
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood

Analysis of leaked LinkedIn dumps, methods of cracking passwords, what hardware you need and how long it could take, and some interesting statistics

Published in: Technology

  1. Yurii Bilyk | 2016. How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
  2. WHO AM I: 26 vs 27.5 vs 29
  3. TEAM: WE are Security Group; WE are ALL Engineers (Almost;); WE are OWASP Lviv Chapter; WE are Legio… oops. blog: http://owasp-lviv.blogspot.com skype: y.bilyk
  4. Agenda: But WHY??!!; Our CRACKING RIG; Different obvious methods; Not so obvious methods; Some interesting statistics
  5. Tell Me WHY!? what’s wrong with you?
  6. The Reason: Just for FUN; Good example of Open Source Intelligence; You can really test your skills in password cracking
  7. Some Info: LinkedIn DB contains 250 758 057 e-mails; Only 61 829 208 contain unique hashes; File size of all unique hashes is 2.5 GB
  8. Our CRACKING RIG: because we can
  9. P - Podgotovka (Preparation): LinkedIn DB contains unsalted SHA-1 hashes; GPU should be the best option for this type of hash; Best tool for this case is HashCat
  10. GTX 1080 SHA-1 Benchmark: 8xGPU SHA-1 crack speed: 68 771.0 MH/s. 8xCHARS password Z!sN0/7u: 95 symbols length alphabet; 6.70 × 10^15 search space; 1 day 3 hours 4 minutes 54 seconds to brute ALL combinations
  11. Question of Money: 738x8 = 5904 $$$
  12. Amazon K80 SHA-1 Benchmark: 36xGPU SHA-1 crack speed: 75 200.0 MH/s. 8xCHARS password Z!sN0/7u: 95 symbols length alphabet; 6.70 × 10^15 search space; 1 day 45 minutes 59 seconds to brute ALL combinations
  13. So You’ve said Amazon? (14.4+14.4+7.2)x25 = 900 $$$
  14. Rainbow Alternatives: 1000 $$$
  15. RainBow Seek SHA-1 Benchmark: SHA-1 crack speed: 3 880 000.0 MH/s for 1 hash, 784 000.0 MH/s for 10 hashes. 8xCHARS password Z!sN0/7u: 95 symbols length alphabet; 6.70 × 10^15 search space; 28 minutes <-> 2 hours 22 minutes to brute ALL combinations
  16. Return to Reality: Intel Core i5-3570 @ 3.4GHz: SHA-1 crack speed: ~120.0 MH/s; NVIDIA 750GT (Mobile): SHA-1 crack speed: ~120.0 MH/s
  17. 1xi5-3570 SHA-1 Benchmark: SHA-1 crack speed: 120.0 MH/s. 8xCHARS password Z!sN0/7u: 95 symbols length alphabet; 6.70 × 10^15 search space; 1 year 281 days 10 hours 30 minutes 48 seconds to brute ALL combinations
  18. Some OBVIOUS STEPS: let’s play
  19. Where to Start? We used a dictionary attack as the first attempt; You need a good dictionary. We started with rockyou.txt; You need memory for your hashes. It could be a problem for GPU
  20. So First Try: Cracked around 20% of all hashes (with rockyou.txt dictionary); It took around 5 mins :) And now you have to think what to do next :)
  21. We need moar dictionaries! RockYou contains 14 344 391 words; We tried different dictionaries. The biggest was 1 212 356 398 words and 15 GB in size; All this gives us approx 35% of all hashes
  22. Let’s brute it! We selected up to 6 char passwords with full set of characters; It took around 2 hours; All this gives us approx 45% of all hashes
  23. Magic of STATISTICS: new is well-forgotten old
  24. What can we do to get moar? HashCat has rules of transformation; It mutates the original word; Quality of your dictionary is essential. Size doesn’t rly matter; Using rules is more time consuming than just a dictionary attack
  25. What rules are effective? We used best64, InsidePro-PasswordsPro and d3ad0ne rules; It was very effective in terms of number of hashes; All this gives us approx 60% of all hashes
  26. Time to go smarter way: We have 36 million cracked passwords; We can analyze cracked passwords to determine patterns; These patterns can produce more efficient bruteforce masks
  27. Meet PACK Tool: http://thesprawl.org/projects/pack/
  28. PACK Tool Features: Can analyze a list of passwords and generate bruteforce masks; You can specify password length, time, complexity constraints; Gives you some idea what type of passwords are popular
  29. Is PACK effective? It can crack passwords similar to those you already have; You can flexibly choose the best masks regarding constraints; All this gives us approx 65% of all hashes
  30. Other types of attacks: PRINCE attack, somewhat similar to using the PACK tool + mutation; Combination of TWO or more dictionaries; Hybrid attack, that uses dictionaries + rules + bruteforce masks
  31. Some CHARTS: It’s easy
  32. Length of password (Our)
  33. Length of password (Korelogic)
  34. Character-set of password (Our)
  35. Most Popular Passwords (Korelogic)
  36. Mails (Korelogic)
  37. Base Words (Korelogic)
  38. Thank YOU!
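The benchmark slides (10, 12 and 17) can be checked with a few lines of arithmetic. This is an added example, not code from the talk: it shows that the quoted 6.70 × 10^15 search space is every length from 1 to 8 over 95 symbols, reproduces the GPU timings, and goes one step beyond the slides by computing the length needed to outlast a given rig. The 365.25-day year and the 100-year target are assumptions.

```python
# Added example: reproduces the brute-force timing arithmetic on the slides.
ALPHABET = 95             # printable ASCII symbols, as stated on the slides
MAX_LEN = 8               # the slides' "8xCHARS" case
JULIAN_YEAR = 31_557_600  # seconds in 365.25 days (assumed year length)

# Hash rates quoted on the slides, in MH/s.
RATES_MHS = {
    "8x GTX 1080": 68_771.0,
    "36x Amazon K80": 75_200.0,
    "1x i5-3570": 120.0,
}

def keyspace(alphabet: int, max_len: int) -> int:
    """Number of candidates of every length from 1 to max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def exhaust_seconds(space: int, rate_mhs: float) -> int:
    """Whole seconds to try every candidate at rate_mhs million hashes/s."""
    return int(space / (rate_mhs * 1_000_000))

def breakdown(seconds: int) -> tuple:
    """Split seconds into (years, days, hours, minutes, seconds)."""
    years, rest = divmod(seconds, JULIAN_YEAR)
    days, rest = divmod(rest, 86_400)
    hours, rest = divmod(rest, 3_600)
    minutes, secs = divmod(rest, 60)
    return years, days, hours, minutes, secs

def min_length_to_outlast(rate_mhs: float, years: int, alphabet: int = ALPHABET) -> int:
    """Shortest maximum length whose full search takes at least `years`."""
    n = 1
    while exhaust_seconds(keyspace(alphabet, n), rate_mhs) < years * JULIAN_YEAR:
        n += 1
    return n

if __name__ == "__main__":
    space = keyspace(ALPHABET, MAX_LEN)
    print(f"search space: {space:.2e}")
    for rig, rate in RATES_MHS.items():
        print(rig, breakdown(exhaust_seconds(space, rate)))
    print("length to outlast 100 years on 8x GTX 1080:",
          min_length_to_outlast(RATES_MHS["8x GTX 1080"], 100))
```

Each extra character multiplies the work by 95, which is why a random password of 11 printable characters already exceeds a century on the 8-GPU rig while 8 characters fall in about a day.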
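Slides 7 and 9 note that the dump held unsalted SHA-1 and that 250 758 057 e-mails collapsed to 61 829 208 unique hashes. The added example below (not code from the talk) stores the same constructed accounts both ways to show why: unsalted SHA-1 gives identical digests for identical passwords, while a per-user salt with PBKDF2 makes every record distinct and forces per-account work. The account list, the 200 000 iteration count and the simple cost model are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not taken from any real dump).
ACCOUNTS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "linkedin"),
    ("carol@example.com", "123456"),
    ("dave@example.com", "Z!sN0/7u"),
    ("erin@example.com", "linkedin"),
]
ITERATIONS = 200_000  # assumed work factor for this demo

def unsalted_store(accounts) -> dict:
    """The weak scheme from the slides: bare SHA-1 of the password."""
    return {mail: hashlib.sha1(pw.encode()).hexdigest() for mail, pw in accounts}

def salted_store(accounts, iterations: int = ITERATIONS) -> dict:
    """Hardened form: random 16-byte salt per user plus PBKDF2-HMAC-SHA256."""
    store = {}
    for mail, pw in accounts:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[mail] = (salt, iterations, digest)
    return store

def verify(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def unique_values(store: dict) -> int:
    return len(set(store.values()))

def work_per_guess(n_accounts: int, salted: bool, iterations: int = ITERATIONS) -> int:
    """Rough cost model: hash invocations needed to test one candidate
    password against every account in the store."""
    return n_accounts * iterations if salted else 1

if __name__ == "__main__":
    weak, strong = unsalted_store(ACCOUNTS), salted_store(ACCOUNTS)
    print("unsalted unique hashes:", unique_values(weak), "of", len(ACCOUNTS))
    print("salted unique records: ", unique_values(strong), "of", len(ACCOUNTS))
    print("work per guess, unsalted:", work_per_guess(len(ACCOUNTS), False))
    print("work per guess, salted:  ", work_per_guess(len(ACCOUNTS), True))
```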
