Hey, I just met you, and this is crazy, but here's my hashes, so hack me maybe?
Those familiar with password cracking know that KoreLogic's rule set for John the Ripper has become the de facto standard.
However, as with anything technology related, the rules are starting to show their age, specifically the rules that take years into account. So I decided to make a few modifications to the rule set: updating the year-based rules to cover the current and prior years, and reworking some of the rules to eliminate redundancy.
Updating the various rule sets is all well and good, but what about taking it a step further and rearranging the order in which they're applied? Running the complete KoreLogic rule set takes a lot of time, especially against a respectable dictionary and slow or salted hash formats (NTLMv2, crypt, etc.). When you have limited time during a pentest this can be fairly problematic: you want to use the rules that will net you the greatest success in the shortest amount of time, leaving the less successful rules as "Hail Mary passes."
But how do you determine which rules will net the greatest success? Comparing them against one client, or even a few, won't give you the sample size you need. Cue the password study from the Global Security Report; once again (spoiler alert) we are collecting hashes for the 2013 Global Security Report. Using the more than 2 million hashes collected so far as a sample that crosses industries and geographic regions and covers both large and small businesses, we can get an idea of which rules, statistically speaking, give the highest probability of cracking a password. By ordering the rules accordingly, one can hope to crack a large percentage of a hash set within the first few hours.
To get these numbers I ran each KoreLogic rule individually, with a respectable dictionary, against the full set of hashes, recorded the number of successfully cracked hashes and how long the rule took to run to completion, then deleted the results and started again with the next rule until every rule had been measured. From this I could determine which rules netted the greatest result and the time each one cost.
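The per-rule measurement described above, as an added example that is not part of the original post or the SpiderLabs repository: a shell harness that runs one John the Ripper (jumbo) rule at a time against the hash file, using a fresh pot file for every run so cracked results don't bleed from one rule into the next, and prints a row in the same Rule | Cracked | Percentage | Time layout as the table. It assumes the KoreLogic rules have been merged into a john.conf as `[List.Rules:KoreLogicRules...]` sections (the naming the published file uses), that the hashes are NT hashes (`--format=nt`), and that the `--pot`, `--rules=NAME` and `--config` options are available, as they are in jumbo builds. The `SampleAppendPrepend1to4` section embedded below is a constructed illustration of John's `[0-9]` preprocessor class, not the rule the second table calls PrependAppend1-4.

```shell
#!/bin/sh
# Per-rule benchmark harness (added example, not the SpiderLabs script).
# Assumes John the Ripper jumbo with the KoreLogic rules merged into a
# john.conf as [List.Rules:KoreLogicRules<Name>] sections.
set -u

# Print every rule section name in a john.conf-style file, one per line:
# "[List.Rules:KoreLogicRulesL33t]" -> "KoreLogicRulesL33t".
list_rules() {
    sed -n 's/^\[List\.Rules:\([A-Za-z0-9_-]*\)\].*$/\1/p' "$1"
}

# Format a duration in seconds in the HHhr:MMmin:SSsec layout used above.
fmt_time() {
    printf '%02dhr:%02dmin:%02dsec' $(( $1 / 3600 )) $(( $1 % 3600 / 60 )) $(( $1 % 60 ))
}

# Percentage of cracked hashes to three decimals (awk, so no bc dependency).
pct() {
    awk -v c="$1" -v t="$2" 'BEGIN { v = (t > 0) ? 100 * c / t : 0; printf "%.3f", v }'
}

# Run ONE rule against the hash file with a private pot file, then report
# "rule | cracked | percentage% | time". Deleting the pot afterwards is the
# "delete the results and start again" step from the post.
bench_rule() {
    rule=$1; hashes=$2; wordlist=$3; conf=$4; total=$5
    pot=$(mktemp)
    start=$(date +%s)
    john --config="$conf" --format=nt --wordlist="$wordlist" --rules="$rule" \
         --pot="$pot" --session="bench-$rule" "$hashes" >/dev/null 2>&1
    end=$(date +%s)
    cracked=$(wc -l < "$pot" | tr -d ' ')   # one pot line per cracked hash
    rm -f "$pot"
    printf '%s | %s | %s%% | %s\n' "$rule" "$cracked" \
        "$(pct "$cracked" "$total")" "$(fmt_time $((end - start)))"
}

# Benchmark every KoreLogic rule in CONF and print the table sorted by yield.
run_all() {
    hashes=$1; wordlist=$2; conf=$3
    total=$(sort -u "$hashes" | wc -l | tr -d ' ')   # unique hashes loaded
    for r in $(list_rules "$conf" | grep '^KoreLogicRules'); do
        bench_rule "$r" "$hashes" "$wordlist" "$conf" "$total"
    done | sort -t'|' -k2 -nr
}

# Constructed sample config (not the real KoreLogic file) so list_rules can be
# exercised offline. Each [0-9] in a rule expands to ten rules, so the four
# append lines alone generate 10 + 100 + 1,000 + 10,000 rules; that factor of
# ten per digit is why 5- and 6-digit appends cost hours instead of minutes.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[List.Rules:SampleAppendPrepend1to4]
$[0-9]
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]
^[0-9]
^[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]^[0-9]
[List.Rules:SampleL33t]
sa@
se3
EOF

# Usage: ./bench.sh hashes.txt wordlist.txt john.conf
# The real benchmark only runs when john is installed and all three
# arguments are given; otherwise the functions above are just defined.
if [ "$#" -eq 3 ] && command -v john >/dev/null 2>&1; then
    run_all "$@"
fi
```

The harness times each rule with wall-clock seconds, which is what matters for the "how much do I get in the first few hours" question; because NT is unsalted, the count of loaded hashes barely moves these numbers, while the wordlist size and the number of rules the preprocessor expands to move them directly.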
Below is a table of the results including the percentage of hashes cracked:
Rule | Cracked | Percentage | Time
--- | --- | --- | ---
AppendJustNumbers | 865,303 | 30.814% | 00hr:18min:24sec
L33t | 740,824 | 26.381% | 00hr:01min:34sec
ReplaceNumbers | 736,767 | 26.237% | 00hr:00min:24sec
AddJustNumbersLimit8 | 584,001 | 20.797% | 00hr:03min:54sec
AppendNumbers_and_Specials_Simple | 549,465 | 19.567% | 00hr:57min:38sec
ReplaceLetters | 429,826 | 15.306% | 00hr:00min:40sec
ReplaceLettersCaps | 215,115 | 7.660% | 00hr:00min:13sec
Append4Num | 136,360 | 4.856% | 00hr:18min:35sec
AppendYears | 52,711 | 1.877% | 00hr:00min:26sec
AppendJustSpecials | 30,501 | 1.086% | 00hr:01min:46sec
ReplaceSpecial2Special | 28,062 | 0.999% | 00hr:00min:20sec
AppendNum_AddSpecialEverywhere | 24,378 | 0.868% | 00hr:04min:58sec
PrependNumNum | 21,980 | 0.783% | 00hr:00min:24sec
AppendNumNum_AddSpecialEverywhere | 21,880 | 0.779% | 00hr:48min:16sec
Append2NumSpecial | 18,111 | 0.645% | 00hr:05min:40sec
Append5Num | 16,761 | 0.597% | 03hr:04min:07sec
PrependNumNumNum | 15,557 | 0.554% | 00hr:02min:19sec
PrependNumNumNumNum | 15,148 | 0.539% | 00hr:20min:47sec
Append2Letters | 13,682 | 0.487% | 00hr:02min:30sec
AppendSpecialNumberNumber | 13,235 | 0.471% | 00hr:05min:42sec
Add1234_Everywhere | 13,208 | 0.470% | 00hr:00min:13sec
ReplaceNumbers2Special | 11,789 | 0.420% | 00hr:00min:14sec
Append6Num | 11,262 | 0.401% | 28hr:58min:53sec
Append3NumSpecial | 7,985 | 0.284% | 00hr:54min:00sec
AppendNumNumNum_AddSpecialEverywhere | 7,863 | 0.280% | 09hr:08min:04sec
Prepend2NumbersAppend2Numbers | 7,609 | 0.271% | 00hr:21min:06sec
AppendSpecial4num | 6,576 | 0.234% | 09hr:22min:31sec
Append1_AddSpecialEverywhere | 6,545 | 0.233% | 00hr:00min:46sec
PrependSeason | 5,905 | 0.210% | 00hr:00min:41sec
Append4NumSpecial | 5,501 | 0.196% | 08hr:56min:19sec
AppendYears_AddSpecialEverywhere | 4,221 | 0.150% | 00hr:45min:24sec
AppendSpecial3num | 3,671 | 0.131% | 00hr:51min:30sec
AppendSpecialNumberNumberNumber | 3,671 | 0.131% | 00hr:55min:57sec
MonthsFullPreface | 3,383 | 0.120% | 00hr:00min:13sec
Add2010Everywhere | 3,151 | 0.112% | 00hr:00min:14sec
Prepend4LetterMonths | 2,938 | 0.105% | 00hr:00min:13sec
PrependJustSpecials | 2,628 | 0.094% | 00hr:01min:54sec
AddShortMonthsEverywhere | 2,282 | 0.081% | 00hr:01min:09sec
PrependYears | 1,716 | 0.061% | 00hr:00min:17sec
PrependHello | 1,696 | 0.060% | 00hr:00min:16sec
AppendCap-Num_or_Special-Twice | 1,430 | 0.051% | 01hr:17min:22sec
PrependDaysWeek | 1,417 | 0.050% | 00hr:06min:21sec
PrependNumNumAppendSpecial | 1,295 | 0.046% | 00hr:05min:59sec
AppendJustSpecials3Times | 816 | 0.029% | 00hr:56min:03sec
PrependAndAppendSpecial | 648 | 0.023% | 00hr:01min:58sec
PrependNumNumSpecial | 477 | 0.017% | 00hr:06min:26sec
Prepend4NumAppendSpecial | 379 | 0.013% | 10hr:29min:17sec
DevProdTestUAT | 370 | 0.013% | 00hr:00min:13sec
AppendMonthDay | 330 | 0.012% | 00hr:02min:10sec
AppendCurrentYearSpecial | 311 | 0.011% | 00hr:00min:15sec
AppendSpecialLowerLower | 239 | 0.009% | 00hr:33min:27sec
PrependSpecialSpecial | 192 | 0.007% | 00hr:02min:15sec
PrependSpecialSpecialAppendNumbersNumber | 157 | 0.006% | 02hr:14min:19sec
PrependSpecialSpecialAppendNumber | 129 | 0.005% | 00hr:12min:53sec
AppendSeason | 124 | 0.004% | 00hr:00min:42sec
PrependCAPCAPAppendSpecial | 104 | 0.004% | 00hr:21min:15sec
PrependNumNum_AppendNumSpecial | 99 | 0.004% | 00hr:59min:41sec
PrependSpecialSpecialAppendNumbersNumberNumber | 38 | 0.001% | 22hr:46min:12sec
AddDotCom | 22 | 0.001% | 00hr:00min:12sec
AppendMonthCurrentYear | 8 | 0.000% | 00hr:00min:13sec
As you can see, the number of cracked hashes drops off significantly after ReplaceLettersCaps. However, there are some rules that in my opinion should still be applied, specifically the ones that prepend and append numbers, given that our top rule was AppendJustNumbers. The extra time those few rules cost seems a worthwhile compromise when you look at their success. Based on this information, here's the list of rules I'm proposing, complete with modifications and rule additions:
Rule | Cracked | Time | Notes
--- | --- | --- | ---
PrependAppend1-4 | 909,146 | 00hr:39min:16sec | Replaced AppendJustNumbers
L33t | 740,824 | 00hr:01min:30sec |
ReplaceNumbers | 736,767 | 00hr:00min:23sec |
AddJustNumbersLimit8 | 584,001 | 00hr:03min:51sec |
AppendNumbers_and_Specials_Simple | 549,465 | 01hr:05min:11sec |
ReplaceLetters | 429,826 | 00hr:00min:42sec |
ReplaceLettersCaps | 215,115 | 00hr:00min:13sec |
Append4Num | | | Included in AppendJustNumbers
AppendYears | | | Included in AppendJustNumbers
AppendJustSpecials | 30,501 | 00hr:01min:56sec |
ReplaceSpecial2Special | 28,062 | 00hr:00min:19sec |
AppendNum_AddSpecialEverywhere | 24,378 | 00hr:06min:10sec |
PrependNumNum | | | Included in AppendJustNumbers
AppendNumNum_AddSpecialEverywhere | 21,880 | 00hr:56min:53sec |
Append2NumSpecial | 18,111 | 00hr:05min:38sec |
Append5Num | 16,761 | 02hr:53min:16sec |
PrependNumNumNum | | | Included in AppendJustNumbers
PrependNumNumNumNum | | | Included in AppendJustNumbers
Append2Letters | 13,682 | 00hr:02min:28sec |
AppendSpecialNumberNumber | 13,235 | 00hr:05min:36sec |
Add1234_Everywhere | 13,208 | 00hr:00min:12sec |
ReplaceNumbers2Special | 11,789 | 00hr:00min:13sec |
Append6Num | 11,262 | 28hr:22min:48sec |
Append3NumSpecial | 7,985 | 00hr:59min:20sec |
AppendNumNumNum_AddSpecialEverywhere | 7,863 | 09hr:18min:31sec |
Prepend2NumbersAppend2Numbers | 7,609 | 00hr:20min:00sec |
Add2011Everywhere | 6,773 | 00hr:00min:14sec | New Rule
AppendSpecial4num | 6,576 | 08hr:34min:30sec |
Append1_AddSpecialEverywhere | 6,545 | 00hr:00min:46sec |
PrependAppendSeason | 6,072 | 00hr:06min:36sec | Replaced KoreRulesPrependSeason
Append4NumSpecial | 5,501 | 08hr:13min:32sec |
AppendYears_AddSpecialEverywhere | 4,221 | 00hr:37min:14sec |
AppendSpecial3num | 3,671 | 00hr:43min:48sec |
AppendSpecialNumberNumberNumber | 3,671 | 00hr:45min:14sec |
MonthsFullPreface | 3,383 | 00hr:00min:11sec |
Add2010Everywhere | 3,151 | 00hr:00min:14sec |
PrependMonthAbbrev | 4,265 | 00hr:00min:13sec | Replaced Prepend4LetterMonths
PrependJustSpecials | 2,628 | 00hr:01min:39sec |
AddShortMonthsEverywhere | 2,282 | 00hr:00min:51sec |
PrependYears | | | Included in AppendJustNumbers
PrependHello | 1,698 | 00hr:00min:31sec | Added more l33t characters
Add2012Everywhere | 1,498 | 00hr:00min:12sec | New Rule
AppendCap-Num_or_Special-Twice | 1,430 | 01hr:05min:18sec |
PrependDaysWeek | 1,417 | 00hr:13min:47sec | Added more l33t characters
PrependNumNumAppendSpecial | 1,295 | 00hr:04min:55sec |
Append2011Special | 850 | 00hr:00min:15sec | New Rule
AppendJustSpecials3Times | 816 | 00hr:43min:28sec |
PrependAndAppendSpecial | 648 | 00hr:01min:39sec |
PrependNumNumSpecial | 477 | 00hr:04min:59sec |
Append2012Special | 383 | 00hr:00min:16sec | New Rule
Prepend4NumAppendSpecial | 379 | 08hr:42min:23sec |
DevProdTestUAT | 370 | 00hr:00min:11sec |
AppendMonthDay | 330 | 00hr:02min:00sec |
Append2010Special | 311 | 00hr:00min:16sec | Replaced AppendCurrentYearSpecial
AppendSpecialLowerLower | 239 | 00hr:30min:13sec |
PrependSpecialSpecial | 192 | 00hr:01min:43sec |
PrependSpecialSpecialAppendNumbersNumber | 157 | 01hr:49min:40sec |
PrependSpecialSpecialAppendNumber | 129 | 00hr:11min:43sec |
AppendSeason | | | Included in PrependAppendSeason
PrependCAPCAPAppendSpecial | 104 | 00hr:22min:39sec |
PrependNumNum_AppendNumSpecial | 99 | 01hr:01min:12sec |
AddTLD | 72 | 00hr:00min:42sec | Replaced AddDotCom, Added all TLDs
PrependSpecialSpecialAppendNumbersNumberNumber | 38 | 19hr:49min:25sec |
AppendMonth2011 | 24 | 00hr:00min:13sec | New Rule
AppendMonth2010 | 8 | 00hr:00min:15sec | Replaced AppendMonthCurrentYear
AppendMonth2012 | 7 | 00hr:00min:15sec | New Rule
After looking at these rules, here are a few answers to questions you might have:
- Why are you not including 5 and 6 digits in PrependAppend1-4?
- It's simply a time versus success tradeoff. Every extra digit multiplies the candidate count by ten, so cracking a 5th and 6th digit takes a significant amount of time with very little result (the first table bears this out: Append5Num ran for three hours and Append6Num for nearly 29 hours, each netting under 0.6%), whereas 1-4 digits take very little time and achieve extremely high success.
- Why are the 2012-based rules netting so little success?
- While I don't have concrete evidence, my guess is that users have not yet had enough opportunity to change their passwords. We've been collecting hashes since the 1st of the year, and given an average corporate password expiration policy of approximately 90 days, users may have changed their password only once or twice during 2012, depending on when the hashes were collected.
- What wordlist size and hardware were used to crack the hashes?
- 8 x 2.6GHz AMD Opteron cores (Bulldozer) and a 1,167,382-word dictionary. Remember, since NT hashes are unsalted, the number of hashes you are attempting to crack does not affect the cracking time (ignoring possible program inefficiencies with very large hash lists): each candidate is hashed once and compared against every loaded hash. The dictionary size and the hardware do factor into the time.
I've uploaded the updated ruleset with a few variations to the SpiderLabs github in the following formats:
- All rules built into 1 main John ruleset (Eliminates the need for loops in scripts)
- All rules but kept separated
- Top 7 based on stats built into 1 main John ruleset
- Top 7 but kept separated
We hope to make further updates in the future, and suggestions are definitely welcome; feel free to clone the repository.