Hashes, hashes everywhere, but all I see is plaintext

Will Hunt
Hashes, hashes everywhere, but all I see is plaintext...

$whoami
Will Hunt
• Co-founder of in.security
• 10+ years in cyber
• Hacker, formerly digital forensics
• Trainer/speaker @ Black Hat USA/EU, Nolacon, 44CON, Infosec Europe IICSG etc
• Assists UK government
• @Stealthsploit

Agenda
• Traditional cracking recap
• Password guidelines - old vs new
• Passphrases
• Creative / advanced cracking
• GPUs vs CPUs: A crypto-wallet story
• Foreign language cracking in h3x
• Secure p@ssw0rd advice

Before We Start

Common Techniques
• Dictionary + Rules
• Mask / Hybrid
• Rainbow Table
• Pure Brute Force

Success criteria
• Algorithm complexity
• Password length / complexity
• Known / predictable elements
• Hardware

Common Techniques
• Dictionary and rules
    hashcat -m1000 hashes.txt rockyou.txt -r OneRuleToRuleThemAll.rule
• Mask
    hashcat -m0 hashes.txt -a3 -1 ?l?d ?1?1?1?1?1?1?1?1?1
• Dictionaries: https://github.com/xajkep/wordlists
• OneRuleToRuleThemAll: https://github.com/stealthsploit/Optimised-hashcat-Rule

Common Techniques
• Hybrid
    hashcat -m0 hashes.txt -a6 rockyou.txt ?d?d?d
• Pure brute force
    hashcat -m1000 hashes.txt -a3 ?a?a?a?a?a?a?a?a?a?a?a?a --increment
• Rainbow tables - rarely situationally useful for single unsalted hashes

Key Space
• Key space = char set ^ length
• Mixed alpha-numeric + special = 95 printable ASCII chars

Which password is stronger?
• 9 chars using mixed alpha-numeric + special
• 10 chars using mixed alpha-numeric

9 chars = 95^9 = 630,249,409,724,609,375
10 chars = 62^10 = 839,299,365,868,340,224

It's all about the length

Pure Brute Force
• 8x NVIDIA GTX 2080 Ti cracking NTLM @ 822 GH/s* (95 char set)
• 8 char = <2.5 hours
• 9 char = 9 days
• 10 char = 2.3 years
• 11 char = 219 years
• 12 char = 20,840 years
• 13 char = 2 million years
* https://twitter.com/hashcat/status/1095807014079512579/

Pure Brute Force
https://twitter.com/TerahashCorp/status/1155128018156892160

Guidelines - Old vs New

Old Guidelines
• Minimum 8 chars
• Mixed alpha-numeric and special
• Change password every 90 days

New Guidelines
• NIST SP 800-63B*
• "..at least 64 characters" (still min 8)
• Complexity recommended not required
• No truncation, password hints or KBA
• No expiry without justification
• Compare to dictionaries / breaches
* https://pages.nist.gov/800-63-3/sp800-63b.html

tl;dr - passphrases over passwords

Guidelines - Old vs New
https://xkcd.com/936/

Attacking Passphrases
• Combinator attacks - dictionary combined with a dictionary
• Google top 10,000 words: https://github.com/first20hours/google-10000-english/blob/master/google-10000-english.txt
• Google top 20,000 words: https://github.com/first20hours/google-10000-english/blob/master/20k.txt
• @netmux has a great guide - https://www.netmux.com/blog/cracking-12-character-above-passwords
    hashcat -m0 hashes.txt -a1 20k.txt 20k.txt

Moar Words
• Combinator - https://github.com/hashcat/hashcat-utils
• 3 or 4 words
    ./combinator 20k.txt 20k.txt > 20k-combined
    hashcat -m0 hashes.txt -a1 20k-combined 20k-combined

Delimiters
    awk '{print $0" "}' 20k.txt > 20k-space
    ./combinator 20k-space 20k.txt > 20k-combined-mid-space

3 and 4 Words
Combinator rules
    hashcat -m0 hashes -a1 20k-combined-mid-space -j '$ ' 20k.txt
    hashcat -m0 hashes -a1 20k-combined-mid-space -j '$ ' 20k-combined-mid-space

Combinator All The Rules
Add another space and pipe to hashcat
    awk '{print $0" "}' 20k-combined-mid-space > 20k-combined-mid-end-space
    ./combinator 20k-combined-mid-end-space 20k-combined-mid-space | hashcat -m1000 hashes.txt -r rules/OneRuleToRuleThemAll.rule -w4
• Optimised kernels (-O) increase speed but limit length
• E.g. MD5 optimised = 31 / NTLM optimised = 27
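An added example (not from the talk) that applies the key-space formula and the 822 GH/s NTLM figure from the Pure Brute Force slide to both attack models covered so far: a candidate password is scored by the cheaper of charset brute force and an N-word combinator over a 20,000-word list. The sample word set, the delimiter set and all function names are assumptions made for illustration.

```python
HASH_RATE = 822e9                 # NTLM guesses/s quoted on the brute-force slide
SECONDS_PER_YEAR = 365 * 24 * 3600
WORDLIST_SIZE = 20_000            # size of the 20k.txt list named on the slides
# Constructed stand-in for the word list, just enough for the samples below.
SAMPLE_WORDS = {"correct", "horse", "battery", "staple", "purple", "rain"}

def charset_keyspace(pw):
    """Brute-force key space: (size of covering charset) ^ length."""
    size = 0
    size += 26 if any(c.islower() for c in pw) else 0
    size += 26 if any(c.isupper() for c in pw) else 0
    size += 10 if any(c.isdigit() for c in pw) else 0
    size += 33 if any(not c.isalnum() for c in pw) else 0  # specials + space
    return size ** len(pw)

def word_count(pw, words, delims=" -_."):
    """Fewest list words (each optionally preceded by one delimiter) forming pw."""
    best = [0] + [None] * len(pw)
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if best[start] is None:
                continue
            chunk = pw[start:end]
            if start and chunk[0] in delims:
                chunk = chunk[1:]
            if chunk in words and (best[end] is None or best[start] + 1 < best[end]):
                best[end] = best[start] + 1
    return best[len(pw)]

def years_to_exhaust(pw, words=SAMPLE_WORDS):
    """Worst-case years at HASH_RATE under the cheaper of the two models."""
    space = charset_keyspace(pw)
    n = word_count(pw.lower(), words)
    if n is not None:
        space = min(space, WORDLIST_SIZE ** n)
    return space / HASH_RATE / SECONDS_PER_YEAR

if __name__ == "__main__":
    for sample in ("aB3$xY7!q", "purplerain", "correct horse battery staple",
                   "purple rain horse battery staple"):
        print(f"{sample!r}: {years_to_exhaust(sample):.3g} years")
```

For a fast hash such as NTLM, four list words fall in days at this rate while five take over a century, which is the arithmetic behind preferring longer passphrases.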

Expander
• https://github.com/hashcat/hashcat-utils/
• Splits candidates into single chars, mutates & reconstructs
• Recompile with LEN_MAX 8 and always unique output
    ./expander < wordlist.txt | sort -u

Fingerprint Attack
https://hashcat.net/wiki/doku.php?id=fingerprint_attack
1) Expand previously cracked passwords
2) Combo the resulting file with itself
3) Update (expand) wordlist
4) Repeat and rinse
    cut -d: -f2- < hashcat.potfile | ./expander | sort -u > word.list
    hashcat -m1000 hashes.txt --remove -a1 word.list word.list -o word.list2
    cut -d: -f2- < word.list2 | ./expander | sort -u > word.list3
    hashcat -m1000 hashes.txt --remove -a1 word.list3 word.list3 -o word.list4

PRINCE
PRobability INfinite Chained Elements (PRINCE)
• princeprocessor - Jens Steube "Atom" @hashcat
• Single dictionary input --> builds chains of 1 to n words
• E.g. if princeprocessor was guessing 4 char candidates...
  • 4 letter word
  • 2 letter word + 2 letter word
  • 1 letter word + 3 letter word
  • 3 letter word + 1 letter word
  • 1 letter word + 1 letter word + 2 letter word
  • 1 letter word + 2 letter word + 1 letter word
  • 2 letter word + 1 letter word + 1 letter word
  • 1 letter word + 1 letter word + 1 letter word + 1 letter word
https://github.com/hashcat/princeprocessor

PRINCE Attacks
• PRINCE Attack
    ./pp.bin rockyou.txt --pw-min=8 | hashcat -m1000 hashes.txt
• PRINCEPTION - @jmgosney
    ./pp.bin rockyou.txt --pw-min=8 | ./pp.bin --pw-min=8 | hashcat -m1000 hashes.txt -g 300000
• De-dupe dictionary before running prince
• Delimiter request open: https://github.com/hashcat/princeprocessor/issues/49

Passphrases with PRINCE
• Traditional delimited combinator
    hashcat -m0 hashes -a1 20k-combined-mid-space -j '$ ' 20k-combined-mid-space
• pp variant (thanks @TychoTithonus & @Chick3nman512)
    ./pp.bin --elem-cnt-min=4 --elem-cnt-max=4 --pw-min=8 20k-space | hashcat -j ] -m1000 hashes.txt -w3 -O -r prince_optimized.rule
• If dictionary & combo attacks fail - USE PRINCE

Purple Rain
...and as a last resort
• Shuffled wordlist --> different output
• https://www.netmux.com/blog/purple-rain-attack
    shuf rockyou.txt | ./pp.bin --pw-min=8 | hashcat -m0 hashes --remove -w3 -O -g 300000

Stats
(Lastfm-top500k (358863 deduped))

Attack                                              Cracked
Rockyou.txt + OneRuleToRuleThemAll                  290337/358863 (80.9%)
5-char brute force --> Fingerprint attack 1         615/68526 (0.9%)
Fingerprint attack 2                                9194/67911 (13.54%)
Fingerprint attack 3                                5860/58717 (9.98%)
Fingerprint attack 4                                805/52857 (1.52%)
Fingerprint attack 5                                84/52052 (0.16%)
Fingerprint attack 6                                9/51968 (0.02%)
Fingerprint attack 7                                0/51959
2hr - Prince                                        82/51959 (0.16%)
2hr - Prince + prince optimized rule                3325/51878 (6.41%) - 1 in potfile
2hr - Purple rain + 300000 self-generated rules     4298/48558 (8.85%) - 6 in potfile
2hr - Purple rain + 300000 self-generated rules     1610/44270 (3.64%) - 10 in potfile
2hr - Purple rain + OneRuleToRuleThemAll            7011/42660 (16.43%) - 1 in potfile

Uncracked: 35649 (Total 323214 (90% cracked))

Crypto Wallet Example
• Ethereum wallets - MyEtherWallet, Geth, Mist
• JSON keystore file option
• scrypt used in testing


Ethereum Wallets
• GPU cracking viability depends on n, r
• https://stealthsploit.com/2017/06/12/ethereum-wallet-cracking/

Calculating Memory
• Determine memory requirements using n, r

Step 1: Calculate Single Computation per GPU
    size_scrypt = (128 * r) * n
Step 2: Calculate Parallel Computations per GPU
    Threads per compute unit (1) * no. of compute units (2) = no. parallel computations
Step 3: Calculate RAM requirement per GPU
    size_scrypt * no. parallel computations

(1) NVIDIA: 32, AMD: 64
(2) Depends on GPU

Calculating Memory
• In earlier post: n = 1024, r = 8

Step 1: Calculate Single Computation per GPU
    size_scrypt = (128 * r) * n
    (128 * 8) * 1024 = 1048576 bytes (1 MB)
Step 2: Calculate Parallel Computations per GPU
    Threads per compute unit (1) * no. of compute units (2) = no. parallel computations
    32 * 68 = 2176
Step 3: Calculate RAM requirement per GPU
    size_scrypt * no. parallel computations
    1 MB * 2176 = 2176 MB per GPU

(1) NVIDIA: 32, AMD: 64
(2) Depends on GPU
https://www.techpowerup.com/gpu-specs/geforce-rtx-2080-ti.c3305

Calculating Memory
    size_scrypt = (128 * r) * n
    (128 * 8) * 131072 = 134217728 bytes (128 MB)

    Threads per compute unit (1) * no. of compute units (2) = no. parallel computations
    32 * 68 = 2176

    size_scrypt * no. parallel computations
    128 MB * 2176 = 278528 MB = 272 GB RAM per GPU
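The three steps above as an added example (not code from the talk): it reads n and r from a keystore's kdfparams and reports whether the per-GPU memory requirement fits in a card's VRAM. The keystore fragment is constructed, the 11264 MB VRAM figure used in the demo is an assumption, and the function names are illustrative.

```python
import json

THREADS_PER_CU = {"nvidia": 32, "amd": 64}   # footnote (1) on the slide

# Constructed keystore fragment; n and r match the slide's second calculation,
# the salt is a placeholder and the ciphertext fields are omitted.
SAMPLE_KEYSTORE = '''{"version": 3, "crypto": {"kdf": "scrypt",
  "kdfparams": {"dklen": 32, "n": 131072, "r": 8, "p": 1, "salt": "PLACEHOLDER"}}}'''

def scrypt_params(keystore_json):
    """Return (n, r) from a keystore; raise if the KDF is not scrypt."""
    doc = json.loads(keystore_json)
    crypto = doc.get("crypto") or doc.get("Crypto")   # both spellings occur
    if not crypto or crypto.get("kdf") != "scrypt":
        raise ValueError("keystore does not use scrypt")
    params = crypto["kdfparams"]
    return params["n"], params["r"]

def gpu_memory_mb(n, r, compute_units, vendor="nvidia"):
    """Steps 1-3: (128 * r * n) bytes per computation * parallel computations."""
    size_scrypt = 128 * r * n                           # step 1, bytes
    parallel = THREADS_PER_CU[vendor] * compute_units   # step 2
    return size_scrypt * parallel / 2**20               # step 3, in MB

def fits_on_gpu(keystore_json, compute_units, vram_mb, vendor="nvidia"):
    """True if the scrypt working set for full occupancy fits in VRAM."""
    n, r = scrypt_params(keystore_json)
    return gpu_memory_mb(n, r, compute_units, vendor) <= vram_mb

if __name__ == "__main__":
    n, r = scrypt_params(SAMPLE_KEYSTORE)
    need = gpu_memory_mb(n, r, compute_units=68)
    print(f"n={n} r={r}: {need:.0f} MB ({need / 1024:.0f} GB) per GPU")
    # 11264 MB is an assumed VRAM size for the demo card.
    print("fits:", fits_on_gpu(SAMPLE_KEYSTORE, 68, vram_mb=11264))
```

The same calculation lets a wallet owner confirm that the n and r in their own keystore put full-occupancy GPU attacks out of reach of commodity cards.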

GPU vs CPU
• Cracking recent wallets on GPU will likely error, hang, blue screen etc.
• CPU to the rescue!
• https://stealthsploit.com/2018/01/04/ethereum-wallet-cracking-pt-2-gpu-vs-cpu/
    -D 1 -d

GPU vs CPU
• Convert with ethereum2john - ethereum2john.py
  https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/run/ethereum2john.py


Non-ASCII Characters
• 256 ASCII characters - single byte encoding
• UTF-8 (1-4 byte encoding) for other characters
• Find the hex and pass to hashcat with --hex-charset
https://www.utf8-chartable.de/unicode-utf8-table.pl

Non-ASCII Characters
• E.g. Arabic alphabet uses the following UTF-8 (hex) chars
• First byte
    d8 d9 da db
• Second byte
    80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf
• The attack
    hashcat -m0 a095531811f39557054b5340e5d2b182 -1 d8d9dadb -2 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf --hex-charset ?1?2?1?2?1?2?1?2?1?2 -w3 -a3

S3cure Y0urs3lf
• Password managers - Lastpass, 1Password, Dashlane, Keepass etc
• Passphrases - 5+ random words
• Use spaces (other/differing delimiters)
• Avoid elements based on KBA
• 2FA / MFA
• Don't reuse passwords
• HIBP - https://haveibeenpwned.com/

Thank you!

We're in security to prevent insecurity

https://in.security
contact@in.security
@Stealthsploit / @insecurity_ltd
Have a crack at our challenge: https://in.security/password-cracking-ctf/