© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Custom Rules & Broken Tools

$ whoami /all
Will Hunt
• Associate Director @ NotSoSecure
• 9 years in InfoSec
• Pentester, formerly digital forensics, trainer of both
• @Stealthsploit / stealthsploit.com

What’s The Plan?
• hashcat custom rule efficiency
• Cracking length limitations

hashcat Custom Rule Efficiency

Dictionaries and Rules 101
Dictionary Rules
password password Password
letmein letmein password
security security P@ssword
monkey monkey passw0rd
123456 123456 Passw0rd
qwerty qwerty P@ssw0rd
password1
passw0rd1

hashcat Rules
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Roll Your Own
• Objective – try and create a more efficient rule
• Method – test existing rules against large data set and extract top performing individual rules
• Testbed – 2016 Lifeboat breach (Minecraft)
• 7 million unsalted MD5s – 4.3 mill unique
• Outcome – “One rule to rule them all….”
• Validate – test custom rule against Lifeboat breach (and other) data
• Hope – I didn’t waste my time…

Let Cracking Commence
hashcat64.exe -m0 lifeboat_hashes rockyou.txt --status --status-timer=5 -w3 --debug-mode=1 --debug-file=stats-lifeboat-best64 --potfile-disable -o lifeboat-best64 -r rules\best64.rule

The Stats

Success and Efficiency

The Anomalies
• High concurrency
• Different rules produced the same plain text value before the ‘:’ rule hit.
• E.g. Password is L3tme1n
• Dictionary contains l3tme1n
• If T0 rule hits before : rule… (T0 toggles case of first char)
• T0 gets the point, stealing it from :

Super Rule Creation
• Identify top 25% performing rules from each ruleset
• Concat & de-dupe
• Repeat the tests
• Custom rule cracked 2.72% (117,626) more passwords
• Not the most efficient

More Validation Against 2nd Place
Xsplit breach – 2013, 3m hashes, 2.2m unique, unsalted SHA-1
2.38% better (53,046)
Battlefield Heroes – 2011, 548k hashes, 423k unique, unsalted MD5
1.13% better (4,808)

#OneRuleToRuleThemAll?
• Nope.
• Several factors – time, hardware, money, dictionary quality
• Continual optimisation
• Increased cumulative average success
• https://www.notsosecure.com/one-rule-to-rule-them-all/
• https://github.com/NotSoSecure/password_cracking_rules

Cracking Length Limitations

Inspiration
• @mubix
• Password candidates are stored in GPU registers
• Not enough registers to store long candidates
• i.e. hash won’t crack even if plain text is in dictionary
• Potential to exceed limits but processing time doubles
• JtR and hashcat investigated

hashcat
• oclHashcat-plus v0.15 released in 2013 with support for increased lengths, generally from 15 to 55 with exceptions

hashcat
https://hashcat.net/wiki/doku.php?id=frequently_asked_questions
• Mode 0 – Straight (dictionary)
• Mode 1 – Combination
• Mode 6/7 – Hybrid Wordlist + Mask / Hybrid Mask + Wordlist

hashcat
• NTLM – based on UTF16-LE which uses 16 bits (2 bytes) per character
• Each character of pw is twice the length in bytes

NTLM – 27 Limit
Dictionary contains only the password
Password: NowThePwIsTwentyEightLetters

SHA512crypt – 16 Limit
Password: Weak SHA512crypt!

JtR
• --list=format-all-details --format=NT
• JtR takes input by default as UTF8
• Note max length in bytes

JtR
• 27 Unicode characters may need up to 81 bytes of UTF8 (up to 3 bytes per char)
• Not often encountered - Japanese, Chinese, Korean, random special chars etc
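
The encoding arithmetic behind the NTLM, SHA512crypt and JtR slides above, as an added example that is not part of the original deck: it measures each wordlist entry in characters, UTF-8 bytes and UTF-16LE bytes and lists the entries that exceed a limit. The limit figures are the ones quoted on the slides; the unit attached to each (UTF-16 code units for NTLM, UTF-8 bytes for the rest), the function names and the sample wordlist are assumptions of this example.

```python
"""Check wordlist entries against the length limits quoted on the slides."""
from dataclasses import dataclass

# Limits as quoted on the slides. The unit attached to each one is an
# assumption of this example: NTLM is counted in UTF-16 code units (the
# password is hashed as UTF-16LE, 2 bytes per unit); the rest are counted
# in bytes of the UTF-8 input.
LIMITS = {
    "NTLM": (27, "utf16_units"),
    "SHA512crypt": (16, "utf8_bytes"),
    "MD5": (55, "utf8_bytes"),
    "SHA-384": (111, "utf8_bytes"),
}


@dataclass(frozen=True)
class Measure:
    chars: int        # Unicode code points
    utf8_bytes: int   # size when read as UTF-8 input
    utf16_units: int  # 16-bit units after conversion to UTF-16LE
    utf16_bytes: int  # bytes actually hashed for NTLM


def measure(candidate: str) -> Measure:
    """Return the sizes of one candidate in every unit the limits use."""
    utf16 = candidate.encode("utf-16-le")
    return Measure(
        chars=len(candidate),
        utf8_bytes=len(candidate.encode("utf-8")),
        utf16_units=len(utf16) // 2,
        utf16_bytes=len(utf16),
    )


def fits(candidate: str, fmt: str) -> bool:
    """True if the candidate is within the quoted limit for this format."""
    limit, unit = LIMITS[fmt]
    return getattr(measure(candidate), unit) <= limit


def over_limit(wordlist, fmt):
    """List (candidate, measured_size, limit) for entries that are too long.

    These are the entries that will not crack even though the plain text
    is present in the dictionary.
    """
    limit, unit = LIMITS[fmt]
    too_long = []
    for word in wordlist:
        size = getattr(measure(word), unit)
        if size > limit:
            too_long.append((word, size, limit))
    return too_long


# Constructed sample wordlist: the two passwords shown on the slides, a
# 27-letter variant, and 27 CJK characters (3 bytes each in UTF-8).
SAMPLE = [
    "NowThePwIsTwentyEightLetters",
    "NowThePwIsTwentyEightLetter",
    "Weak SHA512crypt!",
    "密" * 27,
]

if __name__ == "__main__":
    for fmt in LIMITS:
        for word, size, limit in over_limit(SAMPLE, fmt):
            print(f"{fmt}: {word!r} is {size}, limit {limit}")
```

The 27 CJK characters stay inside the NTLM figure (27 code units, 54 bytes) while needing 81 bytes as UTF-8 input, which is the case the slide describes.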

JtR
• Latest version of john jumbo has made things easier
• No longer shows length in bytes

MD5 – 55 Limit

SHA-384 – 111 Limit

Length Increases
• John jumbo can be custom compiled
• http://www.openwall.com/lists/john-users/2017/05/05/1
• Non-SIMD build can get higher numbers
• hashcat has a modified version – doesn’t support NTLM
• https://github.com/hashcat/hashcat/tree/longer_passwords_and_salts
• Both will take significant performance hits

Cheat Sheet
• Cheat sheet for JtR supported hashes (Over 430 of them!)
• May differ from hashcat
• https://www.notsosecure.com/maximum-password-length-reached/
• And remember, no matter what others may tell you…

It’s All About The Length

Thank You
feedback/contact
training@notsosecure.com
