Creating Hashcat Keymap Walking Password Wordlists

Hashcat’s latest keymap walking tool, “KwProcessor”, quickly and easily generates password lists based on keymap walking techniques. In this article, the first of several password cracking themed articles, we will take a quick look at how to use this tool.

Introduction

Keymap walking passwords are popular amongst many organizations as they are pretty easy to use and remember. Basically, you start with a specific key on the keyboard and then pick a direction (or multiple directions) and start hitting keys. Your password is entered as you “walk” across the keyboard.

You can create a complex password in this manner by using the shift key and including numbers in the pattern, as seen below:

 hashcat_wordlist

Starting with the letter “z”, we move North West, hitting the “a”,”q”, and “1” keys. We then move East a row, hitting the number “2”, and then move South East back down the keyboard hitting the “w” key and stopping on “s”.

This would create the password, “zaq12ws”. If we alternately used the shift key, we would get the password, “ZaQ1@wS” which is a little more complex.

What makes keymap walking so successful (until now) is that an attacker would need to know the starting key, direction, direction changes, if any special key is used and when, and of course the ending key.  Hashcat’s new KwProcessor tool makes creating keymap walking wordlists very easy to do.

Installing KwProcessor (kwp)

We will be using Kali Linux as the operating system. At the time of this writing kwp is not installed by default. So, we will need to download and install it.

From a Kali Terminal prompt:

As seen below:

hashcat_keymap_walking2

You can type, “./kwp -V” to check that it installed correctly and display the software version.

Keymaps and Routes

To crack keymap walking passwords you will need two things, a layout of the keyboard keys and a list of routes to take to create the wordlists. In the kwp program directory you will find the “keymaps” and “routes” folders:

hashcat_keymap_walking3

The Keymaps folder contains the keyboard layout for multiple languages:

hashcat_keymap_walking4

The routes folder has 7 preconfigured keymap walks or routes that can be used to generate passwords:

hashcat_keymap_walking5

We can use these preconfigured routes or create our own using command line switches.

Type, “./kwp –help” to see the available options:

hashcat_keymap_walking6

Creating a KWP Wordlist

To create a simple kwp wordlist, we will use the English keymap and the 2-10 max 3 directional change route file. This can be accomplished by running the command below:

./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route

This causes kwp to create multiple keymap walk combinations, of 2-11 characters with a maximum of 3 direction changes:

hashcat_keymap_walking7

The output of the command is sent directly to the screen, so to create the actual wordlist file, you would need to output the command to a text file.

./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route > basickwp.txt

You can then use the resultant text file as a wordlist in Hashcat.

To create a more complex wordlist, use one of the larger route files:

./kwp basechars/full.base keymaps/en.keymap routes/2-to-16-max-3-direction-changes.route > largekwp.txt

hashcat_keymap_walking8

Foreign Language Keywalks

If you need to crack foreign language keywalks, just use one of the foreign language keymap files.  So, to create a Russian keywalk wordlist:

./kwp basechars/full.base keymaps/ru.keymap routes/2-to-16-max-3-direction-changes.route > rukwp.txt

And the resultant file:

hashcat_keymap_walking9

If we have a password hashlist that contains any of the words that were generated, it will crack them. This is shown in the Hashcat result example below:

hashcat_keymap_walking10

Conclusion

In this article we covered how to use the new Hashcat kwp tool to quickly create keymap walking wordlists. We also saw how easy it is to change the keymap language, which can come in handy if you are cracking international passwords. For more information on KWP, check out the Hashcat Github page.

If you are interested in learning more about cracking password with Hashcat, more is on the way in upcoming articles. Also, check out my Basic Security Testing with Kali Linux book that covers a lot of basic password cracking topics, plus a whole lot more!

 

 

Advertisements

The LaZagne Project dumps 22 Different Program Passwords

LaZagne Passwords

The LaZagne Project by Alessandro ZANNI is a nifty little utility that displays passwords for 22 Windows and 12 Linux programs. This is a nice tool for penetration testers when you want to quickly dump passwords after you gain access to a system.

For Windows, simply download the standalone version and run it. Running “laZagne.exe all” will dump all the passwords that it can find:

LaZagne 2

You need to have administrator access to pull user login passwords. For “verbose” mode, which adds additional information when it runs, simply add a “-v” switch. If you just want to pull individual passwords, simply run the program using one of the modules below:

LaZagne Password modules

According to the The LaZagne Project webpage it can display the following passwords:

LaZagne Password modules 2

LaZagne works fast and easy!

 

Password Analysis of Journal News LoHud Subscriber Database Dump

As usual, I like to take sanitized lists (user account information stripped) of public password dumps and analyze them for password strength and patterns. Recently the subscriber database for Journal News, Lower Hudson Valley was allegedly hacked and was published publicly online.

The dump had user account passwords stored in MD5 hashes. So they needed to be cracked before they could be analyzed.

There were about 10,000 user accounts leaked in the dump. Many had duplicate password hashes, so the duplicates were removed. I took the password hashes that had not been cracked (some were already cracked in the dump) and ran them through an MD5 hash cracker. In a couple hours I was able to retrieve just over 85% of the passwords.

In effect there were 8,361 unique hashes. I was able to retrieve 7,148 in a fairly short amount of time. I then took the cracked passwords and ran them through Pipal, the password analysis program.

Here are the results from Pipal

Top 10 words and base words used:

Base Words

Very interesting as there are 10 passwords that are almost ALWAYS in the top ten and none of them were in this list. Okay, “password” was used as a base word, but other than that these are all new.

Let’s take a look at the password lengths:

Password Graph

Password Length 2 Password Length

A whopping 80% of the passwords were 8 characters or less, and over 50% of the passwords only used lowercase letters!

Character Set

A common practice is that users will use a word and stick a number or numbers on the end to “make it more secure”. About 25% of the passwords in this list used 3 or fewer numbers at the end of the password.

Last Digit Count

Last digit on end

Single Digit on end

And only a few passwords used the year in their password.

Top Ten Years

Overall the users in this case seemed to use very simple passwords – mostly lower case passwords with some numbers mixed in. Using long complex passwords would have made these passwords much harder to crack.

Increasing the password length and using a mix of upper and lower case letters, numbers and special characters dramatically increases the cracking times.

154 Billion Hashes per Second with Multiforcer Password Cracker

So what does it take to reach cracking speeds topping 154 Billion hashes per second with multiple hashes?

How about the Cryptohaze Multiforcer network enabled password cracker program, 6 computers and 20 video cards?

“It was done entirely with AMD hardware, and involved 9×6990, 4×6970, 4×5870, 2×5970, and 1×7990 – for a total of 31 GPU cores in 6 physical systems. We had another 11 cards with 15 GPU cores left over – we didn’t have systems to put them in (mostly nVidia).”

The crazy fast speed was attained cracking 10 hashes! They were also able to obtain speeds of 139 B/s on 1000 NTLM hashes, 101 B/s on 1000 MD5,  and 30 B/s on 1000 SHA1 hashes.

The computers where setup in 4 separate physical locations and the server was an Amazon EC2 m1.small node. The Multiforcer system code allowed all these systems to work together, OVER THE INTERNET!

The tool was created to help out pentesters who need to crack passwords, but can not submit hashes obtained to online cracking programs due to auditing agreement restrictions.

Pretty cool stuff, for more information check out the Cryptohaze Blog, downloads are available from Cryptohaze.com, or better yet check out lead developer BitWeasil’s talk, “Cryptohaze Cloud Cracking” at Defcon 20.