Creating Hashcat Keymap Walking Password Wordlists

Hashcat’s latest keymap walking tool, “KwProcessor”, quickly and easily generates password lists based on keymap walking techniques. In this article, the first of several password cracking themed articles, we will take a quick look at how to use this tool.

Introduction

Keymap walking passwords are popular amongst many organizations as they are pretty easy to use and remember. Basically, you start with a specific key on the keyboard and then pick a direction (or multiple directions) and start hitting keys. Your password is entered as you “walk” across the keyboard.

You can create a complex password in this manner by using the shift key and including numbers in the pattern, as seen below:

 hashcat_wordlist

Starting with the letter “z”, we move North West, hitting the “a”,”q”, and “1” keys. We then move East a row, hitting the number “2”, and then move South East back down the keyboard hitting the “w” key and stopping on “s”.

This would create the password, “zaq12ws”. If we alternately used the shift key, we would get the password, “ZaQ1@wS” which is a little more complex.

What makes keymap walking so successful (until now) is that an attacker would need to know the starting key, direction, direction changes, if any special key is used and when, and of course the ending key.  Hashcat’s new KwProcessor tool makes creating keymap walking wordlists very easy to do.

Installing KwProcessor (kwp)

We will be using Kali Linux as the operating system. At the time of this writing kwp is not installed by default. So, we will need to download and install it.

From a Kali Terminal prompt:

As seen below:

hashcat_keymap_walking2

You can type, “./kwp -V” to check that it installed correctly and display the software version.

Keymaps and Routes

To crack keymap walking passwords you will need two things, a layout of the keyboard keys and a list of routes to take to create the wordlists. In the kwp program directory you will find the “keymaps” and “routes” folders:

hashcat_keymap_walking3

The Keymaps folder contains the keyboard layout for multiple languages:

hashcat_keymap_walking4

The routes folder has 7 preconfigured keymap walks or routes that can be used to generate passwords:

hashcat_keymap_walking5

We can use these preconfigured routes or create our own using command line switches.

Type, “./kwp –help” to see the available options:

hashcat_keymap_walking6

Creating a KWP Wordlist

To create a simple kwp wordlist, we will use the English keymap and the 2-10 max 3 directional change route file. This can be accomplished by running the command below:

./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route

This causes kwp to create multiple keymap walk combinations, of 2-11 characters with a maximum of 3 direction changes:

hashcat_keymap_walking7

The output of the command is sent directly to the screen, so to create the actual wordlist file, you would need to output the command to a text file.

./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route > basickwp.txt

You can then use the resultant text file as a wordlist in Hashcat.

To create a more complex wordlist, use one of the larger route files:

./kwp basechars/full.base keymaps/en.keymap routes/2-to-16-max-3-direction-changes.route > largekwp.txt

hashcat_keymap_walking8

Foreign Language Keywalks

If you need to crack foreign language keywalks, just use one of the foreign language keymap files.  So, to create a Russian keywalk wordlist:

./kwp basechars/full.base keymaps/ru.keymap routes/2-to-16-max-3-direction-changes.route > rukwp.txt

And the resultant file:

hashcat_keymap_walking9

If we have a password hashlist that contains any of the words that were generated, it will crack them. This is shown in the Hashcat result example below:

hashcat_keymap_walking10

Conclusion

In this article we covered how to use the new Hashcat kwp tool to quickly create keymap walking wordlists. We also saw how easy it is to change the keymap language, which can come in handy if you are cracking international passwords. For more information on KWP, check out the Hashcat Github page.

If you are interested in learning more about cracking password with Hashcat, more is on the way in upcoming articles. Also, check out my Basic Security Testing with Kali Linux book that covers a lot of basic password cracking topics, plus a whole lot more!

 

 

Advertisements

Quick Creds with Responder and Kali Linux

Tool website: https://github.com/lgandx/Responder
Tool Author: Laurent Gaffie

Responder is a powerful tool for quickly gaining credentials and possibly even remote system access. It is a LLMNR, NBT-NS & MDNS poisoner that is easy to use and very effective against vulnerable networks.

For the last few years one of the favorite tools in the pentester’s toolbox has been Responder. Responder works by imitating several services and offering them to the network. Once a Windows system is tricked into communicating to responder via one of these services or when an incorrect UNC share name is searched for on the LAN, responder will respond to the request, grab the username & password hash and log them. Responder has the ability to prompt users for credentials when certain network services are requested, resulting in clear text passwords. It can also perform pass-the-hash style attacks and provide remote shells.

In this article we will see how to use Responder in Kali Linux. In the next article we will dig a little deeper and look at some of the additional tools that are included with Responder.

Basic Usage

Responder is installed by default in Kali Linux. To view the Responder help screen and see what options are available, just use the “-h” switch.

Kali Linux Responder 1

From the help screen, the usage is:

responder -I eth0 -w -r -f

or:

responder -I eth0 -wrf

So, basically run the program, provide your network interface with the “-I” switch and then any other switches that you want. You can combine the switches together if you wish, as shown in the second usage example above. You can also use the verbose switch, “-v” to increase the text output of the program for more formation.

Analyze mode

A good place to start is “Analyze mode”. This mode runs responder but it does not respond to requests. It is specified with the “-A” switch. This can be handy to see what types of requests on the network responder could respond to, without actually doing it.

Kali Linux Responder 2

Any events will be shown on the screen, as below:

Kali Linux Responder 3

Analyze mode is also a good way to passively discover possible target systems.

Enough intro, let’s see Responder in action.

Poisoning with Responder

You can start Responder with the basic poisoner defaults by just typing:

responder -I eth0

Kali Linux Responder 4

Responder will poison responses and, if it can, capture any credentials. If a user tries to connect to a non-existing server share, Responder will answer the request and prompt them with a login prompt for access. If they enter their credentials, Responder will display and save the password hash:

Kali Linux Responder 5

We could then take the hash and attempt to crack it.

Basic Authentication & WPAD

WPAD is used in some corporate environments to automatically provide the Internet proxy for web browsers. Many Internet browsers have “enable system proxy” set by default in their internet settings, so they will seek out a WPAD server for a proxy address.

We can enable WPAD support in Responder to have it respond to these requests. If we use WPAD with the “Force Basic Authentication” option, Responder prompts users with a login screen when they try to surf the web and grabs the entered creds in clear text.

Command:

Responder -I eth0 -wbF

  • -w” Starts the WPAD Server
  • -b” Enables basic HTTP authentication
  • -F” Forces authentication for WPAD (a login prompt)

Kali Linux Responder 6

When a user goes to surf the web, the browser will reach out for proxy settings using WPAD. Responder will respond to the request and trigger a login prompt:

Kali Linux Responder 7

If the user enters their credentials, you get a copy of them in clear text. No cracking needed!

Kali Linux Responder 8

As you can see in the picture above, the user “Joe User” is using the password, “SuperSecurePassword”, which it isn’t.  🙂

Log Files

Log files for Responder are located in the /usr/share/responder/logs directory:

Kali Linux Responder 9

Along with the regular program log files, any credentials recovered will be stored in a file that includes the IP address of the target. You can view these files to see the hash or clear text creds:

Kali Linux Responder 10

If only the password hashes were recovered you can take the hash file and use it directly with your favorite cracking program:

john [responder password hash file]

Kali Linux Responder 11

Obviously, this is just an example as corporate networks should never allow “12345” as a password. But sadly enough, I have seen companies remove password complexity requirements so users could continue to use simple passwords.

Conclusion

In this article we saw how easy it is to use Responder to obtain both clear text and password hashes. How would you defend against this tool?

Basic Network Security Monitoring (NSM) will pick up and flag Basic plain text authentication attempts and WPAD auto-proxy requests. This is just one reason why NSM is so important.

You can disable the services that Responder is taking advantage of, but you must be sure that this will not affect your network functionality before you do, especially in environments with old systems still running.

For WPAD based attacks, provide an entry for WPAD in DNS, or don’t use the “system proxy” setting in the browser. In the next article, we will look at some of the extra tools included with Responder.

Also, check out my new book that has an entire chapter on Responder & Multi-Relay – “Basic Security Testing with Kali Linux, 3rd Edition“!

 

Fast Password Cracking with a Huge Dictionary File and oclHashcat-Plus

We rely on passwords to secure our home systems, business servers and to protect our online information. But as cracking programs improve and video cards get faster (Video GPU’s are used for cracking) passwords are becoming much easier to crack.

How big of a problem is this?

I was able to take a publicly released password hash dump file and crack 86% of it…

In 30 minutes…

In this article we will take a look at how fast passwords could be recovered from password hashes when a gigantic dictionary file is used combined with a super fast Video Card GPU based cracking program.

In the test we will be using oclHashcat-Plus, CrackStation’s massive 15 Gigabyte password file and an unnamed password hash file that was publicly dumped. The computer used was a Windows 7 system with a Core I-5 750 running at 2.67 Ghz and a single AMD Radeon 7870 video card.

CrackStation’s dictionary file is very impressive, according to their website it contains:

“… every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.”

I used a fairly recently released password hash file that contained over 7,000 user hashes. I chose this one due to the size. Yes much larger ones are out there, but I thought the size corresponded more realistically to an average company that a pentester or incident response team would be dealing with. Besides, how many American businesses have a million or more employees?

Okay, first up, as a baseline let’s run the hash dump against the ever popular dictionary file RockYou:

Straight Crack with Rock You Wordlist

At a speed of 9567.3k/s it took a whopping 12 seconds and was able to recover 46% of the hashes. Pretty impressive.

Okay, let’s start over and try the CrackStation word list:

Straight Crack Command

And the results:

Straight Crack Stats

At a speed of 20430.3k/s it was able to recover about 66% of the hashes in 13 minutes.

That is amazing, but what if we try running oclHashcat-plus using rules? Rules are somewhat like a programming language for password crackers. It allows you to do different things with each word in the dictionary file like invert it, double it, insert random special characters or numbers, or even transform the word into “1337 speak”.

This creates a very power capability of cracking many people’s habits of trying to disguise their password.

First up, we will use one of the standard rules, Best64:

Straight crack with base64 rule

And the results:

Straight crack with base64 rule stats

Wow, it recovered 78% of the hashes in only 5 minutes!

Alright let’s try one of the larger rule files which includes a lot more word combinations. How about passwordspro?

Straight crack with passwordpro rule command

and the results:

Straight crack with passwordpro rule

About 86% of the passwords recovered in just over 30 minutes!

There are several other rule files I could use, and I could use more involved techniques like hybrid masks and multiple dictionary files, but with using only this single dictionary file and a standard rules file I was able to recover the majority of the passwords in only 30 minutes.

The purpose of this exercise was not in showing how to crack passwords, but showing how insecure passwords can be. Simply adding a “salt” to the password hashes (a random number added to the password hash) would make each hash unique and make it significantly harder to crack.

Implementing a policy requiring your users to use long complex passwords would also help, or better yet implement multi-factor authentication for your systems.

Also it is best to use a different password for every account you have, especially important online accounts that include personal information. That way if a password if compromised the hacker will not have access to every one of your accounts.