1. Sanjiv Kawa & Tom Porter
Crafting tailored wordlists with Wordsmith
BSides LV 2016
2. Formalities
Tom’s the guy with the beard
www.porterhau5.com
@porterhau5
Sanjiv’s the Canadian
www.popped.io
@skawasec
PSC – Proprietary and Confidential. All Rights Reserved. 2
3. What do you guys do?
• Penetration Testers at PSC - www.paysw.com
• PSC specializes in PCI assessments
• Our day-to-day activities consist of attacking large enterprise networks and searching for CHD (cardholder data)
4. What’s Wordsmith?
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists
5. Quick primer
• Authentication process
• Dictionary attacks
• 8 slides total!
6. For those who already know this
• We have something else you can do during the primer!
• First 10 people who tweet the correct answer will get some swag
• Or go and check out Wordsmith here: https://github.com/skahwah/wordsmith
7. Question
• What hash format is this? (hint: wpad)
8. Back to the primer
10. Primer (2/8): Password converted to hash
• On submit, convert the password into a hashed representation
11. Primer (3/8): Credentials sent to authentication server
12. Primer (4/8): Credentials validated
• Backend DB holds passwords for all users in a hashed state
• Check to see if hashes match:
    if userSuppliedCreds == userStoredCreds
        allow logon :)
    else
        deny logon :(
13. Primer (5/8): password == hash, right?
• How do we “convert” a hash back to a cleartext password?
• No direct way. However, we can do a dictionary attack.
14. Primer (6/8): What are dictionaries?
• Large lists containing common words
• Sometimes compiled from passwords obtained in breaches (LinkedIn, Yahoo, Adobe, AM, etc.)
• Dictionaries we use:
– Rockyou (free)
– Uniq (paid, but worth it)
– top10k (free)
– yahoo (free)
– linkedin (free)
15. Primer (7/8): Dictionary attacks
A couple of pre-requisites:
1. A solid dictionary (also known as a wordlist)
2. Need to know the hash type (md5, sha1, NTLM, NetNTLMv2, etc.)
3. A list of password hashes (typically exfiltrated in post-exploitation)
16. Primer (8/8): Conducting a dictionary attack
1. Guess: take the next word from the dictionary
    apple
    banana
    cherry
    …
2. Encrypt: $hash <- encrypt(apple)
    $hash : 5ebe7dfa074da8ee8aef1faa2bbde876
3. Compare: search for $hash in the obtained hash list:
    af5432a79b941528fa7fac9e7e391651
    5ebe7dfa074da8ee8aef1faa2bbde876   <- match
    8846f7eaee8fb117ad06bdd830b7586c
17. Primers done
• Let’s move on to Wordsmith
18. A quick re-cap on Wordsmith
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists
19. What kind of geo-location data is in a wordlist?
Landmarks
Sports teams
Cities, towns, etc
Streets/Roads
Zip codes
Area codes
Common names
Colleges
20. Why geo-location data?
• Saw more geo-location related passwords during engagements
• Thought it would be a cool project
• Improve overall password cracking efficacy
• Limit guess-encrypt-compare cycles
21. Where is all of this data coming from?
*Wikipedia, US Census and OpenStreetMap
23. Wordsmith files
• Initial git clone (~20 MB)
24. First run
• On first run, data.tar.gz is unpacked (1 second, 175 MB)
25. File structure and data lookup
• ./wordsmith/data/
• All lookups are done offline (speed & efficiency).
26. What does a wordlist look like?
• Word is kept in its original form (special characters included):
    Freemont St.
• You can also use the “-m” flag for basic mangling!
    Freemont St.
    Freemont St
    Freemont
    St.
    St
    FreemontSt.
    FreemontSt
• Sort & Uniq to remove all duplicate words
• downcase()
• Min character length
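A reconstruction of the basic “-m” mangling and the post-processing steps from this slide, as an added example (not Wordsmith's own code): the mangling rules are inferred from the Freemont St. output, and the input words are constructed.

```python
import re

def mangle(word: str) -> set:
    """Basic mangling as shown for "Freemont St." (assumption: rules inferred
    from the slide's output, not taken from Wordsmith's own code)."""
    no_punct = re.sub(r"[^\w\s]", "", word)          # "Freemont St"
    tokens = word.split()                              # ["Freemont", "St."]
    variants = {word, no_punct}
    for tok in tokens:                                 # each token on its own
        variants.add(tok)                              # "St."
        variants.add(re.sub(r"[^\w]", "", tok))        # "St"
    variants.add("".join(tokens))                      # "FreemontSt."
    variants.add("".join(no_punct.split()))            # "FreemontSt"
    return {v for v in variants if v}                  # drop empty strings

def build_wordlist(words, min_len: int = 1, downcase: bool = True, use_mangling: bool = True):
    """Post-processing from the slide: downcase(), minimum length, then sort & uniq.
    Returns the finished wordlist, one entry per line when written out."""
    out = set()
    for w in words:
        for v in (mangle(w) if use_mangling else {w}):
            v = v.lower() if downcase else v
            if len(v) >= min_len:
                out.add(v)
    return sorted(out)

# Constructed sample input: two raw place names as they would come out of the data files.
SAMPLE_WORDS = ["Freemont St.", "Las Vegas"]

if __name__ == "__main__":
    for entry in build_wordlist(SAMPLE_WORDS, min_len=3):
        print(entry)
```

With min_len=3 the two-character "st" is dropped while "st." survives, which is the kind of short token the minimum-length filter exists to remove.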
27. Demo time
29. Pre-requisites
• Hash cracking rig
• Get our hands on REAL NTLM hashes
– Massachusetts 404 hashes
– Wisconsin 2011 hashes
– New York 542 hashes
30. Hash cracking rig
• Software
– hashcat.net
• Hardware
– NVIDIA GRID K520
• 3617 MH/s – nothing too crazy, but it does the trick
– 1 MH/s is 1,000,000 hashes per second
• Build your own cracking rig: https://www.popped.io/2016/07/steps-to-create-aws-hash-cracking-rig.html
31. Test Cases
• Crack hashes for each U.S. State using common wordlists and rules
• Crack hashes for each U.S. State using a Wordsmith wordlist for the particular State
• ruby wordsmith.rb -s WI -a -m -o wi.txt

State           NTLM Hashes   Wordsmith Wordlist
Wisconsin       2011          112k
Massachusetts   404           82k
New York        542           158k
32. Input Parameters for Cracking Session
1. Guess - Wordlists:
   • Top10k (10k)
   • Rockyou (14.4m)
   • Wordsmith: WI, MA, NY
2. Encrypt - NTLM Hash (NT):
   • Based on MD4
   • Common on Active Directory domains
3. Compare - Hashes obtained from various clients:
   • Wisconsin-hashes.txt (2011 hashes)
   • Massachusetts-hashes.txt (404 hashes)
   • Newyork-hashes.txt (542 hashes)
Rule set:
• D3adhob0 (57.5k rules)
34. Wisconsin results
• 2011 NTLM Hashes

Wordlist                     Hashcat run time   Passwords recovered
Top10k (10k words)           2 secs             237 (12%)
Rockyou (14.4m words)        27 mins            1094 (54%)
Wisconsin.txt (112k words)   12 secs            229 (11%)
Total                                           77%
35. Massachusetts results
• 404 NTLM Hashes

Wordlist                        Hashcat run time   Passwords recovered
Top10k (10k words)              1 sec              52 (13%)
Rockyou (14.4m words)           24 mins            262 (65%)
Massachusetts.txt (82k words)   12 secs            56 (14%)
Total                                              92%
36. New York results
• 542 NTLM Hashes

Wordlist                   Hashcat run time   Passwords recovered
Top10k (10k words)         1 sec              0 (0%)
Rockyou (14.4m words)      26 mins            220 (41%)
Newyork.txt (158k words)   22 secs            59 (11%)
Total                                         52%
37. Conclusions
• Identifying proper nouns unique to location
• Time-CPU cycle tradeoff
• At least 11% of passwords recovered in < 20 seconds
38. Next Steps for Wordsmith
• Data!
– Team rosters, mascots, stadiums
– Famous people
– State symbols
– Motto, song, bird, flower, etc.
– Regional food, cuisine, agriculture
– (h/t Larry Pesce - @haxorthematrix)
• Design
– Modular
– Extend to provinces, territories, countries
– Integrate data lookup by coordinates
39. Suggestions?
• Important to maintain, expand, and improve
• Got any additional data sources or features?
• Pull requests, submit issues, comment, share: https://github.com/skahwah/wordsmith
40. Questions?
Tom’s the guy with the beard
www.porterhau5.com
@porterhau5
Sanjiv’s the Canadian
www.popped.io
@skawasec
https://github.com/skahwah/wordsmith