Custom Rules & Broken Tools (Password Cracking)

A talk by @stealthsploit from NotSoSecure on tips, tricks and restrictions on cracking passwords using common tools.

Accompanying blog posts at https://www.notsosecure.com/one-rule-to-rule-them-all/ & https://www.notsosecure.com/maximum-password-length-reached/


© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.

Custom Rules & Broken Tools

$ whoami /all
Will Hunt
• Associate Director @ NotSoSecure
• 9 years in InfoSec
• Pentester, formerly digital forensics, trainer of both
• @Stealthsploit / stealthsploit.com

What's The Plan?
• hashcat custom rule efficiency
• Cracking length limitations

hashcat Custom Rule Efficiency

Dictionaries and Rules 101
Dictionary (words tried as-is): password, letmein, security, monkey, 123456, qwerty, password1
Rules (candidates a ruleset generates from the single dictionary word "password"): password, Password, P@ssword, passw0rd, Passw0rd, P@ssw0rd, passw0rd1

hashcat Rules
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Roll Your Own
• Objective – try and create a more efficient rule
• Method – test existing rules against a large data set and extract the top performing individual rules
• Testbed – 2016 Lifeboat breach (Minecraft): 7 million unsalted MD5s, 4.3 million unique
• Outcome – "One rule to rule them all…"
• Validate – test the custom rule against the Lifeboat breach (and other) data
• Hope – I didn't waste my time…

Let Cracking Commence
hashcat64.exe -m0 lifeboat_hashes rockyou.txt --status --status-timer=5 -w3 --debug-mode=1 --debug-file=stats-lifeboat-best64 --potfile-disable -o lifeboat-best64 -r rules\best64.rule
• --debug-mode=1 writes the rule that produced each crack to the --debug-file, one line per cracked hash; that file is what the per-rule statistics are built from
• --potfile-disable keeps previously cracked hashes in play, so every crack in this run is attributed to a rule

The Stats (chart, not reproduced)

Success and Efficiency (chart, not reproduced)

The Anomalies
• High concurrency
• Different rules produced the same plain text value before the ':' (no-op) rule hit
• E.g. the password is L3tme1n and the dictionary contains l3tme1n
• If the T0 rule hits before the : rule… (T0 toggles the case of the first character, turning l3tme1n into L3tme1n)
• T0 gets the point, stealing it from :
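The attribution effect above, as an added example that is not part of the talk or the NotSoSecure rule repository: a toy hashcat-style rule engine runs a straight attack with rules against a few unsalted MD5s, records which rule got credit for each crack the way `--debug-mode=1` does, and tallies the result. Only a handful of rule functions from the hashcat wiki are implemented, the hashes and wordlist are constructed here, and the loop order (every rule for a word before the next word) is an assumption for the toy; hashcat's real scheduling is highly concurrent, which is exactly why credit lands unpredictably.

```python
import hashlib
from collections import Counter


def apply_rule(word, rule):
    """Apply a hashcat-style rule string to one word.

    Subset of the rule functions documented on the hashcat wiki:
    ':' (no-op), l/u/c/t/r/d, TN (toggle case at position N), $X, ^X, sXY.
    Positions use hashcat's 0-9A-Z notation, so int(..., 36) decodes them.
    """
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        if f == ':':
            pass
        elif f == 'l':
            w = w.lower()
        elif f == 'u':
            w = w.upper()
        elif f == 'c':
            w = w[:1].upper() + w[1:].lower()
        elif f == 't':
            w = w.swapcase()
        elif f == 'r':
            w = w[::-1]
        elif f == 'd':
            w = w + w
        elif f == 'T':
            n = int(rule[i + 1], 36)
            i += 1
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif f == '$':
            w = w + rule[i + 1]
            i += 1
        elif f == '^':
            w = rule[i + 1] + w
            i += 1
        elif f == 's':
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        elif f != ' ':
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return w


def crack(hashes, wordlist, rules):
    """Straight attack (-a 0) with rules against unsalted MD5 hashes.

    Returns (cracked, debug): cracked maps hash -> plaintext, debug lists the
    rule credited for each crack, one entry per hit, mirroring what
    --debug-mode=1 writes. Loop order is an assumption for this toy.
    """
    remaining = set(hashes)
    cracked, debug = {}, []
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            h = hashlib.md5(cand.encode()).hexdigest()
            if h in remaining:  # first producer of the plaintext gets the point
                remaining.discard(h)
                cracked[h] = cand
                debug.append(rule)
    return cracked, debug


def rule_scores(debug_lines, rules):
    """Tally a --debug-mode=1 dump: cracks credited to each rule."""
    counts = Counter(debug_lines)
    return {r: counts.get(r, 0) for r in rules}


# Constructed test data (not from the Lifeboat breach).
PLAINS = ["L3tme1n", "Password", "monkey1"]
HASHES = [hashlib.md5(p.encode()).hexdigest() for p in PLAINS]
WORDLIST = ["l3tme1n", "L3tme1n", "password", "monkey"]
RULES = [":", "T0", "$1"]


def demo():
    """':' never scores for L3tme1n even though the exact word is in the
    dictionary: T0 applied to the earlier word l3tme1n got there first."""
    _, debug = crack(HASHES, WORDLIST, RULES)
    return rule_scores(debug, RULES)


if __name__ == "__main__":
    cracked, debug = crack(HASHES, WORDLIST, RULES)
    print(cracked)
    print(rule_scores(debug, RULES))
```

Run it and the no-op rule scores zero although `L3tme1n` is in the wordlist verbatim; on a real run this is why individual rule counts from a debug file are a noisy ranking signal rather than an exact one.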
Super Rule Creation
• Identify the top 25% performing rules from each ruleset
• Concatenate & de-dupe
• Repeat the tests
• Custom rule cracked 2.72% (117,626) more passwords
• Not the most efficient
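The selection and merge steps above as working code, an added example rather than the script used for the talk: it counts credited cracks per rule from `--debug-mode=1` dumps, keeps the top 25% of each ruleset, concatenates the winners and de-duplicates them (the `:` rule sits in almost every ruleset, so it is the usual duplicate). The two rulesets and their debug dumps are constructed here, and the efficiency measure (cracks per rule) is this example's own definition, since the talk does not spell out its metric.

```python
import math
from collections import Counter


def parse_debug_file(lines):
    """Count credited cracks per rule from a --debug-mode=1 dump
    (one finding rule per line, one line per cracked hash)."""
    return Counter(line.rstrip("\n") for line in lines if line.strip())


def top_fraction(rules, counts, fraction=0.25):
    """Rank one ruleset's rules by credited cracks and keep the top fraction
    (rounded up, so a tiny ruleset still contributes at least one rule).
    Ties keep the ruleset's original order, so the result is deterministic."""
    order = {r: i for i, r in enumerate(rules)}
    ranked = sorted(rules, key=lambda r: (-counts.get(r, 0), order[r]))
    keep = max(1, math.ceil(len(rules) * fraction))
    return ranked[:keep]


def build_super_rule(rulesets, fraction=0.25):
    """rulesets: {name: (rules, debug_lines)} -> merged, de-duplicated list.

    Concatenation follows dict order; the first ruleset to contribute a rule
    keeps it and later duplicates are dropped."""
    seen, merged = set(), []
    for rules, debug_lines in rulesets.values():
        counts = parse_debug_file(debug_lines)
        for r in top_fraction(rules, counts, fraction):
            if r not in seen:
                seen.add(r)
                merged.append(r)
    return merged


def success_and_efficiency(rules, debug_lines, total_hashes):
    """Success = fraction of hashes cracked. Efficiency = cracks per rule,
    this example's own yield measure for comparing rulesets of different
    size (an assumption, not the talk's metric)."""
    cracked = sum(parse_debug_file(debug_lines).values())
    return cracked / total_hashes, cracked / len(rules)


# Constructed sample: two small rulesets and fake debug dumps (not real data).
SET_A = [":", "T0", "$1", "r", "d", "u", "c", "l"]
DEBUG_A = [":"] * 40 + ["$1"] * 25 + ["c"] * 12 + ["T0"] * 5 + ["u"] * 1
SET_B = [":", "c", "$1 $2", "$!", "^1", "sa@", "l $1", "u $1"]
DEBUG_B = [":"] * 38 + ["c"] * 11 + ["$1 $2"] * 9 + ["$!"] * 7
RULESETS = {"setA": (SET_A, DEBUG_A), "setB": (SET_B, DEBUG_B)}

if __name__ == "__main__":
    print(build_super_rule(RULESETS))
    print(success_and_efficiency(SET_A, DEBUG_A, total_hashes=100))
```

With real dumps, point `parse_debug_file` at each `--debug-file` produced by a separate run per ruleset (one `-r` per run, same hashes and wordlist), and write the merged list out one rule per line for `-r`.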
More Validation Against 2nd Place
• Xsplit breach – 2013, 3m hashes, 2.2m unique, unsalted SHA-1: 2.38% better (53,046)
• Battlefield Heroes – 2011, 548k hashes, 423k unique, unsalted MD5: 1.13% better (4,808)

#OneRuleToRuleThemAll?
• Nope.
• Several factors – time, hardware, money, dictionary quality
• Continual optimisation
• Increased cumulative average success
• https://www.notsosecure.com/one-rule-to-rule-them-all/
• https://github.com/NotSoSecure/password_cracking_rules

Cracking Length Limitations

Inspiration
• @mubix
• Password candidates are stored in GPU registers
• Not enough registers to store long candidates
• i.e. the hash won't crack even if the plain text is in the dictionary
• Potential to exceed the limits, but processing time doubles
• JtR and hashcat investigated

hashcat
• oclHashcat-plus v0.15, released in 2013, added support for increased lengths, generally from 15 to 55, with exceptions

hashcat
https://hashcat.net/wiki/doku.php?id=frequently_asked_questions
• Mode 0 – Straight (dictionary)
• Mode 1 – Combination
• Mode 6/7 – Hybrid Wordlist + Mask / Hybrid Mask + Wordlist

hashcat
• NTLM – based on UTF-16LE, which uses 16 bits (2 bytes) per character
• Each character of the password is therefore two bytes, so the candidate is twice its character count in bytes
NTLM – 27 Limit
• Dictionary contains only the password
• Password: NowThePwIsTwentyEightLetters (28 characters, one over the 27 limit)

SHA512crypt – 16 Limit
• Password: Weak SHA512crypt! (17 characters, one over the 16 limit)

JtR
• --list=format-all-details --format=NT
• JtR takes input by default as UTF-8
• Note the max length is given in bytes

JtR
• 27 Unicode characters may need up to 81 bytes of UTF-8 (up to 3 bytes per character)
• Not often encountered – Japanese, Chinese, Korean, random special chars etc.

JtR
• Latest version of john jumbo has made things easier
• No longer shows length in bytes

MD5 – 55 Limit (two screenshots, not reproduced)

SHA-384 – 111 Limit (two screenshots, not reproduced)
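A wordlist audit for the limits quoted on the slides, added here as an example and not part of the talk: it measures each candidate the way the cracker does (UTF-16LE code units for NTLM, UTF-8 bytes for the others) and reports how many entries a run can never turn into a hit, which is the "plain text is in the dictionary but the hash won't crack" case above. The limit table holds the figures from these slides for the 2017-era builds the talk tested; they are version-specific, so check the hashcat FAQ and `john --list=format-all-details --format=<fmt>` for your own build. The wordlist is constructed for the example.

```python
# Limits as quoted in the talk (2017-era hashcat/JtR builds). NTLM is counted
# in UTF-16LE code units (27 units = 54 bytes); the rest in UTF-8 bytes.
LIMITS = {
    "NTLM": ("utf16", 27),
    "sha512crypt": ("utf8", 16),
    "MD5": ("utf8", 55),
    "SHA-384": ("utf8", 111),
}


def candidate_size(pw, unit):
    """Size of a candidate as the cracker sees it."""
    if unit == "utf16":
        # Each BMP character is one 16-bit code unit; anything outside the
        # BMP becomes a surrogate pair and counts as two.
        return len(pw.encode("utf-16-le")) // 2
    return len(pw.encode("utf-8"))


def exceeds_limit(pw, fmt):
    """True if this format's cracker would never produce pw as a candidate."""
    unit, limit = LIMITS[fmt]
    return candidate_size(pw, unit) > limit


def audit_wordlist(words, fmt):
    """Return (total, unreachable, examples) for a wordlist against one
    format: how many entries are dead weight for that hash type."""
    unreachable = [w for w in words if exceeds_limit(w, fmt)]
    return len(words), len(unreachable), unreachable[:3]


def utf8_budget(chars, max_bytes_per_char=3):
    """JtR reports NT's limit in bytes of UTF-8 input, so 27 characters
    become 81 bytes when every character needs 3 bytes (CJK etc.)."""
    return chars * max_bytes_per_char


# Constructed wordlist (not from any breach): each line probes one limit.
WORDLIST = [
    "password",                      # fine everywhere
    "NowThePwIsTwentyEightLetters",  # 28 chars: one over NTLM's 27
    "Weak SHA512crypt!",             # 17 bytes: one over sha512crypt's 16
    "日本語" * 9,                     # 27 code units for NTLM, but 81 UTF-8 bytes
    "a" * 56,                        # 56 bytes: one over MD5's 55
]

if __name__ == "__main__":
    for fmt in LIMITS:
        print(fmt, audit_wordlist(WORDLIST, fmt))
```

The 27-character CJK line is the case the JtR slides warn about: it fits NTLM's 27-unit limit in hashcat, yet weighs 81 bytes as UTF-8 input, so a cracker that budgets in bytes needs the full 81 to reach it.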
Length Increases
• John jumbo can be custom compiled
• http://www.openwall.com/lists/john-users/2017/05/05/1
• A non-SIMD build can get higher numbers
• hashcat has a modified version – it doesn't support NTLM
• https://github.com/hashcat/hashcat/tree/longer_passwords_and_salts
• Both will take significant performance hits

Cheat Sheet
• Cheat sheet for JtR supported hashes (over 430 of them!)
• May differ from hashcat
• https://www.notsosecure.com/maximum-password-length-reached/
• And remember, no matter what others may tell you…

It's All About The Length

Thank You
feedback/contact: training@notsosecure.com
