
Entries in Pipal (2)

Tuesday, Jun 12, 2012

Lessons in LinkedIn Password Cracking

So this past week the password cracking community had some excitement. Several dumps of hashes were leaked. One of those was LinkedIn. This caught my eye since most professionals use this social media service. I have been a fan of passwords ever since I met Matt Weir when he presented on the science of password cracking. One of his talking points was that people can pick anything as a password but generally follow a pattern. How many of us use a capital first letter and end with the number 1? Password1 is technically a strong password in the eyes of Active Directory.

A few months ago, digininja created a tool, Pipal, which allows analysis of passwords. This gave the community a common metric and analysis tool to run against the various password dumps. Using the data from previous dumps, I was able to fine-tune my hashcat rules and crack over half the LinkedIn hashes.

Lessons Learned

  1. Start with a good dictionary. KoreLogic has a group of amazing word lists here. In addition, SkullSecurity has a list of previously cracked passwords and various wordlists, which I also added to my master_wordlist.dic. To build my master_wordlist.dic I would run "cat infile >> master_wordlist.dic". Make sure to use the double >> or else you wipe out the words already in master_wordlist.dic.
  2. After adding everything to your list, you need to sort it and remove the duplicates. In Windows this is a pain since the list is too big for Excel, and Access just plain stinks to use. Score 1 for Bash! The command "sort master_wordlist.dic | uniq > master_sorted_wordlist.dic" worked perfectly.
  3. Fire up hashcat and crack! Don't forget to use some rules and masks! You don't need a GPU, but it helps. One thing I learned was that my Dell laptop has an nVidia card, so check your gear.
  4. Now that I have a cracked list in hash:plaintext format, we need to remove the hash part. Score 2 for Bash! The command "grep -o '[^:]*$' infile > outfile" will strip the hashes, leaving you a file with only plaintext passwords.
  5. At this point you can perform a Pipal analysis, or you can run your list through hashcat again using the cracked passwords as your new dictionary and apply the rules and masks.
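Steps 1, 2 and 4 above as a small shell script, added here as an example (it is not from the original post). It runs on constructed sample files, uses sort -u in place of "sort | uniq", and strips hashes with cut so that a plaintext containing ':' is kept whole, which the grep one-liner would not do. File and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. Wordlist prep for steps
# 1, 2 and 4, with constructed sample data; names are hypothetical.
export LC_ALL=C

# Steps 1 and 2: append every source list to the master list (>> appends;
# a single > would wipe it), then sort and dedupe in one pass.
build_master_wordlist() {
    out="$1"; shift
    : > "$out.tmp"
    for f in "$@"; do
        cat "$f" >> "$out.tmp"
    done
    sort -u "$out.tmp" > "$out"
    rm -f "$out.tmp"
}

# Step 4: reduce hashcat's hash:plaintext output to the plaintext column.
# cut -d: -f2- keeps everything after the FIRST colon, so "HASH:pass:word"
# yields "pass:word"; grep -o '[^:]*$' would keep only "word".
strip_hashes() {
    cut -d: -f2- "$1"
}

# Constructed sample data (not real dump material).
workdir=$(mktemp -d)
printf 'password\nletmein\nmickey\n'   > "$workdir/list1.txt"
printf 'mickey\nPassword1\nletmein\n'  > "$workdir/list2.txt"
printf 'HASH1:password\nHASH2:pass:word\n' > "$workdir/cracked.txt"

build_master_wordlist "$workdir/master_sorted_wordlist.dic" \
    "$workdir/list1.txt" "$workdir/list2.txt"
echo "== master list (deduped) =="; cat "$workdir/master_sorted_wordlist.dic"
echo "== plaintexts from cracked file =="; strip_hashes "$workdir/cracked.txt"
rm -rf "$workdir"
```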

You can find the Pipal analysis of the LinkedIn dump here. Happy Cracking!

Sunday, Jan 01, 2012

The Happiest Passwords on Earth

So there was a dump a few days ago that covered several companies, including Yahoo, Google, Core Security, and Disney.

The Disney data interested me. Disney is awesome. I love going there even as an adult. There is something about that Disney brand of magic. It may be expensive, but you get a premium experience with Disney.

I wanted to see what type of password logic was in place at that company. It takes a special right-brained creative person to make Disney magic. What type of creative passwords did they have? Not very! All passwords were 8 characters or less! @purehate_ pointed out that DES hashes only allow 8 characters max. Set hashcat accordingly!

Below is a redacted output report from Pipal, an awesome tool for password analysis created by @digininja! Head over to digininja.org to download Pipal, or fire up BT5 and apt-get it!

Total entries = 426
Total unique entries = 419

Password length (length ordered)
1 = 4 (0.94%)
3 = 2 (0.47%)
4 = 6 (1.41%)
5 = 9 (2.11%)
6 = 203 (47.65%)
7 = 97 (22.77%)
8 = 112 (26.29%)

Password length (count ordered)
6 = 203 (47.65%)
8 = 112 (26.29%)
7 = 97 (22.77%)
5 = 9 (2.11%)
4 = 6 (1.41%)
1 = 4 (0.94%)
3 = 2 (0.47%)

|
|
|
|
|
|
|
| |
|||
|||
|||
|||
|||
|||
|||
|||||||||
012345678

One to six characters = 219 (51.41%)
One to eight characters = 426 (100.0%)
More than eight characters = 0 (0.0%)

Only lowercase alpha = 186 (43.66%)
Only uppercase alpha = 1 (0.23%)
Only alpha = 187 (43.9%)
Only numeric = 13 (3.05%)

First capital last symbol = 1 (0.23%)
First capital last number = 12 (2.82%)

Single digit on the end = 83 (19.48%)
Two digits on the end = 43 (10.09%)
Three digits on the end = 14 (3.29%)

Last number
0 = 12 (2.82%)
1 = 54 (12.68%)
2 = 23 (5.4%)
3 = 10 (2.35%)
4 = 11 (2.58%)
5 = 12 (2.82%)
6 = 6 (1.41%)
7 = 10 (2.35%)
8 = 12 (2.82%)
9 = 8 (1.88%)

|
|
|
|
|
|
|
|
|
||
||
||
||| || |
|||||| |||
||||||||||
||||||||||
0123456789

Last digit


Character sets
loweralpha: 186 (43.66%)
loweralphanum: 170 (39.91%)
loweralphaspecial: 25 (5.87%)
numeric: 13 (3.05%)
mixedalphanum: 9 (2.11%)
mixedalpha: 7 (1.64%)
loweralphaspecialnum: 6 (1.41%)
upperalphanum: 2 (0.47%)
mixedalphaspecialnum: 2 (0.47%)
special: 2 (0.47%)
mixedalphaspecial: 2 (0.47%)
upperalpha: 1 (0.23%)

Character set ordering
allstring: 194 (45.54%)
stringdigit: 134 (31.46%)
stringspecial: 21 (4.93%)
stringdigitstring: 21 (4.93%)
othermask: 16 (3.76%)
digitstring: 15 (3.52%)
alldigit: 13 (3.05%)
stringspecialdigit: 4 (0.94%)
stringspecialstring: 3 (0.7%)
specialstring: 3 (0.7%)
allspecial: 2 (0.47%)

Hashcat masks (Top 10)
?l?l?l?l?l?l: 104 (24.41%)
?l?l?l?l?l?l?l?l: 40 (9.39%)
?l?l?l?l?l?l?l: 34 (7.98%)
?l?l?l?l?l?l?d: 26 (6.1%)
?l?l?l?l?l?d: 23 (5.4%)
?l?l?l?l?l?l?l?d: 18 (4.23%)
?l?l?l?l?d?d: 18 (4.23%)
?l?l?l?l?l?l?d?d: 11 (2.58%)
?d?d?d?d?d?d: 10 (2.35%)
?d?l?l?l?l?l?l?l: 10 (2.35%)
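To show how the "Password length" and "Hashcat masks" sections above are derived, here is an added awk-based example (not from the post and not Pipal's own code) that computes both over a constructed sample list and also reports the maximum length, which is the quick check for the 8-character DES ceiling mentioned above. Function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post or of Pipal. Recomputes two
# Pipal sections over a constructed list; names are hypothetical.
export LC_ALL=C

# Hashcat mask per password: ?l lower, ?u upper, ?d digit, ?s anything
# else. Prints "mask count", most common mask first.
hashcat_masks() {
    awk '{
        m = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if      (c ~ /[a-z]/) m = m "?l"
            else if (c ~ /[A-Z]/) m = m "?u"
            else if (c ~ /[0-9]/) m = m "?d"
            else                  m = m "?s"
        }
        n[m]++
    } END { for (m in n) print m, n[m] }' "$1" | sort -k2,2nr -k1,1
}

# Length histogram as "length count (percent)", shortest first.
length_distribution() {
    awk '{ n[length($0)]++; t++ }
         END { for (l in n) printf "%d %d (%.2f%%)\n", l, n[l], 100*n[l]/t }' "$1" \
    | sort -k1,1n
}

# Longest password in the list. A dump that tops out at exactly 8 is the
# tell for a hash scheme that truncates, as the post notes for DES.
max_length() {
    awk 'length($0) > m { m = length($0) } END { print m+0 }' "$1"
}

# Constructed sample (not the Disney data).
sample=$(mktemp)
printf 'mickey\nminnie\ngoofy1\nPluto22\ndonald\n123456\nmagic!\n' > "$sample"
echo "== hashcat masks =="; hashcat_masks "$sample"
echo "== password length =="; length_distribution "$sample"
echo "== max length: $(max_length "$sample")"
rm -f "$sample"
```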

As of 1/1/2012, Disney did have 3 jobs related to information security open.

http://jobs.disney.corp.go.com/los-angeles/facilities-and-security/jobid1985370-manager-information-safeguarding-jobs

http://jobs.disney.corp.go.com/new-york/facilities-and-security/jobid1879313-security-operations-support-specialist-jobs

http://jobs.disney.corp.go.com/los-angeles/accounting-and-finance/jobid1922771-senior-financial-analyst-corporate-compliance-and-controls-jobs