DEFCON 16: Password Cracking on a Budget

Captions
Well, thanks for coming to this talk. I'm Matt Weir, I'm from Florida State University, and this talk here, as you can see, is Password Cracking on a Budget. Before I begin there's a couple of people I just want to thank: first of all Bill Glodek, who is another research student who, unfortunately for me, graduated, but he did quite a bit of the work here; Professor Sudhir Aggarwal, my major professor; Professor Breno de Medeiros; and also the National Institute of Justice for funding this research, so I really do appreciate that, so I don't have to teach all those intro C++ classes.

Real quick about me, just so you know who the hell I am. As I said before, my name is Matt Weir. I'm currently a PhD student at Florida State University. Before I decided to go back to college and take a significant pay cut, I was a network security engineer for Northrop Grumman TASC, and the last project I was on I helped support the JTF-GNO, Joint Task Force Global Network Operations, with forensics investigations. Also, just to let you guys know, I have had my passwords stolen in the past, so this is a little close to home; in fact, I discovered that during the course of this research. A lot of what we do is try to figure out how people actually create passwords, and in order to do that we look at disclosed password lists. So a hacker will break into a site, they'll steal all the passwords and post them online, and then we take a look at them to try to figure out what they are; and if they just post the hashes, then you actually have to go ahead and crack those passwords in order to try to figure out how people created those passwords in the first place. So a long time ago I played a video game called BatMUD, which is way better than World of Warcraft, but unfortunately they didn't have a very secure website apparently. So as I was going through these lists I was like, oh hey, I know these people, that's my username... okay, crap, that's my password. So I mean this has hit a little close to home for me, but I think that's actually fairly common: if you think that every single website that you've ever entered a username and password into is really secure and has never been broken into, you're probably at the wrong conference here.

So now I like to have a disclaimer before my talk, just so you notice and can walk out early if you want to, but I'm a student and I crack passwords in a research-type setting. So we're not really getting hard drives and, like, encrypted files and having to crack them; instead we're going ahead and cracking these big old password lists here. So some of the tools that we use may be a little bit different than what you would use in real life, but hopefully the techniques are fairly similar. Also, I'll freely admit I've been wrong about many things before; I'll probably be wrong about lots of stuff in the future, so I certainly don't claim to know everything there is about password cracking. In fact, quite a bit of what we've been doing, I feel, has been reinventing the wheel, because password cracking is something that has been out there for a long time, but it's not really well documented, so we've had to kind of rediscover a lot of it ourselves. And actually that's kind of the goal of this talk here: if you are just setting up your own forensic shop, or you're a system administrator, the last system admin left and didn't, you know, pass down all the passwords, and now your boss is telling you you need to go and crack these passwords, what do you do? Because a lot of stuff online pretty much says, like, run John the Ripper or, you know, Cain and Abel, and leaves it at that, or maybe gives you like a CISSP overview of how to crack passwords, but trying to actually apply that in real life is a lot different, I found. So really all this talk is, is if you're put in that position, how can you maximize the chances of you cracking that password.

So since I do tend to kind of wander a bit, I figured I might at least give you an overview of what we're going to be talking about. At the very beginning we're going to start real quick with just some password cracking basics, just so everyone here who wandered in is kind of on the same level, and also kind of tell what we've been focusing on as far as our research goes. Then we're going to talk about input dictionaries, word lists: a little bit about where to get them, but more about how to generate them yourselves, or at least how we work to try and generate them, because a lot of the word lists online leave a little bit to be desired. And then we're going to talk about word mangling rules, how you go ahead and pick them, a little bit of advanced John the Ripper, and then finally some of our research that we've been doing on trying to automatically generate word mangling rules, because doing that by hand is a real pain. Also, because this is a 50 minute talk, and that's probably the worst way to have information about technical stuff in the world, please, my email address is here, it's on the slides on your CD; if you have any questions go ahead and let me know. Also I'll be available in the Q&A room afterwards; please show up, grill me, we can geek out about word lists and stuff like that. But it's really important for me that this research actually has some application in the real world. I don't want to just go ahead and write papers that don't really apply to anything, so at the end of the day if no one's actually using this information, or it's not worthwhile, I'll go ahead and try to research something else. So please get in touch with me if you think what I'm doing is wrong or you think these tools are crap; please let me know, as long as you can tell me maybe a better way, or some way to improve that crap there. And if you have some good ideas you want me to look at, I mean, we're research students, we're always looking for more stuff to work on, so you're not bugging me if you go ahead and contact me. Also, you might want to copy down that URL at the
bottom there, because that's not on the slides. All the tools, all the scripts and stuff like that we're providing online. Unfortunately our main website, which is on the CD, is currently down right now because our system admin took it down to make sure it's all patched up and stuff like that; he said that some people were banging away on that, so I mean that's my fault, and now I learned that before you give a talk at DefCon you might want to give more than two weeks' notice to your system admin. So I apologize for that, but I threw it up on Google Pages, so it's just reusablesec.googlepages.com, and you can download all the tools and scripts there.

So real quick about password cracking; don't worry, this is not going to be a CISSP prep course. There's really two types of password cracking that people think about: online and offline. Online we really don't care about too much. This is what, you know, people were trying to do to our website a couple days ago: the site's online, or the computers are online, and you're just going to try different username and password combinations against a site that's currently operating. And the research that we've been doing really doesn't apply to it that much, because with online password cracking, first of all, it's generally very slow, so you're very limited by the number of guesses you can make, and it's noisy, so if the system admin actually looks at the logs, which, you know, happens every once in a while, it really shows up. But more importantly, you're often limited by the number of guesses you can make before the system locks you out; so, you know, you try four passwords, if you get it wrong then you're locked out of the system. So what we're really focusing on is offline password cracking. This is the computer forensics case: you obtained the warrant, you broke down the door, you seized the hard drive, you get back to your shop and all of a sudden you realize, well, this hard drive is encrypted, or there's encrypted files on here, how do we go about breaking these? And when you get into that situation you're really only limited by the amount of time you can spend trying to crack these passwords and the amount of computing power you can throw at the problem.

So I'll be talking about password hashes a lot, and it really just comes down to this: hopefully your computer, your bank, the website doesn't store passwords in plain text, because then there's no need for password cracking; someone breaks into the site, they see all the passwords, they're done, they can have a beer. So most sites go ahead and store the password with a one-way cryptographic function that just mangles the password so you can't figure out what it is very easily. So let's say a user goes ahead and creates the password "defcon". The computer will not save the word "defcon" on the computer, hopefully, in theory anyway; there's a couple of talks about this later where it sometimes does. But instead the computer will hash the password, so the MD5 hash of "defcon" is that long string there, and to log in, though, it stores that hash instead of the actual password. So when you log in, you type "defcon" in again, the computer hashes that password and it compares it to what it has stored on the computer; if those two hashes match, it goes and logs you in. Cracking passwords is very similar, you just make a whole lot more guesses: so you make a guess, you hash your guess, you compare it to the hash that's on your hard drive, and if those two hashes match you've cracked the password. So really the question is how do you go about making those guesses intelligently, because hashing those guesses takes a lot of time sometimes.

So there's really two main ways that you go about trying to crack a password. The first one, which we're going to spend most of our time on, is a dictionary attack. So you take words from an input dictionary that contains words that you think someone might want to use to create their password, and you mangle them in a way that people normally do when they create passwords. So your input dictionary might have "password"; you try that, and if that doesn't work you try "password11", or, you know, capitalize the P and replace the a. And this is what people normally think about when you talk about password cracking. Now when we crack these lists here, we hit what we kind of call a brick wall after a certain point. Initially, when we start cracking passwords, we're doing really well, because we're cracking lists of, you know, a couple thousand passwords, so initially we'll crack a couple hundred, and then we'll go down to cracking maybe ten an hour, and then one an hour, and then one a day, and then it gets to the point where we're cracking maybe one a week, and we're like, why are we doing this? We've got to move on to the next list. And we call that kind of a brick wall because you go a long, long period of time, it's like hitting a brick wall, where you're not cracking any passwords and it seems like you're kind of spinning your wheels. And when you're doing a dictionary-based attack it's really frustrating because you've got to figure out why you're not cracking those passwords, and you don't know until you actually crack the password why it was. So it could be you're not trying the right dictionary words, so your dictionary could be poor, it doesn't have the word in it, doesn't have "defcon" in it, so you're not trying that; or you might not be trying the right word mangling rule, so the person might have capitalized the first letter, replaced the a with an @ symbol and added 11 to the end of it, and you're just not trying that as your word mangling rule. It's really hard to figure out, when you're trying to crack these passwords, do I try more dictionaries, do I throw more dictionary words at the problem, or do I try more advanced word mangling rules on the dictionaries
I'm currently using? Because it's a real trade-off: you're always limited by the amount of time, the amount of guesses, that you can make. So the bigger your dictionary, the fewer word mangling rules you can apply to that dictionary, and vice versa: the more word mangling rules you do, the smaller the dictionary that you have to apply those word mangling rules to. So it's a real trade-off. And then there's brute force, where you kind of go, screw it, we're just going to try every single possible combination. And don't let anyone tell you anything differently: brute force is wonderful. I love brute force, if you can do it. The problem is, this is password cracking on a budget, and generally brute force is not an option for longer passwords. But if there's no password creation policy, it still helps you get a lot of passwords that you normally wouldn't get with a dictionary-based attack. So here's some examples of some real passwords that were cracked with brute force. Like "vptp": that's not going to be in my dictionary, it's not a real dictionary word, I have no idea how they picked it, but since it's really short it's easy to crack with brute force. Another one, "wfX8zj": once again I'm not going to crack it with a dictionary-based attack, and luckily they didn't make it one more character longer, because if they did I wouldn't have been able to crack it with brute force, but since it was only six characters long I was able to crack it. You know, "00k00": so that's kind of just a little something that they can remember; once again it's very resistant to dictionary attacks. And the final one that kind of annoys me is "wii", for Nintendo Wii I think, and this kind of points out that the dictionaries are only as good as when they were made. So most dictionaries are fairly old; if you're looking to crack someone whose favorite band is MC Hammer, you're golden, but if they like Linkin Park, even though they're old too, you're probably not going to find it. So I mean anything recent, it's very hard to keep these dictionaries up to date.

So I want to run a few demos, just so I can have stuff break in front of, you know, a couple hundred people. I guess the real question is, how well can I do if I just do the script kiddie type thing: I go online, I download John the Ripper, I download a couple of these word lists and just run them? Because that's an honest question, because if you can do really well with that then you can just walk out and go to a different talk; you don't have to listen to me talking here. So if you'll excuse me, I'll be kind of lame and just copy and paste these commands so I don't fat-finger them. And what I'm going to do is I'm just going to go ahead and run John the Ripper with its default rule set, and we're going to crack half the MySpace password list. So a long time ago, one of the more famous disclosed password lists was when someone set up a phishing site at MySpace and managed to grab about 60,000 MySpace usernames and passwords, so I think we feel that these passwords are very representative of what normal people would do when they create a password if there's no strong password creation policy. Also, yes, we split these password lists up into different parts whenever we get a plaintext password list, mainly because it's really easy to create password cracking rules if you know all the passwords beforehand. So this way we'll have a training set and a test set, so we don't look at the test set at all, but we do look at the training set to try to figure out how people create passwords, and then we go ahead and try to make rules and practice on the test set. If the passwords are hashed when we grab them, the whole thing is a test set, because we have to break them in the first place. Also, just so you know, these passwords are not hashed, so I'm just running that standard and just seeing how many of them we cracked with John the Ripper's rule set. The reason for that is that this is a 50-minute talk, and it'd be really boring just to watch this crunch numbers here. If this was hashed with, let's say, MD5, this test here would take about an hour, so that's most of the talk; we could have looked at it and it would have been pretty boring. If this had been hashed with a stronger hash, like Linux or UNIX's MD5-crypt, which does a hundred, I'm sorry, a thousand MD5 hashes, we'd have to definitely extend this talk time a little bit. So just to give you an idea: an hour if this was a very basic hash, a thousand hours to run this test here if this was a stronger hash.

And we used just the basic words-english text dictionary, which is one that you find on all the different password cracking websites, and it ran there and we managed to crack 3.2 percent of all the passwords. So yeah, I mean, if you're only trying to crack one or two that'd be great, but if you want to tell your boss, hey, we're setting up a forensic shop here and we have a 3.2 percent chance of cracking these passwords, that's probably not going to cut it very well. So the next question is, could we just be using a bad word list here? Or actually, you always hear about people always using the same common passwords, so why don't we go ahead and use a word list of just common passwords. This, once again, is just downloaded off the web; it's like the 816 most common passwords. It ran really quick, only 41,000 guesses versus the 10 million guesses from the previous one, and we cracked 1.71 percent of the passwords. So once again, well, that's actually pretty nice, it's very few guesses, but still you're not cracking double digits here. So let's go ahead and use a bigger dictionary, and this dictionary's description is "a big dictionary", this is dic-0294, and it's going to take a couple of seconds here. And this is actually, just so you know, one of the few good big dictionaries that I've had experience with, and I'll complain about big dictionaries a little bit more later. But here, oh, there we go, and finally we're cracking double digits, okay. So I mean it took much
longer there, it took 37 million guesses, but we did manage to crack 19% of the passwords, so this is actually starting to get a little bit semi-respectable here. And finally, we're going to talk a little bit about custom dictionaries in a little bit here, so I might as well go ahead and try one of these real quick just to show you. So this is a custom dictionary, it's actually based off of Wiktionary, and Wiktionary is a sister project to Wikipedia; it's an open source dictionary, and they actually provide them in a whole bunch of different languages, which is really nice. So this is actually running off the English dictionary off of Wikipedia that we did, and it generated much fewer guesses than the big dictionary: this only generated about 3 million guesses compared to the, you know, 31 million guesses of the big dictionary here, so about 10%, but we still managed to crack 12% of the passwords. So using custom dictionaries can definitely help you, especially if the hash is really strong. Cool, nothing blew up, okay. And just in case that wouldn't work there, you can see a graphical representation: the top one is the number of guesses and the bottom one is the number of passwords cracked there, so you can see just how well they did.

So the first thing I guess we should talk about, though, is word lists, you know, how important is a word list to your password cracking? And as you can see from the previous demo, it actually is extremely important. Unfortunately, it's also boring as hell, I'll freely admit that. If you're not doing password cracking currently, or you don't enjoy, you know, organizing your sock drawer, this is probably not going to be the most interesting thing in the world. There's probably actually a big overlap between password crackers and people who do like organizing a sock drawer, actually. But I'll just hit the high points, and once again, if you want me to afterwards, things like that, we can geek out about word lists. There's a lot of places to find word lists online; in fact most of them have the exact same word lists, so they all steal from each other and try to talk about them being the ultimate word list site. The first one I really want to point out is the openwall.com FTP site; it's for John the Ripper. If you go to their website, normally they don't really advertise all of their word lists, because they want you to spend money and buy their actual big word list, which, I don't blame them, I love capitalism, but if you go to their FTP site you can download a bunch of word lists from them. The other two sites below that are just general word list sites. One site that I kind of make fun of a little bit, please don't hack me if you're in this audience, is theargon.com, and they have the ultimate gigantic word list; they say it's two gigabytes, x-large, and everyone says, oh, it's gotta be good, two gigabytes of words. And that actually has to be one of the worst word lists I've ever played with. First of all, it's so large you can't do any word mangling rules on it, it takes forever to run, and there's just so many duplicates, so much junk in it, that it really doesn't crack passwords very well. Now, the one password I managed to crack with it that impressed me when I ran it one time was one guy who decided for his password to use an HTML markup tag, which I have to admit is a really good password, because there's all the symbols, uppercase, lowercase and all that, and I wonder what he does for a living. But that was just in one of the web pages they sucked down; it had the exact same HTML markup tag, so that was able to crack that. The last thing I just want to point out: if you go on BitTorrent you can find the Xploitz Master Password Collection. It has a ton of different word lists on it, but it also has what look like passwords on it too; I don't know if they actually are passwords or not, which is why I can talk about it, but it's really good if you're just starting to try to do your own password cracking research. You can go ahead and log on to that and try your tools against the things on that as well, and you don't have email addresses or anything like that, so I don't feel bad about this; it's just random passwords.

So with these word lists here, there's a lot of stuff that you need to be really kind of anal retentive about when you're dealing with them in order to really help you out later, and every single time I try to cut corners with this I've gotten seriously burned. Just things you need to think about when you're managing your word lists are: you want to avoid duplicate words. It seems pretty simple, but it's actually a pain in the butt sometimes, especially when you have multiple word lists that you're trying and you can't remember which one you did previously and stuff like that, but duplicate words equal wasted work; you made those guesses before. You also gotta ask yourself, how are those words terminated? Are they terminated by a tab, a space, a newline, a carriage return? That's really important; most password crackers are fairly smart about dealing with that, but if you're writing any custom scripts that can really bite you in the butt, which I found out myself. Standardize capitalization. How many artifacts are in the word list, how many HTML tags are there, you know, how many timestamps and junk that just show up there when you try to create the word list, because you're not going to go ahead and copy and paste all these word lists by hand. And then finally, is the word length important? And this is not really for, you know, the hash that you're doing, because most password crackers are fairly smart about that, but more for long lines, if you want to do case mangling, because if you have a really long word and you want to try every single possible case mangling on it, you're going to spend all day on that one word just trying to case mangle it. So you might want to truncate it if you're doing serious case mangling. Now, as I said, the word lists you find online leave a lot to be desired, so the first thing you probably might want to do
is, if you're a forensics investigator, you have the hard drive in front of you and you're just trying to crack individual files on the hard drive, is to try to see if you can find a password anywhere else on that hard drive. And for that type of research I really want to point you to David Smith at Georgetown University; he's doing some really good work and he's doing some really good tools for parsing that hard drive, grabbing out potential passwords to try them. Next thing: create word lists by hand. It's a pain, but in some cases it can be really effective. Probably the best success I've had is swear words in different foreign languages, because people using swear words in their password is pretty much an international type thing. So I've gone to a bunch of different sites, you know, swear words, Finnish swear words, German and stuff like that; it led me to some interesting sites too, but yes, those custom word lists really work quite well. Now if you want to go ahead and script this, on your BackTrack CD there's a wyd.pl Perl script that you can use as well, that works a lot better than wget because it'll actually parse out some of the junk as well. It's not perfect, but it's better than doing it by hand sometimes, especially if you're grabbing lots of different word lists.

Now we created some custom word list generation as well. As I mentioned earlier, Wiktionary: a lot of the foreign language word lists were really, really, really poor, they didn't have much in them, the characters were messed up in them and so on, and I wanted to go ahead and crack passwords in foreign languages, because, like, Finnish and Swedish, all those Norwegians really seem to like disclosing passwords. So I looked at Wiktionary, and I was like, I don't want to do that by hand, so I created a program called wikigrabber that will go online; you can specify what language you want, it'll go ahead and download it, and since we're doing some passphrase research as well, you can actually specify if you want to only grab nouns or only grab verbs or adverbs, and it actually makes pretty good word lists. The next step, of course, we were thinking as well, if we're already doing this for Wiktionary, why don't we create something for Wikipedia, so we can create customized word lists based upon someone's interests. So, you know, if they're a hacker we might do, you know, hacking, beer, vodka, and Vegas, and just grab the Wikipedia pages for that. That actually still needs quite a bit of work, because I didn't realize it before I started working on this, but trying to find the right words on Wikipedia is actually fairly difficult. So if you do beer, for example, you'll find a lot of information about the fermenting of beer, the history of beer and so on, but you're not going to actually find beer names like Amstel Light or Boddingtons; for that you'd actually have to go to the individual country's beer list, and that's actually not linked off the main Wikipedia page for beer. So there's still a lot of work to be done to make that a little bit easier, but that's also on the CD and on our website.

Now the next thing we wanted was this: we've got a whole bunch of cracked passwords already, and if someone used a word in their password before, the chances of someone else using that word are very high, so we wanted to go ahead and parse our cracked password lists and try to make customized dictionaries to crack more passwords, and that actually works extremely well. So the first thing we did was we went ahead and extracted the alpha characters from a password and used those as a word, and you can make certain judgments there, so if you have an @ symbol between two letters you can probably change that to an A and so on; you just rip out special characters and so on. And, as I said, we've had extremely good success with that, but we were a little bit worried that we're just missing words, that there's mangling rules there that we don't know about, because when you're dealing with, you know, tens of thousands of passwords in a list, you're not going to look at each one individually. So we wanted to go ahead and just try to see if we can parse out the low-hanging fruit and look at the remaining ones and try to figure out how they were created. And the tool that we went ahead and decided to use is edit distance of passwords. So you're all probably actually familiar with edit distance, even if you haven't really dealt with that term, because it's used in all the different spell checkers out there. So, you know, you type "teh" instead of "the", and it realizes, okay, you might have switched the H and the E, because that's a very close word there. Well, we thought, why can't we go ahead and use that with passwords as well, when analyzing these? So in a normal edit distance you have rules like delete, swap, transpose and insert, so to change "apple" to "apply" you would have an edit distance of one, because you only need to change the E to a Y, and then you can match the words based upon whichever has the closest edit distance. We decided to add a few more rules to it to simulate how people create passwords; so for example adding numbers to the end of a password is one edit, so "apple99" to "apple" has a distance of 1. And this actually worked really well. It had some minuses and pluses, but I'm pretty happy with it actually. It does produce false negatives sometimes; it'll say, you know, this word was created from this one, but it actually wasn't, but if the word mangling rules make it so... And also initially I thought this wasn't very good because it's only as good as the input dictionary. So if your input dictionary sucks, well, basically what you do is you have your password list, you have an input dictionary you give it, and it tries to figure out which rules, which passwords in the password list, match up with which words in your input dictionary, so if your input
dictionary doesn't have the word it's not going to match up so and initially that was kind of bad saying so we we're trying to do like best-of-breed so we defeated a bunch of different dictionaries and try to create one so a good diction that's really edit towards it but what we found out later was it's actually extremely good though for evaluating dictionaries because it's nice to be I'll say this dictionary socks are blows it's much nicer in an academic setting to be I'll say dis dictionary sucks and blows because so this actually helps us out quite a bit and also it goes back to where when I was talking about that he in the brick wall whether the problem is you're not trying to write work on enough words in your word list or whether you should try more Ward mangling rules this actually gives us an idea of what is the theoretical maximum number of passwords we could crack with this word list here and so if we try every single word manually rule we can think of to crack this password list here was this dictionary we're only going to crack this many so like the really big dictionary can only crack and will crack about 50% of the passwords if you try every single word manually rule you can sync of so that's kind of the top bar there the words out English dictionary can crack only 10% of them even though it has you know 200,000 words in it so that's why we can say this one is not very good a common password one you can crack about 5.3 percent of all passwords guess what's 816 words and the Wiktionary one you can crack 32 percent with 68,000 words and really the reason why this is good is when you're never going to hit that limit really because there's always these crazy word banging rules that you still have a chance to the youth but we start getting close to that you can realize okay I probably cracked all the passwords I'm gonna crack was this a dictionary here maybe I need to switch to another dictionary to try this or may go to brute force so that really helps 
kind of eliminate the guessing on what you need to do, whether you need to add more words to the problem or whether you need to add more word mangling rules. Okay, I'm actually going to kick off the next demo here real quick and then we'll come back to it later when I've had a chance to explain it, so hopefully it doesn't crash in the meantime. But this is actually going to be our customized wordlist, or word mangling rule, creator. So the next thing we're going to talk about is word mangling rules. This is what everyone really thinks about when it comes to password cracking: how do you go ahead and mangle these passwords here to recreate what an end user is actually doing? And I'd say the one thing that's really surprised me when I started doing this is how limited most password crackers were when it comes to word mangling rules. And I think the reason for that is that LAN Manager hashes, the old Windows hash, really spoiled us, because old LAN Manager hashes capitalized everything, so you don't have to worry about case mangling at all, and also they're seven characters maximum, so it became pretty easy to brute force them after a while. So I think we kind of sat on our, uh, you know, rear ends there for quite a while with a lot of password crackers. So it makes password crackers look really good when in fact they're not really doing that much advanced stuff. And one thing I found, I mean it's very easy to crack passwords... not easy, but it's fairly straightforward to crack passwords that have only one simple word mangling rule applied to them that everyone uses. So like 80%, it's like 80-something percent of all people in these lists that we've been seeing here use two numbers at the very end of their password when they create passwords. I think that's right, now you might want to double check me on that one, that's why I love slides, I need to have this stuff. But a lot of them do anyway, so that would be one great word mangling rule, really easy. But when you start
combining word mangling rules it gets actually very difficult. So this password here, 'password12' with a capital P, a capital W and an @ symbol, that is an extremely strong password. I mean 'password' is going to be in every single person's input dictionary, so that's not a problem, but even though, doing that word mangling rule where he capitalized the first letter, he capitalized the fifth letter, you add two numbers to the end and he changed the a to an @ symbol, putting all those word mangling rules together, it's very unlikely that you're actually going to go ahead and be able to crack that password there. So that's an extremely strong password even though we can all see how easy it is to make. Also if they use a non-standard rule, even one non-standard rule, the chances of you cracking it are very small. So like 'password' with just a 7 between the p and the a: since not many people go ahead and use that as a word mangling rule, I'd be really surprised and kind of impressed if someone cracked that without resorting to brute force. The chances are very low even though it seems like a really simple password. So if you're creating your password as a defender, I highly recommend just don't stick with the pack, try something even a little bit different, and chances are you'll make a password fairly secure. Now one question I get when I talk to people here is, should I use Cain and Abel or John the Ripper, because these are the two major free password crackers out there. And I love Cain and Abel, I have to say, because they put a lot of work into it, it integrates a lot of different things into it, you got your ARP poisoning, your sniffing and everything else, so it's a wonderful program, so I hate to trash it. But really, if you're cracking passwords seriously, you need to be using John the Ripper, if it supports the hash that you're trying to crack. And the reason for that's pretty simple: Cain and Abel doesn't have very many word mangling rules at all, in fact it's extremely trivial. It does, say, you know,
adding two numbers to the end of a password, and case mangling, and it doesn't combine those. So if you have a password with, you know, 'password1' with a capital P, Cain and Abel is not going to crack that because it doesn't try capital letters and numbers at the same time. So I mean Cain and Abel is fun to learn how to crack passwords on, but if you're cracking passwords seriously you don't want to be using it. John the Ripper, on the other hand, is configured via a config file, so you can go ahead and you can get really crazy with all the different word mangling rules you can think of. And in fact, even if John the Ripper doesn't support whatever word mangling rule you want to use, you can always just create a custom script and pipe those guesses directly into John the Ripper since it's command line, which is really nice as well. So you can do pretty much any type of word mangling rule that you want to. Now when you download John the Ripper, first of all the first complaint you'll hear is it doesn't support the type of hash. And the answer to that is it probably does: someone's written a patch for it, so go ahead, find it, download it, install it, and it actually will support more hashes than Cain and Abel does, but you need to go ahead and find those patches, and actually most of them are on the John the Ripper website. Also I'd recommend against using the default John the Ripper config file. It's not actually bad, but you can do a lot better. Now one thing that kind of annoyed me, or surprised me, is even though this is probably the most popular password cracker out there, I have yet to find somebody else's John the Ripper config file that they posted online. People just don't like sharing that information for whatever reason, so it's been kind of hard to tell what other people are doing. So to try to solve that a little bit there, I included a couple of our sample John the Ripper config files on the CD, so that way at least you can look at what we're doing and go, 'oh noes, you're doing it horribly', but
at least now you have some examples of what some other people are doing. Also the John the Ripper config file is kind of intimidating, a little bit of a pain, and it surprises me because I'll be talking to somebody who knows like three different scripting languages and a bunch of different programming languages and they'll be like, 'oh, that John the Ripper config file, I can't figure that out.' I was like, what, it's not that hard, but it just intimidates people a lot. But I mean there's a rules readme file there, I highly recommend reading it, I have it open all the time when I'm modifying it because I forget how they do it. But I highly recommend, if you're going to be doing serious password cracking, you really need to take time to learn that. But because I'm kind of tired of everyone whining about that every single time I mention John the Ripper, I went ahead and I created a custom John the Ripper config file generator. It's menu-driven, as long as you don't mind text. Oh, and it didn't make it to the CD, I'm sorry, it's very... the link to it, but once I update my website it will get up there, and it's on the download one right now, reusablesec.googlepages.com I suppose, sure, but it's at the top there, I'm sorry. But not only would this allow you to go ahead and create custom config files and stuff like that, but I spent... a couple different things that I wanted as well, in this kind of a feature creep. First of all you can save all of your settings that you have here so you don't have to retype them in every single time. You can go ahead and add specialized password creation policies to this, so that way you don't have to modify all of your config rules every time you want to try a different site. So you can specify: I want the password to be at least eight characters long, have two numbers, two special characters and so on. Also I've made it so it's very easy to change the character set as well that it uses, so that way you can switch between different languages as well, since it
seems like all the password crackers out there focus on English, and I kind of wanted to help a little bit there, so that makes things a little bit easier. Now as I said before, brute force is a wonderful, wonderful thing to use, but usually you don't have the option to brute force the entire key space. So there is kind of a halfway thing where it's called targeted brute force, where you try to brute force just the format of the passwords, so that way if your dictionary is poor you can still maybe crack the password. For example you might want to brute force, you know, six characters followed by two numbers, and that speeds things up a lot, so even though you're brute forcing all the characters and numbers, you're only trying characters in one spot and numbers in another spot, so it actually narrows down the key space quite a bit. Now you can do that directly in John the Ripper, it's a bit of a hack. On the CD there's some additional slides on how to do that, and I included a sample brute force config file on the CD as well. But in reality if you really want to get fancy with this, I highly recommend just writing a custom, you know, Perl script or something and piping it into John the Ripper, and that way you can get really fancy too and start adding Markov rules and things like that to really try to help speed up brute force. Okay, now with word mangling rules though, we quickly found out that it really is a pain to specify them, because the first couple of word mangling rules are fairly easy, but as you get into more and more, like less probable, word mangling rules, first of all they take a long time to run, because, yeah, if you add like two numbers to the end of a word you're trying a hundred guesses; if you try four numbers on the end of a word you're trying 10,000 guesses per word in your input dictionary. So you want to kind of narrow it down quite a bit, and you end up with a couple hundred different word mangling rules, and editing and managing them is a real pain. So this idea was actually
Professor Sudhir's idea originally, and it actually really works out pretty well, and that is: why don't we, that's why we create computers, why we have them, go ahead and, you know, analyze password lists, try to figure out how passwords were created, and create custom word mangling rules based upon that. So the actual name of it is 'probabilistic context-free grammar word mangling rules', so you can tell what we're writing a paper on right now. But in theory all it does is it tries to figure out how passwords are created and it assigns a probability to that word mangling rule, and it also assigns probabilities to every single number, every single special character, you know, capitalization and everything else along those lines that it finds in the password list. So it'll say, you know, '1' is much more commonly used than '7', and, you know, '99' is much more common to be used than '11'. And really what it does then is it tries to generate the most probable passwords first. So right now we have a fairly basic way, and the one that's on the CD here, of figuring out what the word mangling rule is. So for like 'password11' it would say, you know, upcase the first letter, have seven lowercase letters and then two numbers. And there's definitely stuff we're looking into adding, you know, for like, it's a pretty easy add-on to this, you know, replace an a with an @ symbol and stuff like that as well. What it does is the word structure has a probability, the structure of, you know, numbers has a probability, and you can actually even assign probability to input dictionaries. So you can say this is a really, you know, common password list so I want to try a lot of word mangling rules on this, but this is a much bigger input dictionary, I only want to try, you know, eventually, some of the more common word mangling rules on it. And it'll go ahead and it'll spit out the guesses in order for you, so it might try, you know, like 'password12' and 'password!' before it tries 'password13', so that way it really specifies all these different
word mangling rules really well for us. Now our current implementation makes guesses and outputs them to standard out, so that way we can go ahead and pipe this into any other, you know, password cracking program, so we don't have to worry about hashes and keeping track of which passwords I've already managed and so on, because I'm lazy and I don't want to have to code all that. So right now in most of our tests we actually go ahead and take standard out and put it into John the Ripper and use John the Ripper just to go ahead and do all the password hashing. Now I'll admit this structure does have some overhead, that's why I didn't just run it immediately, but the overhead is actually fairly low compared to a strong hash or even a semi-weak hash, so we have used this actually successfully in real life cases. So it's not, you know, you run it for a couple days and it takes, you know, ten times as long or so. And because, like, I have a graph, and I'll show you results in a little bit, and I'll talk about this graph here afterwards if you want to, but this graph here shows the number of passwords we cracked over time versus John the Ripper. So initially, with the very high probability rules, we do pretty much the same, in some cases actually John the Ripper does slightly better, but after a certain point ours starts to do much, much better. And unlike John the Ripper, where you have a set number of word mangling rules and then it's done, ours has, it gets millions of word mangling rules. They're very small, but they're still, you know, millions upon millions of word mangling rules. So if you let this run it'll just keep on going and going and going, and we don't actually have to specify all these different word mangling rules, which is really nice. So now we get to check to see if it's crashed or not. Oh cool, it looks like it actually worked here, first time for everything. Yep, so once again we trained this one on the training set of the MySpace list and we're trying to crack the test set. If you
want to see some graphs and stuff like this of us training on different password lists and then trying to crack other password lists, talk to me in the after-talk room and I've got some graphs and stuff like that, because we've definitely done this too. But like with John the Ripper with the English word list, it cracks 3.2 percent of the words; with our password cracking thing we cracked 5.6 percent of the words. With the common passwords, John the Ripper cracked 1.7 percent; using the same number of guesses we managed to crack 2.9 percent. So it's not perfect, but... and like the Wikipedia English one, John the Ripper cracked 12 percent, we cracked 21 percent. So in most cases that we found here, I mean it does much better than John the Ripper, and that's pretty much it. Oh yeah, here's just the graph so you can see, you know, the number of passwords cracked there versus John the Ripper. Oh, I don't actually have it in the slideshow that would explain it. So that's it though. If anyone has any questions feel free to ask now or talk to me in the after-talk room here. That's my email address; as I said, please email me if you have any ideas or anything like that. If you have any, you know, password lists you want us to crack, as long as they're legal, I'll definitely, we'll take a look at those as well. And that's it.
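The extended edit distance the speaker describes (standard edits plus "numbers appended to the end" counting as a single edit), used the way the talk uses it: to measure what fraction of a password list a given input dictionary could ever reach. This is an added example, not the speaker's code; the extra "undo" rules for trailing special characters and case, the cost model, and the sample list and dictionary are assumptions.

```python
import string

def osa_distance(a, b):
    """Optimal-string-alignment edit distance: insert, delete, substitute
    and adjacent transposition each cost one edit."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]

# Password-specific rules that "undo" one common mangling step for one edit.
# The talk names only appended numbers; the other two rules are assumptions.
UNMANGLE_RULES = (
    lambda s: s.rstrip(string.digits),       # numbers appended to the end
    lambda s: s.rstrip(string.punctuation),  # special characters appended
    lambda s: s.lower(),                     # all case changes, counted once
)

def unmangled_variants(password):
    """Map every string reachable from the password via the cheap rules to
    the number of rules applied (its cost)."""
    cost = {password: 0}
    frontier = [password]
    while frontier:
        s = frontier.pop()
        for rule in UNMANGLE_RULES:
            t = rule(s)
            if t != s and cost.get(t, float("inf")) > cost[s] + 1:
                cost[t] = cost[s] + 1
                frontier.append(t)
    return cost

def password_distance(password, word):
    """Edit distance from a dictionary word to a password under the extended
    rule set, e.g. apple99 -> apple is 1 edit rather than 2."""
    return min(c + osa_distance(base, word)
               for base, c in unmangled_variants(password).items())

def closest_word(password, dictionary):
    """(word, distance) for the dictionary word nearest to the password."""
    return min(((w, password_distance(password, w)) for w in dictionary),
               key=lambda pair: pair[1])

def dictionary_ceiling(passwords, dictionary, max_edits):
    """Fraction of the list within max_edits of some dictionary word: an upper
    bound on what any mangling of this dictionary could cover."""
    hits = sum(closest_word(p, dictionary)[1] <= max_edits for p in passwords)
    return hits / len(passwords)

if __name__ == "__main__":
    # Constructed sample list and dictionary, not real leaked data.
    sample = ["apple99", "Monkey1!", "letmein", "zxq9v", "Dragon2008"]
    words = ["apple", "monkey", "dragon", "letmein"]
    for p in sample:
        print(p, closest_word(p, words))
    print("ceiling:", dictionary_ceiling(sample, words, 3))
```

A password like "zxq9v" stays far from every word, which is exactly the remainder the speaker says you then examine by hand or hand off to brute force.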
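The basic probabilistic context-free grammar idea from the talk, trained on a password list and then used to score how probable a given password is under that grammar, which is the defender-side use (checking whether a policy still yields highly probable passwords). This is an added example, not the speaker's code or the tool on the CD; the constructed training list and dictionary, the case-insensitive letter handling, and the equal probability for dictionary words of the same length are assumptions.

```python
import re
from collections import Counter
from fractions import Fraction

# A base structure tags each run of the password by class and length:
# L = letters, D = digits, S = anything else, e.g. "password11" -> L8 D2.
SEGMENT_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")

def segments(password):
    """Split a password into (class, run) pairs."""
    out = []
    for m in SEGMENT_RE.finditer(password):
        run = m.group()
        kind = "L" if run.isalpha() else "D" if run.isdigit() else "S"
        out.append((kind, run))
    return out

def base_structure(password):
    return tuple(kind + str(len(run)) for kind, run in segments(password))

def train(training_passwords):
    """Count how often each structure, digit string and special string
    occurs in the training list. Letter runs are not learned here; the
    grammar fills them from an input dictionary at scoring time."""
    structures = Counter(base_structure(p) for p in training_passwords)
    terminals = Counter((kind, run) for p in training_passwords
                        for kind, run in segments(p) if kind != "L")
    return {"structures": structures, "terminals": terminals}

def probability(password, grammar, dictionary):
    """Probability the learned grammar assigns to one password, or 0 when
    the grammar cannot produce it (unseen structure, digit string or special
    string, or a letter run missing from the dictionary). Assumption: words
    of equal length share probability evenly and case is ignored."""
    structures, terminals = grammar["structures"], grammar["terminals"]
    structure = base_structure(password)
    if structure not in structures:
        return Fraction(0)
    p = Fraction(structures[structure], sum(structures.values()))
    words = {w.lower() for w in dictionary}
    per_length = Counter(len(w) for w in words)
    for kind, run in segments(password):
        if kind == "L":
            if run.lower() not in words:
                return Fraction(0)
            p *= Fraction(1, per_length[len(run)])
        else:
            same_class = sum(n for (k, t), n in terminals.items()
                             if k == kind and len(t) == len(run))
            p *= Fraction(terminals[(kind, run)], same_class)
    return p

if __name__ == "__main__":
    # Constructed training list and input dictionary, not real leaked data.
    training = ["password1", "monkey12", "dragon12", "iloveyou",
                "letmein1", "apple123", "orange99", "summer12"]
    words = ["monkey", "dragon", "orange", "summer", "banana", "tiger"]
    g = train(training)
    for pw in ["banana12", "banana99", "banana77", "tiger12"]:
        print(pw, base_structure(pw), probability(pw, g, words))
```

With this training list "banana12" scores three times higher than "banana99" because "12" was the more common two-digit string, while "banana77" scores 0: this basic version, like the one the speaker describes as basic, never generates a digit string it did not see in training.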
Info
Channel: Christiaan008
Views: 9,780
Rating: 4.8620691 out of 5
Keywords: cracking, password, lists
Id: 05JinhdvtRY
Length: 43min 10sec (2590 seconds)
Published: Thu Jan 20 2011