This document discusses techniques for brute forcing passwords online in a short amount of time. It recommends generating targeted wordlists by analyzing common password patterns and rules, such as capitalization variations, number/special character suffixes, and prefixes drawn from personal information. Wordlists should balance completeness with brevity to avoid detection. The author cracked over 20 passwords within a minute by heuristically guessing variations on an initial default password.
3. What will be discussed
ptsecurity.com
Pentesters often deal with corporate services (mail, portal, etc.) that expose only an authorization form; the rest of the application is accessible only to authorized users.
If the service has a fairly safe authorization form, the only way to fully explore the application is to have a correct login/password pair.
4. What will be discussed
Getting a login/password pair for an online service:
- Ask the customer
- Social engineering
- Cracking login/password pairs (brute forcing):
  - username listing/enumeration, or take some usernames from open sources
  - brute force attack or dictionary attack: which one to use? Too slow, need to speed up
Online password cracking issues to consider:
- network bandwidth
- server performance
- account lockouts
- tarpitting
- detection in logs and IDS
- changing passwords
6. What will be discussed
Wordlists: which one to use? The wordlist should:
- be large enough to increase the probability of a successful attack
- be small enough to
  - complete the attack in time
  - not lead to account lockouts
  - make the attack harder to detect
- meet the password policy requirements of the service
In other words, the wordlist should contain only suitable passwords that are most likely to be used.
Our goal is to get at least 1 valid login/password pair with a minimum number of requests.
8. Minimize size & Maximize density
Two goals: maximize the density of highly probable passwords and minimize the dictionary size.
- Small wordlists: top100, top500, etc.
- Wordlists with count
- Heuristic methods – just guessing and improvisation!
- Generate a dictionary using password rule lists
- Generate a sorted password rule list
- Use existing wordlists, or make your own
10. Heuristic methods: the story of ZAQ!
Hi! I’m Zack. But it’s a completely different story.
11. Heuristic methods: the story of ZAQ!
Pentest. We were given an account with the default password: ZAQ!xsw2
What if there is someone else who uses the same password?
15/500 users do.
Not bad, but what if…
12. Heuristic methods: the story of ZAQ!
What if there are more tricky users who have changed the combination rule slightly?
Of all possible variations of these rules, only the suitable ones were tried: 15 passwords total. And what?
+10/500 users are OWNED
Maybe there are a few more? A few more similar keyboard combinations and their variations.
It took more time to try about 6000 combinations against each user. The result was not so cool, but +3/500 accounts are compromised. Thanks to creative users!
13. Heuristic methods: the story of ZAQ!
Summary: ZAQ!xsw2 and the other 15 candidates gave 15 + 10 + 3 compromised accounts.
Interesting facts:
- KeyboardCombinations.txt (9801 lines): ZAQ!xsw2 and the other 15 candidates ∉ the list
  (excerpt: … zaq1zaq1, zaq1xsw2 …)
- realhuman_phill.txt (63 941 069 lines): ZAQ!xsw2 and the other 15 candidates ∈ the list
In some cases you can test your heuristic offline.
15. Someone already has
[Illustration: "In our universe" vs "In a parallel universe"]
People use the same username modification rules when registering, to pick a free one.
What if they use the same password modification rules to meet password policy requirements?
16. Password rules
Hashcat password rules example
Name              Function  Description                                     Rule  Input Word  Output Word
Nothing           :         Do nothing                                      :     password    password
Lowercase         l         Lowercase all letters                           l     AlicE       alice
Capitalize        c         Capitalize the first letter and lower the rest  c     paSSwoRd    Password
Append Character  $X        Append character X to end                       $1    qwerty      qwerty1
Replace           sXY       Replace all instances of X with Y               ss$   Password    Pa$$word
Duplicate last N  ZN        Duplicate the last character N times            Z2    hackmeplz   hackmeplzzz
17. Password rules
You can take a sorted rule file (<space> denotes a space character):
$<space>
l
$1
i4<space>
i5<space>
c
t
i3<space>
i6<space>
$2
and a base words file:
password
nikolay
qwerty
Then generate the wordlist by applying each rule to each base word:
password<space>
password
password1
pass word
passw ord
Password
PASSWORD
pas sword
passwo rd
password2
nikolay<space>
nikolay
nikolay1
niko lay
nikol ay
Nikolay
NIKOLAY
nik olay
nikola y
nikolay2
qwerty<space>
qwerty
qwerty1
qwer ty
qwert y
Qwerty
QWERTY
qwe rty
qwerty<space>
qwerty2
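The rule application on this slide, as an added example (not code from the slides or from hashcat): a small interpreter for the rule functions the deck shows, run over the slide's rule list and base words. A defender can use the same engine to expand a base-word list into a denylist and reject proposed passwords that are trivial mutations; positions are base-36 digits as in hashcat, and an insert past the end of the word is assumed here to leave it unchanged.

```python
# Supported hashcat rule functions: (argument chars consumed, transformation). Positions N
# are base-36 digits as in hashcat; inserting past the end leaves the word unchanged (assumed).
FUNCS = {
    ':': (0, lambda w, a: w),
    'l': (0, lambda w, a: w.lower()),
    'u': (0, lambda w, a: w.upper()),
    'c': (0, lambda w, a: w[:1].upper() + w[1:].lower()),
    'C': (0, lambda w, a: w[:1].lower() + w[1:].upper()),
    't': (0, lambda w, a: w.swapcase()),
    '$': (1, lambda w, a: w + a),
    '^': (1, lambda w, a: a + w),
    's': (2, lambda w, a: w.replace(a[0], a[1])),
    'Z': (1, lambda w, a: w + w[-1:] * int(a, 36)),
    'i': (2, lambda w, a: w[:int(a[0], 36)] + a[1] + w[int(a[0], 36):]
          if int(a[0], 36) <= len(w) else w),
}

def parse_rule(rule):
    """Split 'c $1' or 'i4 ' into (function, args); a space used as an argument is kept."""
    funcs, pos = [], 0
    while pos < len(rule):
        fn = rule[pos]
        if fn == ' ':                     # separator between functions
            pos += 1
            continue
        n = FUNCS[fn][0]                  # KeyError for an unsupported function
        args = rule[pos + 1:pos + 1 + n]
        if len(args) != n:
            raise ValueError('truncated rule %r' % rule)
        funcs.append((fn, args))
        pos += 1 + n
    return funcs

def apply_rule(rule, word):
    """Apply every function of one rule line to a word, left to right."""
    for fn, args in parse_rule(rule):
        word = FUNCS[fn][1](word, args)
    return word

def expand(rules, base_words):
    """Wordlist in slide order: every rule applied to each base word in turn."""
    return [apply_rule(r, w) for w in base_words for r in rules]

# Rule list and base words from the slide; '$ ' and 'i4 ' carry a literal space.
RULES = ['$ ', 'l', '$1', 'i4 ', 'i5 ', 'c', 't', 'i3 ', 'i6 ', '$2']
BASE_WORDS = ['password', 'nikolay', 'qwerty']

def is_trivial_mutation(candidate):
    """Policy check added here: reject any candidate the rules can generate."""
    return candidate in set(expand(RULES, BASE_WORDS))
```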
18. Password rules problems
- Available password rule lists are mostly handmade. Only a few of them are grouped or sorted.
- Common rule generation methods (from password masks or random rules) take a lot of time and computational resources. They also leave a lot of garbage in the result.
- Truly powerful password rule lists are kept secret.
20. How most people create their passwords
Assume that the password is not random and not a keyboard combination.
Steps:
1. Choose the base: word, number, name, date, etc.
2. Modify the base: capitalize, lowercase, substitute, …
3. Choose a prefix
4. Choose suffixes
5. Choose a postfix
Example 1:
1. Base = {password}
2. password -> P@ssw0rd
3. Prefix = zZz
4. Postfix = xXx
Result: zZzP@ssw0rdxXx
Example 2:
1. Base = {nikolay, 18.05.1992}
2. nikolay -> Nikolay, 18.05.1992 -> may1992
3. Prefix = qwe
4. Suffix = !
Result: qweNikolay!may1992
21. Password templates
Consider the simple case: the base consists of a single word.
Suppose we have the following password dictionary. We need a list of common words (base words); then we cut them out of each password in the dictionary. Ideally we would cut out as many modifications of the base words as possible, but for simplicity let’s do this only for case modifications. A password in which no base word is found is kept as is.
Password      Template
madIson123    (***)123
1viKING       1(***)
internet1     (***)1
Sandra123     (***)123
qwerty123     qwerty123
Knights       (***)s
Natasha12     (***)12
maggie1       (***)1
hello1        (***)1
pAssw0rd1     pAssw0rd1
1RainBow      1(***)
turtles       (***)s
CowBoys       (***)s
lucky12       (***)12
abdullah1     (***)1
qwertyuiop1   qwertyuiop1
matthews      (***)s
WaRrIoRs      (***)s
SuperMan1     (***)1
DRAGon1       (***)1
julia1        (***)1
sTUPIDs       (***)s
1adidas       1(***)
1RUSSIA       1(***)
dolphins      (***)s
mASTER1       (***)1
23. Password templates to rules
Then translate the resulting templates into the hashcat password rule language:
Count  Template  Rule      Description
8      (***)1    $1        Append 1
7      (***)s    $s        Append s
4      1(***)    ^1        Prepend 1
2      (***)123  $1 $2 $3  Append 123
2      (***)12   $1 $2     Append 12
We can do the same for base word modifications:
Count  Example  Rule  Description
10     hello    :     Do nothing
3      Sandra   c     Capitalize the first letter
2      mASTER   C     Invert capitalize
Rules with count 1 are ignored.
24. Password templates to rules
Combining each template rule with each base word modification rule, scored by the product of the two counts (e.g. : $1 = 10 × 8 = 80), gives the sorted rule list:
Preference Score  Rule
80                : $1
70                : $s
40                : ^1
24                c $1
21                c $s
20                : $1 $2 $3
20                : $1 $2
16                C $1
14                C $s
12                c ^1
...               ...
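The template mining of slides 21 to 24 carried through in code, as an added example (not the presenter's own tool). The base-word list is constructed here because the slides do not print theirs (keyboard walks such as qwerty are left out, as the slide's results imply), and a combined rule is scored as the product of the two counts, which reproduces the numbers above. Run over a cracked-hash audit of your own users, the same logic shows which mutation rules they actually apply and therefore what a password denylist has to cover.

```python
from collections import Counter

# Passwords from the slide; the base-word list is constructed for this example
# (the slides do not print theirs; keyboard walks such as qwerty are left out).
PASSWORDS = ['madIson123', '1viKING', 'internet1', 'Sandra123', 'qwerty123',
             'Knights', 'Natasha12', 'maggie1', 'hello1', 'pAssw0rd1', '1RainBow',
             'turtles', 'CowBoys', 'lucky12', 'abdullah1', 'qwertyuiop1', 'matthews',
             'WaRrIoRs', 'SuperMan1', 'DRAGon1', 'julia1', 'sTUPIDs', '1adidas',
             '1RUSSIA', 'dolphins', 'mASTER1']
BASE_WORDS = ['madison', 'viking', 'internet', 'sandra', 'knight', 'natasha',
              'maggie', 'hello', 'rainbow', 'turtle', 'cowboy', 'lucky', 'abdullah',
              'matthew', 'warrior', 'superman', 'dragon', 'julia', 'stupid',
              'adidas', 'russia', 'dolphin', 'master']
CASE_RULES = ((':', str.lower), ('c', str.capitalize), ('u', str.upper),
              ('C', lambda w: w[:1].lower() + w[1:].upper()))

def case_rule(found):
    """hashcat case function that turns the lowercase base word into `found`."""
    return next((r for r, f in CASE_RULES if f(found.lower()) == found), None)

def template(password, base_words=BASE_WORDS):
    """Cut the longest base word out (case-insensitively) -> (case_rule, template)."""
    low = password.lower()
    for base in sorted(base_words, key=len, reverse=True):
        i = low.find(base)
        if i >= 0:
            found = password[i:i + len(base)]
            return case_rule(found), password[:i] + '(***)' + password[i + len(base):]
    return None                             # no base word: password stays as is

def template_to_rule(tpl):
    """'(***)123' -> '$1 $2 $3'; '1(***)' -> '^1' (a prefix is prepended reversed)."""
    prefix, suffix = tpl.split('(***)')
    return ' '.join(['^' + c for c in reversed(prefix)] + ['$' + c for c in suffix]) or ':'

def score_rules(passwords=PASSWORDS, min_count=2):
    """Count templates and case rules separately, drop singletons as on the slide,
    and score each combination by the product of the two counts (80 = 10 x 8)."""
    tpl_counts, case_counts = Counter(), Counter()
    for pw in passwords:
        hit = template(pw)
        if hit:
            tpl_counts[hit[1]] += 1
            if hit[0]:
                case_counts[hit[0]] += 1
    scored = [(tc * cc, case, template_to_rule(tpl))
              for tpl, tc in tpl_counts.items() if tc >= min_count
              for case, cc in case_counts.items() if cc >= min_count]
    return sorted(scored, key=lambda s: s[0], reverse=True)  # stable sort: slide order
```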
25. Some base words statistics
[Chart: words of “top-500-pass.txt” in a 1 million passwords wordlist; axes: rating position vs passwords]
[Chart: names in a 1 million passwords wordlist; axes: rating position vs passwords]
[Chart: base words distribution: names 5-30%, top-500-pass.txt 8-10%, other]
Top 10 names: yankee, william, angel, james, young, power, david, sasha, happy, chris
Top 10 words of top-500-pass.txt: 2000, love, 12345, wolf, pass, william, star, chris, king, 123456
Corporate logins often contain last names and initials. It’s not difficult to find full names and other personal data in social networks. We can use them as base words in a rule-based attack.
26. Generated rules analysis
[Chart: top-500-pass.txt and name templates (prefixes/postfixes) preference comparison; axes: rating position vs passwords]
Top500 templates are sorted in descending order. The name templates list contains Top500-specific templates with a password number of 0; name templates are sorted in Top500 templates list order.
Case modification rules distribution: Lowercase 88%, Capitalize 8%, Uppercase 2.7%, Other 1.3%
Top 10 password rules (example):
Rule   Description            Base word  Password
l $1   Lowercase, append 1    password   password1
l $s   Lowercase, append s    dragon     dragons
l $2   Lowercase, append 2    dolphin    dolphin2
l ^1   Lowercase, prepend 1   Nikolay    1nikolay
c $1   Capitalize, append 1   welcome    Welcome1
u $1   Uppercase, append 1    William    WILLIAM1
c $s   Capitalize, append s   king       Kings
c $2   Capitalize, append 2   pass       Pass2
c ^1   Capitalize, prepend 1  James      James1
u $s   Uppercase, append s    Yankee     YANKEES
...    ...                    ...        ...
27. Brute-Forced in Sixty Seconds
Workflow summary:
- Take a small base word list
- Prepare password rules lists
- Collect additional information about victims
- Test user-independent wordlists locally on a large dictionary
- Crack online
- Generate both user-dependent and user-independent wordlists
Thank you! Any questions?