mercperc clarinda sahrya


Olimpia Sawaia

Aug 2, 2024, 9:59:51 PM
to kyoureepamen

I came across a test question that said "Given a random password, which type of mode typically produces fastest results?" and the two likely answers were "brute force" and "incremental". The instructions were to circle all of the possibilities (so not your typical multiple choice). First off, I think the question is poorly worded: does it mean random password as in any password you know nothing about, or random password as in you know that a random password generator was used to produce it? This makes a difference, as a user-generated password probably has words in it that may be in a wordlist.

Is my reasoning correct, that a wordlist is only useful if there are words in the password, and wastes time if there aren't? Can an attacker know in advance whether or not there's a word in a password they're trying to crack?

It's not necessary for the password in question to contain words. It depends on the wordlist itself. A good wordlist can save you a lot of time. Some popular wordlists not only contain words that one would find in a dictionary, but also a few mangled words (I'll get to this in a bit). Programs like john and crunch can help you create a custom wordlist for your target. But yes, it is highly unlikely to find a randomly generated password in a wordlist, and at least some part of the password should contain words to improve your chances with a wordlist-based attack.

Now, this is an interesting topic. Word mangling (in the case of johntheripper) is, in simple terms, mutating all the words in a wordlist according to rules defined in /etc/john/john.conf (on a Linux machine). I'll explain this better by example. Users most commonly tend to mutate their passwords in various ways. This could include adding a few numbers at the end of the password, swapping out lowercase for capital letters, changing certain letters to numbers, etc. So let's assume that you know a particular person (or victim, in our case) likes to append two numbers at the end of his/her passwords (which in most cases is a word, to remember it better). You can add a rule in johntheripper's configuration file.

This will create a new wordlist (using the rules in the config file) which is a mangled version of the old wordlist, which will better your chances of a successful wordlist attack. Similarly, you can append stuff (characters, numerals, special characters), change characters to upper/lower case, change specific indices to a character of your choice, etc. just by adding the relevant rules to the config file. I'm not sure how to explain this better, but I hope you got the gist of it.

Yes, in this context "dictionary" and "wordlist" are interchangeable terms. This is because when the attack first came out, hackers were literally using words from the dictionary as a wordlist (people back then didn't use strong passwords). As people became aware of the "dictionary attack", they started mangling their passwords (e.g. horses1234, alabama12, etc.). So the hackers developed their methods and came out with a mangled version of the dictionary. And (over the years) after all that mangling, adding slang, etc., the resulting wordlist looked nothing like a dictionary, and hence hackers started referring to it as a wordlist.

The list contains every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.

You can test the list without downloading it by giving SHA256 hashes to the free hash cracker. Here's a tool for computing hashes easily. Here are the results of cracking LinkedIn's and eHarmony's password hash leaks with the list.

The list is responsible for cracking about 30% of all hashes given to CrackStation's free hash cracker, but that figure should be taken with a grain of salt because some people try hashes of really weak passwords just to test the service, and others try to crack their hashes with other online hash crackers before finding CrackStation. Using the list, we were able to crack 49.98% of one customer's set of 373,000 human password hashes to motivate their move to a better salting scheme.

I got some requests for a wordlist with just the "real human" passwords leaked from various website databases. This smaller list contains just those passwords. There are about 64 million passwords in this list!

You are allowed to share these lists! They are both licensed under the Creative Commons Attribution-ShareAlike 3.0 license. If you do share them, I would appreciate it if you included a link to this page.

JtR supports several common password hash formats out of the box for UNIX and Windows-based systems. (ed. Mac is UNIX based). JtR autodetects the hash type of the data it is given and compares it against a large plain-text file of popular passwords, hashing each candidate password with the same algorithm and stopping when a computed hash matches the target. Simple.

In our amazing Live Cyber Attack demo, the Varonis IR team demonstrates how to steal a hashed password, use JtR to find the true password, and use it to log into an administrative account. That is a very common use case for JtR!

JtR also includes its own wordlists of common passwords for 20+ languages. These wordlists provide JtR with thousands of possible passwords from which it can generate the corresponding hash values to make a high-value guess of the target password. Since most people choose easy-to-remember passwords, JtR is often very effective even with its out-of-the-box wordlists of passwords.

Below is the JtR command from our Live Cyber Attack Webinar. In this scenario, our hacker used kerberoast to steal a Kerberos ticket granting ticket (TGT) containing the hash to be cracked, which was saved in a file called ticket.txt. In our case, the wordlist used is the classic rockyou password file from Kali Linux, and the command was set to report progress every 3 seconds.

The one, the only: RockYou. This was a large platform for MySpace extensions, of all things, with millions of users. All of these users and their plaintext passwords were leaked in 2009, to the great joy of hackers and security professionals everywhere. The RockYou list contains 14,341,564 unique passwords, ranked in order of frequency.

CrackStation is a wonderful website with massive databases of passwords and their corresponding hashes that you can type hashes into and get an instant response if the hash has already been cracked in the past.

Honestly, just start by putting your hashes directly into CrackStation. If you want their dictionary for the purposes of applying rules and generating even more passwords, you can download their dictionary straight off of their website.

A website dedicated to only supplying wordlists for the express purpose of password cracking. Everything is free, which is nice. These lists are gathered from a variety of sources and come in sizes varying from the conservative 8 MB top-one-million-passwords list to wordlists of 85.44 GB containing over 7 billion passwords.

I have no idea what SkullSecurity is, but their wiki has a nice, somewhat-comprehensive list of password dumps and language dictionaries. This list might include some wordlists from other database dumps, such as rockyou.txt itself.

This repository is a legendary resource in the security community with a seemingly endless amount of wordlists, among many other great resources. This repository is contributed to regularly, so you can expect to find all kinds of new data in this folder.

A generator is a program separate from hashcat itself that can be used to generate rule lists or wordlists based on certain criteria. These can be used in conjunction with hashcat to crack the trickiest of hashes. Some of my favorites are documented below.

If you have made it this far, thanks for coming along for the ride! These are all the tools and resources I use when cracking passwords in competitions like the NCL Games. Just remember, the key to success is patience, and a willingness to try anything.

Just thought I would share the link for those who are looking for a decent list to pen test their networks.

The list contains 982,963,904 words exactly, no dupes, and all optimized for WPA/WPA2. Would also just like to point out that this is not my work; instead it was a guy who compiled a whole load of useful lists, including his own, to come up with 2 lists (one is 11 GB and one is 2 GB). I will be seeding this torrent indefinitely since it is shareware! 20 MB up!


How does this list help crack a random 64-char hex pswd? How many pswds are possible if a router accepts a 64-hex (0-9, A-F) pswd? Is the list in English, or does it also include all the Chinese, Pashto, and Swahili possibilities?

If I had it on my home machine and I sent the pcap to the hashcat site, I could have made a file compatible for cracking using oclhashcat on my GPU. That 9+ GB sequential list probably would have cracked in an hour or so. Got to love GPU computing. BT5 has the ability to use CUDA and OpenCL drivers too, but they don't work on my POS laptop. But just a heads up, you can crack with the 13 GB list if you split it into chunks and run them in parallel too, if you've got more than one GPU.

I appreciate this list, but I haven't had any luck with it. Does anyone know by chance if this includes the passwords that are included in the famous Renderman rainbow tables? I will be trying those next.

For those new to WPA cracking, I have a few short tips I learned along the way. Tip #0 is don't even bother unless you are using a graphics card to crack. For a long time, pyrit was the go-to app for this. pyrit is not very user-friendly. I wouldn't bother with it. It's given me nothing but headaches and fails to run properly on many machines I try to compile it on. The stripLive command works OK, but I'd veer clear of pyrit and focus on the tried and true classic aircrack-ng suite. First, always make sure you are sitting on one channel when collecting a handshake. Don't be hoppin', it won't work very well. So you have airodump-ng or kismet running on a single channel for a couple of days or so. You can try to force some deauths using mdk3 or aireplay-ng -0 or airdrop-ng, but why be a dick, just wait and let the handshakes come to you. If you are in a hurry, you can always use the mdk3 amok mode and nuke everyone around you for maximum collection power. I haven't thought of it till just now (prolly because it'd be illegal somehow), but you might be able to wardrive around firing mdk3 on one card and sniffing using airodump on another and just vacuum in handshakes. That's pretty evil, don't do it.
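The word-mangling rules described in the johntheripper answer above and the hash-each-candidate-and-compare loop described in the JtR section, as an added example that is not part of the original post and is not John the Ripper's own code. It re-implements a small subset of JtR's wordlist-rule syntax (`:` `l` `u` `c` `r` `$X` `^X` `sXY`, plus the `[...]` preprocessor expansion; the real rule language is much larger), runs it over a constructed three-word list, and then hashes every candidate with unsalted SHA-256 and looks it up in a constructed set of target hashes. The word list, rules, "victim" passwords (including one random-looking one that the wordlist cannot reach) and the choice of SHA-256 are all assumptions made for the demonstration.

```python
"""Added example: a tiny JtR-style rule engine plus a wordlist attack.
Not JtR's code; the rule subset, sample words, rules and target hashes
are constructed for illustration."""
import hashlib
import itertools

# Constructed inputs (assumptions, not data from the page).
WORDS = ["horses", "alabama", "password"]
RULES = [
    ":",              # the word as-is
    "c",              # Capitalize
    "$[0-9]$[0-9]",   # append two digits (the "victim appends two numbers" case)
    "c$[0-9]$[0-9]",  # Capitalize, then append two digits
    "sa@se3",         # leet substitutions: a->@, e->3
]
# Constructed "victim" passwords; the last is random-looking and stays uncracked.
SECRET_PASSWORDS = ["alabama12", "Horses99", "p@ssword", "x7Qp2vL9"]


def expand_ranges(rule: str) -> list[str]:
    """JtR-style preprocessor: '[0-9]' becomes one concrete rule per member,
    so '$[0-9]$[0-9]' expands to 100 rules '$0$0' .. '$9$9'."""
    parts: list[list[str]] = []
    i = 0
    while i < len(rule):
        if rule[i] == "[":
            j = rule.index("]", i)
            body, chars, k = rule[i + 1:j], [], 0
            while k < len(body):
                if k + 2 < len(body) and body[k + 1] == "-":   # a-b range
                    chars.extend(chr(c) for c in range(ord(body[k]), ord(body[k + 2]) + 1))
                    k += 3
                else:
                    chars.append(body[k])
                    k += 1
            parts.append(chars)
            i = j + 1
        else:
            parts.append([rule[i]])
            i += 1
    return ["".join(p) for p in itertools.product(*parts)]


def apply_rule(rule: str, word: str) -> str:
    """Apply one concrete (already expanded) rule string to a word."""
    out, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":
            pass
        elif cmd == "l":
            out = out.lower()
        elif cmd == "u":
            out = out.upper()
        elif cmd == "c":
            out = out[:1].upper() + out[1:].lower()
        elif cmd == "r":
            out = out[::-1]
        elif cmd == "$":                      # append next char
            out, i = out + rule[i + 1], i + 1
        elif cmd == "^":                      # prepend next char
            out, i = rule[i + 1] + out, i + 1
        elif cmd == "s":                      # replace all X with Y
            out, i = out.replace(rule[i + 1], rule[i + 2]), i + 2
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
        i += 1
    return out


def mangle(words: list[str], rules: list[str]) -> list[str]:
    """Produce the mangled wordlist: every rule applied to every word, de-duplicated."""
    seen, result = set(), []
    for rule in rules:
        for concrete in expand_ranges(rule):
            for w in words:
                cand = apply_rule(concrete, w)
                if cand not in seen:
                    seen.add(cand)
                    result.append(cand)
    return result


def crack(target_hashes: list[str], candidates: list[str], algo: str = "sha256") -> dict[str, str]:
    """Hash each candidate and compare against the targets; returns {hash: plaintext}.
    Stops early once every target hash has been matched."""
    targets, found = {h.lower() for h in target_hashes}, {}
    for cand in candidates:
        h = hashlib.new(algo, cand.encode()).hexdigest()
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


def run_demo() -> dict[str, str]:
    """Mangle WORDS with RULES, then crack the constructed SHA-256 targets."""
    targets = [hashlib.sha256(p.encode()).hexdigest() for p in SECRET_PASSWORDS]
    return crack(targets, mangle(WORDS, RULES))


if __name__ == "__main__":
    for h, pw in run_demo().items():
        print(f"{h}  {pw}")
```

In real JtR these same rule strings go under a `[List.Rules:NAME]` section in john.conf and are selected with `--rules=NAME`; `--wordlist=FILE --rules=NAME --stdout` prints the mangled candidates without cracking anything, which is the quickest way to check that a rule produces what you intended. The random-looking password in the constructed target set is never reached by any rule, which is the point of the original question: wordlist rules only help when the password was built from something in the list.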
