
Hi everyone, time for Cracking Passwords for Fun and Profit. My name is Chris Timmons, I'm a penetration tester and security specialist team lead at ION United, second time presenting for B-Sides Vancouver, so let's hope it's a good one this time.

So, passwords. Everyone has one, and people make passwords differently. You look at the complexity requirements and things; some people think they know how to create a good password, some people don't. We're actually going to take a look at the back end of it and see how some of that stuff works when we're actually trying to crack passwords. So if we're doing a pen test and we're getting passwords, how quickly and easily can we crack them, and some of the human nature around it. Obviously a lot of people understand why, but we're going to dive into that a little bit for those who don't.

So who am I? As I mentioned, security specialist team lead at ION. I've been doing this for about 27 years. I've been in the Department of National Defence, I've held senior roles at various companies, I've been working at ION United as a pen tester for just over three years now. So we have done lots of things, and according to my loving wife (and I have to say loving wife) my workshop can act as a NASA disaster recovery location. It's got stuff all over the place and it's used to help extract passwords. I do forensics, hacking, password cracking, hardware hacking, a bit of wireless, did smartphones for a while, obviously doing a lot of forensics for things like incident response, and I used to play around with robots and stuff as part of an innovation team, so hacking a robot is fun.

So why? Well, I like shiny things and I am a chronic procrastinator: if there is a reason not to do work, my boss is going to think that I do it. I'm also a huge fan of build once and use many. If you're gonna do it once, great; if you know that you're gonna have to do it twice, just automate it, because then you'll thank yourself the third, fourth, fifth, sixth, seventh time you've done it. And as I mentioned, I like cracking passwords.

So this is my home rig right here. I've got four NVIDIA GTX 1080s in it with terabytes and terabytes of space, because I like to collect things. I'm a data hoarder, so I've got password lists: any time I find a dictionary on the internet I grab it, I check the quality of it, breach compilation data, I've got it all, and I just sit there and keep building up more and more and more.

So I'm going to dive into a little bit on hashcat, and I'm going to focus on hashcat today just because, nothing against John, it's just I wanted to use hashcat for the presentation today. So one of the things with hashcat is it's very versatile. It supports a number of different attack modes: straight, combination, brute force (which technically is a mask attack), and then two different kinds of hybrid, word list plus mask, so word list and mask or mask and word list, and then another one that a lot of people don't know about called an association attack. So we're actually going to go and walk through some of these.

So some of the basics on this one. Dictionaries. Dictionaries are big giant word lists, and they're either of two things. One, they're a compilation of exposed breached passwords, so things like rockyou. Weakpass is a good one, because they go and get all the breach data and stuff that comes out, scrape it, and basically put all the passwords and stuff into a file, and it's a big file; the latest Weakpass 3 is just over 100 gigabytes in size, so that is a lot of passwords, and they do a pretty decent job of cleaning it up. CrackStation was one from a couple of years ago; it's a decent size. But it's beyond just looking at passwords that are exposed. You know, like Summer2022: great, it's in a password file, but what about other things that don't have letters and numbers and special characters on them? And that's where dictionaries really come in. So use all the languages. Why? Because, well, you don't know what languages might be in use in the password that you're cracking. They could be using German or Russian characters or something with umlauts in them, and that's why I mentioned that UTF-encoded dictionaries are the best to use, because they support it. Other word lists: sports, sports teams, music, names of songs, breeds of dogs (that's actually a pretty common one). Another one is passphrases; I've got some stuff in here I'll show you guys on how to get some good passphrases, and we're talking things like every verse of the Bible or every lyric to every song ever made. Those are phrases that people can use when they're creating a password. And of course I mentioned data breaches; there's just a lot. So I don't rely necessarily on Weakpass and stuff like that to go get them for me; I've got a couple of terabytes of breach data that I go munging through whenever I need something.

One of the things about this is, if you are ever pen testing or cracking passwords against a customer, one of the important things to do is make sure that you're using words and terminology and things that are relevant to that company. The number of times we've gone in and we're doing password cracking for a customer and they're using words that are posted on their website, they're using the name of the company. So CeWL is a custom word list generator. It's just a little Ruby app; you tell it to go spider a website, it goes and searches through all the metadata, pulls out names of things and the software that was used to create the file, and then it compresses it all into a nice sorted list, and you can tell it to make it all lowercase, and you can mangle the data however you want afterwards. But it's extremely effective; it's the first thing I run any time I'm doing OSINT on a customer, just getting ready for password cracking, because the number of times that it's CompanyName12345 as the password, or the name of a software project or something that they're working on. And we'll actually get more into the name of the software project in just a little bit.

The second part of hashcat is rules, and the rules as part of the mask attack... these are just some examples of some of the good ones that hashcat has in it, and a couple that aren't. And rules basically take letters and characters within a password and flip them, so it can make lowercase to uppercase. So the toggles rules, for example, will capitalize one to five characters in the password concurrently. So a toggles2 rule will just take two characters, so first character and last character, and then first character and third character, and just keeps going through the iterations, trying variations on it. 99.999999 percent of the time, human nature, people will put a capital letter somewhere, usually not more than a couple though, and it's usually in the first spot. A second one is a combinator rule, where you can actually combine two words, so you take two dictionaries, or even the same dictionary, and you throw it together. Why? Well, because way back in the day people were telling people to make good passwords, and so you would make a password, your password would be the name of your dog. And then they realized, oh well, you need to make a better password, it's got to meet Windows complexity requirements, so it has to be a longer word. Oh okay, well, let's put the names of both of my dogs together: combinator rule. And of course you can't crack passwords without leetspeak, because everybody makes a password like that. The d3ad0ne rule is just one of the ones that I find, between that and best64, they're a little older but they get the job done. There's even a reduced version of the d3ad0ne rule, which takes the 75,000 rules or something and dumps it down to like 1,500, so it's really small, very efficient, because what happens with a lot of rules (and I'll show you some statistics) is after you hit kind of a point of okay, we've gotten just about everything, you're still processing things in the background and it's not doing anything useful. The OneRuleToRuleThemAll, as I mentioned, it's not a Lord of the Rings reference but it does work. It's a large rule, but it tends to be highly effective, and really it depends on what you're cracking at the time. You can load up all the rules at the same time, but it'll just take forever.
Nice one, Dana. The second thing is, when you're creating rules and masks and stuff, you use character sets, and these character sets all break down into different ones. So ?l is lowercase and ?u is uppercase, ?d is digit, ?s stands for special characters. A lot of people use ?a, which is all four of them. You can also define custom character sets, so I could use -1 and say I just want lower, upper and digits and no special characters, and then I can use that in my mask so I'm not having to type it all out, and it'll try those three different variations within the character set. Some of the lesser-known ones, of course, are hexadecimal in uppercase or lowercase; it's got a flag for both.

So why do we use masks? Well, the masks are based on the whole strong password rules we've forced on users for years, and unfortunately users are really bad at picking passwords. Usually it's a word and a number and a special character, and as I mentioned, it always starts with an uppercase letter. Knowing this, you can actually say, well, let's not test every password; we'll just test the key space that we want to, that we assume the users are going to go and take a look at. So if you use a mask of upper, lower, lower, lower, digit, digit, that equals Spring2020. Perfect. And because we don't have to go through all these special characters and uppercase characters and everything else, you're only checking 26 potential tries for each position instead of the 300 and some, so it makes it happen very, very fast.

How do you generate masks? Well, you can do it manually, and there's a couple of different ways. There's two that I've got here in the presentation. The first is maskprocessor, which is built into hashcat, and you can basically generate a word list that has whatever you want. So in this case I used maskprocessor and I said I want to make "bsides" and I want a file that has every possible combination, or potential combination, of this one. So I made it, and now I have a file that has bsides000 and it'll go all the way to 99999. Obviously you're now throwing a file at it, but if you're using a CPU-based attack it sometimes comes in a little handier, and you can also then take this dictionary file and use it with other rules, like OneRule or leetspeak or something like that, and generate better candidates. Another thing that's really handy is called PACK, the Password Analysis and Cracking Kit. Basically you feed it a password file and it just goes through and generates everything. I wish I had made this screenshot a little bigger, I'm sorry, but it tells you the character sets that you're using. If you look on here it says we're using loweralphanum, so there's no special characters in 90% of the passwords in this, and then at the end it generates masks. What you can do with PACK afterwards then is generate what's called a hashcat mask file, and it basically says here's a list of all the different masks I want you to try. So I want to look at all the upper-lower-lower-digit kind of ones, and then I want a whole bunch with a special character on the end, and things like that, and it'll just run through, so that makes your password cracking much more efficient.

And what are we cracking? Well, common hash types: MD5, because anybody finding a backup file on the internet, that's where we find it; SHA-1; Microsoft Office files; NTLM, obviously the gold when you're doing pen testing, that's the one you want; NetNTLMv2, very common as well; and then there's three types of Kerberos. And a little pro tip on this one: if you use Invoke-Kerberoast.ps1, you'll get these, but you won't be able to crack them because the formats are all wrong and the salting is all weird. But if you pull a Kerberos ticket with Rubeus instead, every time.

So hashes, that said, here's all the different kinds. Where are you going to get them? As I mentioned, config backup files. This is actually one I pulled off during a pen test: got access to a Digi Connect router and pulled out the config file, and there's the password in MD5, which took me... because it ended up it was actually still the default password for the router, they hadn't changed it, so Digi Connect by default has root and the password is dbps. So that took me about half a second; I think it took me longer to type in the command than it did to actually crack the password. Kerberoasting, of course, I mentioned before; this type 23 tends to be a little faster than the 17 and 18, so if you can go for that, and with Rubeus you have an option to downgrade. DCSync, of course, is always a fun one. One thing I've always had a problem with is when you get the log file from it, it's painful, so there's a little PowerShell script that you can use to just efficiently get all those files out. And of course ntds.dit extraction; so this is when you've either taken it off the Volume Shadow Copy Service from a domain controller, or, as I get into it, you're actually going to do it just for fun.

But how do you know what your hashes are when you're taking a look at them? So for example, I know this is an MD5 just because of the config file and I knew that that's what it would do. But how do you identify that? Well, the good thing is hashcat actually has an auto-detect mode. I rarely use it, just because I have the example hashes bookmarked and I literally just look for the right string. hashid is an older application, it's about seven years old, but it still gets the job done as well, so you can either have a file full of hashes or just put it in on the command line and hit go, and it'll tell you statistically which hash type it probably is. Ciphey and CyberChef: limited support. They're not going to tell you you have an NTLM hash or things like that, but they are very good for a couple of things. Ciphey is really good if you don't actually want to get hashcat up and doing it, like if you're on a CTF or something and you've just got encrypted text. Ciphey will actually use an AI engine in the background and crack it for you. So most of the time if you have like a SHA-1 encrypted, or if it's using weird ciphers like Vigenère or Caesar or things like that, it'll just crack it and spit out the plaintext for you. So very handy to have, nice little command line tool. And of course CyberChef is in use all over the place as well. I do find Ciphey works a lot faster on some of the auto-cracking stuff just because of the way the back end is, but CyberChef's just gold.

Okay, so if we're going to show you guys any cracking stuff, first we need hashes. So what I've done is I've actually used the ntds.dit customer files by Lauren Gallant. She actually does a domain password analysis toolkit, and so she had some sample data, and there was actually an Active Directory populated from rockyou, so this actually works out really well for some of the demos.

So, straight-out dictionary attack. I actually had demos, and I was actually going to do video demos for this entire thing, and up until two days ago I realized I can't do videos. I apologize for the screenshots, there's a lot of them. We take a look at this. So what we've done: we've extracted all of our NTLM hashes into our actual customer.hashes file, and what we've done is we've just run a straight-out attack against rockyou. Now the flag -O actually limits the password size that you can crack. So normally you can crack up to like 256 characters; when you use an optimized kernel it squishes it down to 32, so you won't crack any passwords that are bigger than 32 when you're using that flag. In this case we're using rockyou and 99% of the entries in there are all like 8 to 12, 16 character kind of passwords, so it did make a difference on this one. But you can see here, so on this we ran rockyou just straight out, it took 12 seconds to run and we got 99.98% of the digests, so we're missing like 20 or 21 passwords out of the entire 87,000 that we were able to pull. So that's pretty fast.

Let me take a look at starting to add some rules. So hashcat supports rules, and when you actually create a rules file there's all these things, so like a t means transpose letters and stuff like that. We're not going to get too much into that one, because I don't think anybody on here is going to start creating their own rules from scratch. But so we'll take a look at this: we did this again, we ran rockyou and we threw on the OneRuleToRuleThemAll. It took 48 seconds, so a four times increase in time, and we actually got 99.99%, so now we're down to just 13 passwords that we didn't get, just by doing that. Whenever I ran these attacks I was using a flag on hashcat called --potfile-disable, and that just makes sure that it's always in memory; I'm not pulling it out of my potfile, this is raw results. And thanks, Dana, for posting all the links, it's great, thank you. One small pro tip is if you have a small dictionary and a lot of rules, so if I had a CeWL word list for example that only has like 50, 60, 70, anything up to a couple of hundred words in it, throw -S on it and you'll see a speed increase from like an hour to like seconds. But if you try and do it with a larger word list it'll tell you, because you'll realize really fast, because your cracking goes from an hour to like three.

So now what? I mentioned passphrases. So passphrases are definitely something that's becoming a lot more common. People are saying, oh, passwords are bad, stop using Spring2022, make a passphrase, remember that you can use spaces and things like that. And so people do, and I've already started cracking passwords where somebody's typing in "quick brown fox jumped over a lazy dog". If it's a known phrase that is very popular, well, we've pulled it. Why? So initstring created a passphrase word list, last updated I think in October, so it keeps being recent, but he cites all the sources he's pulling stuff from. So he's pulling from Wikipedia (like actually every word off Wikipedia), quotes, famous quotes, Bible verses, everything, it's all in there. And there's two rules that are in there. The first rule deals with capitalizations and stuff like that; the second one deals with permutations, so things like adding spaces between words or putting underscores or dots or things that people might do when creating their secure passphrase. So it'll create a thousand permutations of each phrase, so "a quick brown dog jumped over" would become like uppercase A, lowercase a, or a dot, or an underscore, and on and on and on. When we take a look at that... oops, hang on, there it is. Same thing I mentioned before: watch out when using -O with passphrases, because you're still limited to 32 characters and passphrases can typically get longer than that. So sometimes maybe run it with -O, see what you can get, and then run it again without the -O, just to get some of the low-hanging fruit.

One of the things that we also have is what's called a combinator attack. So very similar, but this takes multiple dictionaries into an attack, where you can use the same file, it's whatever you want. You just put in the mode, you take your hash files, and then you list out the files. So for example, if you think people are making passwords with breed of dogs and breed of cats, you could put in here's your dog dictionary, here's your cat dictionary, and it'll just try every word. So it'll be like apples oranges, and then it'll try oranges apples. So it tends to work pretty good with that. You can throw rules and stuff on those sometimes as well; if you can't use a rule, this is where you can generate back what I mentioned for the mask generator, because you can go create one of the files with all the digits on the end and then just use it on this one. And so we take a look at how far we did on this one. This one said it was going to take two hours, which, yeah, is about the right thing, but it also creates a lot of potentials, that's why it takes two hours. However, you'll see that within 22 seconds I still had that at 99.98%, just because we're using rockyou. But if I had to do the full run it would take two hours, which isn't too bad. But a lot of people ask me why, and the thing is, when you start dealing with combinations of words and you want to take this word and then this word, imagine two lists of a thousand words. A thousand words isn't that much, but that creates a million entries, because you're looking at every word to every word in the list, and then the second word, every word in the list. You can do an attack called combinator3, and I don't really go into that one too much, but there's a utility called combinator3 in the hashcat-utils and you can actually tell it to do three, which makes perfect sense. It takes forever, but when you're telling people to do passphrases and stuff like that, or you know, pick three words, two you like, one you don't, that's how you're gonna have to run it. When you're running it in full memory, a thousand-word file is only tiny, it's a couple of kilobytes, not that big at all. If you were to try and write out all possible permutations of it, we're talking petabytes of file size; the files would just become astronomical. I did a combinator3 attack, kind of a halfway one: so I took a thousand-word file, ran it as an output to generate one larger file that had the million words in it, and then just ran rules against it. So I did a combinator attack with a two-word dictionary and then a third one. The challenge with that, of course, is it can't insert the word into the middle, because you have to try all different three combinations, so you have to generate it twice and then do it again. But there are little tricks and hacks and things that you can do, and they tend to work for the most part.

And I mentioned before the brute force mask attack. We're doing it a little differently on this one. You'll see here we did lowercase across the board and then two digits on the end. It only took one second and we got 3.64 percent of the hashes, so we got 3,000 passwords in just one second, just from that. So if you know what you're looking for, it's pretty fast and easy to do a mask, and it's much more effective than brute forcing. Because when you get into brute forcing, so if using every special character and every possible letter and digit, you can see that exact same attack that took a second is now going to take me two days and seven hours. And take a look at these: this has been running for 50 seconds and we've only gotten two percent of the digests, so only 1,900. So from a speed and capability perspective, this got much faster results with a lot less effort.
and sometimes when you're pen testing um you know it's a it's a roller coaster it's as kirk mentioned yesterday in his talk uh you know i love cracking passwords so when i crack a password i'm like yeah do the little happy dance and love to see it ringing the shelves and everything else um but when i'm sitting there trying to crack that like when you're looking at a list of this and you've got you know like 13 passwords left you want to get that hundred percent you're like right this is where you got to start pulling out some of the interesting things and taking a look and that's where tools like pack and everything else
come in really handy because it helps you try and find what's left over because some of the times if you if you go back and take a look at one of the previous slides with pack you can see at the bottom you can see the advanced masks and you'll see like one percent of your passwords are 0.1 percent of the passwords are using this mask um so you might have another one you might not but it though those ones typically uh take several hours or days to run and of course i said when you know when all else fails sometimes you just have to brute force uh pro tip a lot of customers are coming down and
using 15 character passwords this is why it's so important to use proper dictionary attacks and masks because if you actually try and brute force anything over 15 characters there's actually a math problem and and you'll actually get an integer overflow by doing it uh so we had a question can you modify change or modify your lists on the fly once you start a cracking one um it loads it up in memory and it creates an index and so if you modify that file while it's running it's not going to pick it up i do cheat once in a while by deleting the index or doing a pause on the thing when you pause hash cat if you're in the middle
of a run it creates a restore session file and it basically just tells you where in the index it was and um you know all the settings that you had done well if they can't find the index it'll rebuild it and it sometimes it might start from scratch but depending on how um how far in you were like if you were a month into it you know i've seen pastor craft over a month if if you're a month into it and you don't want to lose your spot you're probably better off just checkpointing it stopping it taking a look at the results and then trying something else because you're probably not going to get it at that
point it doesn't mean it's impossible um but you're you're typically going to have those you know like 30 day crack runs and stuff when you're doing a full brute force not necessarily a dictionary attack um like if you were to take the weak pass the big hundred gig file that i did and threw one rule against it it's gonna take a couple of days um just because that's how long it's going to take to run you know 100 000 rules against 168 billion passwords i don't brute force often but you know if there's a chance um one of the better ones that we find are actually a hybrid attack so very similar to the mask one but what you're doing
with this one is actually saying i've got a known word so things like company name or you know name of the season and just you can say i want every word in this file so as seasons as you know it's got spring summer fall january february march april may um and throw all the digits on the end of it go done uh speed dependent on gpu or cpu or both typically uh it's gpu dependent um when you're loading up very large dictionary files it loads it into memory so having more memory helps more than your cpu you can include your cpu uh in password crackings but what happens sometimes is then the operating system starts getting
a lot leggy and stuff from i o and um so i i typically don't unless i really desperate for just that last little bit of performance um but for the most part yeah if you're gonna get a box like if i were to say add another gpu or add another sticker ram or add another cpu i'd say gpu first ram second after that it's all about io for ssd and stuff for for pulling these files off the list so like for me i've got um all my stuff is using internal static the six gigabit per second stuff and anything i've got plugged in on usb is all using like usb 3.1 so it's you know
i've got 40 gigabytes per second of throughput so it's usually pretty decent on that one um so i mentioned about the association attack before and so this is really really works well for very large salted hash lists for example bcrypt um it doesn't work so well for ntlm um and the reason is when you pull an active directory database it's so ntdbs.dip file there's one salt for the entire thing and the association attack has to needs the number of words in the word list to be perfectly in sync with the number of unique salts if there's a one like if you have 99 in one file and 100 in the other it'll just stop um
so on this one what we did uh for this example is i i decrypted uh a thousand names i took here's a word list and then i made that word list decrypted them all and then fed them that same name um i'll get to that question stop in just a sec um when um so you have the salt you have the hash what happens is there's a hint for lack of a better word so the hint of the username might contain the same kind of thing and in this case you can see we ran a full 10 000 names in one second 100 success rate uh because well obviously i mean kind of cheating a little bit
because we had the known decrypt hashes but all we did was set it the name of a file and it went okay and went and just to make sure it wasn't perfectly like i sorted and shuffled and all that stuff and the reason this is an important one and i wanted to bring it up is because people tend to use names as part of the password the number of times we've been on a pen test and the service account password is the name of the service account with like one two three exclamation on the end of it happens all the time so if so commonly what i do is when i'm cracking stuff i'll pull all the usernames out so when
i extract like the ntds file for example i'll pull all the usernames and search accounts and stuff out and i'll use that in an association tech if i have to or if i'm even throwing it back at it during the password cracks because it it works don't run into this one often just because of the kind of hashes that we're running into but things like decrypt if you do have um certain logins and stuff that have been exposed it's gonna find it really fast if that works uh actually before i go on to that one so slava um cloud gpu instance ironically i just finished setting up an aws crowd clacking crap crap cloud cracking incident for a client um
they wanted to get some password cracking they're looking at enhancing some password policies and things like that so they wanted to see how bad it was um so i worked with them to set up an aws instance using um like uh aws machine learning ubuntu image throw a bunch of stuff on it it's actually for using a one large was all that we set up now because we're able to get so many password cracking efficiencies we didn't have to go to like a four times large or anything so in that has a tesla v100 and i was getting 100 giga hashes a second out of that one so my home rig was getting 160 and the single tesla v100 was getting a
hundred gigahashes so 100 billion per second um but using the combinations of like dictionary attacks and and everything else that we did um i think i've got 26 success rate out of and have to understand there's like because they had full 12 character password history there's something like 120 000 password entries that we're cracking and i've already got 20 i got 26 of them in like an hour like uh obviously going through the history the history 12 is always a easier password to crack than history six because as people create better password policies you know they always change but it's interesting because when you start analyzing the password history it gives you a chance to figure out what
their new password might be you'll see those things where people are just incrementing a number one or adding um some people realize oh password one oh i gotta make it past for two well let's make it a special character so they just go shift and the second one is the second key and the third one's the third key and yeah and that's just going crazy on that one um another interesting one is called prince so prince processor purple rain attack and basically what you do is you just feed things back in so instead of taking like a combinator where you're taking too wordless and going you're taking one word list and then it's just kind of
like chaining all of the words together and just throwing them in to find out. You can read more about the purple rain attack on that one; it's pretty effective. It's probably one of the ones that I do about like number five or number six, just because I want to have a good list on it. And one of the things I always do is do a poor person's PRINCE. I always take my pot file, spit out the password, so you know, colons in your password will screw up workflows; commas work great for data breaches. This command here will actually just, it flips the string around and then describes the first one, so you're not trying to grab the end one, which you might have, this one goes right up from the first one, so if there's no colon in it then it grabs the whole file, and then I just keep running it again with all the rules and everything else.

Yeah, I've got a really good link that SANS actually had put out on setting up an AWS cracking instance. I'll try and find it; actually I'll put it in the chat here as well. We actually followed that one pretty closely; there was a few things that it didn't have, but for the most part that was pretty informative as well.

And then, so yeah, with the poor person's PRINCE, like I'll pull up my password file and I will just keep using it again and again and again and again, and you'll find as I go through different rules, so I'll use one rule and then I'll use like d3ad0ne, best64, and then I'll go use like generated2 or whatever, I'll just keep going back and forth, and you'll find, as you get more passwords exposed, you get more success and more success, and you start pulling up some
really weird ones that way.

I wanted to give a couple neat little tricks and tips and stuff near the end of this one. I do a lot of CTFs, just because why not, it's a lot of fun. If you're cracking a password with a dictionary, you need to create a rule, because when you try and crack the password it's always not just like the word rock, or, you know, like rockyou, Summer2020; it's always wrapped in the flag. So, you know, flag, curly bracket, password, so you have to create a rule to actually wrap anything in it. So the problem is, when you create a rule, it actually applies it in reverse order, so you would think, you know, I need to write flag; well, you actually have to go the opposite way, so semicolon g-a-l kind of thing. So your rule looks like that, you know, flag, that rule looks like this, boom, and then you can run it against it. So if you're doing a CTF and you need to crack a password, 90, make sure your flag values are set to what they're looking for and you'll have a lot more efficiency on the password cracking on that one, because typically on CTFs they do two things: they always wrap in a flag and they're always using rockyou. So little things.

People, for things like passwords for files, you can, I mentioned Microsoft Office files, because you can actually pull out the encrypted file and brute force it that way. I get asked to do that all the time. Some people are losing things like Bitcoin wallets and passwords and stuff like that. How you get the hash is up to the mind of the reader. But basically, create a file with what you think your password is going to be, or what you think it might have been, or what you might have typed, or if you know it, caps lock accidentally on, kind of thing, and then start creating a whole bunch of permutations of it. So basically read in the rules, put it out, and then it creates another file with, here's all the permutations of it based on the rule, and then just start banging on it. Eventually you'll get it. This works more often than I'd really care to expect. If you have no idea what the password is, then yeah, just kind of throw everything at it. In this case it was a 7-Zip file; you might get lucky. I mean, it doesn't work too well against things that, you know, you only have five chances before it deletes itself or something. So obviously this is mostly taken off, like, for an Office file, you can run a command in John, actually there's, was it office2john,
and it'll just pull out the encrypted hash and then you just run it.

I wanted to, obviously I've had to go through this a little fast, but practice; it's the best way. I mean, I can't always predict that I'm going to actually, you know, get domain admin on a customer and stuff, and we have limited engagements, so when you're cracking those you only have so much time. You know, we've got a week to do the pen test and stuff, so there's a, you know, you want, what can you get in an hour? Go.

KoreLogic runs a Crack Me If You Can contest every year at DEF CON. The nice thing is all of the previous contest files are always available, so everything going back to 2010 is there. So if you go and download the contest files, it's got, you know, whether it's a list of different hash types that they want you to crack or anything else. Last year they threw everybody for a loop and actually just provided an OVA file of a Windows domain controller and said, here, have fun. And then you have to go find everything, right? And so that's, you know, like grepping through NTDS for, you know, clear text passwords in descriptions and stuff like that. It was insane, but it was a lot of fun. And so you can go and, you know, download the contest files, go take a look at them, try cracking them yourself and see how good you do, and then go look at the explanations and all the write-ups and stuff and see how close you got, and then try it again, and then, you know, practice, practice, practice. Try and do it.

AgileBits, the company that makes 1Password, actually puts out some password cracking challenges once in a while on their GitHub page. They're kind of fun, but if you're looking for ways of, of things to crack that are beyond like the rockyou file that pvat put out, was fantastic, great for demos and stuff like that, but when you get into some of the KoreLogic ones, they start throwing weird loops at you where they're, you know, inserting two characters into a word and you have to kind of like write a tool or something to figure out how to crack that. So it lets you play around with a lot of different kind of hash types and rules and processing. So going over some of the, like, the combinator attacks and the hybrid attacks in six and seven, those are ways of cracking a lot of those passwords, and that's why they're doing them: they're taking passphrases, they're mangling them, they're throwing leetspeak at things and things like that. So a lot of fun to do and a lot of really interesting ways to practice. So, and with that, that was it.

Perfect, we got time for Q&A.
Do you have any Q&A? That's awesome, Chris. Yeah, anyone who's got any questions, now's the time to ask. You can put it in the chat window or in the Q&A poll. I actually do see something that just went into the Q&A poll: how secure is bcrypt considered as a hashing mechanism?

It's actually pretty good. bcrypt is really nice, because it's very fast to encrypt and very hard to decrypt. AWS put out a, or Amazon put out a fantastic write-up on how they implemented bcrypt for AWS, and they did not pull any punches; they went through all the deep technical specs on it. And it is hard to brute force it, and that's where things like the association attack are so powerful, because it lets you get a potential up on that one, because it's such a slow decryption.

I saw another question up here too as well, it was, here's one here: can you send the passwords to an encrypted file, or do you perform them in a VeraCrypt container? Actually, usually just directly in the file. So if I'm brute forcing like a 7-Zip file or anything like that, like I'm extracting the password hash from the file, brute forcing it is just a text file or something on my rig, and then I'm going back to the 7-Zip and typing it in manually.

There's another question here, it was: when creating these setups, what prevention methods do you take to ensure that these passwords are not exposed? So there's a lot. So for example the AWS setup: absolutely firewalled, completely off the internet. To do this I created a nok and I threw in a storage array on it and put all my files on it, and there's a Kali VM on it. So all my dictionaries and, you know, public stuff is on there, and then I have to VPN in, using MFA and everything, to a jump host, connect to that Kali box, which is firewalled off and on a special management network, then I have access; they put a firewall rule in for me to get up to the AWS instance, again with MFA and everything else, and I had to run everything through that. The passwords never left the box, and like when we moved them off the domain controller, it was a coordinated effort. You know, we encrypted the and the zip file and the registry hives and everything right on the server, threw it over, and then no password hashes or anything were decrypted until everything was firewalled off and ready to go. So, excellent question.

Someone was asking, can we get a link to the slides afterwards? Yeah, and we will be taking this presentation and be putting it up on our YouTube channel, so I'll just
add that right now in the chat window. Feel free to subscribe to that so you'll see it when it goes live, and then I've got a PDF of this one. So, excellent, so there'll be a PDF as well; blast it out on the Twitters and everything, and, you know, we'll get it to you if you need it. Any last minute questions? We still got some time. Yeah, we can go back over anything, or anything anybody wants.

Here's another question from Alan: would a mining rig work well for cracking also? Not sure if they're optimized for this purpose or not, or does it depend on the scenario? Ironically, my password rig, when I first was setting it up, I was gonna start, this is right before the Ethereum wall got hit, so the plan for it was I was gonna sit there and mine Ethereum all day, and then when I needed to crack passwords I would flip it over and then go back. But yeah, these rigs are exactly, that's exactly built for it. You know, if I had to do mine again I might put it in a better location, because my lab does not have quite the AC that I need. Loudness wouldn't be much better either for that. Well, it works great in the summer, not so much in the winter. But yeah, it's pretty good. But yeah, a mining rig is exactly perfect. If you're doing that, then you can easily flip back and forth between them. And you don't necessarily, I mean, I have this big rig because I need the speed. You don't need a big rig to do this. You can force CPU usage; it's obviously going to take a little bit longer. But a lot of laptops, even some of the smaller ones with like the ends and stuff, they work, they're just going to be a little slower.

And not so much, I have a Surface Book and I use VMs for everything, and I can never use hashcat; I have to use John, because in the virtualization I just don't have the right oomph for hashcat to run well. So it's all about what you have and how you use it, I guess.

Yeah, I mean, I went off and grabbed another GTX 1080 and threw it into, I have a server thing that's running a bunch of torrents and everything else, and so I threw that in there just so I could, you know, if I have a little job that I wanted to run while the big jobs are going on, I can just kind of jump over and do that.

Anything else? I'm just checking the Q&A queue. Nothing more in there; the chat looks pretty open. Wow, I guess it gives us a little time to grab a quick bite or a coffee before our next session. Let me just do a quick check here. Yeah, Manny's in our next session. Excuse to expense a gaming tower? Absolutely. Unfortunately, for some strange reason, when I started getting into passwords I don't play games as much. Well, now it should be your VR setup, right? Yes, actually. So that's the reality of it all, is you can say that you're building and you need the compute power and GPUs so you can do VR; might get that written off that way. Or I can try and, you know, because my kid's teacher uses Oculus and stuff for Acron, like this big squirrel-attack-a-tree game and stuff, so I, you know, I can say, hey look, let's, fun time for the summer.

But anyways, yeah, if anybody has any questions and stuff, like, you've got my Twitter and everything else, hit me up, send me an email, whatever the case may be, and glad to answer any other questions you have. It was awesome, thanks Chris, appreciate all of your work, that was great research.