Password cracking is a staple part of any pentest. This presentation dives into custom hashcat rules and analysis to yield better results when cracking, then follows up with cracking length limitations imposed by hardware.

1. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Custom Rules & Broken Tools

2. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Will Hunt
• Associate Director @ NotSoSecure
• 9+ years in InfoSec
• Pentester, formerly digital forensics, trainer of both
• Blackhat trainer
• @Stealthsploit
$ whoami /all

3. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• hashcat custom rule efficiency
• Cracking length limitations
What’s The Plan?

4. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
hashcat Custom Rule Efficiency

5. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Dictionary Rules
password password Password
letmein letmein password
security security P@ssword
monkey monkey passw0rd
123456 123456 Passw0rd
qwerty qwerty P@ssw0rd
password1
passw0rd1
Dictionaries and Rules 101

6. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
hashcat Rules
https://hashcat.net/wiki/doku.php?id=rule_based_attack

7. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• Objective – try and create a more efficient rule
• Method – test existing rules against large data set and
extract top performing individual rules
• Testbed – 2016 Lifeboat breach (Minecraft)
• 7 million unsalted MD5s – 4.3 mill unique
• Outcome – “One rule to rule them all….”
• Validate – test custom rule against
Lifeboat breach (and other) data
• Hope – I didn’t waste my time…
Roll Your Own

8. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
hashcat64.exe -m0 lifeboat_hashes rockyou.txt --status --status-timer=5
-w3 --debug-mode=1 --debug-file=stats-lifeboat-best64 --potfile-disable
-o lifeboat-best64 -r rulesbest64.rule
Let Cracking Commence

9. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
hashcat64.exe -m0 lifeboat_hashes rockyou.txt --status --status-timer=5
-w3 --debug-mode=1 --debug-file=stats-lifeboat-best64 --potfile-disable
-o lifeboat-best64 -r rulesbest64.rule
Let Cracking Commence

10. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
The Stats

11. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Success and Efficiency

12. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
The Anomalies

13. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• High concurrency
• Different rules produced the same plain text value
before the ‘:’ rule hit.
• E.g. Password is L3tme1n
• Dictionary contains l3tme1n
• If T0 rule hits before : rule… (T0 toggles case of first char)
• T0 gets the point, stealing it from :
The Anomalies

14. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• Identify top 25% performing rules from each ruleset
• Concat & de-dupe
• Repeat the tests
• Custom rule cracked 2.72% (117,626) more passwords
• Not the most efficient
Super Rule Creation

15. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Xsplit breach – 2013, 3m hashes, 2.2m unique, unsalted SHA-1
2.38% better (53,046)
Battlfield Heroes – 2011, 548k hashes, 423k unique, unsalted MD5
1.13% better (4,808)
More Validation Against 2nd Place

16. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• Nope.
• Several factors – time, hardware, money, dictionary quality
• Continual optimization
• Increased cumulative average success
• https://www.notsosecure.com/one-rule-to-rule-them-all/
• https://github.com/NotSoSecure/password_cracking_rules
#OneRuleToRuleThemAll?

17. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Cracking Length Limitations

18. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• @mubix
• Password candidates are stored in GPU registers
• Not enough registers to store long candidates
• Hash won’t crack even if plain text is in dictionary!
• Potential to exceed limits but processing time doubles
• JtR and hashcat investigated
Inspiration

19. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• oclHashcat-plus v0.15 released in 2013 with support for
increased lengths, generally from 15 to 55 with exceptions
hashcat

20. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• NTLM – based on UTF16-LE which uses 16 bits (2 bytes)
per character
• Each character of pw is twice the length in bytes
Windows Passwords

21. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Dictionary contains only the password
Password: NowThePwIsTwentyEightLetters
NTLM – 27 Limit

22. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Password: Weak SHA512crypt!
SHA512crypt – 16 Limit

23. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• --list=format-all-details --format=NT
• JtR takes input by default as UTF8
• Note max length in bytes
JtR

24. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• 27 unicode characters may need up to 81 bytes of UTF8
(up to 3 bytes per char)
• Algorithm limits reduced further - Japanese, Chinese,
and Korean characters, random special chars etc
JtR

25. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• Latest version of john jumbo has made things easier
• No longer shows length in bytes
JtR

26. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
•
• ☺
MD5 – 55 Limit

27. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• 
MD5 – 55 Limit

28. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• John jumbo can be custom compiled
• http://www.openwall.com/lists/john-users/2017/05/05/1
• Non-SIMD build can get higher numbers
• hashcat has a modified version – doesn’t support NTLM
• https://github.com/hashcat/hashcat/tree/longer_passwords_and_salts
• Both will take significant performance hits
Length Increases

29. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
• Cheat sheet for JtR supported hashes (Over 430 of them!)
• May differ from hashcat
• https://www.notsosecure.com/maximum-password-
length-reached/
Cheat Sheet

30. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved.
Thank You
Contact us
contact@notsosecure.com
training@notsosecure.com