1. Custom Rules & Broken Tools
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
2. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Will Hunt
• Associate Director @ NotSoSecure
• 9 years in InfoSec
• Pentester, formerly digital forensics, trainer of both
• @Stealthsploit / stealthsploit.com
$ whoami /all
3. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• hashcat custom rule efficiency
• Cracking length limitations
What’s The Plan?
4. hashcat Custom Rule Efficiency
5. Dictionaries and Rules 101
Dictionary:          Rules (candidates generated from the word password):
password             Password
letmein              password
security             P@ssword
monkey               passw0rd
123456               Passw0rd
qwerty               P@ssw0rd
                     password1
                     passw0rd1
6. hashcat Rules
7. hashcat Rules
https://hashcat.net/wiki/doku.php?id=rule_based_attack
8. Roll Your Own
• Objective – try and create a more efficient rule
• Method – test existing rules against a large data set and extract the top performing individual rules
• Testbed – 2016 Lifeboat breach (Minecraft)
• 7 million unsalted MD5s – 4.3 million unique
• Outcome – “One rule to rule them all….”
• Validate – test the custom rule against the Lifeboat breach (and other) data
• Hope – I didn’t waste my time…
9. Let Cracking Commence
hashcat64.exe -m0 lifeboat_hashes rockyou.txt --status --status-timer=5
-w3 --debug-mode=1 --debug-file=stats-lifeboat-best64 --potfile-disable
-o lifeboat-best64 -r rules\best64.rule
11. The Stats
12. Success and Efficiency
13. The Anomalies
14. The Anomalies
• High concurrency
• Different rules produced the same plain text value before the ‘:’ rule hit
• E.g. the password is L3tme1n
• Dictionary contains l3tme1n
• If the T0 rule hits before the : rule… (T0 toggles the case of the first char)
• T0 gets the point, stealing it from :
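To make the rule functions and the scoring anomaly above concrete, here is an added example (my code, not NotSoSecure's or hashcat's): a small interpreter for a handful of hashcat rule functions, and a simulation of debug-file credit that assumes rules are evaluated in list order and only the first rule to produce a cracked plaintext is credited.

```python
# Added example (not from the NotSoSecure deck or hashcat): a subset of hashcat rule
# functions plus a simulation of debug-file credit going to the first rule that cracks.
import hashlib

def _apply_fn(fn: str, word: str) -> str:
    """Apply one rule function, written in hashcat syntax, to a word."""
    if fn == ":":
        return word                                 # no-op: try the word unchanged
    f, arg = fn[0], fn[1:]
    if f == "l": return word.lower()
    if f == "u": return word.upper()
    if f == "c": return word[:1].upper() + word[1:].lower()   # capitalise
    if f == "t": return word.swapcase()                       # toggle all
    if f == "T":                                    # TN: toggle case of char at N
        n = int(arg, 36)                            # hashcat positions are 0-9, A-Z
        if n >= len(word):
            return word
        return word[:n] + word[n].swapcase() + word[n + 1:]
    if f == "s": return word.replace(arg[0], arg[1])          # sXY: replace X with Y
    if f == "$": return word + arg                            # append
    if f == "^": return arg + word                            # prepend
    raise ValueError(f"unsupported rule function: {fn}")

def apply_rule(rule: str, word: str) -> str:
    """Apply a whole rule line (space-separated functions, left to right)."""
    for fn in rule.split():
        word = _apply_fn(fn, word)
    return word

# Rule lines that reproduce the candidates shown for "password" on the Dictionaries slide.
SLIDE_RULES = [":", "c", "c sa@", "so0", "c so0", "c sa@ so0", "$1", "so0 $1"]

def expand(dictionary, rules):
    """Every candidate a dictionary plus ruleset generates."""
    return {apply_rule(r, w) for r in rules for w in dictionary}

def md5_hex(s: str) -> str:
    """Hex MD5 of a candidate, matching the deck's -m0 (raw MD5) targets."""
    return hashlib.md5(s.encode()).hexdigest()

def crack_with_credit(md5_hashes, dictionary, rules):
    """Map cracked plaintext -> credited rule. Simplification: rules run in list order
    and the first rule to produce a matching plaintext keeps the point."""
    targets, credit = set(md5_hashes), {}
    for rule in rules:
        for word in dictionary:
            cand = apply_rule(rule, word)
            if md5_hex(cand) in targets and cand not in credit:
                credit[cand] = rule
    return credit
```

With the dictionary holding both l3tme1n and L3tme1n, the rule listed first (T0 or :) takes the credit for L3tme1n, which is why per-rule stats from one run overstate some rules and understate others.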
15. Super Rule Creation
• Identify the top 25% performing rules from each ruleset
• Concat & de-dupe
• Repeat the tests
• Custom rule cracked 2.72% (117,626) more passwords
• Not the most efficient
16. More Validation Against 2nd Place
Xsplit breach – 2013, 3m hashes, 2.2m unique, unsalted SHA-1
2.38% better (53,046)
Battlefield Heroes – 2011, 548k hashes, 423k unique, unsalted MD5
1.13% better (4,808)
17. #OneRuleToRuleThemAll?
• Nope.
• Several factors – time, hardware, money, dictionary quality
• Continual optimisation
• Increased cumulative average success
• https://www.notsosecure.com/one-rule-to-rule-them-all/
• https://github.com/NotSoSecure/password_cracking_rules
18. Cracking Length Limitations
19. Inspiration
• @mubix
• Password candidates are stored in GPU registers
• Not enough registers to store long candidates
• i.e. the hash won’t crack even if the plain text is in the dictionary
• Potential to exceed the limits, but processing time doubles
• JtR and hashcat investigated
20. hashcat
• oclHashcat-plus v0.15 released in 2013 with support for increased lengths, generally from 15 to 55 with exceptions
21. hashcat
https://hashcat.net/wiki/doku.php?id=frequently_asked_questions
• Mode 0 – Straight (dictionary)
• Mode 1 – Combination
• Mode 6/7 – Hybrid Wordlist + Mask / Hybrid Mask + Wordlist
22. hashcat
• NTLM – based on UTF-16LE, which uses 16 bits (2 bytes) per character
• Each character of the password therefore takes twice the length in bytes
23. NTLM – 27 Limit
Dictionary contains only the password
Password: NowThePwIsTwentyEightLetters
24. SHA512crypt – 16 Limit
Password: Weak SHA512crypt!
25. JtR
• --list=format-all-details --format=NT
• JtR takes input by default as UTF-8
• Note the max length in bytes
26. JtR
• 27 Unicode characters may need up to 81 bytes of UTF-8 (up to 3 bytes per char)
• Not often encountered – Japanese, Chinese, Korean, random special chars, etc.
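An added example (my code, not from the deck, JtR or hashcat) that audits a wordlist against the limits quoted on these slides and reports the byte lengths NTLM and JtR actually see; it assumes the NTLM limit counts UTF-16 code units and the other limits count UTF-8 bytes, and the sample wordlist is constructed.

```python
# Added example (not from the deck, JtR or hashcat): audit a wordlist against the
# per-format length limits quoted on the slides and report the byte length each tool
# sees. Assumption: NTLM's limit counts UTF-16 code units (the slides quote 27
# characters); the other limits count UTF-8 bytes, which is what JtR reads by default.

LIMITS = {"NTLM": 27, "sha512crypt": 16, "MD5": 55, "SHA-384": 111}  # from the slides

def utf8_bytes(pw: str) -> int:
    """Bytes of UTF-8: 1 per ASCII char, up to 3 for CJK and many specials."""
    return len(pw.encode("utf-8"))

def utf16le_bytes(pw: str) -> int:
    """Bytes NTLM actually hashes (UTF-16LE): 2 per BMP character."""
    return len(pw.encode("utf-16-le"))

def length_for(pw: str, fmt: str) -> int:
    """The length a cracker compares against the limit for this format (see assumption)."""
    return utf16le_bytes(pw) // 2 if fmt == "NTLM" else utf8_bytes(pw)

def within_limit(pw: str, fmt: str) -> bool:
    """True if the candidate will actually be tried for this format."""
    return length_for(pw, fmt) <= LIMITS[fmt]

def audit_wordlist(words, fmt):
    """Split a wordlist into candidates that get tested and ones silently skipped
    because they exceed the format's limit. Returns (tested, skipped)."""
    tested, skipped = [], []
    for w in words:
        (tested if within_limit(w, fmt) else skipped).append(w)
    return tested, skipped

# Constructed sample wordlist: the two plaintexts from the slides, a 27-character
# Japanese string (fits NTLM's 27 but needs 81 UTF-8 bytes) and a short control.
SAMPLE = ["NowThePwIsTwentyEightLetters", "Weak SHA512crypt!", "日本語" * 9, "correct horse"]
```

Running audit_wordlist over a real wordlist before a job tells you which entries the cracker will never test, so a miss on those entries says nothing about the password.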
27. JtR
• The latest version of john jumbo has made things easier
• No longer shows the length in bytes
28. MD5 – 55 Limit
29. MD5 – 55 Limit
30. SHA-384 – 111 Limit
31. SHA-384 – 111 Limit
32. Length Increases
• John jumbo can be custom compiled
• http://www.openwall.com/lists/john-users/2017/05/05/1
• A non-SIMD build can get higher numbers
• hashcat has a modified version – doesn’t support NTLM
• https://github.com/hashcat/hashcat/tree/longer_passwords_and_salts
• Both will take significant performance hits
33. Cheat Sheet
• Cheat sheet for JtR supported hashes (over 430 of them!)
• May differ from hashcat
• https://www.notsosecure.com/maximum-password-length-reached/
• And remember, no matter what others may tell you…
34. It’s All About The Length
35. Thank You
feedback/contact
training@notsosecure.com