Password Cracking: The First 500 Million

right oh goodness this is come to be the biggest room I've ever talked to by a factor of three probably so I want to talk about faster cracking today not probably the minutia the thing that maybe some of the logistical issues the motivation is essentially I've got bored of remembering all the haschke options running out over in hurricane so we look for some efficiency savings so first off this is work I've done here or builds on top of hash cat Tommy Ripper in packet various word lists from little people expect lists cracks tension hashes org it uses graphic live reserved people of selling here because the size in the first place and the dataset reduced sort of a

proving ground for all the stuff is from Troy Hemant so there's a whole lot of people to thank the work that's gone into here so I'm from NCC this isn't particularly official NCC work it's not also not that controversial and they probably don't disagree with it I don't think they've actually read it so there is an NCC logo there but please don't take this as official NCC stuff so the only interesting bits about me I've built improved and managed malteaser password cracking systems at tuk pentas companies I don't offer being cracked in people's passwords since about 2003 which is blue teen stuff and yeah this there's obviously more but you don't each never asset so why we actually

bother in this anyway some people tell you is the solve problem or were too dull or in problem before cities problem that comes up quite a lot in pen testing so if we look at the the naive approach a lot of people just find a favorite word list a favorite rule file and then you know just run that which isn't actually T bad rock-hewn and save you to dothe is pretty good but we can send you better so in terms of other things we do need to do this sort of as a pen tester you come across the movie 40 also common hash formats so it's not all just ntlm there's plenty of other things out there

like Kerberos various things and so on we also need to do format conversions in quite a few places and obviously when you're in pen test you've got a hard time but you want to get everything as soon as you possibly can another approach I've heard from people is just to use a massive 80 gig word list which is fine if it's in frequency order if it's not then you sort of wasting their own time and it's better to use the time to do one so so from both the red and blue team point of view I want to talk about but adding good hashes why they're back and why the good but then go into

the hash prep practice script I've written which is essentially just a big blue script offensive uses of password cracking and then defensive uses and then say as a test bed room to talk about the Troy hunt date set and obviously last week I realized I promise to do CTF as well which is not really a CTF in that sense but it's a challenge that people to do at home so that'd be the last bit so md5 why is it about hash for us we don't care about the various cryptographic flaws that is pointing the preimage stuff the only issue for us is it's very very quick to compute so I think I've been separating my 1080 Ti

like guesses 35 billion tries again 75 in a second which is just not acceptable I've written that there's no salt so you could compute lookup table of common you know questions announces but in practice in the lookup table will be 35 billion messes a second anyway have it this their theoretical floor ntlm is based on MD 4 and LMZ worse than those two so that's an example of hollow about hashes and before.she for most of us we can't really get rid of any of them for our environments they are going to be still there somewhere other examples of bad hashes people have tried doing various homebrew crypto seems to shore up their md5 hashes so

adding secret data in which is it's a reasonably well codified approach you just have to make sure that the secret stays secret so you may find yourself attacking this lock up found one web app where essentially a random string fixed strings appended to the thing which means you can just write one genre for all and it will crack it for you so please just use a good library function Blowfish or argon - a good examples or pbkdf2 if you haven't got any others hb7 implement it even so you can generate a nice strong hash that essentially it needs to be just a bit quicker than annoying for the user's computer once sort of maybe one ten to the second and

then this already caused the attacker problems because there's a random salt involved in the process which is stored along with it it becomes infeasible to create a lookup table of you know all the common questions and answers you've got so some point I've got or word of typing out commands by hand over and over and over so I built the script which essentially tries to getcha guess the hash type for you so you don't need to import dollar to a means or anything that if it's a more complex thing like a zip file it will try D codify the Jumeirah script which will come out with your hashtag each attack and it'll also based on what

it thinks is speed at the hashes it'll try some dictionaries and rules and also the the mapping of regular expressions to hash types and hash types to what parameters during it ways is stored as data files so it's fairly easy to tweak if when you're very unlikely to have same exact same cars that I've got and that's currently GPL on github so sorry

the motivation behind writing this script was I was bored of writing the same commands over and over again so I wanted to create a system which would essentially take all the thinking out the initial attacking of these hashes so I don't have to remember how to unpack some file format but after roughly how fast it is I can just essentially feed it to this and see how it gets on start with and then maybe to queue from there another important thing to do is to actually have a codified technique so I can see if it's good or not and then if you think about improvement so the graph on the right this is not using this

system it's easy this from our work system how it does show us the improvement in the ratio of password repacking which is obviously what we honesty is pregnant right in a stroke but if it's not you know if the app puts rubbish then you know it's not used to anyone so the other reason I wrote this six of them often stuck at machine room side I have access to our crack and cluster so to get on my laptop and also being in seniors lot enabled me to have some free time to write this norm right waiting for my necess scan fish so the the way hash crack works is it has five main attack boats you have a hybrid so

dictionary rules approach there's a mode a1 which is the cross product ie tries every word that lists a with every bit of speed and you've got various mask mode so above all with this we want to keep the gpgpu busy if you just feed it a few ANTM hashes you just feed it a standard dictionary it weren't really utilize the whole GPU so you need to give it more things to try either with dictionary and mask or dictionary rules we also want it to start finding passwords yeah quickly they need to be at the front so studying like NTM it'll run really quickly with the incremental load a3 which basically tries all possible combinations of masks up to

whatever you want so we want to find passwords quickly rather than at the end of the process the other thing which is more of a design consideration then that it is now maybe the steep reuse obviously if you crack any other master presence you know the corresponding ntlm is going to be that same word with a different capitalization I thought LM is dead but they probably found another domain name on it so that functional answer is not quite obsolete yet so I think it supports maybe 3040 hash types but we'll take PWM file so we all know unload visit this example see that PWM file it will first try the LM ashes they're probably all blank these days

and if there are only when we used that as a crib using it rule which essentially gives you all case permutations of that word it'll then try the incremental math mode up to eight characters which I think allows a pro lower digit to heart then lower in digit and then special on the end movie it will also run a few other modes and then it will fall back to the basic extended whatever dictionary you think we can get away with in a few hours together with some rules so I seemed like a reasonable approach for ntlm then you come across something like bcrypt which is them basically the exact exact opposite so it's salted which means that the runtime

scales with number of hashes ntlm can crack fifty five hundred five million and it won't make much difference to the runtime decrypt to hashes takes types of thousands of on hash so you can only really afford some fairly small dictionary files in this case you don't need a new rules or anything masks to keep up speed in general so you can just feed it but you're sort of topping on to what k5 or something like that so that's essentially what the script does it stops me from having to think about all these issues every time home and it tells you what it's doing if you need to tweak it for your own purposes during a

red team engagement we get hashes to remember of places if you can calculate running responder or dumping NTDs util stuff directly you can get bodes you've got Kerberos the internal monologue the nicking devices SMB your eye leaks office docks zip files all these things at least either how our hashes or imply hashes in the case of stocks and during a red team of C never know what's going to be useful so you might want to start cracking things pursuance you of them so the nice thing about password cracking is once you abstract it extracted that hash for target isn't know you're cracking it obviously you can replace some ashes but it's always nice to password if only

because then you can retry that password on other things and so it's just nice to have something kicked off in the background or you can then go and think about other things that you need to do for the blue team I would say don't share passwords across security domains for example I saw a printer and a route to sharing same SMB password and obviously printers are not hard and in the same areas are and it would very easy to give it up as a red team that's exactly what each one juice to it so good you can see that reason they've got the this is sort of relative hash speeds so the T on the Left LM and ntlm those

are both unsalted so they're actually worse than that looks sorry it's a log graph otherwise it would be you wouldn't be able to read it properly so ntlm is very fast and unsalted LM do we all know so LM is broken into two hours which makes it worse unless capitalized which makes it we're still so it's really terrible a schism from there you have sort of domain cache credentials Ln V one and so on so the point is obviously the first batch of loading is up to TCC to a much more likely to all will have us you know whatever hash you get is in a represent the Windows domain password so in your interest to be cracking ntlm rather than

DCC - I've put office 2007 and 2013 on for comparison as well let's say obviously is better for you to be attacking past the hashes so things that I've written is to support now I've used personally you can just read it something you've gathered through an TDC tool and an i FM so that standard thing if you've installed it properly it will run in packets secret start to unpack it for you and then it'll do its work Sam responded up DB runs a secret like query to get the antenna master SAP salaries direct so that's X it would run the script from John the Ripper which will again give you a hash that hash captain

work with so this is not really original work just there's a blue script so because I've got bored of typing up these things so that's a slightly trim down examples of running it against the docx file from the test suite as you can see is from Python to you officer john de pie it's got the hash out as you can see at the bottom it runs hash cat using the appropriate mode picks it reasonably here because there's a test suite on I've put the answer straight in the form of hash cap dot txt in real life obviously have to wait for it a bit so essentially is just meant to take time and it needs to take

the so you take the hard thinking work out of doing this stuff for sort of the blue team people you can also do this and this is what I was doing in 2003-2004 if you crack your own divine hashes you can see essentially what the really weak ones are so it's unlikely that anyone would be able to obtain your any of them hashes directly but if people have got pastors like you know passed with one welcome one two three that's probably guessable within the parameters you count like a policy so it's very much worth doing this just because you crack something in this offline sack doesn't necessarily mean it's an awful password but you may want

to look at the data it's a whole lot in considering consider sort of updating your pastor policies unfortunately default wind is possible season very flexible some of people trying to add a filter to stop you know things like welcome welcome one bang which technically the policy policy if it still doesn't look good password so I can leave the team point of view you wanna stop people choosing really view passwords passwords that are widely compromised if they are tied to the same account certainly and things based on dictionary words so the essential idea is if you can stop people choosing a small group of very big passwords and you have a decent account like how or

rate limiting policy of some kind then you should basically be okay and it'll you know it'll greatly reduce the users of people guessing correct credentials it's like cracking your own pastors is great way to find the really low-hanging fruit here so I graft lengths of the the 500-year hazard you got from try and you can see Shannon entropy isn't isn't a wonderful way of estimating how good a password is but now it's relatively easy to compute you can see there's a fairly good sort of dome shape graph modulo some conservation where as the password length tends to you have a bit of a longer tail on right which is just people here years long passwords using

less complex passwords but that's fine that's why longer passwords exist so for example if you want to stop people choosing passwords that have been introns breach itself you can send him the I think that's show on Ash and it'll literally tell you whether it's people from us or not for those worried about privacy there is a more honest way of querying that apparently which I have not needed looking to yet again for the blue team when you're cracking these if you get hash cat and use the status outputs say every ten seconds or so you can actually see you whether so that x-axis is time and the y-axis is how many passes through covered so you can see whether

essentially your audio passwords they left that graph which means they're generally weak or if they sort of shunted to the right which means essentially that the they're not very easily guessable that are guessable but at least you made the attacker work for it so for anyone who wants to get into this pending on budget you can start with an entry level that laptops to fine CPUs still do fine for a lot of things and if you are using a laptop you very careful about overheating it so make sure it's got enough airflow and please do not disable the hardware monitoring a homework modest tower which is essentially at 1080 TI with some scaffolding you can have a homebrew

cases multi colors anything like that you can buy one off the shelf for about twenty five thousand US dollars which is very less you can use hash table lists a clustered very small unis the only one I haven't played with really is a double yes because the if essentially if I forget to turn something off fast on the able of twenty K at in the month and I'm not professor so I'd rather spend a couple of K on hardware so that's the tower I've got a cooling pad for my laptop because it's slightly temperamental Sakuni pad cost about a 10 or an Amazon so it's not not particularly stretch and yeah as I say on on these two things

I got through I was sort of 500 million passes in a couple of weeks so it's a straight this is in reach of everyone to try this stuff and the ntlm is really not a good hash so if you want to replicate this stuff and I say I'm essentially just easing this is a validation to the approach they've taken so you can download the passage from Detroit on site get them unzip them you need to from this particular phone in check off the frequency vector you will also need to put a small tank into the codes so the bitmap Maps max parameter is fine for basically every base that I've looked at apart from this one it's

to do is sort of what's due and you need to set high enough cash cat5 will warn if is too low and it'll basically say you set it higher and just you keep setting a higher until as I K and then it runs at a reasonable speed otherwise it will be very slow also the whole base that doesn't fit in even 1080 Ti so what I had to do is split it into chunks of 500 sorry 50 million lines if you are going to do this make sure you put L which is 50 million lines not n which is 50 million jokes even next for doesn't like 15 million files so I think I had

about Jimmy 1011 files which then got essentially run a particular approach against each chunk - - remove takes your answers out so basically your answers accumulating try one pot the need at the end you stitch too far back together so actually summer and then repeat with the next phase the other thing I found I needed to send the output once of which happy is working I need to send the output to dead null because literally writing out the fan passes to the terminal was loving these damn so we've got two dictionary rules available to play with incremental attack masks then you've got a six a seven which is sort of wordless in masks and then the sort

of cross product to Dickens so probably just explain the other ones are obvious but the a one and masks a one literally tries every word from the left dictionary next to every regional right extra so that folded squares or you get from maths in Texas slightly complex but basically quest might use any uppercase fish my allies any lowercase and it'll iterate you all the possible values that just skip over this briefly because it's not directly relevant as well as doing that you can also feed stuff in standard if you need to as you've run out of other IDs so in terms of my script those same attacks are expressed like this and then this is actually what I got out of

sorry hun data so default run ways I think top 258 million and some rules go up literary 250 million then incremental attacks it's a listicle reach compilation online and a slightly more aggressive mask approach versus two which had more but more special characters the top two Billy this was quite good the next one 250 million in last four I essentially computed the common suffixes and it's just taking a load of common words back in common suffixes on them and seeing what you get and the answer is that's quite a good approach as well ice to try some other dictionaries with suffixes and then best of all probably because essentially how she's always been attacking the same

list and I am aware of that hash it's all got under that sort of trying to follow million and if you have those follows up that is over five from the meet so like I say that's that's two weeks work on a 1080 TOI you could probably do in three weeks on the laptop these days so is there any practical use to us other than validating the approach probably not directly so if you're going to use it as dictionary you should prune out the really obvious words because you probably want to be searching that enviable approach so there we go it needs more work as is everything only so far john the ripper sports bitlocker

OpenCL for example that's not in attica yet so dispute in i did promise the CCF i saw last week in my submissions so there is one if you want to have a go there's various I think in five or six formats crack as fun as you can starting with the easiest and sends me and I will do something for the winner he'll be nice to see the solution on your blog if you'd like to take answers so on the web right I'll skip feelers on that website there is a bunch of references there because they got too big anyway so I'm just get to questions with that up on it there

[Music]

yeah yeah some of them sorry the question was how well does regular expression work for matching on hash types the answer is anywhere between very well and and not also ntlm and md5 look exactly the same there was no way to tell me about where is obviously things like dollar one dollar two dollar five very easy so the regular expressions I've got have been arrived at empirically so yes they work well enough for me no you can just tell it what it is for you if you know better

[Applause]