Parti(e)
Tag: john
Look Back on 2012′s Famous Password Hash Leaks – Wordlist, Analysis and New Cracking Techniques
by Collaborative_Work on Jan.01, 2013, under Crack1ng, Hack1ng. 21,916 views
This article is a collaborative work between 3 authors. This is our look back on 2012′s most famous public password leaks.
Authors: m3g9tr0n, Thireus, CrackTheHash | Copy Editor: Thireus.
Nowadays, different hacking communities around the World publish their leaks on various online paste Web Services like Pastebin, Paste2.org, and others. The most usual target’s vulnerability is SQL Injection. These leaks contain elements like usernames, passwords, addresses, zip codes, telephone numbers and even paypal accounts or credit card nubers. In a small amount of them, passwords are in plain text which makes hackers’ job very easy.
In this article, we gathered a big amount of public published leaks with main purpose to check the strength of users’ passwords and password policy which is applied for each service. Some well known leaks, included in our article, are LinkedIN, Stratfor, Gamigo, NVidia, Adobe and eHarmony. We are going to present our cracking techniques and tools which we used to crack passwords from these leaks. And as a gift gave to our readers, you will find attached to the end of this article a wordlist containing all cracked passwords from these leaks. 
CRACKING METHODOLOGIES AND TOOLS… (m3g9tr0n)
The tools we used to accomplish our cracking process are John the Ripper and Hashcat-suite. In other words, we took advantage of both CPU and GPU.
When dealing with password cracking the most important thing is to know as many elements as possible about your target. For the case of Stratfor we had all the appropriate elements needed for effective password cracking. These are usernames, first name, last name and e-mails. Many users use their e-mail or username (or part of) as password or keyword. Knowing these information really speeds the cracking process as it is more effective to create a wordlist based on these information for our first cracking step. On the other side, LinkedIN and other well known leaks contained only hashes… that makes the cracking process more difficult and time consuming. But, with good rules and techniques some interesting results can be achieved. For better documentation, we are going to analyze each case separately by showing the techniques and custom rules.
Stratfor Case
Regarding Stratfor, we had all the appropriate elements needed for effective password cracking. The first action was to separate names, usernames, e-mails and encrypted passwords to different files. In a first attempt we used John the Ripper’s –single attack which is a cracking attack purely based on usernames associated to hashes (Hashcat-suite does not provide such an attack). The hashfile must have this kind of format for the attack to be effective:
John@yahoo.com:90560000032a57c389f686bd4eeccd4a Kate@hotmail.com:d4c202003a0a66496df5c043ec1eaaac
- John the Ripper command for –single attack against MD5:
m3g9tr0n@linux:~/JohnTheRipper-OMP/run/$ ./john --format=raw-md5 --single --pot=stratfor.pot Stratfor-hashes.txt
This kind of attack was able to crack many passwords. When I (m3g9tr0n) am trying to crack passwords, my first reaction is to apply effective rules against effective wordlists. As far as John the Ripper is concerned, I always try Single, Extra, Jumbo and rules presented in my first article plus some rules generated by Bartavelle. Regarding Hashcat-suite our favourite rules are best64.rule, best80.rule, passwordpro.rule, T0XlC.rule and d3ad0ne.rule.
- A typical example of a wordlist attack with John the Ripper is:
m3g9tr0n@linux:~/JohnTheRipper-OMP/run/$ ./john --format=raw-md5 --wordlist=list.txt --pot=stratfor.pot --rules:Single Stratfor-hashes.txt
- A typical example of a wordlist attack with oclHashcat-plus (GPU based) is:
m3g9tr0n@linux:~/oclHashcat-plus0.09/$ ./oclHashcat-plus64.bin -m 0 hashfile.txt list.txt -r rules/best80.rule -o hashfile-crack.txt --remove
During our cracking processes against Stratfor, we observed that many passwords contained the word “stratfor”. Based on this observation, we considered to generate our own rule that appends or prepends this keyword at the begining and at the end of each word of a given wordlist. The following code is an example of rule created for John the Ripper in the john.conf file.
[List.Rules:stratfor] A0"[Ss][tT+][rR][aA@][tT+][fF][oO0][rR]" Az"[Ss][tT+][rR][aA@][tT+][fF][oO0][rR]"
After cracking a big amount of passwords, we generated a custom charset with John the Ripper.
- A typical example to generate your own charset file with John the Ripper:
m3g9tr0n@linux:~/JohnTheRipper-OMP/run/$ ./john --make-charset=stratfor.chr --pot=stratfor.pot
- And the associated incremental rule in john.conf file:
[Incremental:stratfor] File = $JOHN/stratfor.chr MinLen = 10 MaxLen = 31 CharCount = 95
The charset file can be used to conduct Brute Force attack with John the Ripper based on Markov model.
- A typical example of Brute Force attack with Markov model in John the Ripper is:
m3g9tr0n@linux:~/JohnTheRipper-OMP/run/$ ./john --format=raw-md5 --incremental=stratfor --pot=stratfor.pot hashfile.txt
We left John the Ripper to run for a large amount of time. Many passwords were cracked, but the most important was that a large amount of these recovered passwords using this method were 8 characters mixed upper, lower and numbers. Thus, we understood that Stratfor had a policy of generating either default or recovered passwords with this policy for their users. Our first thought was to use pwgen utility in order to produce random passwords based on this policy.
- A typical example of pwgen to generate 8 characters mixed upper, lower and numbers:
m3g9tr0n@linux:~/JohnTheRipper-OMP/run/$ pwgen -c -n -s -1 8 5 Ch1NiIzz YrN5SSXL 8CdcCJGG 5YBIxBTt rmIW8ipN
Of course in our case we should generate more passwords and pipe pwgen’s output to John the Ripper or Hashcat-Suite. But this kind of attack is too slow. For that reason we should take advantage of GPU. We applied Brute Force attack via oclHashcat-plus.
- A typical example of Brute Force attack with oclHashcat-plus:
m3g9tr0n@linux:~/oclHashcat-plus0.09/$ ./oclHashcat-plus64.bin -a 3 -1 ?l?d?u hashfile.txt ?1?1?1?1?1?1?1?1 -o hashfile-crack.txt --remove
This kind of attack took 2 days and 17 hours to complete with an ATI 5770 but it was only able to crack 48% of passwords.
- Some examples of cracked passwords generated from Stratfor’s policy are:
dd39ebf25b0892803c0edfdedfcf137a:4QnvJQKQ 0adff76e3b3c2130fcb8d9cf476f947a:4Kjduu8J 61b4f425867841330cec762d96df157b:4sFqqEnY ffee030ed8d97ad550e50b011d95b47b:2xdjVx7G 728d78a787d7279cb0a007f5f68d817c:2DJsL9jE 00ca874d657b3fcdddbb96121667ca7c:33g3UWcA 73b87959e3d1ba6c97037f6ddb5be87c:3TSfVw9M 9a4f0f28125c03323951283409c8187d:37nfZS6p 01dfda585ff13b24ab1d276bfd58227d:2K2HHfKC 7a4f94112cd50422740035dd80f52a7d:2s6KkegZ 99ee4023fc71693006af30dbb25f477d:4f9ySQxR e46c4ccb9323566dbeb1a33967c94a7d:2SfXBWb7 99aba8d7e69649332ac64e813a664b7d:4pZ7ZmjJ e5f706829a937c3fa5e430c81e926f7d:3YnxoEfy ffff9c930660fae4c9e9ace85a96a27d:2JTSA88Y 0d7103e46a1c0f44df5c096b6e2ae17d:2ATb8ApH
eHarmony Case
Regarding eHarmony it seems that the website had a policy to covert all users’ passwords to UpperCase. For example, if you had inserted, as a registered user, the password “p@$$w0rd”, eHarmony’s system would have converted it to “P@$$W0RD”.
The first thought that came up to my mind was to write a simple rule for John the Ripper to convert all my wordlists to uppercase characters:
[List.Rules:eharmony] u
Then, I applied this Rule to John the Ripper and a large amount of passwords were cracked very fast:
m3g9tr0n@linux:~/JohnTheRipper-OMP/run/$ cat ../Wordlists/* | ./john --format=raw-md5 --pipe --pot=eharmony.pot --rules:eharmony hashfile.txt
Due to the fact that my wordlists do not contain only uppercase letters, numbers and symbols it was a waste of time to apply other rules against eHarmony hashes. So I decided to convert the most effective wordlists to uppercase characters, using the above mentioned rule, and apply some specific rules:
- Convert a wordlist to uppercase with John the Ripper:
m3g9tr0n@linux:~/JohnTheRipper-OMP/run/$ cat ../Wordlists/* | ./john --pipe --rules:eharmony --stdout > ../Wordlists/UpperList.txt
Then, I used the –wordlist attack with John the Ripper using the following rules (it is a sample you can add more):
$[1]$[2]$[3] ^[S] $[T]$[E]$[R] ^[P] $[M]$[A]$[N] ^[M] ^[B] ^[C] ^[A] ^[A]^[P] ^[T] $[I]$[N]$[G] ^[A]^[M] ^[S]^[A]^[P] $[P]$[B]$[B] $[R]$[T]$[Y] ^[D] $[E]$[R]$[S] ^[H] $[P]$[E]$[R] ^[F] $[G]$[E]$[R] ^[G] $[K]$[E]$[R] ^[K] $[S]$[O]$[N] ^[R] ^[L] $[I]$[N]$[E] ^[P]^[H]^[P] $[I]$[O]$[N] ^[J] $[V]$[E]$[R] ^[W] $[E]$[S]$[T] ^[H]^[P] $[D]$[E]$[R] ^[N] $[K]$[E]$[Y] ^[H]^[C] $[O]$[N]$[E] ^[E] $[A]$[S]$[S] ^[E]^[W]^[Q] ^[A]^[S] $[T]$[O]$[N] ^[E]^[D] $[D]$[O]$[G] ^[W]^[Q]
Of course, you can always generate your own rules or modify existing custom rules contained in the john.conf file. In addition to this, Hashcat’s Suite rules can be used. One simple rule is to use the keyword “EHARMONY” at the beggining or at the end of each word:
[List.Rules:eharmony] A0"[E][H][A][R][M][O][N][Y]" Az"[E][H][A][R][M][O][N][Y]"
For people who do not own strong hardware and adequate disk space, Hashcat-suite contains a powerfull parameter which has to do with combination. In other words, you can combine each word of your first wordlist with the other.
- Thus, I generated some wordlists via crunch, such as the following one of 4 ualpha-numeric characters:
m3g9tr0n@linux:~/crunch3.1/$ ./crunch 4 4 -f charset.lst ualpha-numeric -o 4-list.txt
- And used combination attacks with oclHashcat-plus:
m3g9tr0n@linux:~/oclHashcat-plus0.09/$ ./oclHashcat-plus64.bin -a 1 hashlist.txt ../crunch3.1/4-list.txt ../crunch3.1/4-list.txt -o hashfile-crack.txt --remove
Methodology for Other Leaks
Regarding other leaks such as Nvidia, Gamigo, Adobe, Project Whitefox, LinkedIN and various unknown leaks collected from Pastebin, the tools and methodoly are the same. The only difference is that in each situation we have to create custom rules that refer to the name of the platform/website or by guessing some keywords.
- John the Ripper Rules for Nvidia:
[List.Rules:nvidia] A0"[Nn][Vv][iI1][Dd][iI1][aA@]" Az"[Nn][Vv][iI1][Dd][iI1][aA@]"
- John the Ripper Rules for Adobe:
[List.Rules:adobe] A0"[Aa@][Dd][oO0][bB][eE]" Az"[Aa@][Dd][oO0][bB][eE]"
You can also create similar rules for Hashact-Suite.
Another effective technique is fingerprint attack. This is attack is focused on using cracked passwords against remaining hashes.
- To isolate cracked passwords from .pot files (John the Ripper or Hashcat-suite) use:
cut -d: -f2- john.pot | sort | uniq > list.txt
- In Hashcat-suite to isolate MD5 cracked passwords (from output with the -o option), use:
cut -b34- crack-file.txt | sort | uniq > list.txt
Then you can try all the rules mentioned above. From my own experience this technique has always great results.
ADVANCED PASSWORD CRACKING FOR HUNGRY PASSWORD CRACKERS… (Thireus)
During your cracking sessions you may certainly have noticed that most of the passwords used by users are always made of “keywords”. This can easily be noticed when dealing with big leaks such as LinkedIn, Gamigo or Stratfor. These keywords are interesting for us, as they are used by users consciously or unconsciously in their passwords. Fortunately for us, lot of users use the same keywords and if you want to go further in your cracking process the main idea will be to use these keywords as roots for generating new passwords. In this article section I (Thireus) will introduce you a new cracking technique based on this idea. But first of all let me explain what those keywords are exactly and why they can be so useful…
About “Keywords”…
Basically keywords can be described as passwords or part of passwords that appear as intelligible or used by multiple users. Let’s focus on the following example:
Il0v3soph il0v3sam k4r3nl0v3sk4t3 l0v3s3at l0v3s3x Myl0v3s
These passwords have the keyword “l0v3s” in common, which can be found at the begining, at the end or in the middle of the password. A common mistake would be to think that re-using these passwords with various rules will make more “l0v3s” based passwords appear, which is false because most of the rules you use will never extract the “l0v3s” pattern only, but combine or tranform each of these passwords… And yet, you keep thinking that there should be more words containing this keyword… and you are right! 
As explained in this section’s introduction, keywords are not just words, they are part of passwords that are intelligible or repeated among multiple users’ passwords. Here are some example of keywords:
inked _123 assword !)!
Keywords can be anything intelligible or not. The most important think about keywords is that they are not random, ideally generated by humans AND have a high probability to appear in other passwords. And of course keywords can be part of other keywords, for example:
inked –> Linked, linked, winked, inkedIN, etc.
Another nice property of keywords is that they are independant of the password size. And a weak password (understand easily crackable with BruteForce/Rules/Wordlists) can contain a specific keyword, that you can use to crack other strong passwords. Let’s see for example how the following passwords have been cracked:
a6fee417cdc11a71ac5da0ebb9cd20acb93d2959:M00linkedin13 ebf1570c045011b27706a28eb4c857a5b994cf47:0linkedin1-us2
M00linkedin13 –> Was cracked because it contains the keyword “linkedin13” which is part of more than 40 other linkedin passwords and is also a weak linkedin password. M00linkedin13 = 3chars + keyword
0linkedin1-us2 –> Was cracked because it contains the keyword “0linkedin1” which is part of “M00linkedin13” and 1 other linkedin password. 0linkedin1-us2 = keyword + 4chars
The padding technique – CTH_WordExtractor
So the main idea that can cross your mind would be to manually analyse your cracked passwords and look for good keywords, to finally write rules based on those few keywords… But what if there are so many keywords that you can’t even complete all this work manually? The answer is to have a keyword extractor based on your results, and CTH_WordExtractor.sh (from my “Crack That Hash” project) is the script I have created for this purpose! 
You can get the script here: CTH_WordExtractor.sh
This script helps you to extract all potential keywords directly from your current pot file. Basically what this script does is:
- Read all passwords and use a padded window which padding and size vary from X to Y as defined by the user.
- Sort extracted words by size and for each word count its redundancy in all passwords.
- Ask the user to select a range of redundancy to select only good words. In other words to select real “keywords”.
- Generate keyword wordlists from X chars to Y chars to be used by the user.
In the case of LinkedIN passwords, a 4-6chars keyword wordlist would contain the following keywords (this is just a little sample):
inke inked link Link linke Linke linked Linked
This wordlist will be used to append and prepend characters using BruteForce and Mask attack (which is the most effective). As you can see, most of these keywords are part of other keywords… and you can think this is actually very bad in term of performances… but it is not … let’s see why.
Let’s take the example of the “inke” keyword…
BruteForce + Mask attack with ?l will generate 26 possibilities per keyword:
inke –> ?l + inke = 26 possibilities
But ONLY 1 will cause a repeated password which is “linke“.
The next step of the process will be to use BruteForce + Mask attack with ?l?l which will generate 26^2=676 possibilities per keyword:
inke –> ?l?l + inke = 676 possibilities
But ONLY 26 will cause repeated passwords which are those that have been generated by ?l + “linke“.
etc.
And for sure, we have been able to recover all passwords containing the keyword inke, including unexpected passwords such as:
$dynamic_26$00000cd9fb6fe9d200144077861d4dc70c7d4798:reinke $dynamic_26$00000efc970e5f2edc1bf34fea284e930b677c19:twinke etc.
The Proper Way to Use Generated Keyword Wordlists
First of all, this technique becomes more effective and useful when you reach your limits with other classic cracking techniques. Meaning that if you want to have a very good keyword wordlist you need a very big pot file.
Then, this technique must be used with GPU BruteForcing + Mask attack or using combination attacks. Applying classic John the Ripper or Hashcat rules on the keyword wordlist will not be effective at all and will be very slow. In this article I will only take as example the GPU BruteForcing + Mask attack.
- First of all, we need to generate our keyword wordlists from 4 to 14 chars. Let’s do this for the john.pot of our LinkedIN cracked passords:
$ ./CTH_WordExtractor.sh 4 14
Other settings can be found in the CTH_WordExtractor.sh script such as padding limits.
- This is the list of wordlists generated:
$ ls CTH/ CTH_WORDLIST_FINAL_10-10.dic CTH_WORDLIST_FINAL_4-6.dic CTH_WORDLIST_FINAL_6-9.dic CTH_WORDLIST_FINAL_10-11.dic CTH_WORDLIST_FINAL_4-7.dic CTH_WORDLIST_FINAL_7-10.dic CTH_WORDLIST_FINAL_10-12.dic CTH_WORDLIST_FINAL_4-8.dic CTH_WORDLIST_FINAL_7-11.dic CTH_WORDLIST_FINAL_10-13.dic CTH_WORDLIST_FINAL_4-9.dic CTH_WORDLIST_FINAL_7-12.dic CTH_WORDLIST_FINAL_10-14.dic CTH_WORDLIST_FINAL_5-10.dic CTH_WORDLIST_FINAL_7-13.dic CTH_WORDLIST_FINAL_11-11.dic CTH_WORDLIST_FINAL_5-11.dic CTH_WORDLIST_FINAL_7-14.dic CTH_WORDLIST_FINAL_11-12.dic CTH_WORDLIST_FINAL_5-12.dic CTH_WORDLIST_FINAL_7-7.dic CTH_WORDLIST_FINAL_11-13.dic CTH_WORDLIST_FINAL_5-13.dic CTH_WORDLIST_FINAL_7-8.dic CTH_WORDLIST_FINAL_11-14.dic CTH_WORDLIST_FINAL_5-14.dic CTH_WORDLIST_FINAL_7-9.dic CTH_WORDLIST_FINAL_12-12.dic CTH_WORDLIST_FINAL_5-5.dic CTH_WORDLIST_FINAL_8-10.dic CTH_WORDLIST_FINAL_12-13.dic CTH_WORDLIST_FINAL_5-6.dic CTH_WORDLIST_FINAL_8-11.dic CTH_WORDLIST_FINAL_12-14.dic CTH_WORDLIST_FINAL_5-7.dic CTH_WORDLIST_FINAL_8-12.dic CTH_WORDLIST_FINAL_13-13.dic CTH_WORDLIST_FINAL_5-8.dic CTH_WORDLIST_FINAL_8-13.dic CTH_WORDLIST_FINAL_13-14.dic CTH_WORDLIST_FINAL_5-9.dic CTH_WORDLIST_FINAL_8-14.dic CTH_WORDLIST_FINAL_14-14.dic CTH_WORDLIST_FINAL_6-10.dic CTH_WORDLIST_FINAL_8-8.dic CTH_WORDLIST_FINAL_4-10.dic CTH_WORDLIST_FINAL_6-11.dic CTH_WORDLIST_FINAL_8-9.dic CTH_WORDLIST_FINAL_4-11.dic CTH_WORDLIST_FINAL_6-12.dic CTH_WORDLIST_FINAL_9-10.dic CTH_WORDLIST_FINAL_4-12.dic CTH_WORDLIST_FINAL_6-13.dic CTH_WORDLIST_FINAL_9-11.dic CTH_WORDLIST_FINAL_4-13.dic CTH_WORDLIST_FINAL_6-14.dic CTH_WORDLIST_FINAL_9-12.dic CTH_WORDLIST_FINAL_4-14.dic CTH_WORDLIST_FINAL_6-6.dic CTH_WORDLIST_FINAL_9-13.dic CTH_WORDLIST_FINAL_4-4.dic CTH_WORDLIST_FINAL_6-7.dic CTH_WORDLIST_FINAL_9-14.dic CTH_WORDLIST_FINAL_4-5.dic CTH_WORDLIST_FINAL_6-8.dic CTH_WORDLIST_FINAL_9-9.dic
CTH_WORDLIST_FINAL_4-14.dic for example means WORDLIST from 4 to 14 chars.
- Then we can select a specific wordlist to be used by cudaHashcat-plus or oclHashcat-plus:
$ ./cudaHashcat-plus64.bin -m 100 -a 6 -1 ?a ../LEFT_LINKEDIN_CLEANED.txt ../CTH/CTH_WORDLIST_FINAL_4-11.dic ?1?1?1?1 --remove --gpu-temp-abort=110
In this example, CTH_WORDLIST_FINAL_4-11.dic has been choosen because oclHashcat-plus/cudaHashcat-plus has a limit of 15 chars for hash computation. Which means you will never be able to crack passwords that are more than 15 chars long… And that’s why if you use a mask attack of 4 chars to be bruteforced you must use a wordlist containing words limited to a size of 11 chars.
- This is an output sample:
499896a0a104c0be6d7e578f9257e56e2dd97b31:rottweiler3:!^ 556cdfaabedd4a90c23627782ab7eb7a4d709565:LinkedInMakes$ e5386e1f0de44840a987c4d0840accbe2573511f:NetworkingLuv! 08e7c2d275a68e1519c8b0842c68601b7ba6274a:19linkedin_68! 359e2430b1e4352f1577575b7ca1ae6866131820:linkedinmym99! 8e6139a4503dd34297e32df7ea4cedc4275d3a85:linkedin15c00! df0fdf12590705e9c3ef6edb6f59323e3de6a70b:linkedinl1ng0! 79984358590405280bca6e43d331465bdb586746:linkedin81*&1$ 49cd314ab02e393171bcf1bf13099f55495b2c2e:Linkedin12kay# 7813dc98e26938e83f4475c32bbd07a3fb81b473:linkedin69TJK] cc307a7d9e40b00c0100bc049c397b817aa0a274:linkedin12914?? 33f13bb3b861c0e5fc82b10fba7857107e079884:steelwindows@77 3dd28c9d9cc4f646c254d6b4570e8bc6268b020b:artdirector@nsa 44bdcefe2a698925c57d80712763245d07326704:yaslinkedin@yas 8aa482c9989df0def8756e545457ebf206da9895:Linkedin151$cdu 56267a448f53e5d6095844152310d12e52b710aa:thundercats@83a a5949feca9f34d7042aaffe537db0e2d298c572f:linkedin13713@@ fab9ae4accf0b5766489c7760f4ee52582940d3c:missinglink=wwd 1d92639e0279840b8d00a2d7793c291838664c6c:my-linkedin-pwd a1bac77b4fe610ec13300d246ad882a68f0fedda:Interactive@ln1 90ba89bfa42002d8e6fb4fe3728bcbcd6605b49c:Inspiration.SSN [s]tatus [p]ause [r]esume [b]ypass [q]uit => s Status.......: Running Input.Base...: File (../CTH/CTH_WORDLIST_FINAL_4-11.dic) Input.Mod....: Mask (?1?1?1?1) Hash.Target..: File (../LEFT_LINKEDIN_CLEANED.txt) Hash.Type....: SHA1 Time.Running.: 1 day, 7 hours Time.Left....: 3 hours, 59 mins Time.Util....: 112529717.4ms/0.0ms Real/CPU, 0.0% idle Speed........: 35724.6k c/s Real, 36175.5k c/s GPU Recovered....: 292/1086109 Digests, 0/1 Salts Progress.....: 4020080601574/4533053083750 (88.68%) Rejected.....: 0/4020080601574 (0.00%) HWMon.GPU.#1.: -1% Util, 82c Temp, -1% Fan
And as we can see some interesting keywords have been selected, such as “rottweiler“, “Networking“, “Interactive“, “artdirector“, “Inspiration“, and of course keywords containing the word “linkedin“.
You can also notice that I’m not using a very powerful GPU , but a laptop with a “NVIDIA NVS 3100m” chip. So you can imagine how powerful this method can be with a better GPU!
To conclude on my new technique, I would say that it was very successful. I’ve been able to recover more than 1 million passwords after having exhausted all the classic techniques I usually use, and that in just 13 days with a NVidia GTX 480 and an AMD HD6870. This 1 million result was mainly against Gamigo, eHarmony and Stratfor and after an initial achievment of about 80% recovered passwords. And one thing to consider is that to go further in the cracking process and have an optimized cracking methodology, I prefered merging multiple MD5 leaks into one big MD5 leak and use this technique against the merged pot file to generate my keywords. As explained before, you will find this technique more useful in the case of very big leaks and very big pot files.
Please consider my CTH_WordExtractor.sh script as a Xmas gift. I would love to receive feedbacks about your results with it. Of course, if you have ideas to ameliorate this script or this technique do not hesitate to contact me.
METHODOLOGY TO GENERATE EFFECTIVE WORDLISTS… (CrackTheHash)
The main purpose of most of the classic cracking techniques are to guess the most common patterns in users’ passwords. Those techniques are either dealing with rules or wordlists, but in any case for them to be the most effective possible they need good candidate passwords as root of the technique process. But how can you find those good candidate passwords? The purpose of this part will be to explain a technique to find fresh new candidates from various sources such as Pastebin or Twitter.
First of all, to understand what brought me (CrackTheHash) on this methodology field, you need to know something about my hardware resources. They are very limited! I just own a dual-opteron with 2GB RAM. And for this reason, I do not want to exhaust my CPU for cracking hashes that everyone can easily recover. So I decided to focus my research on finding sources of good candicate passwords to be used for cracking techniques.
In order to know what we are looking for, let’s write some principles that will rule our research. Those principles are based on the password characteristics for them to match at best the requirements of good candidates. And they are the following:
- Password candidates must be up to date.
- Password candidates must be representative of what people may use.
- Password candidates must be multilingual (passwords in Russian, Chinese, Greek, Farsi, etc.).
- Password candidates must be available in large quantity.
There are multiple sources on the Internet where you can find a large amount of data containing password candidates, but only a few will fill those requirements. For the needs of this article we will focus only on two platforms and sources of good password candidates, Pastebin and Twitter.
Pastebin
Pastebin is probably the first Web location where you can find lot of fresh leaks and various user data. What is very interesting in most of the leaks we can find on Pastebin is that they often include real passwords in plaintext. So, monitoring Pastebin is quite interesting and useful to get fresh new candidate passwords. On top of that, there are several resources on the Internet, that will help you to monitor and download the latest Pastebin leaks. Portals like Leakedin, @Pastebindorks or @PastebinLeaks or projects like pastemon and pasteminer are good examples of sources and tools you can use.
Unfortunately, in order to generate effective wordlists you have to create some further scripting because the data does not come very well parsed. The first step and ordinary solution to parse the Pastebin data is to generate a wordlist using the space or tab character as separator and replace it with a line break. This way may lead to miss some interesting cadidates as in some leaks or cracking results. Most of the time you will find lines containing “username 
assword”, “username | password” or even worse, direct sqlmap output, etc. So you have to be clever and find the best way to parse those leaks to create useul wordlists.
In any case, Pastebin can help us to build useful wordlists, because everyday new leaks are uploaded. The produced wordlists are not that amazing in term of quantity, but usually their content is valuable.
Nowadays people tend to use sentences or combination of words for their passwords. They have been advised to do this as it is considered to be a strong and easy to remember way to create passwords. So I decided to use one of the the best sentence generator ever… Twitter! Indeed, everyday people generate tweets with fresh content and in this case our password candidates are just what people are saying.
The most important things about Twitter are that this social platform generates a lot of public and fresh data, is international and tweets are short enough to be parsed individually! On top of that, wordlists generated via Twitter can continuously feed John the Ripper.
So the first step is to grab live Twitter’ content. In order to achieve this, Twitter provides a live-feed query that gives you a full json of tweets with all the data you need. The only elements that are required to perform this query are a valid Twitter username and password:
curl --user <username>:<password> https://stream.twitter.com/1.1/statuses/sample.json
To get only the tweet content you have to parse it a bit. First we may need the ‘-m’ argument of curl to timeout just in case of network trouble and then grep the data received with the keyword \”text\”.
curl -m 10 --user <username>:<password> https://stream.twitter.com/1.1/statuses/sample.json | grep \"text\"
Once received, the result must be parsed because it comes with Unicode escaped characters. Something like the following script will do the trick:
import json, sys
for data in sys.stdin:
jj=json.loads(data)
twit=jj["text"]
print twit.encode('utf-8')
print "done"
The above few lines of Python code can be directly used to generate candidate passwords, which means keeping the whole sentence of the tweet. Another approach is to use each word of the tweet as a candidate password. Furthermore, an interesting idea is to combine tweet words with others.
What we can do is generate combinations of 4 words. Best results are by combining with or without space separators.
Here is a small Python script I wrote to performe this task, the input file is “tweets.txt”:
import sys
def combinations(words, length):
if length == 0:
return []
result = [[word] for word in words]
while length > 1:
new_result = []
for combo in result:
new_result.extend(combo + [word] for word in words)
result = new_result[:]
length -= 1
return result
filein=open("tweets.txt","r")
linesin=filein.readlines()
for i in linesin:
thisline=i.rstrip("\n").split(" ")
for j in combinations(thisline,4):
print '%s' % ''.join(map(str,j))
print '%s' % ' '.join(map(str,j))
for j in combinations(thisline,3):
print '%s' % ''.join(map(str,j))
print '%s' % ' '.join(map(str,j))
for j in combinations(thisline,2):
print '%s' % ''.join(map(str,j))
print '%s' % ' '.join(map(str,j))
for j in thisline[:]:
print j
As far as size is concerned, 10 seconds of live Twitter feed will give you about 1.5 MB and about 600 tweets. This size can be reduced down to 50 KB when keeping only the parsed tweet contents. This combination script will give you around 50 Million candidate passwords to test.
Those two approaches, are not the most effective for cracking million passwords. But for sure, they will give you interesting results such as passwords considered as very strong that have even resisted to lots of GPUs’ on fire.
CONCLUSION
As you might expect, we are not professional password crackers. Password cracking is a hobby for us. Actually, our hardware resources are limited. And bruteforcing passwords is not the most time friendly way, unless you own many GPUs and strong hardware. For this reason, we are tryining to discover new and effective techniques to crack complex passwords.
But always keep in mind that any platforms, websites and online services are never entirely protected against hacking and data leaks. So we would like to give some advices in order to protect your passwords in case critical senarios such as LinkedIN leak happen:
- Never share passwords
- Never use the same password
- Always use strong passwords
- Do not use common words
- Change your passwords in a regular basis
We hope you enjoyed reading this article. Find attached at the end of this article our new wordlist as a late Xmas gift. And of course…
HAPPY NEW YEAR 2013!!!
ABOUT THE WORDLIST
Leaks
LinkedIN Gamigo Adobe Blizzard eHarmony Geissens NVidia Stratfor Project Whitefox Various leaks collected from Pastebin
Some Results
LinkedIN*:
Loaded 6458020 password hashes SHA-1 LinkedIn
Remaining 1078419 password hashes
LinkedIN**: (CLEANED NO DUPS)
Loaded 5787239 password hashes SHA-1 LinkedIn
Remaining 880786 password hashes
Gamigo:
Loaded 7004341 password hashes MD5
Remaining 1019934 password hashes
Adobe:
Loaded 630 password hashes MD5
Remaining 95 password hashes
Blizzard:
Loaded 15932 password hashes MD5
Remaining 4967 password hashes
eHarmony:
Loaded 1513805 password hashes MD5
Remaining 134345 password hashes
Geissens:
Loaded 32502 password hashes MD5
Remaining 4180 password hashes
NVidia:
Loaded 791 password hashes MD5
Remaining 354 password hashes
Stratfor:
Loaded 822666 password hashes MD5
Remaining 58694 password hashes
*, ** The initial LinkedIN hashlist contains 00000ed and non-00000ed SHA1 hashes. A lot of 00000ed hashes still have their duplicate non-00000ed hash in the list. For instance, if you crack the initial LinkedIN hashes with our wordlist you will find 473148 duplicates between 00000ed and non-00000ed, and if you are using John the Ripper with –format:raw-sha1-linkedin you will need to run the process twice to write duplicates (either the 00000ed or non-00000ed version) in your POT file. If you have already considered duplicates as non-useful, then the right results to consider are the ones from the CLEANED version.
Some Pipal Analysis
- LinkedIN: M3G_THI_CTH_WORDLIST_LinkedIN_PIPAL.txt
- Gamigo: M3G_THI_CTH_WORDLIST_Gamigo_PIPAL.txt
- eHarmony: M3G_THI_CTH_WORDLIST_eHarmony_PIPAL.txt
- Stratfor: M3G_THI_CTH_WORDLIST_stratfor_PIPAL.txt
FINAL NOTICE
The wordlist provided in this article has been created using all the presented cracking techniques against public leaks only. Do not expect to find new passwords using the same leaks and techniques presented here.
As always it is up to the reader to use this wordlist to do password recovery. We do not take any responsibility if some of your passwords can be found in this wordlist or be recovered using our techniques. Be aware that the best way to protect you is always to change your passwords as often as possible.
Incoming search terms:
Cracking Story – How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords
by m3g9tr0n on Aug.28, 2012, under Crack1ng, Hack1ng. 63,222 views
This is the story about how I cracked 122 million* password hashes with John the Ripper and oclHashcat-plus.
Author: m3g9tr0n, Copy Editor: Thireus.
It was several months ago, when I (m3g9tr0n) saw a tweet from KoreLogic about a torrent file containing various password hash lists for a total of 146 million passwords. This very big amount of password hashes at first discouraged me, as I only own a classic computer configuration with an AMD Phenom II 4 cores at 3,2 Mhz in addition to an ATI/AMD 5770 graphics card. But at least, I really wanted to give them a try because the field of password cracking fascinates me.
The password cracking tools I used during this long trip were John the Ripper and oclHashcat-plus. This article is about cracking the provided MD5 hashes of KoreLogic only, but the same strategy was also applied to SHA1 hashes.
Updates:
- 08/29/2012 – New example in John the Ripper section: “Crack double MD5 hashes with the help of dict2hash.pl script”
- 08/29/2012 – New download! All in one sorted and cleaned version.
Dealing with hashes…
First of all the KoreLogic torrent file file must be decompressed, it contains a folder named “hashes”. Let’s see the content of this folder…
root@m3g9tr0n:~/hashes$ ls longer_salts raw-md5.hashes.txt salted_with_md5 SHA1 vBulletin-v3.8.4
We will concentrate here on the raw-md5.hashes.txt list. This file is 4.3 GB and includes 139444502 lines according to wc utility.
root@m3g9tr0n:~/hashes$ wc -l raw-md5.hashes.txt 139444502 raw-md5.hashes.txt
As you consider, both John the Ripper and oclHashcat-plus are not able to load this file because it is too big. For that reason, we need to split this file. Under Linux we have a nice utility called split that does this job very well.
root@m3g9tr0n:~$ split --help
Usage: split [OPTION]... [INPUT [PREFIX]]
Output fixed-size pieces of INPUT to PREFIXaa, PREFIXab, ...; default
size is 1000 lines, and default PREFIX is `x'. With no INPUT, or when INPUT
is -, read standard input.
Mandatory arguments to long options are mandatory for short options too.
-a, --suffix-length=N use suffixes of length N (default 2)
-b, --bytes=SIZE put SIZE bytes per output file
-C, --line-bytes=SIZE put at most SIZE bytes of lines per output file
-d, --numeric-suffixes use numeric suffixes instead of alphabetic
-l, --lines=NUMBER put NUMBER lines per output file
--verbose print a diagnostic just before each
output file is opened
--help display this help and exit
--version output version information and exit
SIZE may be (or may be an integer optionally followed by) one of following:
KB 1000, K 1024, MB 1000*1000, M 1024*1024, and so on for G, T, P, E, Z, Y.
We can use the –lines=NUMBER parameter to split our raw-md5.hashes.txt file.
root@m3g9tr0n:~/hashes$ split -l 3000000 raw-md5.hashes.txt part
Note that we can also split the file based on the amount of MBs by taking into consideration that each MD5 hash is 32 bytes long.
Cracking Passwords with oclHashcat-plus
I started with oclHashcat-plus because it contains the –remove option, which enable remove of hash from hashfile once it is cracked and is really convenient. The only limitation oclHashcat-plus has, is the constraint on password length. In other words, it is only able to crack passwords up to 15 characters. The rules that I used for oclHashcat-plus are base64.rule, passwordspro.rule, T0XlC.rule and in some cases d3ad0ne.rule. There rules can be found directly from the oclHashcat-plus suite.
Bruteforce techniques were not my first choice. I used wordlists which I download from g0tm1lk’s blogspot. You will find on g0tmi1k’s article other external links for more wordlists. The biggest part of cracking process was done by using these wordlists with the rules mentioned above. Let’s see some examples…
Using a single rule:
./oclHashcat-plus64.bin -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic -r rules/best64.rule -o Ultimate_Crack/eNtr0pY_1 --remove
Using Rules’ combination:
./oclHashcat-plus64.bin -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic -r rules/best64.rule r rules/passwordspro.rule -o Ultimate_Crack/eNtr0pY_1 --remove
Bruteforce attack with mask (you can specify whatever charset you want):
./oclHashcat-plus64.bin -a 3 -1 ?l?d?u?s -m 0 ~/hashes/md5_1 ?1?1?1?1?1?1?1?1 -o Ultimate_Crack/eNtr0pY_1 --remove
Combination attack:
./oclHashcat-plus64.bin -a 1 -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic ~/Wordlists/list -o Ultimate_Crack/eNtr0pY_1 --remove
Combination attack with rules:
./oclHashcat-plus64.bin -a 1 -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic ~/Wordlists/list -r rules/passwordspro.rule -o Ultimate_Crack/eNtr0pY_1 --remove
Permutation attack:
./oclHashcat-plus64.bin -a 4 -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic -o Ultimate_Crack/eNtr0pY_1 --remove
Permutation attack with rules:
./oclHashcat-plus64.bin -a 4 -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic -r rules/best64.rule -o Ultimate_Crack/eNtr0pY_1 --remove
In some cases, I used the hybrid + mask attack technique:
./oclHashcat-plus64.bin -a 6 -1 ?l?d -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic ?1?1 -o Ultimate_Crack/eNtr0pY_1 --remove
Hybrid + mask attack with rules:
./oclHashcat-plus64.bin -a 6 -1 ?l?d -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic ?1?1 -r rules/best64.rule -o Ultimate_Crack/eNtr0pY_1 --remove
At this point, I did not use these last two methods as they are very time consuming. I rather found a better one using KoreLogic’s Rules for John the Ripper by piping the output of John the Ripper to oclHashcat-plus. As I mentioned, oclHashcat-plus is able to crack passwords up to 15 characters. For that reason, I had to define everytime, via the –stdout option, the length of the produced word. If you own a very fast GPU you do not have to use the following example.
./john --wordlist=~/Wordlists/all.lst -rules:KoreLogicRulesPrependYears --stdout=10 | ./oclHashcat-plus64.bin -m 0 ~/hashes/md5_1 -o Ultimate_Crack/eNtr0pY_1 --remove
Of course you can use other prepend rules created from Korelogic, like KoreLogicRulesPrependNumNum, or even better create your own rules!
It was time to produce a wordlist from the cracked passwords and use it to crack the remaining hashes. From eNtr0pY_1, I removed the MD5 hashes with the following command.
cut -b34- eNtr0pY_1 > eNtr0pY_1.dic
By using the above produced wordlist, a big amount of MD5 hashes were cracked with the fingerprint attack. You can read more about this attack from Martin Bos @purehate and I guarantee that this technique is very successful!
Of course you can also use the binaries included into hashcat-utils and pipe the output of each util to oclHashcat-plus.
root@m3g9tr0n:~/oclHashcat-plus-0.08/hashcat-utils$ ls combinator.bin expander.bin gate.bin len.bin mp32.bin permute.bin prepare.bin req.bin splitlen.bin
Cracking Passwords with John the Ripper
After testing all my wordlist collection and after several days, it was time to move to John the Ripper for cracking the rest of password hashes…
I used magnum-ripper compiled with OpenCL for ATI/AMD graphics card because I wanted to use the –format=raw-md5-opencl parameter. Compared to –format=raw-md5, it is way faster as it uses your CPU and GPU!
The Rules that were used with John the Ripper are wordlist, Single, NT, Extra, KoreLogicRulesAppendNumbers_and_Specials_Simple, KoreLogicRulesAppend6Num, KoreLogicRulesPrependAndAppendSpecial, KoreLogicRulesAppendNumNum_AddSpecialEverywhere, KoreLogicRulesAppendNumNumNum_AddSpecialEverywhere and KoreLogicRulesL33t.
Furthermore you can download these rules and add them to your john.conf file.
Let’s see now some examples with John the Ripper…
Using –rules=Single
./john --format=raw-md5-opencl --wordlist=../../Wordlists/all.lst --rules:Single ~/hashes/md5_1
The results of cracked hashes are stored in the john.pot file by default. You can examine its contents with cat, more, head and tail.
root@m3g9tr0n:~/Tools/Password_Cracking/magnum-jumbo-OpenCL/run$ tail -n 9 john.pot $MD5$0fad81e7a61b47d387dde893fcf8e88a:anacarolinagu $MD5$0f82fc9a81f5db07eb9289767390fd2b:fabulousfoodsu $MD5$0e22933267b2e7df062703c4e5842029:fabuloustravelu $MD5$0d40086a54fefe993c9816d1441672ac:modularhomeu $MD5$0ed8181fc4d18e260dd8e36633124bfd:greenshoppingu $MD5$0d6e8da4017ec5c384ac5536087da44d:lawofattractionu $MD5$0eb916d3c6a66a32cedd4acc6edb1dbb:hotreportu $MD5$0e241f99b5c13d56686ec618ab54d5fa:flightsandholidaysu $MD5$0f3c99478362aae389d2cbf716394269:stthomasmoresu
To produce a wordlist from the john.pot file, you can use the following command.
cut -d: -f 2- john.pot | sort -u > cracked.dic
The created wordlist can be used to crack more hashes when combined with the abovementioned rules.
When I was cracking MD5 hashes with oclHashcat-plus, I observed that some produced passwords were rejected. This is because oclHashcat-plus has a limitation about characters’ length. For that reason, I piped hashcat’s output to John the Ripper with the additional advantage of using hashcat rules with John the Ripper.
./hashcat-cli64.bin --stdout ~/Wordlists/d3ad0ne.dic -r rules/best64.rule | ./john --format=raw-md5-opencl --stdin ~/hashes/md5_1
After trying all the wordlists combined with the rules mentioned above, it was time to move to bruteforce attacks with John the Ripper. Unfortunately, John the Ripper does not use the mask attacks to produce passwords when implementing bruteforce attacks. We have to create our own charset based on cracked passwords contained in john.pot.
./john --make-charset=eNtr0pY.chr Loaded 7948325 plaintexts Generating charsets... 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 DONE Generating cracking order... DONE Successfully written charset file: eNtr0pY.chr (95 characters)
Many of you will wonder about “31 DONE”… 
This is just because I compiled John the Ripper with 31 characters’ length. By default, John the Ripper is compliled with 8 characters’ length, so it is best to change it by modifying the following lines of the header file params.h located in the scr folder of John the Ripper.
#define CHARSET_MIN ' ' #define CHARSET_MAX 0x7E #define CHARSET_SIZE (CHARSET_MAX - CHARSET_MIN + 1) #define CHARSET_LENGTH 8 //Change that to 31 or whatever you wish
At last you have to include your created charset to john.conf as given in this example:
# Incremental modes [Incremental:eNtr0pY] File = $JOHN/eNtr0pY.chr MinLen = 0 MaxLen = 31 CharCount = 95
Now it is time to use bruteforce attacks with our own charstet!
./john --format=raw-md5-opencl --incremental=eNtr0pY ~/hashes/md5_1
If you look into john.conf you will see some bruteforce attack modes characterized as extrernals. These are Double, Strip, Keyboard (which uses neighbor combinations produced from keyboard characters), KnownForce, DateTime, Repeats, Sequence, Subsets and DumbForce for crazy password formats.
./john --format=raw-md5-opencl --external=DumbForce ~/hashes/md5_1
We would also like to crack double MD5 hashes with the help of dict2hash.pl script provided here.
perl dict2hash.pl < rockyou.txt | ./john --format=raw-md5-opencl --stdin ~/md5_1
Here you can see some samples of cracked md5s with John the Ripper:
Personally, I believe a password like “$MD5$0b26a0faf1344d6e772bf55628e10e29:n34=mn { .clipboard $me }” is impossible to crack with bruteforce attacks.
Note: All the abovementioned techniques can be used with oclHashcat-plus by defining -m 100 and with John the Ripper by defining –format=raw-sha1-opencl for SHA1 cracking with OpenCL!
Password Analysis
Finally, it worths to see an analysis using pipal (a password analyser) of a collected sample generated from cracking results.
root@m3g9tr0n:~/pipal$ ruby1.9.1 pipal.rb \
-o eNtr0pY_1 ~/Wordlists/Ultimate/Part1/eNtr0pY_5.dic
Total entries = 759103
Total unique entries = 758299
Top 10 passwords
niezgadniesz123 = 3 (0.0%)
ubqu = 3 (0.0%)
amonys = 3 (0.0%)
centralitie = 3 (0.0%)
bobydu = 3 (0.0%)
hanghuynh = 3 (0.0%)
hmadyousi = 3 (0.0%)
matthewperman = 3 (0.0%)
shadowninja2 = 3 (0.0%)
lhz4 = 3 (0.0%)
Top 10 base words
august = 219 (0.03%)
july = 205 (0.03%)
april = 199 (0.03%)
june = 195 (0.03%)
march = 165 (0.02%)
alex = 161 (0.02%)
love = 132 (0.02%)
chris = 130 (0.02%)
daniel = 128 (0.02%)
dragon = 122 (0.02%)
Password length (length ordered)
1 = 13 (0.0%)
2 = 103 (0.01%)
3 = 1332 (0.18%)
4 = 16781 (2.21%)
5 = 19831 (2.61%)
6 = 95800 (12.62%)
7 = 202414 (26.66%)
8 = 158562 (20.89%)
9 = 103855 (13.68%)
10 = 75652 (9.97%)
11 = 46023 (6.06%)
12 = 24997 (3.29%)
13 = 8423 (1.11%)
14 = 3772 (0.5%)
15 = 1560 (0.21%)
Password length (count ordered)
7 = 202414 (26.66%)
8 = 158562 (20.89%)
9 = 103855 (13.68%)
6 = 95800 (12.62%)
10 = 75652 (9.97%)
11 = 46023 (6.06%)
12 = 24997 (3.29%)
5 = 19831 (2.61%)
4 = 16781 (2.21%)
13 = 8423 (1.11%)
14 = 3772 (0.5%)
15 = 1560 (0.21%)
3 = 1332 (0.18%)
2 = 103 (0.01%)
1 = 13 (0.0%)
|
|
|
||
||
||
||
|||
||||
||||
|||||
|||||
||||||
||||||
|||||||||
|||||||||||||||||
00000000001111111
01234567890123456
One to six characters = 133854 (17.63%)
One to eight characters = 494828 (65.19%)
More than eight characters = 264275 (34.81%)
Only lowercase alpha = 154996 (20.42%)
Only uppercase alpha = 14072 (1.85%)
Only alpha = 169068 (22.27%)
Only numeric = 119581 (15.75%)
First capital last symbol = 6088 (0.8%)
First capital last number = 73611 (9.7%)
Months
january = 109 (0.01%)
february = 45 (0.01%)
march = 247 (0.03%)
april = 251 (0.03%)
may = 850 (0.11%)
june = 246 (0.03%)
july = 223 (0.03%)
august = 300 (0.04%)
september = 80 (0.01%)
october = 134 (0.02%)
november = 113 (0.01%)
december = 115 (0.02%)
Days
monday = 59 (0.01%)
tuesday = 20 (0.0%)
wednesday = 7 (0.0%)
thursday = 38 (0.01%)
friday = 46 (0.01%)
saturday = 7 (0.0%)
sunday = 70 (0.01%)
Months (Abreviated)
jan = 1482 (0.2%)
feb = 249 (0.03%)
mar = 8397 (1.11%)
apr = 692 (0.09%)
may = 850 (0.11%)
jun = 889 (0.12%)
jul = 1051 (0.14%)
aug = 785 (0.1%)
sept = 215 (0.03%)
oct = 512 (0.07%)
nov = 821 (0.11%)
dec = 874 (0.12%)
Days (Abreviated)
mon = 4319 (0.57%)
tues = 28 (0.0%)
wed = 217 (0.03%)
thurs = 44 (0.01%)
fri = 758 (0.1%)
sat = 769 (0.1%)
sun = 1018 (0.13%)
Includes years
1975 = 411 (0.05%)
1976 = 388 (0.05%)
1977 = 446 (0.06%)
1978 = 432 (0.06%)
1979 = 441 (0.06%)
1980 = 541 (0.07%)
1981 = 453 (0.06%)
1982 = 519 (0.07%)
1983 = 533 (0.07%)
1984 = 603 (0.08%)
1985 = 585 (0.08%)
1986 = 616 (0.08%)
1987 = 710 (0.09%)
1988 = 641 (0.08%)
1989 = 941 (0.12%)
1990 = 931 (0.12%)
1991 = 995 (0.13%)
1992 = 935 (0.12%)
1993 = 905 (0.12%)
1994 = 907 (0.12%)
1995 = 4021 (0.53%)
1996 = 858 (0.11%)
1997 = 486 (0.06%)
1998 = 443 (0.06%)
1999 = 416 (0.05%)
2000 = 1024 (0.13%)
2001 = 643 (0.08%)
2002 = 586 (0.08%)
2003 = 1132 (0.15%)
2004 = 1254 (0.17%)
2005 = 796 (0.1%)
2006 = 818 (0.11%)
2007 = 1442 (0.19%)
2008 = 1019 (0.13%)
2009 = 742 (0.1%)
2010 = 767 (0.1%)
2011 = 516 (0.07%)
2012 = 925 (0.12%)
2013 = 165 (0.02%)
2014 = 142 (0.02%)
2015 = 146 (0.02%)
2016 = 118 (0.02%)
2017 = 139 (0.02%)
2018 = 131 (0.02%)
2019 = 172 (0.02%)
2020 = 179 (0.02%)
|
Years (Top 10)
1995 = 4021 (0.53%)
2007 = 1442 (0.19%)
2004 = 1254 (0.17%)
2003 = 1132 (0.15%)
2000 = 1024 (0.13%)
2008 = 1019 (0.13%)
1991 = 995 (0.13%)
1989 = 941 (0.12%)
1992 = 935 (0.12%)
1990 = 931 (0.12%)
Colours
black = 485 (0.06%)
blue = 549 (0.07%)
brown = 184 (0.02%)
gray = 89 (0.01%)
green = 348 (0.05%)
orange = 125 (0.02%)
pink = 262 (0.03%)
purple = 73 (0.01%)
red = 2974 (0.39%)
white = 179 (0.02%)
yellow = 85 (0.01%)
violet = 63 (0.01%)
indigo = 22 (0.0%)
Single digit on the end = 92080 (12.13%)
Two digits on the end = 87587 (11.54%)
Three digits on the end = 103715 (13.66%)
Last number
0 = 45407 (5.98%)
1 = 64764 (8.53%)
2 = 52570 (6.93%)
3 = 52890 (6.97%)
4 = 43719 (5.76%)
5 = 55185 (7.27%)
6 = 42826 (5.64%)
7 = 46169 (6.08%)
8 = 42475 (5.6%)
9 = 44930 (5.92%)
|
|
| | |
||| |
|||| | | |
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789
Last digit
1 = 64764 (8.53%)
5 = 55185 (7.27%)
3 = 52890 (6.97%)
2 = 52570 (6.93%)
7 = 46169 (6.08%)
0 = 45407 (5.98%)
9 = 44930 (5.92%)
4 = 43719 (5.76%)
6 = 42826 (5.64%)
8 = 42475 (5.6%)
Last 2 digits (Top 10)
95 = 14675 (1.93%)
23 = 12192 (1.61%)
12 = 9230 (1.22%)
11 = 8214 (1.08%)
01 = 7606 (1.0%)
00 = 7131 (0.94%)
07 = 6295 (0.83%)
10 = 6182 (0.81%)
21 = 5881 (0.77%)
99 = 5868 (0.77%)
Last 3 digits (Top 10)
123 = 6857 (0.9%)
995 = 4122 (0.54%)
971 = 2916 (0.38%)
972 = 2850 (0.38%)
007 = 2514 (0.33%)
000 = 1868 (0.25%)
234 = 1725 (0.23%)
666 = 1465 (0.19%)
777 = 1389 (0.18%)
004 = 1347 (0.18%)
Last 4 digits (Top 10)
1995 = 3886 (0.51%)
1234 = 1379 (0.18%)
2007 = 1325 (0.17%)
2004 = 1121 (0.15%)
2003 = 1016 (0.13%)
2008 = 869 (0.11%)
2000 = 846 (0.11%)
1991 = 819 (0.11%)
2012 = 809 (0.11%)
1990 = 789 (0.1%)
Last 5 digits (Top 10)
12345 = 743 (0.1%)
23456 = 652 (0.09%)
54321 = 189 (0.02%)
23123 = 140 (0.02%)
56789 = 127 (0.02%)
34567 = 102 (0.01%)
11111 = 99 (0.01%)
45678 = 75 (0.01%)
00000 = 73 (0.01%)
88888 = 68 (0.01%)
US Area Codes
971 = Oregon: Metropolitan Portland,
Salem/Keizer area,
incl Cricket Wireless (OR)
972 = Texas: Dallas Metro (TX)
234 = NE Ohio: Canton, Akron (OH)
Character sets
loweralphanum: 330937 (43.6%)
loweralpha: 154996 (20.42%)
numeric: 119581 (15.75%)
mixedalphanum: 41121 (5.42%)
upperalphanum: 41078 (5.41%)
mixedalpha: 28464 (3.75%)
upperalpha: 14072 (1.85%)
loweralphaspecial: 10222 (1.35%)
loweralphaspecialnum: 5735 (0.76%)
mixedalphaspecial: 4724 (0.62%)
upperalphaspecial: 2939 (0.39%)
mixedalphaspecialnum: 2247 (0.3%)
specialnum: 648 (0.09%)
upperalphaspecialnum: 374 (0.05%)
special: 47 (0.01%)
Character set ordering
stringdigit: 349534 (46.05%)
allstring: 197532 (26.02%)
alldigit: 119581 (15.75%)
digitstring: 28873 (3.8%)
othermask: 18649 (2.46%)
stringdigitstring: 14577 (1.92%)
stringspecial: 10441 (1.38%)
digitstringdigit: 9981 (1.31%)
stringspecialstring: 5469 (0.72%)
stringspecialdigit: 3075 (0.41%)
specialstring: 834 (0.11%)
specialstringspecial: 510 (0.07%)
allspecial: 47 (0.01%)
Hashcat masks (Top 10)
?d?d?d?d?d?d?d: 85053 (11.2%)
?l?l?l?l?l?l: 38400 (5.06%)
?l?l?l?l?l?l?l?l: 36217 (4.77%)
?l?l?l?l?l?l?l: 35468 (4.67%)
?l?l?l?l?l?l?d?d?d: 24051 (3.17%)
?l?l?l?l?l?l?d?d: 18591 (2.45%)
?l?l?l?l?l?d?d?d: 18047 (2.38%)
?d?d?d?d?d?d: 16048 (2.11%)
?l?l?l?l?l?l?l?l?l: 14236 (1.88%)
?l?l?l?l?d?d?d: 13802 (1.82%)
|
Conclusion
This was a very time consuming and hard job because I do not own the fastest card. The whole cracking process took about 5 months to accomplish because I had to finish my studies about CCNP certification. The lesson learned from this is that with a good and smart dictionary combined with handy rules either for hashcat or John the Ripper even strong passwords can be cracked. Based on the upon statement, admins should use a stronger hash algorithm (with salt) to store your passwords or even better from your side just change your passwords in a regular basis.
Thanks for reading.
You can find me on twitter, @m3g9tr0n.
Downloads
You can download the results of cracked hashes:
m3g9tr0n_122Million_Passwords_WordLists.zip
Version: 1.0
The provided KoreLogic torrent file contains various but unique password hashes. For that reason you may find duplicated passwords in these wordlists, as a single password can be hashed using various algorithmes! Meaning that 122 million unique hashes (MD5, SHA1, double MD5, etc.) were cracked and result in 83,6 million unique passwords.
You can download the “all in one” version, cleaned and sorted:
The command used to generate this “all in one” CLEANED wordlist was:
export LC_ALL='C' && cat * | sort | uniq > eNtr0pY_ALL_sort_uniq.dic
References
- hashcat Wiki [ http://hashcat.net/wiki/ ]
- John the Ripper Wiki [ http://openwall.info/wiki/john ]
Incoming search terms:
- korelogic rule set (162)
- md5 crack (156)
- Hashcat (72)
- how i cracked 122 million (62)
- oclhashcat-plus tutorial (60)
- md5 cracker (50)
- crack md5 (47)
- eNtr0pY_ALL_sort_uniq dic (45)
- sha1 cracker (42)
- oclhashcat-plus (24)
John the Ripped – Steak and French Fries With Salt and Pepper Sauce for Hungry Password Crackers
by Thireus on May.20, 2012, under Crack1ng, Guides and tutorials, Hack1ng. 9,914 views
John the Ripper into its latest community enhanced version (John the Ripper 1.7.9-jumbo-5) has many advanced features. Most of them are without any doubt very useful and appreciated such as MD5 hash cracking.
Four days to come before Hack In The Box Amsterdam 2012 security conferences. Excitement is at its top level, bags are already packed and iOS Hacker’s Handbook is left open on the beside table. But because it is always time for challenges, I decided to face one that I have in mind for years…
Cracking a custom hash algorithm and making your own password cracking cluster would be great huh… ? Well you know what? You can do it with John the Ripper jumbo version
Updates: (subscribe to my twitter to get notified)
- 11/16/2012 – Note about run/dynamic.conf file. No need to recompile, much more easier to edit!
- 11/16/2012 – Note dynamic function names up to 999 are reserved!
- 11/16/2012 – Added “–subformat=LIST” tip.
Prepare salt and pepper sauce… the French Cuisine
Most of the time, hashed passwords are salted and combined with different famous hash algorithms. For example, administrators who have a little sensibility with security will hash user passwords with different combinations, i.e. sha1(md5($salt.$password).”HelloWorld”). This kind of classic enhanced security to store hashed passwords makes the job harder for password crackers.
First of all the attacker needs to know how passwords were hashed. Reverse engineering is always a good start but the easiest way is to get the sources. The second point and the one I’ld like to talk in the first part of this article is to implement and use your own hash algorithm for cracking purpose.
- First go to http://www.openwall.com/john/, and download the latest jumbo ”community enhanced” version. When I write this article the latest stable release was 1.7.9-jumbo-5
$ wget http://www.openwall.com/john/g/john-1.7.9-jumbo-5.tar.gz $ tar -xvzf john-1.7.9-jumbo-5.tar.gz
- Let’s see what we have here…
$ cd john-1.7.9-jumbo-5/src/
Before changing anything, we’ld like to check if it compiles well.
- The make command will list all available compilation modes. This time I’m gonna compile john on MacOS X Lion 10.7.3. Choose the one you prefer…
john-1.7.9-jumbo-5/src$ make john-1.7.9-jumbo-5/src$ make macosx-x86-64
- If everything is ok you should see john binaries and configuration files into the run directory
john-1.7.9-jumbo-5/src$ cd ../run/ john-1.7.9-jumbo-5/run$ ./john --test
- Now go back to the src directory
john-1.7.9-jumbo-5/run$ cd ../src/
In the introduction I talked about a custom hash algorithm such as sha1(md5($salt.$password).”HelloWorld”). So let’s take this one as example.
Note: A similar procedure can also be applied directly to the run/dynamic.conf file, where you can add your own dynamic functions ([List.Generic:dynamic_XXXX]) without the need to recompile.
What we’ll need to modify is dynamic_preloads.c. This is where we can create our custom algorithm under the name of dynamic_1666. Names up to dynamic_999 are reserved, so make sure to use a number which is not already in use by another dynamic function. Use the command “./john –subformat=LIST” to check available numbers.
Additionally, you’ll find into this file many example of classic dynamic subformats such as md5(md5($password)). I advice you to understand by your own how things work before doing anything.
- When you are ready, open dynamic_preloads.c and add these new lines
//dynamic_1666 --> sha1(md5($s.$p)."HelloWorld") BY THIREUS
static DYNAMIC_primitive_funcp _Funcs_1666[] =
{
DynamicFunc__clean_input,
DynamicFunc__append_salt,
DynamicFunc__append_keys,
DynamicFunc__crypt,
DynamicFunc__SSEtoX86_switch_output1,
DynamicFunc__clean_input2,
DynamicFunc__append_from_last_output_to_input2_as_base16,
DynamicFunc__append_input2_from_CONST1,
DynamicFunc__SHA1_crypt_input2_to_output1_FINAL,
NULL
};
static struct fmt_tests _Preloads_1666[] =
{
{"$dynamic_1666$e964aa651052d2bbd64aea60756d7705634187f6$admin","password"}, // salt=admin, password=password
{"$dynamic_1666$4a573951007f7d23eb411c066e2cfb8a175a76d2$123456789","heydude"},
{"$dynamic_1666$fee9c8708b2e1a177acd350513c14ce0e9900609$salted","test123"},
{"$dynamic_1666$d8e18f5f1035ce486dd3a08911a4205d78fc7f49$bonjour","awesome"},
{NULL}
};
static DYNAMIC_Constants _Const_1666[] =
{
{"HelloWorld"},
{NULL}
};
If you are curious about how to declare DynamicFunc__ actions and optimise your function, you’ll find all you need in dynamic_parser.c and dynamic_fmt.c
- Finally at the end of the file, we need to specify hashes format
{ "dynamic_1666: sha1($s.md5($p).\"HelloWorld\")", _Funcs_1666,_Preloads_1666,_Const_1666, MGF_SALTED|MGF_SHA1_40_BYTE_FINISH, MGF_NO_FLAG },
- Once everything is in place, we have to clean and compile again.
john-1.7.9-jumbo-5/src$ make clean john-1.7.9-jumbo-5/src$ make macosx-x86-64
- You should see john binaries and configuration files into the run directory. And you can run the –test option of John the Ripper.
john-1.7.9-jumbo-5/src$ cd ../run/ john-1.7.9-jumbo-5/run$ ./john --test
New lines should appear to display benchmark scores for your function.
Benchmarking: dynamic_1666: sha1($s.md5($p)."HelloWorld") [SSE2i 10x4x3]... DONE Many salts: 1855K c/s real, 1995K c/s virtual Only one salt: 1741K c/s real, 1852K c/s virtual Benchmarking: dynamic_1666: sha1($s.md5($p)."HelloWorld") [64x2 (MD5_Body)]... DONE Many salts: 1373K c/s real, 1509K c/s virtual Only one salt: 1283K c/s real, 1410K c/s virtual
john-1.7.9-jumbo-5/run$ ./john --subformat=LIST
Tests fails? 
There are many reasons why tests can fail. The main reasons are due to a bad use of DynamicFunc__ actions, bad order or bad implementation. This will result into a verbose fail of John before starting any tests.
Another common issue, could be that your fmt_tests are broken, meaning bad format for example, this results into a FAILED (valid) error during the tests.
And one last point, if you hash long strings using SSE mode your tests will automatically fail! That’s the reason why you have to switch between SSE and X86 mode using functions such as DynamicFunc__ToX86 or DynamicFunc__SSEtoX86_switch_output1.
- You should now be ready to crack these passwords
lydia:$dynamic_1666$72d4d61b4e5db9ef8704d1af81284c67eea640dd$skyrim admin:$dynamic_1666$70ea6b7f633305f04521683226ecabd0537e90ec$example.com user123:$dynamic_1666$907c7df1d7e349e98184d74fb7486c77eaf76d60$example.com Thireus:$dynamic_1666$e41c041fda28b3615b63acddb6407cf74b354d66$CestLaFeteAlouette
- Put them into a hash.txt file, and crack them all
john-1.7.9-jumbo-5/run$ ./john hash.txt
Step by step instructions for grilling the perfect steak… with MPI enabled barbecue
Few months ago I wrote an article that explains how to compile John the Ripper with OpenMP enable to take advantage of Multiple Cores. Crack Passwords using John the Ripper with Multiple CPU Cores (OpenMP). OpenMP is good for algorithms such as DES which can be used by default with this awesome feature. The bad news is that not all algorithms are compatible with OpenMP, such as MD5 or SHA1. Fortunately there is one good news we can use the MPI (Message Passing Interface) feature of John the Ripper, to take advantage of all our CPU cores with any algorithm!
Before going any further, some packages are required. You have to install OpenMPI.
- Under MacOS you can do it via MacPorts using the “sudo port install openmpi” command.
- Under Linux you can get everything with “sudo apt-get install libopenmpi-dev openmpi-bin openmpi-doc“.
Make sure your have the mpirun command available.
- Now what you have to do is to open John’s Makefile and edit two lines
$ cd john-1.7.9-jumbo-5/src/ john-1.7.9-jumbo-5/src$ nano Makefile
- Locate the following lines
#CC = mpicc -DHAVE_MPI -DJOHN_MPI_BARRIER -DJOHN_MPI_ABORT #MPIOBJ = john-mpi.o
- Uncomment MPI flags
CC = mpicc -DHAVE_MPI -DJOHN_MPI_BARRIER -DJOHN_MPI_ABORT MPIOBJ = john-mpi.o
- Once everything is in place, we have to clean and compile again
john-1.7.9-jumbo-5/src$ make clean john-1.7.9-jumbo-5/src$ make macosx-x86-64
Under Linux, compilation should work out of the box. Under MacOS users will face this issue:
john-mpi.c:6:10: fatal error: 'omp.h' file not found
#include <omp.h>
^
1 error generated.
make[1]: *** [john-mpi.o] Error 1
make: *** [macosx-x86-64] Error 2
To fix it, just open the john-mpi.c file and comment omp.h file inclusion (which is not needed and must not be used under MacOS X)
#include "john-mpi.h" #include <string.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> //#include <omp.h>
Now it should compile and run fine with mpirun
john-1.7.9-jumbo-5/run$ mpirun -n 8 ./john hash.txt
You need to adjust the number of cores depending on your CPU . With the previous command the work is now split in 8 sub-processes, one per core on my i7-8600K. Isn’t that great?
Warning: Once the number of cores has been fixed for a session, don’t change it unless you know what you are doing. Because for sure it can break your work
Note that you can use sessions, and similar options that can be associated with mpirun. For example, if you want to know the state of a session:
john-1.7.9-jumbo-5/run$ mpirun -n 8 ./john --status=mysavedsession
This will read for you all the “mysavedsession.%d.rec” where %d is a number between 0 and 7 in this case. One last thing, sessions are saved every 10 minutes, so don’t be scared if the status command displays null stats for the first 10 minutes
Cook some French fries for your steak
So you have many computers in your room, and want to take advantage of all CPUs? As promised, I’ll talk about clustering here for advanced users only
Before going any further, some packages are required. You have to install OpenMPI and mpich2.
- Under MacOS you can do it via MacPorts using the “sudo port install openmpi mpich2” command.
- Under Linux you can get everything with “sudo apt-get install libopenmpi-dev openmpi-bin openmpi-doc mpich2“
Make sure your have the mpirun command available and hydra_pmi_proxy.
hydra_pmi_proxy is the binary file which is used to talk between computers. It is located under “/opt/local/bin/hydra_pmi_proxy” on MacOS X and “/usr/local/bin/hydra_pmi_proxy” under Linux.
What you need to know now is that any systems must run the same John the Ripper version, in the same directory and use the same version of mpich2. If this is not the case you can manually compile and install mpich2 and also create symbolic links with “ln -s” command.
For example, to talk between MacOS and Linux I had to make sure hydra_pmi_proxy can be reached using the same path on both systems.
ln -s /usr/local/bin/hydra_pmi_proxy /opt/local/bin/hydra_pmi_proxy
Now that all your computers are ready, make sure you can reach them via ssh, because this is the way used by MPI messages. So I advice you to create SSH key pairs. Once done, create a nodes.txt file, containing ip addresses of the computers you want to use.
toto@192.168.1.145 localhost localhost localhost localhost mike@192.168.4.12 mike@192.168.4.12 mike@192.168.4.12 mike@192.168.4.12 192.168.5.5 192.168.5.5 paul@mydomain.com paul@mydomain.com
You can now use this file to invoke commands on other systems. Let’s start with “john-1.7.9-jumbo-5/run/john –test”.
mpirun -f nodes.txt -n 18 john-1.7.9-jumbo-5/run/john --test
You may have noticed that I’m not using 18 processes (18 CPU cores). Because once the end of the nodes.txt file is reached, mpirun will start again at the beginning of the file, making loops. toto@192.168.1.145 will thus be used twice, as well as the 4 localhost. You should now be ready to play with your own password cracking cluster
Ready to serve. Bon appétit !
