Password Dump Tool Spreadsheet

Ever wanted a list of the most commonly used password dump tools compared by capabilities? Then look no further: Bernardo Damele has created a comparison list of 46 password recovery tools!

The Google Docs spreadsheet lists the tool name and 24 comparative features, including whether it has a GUI, whether it works locally or remotely, which OS it works against, and where it can obtain information from.

Pretty good list, though I don’t agree with all of it. Some tools are listed as local only but can be used remotely. Technically the capability may not be built into the app, but they can be used in conjunction with other apps to work remotely with no problems.

Mimikatz comes to mind immediately. It works great remotely, but to be fair, you do need a remote shell opened first.

Great job!


Password Analysis of Journal News LoHud Subscriber Database Dump

As usual, I like to take sanitized lists (user account information stripped) of public password dumps and analyze them for password strength and patterns. Recently the subscriber database for Journal News, Lower Hudson Valley was allegedly hacked and was published publicly online.

The dump had user account passwords stored in MD5 hashes. So they needed to be cracked before they could be analyzed.

There were about 10,000 user accounts leaked in the dump. Many had duplicate password hashes, so the duplicates were removed. I took the password hashes that had not been cracked (some were already cracked in the dump) and ran them through an MD5 hash cracker. In a couple of hours I was able to retrieve just over 85% of the passwords.

In total there were 8,361 unique hashes. I was able to retrieve 7,148 in a fairly short amount of time. I then took the cracked passwords and ran them through Pipal, the password analysis program.

Here are the results from Pipal:

Top 10 words and base words used:

Base Words

Very interesting as there are 10 passwords that are almost ALWAYS in the top ten and none of them were in this list. Okay, “password” was used as a base word, but other than that these are all new.

Let’s take a look at the password lengths:

Password Length

A whopping 80% of the passwords were 8 characters or less, and over 50% of the passwords only used lowercase letters!

Character Set

A common practice is that users will use a word and stick a number or numbers on the end to “make it more secure”. About 25% of the passwords in this list used 3 or fewer numbers at the end of the password.

Last Digit Count

Last digit on end

Single Digit on end

And only a few passwords used the year in their password.

Top Ten Years

Overall the users in this case seemed to use very simple passwords – mostly lowercase passwords with some numbers mixed in. Using long, complex passwords would have made these passwords much harder to crack.

Increasing the password length and using a mix of upper and lower case letters, numbers and special characters dramatically increases the cracking times.
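The statistics quoted above (length distribution, character-set mix, digits appended to the end, years) are exactly what Pipal tabulates. As an added illustration that is not part of the original post and not Pipal's own code, the script below reproduces those counts over a constructed sample list; the passwords in it are made up, not taken from the Journal News dump.

```python
import re
from collections import Counter

# Constructed sample, standing in for a cracked, account-stripped list.
SAMPLE_PASSWORDS = [
    "password", "sunshine1", "lohud123", "Summer2012", "newyork", "football",
    "qwerty12", "1985rangers", "iloveyou", "jets2010", "P@ssw0rd!", "abc",
]
YEAR_RE = re.compile(r"(?:19|20)[0-9]{2}")   # 1900-2099 anywhere in the string
TRAILING_DIGITS_RE = re.compile(r"[0-9]+$")  # digits stuck on the end


def char_set(pw):
    """Label which character classes a password draws on (Pipal-style)."""
    tests = [("lower", str.islower), ("upper", str.isupper),
             ("num", str.isdigit), ("special", lambda c: not c.isalnum())]
    return "+".join(name for name, t in tests if any(t(c) for c in pw)) or "empty"


def analyse(passwords):
    """Compute the figures the post reads off Pipal's tables."""
    n = len(passwords)
    lengths = Counter(len(p) for p in passwords)
    charsets = Counter(char_set(p) for p in passwords)
    trailing_len = Counter()   # how many digits are appended
    last_digit = Counter()     # which digit is the final character
    years = Counter()          # four-digit years used in the password
    for p in passwords:
        m = TRAILING_DIGITS_RE.search(p)
        if m:
            trailing_len[len(m.group())] += 1
            last_digit[p[-1]] += 1
        years.update(YEAR_RE.findall(p))

    def pct(count):
        return round(100.0 * count / n, 1) if n else 0.0

    return {
        "count": n,
        "lengths": dict(lengths),
        "charsets": dict(charsets),
        "trailing_digit_lengths": dict(trailing_len),
        "last_digit": dict(last_digit),
        "years": dict(years),
        "pct_len_8_or_less": pct(sum(c for l, c in lengths.items() if l <= 8)),
        "pct_lower_only": pct(charsets["lower"]),
        "pct_trailing_1_to_3_digits": pct(
            sum(c for k, c in trailing_len.items() if 1 <= k <= 3)),
    }
```

Feed `analyse()` a deduplicated list of cracked passwords and the returned percentages correspond to the "8 characters or less", "only lowercase" and "3 or fewer numbers at the end" figures above.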

BSides Cleveland Security Conference Videos

If you don’t have the chance to get to the big security conferences, then you always look forward to the conference videos when they come out. July is no exception, with several awesome conferences taking place. Adrian Crenshaw (aka Irongeek) has released links to all of the BSides Cleveland Security conference videos.

Below are two of my favorites.

First up is Dave Kennedy, mad hugger, and security guru extraordinaire, with a great look at some of his pentesting secrets and techniques. This is an excellent look at his Social Engineering Toolkit, tips on bypassing Anti-Virus, elevating a user to Admin account, and egress techniques.

Next up is “Pass the Hash like a Rockstar” by Martin “Purehate” Bos. This is a great look at the different techniques used to compromise systems with pass the hash. Somewhat disappointingly, this is not the talk he was originally going to give. He had planned a talk on password cracking, which sounded really interesting, but he had to change it at the last moment. Hopefully he will release the intended talk at some point, but this one is very good too!

Recovering Clear Text Passwords – Updates

I recently wrote articles on both Mimikatz and WCE, two programs that can recover passwords from Windows-based systems in clear text. There have been some updates for both, and I just wanted to pass them along.

Mimikatz:

Benjamin Delpy, aka ‘gentilkiwi’, recently spoke at the Positive Hack Days security conference in Moscow. At the conference our friend discussed a new version of Mimikatz, one that exploits a weakness in the LiveSSP provider and allows the viewing of Windows Live passwords from Windows 8 systems!

The Mimikatz program and a copy of the PH Days presentation slides can be found at the Gentilkiwi website.

Windows Credentials Editor

When I wrote about WCE last, I noticed that for some reason the output didn’t seem right for accounts that did not have passwords. WCE seemed to mirror a password from another account when a password was not present.

Hernan from Amplia Security (creator of WCE) contacted me as soon as I posted the article. As fast as I could run some tests for him on my configuration, he created a fix for this. The delay between the original article and the fix was completely on me. Hernan was amazing!

In a test version he sent me, WCE correctly recovered and displayed both users with passwords and those without, as you can see in the screenshot below:

Secure_User has the insane password, the user George went the bad route and used his first name as a password, and Fred chose worse, as he used no password at all. And of course all three are administrator accounts. Good thing this is just a test Virtual Machine! 🙂

WCE can be obtained from Amplia Security.

The talent that both Benjamin and Hernan have is just amazing. Though I have dabbled with programming since I was a kid (okay, I suck at it!), these guys are just on a whole different level.

Thanks so much for your work!