
Hello all, welcome to the B-Sides DFW 2021 virtual conference. This is the Track 2 presentation, "Hashcat and Survivorship Bias: Cracking Uncommon Passwords." Now for some ID: my name is John Rhodes and I currently work for Truist Bank as a principal adversarial engineer. I also moonlight as a bug bounty hunter with Synack as a Synack Red Team member.

So what is survivorship bias? I'm not going to read the definition word for word, it's there on the slide, but basically it's focusing solely on specific results or preconceptions and ignoring the rest because it's not visible to you. Let's take a look at a very common example of survivorship bias. During World War II, the U.S. and British air forces were losing a large number of bombers. In an attempt to increase the survival rate of these bombers, they studied the damage on the returning planes to see what areas needed to be reinforced. A composite image was created showing all the damage, like the one you see on the slide, and a decision was made to add additional armor to the most-hit areas of the bomber. This seems like a logical conclusion, right? If the plane was getting shot on the wings and mid-fuselage, then those areas should be the ones you reinforce. Well, maybe not quite. The British air force decided to reach out to a statistician named Abraham Wald. He worked with the Statistical Research Group at Columbia University. Using survivorship bias and his calculations, Wald deduced that the armor should be added in the areas with the least amount of damage, like the engines, the cockpit and the gunner's seat. The planes that were studied by the military had all survived without hits to these areas, whereas the planes that did not make it back were likely hit there. So if you can imagine: if the cockpit gets shot up, the plane's probably going down. If you lose your gunner, you're not going to have protection. If you don't have engines, it's pretty hard to fly.

Now on to hashcat. I'm going to start with an introduction to hashcat and how to use it, with a few test cases, and then work a real-world example. So what is hashcat? Hashcat is an awesome password recovery tool. It works on all major OSes and has support for 300-plus hashing algorithms. It also supports CPU, GPU and other hardware accelerators that can greatly speed up cracking, which is great if you can find a GPU these days at a non-scalping price.

So what do you need to get started cracking? Well, first you've got to have the thing that you're trying to crack, which is going to be a password hash or a list of hashes, but you're also going to need to know that hash's type. hashid, hashes.com and other tools can help you determine the hash type if you don't know it. Next you're going to need to know the attack mode you want to use; you're likely going to use a combination of modes when you're cracking passwords. Hashcat has five modes built in: straight, combination, brute force and hybrid, and hybrid's got two categories, wordlist plus mask and mask plus wordlist. Finally, you're also going to need a wordlist, or two or more depending on the attack mode you're running. So where can you get your wordlists? Well, lots of places. Here is a very much non-exhaustive list of wordlists that you can use to get started, or you can create your own. It's good to have a variety of wordlists, as they all have pluses and minuses, which we'll discuss later.

All right, so next is a note about some hashcat attack types. You'll most likely crack some passwords with wordlists, but a large majority of the passwords will not be able to be cracked this way. For those hashes, a brute force attack, or a hybrid attack which combines the wordlist and brute force, will likely be needed. The old brute force method in hashcat has been deprecated and replaced by the mask attack. The mask attack allows you to set very specific character sets for each position of a potential password. An example of this would be if you had an eight-character password: the mask could be set as the first character uppercase, the next five characters all lowercase, followed by a single digit and then followed by a special character, which meets most requirements for a lot of password policies out there.

Here's a quick look at the built-in character sets that we have in hashcat. Today we're going to be using uppercase, lowercase, decimal and all; all is a combination of lowercase, uppercase, decimal and special characters. In addition to the built-in character sets, hashcat also allows you to create custom character sets. This allows you to set only the characters you want to include in the character set. So one example of this is to use a combination of the built-in character sets, like special characters and decimals. You can set a custom character set by using the -1 switch for the first custom character set. As you see in this example, we have -1 ?s?d, and that's going to contain all special characters and decimals for that custom character set. To create additional character sets you're going to increment the number, so -2, -3 and so on, but you can only use up to four custom character sets at a time.

So how can you obtain NTLM password hashes? That's what we're going to use in this example. Well, in Missouri I heard you can just pull them out of the HTML of state government websites, but most of the time you have to obtain them from other tried and true methods, some of which are listed above. Again, this list is by no means exhaustive, but it has some very good options. Or, you know, you can just create your own hashes. The NTLM hashing algorithm is widely known and many websites have NTLM hash generation tools. I've got an example here, tobtu.com. It allows you to generate passwords by length, and you can even specify the character sets you'd like to use for the generated passwords. Once the passwords are generated, you can calculate the NTLM hashes and the LM hashes. It also gives you the nice pwdump format there. For our exercises today we're only going to be using the NTLM hashes.

All right, so now we have everything we need to start cracking, so let's look at a few examples of different hashcat modes with some test passwords. First up is going to be a brute force mask attack. A file named text.txt contains the test hash of the password "password", all lowercase. The hash type switch -m is set to 1000, this is for NTLM hashes, the attack mode is set to 3 for brute force, and the mask is set to 8 lowercase characters. This password was cracked in just two seconds. Yes, that was a very easy one, so let's try a longer and more complex password. The next password is "Password123!" with a capital P. This is a 12-character password: it has an uppercase letter, it has seven lowercase letters, it's got three numbers and one special character. So let's try another brute force mask attack. I've updated text.txt with the new password hash. The hash type is still going to be 1000 for NTLM hashes, the attack mode is going to be set to 3 for brute force, but I am going to update the mask for 12 characters. So first I've got an uppercase letter, the next seven are going to be lowercase, followed by four all characters, and you can see the mask set there on the slide. So when we run this one, hashcat is going to throw an error: it says "Integer overflow detected in keyspace." Well, what does this mean? I'll let Royce Williams, who's a contributor to hashcat, explain, from when someone asked this question in an issue on their GitHub page. First off he says (a) the mask is too large for hashcat to handle, and secondly (b) even if it could, it would take a thousand years to complete; you will need to know more about your target plaintext in order to attack it. Okay, well, let's try another attack type.
So now we'll try a hybrid attack for the 12-character password. The attack mode on this one's going to have to be changed to 6; if you remember, this is wordlist plus mask. The wordlist we're going to use is rockyou.txt, this is included in Kali, and the mask is going to be set to four characters, same as before, all characters. Now this time when you run it we don't get an error, but the estimated time to crack is 21 hours. Just a note on this estimated time to crack: this is to get through all combinations of every word in the wordlist with all combinations of all the characters, so if you're cracking a single password it could be cracked in the first 10 minutes of this 21 hours or it might be cracked in the last minute of the 21 hours. I'd rather not wait and see on this one; let's see if we can find a quicker method to crack this.

So we're going to keep most of the settings the same this time, and we're just going to update the wordlist. Instead of using the larger rockyou.txt wordlist, which by the way contains 14 million words, we're going to use english.txt, which contains a little over 3 million words. english.txt is just an English dictionary; it's got a lot of words in it. So the estimated time to crack for this example dropped from 21 hours to just 5 hours, which is quite a bit better. Let's not wait for this one to finish; let's see if we can find a more targeted, more specific attack.

So we're going to keep everything the same as the last example, even the wordlist, but we're going to be a little more specific with the mask this time. Instead of having the four characters set to all characters, let's create a custom character set. Custom character set number one, specified by the -1 switch, is set to decimal and special characters only, as evidenced by the custom character set on the slide: we have -1 ?d?s for decimal and special characters. So we run the attack and the estimated time to crack has now been reduced from 5 hours to just 13 minutes, and the actual password cracked in just 7.5 minutes. That's excellent.

All right, so let's try this one more time to see if we can't get it cracked even faster. Again, let's leave everything else the same, except be even a little bit more specific with the mask. Instead of using the custom character set, the mask this time is going to be set to the first three characters as decimals and the last character as a special character. As you can see, we have ?d?d?d, there's the three decimals, and ?s for the special character. This time the password cracked in just five seconds, and it kind of sounds like Royce Williams had the right idea: the more specific you can be, the quicker you can crack the password. Let's move on to the next example.

All right, for this example we have a complex password that is eight characters. This password uses uppercase, lowercase, number and special characters, but the number and special character are not at the end, so we can't use a position-specific mask this time. So let's try a mask attack with the character set set to all character types. The attack mode is changed back to 3 for brute force, the hash has been updated in the text.txt file, and the attack is kicked off. Wow, the estimated time to crack this one is 1.5 days at the start of this attempt, and it's going to fluctuate as the attempt goes on. I think we should look at another way to do this, as we really don't want to wait that long. So up to this point we haven't tried a straight, or wordlist, attack yet, so let's change the attack mode back to 0 for straight, and we're going to use the rockyou wordlist this time. The complex password P@ssw0rd was cracked in just two seconds.
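To see why the mask choice alone moves the estimate from 21 hours down to seconds, here is a keyspace calculator for hashcat-style masks, written as an added example for this write-up (not code from the talk or from hashcat). It assumes hashcat's documented built-in charset sizes (?s is 33 characters, ?a is 95) and uses the talk's round wordlist sizes of 14 million and 3 million lines as constructed inputs; the runtimes it prints are the talk's own 21-hour figure rescaled by keyspace ratio, not a measured hash rate.

```python
"""Keyspace calculator for hashcat-style masks (added example, not hashcat code).

Mirrors hashcat's built-in charsets (?l ?u ?d ?s ?a ?b ?h ?H), the -1..-4
custom charsets, --increment / --increment-min, and the -a 6 hybrid product
(wordlist lines x mask keyspace), so the talk's 21 h -> 5 h -> 13 min -> 5 s
chain can be checked by arithmetic.
"""
from fractions import Fraction

# hashcat's built-in charsets (ASCII range). ?s is space plus 32 punctuation
# characters (33 total); ?a is the union of ?l ?u ?d ?s (95 characters).
BUILTIN = {
    "l": set("abcdefghijklmnopqrstuvwxyz"),
    "u": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "d": set("0123456789"),
    "h": set("0123456789abcdef"),
    "H": set("0123456789ABCDEF"),
    "s": set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"),
    "b": {chr(i) for i in range(256)},
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?d?s' or 'abc?d' into a set of characters.

    custom maps '1'..'4' to the spec given with -1..-4; '??' is a literal '?'.
    Duplicates collapse, as in hashcat, so '-1 ?l?a' is still 95 characters.
    """
    custom = custom or {}
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in BUILTIN:
                chars |= BUILTIN[key]
            elif key in custom:
                chars |= expand_charset(custom[key], custom)
            else:
                raise ValueError(f"unknown charset ?{key} in {spec!r}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_keyspace(mask, custom=None, increment=False, increment_min=1):
    """Candidates a mask generates; with increment, the sum over every prefix
    length from increment_min up to the full mask length."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            sizes.append(len(expand_charset(mask[i:i + 2], custom)))
            i += 2
        else:                      # literal character, e.g. a fixed prefix
            sizes.append(1)
            i += 1
    lengths = range(increment_min, len(sizes) + 1) if increment else [len(sizes)]
    total = 0
    for n in lengths:
        product = 1
        for size in sizes[:n]:
            product *= size
        total += product
    return total


def hybrid_keyspace(wordlist_lines, mask, custom=None, **kw):
    """-a 6 / -a 7: every wordlist entry is paired with every mask candidate."""
    return wordlist_lines * mask_keyspace(mask, custom, **kw)


def rescale(seconds, old_keyspace, new_keyspace):
    """Runtime of a new keyspace at the same hash rate, in seconds."""
    return float(Fraction(seconds) * Fraction(new_keyspace, old_keyspace))


if __name__ == "__main__":
    ROCKYOU, ENGLISH = 14_000_000, 3_000_000   # round figures from the talk (constructed)
    steps = [
        ("rockyou + ?a?a?a?a", hybrid_keyspace(ROCKYOU, "?a?a?a?a")),
        ("english + ?a?a?a?a", hybrid_keyspace(ENGLISH, "?a?a?a?a")),
        ("english + ?1?1?1?1 (-1 ?d?s)", hybrid_keyspace(ENGLISH, "?1?1?1?1", {"1": "?d?s"})),
        ("english + ?d?d?d?s", hybrid_keyspace(ENGLISH, "?d?d?d?s")),
    ]
    est, prev = 21 * 3600, steps[0][1]         # start from the talk's 21-hour estimate
    for label, ks in steps:
        est, prev = rescale(est, prev, ks), ks
        print(f"{label:32s} keyspace={ks:.3e}  est={est / 60:9.2f} min")
    # The 12-character mask: about 1.7e19 candidates, the same order as 2**64.
    print("?u?l*7?a*4 keyspace:", f"{mask_keyspace('?u' + '?l' * 7 + '?a' * 4):.3e}")
```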
Okay, so now we've seen a couple of test cases and we've learned some things, so let's gather some initial thoughts here. First, these larger wordlists can be very useful, but they dramatically increase the cracking time due to the number of combinations, with the hybrid attacks especially. It might be more useful to use a targeted and/or smaller wordlist depending on what you know about the environment; again, the more you know, the easier it is going to be for you to crack the passwords. Second, hybrid attacks are great at cracking hashes from longer passwords that hashcat is not going to be able to brute force. And thirdly, what is better, password length or complexity? A password containing a long collection of simple but non-related words can be very hard, if not impossible, to crack, whereas an eight-character but complex password can crack in a matter of hours or days depending on the hardware.

All right, so now for a real-ish world example. I pulled some cracked hashes from my hashcat potfile, but some of them had to be edited to protect the guilty, you know, company names, profanity, etc. Additionally, I generated some hashes with the NTLM generator on tobtu.com; this was to help round out the list. So I've ended up with 808 password hashes, and I added them all to a file named example.hashes that will be used through the next round of exercises.

So what is a potfile? A hashcat potfile is where hashcat stores cracked hashes. On Linux it's stored in the location listed there on the slide; on Windows it's stored in the same folder as hashcat.exe, wherever you extracted it on your system. If you want to view all hashes that you've cracked from a particular hash file, use the --show switch. An example of this would be hashcat, text.txt as we used earlier, and the --show switch. If you want to see all the hashes in the potfile, you can cat out the hashcat potfile, or if you're in Windows you can type it out.

Okay, so let's go back to the example. In order to more effectively crack passwords it's good to know information about your target. We're going to make some assumptions about our company's password policy here; we're going to use a standard password policy that I filled in here for the fictitious company. The password policy is as follows: passwords must be eight characters or longer; passwords must contain three of the four following characteristics, uppercase, lowercase, number, special character; and passwords cannot contain a username. A pretty simple, pretty standard password policy.

All right, so how does survivorship bias tie into cracking passwords? Just like the U.S. military overlooked data on planes that did not return, because this data wasn't directly visible to them, it's easy to overlook data when cracking passwords. If you focus strictly on cracking passwords based on the password policy, for example, or known standards or user behavior, you're likely going to overlook a lot of very easy to crack passwords. So if you do have your known password policy, it's still worth checking for items that fall outside of that password policy, like passwords that are less than the required number of characters. An increment scan of less than 8 characters is usually very quick and it's beneficial to password cracking efforts. To run an increment scan you just use the -i switch; you can also set a minimum increment with the --increment-min=number switch. So an example of this would be if you had legacy service account passwords that were created before the password policy was put into place. Service account passwords are generally static in most organizations as well, so a legacy service account password that was set 20 years ago may still be valid today. As an example, I once found a 4-character password for a service account that had domain admin privileges. This password was able to be cracked in just a few seconds; I was then able to perform several other attacks as domain admin. Additionally, some passwords are going to subvert common expectations or standards: they may start with lowercase instead of uppercase, they may start with a number or a special character, or they may use leetspeak throughout the whole password.

So speaking of leetspeak, what is it? Well, leetspeak is a style of typing that replaces English letters with similar-looking numbers or symbols. It was closely tied to early hacking and gaming culture. With a script like the leetspeak generator, you can convert an existing wordlist to leetspeak. Using a simple example wordlist here, I've got two passwords in it, "P-a-s-s-w-r-d" and "P-a-s-s-w-r-d-1-2-3-!", and the leetspeak generator will create multiple leetspeak variations of each string, as you can see on the slide. The leetspeak generator script can be downloaded and edited if needed from the link above. There are also other scripts and tools that can transform an existing wordlist to leetspeak, so be sure to find the one that works best for your needs.

All right, let's get cracking. We're going to start going after some low-hanging fruit with a mask created from the company's password policy and using a common password format. The attack mode is going to be set to brute force, -a 3. A custom character set is going to be created which contains special characters and decimals only. The mask we're using is going to start with one uppercase character, followed by four lowercase characters, and ends with two characters from our custom character set. You can see that on the slide, and I'm going to run the attack. So this yielded 16 passwords out of the 808 in 30 seconds.

Okay, let's take a short detour to create a wordlist that has the first letter uppercased for each word in the list. This can be useful in cracking passwords, since many passwords start with a capital letter. So you can perform this operation on an existing wordlist and output it to a new wordlist using the command listed on the slide.

All right, so back to cracking. We're going to use our newly updated wordlist, rockyou-up, this time. We're going to do a straight attack, attack mode is going to be set to 0 for that, and we're going to use the new wordlist. The total cracked passwords is now up to 51, in just two seconds. All right, let's go ahead and try another straight attack, attack mode still 0, and we're going to use the unmodified rockyou wordlist. A few additional passwords were cracked in two seconds, and the total passwords cracked is now 57.

All right, so far we've run a mask attack with a standard password format and two straight attacks using an original and a modified wordlist. With these we've had minimal success, cracking 57 passwords. Let's try something a little different this time and combine the two methods and do a hybrid attack, a wordlist plus a mask. So we have to switch over to hybrid mode; we're going to change the attack mode to 6, this is for hybrid wordlist plus mask. I've also taken a list of three million English words and capitalized the first letter using the sed script, and I created a new wordlist called english-up. A custom character set with a keyspace that contains special characters and decimals only is set, and we're going to use four of those for this attack, and we're going to use the increment -i switch to increment through the mask. We run the attack and this time we've cracked a much larger number of passwords in a single 13-minute attack, so the total cracked passwords is now up to 261, which is 33 percent.
So the last attack was pretty efficient with a four-character mask. Let's retry the attack with a five-character mask using the same custom character set and drop the increment switch. Now, due to the number of combinations added with just the single extra character, the estimated completion time is now 9-plus hours. Typically I'd let this one finish running in an actual engagement, as several longer passwords are likely discovered this way. For today's exercise I just let it run for 40 minutes and cut it short. Now if you take a look at some of the passwords that were cracked in this round, many of them are too long to be cracked with brute force attacks; some of them are even up to 14-plus characters. So the total cracked we have now is 289 out of the 808. Let's move on.
All right, so now we're going to try another hybrid attack, attack mode 6, and we're going to use the unmodified English wordlist without the capital first letter. A custom character set is still set that contains special characters and decimals, and we're going to use the increment switch to increment through the mask. This time a few additional passwords were cracked in 13 minutes; the total passwords cracked is now up to 304.

All right, so this time we're going to try a brute force mask attack, and all eight characters are going to be set to all characters in the keyspace. We're also going to make sure to use the -O switch, and this will enable optimized kernels; this helps to be a little more efficient with cracking. Additionally, we're going to use the increment -i switch to increment through the mask. Now when we look at the time to crack, it's going to be two-plus days for this one. I allowed it to run for about 39 minutes and only a few additional passwords were cracked. Now if I let it run for the entire duration, many more, but not all, of the passwords would be cracked using this attack. This is one I recommend you run later, after you've tried everything else. It's going to take a while; you just kind of let it sit, or if you've got another box you're running on, you can start off with this one and try other techniques on the other one.

All right, so since we're under a bit of time pressure and we don't have two-plus days, let's see how changing the mask will change the estimated time to completion. So we'll create a custom character set with a keyspace that contains special characters and decimals. The mask is going to be updated to include six all characters first and then two characters at the end with the custom character set, as you can see on the slide. This time the estimated completion time is going to be 13 hours, and that's way better than two-plus days. I'm only going to let it run for 15 minutes though, and during that time I got a few more passwords; we're up to 314. So brute forcing can lead to great results given enough time, but so far we've had the most luck with our hybrid attacks, so let's try a different hybrid attack with a different wordlist. So we've still got a custom character set with special characters and decimals, and this time we're going to be using the rockyou wordlist. We've got a mask set with three characters with the custom character set, we're going to have the increment switch turned on, and this attack's going to yield more results in three minutes, and now we're up to 319.

All right, since we had better luck with a capitalized wordlist, let's run through the attack again with our custom rockyou-up wordlist, with the first letter of each word capitalized. The mask and all other settings are going to remain the same, and a few more passwords are cracked in this attempt, and now we're up to 340.

So far we've used a Kali built-in wordlist, rockyou.txt, and we've used one containing English words, but there are a ton of other wordlists out there to try. We're going to start first with weakpass_2a, and we're going to need to change the attack mode back to straight and set the new wordlist. This attack will run for about 29 minutes and it cracks several new passwords, for a total of 359 of 808.

Next up, we're going to try the Kaonashi wordlist; this is also from the weakpass website. We're going to set the new wordlist, but we're going to leave the rest of the settings the same. This attack ran for three minutes, as the wordlist is much shorter, and it cracks several new passwords, for a total of 366. Finally, we're going to try the hashesorg2019 wordlist. Again, we're going to set the new wordlist in the attack and leave the rest of the settings the same. This attack is going to run for three minutes, it's also a shorter wordlist, and it cracks several new passwords, for a total of 378 of 808.
All right, so before going back to a longer attack like brute force all characters, let's take a look at what's been cracked so far. This can be done by using the --show switch in hashcat. If you want to see the passwords and not the hash:password combinations, you can use the command on the slide. Basically we're going to use the --show switch on the hash file with hashcat, then we're going to cut it at the colon delimiter and only show the second field, then we're going to sort it for unique, because we only want unique passwords and we want them sorted. So this is going to provide you with a sorted list of passwords that we can use to find additional passwords. In our use case here, several passwords discovered had the prefixes "company" and "newhire", so these would make great candidates for mask attacks, as they seem to be common and incrementing passwords.

Just a note: so many companies are going to use default temporary passwords for new hires, and they might use one for password unlock. You lock your password, you call into the service desk and they unlock it, and they unlock it with a password of Unlock1 or Temp123 or something else stupid. Now many users are going to take those passwords that they got when they first got hired, or when their passwords got unlocked, or just the password given to them, and they're going to just increment it. That's why when you see one password like newhire1, it may be the first new hire password, that's what they give out when they start, and then you'll see it incrementing up. So in this example we have newhire1, and then we have 2, and we have 10 and 11 and 12 and so on and so forth.
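The three wordlist derivations used in this walkthrough (uppercasing the first letter of each word, turning `--show` output into a sorted unique password list, and trimming the numbers off cracked passwords to harvest prefixes like newhire and company) are gathered here as an added example for this write-up, not the speaker's own sed/cut commands. The `--show` sample is constructed, with 32-hex-digit placeholders in place of NTLM hashes; the only real hashcat behaviour it relies on is the `$HEX[...]` encoding hashcat uses for plaintexts it cannot print verbatim.

```python
"""Wordlist helpers for a password audit (added example, not the talk's scripts).

Covers the first-letter capitalisation done with sed, the
`hashcat --show | cut -d: -f2 | sort -u` pipeline, and stripping numeric or
special-character suffixes off cracked plaintexts to find shared prefixes
worth a follow-up prefix?1?1?1?1 mask or hybrid attack.
"""
import re
from collections import Counter

# Constructed sample of `hashcat -m 1000 example.hashes --show` output: the
# 32-hex-digit values are placeholders for NTLM hashes, the plaintexts are made up.
SAMPLE_PLAINS = ["NewHire1", "NewHire2", "NewHire10", "NewHire11",
                 "Company1!", "Company2!", "Spring2021", "P@ssw0rd",
                 "$HEX[7061737377303a7264]"]     # hashcat's hex form of "passw0:rd"
SAMPLE_SHOW = "\n".join(f"{i:032x}:{pw}" for i, pw in enumerate(SAMPLE_PLAINS))

HEX_RE = re.compile(r"\$HEX\[([0-9a-fA-F]+)\]")
# A trailing run of digits and/or ?s characters, i.e. the talk's -1 ?d?s charset.
SUFFIX_RE = re.compile(r"[0-9 !\"#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~]+$")


def capitalize_first(words):
    """Equivalent of sed 's/./\\U&/': uppercase only the first character."""
    return [w[:1].upper() + w[1:] for w in words]


def plaintexts_from_show(show_output):
    """Unique, sorted plaintexts from `--show` output for an unsalted mode.

    Splits on the first colon only, so a plaintext containing ':' survives
    (cut -d: -f2 would truncate it), and decodes hashcat's $HEX[...] form.
    """
    plains = set()
    for line in show_output.splitlines():
        if ":" not in line:
            continue
        plain = line.split(":", 1)[1]
        m = HEX_RE.fullmatch(plain)
        if m:
            plain = bytes.fromhex(m.group(1)).decode("latin-1")
        plains.add(plain)
    return sorted(plains)


def strip_suffix(word):
    """Drop trailing digits/specials: NewHire10 -> NewHire, Company1! -> Company."""
    return SUFFIX_RE.sub("", word)


def prefix_candidates(plaintexts):
    """Stems of cracked plaintexts ranked by how many cracks share them.

    Returns [(stem, count), ...]; a stem seen more than once is the
    incrementing-prefix pattern (newhire1, newhire2, newhire10, ...).
    """
    counts = Counter(strip_suffix(p) for p in plaintexts)
    counts.pop("", None)              # all-digit/special passwords have no stem
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    plains = plaintexts_from_show(SAMPLE_SHOW)
    for stem, n in prefix_candidates(plains):
        print(f"{n:3d}  {stem}")
    print(capitalize_first(["rockyou", "123abc"]))
```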
All right, so now we're going to start a mask attack for the newhire prefix. We're going to set the attack mode to 3 for brute force. A custom character set is created with a keyspace that has special characters and decimals only. The mask is going to be set to the prefix itself and then four characters using the custom character set. Finally, we're going to use the increment switch, and the increment switch is going to increment through that mask. So wow, that's a lot of newhire passwords: we've jumped up from 378 passwords cracked previously to 448 cracked passwords in just seven seconds on this attempt, and we have now cracked over 50 percent of the passwords.

All right, now we'll try the same thing but with the company prefix. This mask will be set to the prefix plus four characters using the custom character set; everything else is going to stay the same, including increment. This time though we only got one additional password, but it only took four seconds.

All right, so how can we do the same thing but a little more efficiently? Well, sed of course, yes, that's a great tool. So we're going to use the command listed on the slide, and what it's going to do is trim off the numbers from all the cracked passwords that we have and then create a new wordlist. We'll then use this new wordlist in a hybrid attack with a mask of four all characters to find the additional passwords that use the prefixes from all our previously cracked passwords. So a few more passwords were cracked this way and we're now up at 452 of the 808.

All right, so now it's time for a status report. We've been able to crack over half, we're at 56 percent now, of the passwords in two hours and about 45 minutes or so. Many of these passwords were well over eight characters and they would not have been able to be cracked by a brute force or a straight wordlist attack. A large majority of the other ones could be cracked with more time, probably about two days, or with better hardware; currently I'm only using a single NVIDIA 2080. Now if you don't have hardware at home to do this, you can use an AWS GPU instance. They can be really cheap to run, especially if you use spot instances, but you need to be sure to stop the instance when it's not in use, and you can build automation to help with that.

All right, so now I wanted to quickly run through some other things you could try. First up is going to be a hybrid attack with a list of English names plus a four all character mask. Now I would also recommend using wordlists from other countries and nationalities as well, depending on your target.
With this one we're up to 456 of the 808. A second option would be to run a hybrid attack with a leetspeak wordlist and a mask. You can generate your own leetspeak wordlist using the leetspeak generator script provided earlier in the presentation. We can keep the mask from the previous example and change out the wordlist to the leetspeak one. I ran this through with leetspeak English, as you see, leetenglish.txt, and a leetspeak version of rockyou, leetrockyou.txt. After rockyou we had 465 of the 808 cracked.

All right, so finally, it would be very beneficial to run a hybrid attack on some of the larger wordlists you have. This is likely going to take a while, but the results from the test case that I've used have proved worth it. So you're going to set up a hybrid attack, attack mode 6. You're going to use a custom character set, again decimal and special characters, and choose a large wordlist like Kaonashi or weakpass_2a. The mask we're going to use, we're going to have it set to up to 4 characters and make sure that increment is turned on, and run the attack. So when I started this I let it run for just 20 minutes, I used the Kaonashi wordlist, and I cracked up to 542 of the 808 passwords.
All right, and that's all I have today. Thanks for attending, I really hope you learned something. I'll be on the B-Sides DFW Discord if you have any questions, and my handle is johndoe297. Thank you so much.