Passwords13 Smarter Password Cracking With Pack

Copyright 2013.
Peter Kacherginsky
Peter Kacherginsky @_iphelix

http://thesprawl.org
Security research and consulting

http://redteamsecure.com
Proud member of Team Hashcat

http://hashcat.net
IGHASHGPU
Downloaded 2500
uncracked passwords
Brute-force attack
5.6 Billion Keys/Sec
24 Hours
300 passwords
24 Hours
Smarter approach
to password
cracking
300 passwords
Psychology
Technology
Security
I like
cracking
Max length
8 characters
1 Special, 1
Digit, 1 Upper
Characters
Cr@cker1
through detection and

analysis of patterns in
password creation factors to
reduce runtime and increase
success rate.
Password analysis tools

Length and Character-Set
Mask Patterns
Policy Patterns
Word Mangling Rules (new!)
Helps craft pattern-based attacks
against password lists
Uses Hashcat masks and rules format.
https://thesprawl.org/projects/pack
http://github.com/iphelix/PACK
Source
Date
Count
Cracked
Notes
PhpBB**
January 2009
184,389
97%*
MD5 Encrypted
RockYou**
December 2009
14,344,391
100%
Clear-text
Gawker***
December 2010
1,084,394
92%*
DES Encrypted
Stratfor***
December 2011
804,041
93%*
MD5 Encrypted
LinkedIn***
June 2012
5,374,200
94%*
SHA1 Encrypted
eHarmony***
June 2012
1,475,738
97%*
MD5 Encrypted
Gamigo***
July 2012
6,306,186
90%*
MD5 Encrypted
Note:
* Important: all statistics will be generated relative to the percentage cracked
** http://www.skullsecurity.org/wiki/index.php/Passwords
*** http://www.adeptus-mechanicus.com/codex/hashpass/hashpass.php
oclHashcat-plus
Hash Type
Performance*
NTLM
7501M c/s
MD5
5470M c/s
SHA1
2136M c/s
SHA256
1012M c/s
SHA512
76M c/s
AMD Radeon 7970
* http://hashcat.net/oclhashcat-plus/
* http://golubev.com/gpuest.htm
$ python statsgen.py rockyou.txt

[*] Analyzing passwords: rockyou.txt
[+] Analyzing 100% (14344391/14344391) passwords
[*] Length Statistics...
[+]
8: 20% (2966004)
[+]
7: 17% (2506264)
[+]
9: 15% (2191000)
[+]
10: 14% (2013690)
[+]
6: 13% (1947858)
[+]
11: 06% (865973)
[+]
12: 03% (555333)
[+]
13: 02% (364169)
[+]
5: 01% (259174)
[+]
14: 01% (248514)
[+]
15: 01% (161181)
...
80.0%
30.0%
31.0%
0.0%
0.0%
0.0%
0.0%
2.0%
1.0%
0.0%
RockYou
0.0%
4.0%
0.0%
2.0%
3.0%
1.0%
4.0%
22.0%
10.0%
17.0%
6.0%
17.0%
13.0%
eHarmony
3.0%
17.0%
11.0%
14.0%
6.0%
19.0%
17.0%
63.0%
20.0%
2.0%
10.0%
17.0%
0.0%
12.0%
14.0%
15.0%
Gamigo
20.0%
17.0%
Gawker
1.0%
6.0%
12.0%
0.0%
44.0%
13.0%
14.0%
0.0%
2.0%
6.0%
0.0%
4.0%
6.0%
6.0%
0.0%
1.0%
4.0%
0.0%
2.0%
4.0%
3.0%
0.0%
2.0%
1.0%
2.0%
0.0%
1.0%
0.0%
1.0%
10
11
12
13
14
15
LinkedIn
PhpBB
Stratfor
80.0%
30.0%
31.0%
0.0%
0.0%
0.0%
0.0%
2.0%
1.0%
0.0%
RockYou
0.0%
4.0%
0.0%
2.0%
3.0%
1.0%
4.0%
22.0%
10.0%
17.0%
6.0%
17.0%
13.0%
eHarmony
3.0%
17.0%
11.0%
14.0%
6.0%
19.0%
17.0%
63.0%
20.0%
2.0%
10.0%
17.0%
0.0%
12.0%
14.0%
15.0%
Gamigo
20.0%
17.0%
Gawker
1.0%
6.0%
12.0%
0.0%
44.0%
13.0%
14.0%
0.0%
2.0%
6.0%
0.0%
4.0%
6.0%
6.0%
0.0%
1.0%
4.0%
0.0%
2.0%
4.0%
3.0%
0.0%
2.0%
1.0%
2.0%
0.0%
1.0%
0.0%
1.0%
10
11
12
13
14
15
LinkedIn
PhpBB
Stratfor
1 to 8
1 to 10
0.0%
10.0%
Stratfor
20.0%
PhpBB
30.0%
40.0%
LinkedIn
50.0%
Gawker
60.0%
Gamigo
70.0%
80.0%
eHarmony
90.0%
RockYou
100.0%
$ python statsgen.py rockyou.txt

[*] Analyzing passwords: rockyou.txt
[+] Analyzing 100% (14344391/14344391) passwords
...
[*] Charset statistics...
[+]
loweralphanum: 42% (6075055)
[+]
loweralpha: 25% (3726656)
[+]
numeric: 16% (2346842)
[+]
loweralphaspecialnum: 03% (472673)
[+]
upperalphanum: 02% (407436)
[+]
mixedalphanum: 02% (382246)
[+]
loweralphaspecial: 02% (381095)
[+]
upperalpha: 01% (229893)
[+]
mixedalpha: 01% (159332)
[+]
mixedalphaspecialnum: 00% (53240)
[+]
mixedalphaspecial: 00% (49633)
[+]
upperalphaspecialnum: 00% (27732)
[+]
upperalphaspecial: 00% (26795)
[+]
special: 00% (5763)
...
65.0%
60.0%
42.0% 43.0%
42.0%
37.0%
25.0%
12.0%
0.0%
0.0%
RockYou
16.0%
5.0%
4.0%
1.0%
eHarmony
12.0%
3.0%
0.0%
0.0%
0.0%
Gamigo
3.0%
2.0%
0.0%
Gawker
2.0%
0.0%
0.0%
0.0%
LinkedIn
2.0%0.0%
0.0%
PhpBB
3.0%
1.0%
0.0%2.0%
Stratfor
1.0%0.0%
0.0%
65.0%
60.0%
42.0% 43.0%
42.0%
37.0%
25.0%
12.0%
0.0%
0.0%
RockYou
16.0%
5.0%
4.0%
1.0%
eHarmony
12.0%
3.0%
0.0%
0.0%
0.0%
Gamigo
3.0%
2.0%
0.0%
Gawker
2.0%
0.0%
0.0%
0.0%
LinkedIn
2.0%0.0%
0.0%
PhpBB
3.0%
1.0%
0.0%2.0%
Stratfor
1.0%0.0%
0.0%
76 Days
BruteForce
(All-character space)
47 Minutes
RockYou Pattern
(loweralphanumeric)
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
$ python statsgen.py --maxlength=8

--charset="loweralphanum,numeric,loweralpha gawker.txt
Analysis filters
[+] Analyzing 90% (986425/1084394) of passwords

NOTE: Statistics below is relative to the number of analyzed passwords, not
total number of passwords
[+]
[+]
[+]
[+]
[+]
[+]
[+]
[+]
8:
6:
7:
5:
4:
3:
2:
1:
62%
18%
14%
02%
01%
00%
00%
00%
(612522)
(183307)
(146152)
(26438)
(15088)
(2497)
(308)
(113)

[+]
loweralphanum: 47% (470580)
[+]
loweralpha: 46% (459208)
[+]
numeric: 05% (56637)
1 to 8
eHarmony
1 to 10
eHarmony
0.0%
10.0%
Stratfor
20.0%
PhpBB
30.0%
LinkedIn
40.0%
50.0%
Gawker
60.0%
Gamigo
70.0%
eHarmony
80.0%
90.0%
RockYou
100.0%

[+]
[+]
6: 84% (254004)
5: 15% (46821)

[+]
upperalphanum: 57% (173459)
[+]
upperalpha: 42% (126954)
[+]
numeric: 00% (187)
[+]
upperalphaspecialnum: 00% (118)
[+]
upperalphaspecial: 00% (101)
[+]
loweralphaspecialnum: 00% (5)
[+]
special: 00% (1)
1898 Years
BruteForce
42 Days
Targetted Pattern
(upperalphanumeric)
RockYou Pattern
(loweralphanumeric)
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
70.0%
80.0%
90.0%
100.0%
P a s swo r d 1 !
?u
?l
?l
?l
?l
?l
?l
?l
?d
?s
$ python statsgen.py rockyou.txt o rockyou.masks

...
[*] Advanced Mask statistics...
[+]
?l?l?l?l?l?l?l?l: 04% (688053)
[+]
?l?l?l?l?l?l: 04% (601257)
[+]
?l?l?l?l?l?l?l: 04% (585093)
[+]
?l?l?l?l?l?l?l?l?l: 03% (516862)
[+]
?d?d?d?d?d?d?d: 03% (487437)
[+]
?d?d?d?d?d?d?d?d?d?d: 03% (478224)
[+]
?d?d?d?d?d?d?d?d: 02% (428306)
[+]
?l?l?l?l?l?l?d?d: 02% (420326)
[+]
?l?l?l?l?l?l?l?l?l?l: 02% (416961)
[+]
?d?d?d?d?d?d: 02% (390546)
[+]
?d?d?d?d?d?d?d?d?d: 02% (307540)
[+]
?l?l?l?l?l?d?d: 02% (292318)
[+]
?l?l?l?l?l?l?l?d?d: 01% (273640)
...
25.0%
20.0%
15.0%
10.0%
5.0%
0.0%
RockYou
Gamigo
Gawker
LinkedIn
PhpBB
Stratfor
Complexity (keyspace):
208827064576
?u
?l
Time: 3.5 minutes

(1,000,000,000 PPS)
?l
?l
Length: 8
?l
?l
?l
?l
Occurrence: 17097
$ python maskgen.py rockyou.masks -t 86400 --showmasks -optindex -q

[*] Analyzing masks in [rockyou.masks]
[*] Using 1,000,000,000 keys/sec for calculations.
[*] Sorting masks by their [optindex].
[L:] Mask:
[ Occ: ] [ Time: ]
...
[ 8] ?u?u?d?d?d?d?s?s
[30
] [ 0:00:07]
[ 9] ?l?l?l?l?l?l?d?d?s
[4149
] [ 0:16:59]
[ 8] ?s?d?d?l?l?l?l?l
[159
] [ 0:00:39]
[ 9] ?l?l?l?l?d?d?d?d?l
[480
] [ 0:01:58]
[ 8] ?d?d?d?d?s?d?l?l
[9
] [ 0:00:02]
[ 8] ?l?d?d?d?d?d?l?s
[9
] [ 0:00:02]
[ 9] ?l?l?d?d?l?l?l?d?d
[478
] [ 0:01:58]
[ 8] ?l?l?l?l?s?d?d?s
[200
] [ 0:00:49]
...
[!] Target time exceeded.
[*] Finished generating masks:
Masks generated: 5285
Masks coverage: 75% (10794350/14344380)
Masks runtime:
1 day, 0:32:08

[L:] Mask:
[ Occ: ] [ Time: ]
Masks sorting mode
...
[ 8] ?u?u?d?d?d?d?s?s
[30
] [OptIndex
0:00:07]= Complexity/Occurrence
[ 9] ?l?l?l?l?l?l?d?d?s
[4149
] [ 0:16:59]
[ 8] ?s?d?d?l?l?l?l?l
[159
] [ 0:00:39]
[ 9] ?l?l?l?l?d?d?d?d?l
[480
] [ 0:01:58]
[ 8] ?d?d?d?d?s?d?l?l
[9
] [ 0:00:02]
[ 8] ?l?d?d?d?d?d?l?s
[9
] [ 0:00:02]
[ 9] ?l?l?d?d?l?l?l?d?d
[478
] [ 0:01:58]
[ 8] ?l?l?l?l?s?d?d?s
[200
] [ 0:00:49]
...
Masks coverage: 75% (10794350/14344380)
Masks runtime:
1 day, 0:32:08

[L:] Mask:
[ Occ: ] [ Time: ]
Target runtime
...
[ 8] ?u?u?d?d?d?d?s?s
[30
] [ 0:00:07]
(seconds)
[ 9] ?l?l?l?l?l?l?d?d?s
[4149
] [ 0:16:59]
[ 8] ?s?d?d?l?l?l?l?l
[159
] [ 0:00:39]
[ 9] ?l?l?l?l?d?d?d?d?l
[480
] [ 0:01:58]
[ 8] ?d?d?d?d?s?d?l?l
[9
] [ 0:00:02]
[ 8] ?l?d?d?d?d?d?l?s
[9
] [ 0:00:02]
[ 9] ?l?l?d?d?l?l?l?d?d
[478
] [ 0:01:58]
[ 8] ?l?l?l?l?s?d?d?s
[200
] [ 0:00:49]
...
Masks coverage: 75% (10794350/14344380)
Masks runtime:
1 day, 0:32:08

[L:] Mask:
[ Occ: ] [ Time: ]
...
[ 8] ?u?u?d?d?d?d?s?s
[30
] [ 0:00:07]
[ 9] ?l?l?l?l?l?l?d?d?s
[4149
] [ 0:16:59]
[ 8] ?s?d?d?l?l?l?l?l
[159
] [ 0:00:39]
Sorted Masks
[ 9] ?l?l?l?l?d?d?d?d?l
[480
] [ 0:01:58]
[ 8] ?d?d?d?d?s?d?l?l
[9
] [ 0:00:02]
(higher is better)
[ 8] ?l?d?d?d?d?d?l?s
[9
] [ 0:00:02]
[ 9] ?l?l?d?d?l?l?l?d?d
[478
] [ 0:01:58]
[ 8] ?l?l?l?l?s?d?d?s
[200
] [ 0:00:49]
...
Masks coverage: 75% (10794350/14344380)
Masks coverage and
Masks runtime:
1 day, 0:32:08
total runtime
--occurrence
--optindex
--complexity
100.00%
90.00%
80.00%
70.00%
60.00%
50.00%
40.00%
30.00%
20.00%
10.00%
0.00%
RockYou
Gamigo
Gawker
LinkedIn
PhpBB
Stratfor
eHarmony
* 1,000,000,000 keys/sec
--occurrence
--optindex
--complexity
18000
16000
14000
12000
10000
8000
6000
4000
2000
0
RockYou
Gamigo
Gawker
LinkedIn
PhpBB
Stratfor
eHarmony
* 1,000,000,000 keys/sec
LINKEDIN
100.00%
RockYou OptIndex
GAMIGO
LinkedIn OptIndex
100.00%
90.00%
90.00%
80.00%
80.00%
70.00%
70.00%
60.00%
60.00%
50.00%
50.00%
40.00%
40.00%
30.00%
30.00%
20.00%
20.00%
10.00%
10.00%
0.00%
0.00%
1
15
30
1 Hour 6 Hours 12 Hours 1 Day
Minute Minutes Minutes
5 Days 30 Days
RockYou OptIndex
1 Minute
Gamigo OptIndex
15
30
Minutes Minutes
5 Days 30 Days
PHPBB
100.00%
RockYou OptIndex
EHARMONY
PHPBB OptIndex
RockYou OptIndex
eHarmony OptIndex
100.00%
90.00%
90.00%
80.00%
80.00%
70.00%
70.00%
60.00%
60.00%
50.00%
50.00%
40.00%
40.00%
30.00%
30.00%
20.00%
20.00%
10.00%
10.00%
0.00%
0.00%
1
15
30
1 Hour 6 Hours
12
Minute Minutes Minutes
Hours
1 Day
5 Days 30 Days
1 Minute
15
30
Minutes Minutes
5 Days 30 Days
STRATFOR
RockYou OptIndex
100.00%
Stratfor OptIndex
90.00%
80.00%
70.00%
60.00%
50.00%
40.00%
30.00%
20.00%
10.00%
0.00%
1 Minute
15 Minutes 30 Minutes
1 Hour
6 Hours
12 Hours
1 Day
5 Days
30 Days
60 Days
120 Days
1 Year
8 CHARACTER PASSWORDS
Non-Compliant
38%
Only need to
target this.
Compliant
62%
76 DAYS
Non-Compliant
41 days*
Takes less than

half expected time
Compliant
35 days*
* 1,000,000,000 keys/sec
Minimum password policy definition

$ python policygen.py --mindigit=1 --minlower=1 --minupper=1 -minspecial=1 --showmasks q o policy-compliant.hcmask
[*] Password policy:
Password policy compliant
Pass Lengths: min:8 max:8
masks
Min strength: l:1 u:1 d:1 s:1
Max strength: l:None u:None d:None s:None
[*] Generating [compliant] masks.
[*] Generating 8 character password masks.
[ 8] ?d?d?d?d?d?l?u?s
[l: 1 u: 1 d: 5 s: 1] [ 0:00:02]
[ 8] ?d?d?d?d?d?l?s?u
[l: 1 u: 1 d: 5 s: 1] [ 0:00:02]
[ 8] ?d?d?d?d?d?u?l?s
[l: 1 u: 1 d: 5 s: 1] [ 0:00:02]
...
[*] Total Masks: 65536 Time: 76 days, 18:50:04
[*] Policy Masks: 40824 Time: 35 days, 0:33:09
Minimum password policy
$ python
policygen.py
--mindigit=1 --minlower=1 --minupper=1
--minspecial=1 --showmasks q o policy-compliant.hcmask --noncompliant

Password policy non-compliant
Min strength: l:1 u:1 d:1 s:1
masks
Max strength: l:None u:None d:None s:None
[*] Generating [non-compliant] masks.
[ 8] ?d?d?d?d?d?d?d?d
[l: 0 u: 0 d: 8 s: 0] [ 0:00:00]
[ 8] ?d?d?d?d?d?d?d?l
[l: 1 u: 0 d: 7 s: 0] [ 0:00:00]
[ 8] ?d?d?d?d?d?d?d?u
[l: 0 u: 1 d: 7 s: 0] [ 0:00:00]
...
1. Obtain a small sample with bruteforce:

./oclHashcat-plus64.bin -n 160 --runtime 3600 -m 0 -a 3 -o stratfor.dict -outfile-format=2 stratfor.hash ?a?a?a?a?a?a?a?a
Session.Name...: oclHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?a?a?a?a?a?a?a?a)
Hash.Target....: File (stratfor.hash)
Hash.Type......: MD5
Time.Started...: Mon Jul 22 14:35:30 2013 (8 secs)
Time.Estimated.: Fri Sep 6 14:52:09 2013 (46 days, 0 hours)
Speed.GPU.#1...: 2528.8 MH/s
Recovered......: 1016/822657 (0.12%) Digests, 0/1 (0.00%) Salts
Progress.......: 13736345600/6634204312890625 (0.00%)
Rejected.......: 0/13736345600 (0.00%)
HWMon.GPU.#1...: 79% Util, 50c Temp, 39% Fan
2. Analyze recovered passwords with statsgen:

$ python statsgen.py stratfor.dict
...
[+]
8: 100% (6961)
[+]
loweralphanum:
[+]
mixedalphanum:
[+]
loweralpha:
[+]
mixedalpha:
[+]
numeric:
...
34%
23%
22%
11%
02%
(2417)
(1613)
(1596)
(825)
(199)
User selected
passwords
Randomly generated
passwords
3. Generate targeted policy masks with policygen.

$ python policygen.py --mindigit=0 --minlower=1 --minupper=1 --maxspecial=0
-o stratfor-policy.hcmask
[*] Saving generated masks to [stratfor-policy.hcmask]
Min strength: l:1 u:1 d:0 s:None
Max strength: l:None u:None d:None s:0
[*] Generating [compliant] masks.
STRATFOR
RockYou OptIndex
Stratfor OptIndex
Stratfor Policy
RockYou Complexity
100.00%
90.00%
80.00%
70.00%
60.00%
50.00%
40.00%
30.00%
20.00%
10.00%
0.00%
1 Minute
15
30
Minutes Minutes
5 Days 30 Days 60 Days 120 Days 1 Year
p$$w0rAd123
Replace all
instances of s
with $
Based on the
dictionary word
password
Insert A
p$$w0rAd123
Delete second
character
Substitute o
with 0
Append 123
Passwords
Words and
Rules
Apply
other rules
password
remix
p$$w0rAd123
D1 ss$ so0
i6A $1 $2 $3
other words
Reverse
Source
Word(s)
Levenshtein
Rule(s)
Hashcat
Rule(s)
Profit!
Source
Word(s)
Is a word mangled password a case of intentional misspelling?

p4ssword1 => password, swordplay, crossword
Does it work for more complex passwords?

1pa$$word1 => pulpwood, upwardness
Can we improve results with a bit of pre-analysis?

1pa$$word1 => password, broadsword, swordplayer
Source
Word(s)
What other rules can be detected readily by pre-analysis?
Rotation: wordpass => password

Reversal: drowssap => password
Prefix/Appendix: 1password1 => password
Duplication: passwordpassword => password
Combination: super!man => super + man
Patterns: password@gmail.com => password
How about custom dictionaries for targeted attacks?

Iloveu123 => spillover, allover, alleviate
Iloveu123 => iloveu
Source
Word(s)
How can we prioritize generated source words?

Levenshtein Edit Distance
distance between two words is the minimum number of single-character edits
(insertion, deletion, substitution) required to change one word into the other.
-Wikipedia (http://en.wikipedia.org/wiki/Levenshtein_distance)
p4ssw0rd =>
password Edit distance 2
Pissaro
Edit distance 5
assured
Edit distance 5
Levenshtein
Rule(s)
Levenshtein Edit Distance Algorithm
p
p
4
s
s
w
0
r
d
0
p
4
s
s
w
0
r
d
p
1
a
2
s
3
s
4
w
5
o
6
r
7
d
8
p
4
s
s
w
0
r
d
0
1
p
1
0
a
2
1
s
3
2
s
4
3
w
5
4
o
6
5
r
7
6
d
8
7
p
4
s
s
w
0
r
d
0
1
2
p
1
0
1
a
2
1
1
s
3
2
2
s
4
3
3
w
5
4
4
o
6
5
5
r
7
6
6
d
8
7
7
p
4
s
s
w
0
r
d
0
1
2
3
4
5
6
7
8
p
1
0
1
2
3
4
5
6
7
a
2
1
1
2
3
4
5
6
7
s
3
2
2
1
2
3
4
5
6
s
4
3
3
2
1
2
3
4
5
w
5
4
4
3
2
1
2
3
4
o
6
5
5
4
3
2
2
3
4
r
7
6
6
5
4
3
3
2
3
d
8
7
7
6
5
4
4
3
2
Insertion
Same or Substitution
Deletion
p
4
s
s
w
0
r
d
0
1
2
3
4
5
6
7
8
p
1
0
1
2
3
4
5
6
7
a
2
1
1
2
3
4
5
6
7
s
3
2
2
1
2
3
4
5
6
s
4
3
3
2
1
2
3
4
5
w
5
4
4
3
2
1
2
3
4
o
6
5
5
4
3
2
2
3
4
r
7
6
6
5
4
3
3
2
3
d
8
7
7
6
5
4
4
3
2
p
4
s
s
w
0
r
d
0
1
2
3
4
5
6
7
8
p
1
0
1
2
3
4
5
6
7
a
2
1
1
2
3
4
5
6
7
s
3
2
2
1
2
3
4
5
6
s
4
3
3
2
1
2
3
4
5
w
5
4
4
3
2
1
2
3
4
o
6
5
5
4
3
2
2
3
4
r
7
6
6
5
4
3
3
2
3
d
8
7
7
6
5
4
4
3
2
p
4
s
s
w
0
r
d
0
1
2
3
4
5
6
7
8
p
1
0
1
2
3
4
5
6
7
a
2
1
1
2
3
4
5
6
7
s
3
2
2
1
2
3
4
5
6
s
4
3
3
2
1
2
3
4
5
w
5
4
4
3
2
1
2
3
4
o
6
5
5
4
3
2
2
3
4
r
7
6
6
5
4
3
3
2
3
d
8
7
7
6
5
4
4
3
2
p
4
s
s
w
0
r
d
0
1
2
3
4
5
6
7
8
p
1
0
1
2
3
4
5
6
7
a
2
1
1
2
3
4
5
6
7
s
3
2
2
1
2
3
4
5
6
s
4
3
3
2
1
2
3
4
5
w
5
4
4
3
2
1
2
3
4
o
6
5
5
4
3
2
2
3
4
r
7
6
6
5
4
3
3
2
3
d
8
7
7
6
5
4
4
3
2
p
s
s
w
0
r
d
1
0
1
2
3
4
5
6
7
8
p
1
0
1
2
3
4
5
6
7
a
2
1
1
2
3
4
5
6
7
s
3
2
1
1
2
3
4
5
6
s
4
3
2
1
2
3
4
5
6
w
5
4
3
2
1
2
3
4
5
o
6
5
4
3
2
2
3
4
5
r
7
6
5
4
3
3
2
3
4
d
8
7
6
5
4
4
3
2
3
p
s
s
w
0
r
d
1
0
1
2
3
4
5
6
7
8
p
1
0
1
2
3
4
5
6
7
a
2
1
1
2
3
4
5
6
7
s
3
2
1
1
2
3
4
5
6
s
4
3
2
1
2
3
4
5
6
w
5
4
3
2
1
2
3
4
5
o
6
5
4
3
2
2
3
4
5
r
7
6
5
4
3
3
2
3
4
d
8
7
6
5
4
4
3
2
3
Hashcat
Rule(s)
Hashcat rules to transform password to pssw0rd1
Delete a
D1
Substitute o
o40
Insert 1
i71
Levenshtein OP
(insert,i,j) where i is at the end of the word.
(insert,i,j) where i is at the beginning of the word.
(delete,i,j) where i is at the end of the word.
(replace,i,j) where i and i+1 were swapped.
(replace,i,j) where i and i+1 were swapped where i at the beginning of the word
(replace,i,j) where i and i+1 were swapped where i is at the end of the word
Rule
$c
^c
]
*XY
k
*XY
TN
Description
Append character to end.
Prepend character to end.
Delete last character.
Swap character X with Y.
Swap the first two characters.
Swap the last two characters.
Toggle the case of characters at
position N.
(replace,i,j) where a case changed for the character i

(replace,i,j) where all characters at the index location i in the source word were
replaced in the password
sXY
(replace,i,j) where replacement character at i is an ASCII increment
+N
Replace all instances of X with Y.

Increment character @ N by 1 ascii
value.
(replace,i,j) where replacement character at i is a left bitwise shift
LN
Bitwise shift left character @ N.
(Total 20 Hashcat rules detected)
Hashcat
Rule(s)
Hashcat rules to transform password to pssw0rd1

Delete a
D1
Substitute o
so0
Insert 1
$1
Hashcat
Rule(s)
$ python rulegen.py --password 'p$$w0rAd123' v -q

[*] Using Enchant 'aspell' module. For best results please install
'aspell' module language dictionaries.
[*] Saving rules to analysis.rule
[*] Saving words to analysis.word
[*] Press Ctrl-C to end execution and generate statistical analysis.
[*] Analyzing password: p$$w0rAd123
...
[+] password => D1 ss$ so0 i6A $1 $2 $3 => p$$w0rAd123
[+] passwords =>
[+] passwords =>
D1 ss$ so0 i6A o81 $2 $3 => p$$w0rAd123

D1 ss$ so0 i6A i81 o92 $3 => p$$w0rAd123
D1 ss$ so0 i6A i81 i92 oA3 => p$$w0rAd123
[+] passwords =>

[*] Finished analysis in 0.00 seconds
$ python rulegen.py gawker.dic -b gawker -bruterules

...
[*] Finished processing 1084394 passwords in 593.15 seconds at the rate of
1828.20 p/sec
[*] Word worker stopped.
[*] Generating statistics for [gawker] rules and words.
[-] Skipped 56637 all numeric passwords (5.22%)
[-] Skipped 13703 passwords with less than 25% alpha characters (1.26%)
[-] Skipped 26 passwords with non ascii characters (0.00%)
[*]
[+]
[+]
[+]
[+]
[+]
[+]
[+]
[+]
[+]
[+]
Top 10 rule statistics

: - 167201 (3.00%)
T0 - 24531 (0.00%)
$1 - 17619 (0.00%)
r - 13412 (0.00%)
] - 7237 (0.00%)
$2 - 4792 (0.00%)
$1 $2 - 3718 (0.00%)
l $1 - 3243 (0.00%)
$1 $2 $3 - 3146 (0.00%)
o71 - 2902 (0.00%)
Source
Top Words (2+ chars)
Top Rules
RockYou*
lover, baby, lovey, maria,

jean, loves, loved, angel,
mike, kebab, mayo, angels,
marina
:
$1
r
$2
$1 $2 $3
$1 $2
$3
$7
^1
$1 $3
* Generated using new --bruterules flag.
Source
Top Rules
LinkedIn
linked, linkedin, password,

:
alex, mike, jim, jfs, jam, jack, $1
job
$1 $2 $3
$0 $1
$2
$1 $2
$1 $1
$7 $3
^1
Source
Singles.org Jesus, love, angel, loveme,

faith
Source
Top Rules
MySpace
password, olive, myspace,

love, hearts, baseball,
softball, football, cutie,
chicken
$1
:
$2
$!
$3
$1 $2 $3
l $1
$7
$1 $2
$5
Top Rules
:
T0
$1
]
$2
$7
l $1
$1 $2 $3
$1 $2
$4
USING EXAMPLE.DICT
best64
d3ad0ne
generated
generated 1000000
Rockyou 1000000
T0Xlc
2000000
1800000
1600000
1400000
1200000
1000000
800000
600000
400000
200000
0
0
60
120
180
240
300
360
420
480
540
600
660
721
781
841
901
961
1021
1081
1141
1201
1262
USING WIKIPEDIA.DICT
best64
d3ad0ne
generated
Generated 1000000
Rockyou 1000000
T0Xlc
1400000
1200000
1000000
800000
600000
400000
200000
0
0
120 240 360 480 600 720 840 961 1081 1201 1321 1441 1561 1681 1802 1922 2042 2162 2282 2402 2523 2643 2763 2883 3003 3123 3243 3364 3484 3604
$ python rulegen.py gamigo-rockyou1000000wikipedia.cracked b gamigo-recycled
$ oclHashcat-plus64.bin gamigo.hash
gamigo-recycled-sorted.word
-r gamigo-recycled-sorted.rule
0
120
240
360
480
600
720
840
961
1081
1201
1321
1441
1561
1681
1802
1922
2042
2162
2282
2402
2523
2643
2763
2883
3003
3123
3243
3364
3484
3604
3724
3844
3964
4084
4204
4324
4445
4565
4685
4805
4925
5045
5166
5286
5406
5526
5646
5766
5887
6007
6127
6247
6367
6487
6608
6728
RECYCLED WORDLIST
RockYou 1000000
Recycled
1800000
1600000
1400000
1200000
1000000
800000
600000
400000
200000
Crack
Passwords
RuleGen
StatsGen
PolicyGen
MaskGen
Defenders &
Developers
Security
Researchers
Penetration
Testers
Jens and Team Hashcat
Crack Me If You Can
Per and Jeremi

Passwords13 Smarter Password Cracking With Pack

Uploaded by

Copyright:

Available Formats

Passwords13 Smarter Password Cracking With Pack

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Passwords13 Smarter Password Cracking With Pack

Uploaded by

Copyright:

Available Formats

Copyright 2013.

Peter Kacherginsky @_iphelix

Security research and consulting

Proud member of Team Hashcat

5.6 Billion Keys/Sec

through detection and

Password analysis tools

Uses Hashcat masks and rules format.

AMD Radeon 7970

$ python statsgen.py rockyou.txt

$ python statsgen.py rockyou.txt

$ python statsgen.py --maxlength=8

[+] Analyzing 90% (986425/1084394) of passwords

[*] Charset statistics...

[*] Length Statistics...

[*] Charset statistics...

$ python statsgen.py rockyou.txt o rockyou.masks

Time: 3.5 minutes

$ python maskgen.py rockyou.masks -t 86400 --showmasks -optindex -q

$ python maskgen.py rockyou.masks -t 86400 --showmasks -optindex -q

$ python maskgen.py rockyou.masks -t 86400 --showmasks -optindex -q

$ python maskgen.py rockyou.masks -t 86400 --showmasks -optindex -q

Takes less than

Minimum password policy definition

Minimum password policy

--mindigit=1 --minlower=1 --minupper=1

--minspecial=1 --showmasks q o policy-compliant.hcmask --noncompliant

1. Obtain a small sample with bruteforce:

2. Analyze recovered passwords with statsgen:

3. Generate targeted policy masks with policygen.

5 Days 30 Days 60 Days 120 Days 1 Year

Is a word mangled password a case of intentional misspelling?

Does it work for more complex passwords?

Can we improve results with a bit of pre-analysis?

What other rules can be detected readily by pre-analysis?

Rotation: wordpass => password

How about custom dictionaries for targeted attacks?

How can we prioritize generated source words?

Levenshtein Edit Distance Algorithm

Hashcat rules to transform password to pssw0rd1

(replace,i,j) where a case changed for the character i

(replace,i,j) where replacement character at i is an ASCII increment

Replace all instances of X with Y.

(replace,i,j) where replacement character at i is a left bitwise shift

Bitwise shift left character @ N.

(Total 20 Hashcat rules detected)

Hashcat rules to transform password to pssw0rd1

$ python rulegen.py --password 'p$$w0rAd123' v -q

D1 ss$ so0 i6A o81 $2 $3 => p$$w0rAd123

[+] passwords =>

$ python rulegen.py gawker.dic -b gawker -bruterules

Top 10 rule statistics

Top Words (2+ chars)

lover, baby, lovey, maria,

* Generated using new --bruterules flag.

Top Words (2+ chars)

linked, linkedin, password,

Top Words (2+ chars)

Singles.org Jesus, love, angel, loveme,

Top Words (2+ chars)