for this, it's the wrong dependencies all over the
place, starting with the hashcat package, but also the nvidia-driver package -
the incorrect dependency on the (virtual) kernel header version etc).

This is how I finally got hashcat to run properly - with a list of as little
steps as possible (it just shows the main problem, not really what a user will
try to mess around) - (the howto guide):

# sha1sum kali-linux-2016.2-amd64.iso
25cc6d53a8bd8886fcb468eb4fbb4cdfac895c65  kali-linux-2016.2-amd64.iso
# # start the "Graphical installation" with CD, after that:
# hashcat -b
# # got the "clBuildProgram(): CL_BUILD_PROGRAM_FAILURE" error, only Mesa seems
# # to be loaded
# apt-get update
# apt-get dist-upgrade
# apt-get autoremove
# reboot

# hashcat -b
# # still not working (this is the time when most of the unexperienced users
# # just blame hashcat and give up!)

# # make sure that kernel 4.9.0-kali2-amd64 is loaded because we need the kernel
# # headers!
# # (4.6.0-kali1-amd64 (default) is not working)
# # make sure kernel 4.9.0-kali2-amd64 is installed
# # update-grub and make sure that the "correct" kernel is selected with grub!
# # (this is not guaranteed unfortunately)
# reboot

# # after several tries finally the "correct"??? kernel was loaded
# # (uname -r saying "4.9.0-kali2-amd64")

# apt-get install nvidia-driver     # this seems to correctly/automatically
# # install the kernel headers, but it only compiles the modules if the
# # "correct kernel" is running
# apt-get install nvidia-opencl-icd # an additional dependency that should be
# # listed by default for the "hashcat" package (besides the corresponding AMD,
# # Intel alternatives)
# reboot # such that the nvidia modules loads correctly

# # after reboot, I saw hashcat working for the first time! Hurray!
# # (but this was very tedious and time consuming)
# hashcat -b

As you can see, the main problem here was that the pre-installed "hashcat"
package (it's actually very nice that it is pre-installed, don't get me wrong
here) didn't work at all without messing around with kernel versions, kernel
headers, finding the missing packages, nvidia driver installation, ICD
installation and a lot of tries-and-errors (before I came up with this guide).

Another question that came up is why do the Kali repositories do not have all
the kernel header packages for all (older and current) kernel versions?
If I run kernel 4.6 I should be able to install the kernel headers for kernel
4.6, if I have the image 4.9.0-kali1-amd64 I should be able to install the
headers for 4.9.0-kali1-amd64.
It seems that the only kernel headers that are currently present are the ones
shipped by 4.9.0-kali2-amd64 and you first have to switch kernel versions and
make sure to load the correct kernel etc. I don't understand why!? It's a mess
and we can't say to the users "hashcat doesn't work because you use the wrong
kernel" (that sounds so wrong, hashcat nor nvidia/AMD drivers have any
limitation like this, as far as I can tell).
If it is the case that you can't ship more kernel headers than the one for
4.9.0-kali2-amd64, than you need to fix all the dependencies to point to kernel
image 4.9.0-kali2-amd64, otherwise installation of the nvidia-driver silently
fails etc etc etc.

We also see many users struggling with this problem a lot. Some end up with
systems that are unbootable, black screens, others struggle with uninstalling
Mesa completely (which I didn't even attempted above, since that would probably
mean that hashcat would be uninstalled because of wrong dependencies), etc etc

I also tested a newer version of Kali (weekly build #8 of 2017) and experienced
almost exactly the same problems (I just wanted to make sure that it's not
related to some "old versions").

This is the guide I came up with:

# sha1sum kali-linux-2017-W08-amd64.iso
1416e96300c719b03b064aff252f5b2e23c5905f  kali-linux-2017-W08-amd64.iso
# apt-get update
# apt-get dist-upgrade
# apt-get autoremove
# reboot

# make sure that kernel 4.9.0-kali2-amd64 is loaded !
# # (4.9.0-kali1-amd64 (default) is not working)
# reboot

# apt-get install nvidia-driver
# apt-get install nvidia-opencl-icd
# reboot # such that the nvidia modules loads correctly

The same might be true for AMD GPUs (with firmware-amd-graphics?).

I did not yet test how easy/difficult it is to get Kali to run hashcat with AMD
GPUs (proprietary driver) since I first wanted to know how much Kali/Debian is
interested to coordinate and find a good solution for the NVidia problem (first).

Additionally, since both NVidia hardware and drivers currently are the better
choice if it comes to hash cracking with hashcat (whenever we compare NVidia to
AMD), the focus of hashcat (currently) is on NVidia graphic cards. This is also
why most of the hashcat's users have new NVidia cards (gtx 980, gtx 980ti, gtx
1080, gtx 1080 ti soon ;) ) and it would be great if hashcat just works
out-of-the-box (or at least with very little need for the user to mess around
the whole system to get it running).

What do you think can be done to resolve these difficulties a Debian/Kali Linux
user faces when he tries to "just run hashcat"? Can we somehow improve the
dependencies and overall reach an user-friendlier install process? It's good
that hashcat is pre-installed, but it is currently not working at all
by-default, because of this incorrect Mesa-dependencies etc.

I am sure there might be some very clever/intuitive solutions to this problem.
Maybe with a wrapper, first-run script or something similar, such that hashcat
can still be pre-installed. I'm not sure what the best option is because I'm not
totally familiar how something like this is normally handled (but I guess there
might exist a lot of projects/packages out there that depend on alternative
packages and a package selection mechanism that depends heavily on the hardware
of the user).

Hashcat developers, including but not limited to atom (the main author), epixoip
(a very active member/contributor/moderator which seems to grasp packages/debs
dependencies and how one should create packages much better than me. Yeah, he
even builds/maintains his own repositories/packages) an myself (philsmd), are
happy to discuss a possible solution for this issue (preferably on #hashcat IRC
- freenode - given that emails seem to not always reach the target or do not get
answered).

Thank you very much
Philipp

-- System Information:
Distributor ID:	Kali
Description:	Kali GNU/Linux Rolling
Release:	kali-rolling
Codename:	kali-rolling
Architecture: x86_64

Kernel: Linux 4.9.0-kali2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages hashcat depends on:
ii  hashcat-data                    3.30-1
ii  libc6                           2.24-9
ii  mesa-opencl-icd [opencl-icd]    13.0.5-1
ii  nvidia-opencl-icd [opencl-icd]  375.39-1

hashcat recommends no packages.

hashcat suggests no packages.

-- no debconf information

More information about the Pkg-security-team mailing list