Profiling your hashlist and targeting it with a mask attack.

Introduction:

As GPU horsepower continues to increase, the time it takes to bruteforce a given keyspace continues to shrink. Cracking a seven-character upper, lower, digit and special (full printable ASCII) hash in bruteforce mode used to take as long as six months using JTR on a single-core CPU. Times have changed: a sufficiently fast system with several GPUs can bruteforce that same keyspace in two hours or less today. Even with a fast system, attacking passwords of length 9 and up can still be a challenge and can take longer than a security audit allows for. This is where profiling your hashlist helps: it lets you target the large majority of hashes with a fraction of the keyspace, and it can also reveal a password policy trend. For example, some password policies state that the password must be at least 8 characters and contain at least one uppercase letter, one special character and one digit. Faced with that, users typically capitalize the first letter and add a special character and a number to the end. So today I'll cover a simple utility that can help you target a smaller keyspace and thereby increase the likelihood of finding the most passwords.

Method:

The method I'll be covering uses a Linux environment, but most of it can be adapted to Windows. The first step is to download PACK (Password Analysis and Cracking Kit), a set of Python scripts developed by iphelix. The next step is to download the latest version of oclHashcat from hashcat.net. A supported ATI or Nvidia card is required in order to use oclHashcat/cudaHashcat. If you don't have a supported GPU, this can also be adapted to PasswordsPro for the CPU, but I won't be covering that here.

In order to use PACK you will of course need a system with Python; dictstat.py also imports a Python extension called psyco. Psyco isn't required, and lines 8 and 9 in dictstat.py can be commented out or deleted if you don't have it.

To get an idea of how it works, here is the output after running dictstat.py on the 'rockyou' dictionary:

# python dictstat.py -f rockyou.txt


[*] Analyzing dictionary: rockyou.txt
[+] Analyzing 100% (14344391/14344391) passwords
NOTE: Statistics below is relative to the number of analyzed passwords, not total number of passwords


[*] Line Count Statistics...
[+] 8: 20% (2966004)
[+] 7: 17% (2506264)
[+] 9: 15% (2191000)
[+] 10: 14% (2013690)
[+] 6: 13% (1947858)

[*] Mask statistics...
[+] stringdigit: 37% (5339715)
[+] allstring: 28% (4115881)
[+] alldigit: 16% (2346842)
[+] othermask: 05% (731240)
[+] digitstring: 04% (663975)

[*] Charset statistics...
[+] loweralphanum: 42% (6075055)
[+] loweralpha: 25% (3726656)
[+] numeric: 16% (2346842)
[+] loweralphaspecialnum: 03% (472673)


[*] Advanced Mask statistics...
[+] ?l?l?l?l?l?l?l?l: 04% (688053)
[+] ?l?l?l?l?l?l: 04% (601257)
[+] ?l?l?l?l?l?l?l: 04% (585093)
[+] ?l?l?l?l?l?l?l?l?l: 03% (516862)
[+] ?d?d?d?d?d?d?d: 03% (487437)

The output has been trimmed a bit, as the full output can be rather long. Each [*] section shows the analyzed dictionary from a different aspect. The "Line Count Statistics" show that 20% of the words are 8 characters long, and the "Charset statistics" show that 42% of all words are lowercase alphanumeric. Keep in mind that each section is computed independently over the whole list, so the length and charset percentages cannot simply be multiplied or added together; only the "Advanced Mask statistics" tie length and character class together position by position. From this information it is reasonable to expect that bruteforcing lowercase letters and digits up to length 8 would find the majority of these passwords. The nice thing is that the "Advanced Mask statistics" use exactly the ?l, ?u, ?d and ?s built-in charset notation that oclHashcat's masks use, so an entry can be pasted straight into a mask attack.

Of course, it's easy to analyze a dictionary of already-cracked passwords. The hard part is starting with an uncracked hashlist. So the first step is to do an initial run on your hashlist using a standard dictionary. Using oclHashcat+ with a dictionary and a good rule list will likely get you to a good starting point. Whether you have an ATI or an Nvidia card determines whether you use oclHashcat+ or cudaHashcat+ respectively. If you haven't yet used ocl/cudaHashcat+ you may want to read over its documentation first. For example, my command was (-m 1000 selects NTLM, -r applies the rule file to every dictionary word, -n sets the GPU workload tuning, and -o writes the cracked hash:plaintext pairs to found.out):

./cudaHashcat+64.bin -r ocl+rules.rule -m1000 -n160 -o found.out hashlist.hash /dict/rockyou.txt


In a recent pentest this attack alone netted 26,336 out of 222,271 NTLM hashes, or just under 12%. The cracked passwords indicated that the company's password policy required at least 8 characters and a mix of character classes (note in the charset statistics below that more than half of the cracked passwords contain no uppercase letter, so the policy evidently did not demand all four classes in every password). From there the passwords were moved into a dictionary like so. An NTLM hash is 32 hex characters followed by the ':' separator, so the plaintext starts at byte 34; adjust the offset for other hash types or if the outfile carries usernames. Using cut -d: -f2- instead looks simpler but truncates any password that itself contains a colon.

# cut -b 34- found.out | sort -u > found.dic

From there we can run dictstat on the result:

# python dictstat.py -f found.dic


[*] Analyzing dictionary: found.dic
[+] Analyzing 100% (26336/26336) passwords
NOTE: Statistics below is relative to the number of analyzed passwords, not total number of passwords


[*] Line Count Statistics...
[+] 8: 78% (20683)
[+] 9: 15% (4150)
[+] 10: 03% (1048)
[+] 11: 01% (355)


[*] Mask statistics...
[+] stringspecialdigit: 74% (19652)
[+] othermask: 23% (6287)
[+] stringdigit: 01% (353)
[+] stringdigitstring: 00% (22)


[*] Charset statistics...
[+] loweralphaspecialnum: 53% (14133)
[+] mixedalphaspecialnum: 44% (11708)
[+] mixedalphanum: 01% (377)
[+] upperalphaspecialnum: 00% (91)


[*] Advanced Mask statistics...
[+] ?l?l?l?l?l?l?s?d: 17% (4616)
[+] ?l?l?l?l?l?s?d?d: 13% (3622)
[+] ?u?l?l?l?l?l?s?d: 12% (3300)
[+] ?u?l?l?l?l?s?d?d: 08% (2247)

Using the (truncated) output from dictstat like before, we can target the masks that give us the most return, keeping in mind that custom charsets (-1 through -4) let us cover more than one of the preset masks in a single run. Regular oclHashcat takes a left mask and a right mask and concatenates them, so the command below generates 8-character candidates: position 1 from ?1 (?l?u), positions 2 through 5 from ?2 (?s?d), position 6 from ?3 (?l?s), and positions 7 and 8 from ?4 (?d?s).

# ./cudaHashcat64.bin --remove -o found.out -n160 -m 1000 hashlist.hash -1 ?l?u -2 ?s?d -3 ?l?s -4 ?d?s ?1?2?2?2 ?2?3?4?4

Check the custom charsets against the advanced mask statistics before you start the run: as defined above, ?2 allows only specials and digits in positions 2 through 5, while all four of the top masks have lowercase letters there. A left mask of ?1?l?l?l with a right mask of ?l?3?4?4 covers every one of those four masks (?1 for the optional leading capital, ?3 for the letter or special in position 6, ?4 for the digit or special in the last two positions) with a keyspace of 52 * 26^4 * 59 * 43^2, about 2.6 trillion candidates.

Conclusion:

This is just an easy way to reduce the time taken to bruteforce a given keyspace. In the above example there are 19,393,941,834,332 combinations (52 * 43^6 * 59 for the custom charsets used) instead of 6,634,204,312,890,625 (95^8, all printable ASCII at length 8). That drastically reduces the time the attack takes. Of course it's not likely to find all the hashes; it is, however, another technique that can be kept in the arsenal. The scripts in PACK can of course be used for several other things, such as reports for management. The README is helpful for the various other switches and options.
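As an added example (my own Python, not hashcat or PACK code, and not part of the original post), the script below computes the keyspace of a hashcat mask given the -1 through -4 custom charsets, which is how the two numbers above are obtained, and checks position by position which of the advanced masks from the dictstat run a candidate mask actually generates. Charset sizes are hashcat's built-ins (?l=26, ?u=26, ?d=10, ?s=33, ?a=95); CUSTOM and TOP_MASKS are copied from the command and the dictstat output in the Method section, and everything else is assumed for the demonstration.

```python
# Added example, not hashcat or PACK code: keyspace and coverage of a hashcat
# mask with custom charsets.  Sizes follow hashcat's built-in charsets.
import string

BUILTIN = {
    'l': set(string.ascii_lowercase),        # 26
    'u': set(string.ascii_uppercase),        # 26
    'd': set(string.digits),                 # 10
    's': set(' ' + string.punctuation),      # 33
}
BUILTIN['a'] = BUILTIN['l'] | BUILTIN['u'] | BUILTIN['d'] | BUILTIN['s']   # 95


def parse_charset(spec, custom):
    """Expand a charset spec such as '?l?u' or '?d!@#' into a set of characters.
    '??' is a literal question mark; ?1..?4 may refer to custom sets defined earlier."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] != '?':
            chars.add(spec[i])
            i += 1
            continue
        key = spec[i + 1]
        i += 2
        if key == '?':
            chars.add('?')
        elif key in BUILTIN:
            chars |= BUILTIN[key]
        elif key in custom:
            chars |= custom[key]
        else:
            raise ValueError('unknown charset ?%s' % key)
    return chars


def expand_custom(specs):
    """specs maps '1'..'4' to the string given after -1..-4 on the command line."""
    custom = {}
    for key in sorted(specs):                # -1 first, so later sets may reuse it
        custom[key] = parse_charset(specs[key], custom)
    return custom


def mask_positions(mask, custom):
    """Per-position character sets for a mask like '?1?l?l?l'."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == '?':
            positions.append(parse_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append({mask[i]})      # literal character, one candidate
            i += 1
    return positions


def keyspace(mask, specs=None):
    """Number of candidates the mask generates (product of per-position sizes)."""
    size = 1
    for pos in mask_positions(mask, expand_custom(specs or {})):
        size *= len(pos)
    return size


def covers(mask, target, specs=None):
    """True if every candidate described by the PACK advanced mask `target`
    (built-in classes only) is generated by `mask`."""
    custom = expand_custom(specs or {})
    have = mask_positions(mask, custom)
    want = mask_positions(target, {})
    return len(have) == len(want) and all(w <= h for h, w in zip(have, want))


def coverage(mask, targets, specs=None):
    """Subset of `targets` fully covered by `mask`."""
    return [t for t in targets if covers(mask, t, specs)]


# Custom charsets from the command in the post
CUSTOM = {'1': '?l?u', '2': '?s?d', '3': '?l?s', '4': '?d?s'}
# The four most common advanced masks from the dictstat run in the post
TOP_MASKS = ['?l?l?l?l?l?l?s?d', '?l?l?l?l?l?s?d?d',
             '?u?l?l?l?l?l?s?d', '?u?l?l?l?l?s?d?d']

if __name__ == '__main__':
    # regular oclHashcat concatenates the left and right masks, so join them
    for left, right in (('?1?2?2?2', '?2?3?4?4'), ('?1?l?l?l', '?l?3?4?4')):
        m = left + right
        print(m, keyspace(m, CUSTOM), 'covers', coverage(m, TOP_MASKS, CUSTOM))
    print('?a x 8:', keyspace('?a' * 8))
```

The second candidate mask in the usage block is the one that covers all four top masks; dividing a keyspace by your measured hash rate for -m 1000 gives the run time to expect before committing GPU hours to it.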

Links:

PACK – Password Analysis and Cracking Kit
oclHashcat+/cudaHashcat+
Regular oclHashcat/cudaHashcat
PasswordsPro

Comments (5)

  1. vijay, 4:56 am, April 4, 2011

    While OCLHashCat is faster than ighashGPU, I find it easier to use for GPU password cracking.

    • d3ad0ne, 6:02 pm, April 4, 2011

      vijay, I agree with your assessment, however I feel with simplicity comes a lack of features and options. If ighashGPU allows you to do what you need then by all means use it.

  2. Paul McMillan, 7:45 am, August 27, 2011

    oclHashCat doesn’t support rulesets specified using -r. You probably set your rules in some other fashion, but it wasn’t that way.

  3. Byte/\Puker, 4:02 pm, September 9, 2011

    Hi d3ad0ne, I’m very interested in building high efficient rule-sets. Can you explain how you build your 30K rule pack?

  4. ntk, 3:53 am, December 10, 2011

    Could you explain what the maskgen.py script in the PACK tool is for and how you use it?

    I understand PACK in general is for analyzing and profiling a password file, but there are 3 parts related to masks I could not understand: where the hashcat rule is related to the 2 Advanced Mask statistics results of PACK. Can anybody else see them?

    [*] Advanced Mask statistics...
    [+] ?l?l?l?l?l?l?l?l: 04% (688053)
    [+] ?l?l?l?l?l?l: 04% (601257)
    [+] ?l?l?l?l?l?l?l: 04% (585093)
    [+] ?l?l?l?l?l?l?l?l?l: 03% (516862)
    [+] ?d?d?d?d?d?d?d: 03% (487437)

    [*] Advanced Mask statistics...
    [+] ?l?l?l?l?l?l?s?d: 17% (4616)
    [+] ?l?l?l?l?l?s?d?d: 13% (3622)
    [+] ?u?l?l?l?l?l?s?d: 12% (3300)
    [+] ?u?l?l?l?l?s?d?d: 08% (2247)
