SpiderLabs Blog

Hey, I just met you, and this is crazy, but here's my hashes, so hack me maybe?

Written by | Sep 25, 2012 1:13:00 PM

Those familiar with password cracking know that KoreLogic's rule set for John the Ripper has become the de facto standard for password cracking.

However, as with anything technology related, the rules are slightly starting to show their age, specifically with rules designed to take into account years. So, I decided to take on the task of making a few modifications to the rule set, this includes updating them to take into account the current and prior year, but also reworking some of the rules to eliminate some redundancy.

While updating the various rule sets is fine and dandy, but what about taking it a step further and rearranging the order in which they're applied? Running the complete KoreLogicrule set takes a lot of time, especially when running them against a respectable dictionary and salted hashes (NTLMv2, Crypt, etc...) When you have limited time during a pentest this can be fairly problematic - you want to utilize the rules that will net youthe greatest amount of success in the shortest amount of time, leaving the less successful rules as "Hail Mary passes."

But how do you determine what rules will net the greatest success? Comparing them against one client or even a few clients isn't going to give you the sample size you're looking for. It's time to queue the password study from the Global Security Report; once again (spoiler alert) we are collecting hashes to perform a study on for the 2013 Global Security Report. Using over 2 million hashes that have been collected so far as a sample size that cross industries, geographic regions, and encompass large and small businesses, we can give ourselves an idea of which rules statistically speaking will give us the highest probability of cracking a password. Then by ordering these rules properly, one can hope to crack a large percentage of their hashes within the first few hours of cracking.

What I did to achieve these rules was use each KoreLogic rule individually with a respectable dictionary against the set of hashes, capture the number of successfully cracked hashes, then delete the results and start again with the next rule until I had results for each rule. From this I was able to determine which rules netted us the greatest result, and the time it took to completely run each rule.

Below is a table of the results including the percentage of hashes cracked:

Rule   Cracked   Percentage   Time
AppendJustNumbers   865,303   30.814%   00hr:18min:24sec
L33t   740,824   26.381%   00hr:01min:34sec
ReplaceNumbers   736,767   26.237%   00hr:00min:24sec
AddJustNumbersLimit8   584,001   20.797%   00hr:03min:54sec
AppendNumbers_and_Specials_Simple   549,465   19.567%   00hr:57min:38sec
ReplaceLetters   429,826   15.306%   00hr:00min:40sec
ReplaceLettersCaps   215,115   7.660%   00hr:00min:13sec
Append4Num   136,360   4.856%   00hr:18min:35sec
AppendYears   52,711   1.877%   00hr:00min:26sec
AppendJustSpecials   30,501   1.086%   00hr:01min:46sec
ReplaceSpecial2Special   28,062   0.999%   00hr:00min:20sec
AppendNum_AddSpecialEverywhere   24,378   0.868%   00hr:04min:58sec
PrependNumNum   21,980   0.783%   00hr:00min:24sec
AppendNumNum_AddSpecialEverywhere   21,880   0.779%   00hr:48min:16sec
Append2NumSpecial   18,111   0.645%   00hr:05min:40sec
Append5Num   16,761   0.597%   03hr:04min:07sec
PrependNumNumNum   15,557   0.554%   00hr:02min:19sec
PrependNumNumNumNum   15,148   0.539%   00hr:20min:47sec
Append2Letters   13,682   0.487%   00hr:02min:30sec
AppendSpecialNumberNumber   13,235   0.471%   00hr:05min:42sec
Add1234_Everywhere   13,208   0.470%   00hr:00min:13sec
ReplaceNumbers2Special   11,789   0.420%   00hr:00min:14sec
Append6Num   11,262   0.401%   28hr:58min:53sec
Append3NumSpecial   7,985   0.284%   00hr:54min:00sec
AppendNumNumNum_AddSpecialEverywhere   7,863   0.280%   09hr:08min:04sec
Prepend2NumbersAppend2Numbers   7,609   0.271%   00hr:21min:06sec
AppendSpecial4num   6,576   0.234%   09hr:22min:31sec
Append1_AddSpecialEverywhere   6,545   0.233%   00hr:00min:46sec
PrependSeason   5,905   0.210%   00hr:00min:41sec
Append4NumSpecial   5,501   0.196%   08hr:56min:19sec
AppendYears_AddSpecialEverywhere   4,221   0.150%   00hr:45min:24sec
AppendSpecial3num   3,671   0.131%   00hr:51min:30sec
AppendSpecialNumberNumberNumber   3,671   0.131%   00hr:55min:57sec
MonthsFullPreface   3,383   0.120%   00hr:00min:13sec
Add2010Everywhere   3,151   0.112%   00hr:00min:14sec
Prepend4LetterMonths   2,938   0.105%   00hr:00min:13sec
PrependJustSpecials   2,628   0.094%   00hr:01min:54sec
AddShortMonthsEverywhere   2,282   0.081%   00hr:01min:09sec
PrependYears   1,716   0.061%   00hr:00min:17sec
PrependHello   1,696   0.060%   00hr:00min:16sec
AppendCap-Num_or_Special-Twice   1,430   0.051%   01hr:17min:22sec
PrependDaysWeek   1,417   0.050%   00hr:06min:21sec
PrependNumNumAppendSpecial   1,295   0.046%   00hr:05min:59sec
AppendJustSpecials3Times   816   0.029%   00hr:56min:03sec
PrependAndAppendSpecial   648   0.023%   00hr:01min:58sec
PrependNumNumSpecial   477   0.017%   00hr:06min:26sec
Prepend4NumAppendSpecial   379   0.013%   10hr:29min:17sec
DevProdTestUAT   370   0.013%   00hr:00min:13sec
AppendMonthDay   330   0.012%   00hr:02min:10sec
AppendCurrentYearSpecial   311   0.011%   00hr:00min:15sec
AppendSpecialLowerLower   239   0.009%   00hr:33min:27sec
PrependSpecialSpecial   192   0.007%   00hr:02min:15sec
PrependSpecialSpecialAppendNumbersNumber   157   0.006%   02hr:14min:19sec
PrependSpecialSpecialAppendNumber   129   0.005%   00hr:12min:53sec
AppendSeason   124   0.004%   00hr:00min:42sec
PrependCAPCAPAppendSpecial   104   0.004%   00hr:21min:15sec
PrependNumNum_AppendNumSpecial   99   0.004%   00hr:59min:41sec
PrependSpecialSpecialAppendNumbersNumberNumber   38   0.001%   22hr:46min:12sec
AddDotCom   22   0.001%   00hr:00min:12sec
AppendMonthCurrentYear   8   0.000%   00hr:00min:13se

As you can see, the number of cracked hashes drops off fairly significantly after Replace Letters Caps. However there are some rules that in my opinion should still be applied, specifically ones that prepend and append numbers, given that our top rule was Append Just Numbers. The time tradeoff required for a few additional rules seems like a worthwhile compromise when you look at their success. Based off this information, here's the list of rules that I'm proposing complete with modifications and rule additions:

Rule   Cracked   Time   Notes
PrependAppend1-4   909,146   00hr:39min:16sec   Replaced AppendJustNumbers
L33t   740,824   00hr:01min:30sec    
ReplaceNumbers   736,767   00hr:00min:23sec    
AddJustNumbersLimit8   584,001   00hr:03min:51sec    
AppendNumbers_and_Specials_Simple   549,465   01hr:05min:11sec    
ReplaceLetters   429,826   00hr:00min:42sec    
ReplaceLettersCaps   215,115   00hr:00min:13sec    
Append4Num           Included in AppendJustNumbers
AppendYears           Included in AppendJustNumbers
AppendJustSpecials   30,501   00hr:01min:56sec    
ReplaceSpecial2Special   28,062   00hr:00min:19sec    
AppendNum_AddSpecialEverywhere   24,378   00hr:06min:10sec    
PrependNumNum           Included in AppendJustNumbers
AppendNumNum_AddSpecialEverywhere   21,880   00hr:56min:53sec    
Append2NumSpecial   18,111   00hr:05min:38sec    
Append5Num   16,761   02hr:53min:16sec    
PrependNumNumNum           Included in AppendJustNumbers
PrependNumNumNumNum           Included in AppendJustNumbers
Append2Letters   13,682   00hr:02min:28sec    
AppendSpecialNumberNumber   13,235   00hr:05min:36sec    
Add1234_Everywhere   13,208   00hr:00min:12sec    
ReplaceNumbers2Special   11,789   00hr:00min:13sec    
Append6Num   11,262   28hr:22min:48sec    
Append3NumSpecial   7,985   00hr:59min:20sec    
AppendNumNumNum_AddSpecialEverywhere   7,863   09hr:18min:31sec    
Prepend2NumbersAppend2Numbers   7,609   00hr:20min:00sec    
Add2011Everywhere   6,773   00hr:00min:14sec   New Rule
AppendSpecial4num   6,576   08hr:34min:30sec    
Append1_AddSpecialEverywhere   6,545   00hr:00min:46sec    
PrependAppendSeason   6,072   00hr:06min:36sec  

Replaced KoreRulesPrependSeason
Added more l33t characters
Append4NumSpecial   5,501   08hr:13min:32sec    
AppendYears_AddSpecialEverywhere   4,221   00hr:37min:14sec    
AppendSpecial3num   3,671   00hr:43min:48sec    
AppendSpecialNumberNumberNumber   3,671   00hr:45min:14sec    
MonthsFullPreface   3,383   00hr:00min:11sec    
Add2010Everywhere   3,151   00hr:00min:14sec    
PrependMonthAbbrev   4,265   00hr:00min:13sec  

Replaced Prepend4LetterMonths
Adds 3 letter months
PrependJustSpecials   2,628   00hr:01min:39sec    
AddShortMonthsEverywhere   2,282   00hr:00min:51sec    
PrependYears           Included in AppendJustNumbers
PrependHello   1,698   00hr:00min:31sec   Added more l33t characters
Add2012Everywhere   1,498   00hr:00min:12sec   New Rule
AppendCap-Num_or_Special-Twice   1,430   01hr:05min:18sec    
PrependDaysWeek   1,417   00hr:13min:47sec   Added more l33t characters
PrependNumNumAppendSpecial   1,295   00hr:04min:55sec    
Append2011Special   850   00hr:00min:15sec   New Rule
AppendJustSpecials3Times   816   00hr:43min:28sec    
PrependAndAppendSpecial   648   00hr:01min:39sec    
PrependNumNumSpecial   477   00hr:04min:59sec    
Append2012Special   383   00hr:00min:16sec   New Rule
Prepend4NumAppendSpecial   379   08hr:42min:23sec    
DevProdTestUAT   370   00hr:00min:11sec    
AppendMonthDay   330   00hr:02min:00sec    
Append2010Special   311   00hr:00min:16sec   Replaced AppendCurrentYearSpecial
AppendSpecialLowerLower   239   00hr:30min:13sec    
PrependSpecialSpecial   192   00hr:01min:43sec    
PrependSpecialSpecialAppendNumbersNumber   157   01hr:49min:40sec    
PrependSpecialSpecialAppendNumber   129   00hr:11min:43sec    
AppendSeason           Included in PrependAppendSeason
PrependCAPCAPAppendSpecial   104   00hr:22min:39sec    
PrependNumNum_AppendNumSpecial   99   01hr:01min:12sec    
AddTLD   72   00hr:00min:42sec   Replaced AddDotCom, Added all TLDs
PrependSpecialSpecialAppendNumbersNumberNumber   38   19hr:49min:25sec    
AppendMonth2011   24   00hr:00min:13sec   New Rule
AppendMonth2010   8   00hr:00min:15sec   Replaced AppendMonthCurrentYear
AppendMonth2012   7   00hr:00min:15sec   New Rule

After looking at these rules, here are a few answers to questions you might have:

  • Why are you not including 5 and 6 digits in Prepend Append Just Numbers?
    • It's simply a time versus success tradeoff. Cracking a 5th and 6thdigit takes a significant amount of time to crack with very little result, whereas cracking 1-4 digits not only takes very little time, but achieves extremely high success.
  • Why are 2012 based rules netting little success?
    • While I don't have concrete evidence, my guess would be that users might not have been given enough opportunity to change their password yet. We've been collecting hashes since the 1st of year, and given an average password expiration policy within corporations of approximately 90 days, users may have only changed their password once or twice during 2012 depending on when the hashes were collected.
  • What was the wordlist size and hardware was used to crack the hashes?
    • 8 x 2.6ghz AMD Opteron Cores (Bulldozer) and a 1,167,382word dictionary. Remember, since NT hashes are unsalted, the number of hashes you are attempting to crack will not affect the cracking time, assuming you aren't taking into account possible program inefficiencies with large hash lists. The dictionary size and hardware specifications do factor into the time.

I've uploaded the updated ruleset with a few variations to the SpiderLabs github in the following formats:

  • All rules built into 1 main John ruleset (Eliminates the need for loops in scripts)
  • All rules but kept separated
  • Top 7 based on stats built into 1 main John ruleset
  • Top 7 but kept separated

We'll be hopefully making updates in the future, and suggestions are defintely welcome, feel free to clone the repository.
View full post