Fast Password Cracking with a Huge Dictionary File and oclHashcat-Plus

We rely on passwords to secure our home systems, business servers and to protect our online information. But as cracking programs improve and video cards get faster (Video GPU’s are used for cracking) passwords are becoming much easier to crack.

How big of a problem is this?

I was able to take a publicly released password hash dump file and crack 86% of it…

In 30 minutes…

In this article we will take a look at how fast passwords could be recovered from password hashes when a gigantic dictionary file is used combined with a super fast Video Card GPU based cracking program.

In the test we will be using oclHashcat-Plus, CrackStation’s massive 15 Gigabyte password file and an unnamed password hash file that was publicly dumped. The computer used was a Windows 7 system with a Core I-5 750 running at 2.67 Ghz and a single AMD Radeon 7870 video card.

CrackStation’s dictionary file is very impressive, according to their website it contains:

“… every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.”

I used a fairly recently released password hash file that contained over 7,000 user hashes. I chose this one due to the size. Yes much larger ones are out there, but I thought the size corresponded more realistically to an average company that a pentester or incident response team would be dealing with. Besides, how many American businesses have a million or more employees?

Okay, first up, as a baseline let’s run the hash dump against the ever popular dictionary file RockYou:

Straight Crack with Rock You Wordlist

At a speed of 9567.3k/s it took a whopping 12 seconds and was able to recover 46% of the hashes. Pretty impressive.

Okay, let’s start over and try the CrackStation word list:

Straight Crack Command

And the results:

Straight Crack Stats

At a speed of 20430.3k/s it was able to recover about 66% of the hashes in 13 minutes.

That is amazing, but what if we try running oclHashcat-plus using rules? Rules are somewhat like a programming language for password crackers. It allows you to do different things with each word in the dictionary file like invert it, double it, insert random special characters or numbers, or even transform the word into “1337 speak”.

This creates a very power capability of cracking many people’s habits of trying to disguise their password.

First up, we will use one of the standard rules, Best64:

Straight crack with base64 rule

And the results:

Straight crack with base64 rule stats

Wow, it recovered 78% of the hashes in only 5 minutes!

Alright let’s try one of the larger rule files which includes a lot more word combinations. How about passwordspro?

Straight crack with passwordpro rule command

and the results:

Straight crack with passwordpro rule

About 86% of the passwords recovered in just over 30 minutes!

There are several other rule files I could use, and I could use more involved techniques like hybrid masks and multiple dictionary files, but with using only this single dictionary file and a standard rules file I was able to recover the majority of the passwords in only 30 minutes.

The purpose of this exercise was not in showing how to crack passwords, but showing how insecure passwords can be. Simply adding a “salt” to the password hashes (a random number added to the password hash) would make each hash unique and make it significantly harder to crack.

Implementing a policy requiring your users to use long complex passwords would also help, or better yet implement multi-factor authentication for your systems.

Also it is best to use a different password for every account you have, especially important online accounts that include personal information. That way if a password if compromised the hacker will not have access to every one of your accounts.

Password Analysis of Journal News LoHud Subscriber Database Dump

As usual, I like to take sanitized lists (user account information stripped) of public password dumps and analyze them for password strength and patterns. Recently the subscriber database for Journal News, Lower Hudson Valley was allegedly hacked and was published publicly online.

The dump had user account passwords stored in MD5 hashes. So they needed to be cracked before they could be analyzed.

There were about 10,000 user accounts leaked in the dump. Many had duplicate password hashes, so the duplicates were removed. I took the password hashes that had not been cracked (some were already cracked in the dump) and ran them through an MD5 hash cracker. In a couple hours I was able to retrieve just over 85% of the passwords.

In effect there were 8,361 unique hashes. I was able to retrieve 7,148 in a fairly short amount of time. I then took the cracked passwords and ran them through Pipal, the password analysis program.

Here are the results from Pipal

Top 10 words and base words used:

Base Words

Very interesting as there are 10 passwords that are almost ALWAYS in the top ten and none of them were in this list. Okay, “password” was used as a base word, but other than that these are all new.

Let’s take a look at the password lengths:

Password Graph

Password Length 2 Password Length

A whopping 80% of the passwords were 8 characters or less, and over 50% of the passwords only used lowercase letters!

Character Set

A common practice is that users will use a word and stick a number or numbers on the end to “make it more secure”. About 25% of the passwords in this list used 3 or fewer numbers at the end of the password.

Last Digit Count

Last digit on end

Single Digit on end

And only a few passwords used the year in their password.

Top Ten Years

Overall the users in this case seemed to use very simple passwords – mostly lower case passwords with some numbers mixed in. Using long complex passwords would have made these passwords much harder to crack.

Increasing the password length and using a mix of upper and lower case letters, numbers and special characters dramatically increases the cracking times.

Metasploitable 2 Part 4: Cracking Linux Passwords and Pentesting with Grep

All right, we have been having some real fun playing with Metasploitable 2. We found a vulnerable service, exploited it and now have root access, but what else can we do? Sure we have god-like rights on this box, but it would be nice to know the existing users and their passwords. In a pentest, these could be used to gain access to other servers and boxes.

Let’s take a look at grabbing the passwords from the Linux box and cracking them, then we will take a look at a new way to search for web app vulnerabilities using the popular command line tool, Grep.

My friend Dangertux created an exceptional tutorial on the first version of Metasploitable, and cracking the Linux password files. Let’s step through this with Metasploitable 2.

Cracking Linux Passwords

(As always, these techniques are for security professionals only, do not attempt to connect to a machine or network that you do not have permission to do so. Doing so could cost you your job and you could wind up in jail!)

We already have root level access from the past tutorial. So all we need now is to recover the password hashes and then crack them. Simply run the cat command on the /etc/passwd file:

Now just copy the text from this file to your Backtrack system by simply selecting the text with the mouse and copying it into an identically named text file in a local temporary directory, like /root/passwords.

Here is a screenshot of the passwd file data that was copied and pasted into a Gedit text file:

Now just do the same exact thing with the “shadow-” file. You should now have two text files, /root/passwords/passwd and /root/passwords/shadow- on your local Backtrack system.

Next we need to take both newly created text files and run the “Unshadow” command on them from the John the Ripper utilities. This command takes the files and places them into a single file (passwords.db) that John the Ripper can crack:

Okay, now that we have the combined “passwords.db” file, we can unleash John the Ripper on it to attempt to retrieve passwords:

And there we go, we now have 6 user names and passwords.

  • sys/ batman
  • klog/ 1234567898
  • msfadmin/ msfadmin
  • postgres/ postgres
  • user/ user
  • service/ service

Hmm… Looks like the administrator of the box used simple passwords, not a good idea.

And there you go, because we had a root shell, we were able to grab the Linux password hashes from the system by simply copying them and pasting them on our local machine. We were then able to use John the Ripper to crack them. We now have 6 passwords to play with.

If you took a good look at the Metasploit service scanner programs mentioned in an earlier tutorial, you probably noticed some had a place to set usernames and passwords. How cool would it be to just feed our newly cracked passwords into these scanners and unleash them on the Metasploitable box?

Also, as many times admins use the same passwords on other boxes, we could use the same scanners to target the whole network address space to see how many other machines we could get access to!

All from one old service that was not updated…

Pentesting with Grep

One last thing, while we still have our root shell on the Metasploitable machine. During the port scan it seemed that this machine was also a web server. Wouldn’t it be cool to be able to check from the command prompt to see if the box also had vulnerable web applications?

Well, we can! Thanks to an article by “Shipcode” on Rootcon, we can look for common web vulnerabilities and even backdoors by simply using the Grep command!

Simply run:

grep -Rn “shell_exec *(” /var/www

This searches the web server directory and returns any files that contain the shell_exec command. This usually is used in apps that are vulnerable to common web attacks. And as you can see a ton of files are found. The majority of the returns are from the “dvwa” – the “Damn Vulnerable Web Application” and Irongeek’s “Mutillidae” both are loaded with vulnerabilities so you can practice your web app pentest skills.

Now that we know they are there, and in what file the vulnerabilities exist, (thanks to Grep and Shipcode!) we could switch to testing the Web app side of this box.

(If you are enjoying this tutorial series, please leave a quick note or feedback and let me know. I appreciate your feedback and would love to hear from you!)

154 Billion Hashes per Second with Multiforcer Password Cracker

So what does it take to reach cracking speeds topping 154 Billion hashes per second with multiple hashes?

How about the Cryptohaze Multiforcer network enabled password cracker program, 6 computers and 20 video cards?

“It was done entirely with AMD hardware, and involved 9×6990, 4×6970, 4×5870, 2×5970, and 1×7990 – for a total of 31 GPU cores in 6 physical systems. We had another 11 cards with 15 GPU cores left over – we didn’t have systems to put them in (mostly nVidia).”

The crazy fast speed was attained cracking 10 hashes! They were also able to obtain speeds of 139 B/s on 1000 NTLM hashes, 101 B/s on 1000 MD5,  and 30 B/s on 1000 SHA1 hashes.

The computers where setup in 4 separate physical locations and the server was an Amazon EC2 m1.small node. The Multiforcer system code allowed all these systems to work together, OVER THE INTERNET!

The tool was created to help out pentesters who need to crack passwords, but can not submit hashes obtained to online cracking programs due to auditing agreement restrictions.

Pretty cool stuff, for more information check out the Cryptohaze Blog, downloads are available from, or better yet check out lead developer BitWeasil’s talk, “Cryptohaze Cloud Cracking” at Defcon 20.