© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Custom Rules & Broken Tools

$ whoami /all
Will Hunt
• Associate Director @ NotSoSecure
• 9 years in InfoSec
• Pentester, formerly digital forensics, trainer of both
• @Stealthsploit / stealthsploit.com

What’s The Plan?
• hashcat custom rule efficiency
• Cracking length limitations

hashcat Custom Rule Efficiency

Dictionaries and Rules 101
Dictionary Rules
password password Password
letmein letmein password
security security P@ssword
monkey monkey passw0rd
123456 123456 Passw0rd
qwerty qwerty P@ssw0rd
password1
passw0rd1

hashcat Rules
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Roll Your Own
• Objective – try and create a more efficient rule
• Method – test existing rules against large data set and extract top performing individual rules
• Testbed – 2016 Lifeboat breach (Minecraft)
• 7 million unsalted MD5s – 4.3 million unique
• Outcome – “One rule to rule them all….”
• Validate – test custom rule against Lifeboat breach (and other) data
• Hope – I didn’t waste my time…

Let Cracking Commence
hashcat64.exe -m0 lifeboat_hashes rockyou.txt --status --status-timer=5
-w3 --debug-mode=1 --debug-file=stats-lifeboat-best64 --potfile-disable
-o lifeboat-best64 -r rules\best64.rule

The Stats

Success and Efficiency

The Anomalies
• High concurrency
• Different rules produced the same plain text value before the ‘:’ rule hit.
• E.g. Password is L3tme1n
• Dictionary contains l3tme1n
• If T0 rule hits before : rule… (T0 toggles case of first char)
• T0 gets the point, stealing it from :

Super Rule Creation
• Identify top 25% performing rules from each ruleset
• Concat & de-dupe
• Repeat the tests
• Custom rule cracked 2.72% (117,626) more passwords
• Not the most efficient
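
Added example (not from the slides): one way to do the tallying behind the steps above in Python. hashcat's --debug-mode=1 file records the rule that produced each crack, one per line; reading "top 25%" as the top quarter of distinct rules by hit count is an assumption, as are the function names and the constructed sample data.

```python
import math
from collections import Counter

# Constructed sample debug files (--debug-mode=1 writes the finding rule,
# one per line). Real files come from --debug-file=... runs per ruleset.
DEBUG_BEST64 = [":\n"] * 3 + ["T0\n"] * 2 + ["$1\n"] * 4 + ["c\n", "$ \n", "sa@\n", "r\n", "u\n"]
DEBUG_OTHER = ["c $1\n"] * 5 + ["$1\r\n"] * 3 + ["l\n", "d\n", "T0\n", "u\n", "r\n", "$2\n"]


def rule_hits(debug_lines):
    """Count the cracks credited to each rule.

    Credit goes to whichever rule hit first, so ':' can be under-counted
    (the anomaly described on the slides).
    """
    hits = Counter()
    for line in debug_lines:
        # Strip only the line ending: '$ ' (append a space) is a valid rule
        # and its trailing space must survive.
        rule = line.rstrip("\r\n")
        if rule:
            hits[rule] += 1
    return hits


def top_fraction(hits, fraction=0.25):
    """Return the best-performing fraction of distinct rules, most hits first."""
    keep = math.ceil(len(hits) * fraction)
    # Sort by hits descending, then by rule text so ties are deterministic.
    ranked = sorted(hits.items(), key=lambda item: (-item[1], item[0]))
    return [rule for rule, _ in ranked[:keep]]


def merge_rulesets(*rule_lists):
    """Concatenate rule lists and drop duplicates, keeping first-seen order."""
    seen, merged = set(), []
    for rules in rule_lists:
        for rule in rules:
            if rule not in seen:
                seen.add(rule)
                merged.append(rule)
    return merged


def build_custom_rule(*debug_files, fraction=0.25):
    """Top fraction of each ruleset's rules, concatenated and de-duplicated."""
    return merge_rulesets(*(top_fraction(rule_hits(f), fraction) for f in debug_files))


if __name__ == "__main__":
    for rule in build_custom_rule(DEBUG_BEST64, DEBUG_OTHER):
        print(rule)
```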

More Validation Against 2nd Place
Xsplit breach – 2013, 3m hashes, 2.2m unique, unsalted SHA-1
2.38% better (53,046)
Battlefield Heroes – 2011, 548k hashes, 423k unique, unsalted MD5
1.13% better (4,808)

#OneRuleToRuleThemAll?
• Nope.
• Several factors – time, hardware, money, dictionary quality
• Continual optimisation
• Increased cumulative average success
• https://www.notsosecure.com/one-rule-to-rule-them-all/
• https://github.com/NotSoSecure/password_cracking_rules

Cracking Length Limitations

Inspiration
• @mubix
• Password candidates are stored in GPU registers
• Not enough registers to store long candidates
• i.e. hash won’t crack even if plain text is in dictionary
• Potential to exceed limits but processing time doubles
• JtR and hashcat investigated

hashcat
• oclHashcat-plus v0.15 released in 2013 with support for increased lengths, generally from 15 to 55 with exceptions

hashcat
https://hashcat.net/wiki/doku.php?id=frequently_asked_questions
• Mode 0 – Straight (dictionary)
• Mode 1 – Combination
• Mode 6/7 – Hybrid Wordlist + Mask / Hybrid Mask + Wordlist

hashcat
• NTLM – based on UTF16-LE which uses 16 bits (2 bytes) per character
• Each character of pw is twice the length in bytes

NTLM – 27 Limit
Dictionary contains only the password
Password: NowThePwIsTwentyEightLetters

SHA512crypt – 16 Limit
Password: Weak SHA512crypt!

JtR
• --list=format-all-details --format=NT
• JtR takes input by default as UTF8
• Note max length in bytes

JtR
• 27 Unicode characters may need up to 81 bytes of UTF8 (up to 3 bytes per char)
• Not often encountered - Japanese, Chinese, Korean, random special chars etc

JtR
• Latest version of john jumbo has made things easier
• No longer shows length in bytes

MD5 – 55 Limit
• ☺

MD5 – 55 Limit
• ☹

SHA-384 – 111 Limit
• ☺

SHA-384 – 111 Limit
• ☹
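
Added example (not from the slides): a pre-flight check for a password audit, in Python, that lists the wordlist entries longer than the limits quoted in the slide titles, which is the case where a hash does not crack even though the plain text is in the dictionary. Counting the limit in characters, the Latin-1 fallback, the function names and the sample wordlist are assumptions.

```python
# Limits in characters, copied from the slide titles; other tools and
# versions may differ, so treat the table as an input, not a constant.
SLIDE_LIMITS = {"NTLM": 27, "SHA512crypt": 16, "MD5": 55, "SHA-384": 111}

# Constructed wordlist: the two passwords shown on the slides, 27 CJK
# characters, and a short control entry. Wordlists are read as raw bytes.
WORDLIST = [
    b"NowThePwIsTwentyEightLetters",
    b"Weak SHA512crypt!",
    ("\u5bc6" * 27).encode("utf-8"),
    b"letmein",
]


def measure(raw):
    """Return the character count and encoded sizes of one wordlist line."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Assumption: an entry that is not valid UTF-8 comes from a legacy
        # single-byte wordlist, so each byte is one character.
        text = raw.decode("latin-1")
    return {
        "text": text,
        "chars": len(text),
        "utf8_bytes": len(text.encode("utf-8")),         # JtR input encoding
        "utf16le_bytes": len(text.encode("utf-16-le")),  # what NTLM hashes
    }


def coverage_gaps(wordlist, limits=SLIDE_LIMITS):
    """Map each hash type to the candidates that exceed its length limit.

    These entries are in the dictionary but are not tested, so a
    "not cracked" result for them says nothing about password strength.
    """
    gaps = {name: [] for name in limits}
    for raw in wordlist:
        sizes = measure(raw)
        for name, limit in limits.items():
            if sizes["chars"] > limit:
                gaps[name].append(sizes["text"])
    return gaps


if __name__ == "__main__":
    for raw in WORDLIST:
        sizes = measure(raw)
        print(sizes["chars"], sizes["utf8_bytes"], sizes["utf16le_bytes"], sizes["text"])
    for name, missed in coverage_gaps(WORDLIST).items():
        print(name, "untested candidates:", len(missed))
```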

Length Increases
• John jumbo can be custom compiled
• http://www.openwall.com/lists/john-users/2017/05/05/1
• Non-SIMD build can get higher numbers
• hashcat has a modified version – doesn’t support NTLM
• https://github.com/hashcat/hashcat/tree/longer_passwords_and_salts
• Both will take significant performance hits

Cheat Sheet
• Cheat sheet for JtR supported hashes (Over 430 of them!)
• May differ from hashcat
• https://www.notsosecure.com/maximum-password-length-reached/
• And remember, no matter what others may tell you…

It’s All About The Length

Thank You
feedback/contact
training@notsosecure.com
