Password Profiling & Mask Attacks

The growth of GPU power has brought brute-force password cracking to the forefront by significantly decreasing the time required. A single-CPU system running a brute-force tool (such as John the Ripper) needs about half a year to break a seven-character password drawn from the full character set (upper, lower, digit, special). A modern system with high-performance GPU(s), on the other hand, can break the same password in less than a day. However, when facing passwords of 9+ characters, the brute-force time exceeds what a security audit can allow for. The password policies usually adopted in enterprise environments demand 8+ characters containing at least one uppercase letter, one special character and one digit. The most common pattern is to capitalize the first character and add a number or special character at the end of the password. Another common pattern is to substitute some characters with special characters (like a->@, i->!, s->3). Knowing such likely patterns, you can profile passwords and launch mask attacks through user-specified rules, resulting in a significant decrease in cracking time.

In this article I will examine some analysis tools in a Linux environment, although the same techniques can be applied on a Windows OS with the relevant programs. Initially we need a password analysis tool such as PACK (Password Analysis and Cracking Kit), developed by iphelix. Using PACK we can analyze a password file and create attack masks for programs such as Hashcat (read my introductory post about using oclHashcat). In order to use PACK you will need a system with Python support and the Psyco extension installed. Psyco isn't necessary for the execution of the dictstat.py script (lines 8 and 9 can be commented out), but enabling it gives a small performance increase.

In the rest of the post I will cover an oclHashcat+ profiling attack on a 32-bit CUDA system. For my experiments I use a password file containing 14,344,578 passwords gathered from the web and from a Kippo honeypot. If you don't have a CUDA or OpenCL compatible card, you can use a CPU processing tool such as PasswordPro, but I will not go any deeper into this in the rest of the post.

Here is the analysis report of the above password file:

$./dictstat.py -f passes.txt -o mask.csv
 
[*] Analyzing dictionary: passes.txt
[+] Analyzing 100% (14344578/14344578) passwords
NOTE: Statistics below is relative to the number of analyzed passwords, not total number of passwords
 
[*] Line Count Statistics...
[+]                         8: 20% (2966617)
[+]                         7: 17% (2506680)
[+]                         9: 15% (2191368)
[+]                        10: 14% (2013995)
[+]                         6: 13% (1948162)
[+]                        11: 06% (866157)
[+]                        12: 03% (555444)
[+]                        13: 02% (364256)
[+]                         5: 01% (259371)
[+]                        14: 01% (248468)
[+]                        15: 01% (161145)
 
[*] Mask statistics...
[+]               stringdigit: 37% (5340397)
[+]                 allstring: 28% (4117395)
[+]                  alldigit: 16% (2346920)
[+]                 othermask: 05% (731819)
[+]               digitstring: 04% (664081)
[+]         stringdigitstring: 03% (450900)
[+]       stringspecialstring: 01% (204545)
[+]        stringspecialdigit: 01% (167845)
[+]             stringspecial: 01% (147926)
[+]          digitstringdigit: 00% (130588)
[+]      specialstringspecial: 00% (25110)
[+]             specialstring: 00% (14432)
[+]                allspecial: 00% (2620)
 
[*] Charset statistics...
[+]             loweralphanum: 42% (6076315)
[+]                loweralpha: 25% (3728112)
[+]                   numeric: 16% (2346920)
[+]      loweralphaspecialnum: 03% (472651)
[+]             upperalphanum: 02% (407484)
[+]             mixedalphanum: 02% (382397)
[+]         loweralphaspecial: 02% (381225)
[+]                upperalpha: 01% (229907)
[+]                mixedalpha: 01% (159376)
[+]      mixedalphaspecialnum: 00% (53343)
[+]         mixedalphaspecial: 00% (49651)
[+]      upperalphaspecialnum: 00% (27764)
[+]         upperalphaspecial: 00% (26813)
[+]                   special: 00% (2620)
 
[*] Advanced Mask statistics...
[+]          ?l?l?l?l?l?l?l?l: 04% (688380)
[+]              ?l?l?l?l?l?l: 04% (601407)
[+]            ?l?l?l?l?l?l?l: 04% (585304)
[+]        ?l?l?l?l?l?l?l?l?l: 03% (516985)
[+]            ?d?d?d?d?d?d?d: 03% (487442)
[+]      ?d?d?d?d?d?d?d?d?d?d: 03% (478231)
[+]          ?d?d?d?d?d?d?d?d: 02% (428314)
[+]          ?l?l?l?l?l?l?d?d: 02% (420359)
[+]      ?l?l?l?l?l?l?l?l?l?l: 02% (417063)
[+]              ?d?d?d?d?d?d: 02% (390549)
[+]        ?d?d?d?d?d?d?d?d?d: 02% (307542)
[+]            ?l?l?l?l?l?d?d: 02% (292329)
[+]        ?l?l?l?l?l?l?l?d?d: 01% (273654)
[+]    ?l?l?l?l?l?l?l?l?l?l?l: 01% (267785)
[+]          ?l?l?l?l?d?d?d?d: 01% (235374)
[+]              ?l?l?l?l?d?d: 01% (215087)
[+]      ?l?l?l?l?l?l?l?l?d?d: 01% (213126)
[+]            ?l?l?l?l?l?l?d: 01% (193133)
[+]          ?l?l?l?l?l?l?l?d: 01% (189860)
[+]  ?l?l?l?l?l?l?l?l?l?l?l?l: 01% (189409)
[+]            ?l?l?l?d?d?d?d: 01% (178314)
[+]        ?l?l?l?l?l?d?d?d?d: 01% (173567)
[+]      ?l?l?l?l?l?l?d?d?d?d: 01% (160608)
[+]        ?l?l?l?l?l?l?l?l?d: 01% (160075)
[+]          ?l?l?l?l?l?d?d?d: 01% (152446)
 
[*] Saving Mask statistics to mask.csv

Each [*] section shows the analyzed dictionary from a different point of view. We can see that 20% of the passwords are 8 characters long, and the "Charset statistics" show that 42% of the passwords are lowercase alphanumeric. Using this information we can assume that by launching a brute-force attack with up to 8 lowercase characters and digits we can crack the majority of the passwords.

So far the analysis was easy because we already knew the cracked passwords. A real analysis scenario, however, is launched against an uncracked hash list. Our first step will be an initial run using a standard dictionary with a good rule set.

$./cudaHashcat+32.bin -r ocl+rules.rule -m1000 -n8 -o found.out hashlist.txt passes.txt

The attack recovered 223 out of 1000 NTLM hashes (22.3%). From these I was able to determine the password policy for the hash file, and from the recovered passwords I create a new dictionary file:

$awk 'BEGIN {FS=":"};{print $2}' found.out | sort -u > found.dic

Then, using dictstat.py, we analyze the recovered passwords and create attack masks matching the discovered password policy.
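As an added illustration (my own code, not PACK's dictstat.py), here is a minimal Python re-implementation of the four statistics in the report above, fed with a constructed list of recovered passwords such as found.dic would contain; it also emits the most frequent masks in the one-per-line form a hashcat mask file takes. The category names follow dictstat's output, but the grouping rules are an approximation of its logic, not a copy.

```python
from collections import Counter

# Constructed sample standing in for found.dic; not the post's data set.
SAMPLE = ["password1", "Summer2013!", "letmein", "123456", "qwerty12", "monkey12",
          "dragon99", "P@ssw0rd", "Welcome1", "abc123", "iloveyou", "admin2012"]

def advanced_mask(pw):
    """Per-character hashcat charset (?l ?u ?d ?s), e.g. 'P@ssw0rd' -> '?u?s?l?l?l?d?l?l'."""
    return "".join("?l" if c.islower() else "?u" if c.isupper()
                   else "?d" if c.isdigit() else "?s" for c in pw)

def simple_mask(pw):
    """Collapse runs of one class into string/digit/special; more than 3 runs is 'othermask'."""
    runs = []
    for cls in ("string" if c.isalpha() else "digit" if c.isdigit() else "special" for c in pw):
        if not runs or runs[-1] != cls:
            runs.append(cls)
    if len(runs) == 1:
        return "all" + runs[0]
    return "".join(runs) if len(runs) <= 3 else "othermask"

def charset(pw):
    """Name the classes present, dictstat style: <lower|upper|mixed>alpha[special][num]."""
    lo, up = any(c.islower() for c in pw), any(c.isupper() for c in pw)
    dg, sp = any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)
    alpha = "mixedalpha" if lo and up else "loweralpha" if lo else "upperalpha" if up else ""
    if not alpha:                       # no letters at all
        return "specialnum" if dg and sp else "numeric" if dg else "special"
    return alpha + ("special" if sp else "") + ("num" if dg else "")

def analyze(passwords):
    """Counters for the four views dictstat prints: length, simple mask, charset, advanced mask."""
    views = {"length": len, "mask": simple_mask, "charset": charset, "advanced": advanced_mask}
    return {name: Counter(fn(pw) for pw in passwords) for name, fn in views.items()}

def top_masks(passwords, n=5):
    """Most frequent masks, one per line: the content of a mask file for a hashcat -a 3 run."""
    return [m for m, _ in analyze(passwords)["advanced"].most_common(n)]

def report_lines(passwords):
    """Render the statistics in the [*]/[+] layout that dictstat.py prints."""
    stats, total, lines = analyze(passwords), len(passwords), []
    for section, counter in stats.items():
        lines.append("[*] %s statistics..." % section.capitalize())
        lines += ["[+] %25s: %02d%% (%d)" % (key, 100 * n // total, n)
                  for key, n in counter.most_common()]
    return lines
```

Running `print("\n".join(report_lines(SAMPLE)))` reproduces the report layout for the sample, and `top_masks(SAMPLE)` written one per line is the mask file to feed the next cracking run.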

Following this methodology we can profile our cracking attacks and create more efficient brute-forcing rules and masks. Additional information about the password owners (name, surname, username, working environment, technical knowledge, etc.) can help us create more efficient dictionaries and rules.

We can see that appropriate and efficient tools exist and are capable of cracking weak passwords and poor policies in reasonable time. Consequently, IT security administrators should run regular analyses on their hash databases in order to verify the "strength" of the passwords and policies in use.


DISCLAIMER: I’m not responsible with what you do with this info. This information is for educational purposes only.

A. Bechtsoudis