Угадываем пароль за минуту

1. Brute-Forced in Sixty Seconds ptsecurity.com Nikolay Anisenya nanisenya@ptsecurity.com

2. What will be discussed

3. What will be discussed ptsecurity.com Pentesters often deal with corporative services (mail, portal, etc.) which exposes only authorization form and the rest part is accessible only for authorized users. In case the service has fairly safe authorization form the only way to fully explore the application is to have correct login/password pair.

4. What will be discussed ptsecurity.com Getting login/password pair for online service Ask customer Social Engineering Cracking login/password pairs brute forcing username listing/enumeration or have some from open sources brute force attack dictionary attack network bandwidth server performance account lockouts tarpitting detection in logs and IDS changing passwords Online password cracking issues to consider Which one to use? Too slow, need to speed up

5. What will be discussed ptsecurity.com Getting login/password pair for online service Ask customer Social Engineering Cracking login/password pairs brute forcing username listing/enumeration or have some from open sources brute force attack dictionary attack network bandwidth server performance account lockouts tarpitting detection in logs and IDS changing passwords Online password cracking issues to consider Which one to use? Too slow, need to speed up

6. What will be discussed ptsecurity.com Wordlists: which one to use? Wordlist should: - be large enough to increase probability of successful attack - be small enough to - complete attack in time - not lead to account lockouts - make attack harder for detecting - meet password policy requirements of the service In other words, the wordlist should contain only suitable passwords most likely to be used. Our goal is to get at least 1 valid login/password pair with a minimum number of requests

7. Minimize size & Maximize density

8. Minimize size & Maximize density ptsecurity.com Maximize high probable passwords density Minimize dictionary size Small wordlists: top100, top500, etc. Wordlists with count Heuristic methods – just guessing and improvisation! Generate dictionary using password rules lists Generate sorted password rules list Use existing wordlists Or make your own

9. Heuristic methods: The story of ZAQ!

10. Heuristic methods: the story of ZAQ! ptsecurity.com Hi! I’m Zack But it’s a completely different story

11. Heuristic methods: the story of ZAQ! ptsecurity.com ZAQ!xsw2 Pentest. Was given an account with default password: ZAQ!xsw2 What if there is someone else who uses the same password? 15/500 users do Not bad, but what if… 1 1 2

12. Heuristic methods: the story of ZAQ! ptsecurity.com What if there are more tricky users and they have changed the combination rule slightly? 21 2 1 1 2 1 1 2 Tried only suitable of all possible variations of these rules. 15 passwords total. And what? +10/500 users are OWNED Maybe there are few more? Few more similar keyboard combinations and their variations. It took more time to try about 6000 combinations against each user. The result was not so cool but +3/500 accounts are compromised Thanks to creative users 1 2 1 23 4

13. Heuristic methods: the story of ZAQ! ptsecurity.com 1 ∉ZAQ!xsw2 and other 15 candidates 15 10 3 Summary Interesting facts KeyboardCombinations.txt 9801 lines … zaq1zaq1 zaq1xsw2 … 63`941 `069 lines ∈ZAQ!xsw2 and other 15 candidates In some cases you can test your heuristic offline realhuman_phill.txt

14. Password rules

15. Someone already has ptsecurity.com In our universe In parallel universe People use the same username modification rules when register to pick the free one. What if they use the same password modification rules to meet password policy requirements?

16. Password rules ptsecurity.com Hashcat password rules example Name Function Description Example Rule Input Word Output Word Nothing : Do nothing : password password Lowercase l Lowercase all letters l AlicE alice Capitalize c Capitalize the first letter and lower the rest c paSSwoRd Password Append Character $X Append character X to end $1 qwerty qwerty1 Replace sXY Replace all instances of X with Y ss$ Password Pa$$word Duplicate last N ZN Dulicates last character N times Z2 hackmeplz hackmeplzzz

17. Password rules ptsecurity.com You can take sorted rule file $<space> l $1 i4 i5 c t i3 i6 $2 and base words file password nikolay qwerty password password password1 pass word passw ord Password PASSWORD pas sword passwo rd password2 nikolay nikolay nikolay1 niko lay nikol ay Nikolay NIKOLAY nik olay nikola y nikolay2 qwerty qwerty qwerty1 qwer ty qwert y Qwerty QWERTY qwe rty qwerty qwerty2 Then generate wordlist applying each rule to each base word. - <space> character

18. Password rules problems ptsecurity.com - Available password rule lists are mostly handmade. Only several of them are grouped or sorted. - Common rule generation methods (from password masks or random rules) take a lot of time and computational resources. They also have a lot of garbage in the result. - Truly powerful password rule lists are kept in secret.

19. Password templates

20. How most people create their passwords ptsecurity.com Steps Example 1. Choose the base: word, number, name, date, etc. 2. Modify base: capitalize, lowercase, substitue, … 3. Choose prefix 4. Choose suffixes 5. Choose postfix 1. Base = {password} 2. password -> P@ssw0rd 3. Prefix = zZz 4. Postfix = xXx Result: zZzP@ssw0rdxXx 1. Base = {nikolay,18.05.1992} 2. nikolay -> Nikolay 18.05.1992 -> may1992 3. Prefix = qwe 4. Suffix = ! Result: qweNikolay!may1992 Assume that password is not random and not a keyboard combination

21. Password templates ptsecurity.com Consider the simple case: the base consists of a single word. Suppose we have the following password dictionary: madIson123 1viKING internet1 Sandra123 qwerty123 Knights Natasha12 maggie1 hello1 pAssw0rd1 1RainBow turtles CowBoys lucky12 abdullah1 qwertyuiop1 matthews WaRrIoRs SuperMan1 DRAGon1 julia1 sTUPIDs 1adidas 1RUSSIA dolphins mASTER1 Now we need list of common words – base words. Then cut out them from each password in dictionary. Ideally we need to cut out as much as possible modifications of base words but for simplicity let’s do this only for case modifications. (***)123 1(***) (***)1 (***)123 qwerty123 (***)s (***)12 (***)1 (***)1 pAssw0rd1 1(***) (***)s (***)s (***)12 (***)1 qwertyuiop1 (***)s (***)s (***)1 (***)1 (***)1 (***)s 1(***) 1(***) (***)s (***)1

22. Password templates ptsecurity.com (***)123 1(***) (***)1 (***)123 qwerty123 (***)s (***)12 (***)1 (***)1 pAssw0rd1 1(***) (***)s (***)s (***)12 (***)1 qwertyuiop1 (***)s (***)s (***)1 (***)1 (***)1 (***)s 1(***) 1(***) (***)s (***)1 (***)123 (***)123 1(***) 1(***) 1(***) 1(***) (***)s (***)s (***)s (***)s (***)s (***)s (***)s (***)12 (***)12 (***)1 (***)1 (***)1 (***)1 (***)1 (***)1 (***)1 (***)1 Remove passwords which do not contain words from dictionary and their simple modifications Group the rest lines, count lines in each group and sort in descending order 8 (***)1 7 (***)s 4 1(***) 2 (***)123 2 (***)12

23. Password templates to rules ptsecurity.com Then translate result templates to hashcat password rule language Count Template Rule Description 8 (***)1 $1 Append 1 7 (***)s $s Append s 4 1(***) ^1 Prepend 1 2 (***)123 $1 $2 $3 Append 123 2 (***)12 $1 $2 Append 12 We can do the same for base word modifications Count Example Rule Description 10 hello : Do nothing 3 Sandra c Capitalize the first letter 2 mASTER C Invert capitalize Rules with count 1 are ignored

24. Password templates to rules ptsecurity.com Count Template Rule Description 8 (***)1 $1 Append 1 7 (***)s $s Append s 4 1(***) ^1 Prepend 1 2 (***)123 $1 $2 $3 Append 123 2 (***)12 $1 $2 Append 12 Count Example Rule Description 10 hello : Do nothing 3 Sandra c Capitalize the first letter 2 mASTER C Invert capitalize Preference Score Rule 80 : $1 70 : $s 40 : ^1 24 c $1 21 c $s 20 : $1 $2 $3 20 : $1 $2 16 C $1 14 C $s 12 c ^1 ... ... ×

25. Some base words statistics ptsecurity.com 0 500 1000 1500 2000 2500 3000 10 20 30 40 50 100Words of “top-500-pass.txt” in 1 million passwords wordlist Rating position 0 500 1000 1500 10 20 30 40 50 100 Names in 1 million passwords wordlist Passwords Rating position Passwords Base words distribution Top 10 names yankee william angel james young power david sasha happy chris Top 10 words of top-500-pass.txt 2000 love 12345 wolf pass william star chris king 123456 Other Names 5-30% top-500-pass.txt 8-10% Corporate logins often contain last names and initials. It’s not difficult to find full names and other personal data in social networks. We can use them as base words in rule- based attack.

26. Generated rules analysis ptsecurity.com 0 100 200 300 400 500 600 700 800 900 1000 10 20 30 40 50 100 top-500-pass.txt and name templates (prefixes/postfixes) preference comparison Passwords Rating position Top500 templates are sorted in descending order. Name templates list contains Top500-specific templates with password number of 0. Name templates are sorted in Top500 templates list order. Case modification rules distribution Top 10 password rules Example Rule Description Base word Password l $1 Lowercase, append 1 password password1 l $s Lowercase, append s dragon dragons l $2 Lowercase, append 2 dolphin dolphin2 l ^1 Lowercase, prepend 1 Nikolay 1nikolay c $1 Capitalize, append 1 welcome Welcome1 u $1 Uppercase, append 1 William WILLIAM1 c $s Capitalize, append s king Kings c $2 Capitalize, append 2 pass Pass2 c ^1 Capitalize, prepend 1 James James1 u $s Uppercase, append s Yankee YANKEES ... ... ... ... Uppercase 2.7% Other 1.3% Capitalize 8% Lowercase 88%

27. Brute-Forced in Sixty Seconds ptsecurity.com Thank you! Any questions? Take small base word list Prepare password rules lists Collect additional information about victims Test locally user- independent wordlists on large dictionary Crack online Generate both user- dependent and user- independent wordlists

Угадываем пароль за минуту

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

Угадываем пароль за минуту

Plus De Contenu Connexe

Diaporamas pour vous (20)

Les utilisateurs ont également aimé (20)

Similaire à Угадываем пароль за минуту (20)

Plus par Positive Hack Days (20)

Plus récents (20)