Password Discovery Hardware
Now that we’ve thought about a password improvement program, it’s time to start gathering the tools and skills necessary to perform the work. We'll need a system on which to perform our analysis. Our goal is to provide insight into some real-world attacks on our own password infrastructure, so as much as I'd love to build a $20,000 rig for working on this, the reality is that one is neither required nor adds much for our stated objectives. One of the best (IMHO) analyses I have performed was to point out how many passwords could be discovered using a single core on an Intel i7 processor. However, I would recommend at least a decent desktop-class workstation with a modern processor sporting four cores, 16GB of RAM, and a few terabytes of storage. You can absolutely perform some decent analysis without a GPU, but it is more fun with one, so grab a good video card in the $180 range at minimum. If you are building, make sure to have a free PCIe slot or two so you can add video cards later, should you desire more power.
Okay, you’re not going to use an old 3dFX card, but damn, weren’t they great?
Password Discovery Tools
There are a number of password discovery tools out there, and you've probably heard of them. The ones I used are the following (in order of preference and value):
Hashcat (and oclHashcat) is possibly the most well-known and arguably the best performing password discovery tool available. Once, this was split into a number of different tools, but the authors have (thankfully) merged everything back into a few packages. The primary ones are hashcat, which is CPU-based, and oclHashcat, which has support for AMD and Nvidia GPUs. Hashcat supports a huge number of hash algorithms and is adding to this list all the time.
This power and flexibility come at the cost of it being pretty complex to work with the first couple of times. There are a number of attack modes, including mask (brute force++), combinator, rule-based character replacement and substitution, dictionary, and mixtures of the foregoing. Read the documentation, review the supplied examples, play with some commands, read the documentation again, and then go through the sample rule files.
is a cracker for Windows passwords based on rainbow tables. It is compiled for Windows NTLM and LANMAN hashes, source is available for Linux, and many distributions (such as Ubuntu) have a package for it. They offer some tables for free download, and other, more complete tables are available for purchase. If you are only performing discovery against Windows systems, this is probably the easiest and fastest way to get up and running. Since it relies on pre-generated tables, this tool needs a fast CPU for lookups and a lot of RAM for storing the tables.
John the Ripper (JtR)
I wish that I had copious amounts of time to devote to research projects like this, so I could really delve into all the nuanced rulesets and masks for oclHashcat and JtR. Unfortunately, whenever I start to really delve into arcana such as that, I am invariably pulled away by another responsibility, and by the time I get back to the research, I have forgotten what little progress I made. Such is my experience with the more advanced features of JtR. Fortunately, your research and review of the Hashcat documentation will not go unrewarded here. The rule syntax is the same, with the exception that Hashcat has implemented some features that John does not support.
I use JtR for two primary purposes:
- The obvious: JtR is a very solid password discovery tool supporting a large number of algorithms and a rich ruleset language.
- More and more often, however, I find myself using John as a way to quickly generate a good word list from a shorter dictionary. I am probably doing something stupid here, but I like to run John with rules against a short wordlist consisting of lower-case words, generating a list of those words with various permutations, depending on the rule(s) I chose. Then, I drop that into Hashcat in a hybrid-style attack.
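To make the shared rule syntax concrete, here is an added example (my own code, not part of this post, Hashcat or John) that interprets a small subset of the rule language both tools use and expands a short, lower-case wordlist through a constructed rule file, which is what the John-then-Hashcat workflow above produces. The supported functions (`:`, `l`, `u`, `c`, `t`, `r`, `d`, `$X`, `^X`, `sXY`) and the constructed wordlist and rules are assumptions chosen for brevity; the real engines implement dozens more functions.

```python
"""Minimal interpreter for a small subset of the rule syntax shared by
Hashcat and John the Ripper.

Added example for this post; it is not code from either project.  Only the
functions listed in ZERO_ARG plus `$X`, `^X` and `sXY` are supported, which
is an assumption made here to keep the example short (the real engines
implement dozens more and differ in a few details).
"""

# Constructed sample input: the short, lower-case wordlist the post describes
# feeding to John before handing the expanded list to Hashcat.
SAMPLE_WORDLIST = ["summer", "password", "welcome"]

# Constructed sample rule file.  One rule per line, functions separated by
# spaces; '#' lines are comments and blank lines are ignored.
SAMPLE_RULES = """
# pass the word through unchanged
:
# capitalize
c
# capitalize and append one digit / two digits
c $1
c $2 $3
# leetspeak substitutions
sa@ se3 so0
# upper-case everything, then reverse
u r
# prepend and append punctuation
^! $!
"""

# Rule functions that take no argument.
ZERO_ARG = {
    ":": lambda w: w,                              # no-op
    "l": str.lower,                                # lowercase all
    "u": str.upper,                                # uppercase all
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # capitalize first, lower rest
    "t": str.swapcase,                             # toggle case of every char
    "r": lambda w: w[::-1],                        # reverse
    "d": lambda w: w + w,                          # duplicate
}


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line to a word, function by function, left to right."""
    ops = rule.replace(" ", "")   # assumption: no function here takes a space argument
    i = 0
    while i < len(ops):
        fn = ops[i]
        if fn in ZERO_ARG:
            word = ZERO_ARG[fn](word)
            i += 1
        elif fn == "$":               # append one character
            word = word + ops[i + 1]
            i += 2
        elif fn == "^":               # prepend one character
            word = ops[i + 1] + word
            i += 2
        elif fn == "s":               # replace every X with Y
            word = word.replace(ops[i + 1], ops[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported rule function {fn!r} in rule {rule!r}")
    return word


def parse_rules(text: str) -> list:
    """Read a rule file: skip blank lines and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def mangle(wordlist, rules) -> list:
    """Expand a wordlist through every rule, dropping duplicate candidates.
    The real tools differ on loop order; word-major order is used here."""
    seen, out = set(), []
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule)
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    for cand in mangle(SAMPLE_WORDLIST, parse_rules(SAMPLE_RULES)):
        print(cand)
```

With the real tool, the equivalent expansion step is `john --wordlist=short.txt --rules --stdout > candidates.txt`, and the resulting file is what Hashcat's hybrid modes (`-a 6` wordlist + mask, `-a 7` mask + wordlist) consume. Seeing how few rules turn "summer" into "Summer23" is also a useful reminder, when writing a password policy, that "one capital and two digits" adds almost nothing against rule-based guessing.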
Project Rainbow Crack
I am listing the Rainbow Crack Project last because I have not really had a chance to use it. This is a set of tools for creating and using rainbow tables to attack passwords. Rainbow tables essentially trade up-front time and storage space for a quicker attack time at a later date. Generating your own tables can take a long time, especially if your system is regularly used for other tasks. This technique makes for some fascinating reading and I highly recommend it. As the math becomes pretty complex, I recommend going to the site, reading enough to get the table generation started, and then sitting back with some strong coffee and reading all you can about the technique and process.
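The time-for-storage trade-off described above is easier to see on a toy than in the real math, so here is an added example (my own code, not from the Rainbow Crack project or any tool named in this post) that builds a tiny rainbow table over a four-digit PIN keyspace, stores only chain endpoints, looks up unsalted SHA-1 digests, and shows why a per-user salt makes the precomputation useless. The keyspace, chain length, chain count and reduction function are assumptions chosen so the whole thing runs in a few seconds.

```python
"""Toy rainbow table over a four-digit PIN keyspace.

Added example for this post; it is not code from the Rainbow Crack project
or any other tool named here.  The keyspace, the chain parameters and the
reduction function are assumptions chosen so the whole thing runs in a few
seconds and makes the time/memory trade-off visible.
"""

import hashlib
import random

KEYSPACE = 10_000   # PINs "0000".."9999": a constructed toy keyspace
CHAIN_LEN = 100     # t: hash/reduce steps per chain
NUM_CHAINS = 400    # m: chains kept; the table stores m pairs, not KEYSPACE hashes


def h(pin: str) -> str:
    """Unsalted SHA-1 hex digest, standing in for any unsalted password hash."""
    return hashlib.sha1(pin.encode()).hexdigest()


def salted_digest(pin: str, salt: str) -> str:
    """What a salted scheme stores; the salt was not part of the precomputation."""
    return hashlib.sha1((salt + pin).encode()).hexdigest()


def reduce_(digest: str, step: int) -> str:
    """Reduction R_step: map a digest back into the PIN keyspace.  Mixing the
    column index in is what makes this a rainbow table: two chains that collide
    in different columns keep diverging instead of merging."""
    return f"{(int(digest[:12], 16) + step) % KEYSPACE:04d}"


def walk_chain(start: str, chain_len: int = CHAIN_LEN) -> list:
    """All columns of one chain: pins[0] == start, pins[-1] == endpoint."""
    pins = [start]
    for step in range(chain_len):
        pins.append(reduce_(h(pins[-1]), step))
    return pins


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN, seed=1) -> dict:
    """Precomputation: {endpoint: start}.  Every intermediate hash is thrown away."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = f"{rng.randrange(KEYSPACE):04d}"
        end = walk_chain(start, chain_len)[-1]
        table.setdefault(end, start)   # a later chain ending here has merged; drop it
    return table


def lookup(table: dict, target: str, chain_len: int = CHAIN_LEN):
    """Return a PIN whose unsalted hash is `target`, or None."""
    # Guess the column where the target would sit, finish the chain from there,
    # and check whether that endpoint was stored.  Later columns are cheaper,
    # so try them first.
    for col in range(chain_len - 1, -1, -1):
        pin = reduce_(target, col)
        for step in range(col + 1, chain_len):
            pin = reduce_(h(pin), step)
        start = table.get(pin)
        if start is None:
            continue
        # Endpoint hit: re-walk from the stored start and test every column,
        # because an unrelated chain can share the endpoint (a false alarm).
        for candidate in walk_chain(start, chain_len)[:-1]:
            if h(candidate) == target:
                return candidate
    return None


def coverage(table: dict, sample: int = 50, seed: int = 7) -> float:
    """Fraction of random PINs the table recovers (a constructed measurement)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(sample):
        pin = f"{rng.randrange(KEYSPACE):04d}"
        hits += lookup(table, h(pin)) == pin
    return hits / sample


if __name__ == "__main__":
    table = build_table()
    print(f"stored {len(table)} chains for a {KEYSPACE}-entry keyspace")
    print(f"recovered {coverage(table):.0%} of sampled unsalted PINs")
    print("salted digest recovered:", lookup(table, salted_digest("1234", "s4lt")))
```

The table holds at most 400 endpoint pairs for a 10,000-entry keyspace, and each lookup costs at most about t²/2 hash operations instead of a full sweep; that is the whole trade. The salted lookup returns None every time because the chains were built over `sha1(pin)`, not `sha1(salt + pin)`, which is exactly why a per-user salt (or a proper password hash such as bcrypt or scrypt) takes precomputed tables off the table for a defender's own systems.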
is a cross-platform password discovery tool with support for GPU and OpenCL acceleration, as well as support for rainbow tables. They have focused on Nvidia cards, and since all my current systems are ATI, I have not had a chance to demo this tool. However, they do have links to some very large rainbow tables via torrent, which (if available) could be a nice addition to our toolkit. (Note to self: add a good system with Nvidia cards to next year’s lab budget.)
We could just load the system up with a lot of expensive GPUs and set it loose against encrypted passwords and see what happens. There is no doubt we’d discover some passwords, and, depending on the company’s existing password complexity policies, maybe even a decent percentage of them. However, using only brute force is going to test a lot of passwords that nobody would ever use, and by the time we are forcing complex 10-character passwords the effort is too costly. People want to create passwords they can actually remember; that means passwords based on real words, and passwords based on real words give us a starting point: dictionaries and wordlists. Therefore, we want to use a wordlist based on common words, such as a language dictionary, proper nouns, and common slang or abbreviations.
Now that we have tools, we need some practice material! Adeptus-mechanicus has a great archive of hashsets from previous public password dumps, as well as analysis performed upon some of their own auditing of those leaked passwords. Another source of test material: the Password Project maintains a number of leaked password sets.
Grabbing a few of these is a great way to hone our skills with the above tools and discover what works best for us.
Put the above together and start learning how to use the various tools I’ve listed. Working through a couple hashsets will give you a good feel for the time and effort involved in preparing and executing your password discovery run. If you come up with some good techniques or a workflow that works very well, please post in the comments!
A roundup of references and materials I either used to write this post, came across while researching this topic, or will use in subsequent postings: