3. TEAM
WE are Security Group
WE are ALL Engineers (Almost;)
WE are OWASP Lviv Chapter
WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
4. Agenda
o But WHY??!!
o Our CRACKING RIG
o Different obvious methods
o Not so obvious methods
o Some interesting statistics
23. Where to Start?
We used a dictionary attack as the first attempt
You need a good dictionary. We started with rockyou.txt
You need memory for your hashes. On a GPU this can be a problem: the whole hash list has to fit in device memory
24. So First Try
Cracked around 20% of all hashes (with the rockyou.txt dictionary)
It took around 5 mins
And now you have to think about what to do next
25. We need moar dictionaries!
RockYou contains 14 344 391 words
We tried different dictionaries. The biggest was 1 212 356 398 words and 15 GB in size
All this gives us approx 35% of all hashes
26. Let’s brute it!
We selected passwords of up to 6 chars with the full printable character set (hashcat’s ?a charset), i.e. every length from 1 to 6 in one incremental run
It took around 2 hours
All this gives us approx 45% of all hashes
28. What can we do to get moar?
HashCat has transformation rules: each rule mutates the original word (case changes, appended digits, character substitutions, ...)
Quality of your dictionary is essential. Size doesn’t really matter
Using rules is more time consuming than a plain dictionary attack: every word is tried once per rule, so the candidate count is words × rules
29. What rules are effective?
We used the best64, InsidePro-PasswordsPro and d3ad0ne rules
They were very effective in terms of the number of cracked hashes
All this gives us approx 60% of all hashes
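To make the rule step concrete, here is a small rule engine added for this write-up (it is not code from the talk and not hashcat's implementation). It supports a subset of hashcat's rule syntax, the same syntax best64, PasswordsPro and d3ad0ne are written in, applies each rule line to each word, and runs the candidates against a few constructed MD5 hashes. The dictionary, rule list and target passwords below are made up for the demo; the only thing taken from the real tool is the rule syntax and the `hashcat -m 0 -a 0 -r` invocation named in the docstring.

```python
"""Toy hashcat-style rule engine: an added example, not code from the talk.

Hashcat rule files (best64.rule, d3ad0ne.rule, ...) are lines of
single-character functions, some with arguments; every line is applied to
every dictionary word, so the candidate count is len(words) * len(rules).
This implements a subset of that syntax so the mutations can be inspected.
Equivalent real invocation:
    hashcat -m 0 -a 0 -r rules/best64.rule hashes.txt rockyou.txt
"""
import hashlib


def _pos(c):
    """Hashcat position argument: 0-9, then A-Z for positions 10-35."""
    return int(c) if c.isdigit() else ord(c.upper()) - ord("A") + 10


# Functions that take no argument.
NOARG = {
    ":": lambda w: w,                              # pass the word through unchanged
    "l": lambda w: w.lower(),
    "u": lambda w: w.upper(),
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # capitalize
    "C": lambda w: w[:1].lower() + w[1:].upper(),  # invert capitalize
    "t": lambda w: w.swapcase(),                   # toggle case of every char
    "r": lambda w: w[::-1],                        # reverse
    "d": lambda w: w + w,                          # duplicate
    "f": lambda w: w + w[::-1],                    # reflect
    "{": lambda w: w[1:] + w[:1],                  # rotate left
    "}": lambda w: w[-1:] + w[:-1],                # rotate right
    "[": lambda w: w[1:],                          # delete first char
    "]": lambda w: w[:-1],                         # delete last char
}
# Functions that take one argument: a literal character or a position.
ONEARG = {
    "$": lambda w, a: w + a,                       # append character
    "^": lambda w, a: a + w,                       # prepend character
    "T": lambda w, a: (w[:_pos(a)] + w[_pos(a)].swapcase() + w[_pos(a) + 1:]
                       if _pos(a) < len(w) else w),  # toggle case at position
    "D": lambda w, a: w[:_pos(a)] + w[_pos(a) + 1:],  # delete char at position
    "'": lambda w, a: w[:_pos(a)],                    # truncate to N chars
}
# Functions that take two arguments.
TWOARG = {
    "s": lambda w, a, b: w.replace(a, b),          # replace every a with b
}


def parse_rule(line):
    """Split one rule line into (function, args) tuples. Whitespace between
    functions is optional and ignored; '#' lines are comments."""
    line = line.rstrip("\n")
    if line.startswith("#"):
        return []
    tokens, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch.isspace():
            i += 1
        elif ch in NOARG:
            tokens.append((ch, ())); i += 1
        elif ch in ONEARG:
            tokens.append((ch, (line[i + 1],))); i += 2
        elif ch in TWOARG:
            tokens.append((ch, (line[i + 1], line[i + 2]))); i += 3
        else:
            raise ValueError(f"unsupported rule function {ch!r} in {line!r}")
    return tokens


def apply_rule(word, line):
    """Apply every function of one rule line to the word, left to right."""
    for fn, args in parse_rule(line):
        table = NOARG if not args else ONEARG if len(args) == 1 else TWOARG
        word = table[fn](word, *args)
    return word


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack(target_hashes, words, rules):
    """Dictionary + rules attack on a set of MD5 hex digests.
    Returns {hash: (plaintext, base word, rule)} for every hash recovered."""
    remaining, found = set(target_hashes), {}
    for rule in rules:
        for w in words:
            cand = apply_rule(w, rule)
            h = md5hex(cand)
            if h in remaining:
                found[h] = (cand, w, rule)
                remaining.discard(h)
                if not remaining:
                    return found
    return found


# Constructed demo data: a tiny dictionary, a few best64-style rules and the
# MD5 hashes of four made-up passwords that only a rule can reach.
WORDS = ["password", "qwerty", "lviv", "dragon", "security"]
RULES = [":", "l", "c", "r", "$1", "$1 $2 $3", "c $1 $!",
         "sa@ $1", "$2 $0 $1 $3", "T0 $2 $0 $1 $3"]
TARGETS = {md5hex(p) for p in ["Password1!", "qwerty123", "lviv2013", "dr@gon1"]}


def demo():
    """Run the attack and return the recovered plaintexts, sorted."""
    return sorted(p for p, _, _ in crack(TARGETS, WORDS, RULES).values())


if __name__ == "__main__":
    for h, (p, w, r) in crack(TARGETS, WORDS, RULES).items():
        print(f"{h}:{p}   ({w!r} with rule {r!r})")
```

With only the `:` rule (a plain dictionary run) none of the four hashes fall; with ten rules all four do, which is the whole point of the 45% to 60% jump on the slide. The real rule files have hundreds to tens of thousands of lines, so the candidate count, and the run time, scales accordingly.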
30. Time to go the smarter way
We have 36 million cracked passwords
We can analyze the cracked passwords to determine patterns
These patterns can produce more efficient brute-force masks
32. PACK Tool Features
Can analyze a list of passwords and generate brute-force masks
You can specify password length, time and complexity constraints
Gives you some idea of what types of passwords are popular
33. Is PACK effective?
It can crack passwords similar to the ones you already have
You can flexibly choose the best masks for your constraints
All this gives us approx 65% of all hashes
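The following script is an added example for the PACK slides above and for the full-charset brute force of slide 26; it is not PACK's code and not the talk's own scripts. It derives a hashcat mask from each already-cracked password, counts how often each mask occurs, computes each mask's keyspace, and then picks masks under a time and complexity budget the way PACK's statsgen and maskgen do. The charset sizes (?l 26, ?u 26, ?d 10, ?s 33, ?a 95) are hashcat's built-in values; the sample password list, the hash rate and the 60-second budget are constructed for the demo.

```python
"""PACK-style mask analysis: an added example, not PACK's code and not the
talk's own scripts. Derives a hashcat mask per cracked password, counts
masks, computes keyspaces and selects masks under a time/complexity budget.
Equivalent real invocation for one chosen mask:
    hashcat -m 0 -a 3 hashes.txt '?l?l?l?l?l?l?d?d'
"""
from collections import Counter

# hashcat built-in charsets and their sizes (?b = raw byte, for the rest)
CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?b": 256}
FULL = 95  # ?a = ?l + ?u + ?d + ?s, i.e. all printable ASCII


def char_class(ch):
    """Map one character to the hashcat charset that covers it."""
    if "a" <= ch <= "z":
        return "?l"
    if "A" <= ch <= "Z":
        return "?u"
    if "0" <= ch <= "9":
        return "?d"
    if ch == " " or 33 <= ord(ch) <= 126:   # ?s: space plus ASCII punctuation
        return "?s"
    return "?b"                              # anything else: raw byte


def password_mask(pw):
    return "".join(char_class(c) for c in pw)


def mask_keyspace(mask):
    """Number of candidates a mask generates (product of its charset sizes)."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CHARSETS[mask[i:i + 2]]
    return n


def full_keyspace(max_len, charset=FULL):
    """Candidates for an incremental brute force of lengths 1..max_len,
    as in the 'up to 6 chars, full charset' run (hashcat -a 3 -i ?a?a?a?a?a?a)."""
    return sum(charset ** n for n in range(1, max_len + 1))


def mask_stats(passwords, min_len=1, max_len=64):
    """statsgen: (mask, occurrences, keyspace), most common mask first."""
    counts = Counter(password_mask(p) for p in passwords
                     if min_len <= len(p) <= max_len)
    return sorted(((m, c, mask_keyspace(m)) for m, c in counts.items()),
                  key=lambda s: (-s[1], s[0]))


def select_masks(stats, hash_rate, seconds, max_complexity=None):
    """maskgen with constraints: take masks in order of passwords cracked per
    candidate tried, skipping any that is too complex or would overflow the
    budget. Returns (masks, candidates spent, passwords covered)."""
    budget = hash_rate * seconds
    chosen, spent, covered = [], 0, 0
    for mask, count, ks in sorted(stats, key=lambda s: s[1] / s[2], reverse=True):
        if max_complexity is not None and ks > max_complexity:
            continue
        if spent + ks > budget:
            continue
        chosen.append(mask)
        spent += ks
        covered += count
    return chosen, spent, covered


# Constructed sample of "already cracked" passwords standing in for the
# 36 million from the talk.
CRACKED = [
    "password1", "letmein1", "Summer2013", "qwerty12", "Lviv2013",
    "dragon99", "Winter99", "abc12345", "p@ssw0rd", "Football1",
    "monkey12", "Welcome1", "sunshine", "iloveyou", "hello123",
]

if __name__ == "__main__":
    print(f"full ?a brute force up to 6 chars: {full_keyspace(6):,} candidates")
    stats = mask_stats(CRACKED)
    for mask, count, ks in stats:
        print(f"{mask:28} x{count:<3} keyspace {ks:,}")
    masks, spent, covered = select_masks(stats, hash_rate=1_000_000_000, seconds=60)
    print(f"chosen {masks}: {spent:,} candidates, cover {covered}/{len(CRACKED)}")
```

The ranking by occurrences per candidate is what makes masks cheaper than blind brute force: an 8-character all-lowercase mask costs 26^8 candidates, while a 3-letters-plus-5-digits mask that covers the same number of cracked passwords costs about a hundredth of that, so it is tried first. The full printable brute force up to 6 characters from slide 26 is about 7.4e11 candidates, which is why it ran for hours even though the longest masks chosen here are far shorter than that.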
34. Other types of attacks
PRINCE attack, somewhat similar to using the PACK tool + mutation
Combination of two or more dictionaries (combinator attack)
Hybrid attack, which uses dictionaries + rules + brute-force masks