Thursday, December 26, 2019

Visualising password strength

We can plot a graph of how quickly passwords were cracked if we pass the --status flag to hashcat. Here I'm using hashcrack (my preprocessor tool); the actual hashcat command it runs is on the line starting with RUN:

C:\Users\jamie\Desktop\hashcrack>python hashcrack.py -i defcon2010-ntlm.txt --status graphme -t ntlm
Running under win32
Reading file: C:\Users\jamie\Desktop\hashcrack\defcon2010-ntlm.txt
Cracking hash type 1000
Selected rules: l33tpasspro.rule, dict Top32Million-probable.txt, inc 7
Using dict and rules
cwd C:\Users\jamie\Desktop\hashcrack\hashcat-5.1.0
RUN: hashcat64.exe -a0 -m 1000 C:\Users\jamie\Desktop\hashcrack\defcon2010-ntlm.txt C:\Users\jamie\Desktop\hashcrack\dict\\\Top32Million-probable.txt -r C:\Users\jamie\Desktop\hashcrack\rules\\\l33tpasspro.rule  --loopback  -O --bitmap-max=26  -w3  --session hc   --status >> graphme
nvmlDeviceGetFanSpeed(): Not Supported

This generates a file containing the cracked passwords, with a status block written every 10 seconds by default.

$ tail -f hashcat-5.1.0/graphme
dec8a34aa4bc2d353f2efe1444d2f221:*august44
2c11334bed44c825d8cada5750ae73f3:redsox2009*
e8f86fa257ee161f614392d857003ec2:_february02
19eb76b54408a43db967232755d765e8:Michelle2010_
1a3c6d930cb45ee973a5c8a771f40080:_july56
07084a7e69b300d8b721926d63ae4fe7:-may2010
412f4a3abd9849e0507a8a77fdbaf055:.Eland0
32c21079c515f43263008700e18ea3b2:+May2010
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hc
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: C:\Users\jamie\Desktop\hashcrack\defcon2010-ntlm.txt
Time.Started.....: Tue Dec 24 10:48:55 2019 (4 mins, 1 sec)
Time.Estimated...: Tue Dec 24 13:05:44 2019 (2 hours, 12 mins)
Guess.Base.......: File (C:\Users\jamie\Desktop\hashcrack\dict\\\Top32Million-probable.txt)
Guess.Mod........: Rules (C:\Users\jamie\Desktop\hashcrack\rules\\\l33tpasspro.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#3.........:   390.4 MH/s (93.46ms) @ Accel:256 Loops:64 Thr:1024 Vec:1
Recovered........: 4301/28250 (15.22%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:237,N/A,N/A AVG:1069,64148,1539561 (Min,Hour,Day)
Progress.........: 93888119434/3205101539547 (2.93%)
Rejected.........: 197258/93888119434 (0.00%)
Restore.Point....: 524289/32496543 (1.61%)
Restore.Sub.#3...: Salt:0 Amplifier:80448-80512 Iteration:0-64
Candidates.#3....: +26031966 -> Diciebat$
Hardware.Mon.#3..: Temp: 52c Util: 98% Core:1518MHz Mem:2504MHz Bus:4

8c68736928e42e66037e5bbbb903b9b6:Vision2009$
2aad6138821080362213b077c0700c5a:Surfer2010$
2970efdb3055263f08fdcc7a29fb3f46:+Zachary|
b3dfeedddf1f3b00f5a54a7844a05a60:$Newyork2009
1277707fad19015728748852a4a1614b:$July07

A script I wrote can then be used to graph how quickly the passwords are recovered:

C:\Users\jamie\Desktop\hashcrack>python graph-by-quality.py hashcat-5.1.0\graphme

Because we've used the frequency-ranked TopNMillion-probable list, the graph shows a fair number of passwords cracked very quickly. As a system administrator, it's these you need to worry about - get rid of the weak passwords and you improve the overall "fitness" of the population quite significantly.
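As an added example (this is not the author's graph-by-quality.py, whose source isn't shown in this post), here is one way to turn the status blocks in a file like graphme into a recovered-over-time series and measure how fast the weakest passwords fell. The function names and the sample log are constructed for illustration, and the day and year units are assumed beyond the secs, mins and hours visible in the output above.

```python
import re

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400, "year": 31536000}
STARTED = re.compile(r"^Time\.Started\.+: .*\((.*)\)$")
RECOVERED = re.compile(r"^Recovered\.+: (\d+)/(\d+) \(")  # not "Recovered/Time"

# Constructed sample: only the 4301/28250 block copies values from the post.
SAMPLE = """\
00000000000000000000000000000001:constructed-plain
Time.Started.....: Tue Dec 24 10:48:55 2019 (10 secs)
Recovered........: 1520/28250 (5.38%) Digests, 0/1 (0.00%) Salts
Time.Started.....: Tue Dec 24 10:48:55 2019 (20 secs)
Recovered........: 2210/28250 (7.82%) Digests, 0/1 (0.00%) Salts
Time.Started.....: Tue Dec 24 10:48:55 2019 (30 secs)
Recovered........: 2600/28250 (9.20%) Digests, 0/1 (0.00%) Salts
Time.Started.....: Tue Dec 24 10:48:55 2019 (4 mins, 1 sec)
Recovered........: 4301/28250 (15.22%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:237,N/A,N/A AVG:1069,64148,1539561 (Min,Hour,Day)
"""

def elapsed_seconds(text):
    """Convert hashcat's '4 mins, 1 sec' style duration to seconds."""
    parts = re.findall(r"(\d+) (year|day|hour|min|sec)s?", text)
    return sum(int(n) * UNIT_SECONDS[unit] for n, unit in parts)

def recovery_series(lines):
    """Return [(elapsed_s, recovered, total)] with one entry per status block."""
    series, elapsed = [], None
    for line in lines:
        line = line.strip()  # drops the \r left by Windows redirection
        if m := STARTED.match(line):
            elapsed = elapsed_seconds(m.group(1))
        elif (m := RECOVERED.match(line)) and elapsed is not None:
            series.append((elapsed, int(m.group(1)), int(m.group(2))))
            elapsed = None
    return series

def time_to_fraction(series, fraction):
    """Seconds until `fraction` of the finally recovered digests had fallen."""
    target = fraction * series[-1][1]
    return next(secs for secs, got, _ in series if got >= target)

if __name__ == "__main__":
    series = recovery_series(SAMPLE.splitlines())
    for secs, got, total in series:
        print(f"{secs:>6}s {got:>6}/{total} {'#' * (200 * got // total)}")
    print("half of the recovered digests fell within",
          time_to_fraction(series, 0.5), "seconds")
```

The durations in the status output above carry only two units (for example "2 hours, 12 mins"), so expect the elapsed-time resolution to coarsen on long runs.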



You can also compare cracking approaches like this - provided you make sure each one starts with an empty pot file. Below is the longer run with the --nuke option to hashcrack, which runs a number of extra bits and bobs, like suffixes.

