Sanjiv Kawa & Tom Porter
Crafting tailored wordlists with Wordsmith
BSides LV 2016
Formalities
Tom’s the guy with the beard: www.porterhau5.com, @porterhau5
Sanjiv’s the Canadian: www.popped.io, @skawasec
PSC – Proprietary and Confidential. All Rights Reserved. 2
What do you guys do?
• Penetration Testers at PSC - www.paysw.com
• PSC specializes in PCI assessments
• Our day-to-day activities consist of attacking large enterprise networks and searching for CHD (cardholder data)
What’s Wordsmith?
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists
Quick primer
• Authentication process
• Dictionary attacks
• 8 slides total!
For those who already know this
• We have something else you can do during the primer!
• First 10 people who tweet the correct answer will get some swag
• Or go and check out Wordsmith here: https://github.com/skahwah/wordsmith
Question
• What hash format is this? (hint: wpad)
Back to the primer
Primer (1/8): Authentication process
Primer (2/8): Password converted to hash
• On submit, convert the password into a hashed representation
Primer (3/8): Credentials sent to authentication server
Primer (4/8): Credentials validated
• Backend DB holds passwords for all users in a hashed state
• Check to see if the hashes match:
  if userSuppliedCreds == userStoredCreds
    allow logon :)
  else
    deny logon :(
Primer (5/8): password == hash, right?
• How do we “convert” a hash back to a cleartext password?
• No direct way. However, we can do a dictionary attack.
Primer (6/8): What are dictionaries?
• Large lists containing common words
• Sometimes compiled from passwords obtained in breaches (LinkedIn, Yahoo, Adobe, AM, etc.)
• Dictionaries we use:
  – Rockyou (free)
  – Uniq (paid, but worth it)
  – top10k (free)
  – yahoo (free)
  – linkedin (free)
Primer (7/8): Dictionary attacks
A couple of pre-requisites:
1. A solid dictionary (also known as a wordlist)
2. Need to know the hash type (md5, sha1, NTLM, NetNTLMv2, etc.)
3. A list of password hashes (typically exfiltrated in post-exploitation)
Primer (8/8): Conducting a dictionary attack
1. Guess
2. Encrypt (hash)
3. Compare

Wordlist:
apple
banana
cherry
…

$hash <- encrypt(apple)
$hash : 5ebe7dfa074da8ee8aef1faa2bbde876

Search for $hash in obtained hash list:
af5432a79b941528fa7fac9e7e391651
5ebe7dfa074da8ee8aef1faa2bbde876   <- match
8846f7eaee8fb117ad06bdd830b7586c
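The guess/encrypt/compare loop from this slide in working Ruby, as an added example that is not part of the deck or of the Wordsmith project. NT hashes are MD4 over the password encoded as UTF-16LE (slide 32 notes the MD4 basis), and MD4 is written out inline so nothing depends on OpenSSL's legacy provider. The hash list and wordlist are constructed for the example; the one non-constructed value is the deck's own third hash, which is the well-known NT hash of "password".

```ruby
require "set"

MASK32 = 0xffffffff

def rotl32(x, n)
  ((x << n) | (x >> (32 - n))) & MASK32
end

# MD4 (RFC 1320), implemented here so the example runs without OpenSSL's
# legacy provider. Returns the digest as lowercase hex.
def md4_hex(message)
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  bit_len = message.bytesize * 8
  data = message.b + "\x80".b
  data << "\x00".b while data.bytesize % 64 != 56
  data << [bit_len & MASK32, bit_len >> 32].pack("V2") # 64-bit little-endian length

  f = ->(x, y, z) { (x & y) | (~x & MASK32 & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rounds = [
    [f, 0x00000000, [3, 7, 11, 19], (0..15).to_a],
    [g, 0x5a827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]],
    [h, 0x6ed9eba1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]],
  ]

  (0...data.bytesize).step(64) do |off|
    words = data.byteslice(off, 64).unpack("V16")
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, shifts, order|
      order.each_with_index do |i, step|
        a = rotl32((a + fn.call(b, c, d) + words[i] + k) & MASK32, shifts[step % 4])
        a, b, c, d = d, a, b, c # rotate so the next step updates the next register
      end
    end
    a = (a + aa) & MASK32
    b = (b + bb) & MASK32
    c = (c + cc) & MASK32
    d = (d + dd) & MASK32
  end
  [a, b, c, d].pack("V4").unpack1("H*")
end

# NT hash: unsalted MD4 over the UTF-16LE encoding of the password.
def nt_hash(password)
  md4_hex(password.encode("UTF-16LE"))
end

# Steps 1-3 of the slide: hash every guess and look it up in the set of
# obtained hashes. Returns {hash => recovered password}. Because NT hashes
# are unsalted, one hash computation per guess covers the whole hash list.
def dictionary_check(obtained_hashes, wordlist)
  targets = obtained_hashes.map(&:downcase).to_set
  recovered = {}
  wordlist.each do |guess|
    h = nt_hash(guess)
    recovered[h] = guess if targets.include?(h)
  end
  recovered
end

# Constructed sample input: two hashes derived here from made-up passwords,
# plus the hash of "password" quoted on the slide.
SAMPLE_HASHES = [
  nt_hash("Milwaukee1"),
  nt_hash("BadgersFan!"),
  "8846f7eaee8fb117ad06bdd830b7586c",
].freeze

# "milwaukee1" will not match: NT hashes are case-sensitive, which is why a
# downcased wordlist is normally paired with case-toggling rules.
SAMPLE_WORDLIST = %w[apple banana cherry password milwaukee1 BadgersFan!].freeze

if __FILE__ == $PROGRAM_NAME
  dictionary_check(SAMPLE_HASHES, SAMPLE_WORDLIST).each { |h, pw| puts "#{h}  #{pw}" }
end
```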
Primer’s done
• Let’s move on to Wordsmith
A quick re-cap on Wordsmith
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists
What kind of geo-location data is in a wordlist?
• Landmarks
• Sports teams
• Cities, towns, etc.
• Streets/Roads
• Zip codes
• Area codes
• Common names
• Colleges
Why geo-location data?
• Saw more geo-location related passwords during engagements
• Thought it would be a cool project
• Improve overall password cracking efficacy
• Limit guess-encrypt-compare cycles
Where is all of this data coming from?
• Wikipedia, US Census and Open Street Map
How Wordsmith works
Wordsmith files
• Initial git clone (~20 MB)
First run
• On first run, data.tar.gz is unpacked (1 second, 175 MB)
File structure and data lookup
• ./wordsmith/data/
• All lookups are done offline (speed & efficiency).
What does a wordlist look like?
Each word is kept in its original form (special characters included):
Freemont St.

You can also use the “-m” flag for basic mangling:
Freemont St.
Freemont St
Freemont
St.
St
FreemontSt.
FreemontSt

Post-processing:
• Sort & uniq to remove all duplicate words
• downcase()
• Min character length
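The mangling and post-processing shown on this slide, as an added example that is not Wordsmith's own code: the exact rules behind the -m flag are assumed here from the “Freemont St.” illustration (strip punctuation, split on whitespace, join the tokens), followed by the downcase, minimum-length and sort & uniq passes. The sample entries and the default minimum length of 4 are constructed for the example.

```ruby
# Basic mangling, assumed from the slide's "Freemont St." illustration:
# the original, the original without punctuation, each whitespace token
# with and without punctuation, and the tokens joined with and without it.
def mangle(word)
  punct = /[^[:alnum:][:space:]]/
  bare = word.gsub(punct, "")
  tokens = word.split
  variants = [word, bare]                               # "Freemont St.", "Freemont St"
  variants.concat(tokens)                               # "Freemont", "St."
  variants.concat(tokens.map { |t| t.gsub(punct, "") }) # "Freemont", "St"
  variants << tokens.join                               # "FreemontSt."
  variants << bare.split.join                           # "FreemontSt"
  variants.uniq
end

# Build the final list: optional mangling, then downcase, drop words shorter
# than min_len, then sort and uniq. min_len's default is an assumption.
def build_wordlist(words, mangling: true, min_len: 4)
  candidates = mangling ? words.flat_map { |w| mangle(w) } : words
  candidates.map(&:downcase).reject { |w| w.length < min_len }.sort.uniq
end

# Constructed sample entries standing in for one state's data files.
SAMPLE_WORDS = ["Freemont St.", "Milwaukee", "Green Bay", "WI"].freeze

if __FILE__ == $PROGRAM_NAME
  puts build_wordlist(SAMPLE_WORDS)
end
```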
Demo time
Statistics and results
Pre-requisites
• Hash cracking rig
• Get our hands on REAL NTLM hashes
  – Massachusetts: 404 hashes
  – Wisconsin: 2011 hashes
  – New York: 542 hashes
Hash cracking rig
• Software
  – hashcat.net
• Hardware
  – NVidia GRID K520
  – 3617 MH/s – nothing too crazy, but it does the trick (1 MH/s is 1,000,000 hashes per second)
• Build your own cracking rig: https://www.popped.io/2016/07/steps-to-create-aws-hash-cracking-rig.html
Test Cases
• Crack hashes for each U.S. State using common wordlists and rules
• Crack hashes for each U.S. State using a Wordsmith wordlist for the particular State
• ruby wordsmith.rb -s WI -a -m -o wi.txt

State          NTLM Hashes   Wordsmith Wordlist
Wisconsin      2011          112k
Massachusetts  404           82k
New York       542           158k
Input Parameters for Cracking Session
1. Guess
2. Encrypt
3. Compare

Wordlists:
• Top10k (10k)
• Rockyou (14.4m)
• Wordsmith: WI, MA, NY

Hash type: NTLM (NT)
• Based on MD4
• Common on Active Directory domains

Hashes obtained from various clients:
• Wisconsin-hashes.txt (2011 hashes)
• Massachusetts-hashes.txt (404 hashes)
• Newyork-hashes.txt (542 hashes)

Rule set:
• D3adhob0 (57.5k rules)
Results!
Wisconsin results
• 2011 NTLM Hashes

Wordlist                     Hashcat run time   Passwords recovered
Top10k (10k words)           2 secs             237 (12%)
Rockyou (14.4m words)        27 mins            1094 (54%)
Wisconsin.txt (112k words)   12 secs            229 (11%)
Total recovered                                 77%
Massachusetts results
• 404 NTLM Hashes

Wordlist                        Hashcat run time   Passwords recovered
Top10k (10k words)              1 sec              52 (13%)
Rockyou (14.4m words)           24 mins            262 (65%)
Massachusetts.txt (82k words)   12 secs            56 (14%)
Total recovered                                    92%
New York results
• 542 NTLM Hashes

Wordlist                    Hashcat run time   Passwords recovered
Top10k (10k words)          1 sec              0
Rockyou (14.4m words)       26 mins            220 (41%)
Newyork.txt (158k words)    22 secs            59 (11%)
Total recovered                                52%
Conclusions
• Identifying proper nouns unique to location
• Time-CPU cycle tradeoff
• At least 11% of passwords recovered in < 20 seconds
Next Steps for Wordsmith
• Data!
  – Team rosters, mascots, stadiums
  – Famous people
  – State symbols
  – Motto, song, bird, flower, etc.
  – Regional food, cuisine, agriculture
  – (h/t Larry Pesce - @haxorthematrix)
• Design
  – Modular
  – Extend to provinces, territories, countries
  – Integrate data look up by coordinates
Suggestions?
• Important to maintain, expand, and improve
• Got any additional data sources or features?
• Pull requests, submit issues, comment, share: https://github.com/skahwah/wordsmith
Questions?
Tom’s the guy with the beard: www.porterhau5.com, @porterhau5
Sanjiv’s the Canadian: www.popped.io, @skawasec
https://github.com/skahwah/wordsmith
