Sanjiv Kawa & Tom Porter
Crafting tailored wordlists with Wordsmith
BSides LV 2016
A copy of our PowerPoint presentation from BSides LV 2016

Slide 1: Title
Sanjiv Kawa & Tom Porter
Crafting tailored wordlists with Wordsmith
BSides LV 2016

Slide 2: Formalities
Tom’s the guy with the beard
www.porterhau5.com
@porterhau5
Sanjiv’s the Canadian
www.popped.io
@skawasec
PSC – Proprietary and Confidential. All Rights Reserved.

Slide 3: What do you guys do?
• Penetration Testers at PSC - www.paysw.com
• PSC specializes in PCI assessments
• Our day-to-day activities consist of attacking large enterprise networks and searching for CHD

Slide 4: What’s Wordsmith?
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists

Slide 5: Quick primer
• Authentication process
• Dictionary attacks
• 8 slides total!

Slide 6: For those who already know this
• We have something else you can do during the primer!
• First 10 people who tweet the correct answer will get some swag
• Or go and check out Wordsmith here: https://github.com/skahwah/wordsmith

Slide 7: Question
• What hash format is this? (hint wpad)

Slide 8: Back to the primer

Slide 9: Primer (1/8): Authentication process

Slide 10: Primer (2/8): Password converted to hash
• On submit, convert the password into a hashed representative

Slide 11: Primer (3/8): Credentials sent to authentication server

Slide 12: Primer (4/8): Credentials validated
• Backend DB holds passwords for all users in a hashed state
• Check to see if hashes match:
    if userSuppliedCreds == userStoredCreds
        allow logon :)
    else
        deny logon :(

Slide 13: Primer (5/8): password == hash, right?
• How do we “convert” a hash back to a cleartext password?
• No direct way. However, we can do a dictionary attack.

Slide 14: Primer (6/8): What are dictionaries?
• Large lists containing common words
• Sometimes compiled from passwords obtained in breaches (LinkedIn, Yahoo, Adobe, AM, etc.)
• Dictionaries we use:
  – Rockyou (free)
  – Uniq (paid, but worth it)
  – top10k (free)
  – yahoo (free)
  – linkedin (free)

Slide 15: Primer (7/8): Dictionary attacks
A couple of pre-requisites:
1. A solid dictionary (also known as wordlist)
2. Need to know the hash type (md5, sha1, NTLM, NetNTLMv2, etc)
3. A list of password hashes (typically exfiltrated in post-exploitation)

Slide 16: Primer (8/8): Conducting a dictionary attack
1. Guess
2. Encrypt
3. Compare

Wordlist:
    apple
    banana
    cherry
    …

    $hash <- encrypt(apple)
    $hash : 5ebe7dfa074da8ee8aef1faa2bbde876

Search for $hash in obtained hash list:
    af5432a79b941528fa7fac9e7e391651
    5ebe7dfa074da8ee8aef1faa2bbde876
    8846f7eaee8fb117ad06bdd830b7586c
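The guess-encrypt-compare loop from the primer, worked in Ruby against NTLM (NT) hashes, the format the later test cases use. This is an added example and not code from the slides or from the Wordsmith project. What the slide calls "encrypt" is a hash: NT hashes are MD4 over the UTF-16LE encoding of the password, with no salt and no work factor, which is why a wordlist can be tried against every captured hash at millions of guesses per second. MD4 is implemented here in pure Ruby (RFC 1320) so the example runs without OpenSSL's legacy provider. The wordlist and the "obtained" hash list are constructed for the example; the three hashes are the ones shown on the slide, and the assumption made here is that the third one is the NT hash of "password".

```ruby
# Added example, not Wordsmith code: dictionary attack against NT hashes.
MASK = 0xffffffff

def rotl32(x, n)
  ((x << n) | (x >> (32 - n))) & MASK
end

# MD4 (RFC 1320) over a binary string; returns the lowercase hex digest.
def md4_hex(message)
  msg = message.b
  bit_len = msg.bytesize * 8
  msg << "\x80".b
  msg << "\x00".b while msg.bytesize % 64 != 56
  msg << [bit_len & MASK, bit_len >> 32].pack('V2')

  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  # Each round: boolean function, additive constant, message-word order, shifts.
  rounds = [
    [->(x, y, z) { (x & y) | (~x & z) }, 0x00000000,
     (0..15).to_a, [3, 7, 11, 19]],
    [->(x, y, z) { (x & y) | (x & z) | (y & z) }, 0x5a827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
    [->(x, y, z) { x ^ y ^ z }, 0x6ed9eba1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]]
  ]

  (0...msg.bytesize).step(64) do |off|
    x = msg.byteslice(off, 64).unpack('V16')
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |f, k, order, shifts|
      order.each_with_index do |xi, j|
        case j % 4
        when 0 then a = rotl32((a + f.call(b, c, d) + x[xi] + k) & MASK, shifts[0])
        when 1 then d = rotl32((d + f.call(a, b, c) + x[xi] + k) & MASK, shifts[1])
        when 2 then c = rotl32((c + f.call(d, a, b) + x[xi] + k) & MASK, shifts[2])
        when 3 then b = rotl32((b + f.call(c, d, a) + x[xi] + k) & MASK, shifts[3])
        end
      end
    end
    a = (a + aa) & MASK
    b = (b + bb) & MASK
    c = (c + cc) & MASK
    d = (d + dd) & MASK
  end
  [a, b, c, d].pack('V4').unpack1('H*')
end

# NT hash: MD4 of the password encoded as UTF-16LE (no salt).
def ntlm_hex(password)
  md4_hex(password.encode('UTF-16LE'))
end

# 1. Guess  2. "Encrypt" (hash)  3. Compare, using a hash table for the lookup
# so each guess costs one hash computation regardless of how many targets exist.
# Returns { hex_hash => recovered_password } for every hit.
def dictionary_attack(wordlist, obtained_hashes)
  targets = obtained_hashes.each_with_object({}) { |h, t| t[h.downcase] = true }
  wordlist.each_with_object({}) do |guess, recovered|
    h = ntlm_hex(guess)
    recovered[h] = guess if targets.key?(h)
  end
end

# Constructed inputs: the wordlist from the slide plus "password"; the hash
# list is the one the slide shows (assumed here to be NT hashes).
WORDLIST = %w[apple banana cherry password].freeze
OBTAINED_HASHES = %w[
  af5432a79b941528fa7fac9e7e391651
  5ebe7dfa074da8ee8aef1faa2bbde876
  8846f7eaee8fb117ad06bdd830b7586c
].freeze

if __FILE__ == $PROGRAM_NAME
  dictionary_attack(WORDLIST, OBTAINED_HASHES).each { |h, pw| puts "#{h}  #{pw}" }
end
```

The loop is the whole of a dictionary attack; everything else in the talk (better wordlists, mangling rules, GPU hashcat) only changes how many guesses it takes and how fast each one is. From the defender's side, the same code shows why a slow, salted password hash matters: salting forces one hash computation per guess per target, and a work factor turns 3617 MH/s into a few thousand guesses per second.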
Slide 17: Primers done
• Let’s move on to Wordsmith

Slide 18: A quick re-cap on Wordsmith
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists

Slide 19: What kind of geo-location data is in a wordlist?
• Landmarks
• Sports teams
• Cities, towns, etc
• Streets/Roads
• Zip codes
• Area codes
• Common names
• Colleges

Slide 20: Why geo-location data?
• Saw more geo-location related passwords during engagements
• Thought it would be a cool project
• Improve overall password cracking efficacy
• Limit guess-encrypt-compare cycles

Slide 21: Where is all of this data coming from?
*Wikipedia, US Census and Open Street Map

Slide 22: How Wordsmith works

Slide 23: Wordsmith files
• Initial git clone (~20 MB)

Slide 24: First run
• On first run, data.tar.gz is unpacked (1 second, 175 MB)

Slide 25: File structure and data lookup
• ./wordsmith/data/
• All lookups are done offline (speed & efficiency).

Slide 26: What does a wordlist look like?
• Word is kept in its original form (special characters included), e.g. Freemont St.
• You can also use the “-m” flag for basic mangling! For Freemont St. the mangled output is:
    Freemont St.
    Freemont St
    Freemont
    St.
    St
    FreemontSt.
    FreemontSt
• Post-processing: downcase(), min character length, sort & uniq to remove all duplicate words
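A small mangler that reproduces the variants the slide lists for "Freemont St." and then applies the slide's post-processing steps (downcase, minimum character length, sort & uniq). This is an added example in Ruby, the language Wordsmith itself is written in, and it is not the project's own code: the exact variant rules, the `strip_specials` helper and the `min_len` default are assumptions made here, and Wordsmith's `-m` flag may differ in detail. It also handles the general case of several input words, where sort & uniq is what collapses variants that different source words share.

```ruby
# Added example, not Wordsmith code: basic mangling + post-processing.

# Drop every character that is not a letter, digit or space ("St." -> "St").
def strip_specials(word)
  word.gsub(/[^[:alnum:] ]/, '')
end

# Variants for one source word, in the order the slide lists them for
# "Freemont St.": original, original without specials, each token with and
# without specials, and the tokens concatenated with and without specials.
def mangle(word)
  tokens = word.split
  variants = [word, strip_specials(word)]
  variants += tokens                                 # "Freemont", "St."
  variants += tokens.map { |t| strip_specials(t) }   # "Freemont", "St"
  joined = tokens.join                               # "FreemontSt."
  variants + [joined, strip_specials(joined)]        # "FreemontSt"
end

# Post-processing from the slide: downcase(), minimum character length,
# then sort & uniq so duplicates produced by different source words collapse.
# min_len: 4 is an assumption; it drops very short tokens such as "St".
def build_wordlist(words, min_len: 4)
  words.flat_map { |w| mangle(w) }
       .map(&:downcase)
       .reject(&:empty?)
       .select { |w| w.length >= min_len }
       .sort
       .uniq
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a street, a city and a zip code.
  puts build_wordlist(['Freemont St.', 'Green Bay', '53202'])
end
```

The order of the two post-processing steps matters for size: downcasing first lets sort & uniq merge "Freemont" and "freemont" into one entry, which is exactly the kind of redundant guess the "limit guess-encrypt-compare cycles" goal is about.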
Slide 27: Demo time

Slide 28: Statistics and results

Slide 29: Pre-requisites
• Hash cracking rig
• Get our hands on REAL NTLM hashes
  – Massachusetts 404 hashes
  – Wisconsin 2011 hashes
  – New York 542 hashes

Slide 30: Hash cracking rig
• Software
  – hashcat.net
• Hardware
  – NVidia GRID K520
• 3617 MH/s – nothing too crazy, but it does the trick
  – 1 MH/s is 1,000,000 hashes per second
• Build your own cracking rig: https://www.popped.io/2016/07/steps-to-create-aws-hash-cracking-rig.html

Slide 31: Test Cases
• Crack hashes for each U.S. State using common wordlists and rules
• Crack hashes for each U.S. State using a Wordsmith wordlist for the particular State
• ruby wordsmith.rb -s WI -a -m -o wi.txt

    State           NTLM Hashes   Wordsmith Wordlist
    Wisconsin       2011          112k
    Massachusetts   404           82k
    New York        542           158k

Slide 32: Input Parameters for Cracking Session
1. Guess
   Wordlists:
   • Top10k (10k)
   • Rockyou (14.4m)
   • Wordsmith: WI, MA, NY
   Rule set:
   • D3adhob0 (57.5k rules)
2. Encrypt
   NTLM Hash (NT): based on MD4, common on Active Directory domains
3. Compare
   Hashes obtained from various clients:
   Wisconsin-hashes.txt (2011 hashes)
   Massachusetts-hashes.txt (404 hashes)
   Newyork-hashes.txt (542 hashes)

Slide 33: Results!

Slide 34: Wisconsin results
• 2011 NTLM Hashes

    Wordlist                     Hashcat run time   Number of passwords recovered
    Top10k (10k words)           2 secs             237 (12%)
    Rockyou (14.4m words)        27 mins            1094 (54%)
    Wisconsin.txt (112k words)   12 secs            229 (11%)
    Total                                           77%

Slide 35: Massachusetts results
• 404 NTLM Hashes

    Wordlist                        Hashcat run time   Number of passwords recovered
    Top10k (10k words)              1 sec              52 (13%)
    Rockyou (14.4m words)           24 mins            262 (65%)
    Massachusetts.txt (82k words)   12 secs            56 (14%)
    Total                                              92%

Slide 36: New York results
• 542 NTLM Hashes

    Wordlist                   Hashcat run time   Number of passwords recovered
    Top10k (10k words)         1 sec              0
    Rockyou (14.4m words)      26 mins            220 (41%)
    Newyork.txt (158k words)   22 secs            59 (11%)
    Total                                         52%

Slide 37: Conclusions
• Identifying proper nouns unique to location
• Time-CPU cycle tradeoff
• At least 11% of passwords recovered in < 20 seconds

Slide 38: Next Steps for Wordsmith
• Data!
  – Team rosters, mascots, stadiums
  – Famous people
  – State symbols
  – Motto, song, bird, flower, etc.
  – Regional food, cuisine, agriculture
  – (h/t Larry Pesce - @haxorthematrix)
• Design
  – Modular
  – Extend to provinces, territories, countries
  – Integrate data look up by coordinates

Slide 39: Suggestions?
• Important to maintain, expand, and improve
• Got any additional data sources or features?
• Pull requests, submit issues, comment, share: https://github.com/skahwah/wordsmith

Slide 40: Questions?
Tom’s the guy with the beard
www.porterhau5.com
@porterhau5
Sanjiv’s the Canadian
www.popped.io
@skawasec
https://github.com/skahwah/wordsmith
