Sanjiv Kawa & Tom Porter Crafting tailored wordlists with Wordsmith BSides LV 2016


Page 1: Crafting tailored wordlists with Wordsmith

Sanjiv Kawa & Tom Porter
BSides LV 2016

Page 2: Formalities

PSC – Proprietary and Confidential. All Rights Reserved.

Tom’s the guy with the beard
www.porterhau5.com
@porterhau5

Sanjiv’s the Canadian
www.popped.io
@skawasec

Page 3: What do you guys do?

• Penetration Testers at PSC - www.paysw.com
• PSC specializes in PCI assessments
• Our day-to-day activities consist of attacking large enterprise networks and searching for CHD (cardholder data)

Page 4: What’s Wordsmith?

• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists

Page 5: Quick primer

• Authentication process
• Dictionary attacks
• 8 slides total!

Page 6: For those who already know this

• We have something else you can do during the primer!
• First 10 people who tweet the correct answer will get some swag
• Or go and check out Wordsmith here: https://github.com/skahwah/wordsmith

Page 7: Question

• What hash format is this? (hint wpad)

Page 8: Back to the primer

Page 9: Primer (1/8): Authentication process

Page 10: Primer (2/8): Password converted to hash

• On submit, convert the password into a hashed representation

Page 11: Primer (3/8): Credentials sent to authentication server

Page 12: Primer (4/8): Credentials validated

• Backend DB holds passwords for all users in a hashed state
• Check to see if hashes match

if userSuppliedCreds == userStoredCreds
    allow logon :)
else
    deny logon :(

Page 13: Primer (5/8): password == hash, right?

• How do we “convert” a hash back to a cleartext password?
• No direct way. However, we can do a dictionary attack.

Page 14: Primer (6/8): What are dictionaries?

• Large lists containing common words
• Sometimes compiled from passwords obtained in breaches (LinkedIn, Yahoo, Adobe, AM, etc.)
• Dictionaries we use:
  – Rockyou (free)
  – Uniq (paid, but worth it)
  – top10k (free)
  – yahoo (free)
  – linkedin (free)

Page 15: Primer (7/8): Dictionary attacks

A couple of pre-requisites:

1. A solid dictionary (also known as wordlist)
2. Need to know the hash type (md5, sha1, NTLM, NetNTLMv2, etc)
3. A list of password hashes (typically exfiltrated in post-exploitation)

Page 16: Primer (8/8): Conducting a dictionary attack

1. Guess
2. Encrypt
3. Compare

Wordlist:
apple
banana
cherry
…

$hash <- encrypt(apple)
$hash : 5ebe7dfa074da8ee8aef1faa2bbde876

Search for $hash in obtained hash list:
af5432a79b941528fa7fac9e7e391651
5ebe7dfa074da8ee8aef1faa2bbde876
8846f7eaee8fb117ad06bdd830b7586c
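The guess / encrypt / compare loop above, written out as an added example (not code from the talk or from the Wordsmith project). It uses the NT hash format the later cracking slides describe, MD4 over the UTF-16LE password, and carries a small pure-Ruby MD4 so it runs without OpenSSL's legacy provider; the three target hashes are the ones listed on the slide.

```ruby
require 'set'
MASK = 0xFFFFFFFF

def lrot(x, n)
  ((x << n) | (x >> (32 - n))) & MASK
end

# Pure-Ruby MD4 (RFC 1320); returns the digest as lowercase hex.
def md4(data)
  a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
  msg = data.b + "\x80".b
  msg << ("\x00".b * ((56 - msg.bytesize % 64) % 64))
  msg << [data.bytesize * 8].pack('Q<')            # 64-bit little-endian bit length
  f = ->(x, y, z) { (x & y) | (~x & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rounds = [[f, 0,          (0..15).to_a,                                           [3, 7, 11, 19]],
            [g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
            [h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]]]
  msg.unpack('V*').each_slice(16) do |w|
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, order, shifts|
      order.each_with_index do |idx, i|
        a = lrot((a + fn.call(b, c, d) + w[idx] + k) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c                     # rotate registers for the next step
      end
    end
    a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
  end
  [a, b, c, d].pack('V4').unpack1('H*')
end

# NT hash: MD4 over the UTF-16LE encoding of the password, no salt.
def ntlm(password)
  md4(password.encode('UTF-16LE'))
end

# Guess / hash / compare: each candidate is hashed once and looked up in a set,
# so the cost per guess does not grow with the number of target hashes.
def dictionary_attack(wordlist, hash_list)
  targets = hash_list.map(&:downcase).to_set
  wordlist.each_with_object({}) do |word, found|
    digest = ntlm(word)
    found[digest] = word if targets.include?(digest)
  end
end

# The three NT hashes from the primer slide.
HASHES = %w[af5432a79b941528fa7fac9e7e391651 5ebe7dfa074da8ee8aef1faa2bbde876
            8846f7eaee8fb117ad06bdd830b7586c].freeze
```

dictionary_attack(%w[apple banana cherry password], HASHES) returns the recovered hash/word pairs; the third hash on the slide is the NT hash of "password", so that entry is always found.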

Page 17: Primers done

• Let’s move on to Wordsmith

Page 18: A quick re-cap on Wordsmith

• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement
• Uses geo-location data from U.S. States to create wordlists

Page 19: What kind of geo-location data is in a wordlist?

• Landmarks
• Sports teams
• Cities, towns, etc
• Streets/Roads
• Zip codes
• Area codes
• Common names
• Colleges

Page 20: Why geo-location data?

• Saw more geo-location related passwords during engagements
• Thought it would be a cool project
• Improve overall password cracking efficacy
• Limit guess-encrypt-compare cycles

Page 21: Where is all of this data coming from?

*Wikipedia, US Census and Open Street Map

Page 22: How Wordsmith works

Page 23: Wordsmith files

• Initial git clone (~20 MB)

Page 24: First run

• On first run, data.tar.gz is unpacked (1 second, 175 MB)

Page 25: File structure and data lookup

• ./wordsmith/data/
• All lookups are done offline (speed & efficiency).

Page 26: What does a wordlist look like?

Word is kept in its original form (special characters included):
Freemont St.

You can also use the “-m” flag for basic mangling!
Freemont St.
Freemont St
FreemontSt.
St
Freemont
St.
FreemontSt

• Sort & Uniq to remove all duplicate words
• downcase()
• Min character length
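An added example, not Wordsmith's own code: an approximation of the basic mangling the “-m” flag applies to a multi-word, punctuated entry, followed by the downcase / minimum-length / sort-and-uniq pass. The punctuation rule and the ordering (downcase before uniq, so case-only duplicates collapse) are this example's choices; the sample entries are constructed.

```ruby
# Produce the variants shown on the slide for "Freemont St.": the original
# form, punctuation stripped, spaces removed, both, and each token on its own.
def mangle(word)
  strip = ->(s) { s.gsub(/[^[:alnum:][:space:]]/, '') }   # drop punctuation, keep spaces
  tokens = word.split                                      # "Freemont", "St."
  [
    word,                             # Freemont St.   (original form kept)
    strip.call(word),                 # Freemont St
    word.delete(' '),                 # FreemontSt.
    strip.call(word).delete(' '),     # FreemontSt
    *tokens,                          # Freemont, St.
    *tokens.map(&strip),              # Freemont, St
  ]
end

# Mangle every entry, then normalise: downcase, enforce the minimum length,
# and sort & uniq so the wordlist holds each candidate exactly once.
def build_wordlist(words, min_length: 4)
  words.flat_map { |w| mangle(w) }
       .map(&:downcase)
       .select { |w| w.length >= min_length }
       .sort.uniq
end

# Constructed sample of two street-style entries.
SAMPLE = ['Freemont St.', 'Fremont Street'].freeze
```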

Page 27: Demo time

Page 28: Statistics and results

Page 29: Pre-requisites

• Hash cracking rig
• Get our hands on REAL NTLM hashes
  – Massachusetts 404 hashes
  – Wisconsin 2011 hashes
  – New York 542 hashes

Page 30: Hash cracking rig

• Software
  – hashcat.net
• Hardware
  – NVidia GRID K520
• 3617 MH/s – nothing too crazy, but it does the trick
  – 1 MH/s is 1,000,000 hashes per second
• Build your own cracking rig: https://www.popped.io/2016/07/steps-to-create-aws-hash-cracking-rig.html

Page 31: Test Cases

• Crack hashes for each U.S. State using common wordlists and rules
• Crack hashes for each U.S. State using a Wordsmith wordlist for the particular State
• ruby wordsmith.rb -s WI -a -m -o wi.txt

State          NTLM Hashes   Wordsmith Wordlist
Wisconsin      2011          112k
Massachusetts  404           82k
New York       542           158k

Page 32: Input Parameters for Cracking Session

1. Guess
2. Encrypt
3. Compare

Wordlists:
• Top10k (10k)
• Rockyou (14.4m)
• Wordsmith
  – WI, MA, NY

NTLM Hash (NT)
• Based on MD4
• Common on Active Directory domains

Hashes obtained from various clients:
• Wisconsin-hashes.txt (2011 hashes)
• Massachusetts-hashes.txt (404 hashes)
• Newyork-hashes.txt (542 hashes)

Rule set:
• D3adhob0 (57.5k rules)

Page 33: Results!

Page 34: Wisconsin results

• 2011 NTLM Hashes

Wordlist                     Hashcat run time   Number of passwords recovered
Top10k (10k words)           2 secs             237   (12%)
Rockyou (14.4m words)        27 mins            1094  (54%)
Wisconsin.txt (112k words)   12 secs            229   (11%)
All three combined                              77%

Page 35: Massachusetts results

• 404 NTLM Hashes

Wordlist                        Hashcat run time   Number of passwords recovered
Top10k (10k words)              1 sec              52   (13%)
Rockyou (14.4m words)           24 mins            262  (65%)
Massachusetts.txt (82k words)   12 secs            56   (14%)
All three combined                                 92%

Page 36: New York results

• 542 NTLM Hashes

Wordlist                     Hashcat run time   Number of passwords recovered
Top10k (10k words)           1 sec              0
Rockyou (14.4m words)        26 mins            220  (41%)
Newyork.txt (158k words)     22 secs            59   (11%)
All three combined                              52%

Page 37: Conclusions

• Identifying proper nouns unique to location
• Time-CPU cycle tradeoff
• At least 11% of passwords recovered in < 20 seconds

Page 38: Next Steps for Wordsmith

• Data!
  – Team rosters, mascots, stadiums
  – Famous people
  – State symbols
    – Motto, song, bird, flower, etc.
  – Regional food, cuisine, agriculture
  – (h/t Larry Pesce - @haxorthematrix)
• Design
  – Modular
  – Extend to provinces, territories, countries
  – Integrate data look up by coordinates

Page 39: Suggestions?

• Important to maintain, expand, and improve
• Got any additional data sources or features?
• Pull requests, submit issues, comment, share:
  https://github.com/skahwah/wordsmith

Page 40: Questions?

Tom’s the guy with the beard
www.porterhau5.com
@porterhau5

Sanjiv’s the Canadian
www.popped.io
@skawasec

https://github.com/skahwah/wordsmith