how-to crack 43kk passwords while drinking your juice/smoothie in the hood
Yurii Bilyk | 2016
How-to crack 43kk passwords while drinking your in the Hood
WHO AM I
26 vs 27.5 vs 29
TEAM
WE are Security Group
WE are ALL Engineers (Almost;)
WE are OWASP Lviv Chapter
WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
Agenda
o But WHY??!!
o Our CRACKING RIG
o Different obvious methods
o Not so obvious methods
o Some interesting statistics
Tell Me WHY!?
what’s wrong with you?
The Reason
Just for FUN
Good example of Open Source Intelligence
You can really test your skills in password cracking
Some Info
LinkedIn DB contains 250 758 057 e-mails
Only 61 829 208 contain unique hashes
File size of all unique hashes is 2.5 GB
Our CRACKING RIG
because we can
P - Podgotovka
LinkedIn DB contains unsalted SHA-1 hashes
GPU should be the best option for this type of hash
Best tool for this case is HashCat
GTX 1080 SHA-1 Benchmark
8xGPU SHA-1 crack speed: 68 771.0 MH/s
8xCHARS password Z!sN0/7u: 95 symbols length alphabet
6.70 x 10^15 search space
1 days 3 hours 4 minutes 54 seconds to brute ALL combinations
Question of Money
738x8 = 5904 $$$
Amazon K80 SHA-1 Benchmark
36xGPU SHA-1 crack speed: 75 200.0 MH/s
8xCHARS password Z!sN0/7u: 95 symbols length alphabet
6.70 x 10^15 search space
1 days 45 minutes 59 seconds to brute ALL combinations
So You’ve said Amazon?
(14.4+14.4+7.2)x25 = 900 $$$
Rainbow Alternatives
1000 $$$
RainBow Seek SHA-1 Benchmark
SHA-1 crack speed: 3 880 000.0 MH/s for 1 hash
784 000.0 MH/s for 10 hashes
8xCHARS password Z!sN0/7u: 95 symbols length alphabet
6.70 x 10^15 search space
28 minutes <-> 2 hours 22 minutes to brute ALL combinations
Return to Reality
Intel Core i5-3570 @ 3.4 GHz
SHA-1 crack speed: ~120.0 MH/s
NVIDIA 750GT (Mobile):
SHA-1 crack speed: ~120.0 MH/s
1xi5-3570 SHA-1 Benchmark
SHA-1 crack speed: 120.0 MH/s
8xCHARS password Z!sN0/7u: 95 symbols length alphabet
6.70 x 10^15 search space
1 years 281 days 10 hours 30 minutes 48 seconds to brute ALL combinations
Some OBVIOUS STEPS
let’s play
Where to Start?
We used dictionary attack as the first attempt
You need a good dictionary. We started with rockyou.txt
You need memory for your hashes. It could be a problem for GPU
So First Try
Cracked around 20% of all hashes (with rockyou.txt dictionary)
It took around 5 mins
And now you have to think what to do next
We need moar dictionaries!
RockYou contains 14 344 391 words
We tried different dictionaries. The biggest was 1 212 356 398 words and 15 GB in size
All this gives us approx 35% of all hashes
Let’s brute it!
We selected up to 6 char passwords with full set of characters
It took around 2 hours
All this gives us approx 45% of all hashes
Magic of STATISTICS
new is well-forgotten old
What can we do to get moar?
HashCat has transformation rules
They mutate the original word
Quality of your dictionary is essential. Size doesn’t rly matter
Using rules is more time consuming than just dictionary attack
What rules are effective?
We used best64, InsidePro-PasswordsPro and d3ad0ne rules
It was very effective in terms of number of hashes
All this gives us approx 60% of all hashes
Time to go smarter way
We have 36 million cracked passwords
We can analyze cracked passwords to determine patterns
These patterns can produce more efficient bruteforce masks
Meet PACK Tool
http://thesprawl.org/projects/pack/
PACK Tool Features
Can analyze a list of passwords and generate bruteforce masks
You can specify password length, time, complexity constraints
Gives you some idea what type of passwords are popular
Is PACK effective?
It can crack passwords similar to those you already have
You can flexibly choose the best masks within your constraints
All this gives us approx 65% of all hashes
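Added example (not from the slides, and not PACK's own code): a small Python sketch of the mask statistics described above, tied to the benchmark slides so a password audit can see how much faster a popular structure is exhausted than the full 95-symbol search. The function names and the SAMPLE list are constructed for illustration; the rate is the 8xGPU figure quoted earlier.

```python
from collections import Counter

# Sizes of hashcat's built-in charsets; 26+26+10+33 = the slides' 95-symbol alphabet.
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}
RATE_HPS = 68_771.0e6  # 8x GTX 1080 SHA-1 rate quoted on the slides (hashes/second)
# Constructed sample; in an audit this is your own recovered-password list.
SAMPLE = ["monkey12", "qwerty12", "dragon99", "Linked1n!", "123456", "Z!sN0/7u"]


def mask_of(password):
    """Describe a printable-ASCII password as a hashcat-style mask."""
    out = []
    for ch in password:
        if "a" <= ch <= "z":
            out.append("?l")
        elif "A" <= ch <= "Z":
            out.append("?u")
        elif "0" <= ch <= "9":
            out.append("?d")
        else:
            out.append("?s")  # simplification: everything else counts as special
    return "".join(out)


def keyspace(mask):
    """Number of candidates a mask covers."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= CHARSET_SIZE[mask[i:i + 2]]
    return total


def full_keyspace(max_len, alphabet=95):
    """All passwords of length 1..max_len over the full alphabet."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def mask_report(passwords, rate=RATE_HPS):
    """Masks ranked by popularity, with the time needed to exhaust each one."""
    counts = Counter(mask_of(p) for p in passwords)
    rows = [(m, hits, keyspace(m), keyspace(m) / rate) for m, hits in counts.items()]
    return sorted(rows, key=lambda r: (-r[1], r[2]))


if __name__ == "__main__":
    print("full 8-char search:", round(full_keyspace(8) / RATE_HPS), "seconds")
    for mask, hits, size, secs in mask_report(SAMPLE):
        print(f"{hits:>3}  {mask:<20} keyspace={size:<18} exhaust={secs:.3g}s")
```

The full search over lengths 1 to 8 reproduces the 6.70 x 10^15 figure and the 1 day 3 hours 4 minutes 54 seconds on the GTX 1080 slide, while the most common mask in the sample is exhausted in under a second at the same rate.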
Other types of attacks
PRINCE attack, somewhat similar to using the PACK tool + mutation
Combination of TWO or more dictionaries
Hybrid attack, that uses dictionaries + rules + bruteforce masks
Some CHARTS
It’s easy
Length of password (Our)
Length of password (Korelogic)
Character-set of password (Our)
Most Popular Passwords (Korelogic)
Mails (Korelogic)
Base Words (Korelogic)
Thank YOU!