Saturday, September 15, 2018

More on password cracking

Some more ideas for password cracking once you've already run dictionary + rules attacks.

lastN or lastN-M (for example last3.txt and last1-4.txt in the script below) is a list of common password suffixes taken from a breach compilation.

The l33tXXX.rule files are leetified rule sets generated from existing rule files - see the Perl script after the bash script:

#!/bin/bash
#
# Follow-up passes over the input file ../32hex.txt (hash type md5), meant to
# run after the plain dictionary+rules pass. Every pass calls hashcrack.py with
# the same input file and hash type; only the wordlist, rule, extra-list and
# mask options differ. Passes run one after another, and because the script
# sets no errexit, a failing pass does not stop the ones that follow.
#
# NOTE(review): the wordlists are read from /root/dict, which suggests the job
# runs as root - confirm; an unprivileged account with read access to the
# wordlists would presumably be enough for this workload.

# Run one hashcrack.py pass. The caller's arguments are appended verbatim,
# in the given order, after the shared input-file and hash-type options.
run_pass() {
  python3 hashcrack.py -i ../32hex.txt -t md5 "$@"
}

# --noinc on these passes: per the original note, "inc" has been done already.
run_pass --noinc -d /root/dict/Top32Million-probable.txt -r rules/nsav2dive.rule
run_pass --noinc -d /root/dict/Top95Thousand-probable.txt -r rules/l33test.rule

# Troy Hunt and other breach-derived lists.
run_pass --noinc -d /root/dict/breachcompilation.txt -r rules/nsav2dive.rule

# "dumb stuff" - default mask file, disabled:
# run_pass --noinc --mask maskfiles/default.hcmask

run_pass -d nb --noinc -e /root/dict/last1-4.txt
run_pass --noinc -d /root/dict/ucth.txt -r rules/nsav2dive.rule
run_pass --noinc -d /root/dict/Top2Billion_probable.txt -r rules/l33t64.rule

# NOTE(review): this is the only pass without --noinc - confirm that is intended.
run_pass -d /root/dict/first1-4.txt -e nb

# Suffix lists (the lastN files) combined with probable-password wordlists.
run_pass --noinc -d /root/dict/Top95Thousand-probable.txt -e /root/dict/last1-4.txt

# Larger suffix combinations, disabled:
# run_pass --noinc -d /root/dict/Top32Million-probable.txt -e /root/dict/last3.txt
# run_pass --noinc -d /root/dict/Top32Million-probable.txt -e /root/dict/last4.txt

# Previously found passwords and phrases.
run_pass -d nb --noinc -r rules/l33test.rule

run_pass --noinc --mask maskfiles/hashcat.hcmask
run_pass -d /root/dict/Top2Billion_probable.txt -r rules/best64.rule --noinc
run_pass -d /root/dict/Top2Billion_probable.txt -r hashcat-4.0.1/rules/InsidePro-PasswordsPro.rule --noinc
run_pass -d /root/dict/crackstation.txt --noinc
run_pass --noinc -d /root/dict/Top258Million-probable.txt -e /root/dict/last3.txt

# PACK - password policy mask, disabled:
# run_pass --noinc --mask maskfiles/ntlm.hcmask

run_pass -d /root/dict/Top2Billion_probable.txt -r rules/nsav2dive.rule --noinc

gen-leet.pl, which takes an existing rules file and leetifies it:

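#!/bin/perl

# gen-leet.pl - leetifies existing rules.
#
# Reads a rule file on STDIN. Blank lines, lines starting with '#', and rules
# that already contain 's' followed by one of o/a/e/i/s (either case) are
# dropped. Every other rule is printed unchanged, followed by copies of it
# with leet substitution functions appended (a->@, e->3, i->1, l->1 or |,
# o->0, s->5 or $, singly and in pairs).
#
# Two fixes over the earlier version:
#   * The a->@ plus s->$ entry was written with an unescaped '@' inside a
#     double-quoted string, so Perl interpolated the (empty) array @ss and
#     emitted "sa$" (a->$) instead of "sa@ss$". The suffixes are now
#     single-quoted via qw, so '@' and '$' are literal.
#   * chomp() does not remove a carriage return, so CRLF input produced rules
#     with an embedded "\r". Line terminators are now stripped explicitly.

use strict;
use warnings;

# Suffixes appended to each input rule, in the order of the original template.
# The list contains repeats on purpose: they are kept so the output order is
# unchanged, and the usage pipeline de-duplicates the result afterwards.
my @LEET_SUFFIXES = qw(
    sa@     se3     sa@se3  si1     sa@si1  se3si1
    sl1     sa@sl1  se3sl1  si1sl1
    so0     sa@so0  se3so0  si1so0  sl1so0
    ss5     sa@ss5  se3ss5  si1ss5  sl1ss5  so0ss5
    sa@     se3     sa@se3  si1     sa@si1  se3si1
    sl|     sa@sl|  se3sl|  si1sl|
    so0     sa@so0  se3so0  si1so0  sl|so0
    ss5     sa@ss5  se3ss5  si1ss5  sl|ss5  so0ss5
    ss$     sa@ss$  se3ss$  si1ss$  sl|ss$  so0ss$
);

# Remove the line terminator (LF or CRLF) and nothing else: other trailing
# whitespace is left alone because it can be part of the rule.
sub strip_eol {
    my ($line) = @_;
    $line =~ s/[\r\n]+\z//;
    return $line;
}

# Return 1 when the rule should be expanded, 0 when it should be skipped.
sub wants_leet {
    my ($rule) = @_;
    return 0 if $rule !~ /\S/;    # blank line
    return 0 if $rule =~ /^#/;    # comment line
    # Don't do repeat substitutions.
    # NOTE(review): 'l' is not in this class although sl1 / sl| are appended
    # above - confirm whether rules that already substitute 'l' should be
    # skipped as well.
    return 0 if $rule =~ /s[oOaAeEiIsS]/;
    return 1;
}

# Return the output block for one rule: the rule itself, then the rule with
# each suffix appended, one per line.
sub expand_rule {
    my ($rule) = @_;
    return join '', map { $rule . $_ . "\n" } '', @LEET_SUFFIXES;
}

# Filter STDIN to STDOUT.
sub main {
    while (my $line = <STDIN>) {
        my $rule = strip_eol($line);
        print expand_rule($rule) if wants_leet($rule);
    }
    return;
}

# Run only when executed as a script, so the subs can be loaded on their own.
main() unless caller;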

# usage - the source rules may need converting with dos2unix first; awk '!x[$0]++' drops repeated lines, keeping the first occurrence

# perl rules/gen-leet.pl < rules/nsav2dive.rule | awk '!x[$0]++' > l33tnsa.rule

# perl rules/gen-leet.pl < d3adhob0.rule.txt | awk '!x[$0]++' > deadleethobo.rule

# perl rules/gen-leet.pl < rules/InsidePro-PasswordsPro.rule | awk '!x[$0]++' > l33tpasspro.rule

# cat rules/nsav2dive.rule d3adhob0.rule.txt |  perl rules/gen-leet.pl | awk '!x[$0]++' > l33test.rule

# perl rules/gen-leet.pl < rules/best64.rule | awk '!x[$0]++' > l33t64.rule


# etc. 
