A Song of Hashes and Dumps: What I've learned from cracking .br passwords

Transcript

1. A song of hashes and dumps WHAT I'VE LEARNED FROM

   CRACKING .BR PASSWORDS Daniel Marques Black Hat Regional Summit São Paulo November 2014

2. Daniel Marques @0xc0da, your friendly neighbor Penetration Tester First time

   Blackhat Speaker Not a “professional” password cracker

3. Disclaimer This research has no intention to cause any harm.

   It is only for educational purposes. Opinions on my own, so my employer or clients cannot be hold responsible for what you will see here.

4. 50% of hashes can be cracked with RockYou + best64

   PasswordsCon ‘13 “ ”

5. .br hashes? Works for

6. Collect .br dumps Classify the hashes Analyze data

7. lessons learned Focus on during the research

8. lessons learned tools wordlists rules scripts patterns stats

9. Collecting .br dumps Challenge #1 few dumps available keeping organized

10. pastebot Enter Automating dump collection and organization

11. pastebot Web interface Modified Dumpmon (thx Jordan!) Pastebot db

12. Extracting dump data Challenge #2 bad formatting truncated hashes

13. /t , examples

14. extract-hashes.py Dump Regexes SHA1 MD5

15. hash algorithms? Thinking Yeah, I was curious too.

16. think again. 54% clear text passwords 42% unsalted hash 4%

    Salted hash

17. Let’s crack some passwords!!

18. Scenarios No password policy 8 alphanumeric chars (uppercase + lowercase)

    6 alphanumeric + 1 special chars (uppercase + lowercase)

19. Classifying hashes Challenge #3 Manual classification

20. Wordlists Crackstation (Human Only) InsidePro 2012 RockYou Cain & Abel

    John The Ripper 500 Worst Passwords

21. Wordlist only Round #1 Hashcat without best64.rule

22. no password policy Crackstation ~39% RockYou ~35% Others ~10%

23. 8 alphanum (uppercase + lowercase) Inside Pro ~13% RockYou ~3%

    Crackstation ~1%

24. 6 alphanum + special (uppercase + lowercase) Inside Pro ~1%

    Others <1%

25. Wordlist + best64 Round #2 Hashcat with best64.rule

26. no password policy Crackstation ~45% RockYou ~44% Inside Pro ~15%

27. 8 alphanum (uppercase + lowercase) Inside Pro ~16% RockYou ~3%

    Crackstation ~2%

28. 6 alphanum + special (uppercase + lowercase) Inside Pro ~2%

    Others <1% RockYou ~4%

29. PT-BR wordlists The making of

30. wordlists with NLTK Data NLTK script Words Sentences

31. dump.br dump.br dump.br Crack passwords Data analysis Wordlist

32. password patterns Pipal Custom Scripts Passwords Stats Patterns

33. identified patterns Obsevartions on using the previous scenarios

34. no password policy 6-8 chars Numbers only Service or tool

    name 123

35. 8 alphanum (uppercase + lowercase) Blackhat1 Renata10

36. 6 alphanum + special (uppercase + lowercase) Name@[0-9] First or

    Last name Most used special char, followed by “!”

37. BONUS STAGE!

38. world readable logs SQL Query FTW

39. more log files Google Code, Yay! Guess who user ID

    =1 is?

40. plain text in log files Username + Password (clear text)

    ~ 6K UNIQUE credentials in a single file. http://xxx.com.br/logs/xxx.log.bkp

41. Wordlist PT-BR + best64 Round #3 Hashcat with best64.rule Considering

    whole new dumps

42. no password policy PT-BR + best64 ~52%

43. 8 alphanum (uppercase + lowercase) PT-BR + best64 ~16%

44. 6 alphanum + special (uppercase + lowercase) PT-BR + best64

    ~8%
45. None

46. improve pastebot pastebot Dumpmon Parsing data CrackEngine White Chappel JtR

    Hashcat Wordlists Pipal Tag cloud Automated wordlist generation

47. distributed approach CrackEngine Multiple nodes Auto deploy Instances Collaborative (really)

    Long-term future

48. BONUS STAGE!

49. Makes a lot more Sorry, folks! sense in Portuguese

50. porondequerqueeuvalevovocenoolhar

51. vemnimimqueeutoqueto Em um dump .gov euamomeusfilhos Em um dump pornográfico

52. ninguemdescobreminhasenhamano

53. None

54. Thank You! [email protected] @0xc0da codalabs.net /0xc0da