Tuesday, February 22, 2011

Automated Password Cracking: Use oclHashcat To Launch A Fingerprint Attack

The below article explains how I used password fingerprinting to crack 500,000 password hashes in less than half a day completly automated. This article shows each command step by step, but only to describe the details of how password fingerprinting with oclHashcat works. The reality is that the password fingerprinting process can easily be automated by a script which is why we call it automated password cracking.
The Fingerprint Attack in my example had a success rate of about 80% in a 100% automated process after 12 hours with a single GeForce GTX 285. In order to reach the 500,000 cracked hashes I first created a list of 650,000 unique password hashes using a well known leaked password hash database. Once I had the list of 650,000 unique password hashes I started out by doing some easy attacks on the hashes such as a five character long brute force using all possible character sets which will provide an initial wordlist to start the fingerprint attack with. You really do not need to perform this step as explained further below. Once the initial brute force attack is complete the real fingerprinting starts. You will take the initial results, pipe them into the expander, and then run a combined dictionary attack against the hash list. Once we have results from the second set of attacks we use the expander again and issue another attack. You will see through the process, which is described in detail below, that results are returned at a very high rate by automated finding patterns and exploiting those patterns to return results.

Resources Used For Password Fingerprinting Example:

Generate Example Hashlist:
Here we use a real-world database of passwords that was leaked to prove that password fingerprinting works on all levels of passwords including easy passwords, medium strength passwords, and a bit more difficult passwords. Please note that real long and complex passwords are still safe.
Follow the examples below to generate the password hash file containing 650,000 unique md5 password hashes.
  1. Make Password Entries Unique:
    $ bzcat rockyou.txt.bz2 | sort -u > rockyou.txt.uniq
  2. Limit Random Password List Entries To 650,000:
    $ sort -R rockyou.txt.uniq | head -650000 > rockyou.txt.uniq.650k

  3. Generate Hashes From Password List Using dict2hash.pl:
    $ perl dict2hash.pl < rockyou.txt.uniq.650k > rockyou.txt.uniq.650k.md5
The dict2hash.pl is a simple script for generating md5 hashes from dictionary files as shown below. It is available for download at the top of this article under “Resources Used For Password Fingerprinting”.

Issue Some Simple Attacks On The Hash List To Generate Initial Wordlist:
We need a base wordlist to begin our fingerprint attack from so we first issue a simple brute force attack using a full charset at a minimum length so it returns results quickly. By using the full charset we will get password patterns that include special characters, lowercase characters, uppercase characters, and digits which are all used in medium strength password hashes to a bit more difficult strength passwords hashes. You can of course use your own wordlist to generate the initial pattern results files however if you do I recommend you have all types of characters in the wordlist. Follow the examples below to generate the initial wordlist.
  1. Issue Brute Force Attack With oclHashcat: Here we use a full charset (lowercase, uppercase, digits, special characters) to run a five character long brute force against the list of 650,000 unique hashes. This is again what will generate our initial wordlist where we will use password fingerprinting to generate patterns and password results. This specific attack took only a few seconds using oclHashcat with my GeForce GTX 285. Notice in the below oclHashcat command we use the “–-remove” switch to remove the found hashes so we can track results much easier as well as output the results to “res” using the “-o” switch.
    $ ./oclHashcat64.bin -n 80 --remove rockyou.txt.uniq.650k.md5 -1 ?l?d?s?u ?1?1?1 ?1?1 -o res
    Recovered.: 11584/650000 Digests
    Note: If you did the random step above by yourself, these and all following numbers can vary.
  2. Remove MD5′s In Front Of Results: Use the below cut command below to remove the the md5 hash from the beginning of the output so we are left with a list of passwords only.

    $ cut -b 34- < res > res.dict
The Init Looping Process:
We are now going to expand our results file generated above and use these results in a combined dictionary attack. This is where the fingerprint attack really starts.
The expander will do something very easy which is to first decompile a list of provided words into all possible parts or into patterns. Most humans will create passwords from patterns. Many humans are familiar with typical patterns such as appending a 1 to the pattern or adding the year 2010 to end of a pattern so these patterns are known to not be safe. So instead of simply using those patterns many humans will now create more complex patterns. So by using the expander to decompile a big number of words into all of their parts we have all of the complex patterns in our expanded dictionary. Take for example the pattern “!1Qq” which looks complicated but technically it is not very complex. Once we have used the expander to generate an pattern dictionary that will include such patterns thus raising the chances that a human has picked such a password.

How The Expander Works On A Single Pattern:
root@dev:~/oclHashcat-0.22# echo 'an12!Qi' | ./expander.bin
a
n
1
2
!
Q
i
an
12
!Q
n1
2!
Qi
an1
2!Q
n12
!Qi
12!
Qia
an12
n12!
12!Q
2!Qi
an12!
n12!Q
12!Qi
2!Qia
!Qian
an12!Q
n12!Qi
12!Qia
2!Qian
!Qian1
Qian12
an12!Qi
n12!Qia
12!Qian
2!Qian1
!Qian12
Qian12!
ian12!Q

The above provides a simple real world idea of how password fingerprinting works. The fingerprint is simply a specific pattern which is not from a specific person but from a specific source which in this example the source is humans.
  1. Just to see how the status is, use “wc” To Count Lines In the original Results File:
    $ wc -l res.dict
    11584 res.dict
  2. Use Expander On Password Dictionary Results File:
    $ ./expander.bin < res.dict | sort -u > res.dict.exp

  3. Just to see what happend, use “wc” To Count Lines In New Results File:
    $ wc -l res.dict.exp
    112158 res.dict.exp
As a first result, we now have a dictionary file that is filled with all possible patterns from our first five character in length brute force attack. Examples of the patterns that have been located include the below.
2196.
as$$r
osa!
0__04
 r
s**no

Now we simply combine all of these strange looking words in the results file using the combination attack. The combination attack is the base of oclHashcat which is very simple. You have two wordlists which include a left wordlist and a right wordlist and the combination attack combines each word in the right wordlist to each word in the left wordlist for greater length character combinations.
The Looping Process Itself, Combine Results Using oclHashcat’s Combination Engine:
  1. Use Combination Mode To Attack The Hash List With The Expanded Dictionary:
    $ ./oclHashcat64.bin -n 80 --remove rockyou.txt.uniq.650k.md5 res.dict.exp res.dict.exp -o res2
    Recovered.: 147747/638416 Digests
    This 2nd attack only took 1 minute on my GeForce GTX 285. After this attack we had cracked nearly 150,000 unique hashes! Can you believe it?

  2. Remove The MD5 Hashes From Results: Now remove the MD5′s from the results file to generate another password dictionary list as shown below.
    $ cut -b 34- < res2 > res2.dict
  3. Analyze New Password Results List: We now have a treasure of real life patterns such as the examples displayed below.
    <3
    pinky2*
    m121*86
    love=0

  4. Expand The New Dictionary List:
    $ ./expander.bin < res2.dict | sort -u > res2.dict.exp
  5. Repeat From Beginning Of The Looping Process: You can also step out of the looping process here and use some of the tips and tricks from the “Password Fingerprinting Tips & Tricks” section below and then go back to the actual looping process. I repeated these steps for two more iterations while I sit back and watch how it continues to crack more and more complex passwords which is completely automated. In less than two hours I had already found 420,000 passwords from the initial list of 650,000 hashes including these complex examples below.

    300202.eb
    23081990*
    11pixie11!
    123abc123..
    !@1357642
    *baby1981
    1107*im
    il0ve<3
    1sexy-baby
    I didn’t need a single wordlist to accomplish these results however I could use a wordlist as described more in the “Password Fingerprinting Tips & Tricks” section below.
Password Fingerprinting Attack Tips & Tricks:

  1. Fingerprinting Attack Is Made For GPU’s: You can also use Hashcat CPU version to run a fingerprint attack however it has specifically been designed to run on GPU’s using oclHashcat. The fingerprint attack is similar to hybrid attacks or rule attacks however it is definitely superior to them. Hybrid attacks much search a larger key space to find the same results therefore a hybrid attack takes much longer than a fingerprint attack. Rule based attacks can not be applied effeciently enough on GPU’s because the engine was written for CPU’s. Rule based attacks can also be annoying because of the lengthy process of writing the actual rules that will be used in the attack.
  2. Fingerprint Attacks Can Be Automated: You would not need to do anything by hand and your wordlists are never exhausted because they increase in size while the attack is running. You will have zero holes in your attack if you do not know how to use the GPU power effeciently. You can stop the loop at any time if no new passwords are found and after doing so add some words from your wordlists. You can simply build a script that executes the steps from the Looping Process above.
  3. Use Your Own Wordlists: If you have wordlists containing names, wiki dumps, or good small dictionarys like that from milworm, or anything else you can change up your patterns a lot by using such data. At some point you can step out of the loop to use your own wordlist on the right or left side of a combination attack. Use the pattern file on the opposite side of the combination attack and then step back to the loop which will greatly improve the attacks effectiveness.
  4. Careful To Not Use Huge Wordlists With The Expander: Be careful to not use wordlists or dictionaries  that are to large such as the wikipedia-wordlist-sraveau-20090325.txt with the expander. These types of wordlists are great by themselves but you will fail attempting to use them with the expander. These huge wordlists are only good if you use them in combination with a pattern file.
  5. Sharpen Your Patterns: Your pattern file will contain lots of patterns that only consist of lowercase characters which are typically words that are already in our dictionary wordlists so we do not want them in our pattern file. You can filter such words using another simple program called req.bin which is also part of the hashcat-utils. The req.bin application will only output words that match a specific number and any of the dictionary entries which you provide. The numbers paramter defines a character-class that must match the words in your dictionary. in our case we only want words that contain at least one capitalized letter or at least one digit or at least one special character. This process requires three seperate steps which are displayed in examples below.
    1 = lower, 2 = upper, 4 = digit, 8 = symbol
    $ ./req.bin 2 < res2.dict.exp >> pattern.dict.exp
    $ ./req.bin 4 < res2.dict.exp >> pattern.dict.exp
    $ ./req.bin 8 < res2.dict.exp >> pattern.dict.exp

  6. Build Your Own Pattern Dictionary: You can use your pattern multiple times or you can add patterns from small but efficient dictionaries such as milworm, frt, or opencrack_plains. There is a possibility in the beginning of our fingerprint attack that we do not have all of the possible characters in our initial wordlist which would mean we would never find passwords containing the missing characters. Please note that while this article relates to automated cracking of multiple hashes it is entirely possible to use the pattern files you are generating in this process to crack single high quality hashes in the future. It makes sense to save the new dictionary files you have generated and use these in attacks against single hashes.
  7. Limit Length Of The Patterns: Since patterns only make sense in combination mode they should have a maximum length. The oclHashcat application supports password lengths up to 15 characters long which means a good length for the patterns is seven characters long. When used in a combination attack the two pattern files would reach password lengths of 14. The maximum length can be increased by modifying the LEN_MAX variable in expander.c however be careful because this will create huge results!

thanks to atom from question-defense.com for this guide you are the man!!!

No comments:

Post a Comment