Sanjiv Kawa & Tom Porter
Crafting tailored wordlists with Wordsmith
BSides LV 2016
2PSC – Proprietary and Confidential. All Rights Reserved.
Formalities
• Tom’s the guy with the beard: www.porterhau5.com, @porterhau5
• Sanjiv’s the Canadian: www.popped.io, @skawasec
What do you guys do?
• Penetration Testers at PSC - www.paysw.com
• PSC specializes in PCI assessments
• Our day-to-day activities consist of attacking large enterprise networks and searching for CHD (cardholder data)
What’s Wordsmith?
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists
Quick primer
• Authentication process
• Dictionary attacks
• 8 slides total!
For those who already know this
• We have something else you can do during the primer!
• First 10 people who tweet the correct answer will get some swag
• Or go and check out Wordsmith here: https://github.com/skahwah/wordsmith
Question
• What hash format is this? (hint: wpad)
Back to the primer
Primer (1/8): Authentication process
Primer (2/8): Password converted to hash
• On submit, the password is converted into its hashed representation
Primer (3/8): Credentials sent to authentication server
Primer (4/8): Credentials validated
• Backend DB holds passwords for all users in a hashed state
• Check to see if hashes match

    if userSuppliedCreds == userStoredCreds
        allow logon :)
    else
        deny logon :(
Primer (5/8): password == hash, right?
• How do we “convert” a hash back to a cleartext password?
• No direct way. However, we can do a dictionary attack.
Primer (6/8): What are dictionaries?
• Large lists containing common words
• Sometimes compiled from passwords obtained in breaches (LinkedIn, Yahoo, Adobe, AM, etc.)
• Dictionaries we use:
  – Rockyou (free)
  – Uniq (paid, but worth it)
  – top10k (free)
  – yahoo (free)
  – linkedin (free)
Primer (7/8): Dictionary attacks
A couple of pre-requisites:
1. A solid dictionary (also known as a wordlist)
2. Need to know the hash type (md5, sha1, NTLM, NetNTLMv2, etc.)
3. A list of password hashes (typically exfiltrated in post-exploitation)
Primer (8/8): Conducting a dictionary attack
1. Guess
2. Encrypt (hash the guess with the same algorithm the target uses)
3. Compare

Wordlist:
apple
banana
cherry
…

$hash <- encrypt(apple)
$hash : 5ebe7dfa074da8ee8aef1faa2bbde876

Search for $hash in obtained hash list:
af5432a79b941528fa7fac9e7e391651
5ebe7dfa074da8ee8aef1faa2bbde876
8846f7eaee8fb117ad06bdd830b7586c
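The guess-encrypt-compare loop from Primer (4/8) and (8/8), as an added example that is not part of the original deck and is neither Wordsmith nor hashcat code. It targets NT hashes (MD4 over the UTF-16LE password, the format the results section uses) with a pure-Python MD4 written here so the example runs even where OpenSSL has disabled the legacy md4 digest in hashlib. The hash list and wordlist are constructed: the first hash is the well-known NT hash of "password", the other two are computed from made-up cleartexts; the remaining names and the Wisconsin-flavoured words are illustrative.

```python
import struct

# --- Pure-Python MD4 (RFC 1320) -------------------------------------------
# Written for this example; not Wordsmith or hashcat code.
_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_compress(state, block):
    X = struct.unpack("<16I", block)
    r = list(state)
    rounds = (
        # (boolean function, additive constant, order of X[k], per-step shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for f, const, order, shifts in rounds:
        for i, k in enumerate(order):
            a = (-i) % 4  # register updated this step cycles a, d, c, b
            b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
            v = (r[a] + f(r[b], r[c], r[d]) + X[k] + const) & _MASK
            r[a] = _rotl(v, shifts[i % 4])
    return [(s + t) & _MASK for s, t in zip(state, r)]


def md4(data):
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def ntlm(password):
    """NT hash as stored in AD / the SAM: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


# --- Guess -> encrypt -> compare ------------------------------------------
def dictionary_attack(target_hashes, wordlist):
    """Run the primer's three-step loop over an NT hash list.

    NT hashes are unsalted, so each guess is hashed once and looked up in a
    set of every target hash: the cost is the number of guesses, not
    guesses x hashes. Returns ({hash: cleartext}, guesses_spent).
    """
    remaining = {h.lower() for h in target_hashes}
    recovered = {}
    guesses = 0
    for word in wordlist:
        if not remaining:          # everything cracked; stop spending cycles
            break
        guesses += 1
        h = ntlm(word)             # "encrypt" (hash) the guess
        if h in remaining:         # compare against the whole dump at once
            recovered[h] = word
            remaining.discard(h)
    return recovered, guesses


# Constructed sample hash list standing in for a post-exploitation dump. The
# first value is the well-known NT hash of "password"; the other two are
# computed here from made-up cleartexts so the example is self-checking.
SAMPLE_HASHES = {
    "8846f7eaee8fb117ad06bdd830b7586c",
    ntlm("Madison"),
    ntlm("Packers1"),
}
# Constructed wordlist: a few generic words plus Wisconsin-flavoured terms.
SAMPLE_WORDLIST = ["apple", "banana", "cherry", "password",
                   "Milwaukee", "Packers1", "Madison", "Badgers"]

if __name__ == "__main__":
    hits, spent = dictionary_attack(SAMPLE_HASHES, SAMPLE_WORDLIST)
    for h, clear in hits.items():
        print(f"{h}:{clear}")
    print(f"{len(hits)}/{len(SAMPLE_HASHES)} recovered in {spent} guesses")
```

The guess counter is the quantity a tailored wordlist is meant to keep small: every entry that cannot be a password in the target environment is a wasted hash computation, which is the "limit guess-encrypt-compare cycles" argument made later in the deck.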
Primers done
• Let’s move on to Wordsmith
A quick re-cap on Wordsmith
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists
What kind of geo-location data is in a wordlist?
• Landmarks
• Sports teams
• Cities, towns, etc.
• Streets/Roads
• Zip codes
• Area codes
• Common names
• Colleges
Why geo-location data?
• Saw more geo-location related passwords during engagements
• Thought it would be a cool project
• Improve overall password cracking efficacy
• Limit guess-encrypt-compare cycles
Where is all of this data coming from?
• Wikipedia, US Census and OpenStreetMap
How Wordsmith works
Wordsmith files
• Initial git clone (~20 MB)
First run
• On first run, data.tar.gz is unpacked (1 second, 175 MB)
File structure and data lookup
• ./wordsmith/data/
• All lookups are done offline (speed & efficiency).
What does a wordlist look like?
• Word is kept in its original form (special characters included): Freemont St.
• You can also use the “-m” flag for basic mangling! Freemont St. becomes:
  Freemont St.
  Freemont St
  FreemontSt.
  St
  Freemont
  St.
  FreemontSt
• Post-processing: downcase(), minimum character length, then sort & uniq to remove all duplicate words
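The wordlist shaping described on this slide (basic mangling, downcase, minimum length, sort & uniq), as an added example that is not part of the deck and not Wordsmith’s own Ruby code. The mangling rule set is an assumption chosen to reproduce the slide’s “Freemont St.” expansion, the default minimum length of 4 is assumed, and the sample terms are constructed stand-ins for what Wordsmith reads from its offline data files.

```python
import string

# Constructed sample of raw geo-location terms, standing in for the
# street/city/team strings Wordsmith reads from ./wordsmith/data/.
SAMPLE_TERMS = ["Freemont St.", "Las Vegas", "Las Vegas", "Nevada Wolf Pack", "702"]

_STRIP_PUNCT = str.maketrans("", "", string.punctuation)


def mangle(term):
    """Basic mangling in the spirit of the -m flag (assumed rule set that
    reproduces the slide's 'Freemont St.' expansion): the original, the
    original without punctuation, without spaces, without either, and each
    space-separated token with and without punctuation. Order is preserved
    and exact duplicates are dropped."""
    no_punct = term.translate(_STRIP_PUNCT)
    no_space = term.replace(" ", "")
    variants = [term, no_punct, no_space, no_space.translate(_STRIP_PUNCT)]
    for token in term.split():
        variants.extend([token, token.translate(_STRIP_PUNCT)])
    seen, out = set(), []
    for v in variants:
        if v and v not in seen:
            seen.add(v)
            out.append(v)
    return out


def build_wordlist(terms, do_mangle=True, min_len=4):
    """The post-processing on the slide: downcase(), drop anything shorter
    than the minimum length (4 is an assumed default), then sort and uniq so
    each candidate costs exactly one hash computation in the cracking run."""
    words = set()
    for term in terms:
        for w in (mangle(term) if do_mangle else [term]):
            w = w.lower()
            if len(w) >= min_len:
                words.add(w)
    return sorted(words)


def write_wordlist(path, words):
    """One candidate per line, the layout hashcat's straight (-a 0) mode reads."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    for w in build_wordlist(SAMPLE_TERMS, min_len=3):
        print(w)
```

Because the output is lower-cased, capitalisation and digit suffixes are left to the cracker’s rule set (the deck pairs its lists with a hashcat rule file), which keeps the wordlist itself small.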
Demo time
Statistics and results
Pre-requisites
• Hash cracking rig
• Get our hands on REAL NTLM hashes
  – Massachusetts 404 hashes
  – Wisconsin 2011 hashes
  – New York 542 hashes
Hash cracking rig
• Software: hashcat.net
• Hardware: NVIDIA GRID K520
• 3617 MH/s – nothing too crazy, but it does the trick
  – 1 MH/s is 1,000,000 hashes per second
• Build your own cracking rig: https://www.popped.io/2016/07/steps-to-create-aws-hash-cracking-rig.html
Test Cases
• Crack hashes for each U.S. State using common wordlists and rules
• Crack hashes for each U.S. State using a Wordsmith wordlist for the particular State
• ruby wordsmith.rb -s WI -a -m -o wi.txt

State          NTLM Hashes   Wordsmith Wordlist
Wisconsin      2011          112k words
Massachusetts  404           82k words
New York       542           158k words
Input Parameters for Cracking Session
1. Guess
   • Wordlists: Top10k (10k), Rockyou (14.4m), Wordsmith (WI, MA, NY)
   • Rule set: D3adhob0 (57.5k rules)
2. Encrypt
   • NTLM hash (NT): based on MD4 (MD4 over the UTF-16LE password, unsalted); common on Active Directory domains
3. Compare
   • Hashes obtained from various clients:
     Wisconsin-hashes.txt (2011 hashes)
     Massachusetts-hashes.txt (404 hashes)
     Newyork-hashes.txt (542 hashes)
Results!
Wisconsin results
• 2011 NTLM Hashes

Wordlist                     Hashcat run time   Passwords recovered
Top10k (10k words)           2 secs             237 (12%)
Rockyou (14.4m words)        27 mins            1094 (54%)
Wisconsin.txt (112k words)   12 secs            229 (11%)
Total                                           77%
Massachusetts results
• 404 NTLM Hashes

Wordlist                        Hashcat run time   Passwords recovered
Top10k (10k words)              1 sec              52 (13%)
Rockyou (14.4m words)           24 mins            262 (65%)
Massachusetts.txt (82k words)   12 secs            56 (14%)
Total                                              92%
New York results
• 542 NTLM Hashes

Wordlist                   Hashcat run time   Passwords recovered
Top10k (10k words)         1 sec              0 (0%)
Rockyou (14.4m words)      26 mins            220 (41%)
Newyork.txt (158k words)   22 secs            59 (11%)
Total                                         52%
Conclusions
• Identifying proper nouns unique to a location
• Time-CPU cycle tradeoff
• At least 11% of passwords recovered in roughly 20 seconds or less of hashcat run time (12 s for WI and MA, 22 s for NY)
Next Steps for Wordsmith
• Data!
  – Team rosters, mascots, stadiums
  – Famous people
  – State symbols
  – Motto, song, bird, flower, etc.
  – Regional food, cuisine, agriculture
  – (h/t Larry Pesce - @haxorthematrix)
• Design
  – Modular
  – Extend to provinces, territories, countries
  – Integrate data look up by coordinates
Suggestions?
• Important to maintain, expand, and improve
• Got any additional data sources or features?
• Pull requests, submit issues, comment, share: https://github.com/skahwah/wordsmith
Questions?
• Tom’s the guy with the beard: www.porterhau5.com, @porterhau5
• Sanjiv’s the Canadian: www.popped.io, @skawasec
• https://github.com/skahwah/wordsmith