Taking Password Cracking to the Next Level


Hello again friends. Its time to talk about cracking again. That’s right, password cracking. There’s already several excellent blog posts on the CryptoKait website that talk about password cracking, but today, I’d like to go above and beyond the usual introduction to hashcat and talk about some of the tools available to you that compliment hashcat quite nicely…you’ll need them for the National Cyber League (NCL) Games!

This blog is an advanced tour of password cracking tools in Kali Linux and on the internet as a whole. I will assume you have experience with hashcat and understand terminology like ‘wordlists’, ‘bruteforce’, and ‘rules’.


Wordlists

Let’s talk about some wordlists you can use to crack passwords. Generally, the best lists are based off of real password dumps from in the wild, such as the infamous rockyou.txt. Others, are cultivated from larger dumps of millions of passwords and boiled down to the most commonly reoccurring items. Here are some of the more important wordlists for generic password cracking.

Rockyou.txt

The one, the only: Rock You. This was a large platform for MySpace extensions, of all things, with millions of users. All of these users and their plaintext, unencrypted passwords were leaked in 2009, to the great joy of hackers and security professionals everywhere. The RockYou list contains over 14,341,564 unique passwords ranked in order of frequency.

This list is an excellent start to any search. It’s potency has decreased over the years, but its size and quality has still been unmatched.

CrackStation Dictionary

CrackStation is a wonderful website with massive databases of passwords and their corresponding hashes that you can type hashes into and get an instant response if the hash has already been cracked in the past.

Honestly, just start by putting your hashes directly into CrackStation. If you want their dictionary for the purposes of applying rules and generating even more passwords, you can download their dictionary straight off of their website.

There are two downloads available:

  1. The complete, huge dictionary used by CrackStation itself (15 GB, about 1.5 billion accounts)
  2. The second is only the passwords that have been seen in existing database dumps. It’s much smaller at around half a GB and about 64 million passwords, and might not crack as many hashes as the complete dictionary, but in theory, should be a much more efficient use of your cracking time.

Weakpass

A website dedicated to only supplying wordlists for the express purpose of password cracking via bruteforce. Everything is free, which is nice. These lists are gathered from a variety of sources and come in sizes varying from the conservative 8 MB top one million passwords to wordlists of size 85.44 GB containing over 7 billion passwords.

SkullSecurity Wiki

I have no idea what SkullSecurity is, but their wiki has a nice, somewhat-comprehensive list of password dumps and language dictionaries. This list might include some wordlists from other database dumps, such as rockyou.txt itself.

SecLists Github

This repository is a legendary resource in the security community with a seemingly endless amount of wordlists, among many other great resources. This repository is contributed to regularly, so you can expect to find all kinds of new data in this folder.


Rulelists

Sometimes, much more important than the wordlists you use, if you’re working with hashes that don’t necessarily take a long time to crack (MD5, etc), you can afford to just get your hands on as many rules as possible and go crazy.

Built-ins

Surprisingly, some of the best wordlists out there aren’t out there at all. Just take a look in the ones included with hashcat, including the version of hashcat that comes pre-installed with Kali:

The most powerful one here is the legendary dive.rule. Think of this as the “rockyou.txt” of rulelists. It isn’t guaranteed to do the job, but it is very effective and should definitely be where you start. It contains about 99,092 rules and the file itself is around 770 kB.

Most other public general rulelists try to compete and directly compare themselves against dive.rule.

HoboRules

The rule of interest here is d3adhob0.rule. It’s around 582 kB and 57548 rules, so its a little bit smaller but still fairly successful in situations where dive.rule is not. If you only want the top 64 rules, there’s a secondary, much shorter hob064.rule list.

NSARULES

See this GitHub link for the download and explanation. NSAKEY.v2 is the highest quality competitor to dive.rule in this repository. It’s much larger, with a size of 1.18 MB and 123,289 total rules.

KoreLogic

These rules provide more granular adjustments to your wordlists then the more general rulelists of dive and others. These are useful if you’re looking for a quick mutation in particular without having to generate them yourself.

OneRuleToRuleThemAll

Probably the best competitor overall to dive.rule, actually defeats dive on certain real database dumps. It was created from an optimized version of HoboRules, KoreLogic rules, and the NSA rules mentioned above. It’s much smaller, only 393 kB and 52,014 total rules, but it is much more efficient than the other rules on this list. I make sure to keep this one on my Kali VM at all times.


Generators

A generator is a program separate from hashcat itself that can be used to generate rulelists or wordlists based on certain criteria. These can be used in conjunction with hashcat to crack the trickiest of hashes. Some of my favorite are documented below.

CeWL

The Custom Word List generator crawls websites you provide for commonly-used keywords and collects them into a list for you. The motivating example behind this tool is this: if you were trying to crack passwords in a corporate network, one of the best places to look for words that might be contained in passwords is the front page of their business’ website. Point CeWL at that same website and it’ll spider as deep as you like and gather the terms that come up (in order of frequency).

This may sound like it has a niche application, but I actually use this all the time for CTF challenges where the passwords are known to be around a particular topic (the NCL Games have been known to do this). Let’s say I know the passwords all have to do with, say, chocolate. I can just send CeWL to the Wikipedia page for chocolate:

cewl -m 4 https://en.m.wikipedia.org/wiki/Chocolate -d 0

Notice, I’m using the mobile version of the Wikipedia page since it has less fluff. I actually used this technique to solve this kind of challenge in previous NCL Seasons, but that was before I discovered relatedwords.org, which effectively does the same thing…you can still use CeWL to take advantage of this resource though!

cewl -m 4 https://relatedwords.org/api/related?term=chocolate -d 0

Just replace term= with the topic you’re looking for and it’ll pull a much higher quality list of around 500 different words in your topic. Neat!

Crunch

With Crunch, you can specify a character set, and it will generate a huge number of permutations using the characters you specify. To be honest, hashcat already supports this functionality with its bruteforcing functionalities, but Crunch is useful for doing more specific formats for usage in other applications that can’t generate bruteforcing wordlists (such as aircrack-ng, etc).

Mentalist

The Mentalist is a graphical application that is technically not a wordlist generator, but rather in the class of programs called “word manglers” that can interactively help you create rules for programs like hashcat and John the Ripper. It is basically a way to create your own rulelists without having to learn the rule syntax for hashcat.

I’ll just leave the animation here so you can see its power:

https://i.imgur.com/rDaCmqi.gif

CUPP

Stands for Common User Passwords Profiler. This excellent tool won’t come in handy often during the NCL Games, but in real life engagements this is an invaluable asset that allows you to interactively answer questions about a person, also called profiling, and generate password candidates you’ll never find in a general wordlist like rockyou.txt. It scrambles birthdays, names, and other information to create many patterns of passwords that humans are known for creating.

I won’t go over how to use it, but know it exists. Your mom’s birthday is NOT a good number to add to your password, sorry.


If you have made it this far, thanks for coming along for the ride! These are all the tools and resources I use when cracking passwords in competitions like the NCL Games. Just remember, the key to success is patience, and a willingness to try anything.

I find that my most common roadblock in these challenges is not having enough words or rules to go off of. Hopefully now, that will never be a problem again!

Aaron

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.