how-to crack 43kk passwords while drinking your juice/smoozie in the hood

Yurii Bilyk | 2016

How-to crack 43kk passwords while drinking your in the Hood

WHO AM I

26 vs 27.5 vs 29

TEAM

WE are Security Group WE are ALL Engineers (Almost;) WE are OWASP Lviv Chapter WE are Legio… oops

blog: http://owasp-lviv.blogspot.comskype: y.bilyk

o But WHY??!!o Our CRACKING RIG o Different obvious methodso Not so obvious methodso Some interesting statistics

Agenda

Tell Me WHY!?

what’s wrong with you?

The Reason

Just for FUN

Good example of Open Source Intelligence

You can really test your skills in password cracking

Some Info

LinkedIn DB contains 250 758 057 e-mails

Only 61 829 208 contains unique hashes

File size of all unique hashes is 2.5 GB

Our CRACKING RIG

because we can

P - Podgotovka

LinkedIn DB contains unsalted SHA-1 hashes

GPU should be best option for such type of hashes

Best tool for this case is HashCat

GTX 1080 SHA-1 Benchmark

8xGPU SHA-1 crack speed: 68 771.0 MH/s

8xCHARS password Z!sN0/7u: 95 symbols length alphabet6.70 X 1015 search space

1 days 3 hours 4 minutes 54 seconds to brute ALL combinations

Question of Money

738x8 = 5904 $$$

Amazon K80 SHA-1 Benchmark

36xGPU SHA-1 crack speed: 75 200.0 MH/s


1 days 45 minutes 59 seconds to brute ALL combinations

So You’ve said Amazon?

(14.4+14.4+7.2)x25 = 900 $$$

Rainbow Alternatives

1000 $$$

RainBow Seek SHA-1 Benchmark

SHA-1 crack speed: 3 880 000.0 MH/s for 1 hash784 000.0 MH/s for 10 hashes


28 minutes <-> 2 hours 22 minutes to brute ALL combinations

Return to Reality

Intel Core i5-3570 @ 3.4GhzSHA-1 crack speed: ~120.0 MH/s

NVIDIA 750GT (Mobile):SHA-1 crack speed: ~120.0 MH/s

1xi5-3570 SHA-1 Benchmark

SHA-1 crack speed: 120.0 MH/s


1 years 281 days 10 hours 30 minutes 48 seconds to brute ALL combinations

Some OBVIOUS STEPS

let’s play

Where to Start?

We used dictionary attack as the first attempt

You need good dictionary. We started with rockyou.txt

You need memory for your hashes. It could be problem for GPU

So First Try

Cracked around 20% of all hashes (with rockyou.txt dictionary)

It took around 5 mins

And now you have to think what to do next

We need moar dictionaries!

RockYou contains 14 344 391 words

We tried different dictionaries. The biggest was 1 212 356 398 words and 15 GB in size

All this gives us approx 35% of all hashes

Let’s brute it!

We selected up to 6 char passwords with full set of characters

It took around 2 hours


Magic of STATISTICS

new is well-forgotten old

What we can do get moar?

HashCat has rules of transformationIt mutates original word

Quality of your dictionary is essential. Size doesn’t rly matters

Using rules is more time consuming than just dictionary attack

What rules are effective?

We used best64, InsidePro-PasswordsPro and d3ad0ne rules

It was very effective in terms of number of hashes


Time to go smarter way

We have 36 millions of cracked passwords

We can analyze cracked password to determine patters

This patterns can produce more efficient bruteforce masks

Meet PACK Tool

http://thesprawl.org/projects/pack/

PACK Tool Features

Can analyze list of password and generate bruteforce mask

You can specify password length, time, complexity constrains

Gives you some idea what type of passwords are popular

Is PACK effective?

It can crack similar passwords according that you already have

You can flexibly choose best masks regarding constrains


Other types of attacks

PRINCE attack, somehow similar to the using PACK tool + mutation

Combination of TWO and more dictionaries

Hybrid attack, that uses dictionaries + rules + bruteforce masks

Some CHARTSIt’s easy

Length of password (Our)

Length of password (Korelogic)

Character-set of password (Our)

how-to crack 43kk passwords while drinking your juice/smoozie in the hood

Technology