Fast Password Cracking with a Huge Dictionary File and oclHashcat-Plus

We rely on passwords to secure our home systems and business servers and to protect our online information. But as cracking programs improve and video cards get faster (video card GPUs are used for cracking), passwords are becoming much easier to crack.

How big of a problem is this?

I was able to take a publicly released password hash dump file and crack 86% of it…

In 30 minutes…

In this article we will take a look at how fast passwords could be recovered from password hashes when a gigantic dictionary file is used combined with a super fast Video Card GPU based cracking program.

In the test we will be using oclHashcat-Plus, CrackStation’s massive 15 Gigabyte password file and an unnamed password hash file that was publicly dumped. The computer used was a Windows 7 system with a Core i5 750 running at 2.67 GHz and a single AMD Radeon 7870 video card.

CrackStation’s dictionary file is very impressive, according to their website it contains:

“… every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.”

I used a fairly recently released password hash file that contained over 7,000 user hashes. I chose this one due to the size. Yes, much larger ones are out there, but I thought the size corresponded more realistically to an average company that a pentester or incident response team would be dealing with. Besides, how many American businesses have a million or more employees?

Okay, first up, as a baseline let’s run the hash dump against the ever popular dictionary file RockYou:

Straight Crack with Rock You Wordlist

At a speed of 9567.3k/s it took a whopping 12 seconds and was able to recover 46% of the hashes. Pretty impressive.

Okay, let’s start over and try the CrackStation word list:

Straight Crack Command

And the results:

Straight Crack Stats

At a speed of 20430.3k/s it was able to recover about 66% of the hashes in 13 minutes.

That is amazing, but what if we try running oclHashcat-Plus using rules? Rules are somewhat like a programming language for password crackers. They let you do different things with each word in the dictionary file, like invert it, double it, insert special characters or numbers, or even transform the word into “1337 speak”.

This gives a very powerful capability for cracking the passwords of people who rely on these common habits to disguise a dictionary word.

First up, we will use one of the standard rules, Best64:

Straight crack with Best64 rule

And the results:

Straight crack with Best64 rule stats

Wow, it recovered 78% of the hashes in only 5 minutes!

Alright let’s try one of the larger rule files which includes a lot more word combinations. How about passwordspro?

Straight crack with passwordspro rule command

and the results:

Straight crack with passwordspro rule

About 86% of the passwords recovered in just over 30 minutes!

There are several other rule files I could use, and I could use more involved techniques like hybrid masks and multiple dictionary files, but using only this single dictionary file and a standard rules file I was able to recover the majority of the passwords in only 30 minutes.

The purpose of this exercise was not to show how to crack passwords, but to show how insecure passwords can be. Simply adding a “salt” to the password hashes (a random value mixed into each password before it is hashed) would make each hash unique and significantly harder to crack.
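As an added illustration (this is not the article’s code and not part of oclHashcat-Plus), the following Python models the two ideas above: a few hashcat-style rules applied to a tiny wordlist, run first against unsalted hashes and then against salted ones. The users, wordlist and hashes are constructed; MD5 is assumed as the fast hash because the article does not name the dump’s hash type, and the rule interpreter covers only the four ops it uses.

```python
import hashlib, os

# Constructed sample (not from the page); alice and dave chose the same password.
WORDLIST = ["password", "summer", "welcome", "dragon"]
USERS = {"alice": "password1", "bob": "remmus", "carol": "p@ssword", "dave": "password1"}
RULES = [":", "r", "$1", "sa@"]  # hashcat syntax: as-is, reverse, append '1', a -> @

def apply_rule(word, rule):
    # Minimal interpreter for just the hashcat rule ops that appear in RULES.
    ops = iter(rule)
    for op in ops:
        if op == "r":
            word = word[::-1]
        elif op == "$":
            word += next(ops)
        elif op == "s":
            word = word.replace(next(ops), next(ops))
        elif op != ":":
            raise ValueError("unsupported rule op: " + op)
    return word
CANDIDATES = [apply_rule(w, r) for w in WORDLIST for r in RULES]  # 16 guesses

def unsalted_store(users):
    # MD5 stands in for whatever fast unsalted hash the dump used (assumption).
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

def salted_store(users):
    # Random per-user salt; a real deployment also needs a slow KDF on top.
    return {u: (s, hashlib.md5(s + p.encode()).hexdigest())
            for u, p in users.items() for s in [os.urandom(8)]}

def attack_unsalted(store):
    # Each guess is hashed once and compared against every user's hash.
    cracked, work = {}, 0
    for cand in CANDIDATES:
        digest, work = hashlib.md5(cand.encode()).hexdigest(), work + 1
        for u, h in store.items():
            if h == digest:
                cracked[u] = cand  # alice and dave fall to the same digest
    return cracked, work

def attack_salted(store):
    # Each guess must be re-hashed under every user's own salt.
    cracked, work = {}, 0
    for u, (salt, h) in store.items():
        for cand in CANDIDATES:
            work += 1
            if hashlib.md5(salt + cand.encode()).hexdigest() == h:
                cracked[u] = cand
    return cracked, work
```

With four users the salted run costs four times as many hash computations for the same result, and the shared password no longer shows up as two identical hashes.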

Implementing a policy requiring your users to use long complex passwords would also help, or better yet implement multi-factor authentication for your systems.

Also, it is best to use a different password for every account you have, especially important online accounts that include personal information. That way, if a password is compromised, the hacker will not have access to every one of your accounts.

Spamhaus hit with largest DDoS Ever Recorded – More than 300 Gbps

Akamai Spamhaus DDOS Stats
Current Global Attacks according to Akamai.com

Internet spam-fighting organization Spamhaus, with the help of CloudFlare, has recovered from the largest Distributed Denial of Service attack ever reported. The attacks that started at 10 Gbps on the 18th rapidly increased over the last week until they hit an unprecedented volume of 300 Gbps!

Spamhaus tracks internet spammers and works with law enforcement to help shut them down. Apparently some bad guys didn’t like this and attacked their website with a 10 Gbps DDoS stream of traffic, knocking them offline. Spamhaus turned to the popular website security company Cloudflare for help.

Cloudflare was able to deflect the attacks, which according to Cloudflare’s blog ramped up to 120 Gbps on the 21st. Then the attackers stopped and tried something Cloudflare had not seen before. The attackers turned their DDoS against the upstream providers for Cloudflare with attacks ranging up to 300 Gbps, forcing Cloudflare to temporarily drop peering for London:

Cloudflare Spamhaus Twitter Post

The attacks affected worldwide website traffic, according to an article today on Foxnews. “If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why,” said Matthew Prince, CEO of CloudFlare.

Spamhaus is up and running today. But a quick look at Akamai.com shows that global attacks are still elevated (See image at top of post).

Worldwide Map of Internet Connected SCADA Systems

Every once in a while you run across some information that should not be accessible from the internet, and SCADA systems are no exception. Researchers from Free University Berlin are working on a stunning project: mapping internet-accessible SCADA systems worldwide using Shodan and a custom search program.

And… Their map includes sites that contain known vulnerabilities!

According to the project website SCADACS.org, their Industrial Risk Assessment Map (IRAM) “visualizes the approximate geospatial locations of ICS/SCADA and BMS network interfaces found on the Internet. Currently, we use Google Earth and Google Maps for this purpose.”

The custom map allows a user to “browse for ICS/SCADA systems by location and by keyword, and to drill down on information the map backend gathers on these systems from open sources. One such source is the Shodan computer search engine. Another source of information is the alpha version of our own crawler which covers services the Shodan engine does not cover.”

And as you can see from their video above, this map information backend includes a list of known vulnerabilities. Yes the video shows two locations that contain vulnerabilities, one in Austria and another in the US. But before you get too excited, these locations have been tagged as no longer publicly accessible.

So, how big a problem are internet-connected SCADA systems? How many are there in Europe?

Oh, a few:

SCADA Systems Europe

Okay, how about America?

SCADA Systems USA

With all the hype about a “Cyber Pearl Harbor” (when Chinese hackers take over our country, kill our power and take away FaceBook), that doesn’t really look so bad.

But there is a catch.

According to an exceptional article titled “The Great Cyberscare: Why the Pentagon is razzmatazzing you about those big bad Chinese hackers” by Dr. Thomas Rid (Reader in War Studies at King’s College London), the map only displays German manufactured systems:

“The United States looks as if it has the measles. But note that the map is incomplete: It is biased towards German products, the project’s founder told me. If that flaw can be fixed, the United States and other countries would look as bloody red as Germany does already.”

So there is definitely a lot of work to do in securing America’s public systems. Some good news is that the Pentagon plans to create 100 defensive cyber teams by 2015. Of the 100, thirteen teams will focus on defending our national infrastructure:

National mission forces will employ 13 teams focused on securing U.S. private networks powering critical infrastructure such as transportation systems and other vital industries.

Hopefully this will be done sooner, rather than later.

A sanitized public Google Maps and Google Earth version of the IRAM map can be found on the SCADACS website.

Wireless Penetration testing with Kali Linux on a Raspberry Pi

In our last article we saw how to install Kali Linux on a Raspberry Pi and connect to it remotely from a Windows system. This time we will look at how to run some basic pentesting tools including Wi-Fi monitoring.

Once your Kali is up and running you can enter “startx” or run commands from the terminal prompt. If you are using Kali remotely, you will mostly be running commands from the command prompt.

For example, here we ran a simple nmap scan:

Running Nmap

Most of the commands that run in regular Kali Linux have no problems running on the Raspberry Pi. But I did run into some snags.

For example, I tried running Metasploit on mine, but gave up after it seemed to take forever to come up. I also tried running the Social Engineering Toolkit (se-toolkit from the command prompt). Even parts of this gave random errors, though it did look very cool:

Social Engineering Toolkit 1

Wireless penetration testing with Kali on the Pi worked very well, and was a lot of fun.

Just plug your USB Wi-Fi adapter into the Pi.

I used a TP-Link TL-WN722N.

At the command prompt type “ifconfig” and check to see if your Wi-Fi adapter is listed. It should show up as wlan0. If you don’t see it, type “ifconfig wlan0 up”. Then run “ifconfig” again and it should show up:

Wireless wlan0

Next let’s see what networks our wireless card can see.

Type “iwlist wlan0 scanning”:

Wireless Iwlist

Very cool, it is working. Now let’s run some of the basic Aircrack-NG tools.

First we need to put our wireless adapter into monitoring mode.

Type “airmon-ng start wlan0”:

Wireless airmon

This creates a new wireless adapter called mon0. Now we can use this interface to capture wireless management and control frames.

Normally you would just run Wireshark and tell it to capture packets from the mon0 interface. Well, I was remotely logged into Kali and couldn’t run Wireshark through Putty as it is a graphical program.

So I just used tcpdump instead.

Simply type “tcpdump -i mon0”:

TCPDump

This will display all the management and control communication for all wireless networks within the reach of your Wi-Fi adapter.
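As an added example (not from the article, and not part of Kali or Aircrack-ng), here is a small Python summariser for what tcpdump prints: it tallies which access points are beaconing (SSID, BSSID, channel), which SSIDs nearby clients are probing for, and who is sending deauthentication frames. The sample lines are constructed to approximate tcpdump’s 802.11 output layout; they are not a real capture, and the exact format can vary by tcpdump version.

```python
import re
from collections import Counter

# Constructed sample of what `tcpdump -i mon0` prints for 802.11 management frames.
# The layout approximates tcpdump's 802.11 decoder; it is not a real capture.
SAMPLE = """\
10:01:02.100001 1.0 Mb/s 2412 MHz 11b -45dBm signal BSSID:02:11:22:33:44:01 DA:Broadcast SA:02:11:22:33:44:01 Beacon (HomeNet) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 1, PRIVACY
10:01:02.200002 1.0 Mb/s 2412 MHz 11b -45dBm signal BSSID:02:11:22:33:44:01 DA:Broadcast SA:02:11:22:33:44:01 Beacon (HomeNet) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 1, PRIVACY
10:01:02.300003 1.0 Mb/s 2437 MHz 11g -70dBm signal BSSID:02:11:22:33:44:02 DA:Broadcast SA:02:11:22:33:44:02 Beacon (CoffeeShop) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6
10:01:02.400004 1.0 Mb/s 2412 MHz 11b -60dBm signal BSSID:Broadcast DA:Broadcast SA:02:aa:bb:cc:dd:ee Probe Request (HomeNet) [1.0 2.0 5.5 11.0 Mbit]
10:01:02.500005 1.0 Mb/s 2412 MHz 11b -45dBm signal BSSID:02:11:22:33:44:01 DA:02:aa:bb:cc:dd:ee SA:02:11:22:33:44:01 DeAuthentication (02:11:22:33:44:01): Class 3 frame received from nonassociated STA
"""

FRAME_RE = re.compile(
    r"BSSID:(?P<bssid>\S+) DA:(?P<da>\S+) SA:(?P<sa>\S+) "
    r"(?P<type>Beacon|Probe Request|Probe Response|DeAuthentication|Disassociation)"
    r"(?: \((?P<arg>[^)]*)\))?"  # SSID for beacons/probes, sender for deauth
)
CHANNEL_RE = re.compile(r"CH: (\d+)")

def parse_frames(text):
    # Keep only management frames the regex understands; other lines are skipped.
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            f = m.groupdict()
            ch = CHANNEL_RE.search(line)
            f["channel"] = int(ch.group(1)) if ch else None
            frames.append(f)
    return frames

def summarize(frames):
    # What a defender wants from a monitor-mode capture: which APs are beaconing
    # (SSID, BSSID, channel), which SSIDs clients are probing for, and who is
    # sending deauth/disassoc frames (a burst from one address is worth a look).
    beacons, probes, deauths = Counter(), Counter(), Counter()
    for f in frames:
        if f["type"] == "Beacon":
            beacons[(f["arg"], f["bssid"], f["channel"])] += 1
        elif f["type"] == "Probe Request":
            probes[f["arg"]] += 1
        elif f["type"] in ("DeAuthentication", "Disassociation"):
            deauths[f["sa"]] += 1
    return beacons, probes, deauths
```

To use it on the Pi, pipe the live output in (for example `tcpdump -i mon0 -l | python3 summarize.py`, reading stdin instead of SAMPLE).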

So with just a few short commands, we were able to perform basic Wi-Fi monitoring with Kali Linux on a Raspberry Pi.

How cool is that?

This is just a basic look at using the aircrack-NG tools on Kali.

For more information check out “Hacking Wi-Fi Networks with Fern, Kali and a Raspberry Pi”.

Want to learn a lot more about Wireless Penetration testing? Check out the Backtrack 5 Wireless Penetration Testing book by Vivek Ramachandran.

*** Note – as always do not access networks that you do not own or have permission to do so. ***