Sanjiv Kawa & Tom Porter
Crafting tailored wordlists with Wordsmith
BSides LV 2016
Formalities
Tom’s the guy with the beard
www.porterhau5.com
@porterhau5
Sanjiv’s the Canadian
www.popped.io
@skawasec
PSC – Proprietary and Confidential. All Rights Reserved. 2
What do you guys do?
• Penetration Testers at PSC - www.paysw.com
• PSC specializes in PCI assessments
• Our day-to-day activities consist of attacking large enterprise networks and searching for CHD (cardholder data)
What’s Wordsmith?
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement to other dictionaries
• Uses geo-location data from U.S. States to create wordlists
Quick primer
• Authentication process
• Dictionary attacks
• 8 slides total!
For those who already know this
• We have something else you can do during the primer!
• First 10 people who tweet the correct answer will get some swag
• Or go and check out Wordsmith here: https://github.com/skahwah/wordsmith
Question
• What hash format is this? (hint: wpad)
Back to the primer
Primer (1/8): Authentication process
Primer (2/8): Password converted to hash
• On submit, the password is converted into its hashed representation
Primer (3/8): Credentials sent to authentication server
Primer (4/8): Credentials validated
• Backend DB holds passwords for all users in a hashed state
• Check to see if the hashes match:
    if userSuppliedCreds == userStoredCreds
        allow logon :)
    else
        deny logon :(
Primer (5/8): password == hash, right?
• How do we “convert” a hash back to a cleartext password?
• There is no direct way. However, we can do a dictionary attack.
Primer (6/8): What are dictionaries?
• Large lists containing common words
• Sometimes compiled from passwords obtained in breaches (LinkedIn, Yahoo, Adobe, AM, etc.)
• Dictionaries we use:
  – Rockyou (free)
  – Uniq (paid, but worth it)
  – top10k (free)
  – yahoo (free)
  – linkedin (free)
Primer (7/8): Dictionary attacks
A couple of pre-requisites:
1. A solid dictionary (also known as a wordlist)
2. Need to know the hash type (md5, sha1, NTLM, NetNTLMv2, etc.)
3. A list of password hashes (typically exfiltrated in post-exploitation)
Primer (8/8): Conducting a dictionary attack
1. Guess
2. Encrypt
3. Compare

Wordlist:
    apple
    banana
    cherry
    …
$hash <- encrypt(apple)
$hash : 5ebe7dfa074da8ee8aef1faa2bbde876
Search for $hash in the obtained hash list:
    af5432a79b941528fa7fac9e7e391651
    5ebe7dfa074da8ee8aef1faa2bbde876   <- match
    8846f7eaee8fb117ad06bdd830b7586c
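The guess, encrypt (strictly: hash) and compare loop above, worked as an added example that is not part of the deck or of Wordsmith: NT hashes are unsalted MD4 over the UTF-16LE password (as the cracking-session slide notes), so each candidate is hashed once and looked up in a set of the obtained hashes, which is also how a weak-password audit over your own domain's hash dump works. The three hashes in SAMPLE_HASHES are the ones printed on the slide; the candidate words and the pure-Ruby MD4 are mine, and 'password' is the plaintext of the slide's third hash.

```ruby
require 'set'

# Added example (not from the deck or from Wordsmith): the primer's
# guess -> hash -> compare loop, run over NT hashes. NT hashes are MD4 over
# the UTF-16LE encoding of the password; the MD4 below is implemented in
# pure Ruby so the script does not depend on OpenSSL's legacy provider.
MASK32 = 0xffffffff

def rotl32(x, n)
  ((x << n) | (x >> (32 - n))) & MASK32
end

def md4_f(x, y, z)
  (x & y) | ((x ^ MASK32) & z)
end

def md4_g(x, y, z)
  (x & y) | (x & z) | (y & z)
end

def md4_h(x, y, z)
  x ^ y ^ z
end

# One entry per round: mixing function, additive constant, message-word
# order and the four rotation amounts that repeat through the round (RFC 1320).
MD4_ROUNDS = [
  [:md4_f, 0x00000000, (0..15).to_a, [3, 7, 11, 19]],
  [:md4_g, 0x5a827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
  [:md4_h, 0x6ed9eba1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]]
].freeze

def md4_hex(data)
  msg = data.b + "\x80".b                                   # mandatory 1 bit
  msg << "\x00".b while msg.bytesize % 64 != 56             # zero pad to 56 mod 64
  bits = data.bytesize * 8
  msg << [bits & MASK32, (bits >> 32) & MASK32].pack('V2')  # 64-bit LE bit length
  state = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
  (0...msg.bytesize).step(64) do |off|
    x = msg.byteslice(off, 64).unpack('V16')                # 16 little-endian words
    r = state.dup
    MD4_ROUNDS.each do |fn, const, order, shifts|
      order.each_with_index do |k, i|
        idx = (4 - i) % 4                                   # update A, D, C, B, A, ...
        mix = send(fn, r[(idx + 1) % 4], r[(idx + 2) % 4], r[(idx + 3) % 4])
        r[idx] = rotl32((r[idx] + mix + x[k] + const) & MASK32, shifts[i % 4])
      end
    end
    state = state.zip(r).map { |s, v| (s + v) & MASK32 }
  end
  state.pack('V4').unpack1('H*')
end

# NT hash: MD4 of the password encoded as UTF-16LE, no salt.
def ntlm_hex(password)
  md4_hex(password.encode('UTF-16LE'))
end

# Constructed sample: the three hashes from the slide's "obtained hash list".
SAMPLE_HASHES = %w[
  af5432a79b941528fa7fac9e7e391651
  5ebe7dfa074da8ee8aef1faa2bbde876
  8846f7eaee8fb117ad06bdd830b7586c
].freeze

# Guess -> hash -> compare. Returns {nt_hash => recovered_password}. The
# target hashes go into a Set, so every candidate costs one MD4 plus an
# O(1) lookup no matter how many hashes were dumped.
def dictionary_check(hashes, wordlist)
  targets = Set.new(hashes.map(&:downcase))
  wordlist.each_with_object({}) do |guess, found|
    h = ntlm_hex(guess)
    found[h] = guess if targets.include?(h)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed candidate list; "password" is the plaintext of the slide's third hash.
  puts dictionary_check(SAMPLE_HASHES, %w[cherry banana password Summer2016]).inspect
end
```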
Primer’s done
• Let’s move on to Wordsmith
A quick re-cap on Wordsmith
• Wordsmith generates wordlists for dictionary attacks!
• Wordlists can be used on their own or as a supplement to other dictionaries
• Uses geo-location data from U.S. States to create wordlists
What kind of geo-location data is in a wordlist?
• Landmarks
• Sports teams
• Cities, towns, etc.
• Streets/Roads
• Zip codes
• Area codes
• Common names
• Colleges
Why geo-location data?
• Saw more geo-location related passwords during engagements
• Thought it would be a cool project
• Improve overall password cracking efficacy
• Limit guess-encrypt-compare cycles
Where is all of this data coming from?
• Wikipedia, US Census and Open Street Map
How Wordsmith works
Wordsmith files
• Initial git clone (~20 MB)
First run
• On first run, data.tar.gz is unpacked (1 second, 175 MB)
File structure and data lookup
• ./wordsmith/data/
• All lookups are done offline (speed & efficiency).
What does a wordlist look like?
• A word is kept in its original form (special characters included):
    Freemont St.
• You can also use the “-m” flag for basic mangling! Freemont St. becomes:
    Freemont St.
    Freemont St
    Freemont
    St.
    St
    FreemontSt.
    FreemontSt
• Post-processing: sort & uniq to remove all duplicate words, downcase(), minimum character length
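The mangling and post-processing shown on this slide, reconstructed as an added example that is not Wordsmith's own code: mangle() produces exactly the seven variants listed for Freemont St., and build_wordlist() applies the downcase, minimum-length and sort/uniq steps. The exact rules Wordsmith uses for "-m", the default minimum length (4 here) and the sample terms are assumptions.

```ruby
# Added example (not Wordsmith's code): a reconstruction of the "-m" basic
# mangling shown on the slide, plus the sort/uniq, downcase and minimum
# length post-processing. How Wordsmith itself orders or filters is assumed.

# Expand one source term into the variants the slide lists for "Freemont St.":
# original, punctuation stripped, each token with and without punctuation,
# and the tokens concatenated with and without punctuation.
def mangle(term)
  no_punct = ->(s) { s.gsub(/[^[:alnum:][:space:]]/, '') }
  tokens   = term.split
  joined   = tokens.join
  variants = [term, no_punct.call(term)]
  variants.concat(tokens)
  variants.concat(tokens.map { |t| no_punct.call(t) })
  variants << joined << no_punct.call(joined)
  variants.uniq
end

# Post-processing from the slide: downcase, drop words under min_len,
# then sort and uniq so each candidate is hashed only once.
def build_wordlist(terms, min_len: 4)
  terms.flat_map { |t| mangle(t) }
       .map(&:downcase)
       .select { |w| w.length >= min_len }
       .sort
       .uniq
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample terms standing in for Wordsmith's per-state data.
  puts build_wordlist(['Freemont St.', 'Las Vegas'])
end
```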
Demo time
Statistics and results
Pre-requisites
• Hash cracking rig
• Get our hands on REAL NTLM hashes
  – Massachusetts: 404 hashes
  – Wisconsin: 2011 hashes
  – New York: 542 hashes
Hash cracking rig
• Software
  – hashcat.net
• Hardware
  – NVidia GRID K520
    • 3617 MH/s – nothing too crazy, but it does the trick
    • 1 MH/s is 1,000,000 hashes per second
• Build your own cracking rig: https://www.popped.io/2016/07/steps-to-create-aws-hash-cracking-rig.html
Test Cases
• Crack hashes for each U.S. State using common wordlists and rules
• Crack hashes for each U.S. State using a Wordsmith wordlist for the particular State
• ruby wordsmith.rb -s WI -a -m -o wi.txt
Input Parameters for Cracking Session

State           NTLM Hashes    Wordsmith Wordlist
Wisconsin       2011           112k
Massachusetts   404            82k
New York        542            158k

1. Guess
2. Encrypt
3. Compare

Wordlists:
• Top10k (10k)
• Rockyou (14.4m)
• Wordsmith (WI, MA, NY)

NTLM Hash (NT):
• Based on MD4
• Common on Active Directory domains

Hashes obtained from various clients:
• Wisconsin-hashes.txt (2011 hashes)
• Massachusetts-hashes.txt (404 hashes)
• Newyork-hashes.txt (542 hashes)

Rule set:
• D3adhob0 (57.5k rules)
Results!
Wisconsin results
• 2011 NTLM hashes

Wordlist                      Hashcat run time   Passwords recovered
Top10k (10k words)            2 secs             237 (12%)
Rockyou (14.4m words)         27 mins            1094 (54%)
Wisconsin.txt (112k words)    12 secs            229 (11%)
Combined (all three)                             77%
Massachusetts results
• 404 NTLM hashes

Wordlist                         Hashcat run time   Passwords recovered
Top10k (10k words)               1 sec              52 (13%)
Rockyou (14.4m words)            24 mins            262 (65%)
Massachusetts.txt (82k words)    12 secs            56 (14%)
Combined (all three)                                92%
New York results
• 542 NTLM hashes

Wordlist                      Hashcat run time   Passwords recovered
Top10k (10k words)            1 sec              0
Rockyou (14.4m words)         26 mins            220 (41%)
Newyork.txt (158k words)      22 secs            59 (11%)
Combined (all three)                             52%
Conclusions
• Identifying proper nouns unique to a location
• Time-CPU cycle tradeoff
• At least 11% of passwords recovered in < 20 seconds
Next Steps for Wordsmith
• Data!
  – Team rosters, mascots, stadiums
  – Famous people
  – State symbols
  – Motto, song, bird, flower, etc.
  – Regional food, cuisine, agriculture
  – (h/t Larry Pesce - @haxorthematrix)
• Design
  – Modular
  – Extend to provinces, territories, countries
  – Integrate data lookup by coordinates
Suggestions?
• Important to maintain, expand, and improve
• Got any additional data sources or features?
• Pull requests, submit issues, comment, share: https://github.com/skahwah/wordsmith
Questions?
Tom’s the guy with the beard
www.porterhau5.com
@porterhau5
Sanjiv’s the Canadian
www.popped.io
@skawasec
https://github.com/skahwah/wordsmith

Más contenido relacionado

La actualidad más candente

"Whatever I can get..."
"Whatever I can get...""Whatever I can get..."
"Whatever I can get..."Dan Brickley
 
Poster - Completeness Statements about RDF Data Sources and Their Use for Qu...
Poster - Completeness Statements about RDF Data Sources and Their Use for Qu...Poster - Completeness Statements about RDF Data Sources and Their Use for Qu...
Poster - Completeness Statements about RDF Data Sources and Their Use for Qu...Fariz Darari
 
(Re-) Discovering Lost Web Pages
(Re-) Discovering Lost Web Pages(Re-) Discovering Lost Web Pages
(Re-) Discovering Lost Web PagesMichael Nelson
 
Two graph data models : RDF and Property Graphs
Two graph data models : RDF and Property GraphsTwo graph data models : RDF and Property Graphs
Two graph data models : RDF and Property Graphsandyseaborne
 
Scaling Saved Searches at eBay Kleinanzeigen
Scaling Saved Searches at eBay KleinanzeigenScaling Saved Searches at eBay Kleinanzeigen
Scaling Saved Searches at eBay KleinanzeigenAndre Charton
 
Real-time Semantic Web with Twitter Annotations
Real-time Semantic Web with Twitter AnnotationsReal-time Semantic Web with Twitter Annotations
Real-time Semantic Web with Twitter AnnotationsJoshua Shinavier
 
semlavssws2015
semlavssws2015semlavssws2015
semlavssws2015hala Skaf
 
Thinking in documents
Thinking in documentsThinking in documents
Thinking in documentsCésar Rodas
 
Linked Data and Tools
Linked Data and ToolsLinked Data and Tools
Linked Data and ToolsPedro Szekely
 
쉽게 이해하는 LOD
쉽게 이해하는 LOD쉽게 이해하는 LOD
쉽게 이해하는 LODMyungjin Lee
 
NdFluents: An Ontology for Annotated Statements with Inference Preservation
NdFluents: An Ontology for Annotated Statements with Inference PreservationNdFluents: An Ontology for Annotated Statements with Inference Preservation
NdFluents: An Ontology for Annotated Statements with Inference PreservationJosé M. Giménez-García
 
DHWI Linked Open Data - Show and Tell
DHWI Linked Open Data - Show and TellDHWI Linked Open Data - Show and Tell
DHWI Linked Open Data - Show and TellGeorgina Goodlander
 
Coffee, Danish & Search: Presented by Alan Woodward & Charlie Hull, Flax
Coffee, Danish & Search: Presented by Alan Woodward & Charlie Hull, FlaxCoffee, Danish & Search: Presented by Alan Woodward & Charlie Hull, Flax
Coffee, Danish & Search: Presented by Alan Woodward & Charlie Hull, FlaxLucidworks
 
Perl DBI Scripting with the ILS
Perl DBI Scripting with the ILSPerl DBI Scripting with the ILS
Perl DBI Scripting with the ILSRoy Zimmer
 
Consuming Linked Data by Machines - WWW2010
Consuming Linked Data by Machines - WWW2010Consuming Linked Data by Machines - WWW2010
Consuming Linked Data by Machines - WWW2010Juan Sequeda
 
Intro to Linked, Dutch Ships and Sailors and SPARQL handson
Intro to Linked, Dutch Ships and Sailors and SPARQL handson Intro to Linked, Dutch Ships and Sailors and SPARQL handson
Intro to Linked, Dutch Ships and Sailors and SPARQL handson Victor de Boer
 

La actualidad más candente (20)

"Whatever I can get..."
"Whatever I can get...""Whatever I can get..."
"Whatever I can get..."
 
Poster - Completeness Statements about RDF Data Sources and Their Use for Qu...
Poster - Completeness Statements about RDF Data Sources and Their Use for Qu...Poster - Completeness Statements about RDF Data Sources and Their Use for Qu...
Poster - Completeness Statements about RDF Data Sources and Their Use for Qu...
 
(Re-) Discovering Lost Web Pages
(Re-) Discovering Lost Web Pages(Re-) Discovering Lost Web Pages
(Re-) Discovering Lost Web Pages
 
Two graph data models : RDF and Property Graphs
Two graph data models : RDF and Property GraphsTwo graph data models : RDF and Property Graphs
Two graph data models : RDF and Property Graphs
 
Linked Data on Rails
Linked Data on RailsLinked Data on Rails
Linked Data on Rails
 
2014.12 - Let's Disco (EDDI 2014)
2014.12 - Let's Disco (EDDI 2014)2014.12 - Let's Disco (EDDI 2014)
2014.12 - Let's Disco (EDDI 2014)
 
Scaling Saved Searches at eBay Kleinanzeigen
Scaling Saved Searches at eBay KleinanzeigenScaling Saved Searches at eBay Kleinanzeigen
Scaling Saved Searches at eBay Kleinanzeigen
 
Real-time Semantic Web with Twitter Annotations
Real-time Semantic Web with Twitter AnnotationsReal-time Semantic Web with Twitter Annotations
Real-time Semantic Web with Twitter Annotations
 
semlavssws2015
semlavssws2015semlavssws2015
semlavssws2015
 
Thinking in documents
Thinking in documentsThinking in documents
Thinking in documents
 
Deepweb Tools
Deepweb ToolsDeepweb Tools
Deepweb Tools
 
Linked Data and Tools
Linked Data and ToolsLinked Data and Tools
Linked Data and Tools
 
쉽게 이해하는 LOD
쉽게 이해하는 LOD쉽게 이해하는 LOD
쉽게 이해하는 LOD
 
NdFluents: An Ontology for Annotated Statements with Inference Preservation
NdFluents: An Ontology for Annotated Statements with Inference PreservationNdFluents: An Ontology for Annotated Statements with Inference Preservation
NdFluents: An Ontology for Annotated Statements with Inference Preservation
 
DHWI Linked Open Data - Show and Tell
DHWI Linked Open Data - Show and TellDHWI Linked Open Data - Show and Tell
DHWI Linked Open Data - Show and Tell
 
3. ldap
3. ldap3. ldap
3. ldap
 
Coffee, Danish & Search: Presented by Alan Woodward & Charlie Hull, Flax
Coffee, Danish & Search: Presented by Alan Woodward & Charlie Hull, FlaxCoffee, Danish & Search: Presented by Alan Woodward & Charlie Hull, Flax
Coffee, Danish & Search: Presented by Alan Woodward & Charlie Hull, Flax
 
Perl DBI Scripting with the ILS
Perl DBI Scripting with the ILSPerl DBI Scripting with the ILS
Perl DBI Scripting with the ILS
 
Consuming Linked Data by Machines - WWW2010
Consuming Linked Data by Machines - WWW2010Consuming Linked Data by Machines - WWW2010
Consuming Linked Data by Machines - WWW2010
 
Intro to Linked, Dutch Ships and Sailors and SPARQL handson
Intro to Linked, Dutch Ships and Sailors and SPARQL handson Intro to Linked, Dutch Ships and Sailors and SPARQL handson
Intro to Linked, Dutch Ships and Sailors and SPARQL handson
 

Similar a Crafting tailored wordlists with Wordsmith

Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Ontico
 
H2O World - Clustering & Feature Extraction on Text - Seth Redmore
H2O World - Clustering & Feature Extraction on Text - Seth RedmoreH2O World - Clustering & Feature Extraction on Text - Seth Redmore
H2O World - Clustering & Feature Extraction on Text - Seth RedmoreSri Ambati
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
NoSQL Couchbase Lite & BigData HPCC Systems
NoSQL Couchbase Lite & BigData HPCC SystemsNoSQL Couchbase Lite & BigData HPCC Systems
NoSQL Couchbase Lite & BigData HPCC SystemsFujio Turner
 
Евгений Бобров "Powered by OSS. Масштабируемая потоковая обработка и анализ б...
Евгений Бобров "Powered by OSS. Масштабируемая потоковая обработка и анализ б...Евгений Бобров "Powered by OSS. Масштабируемая потоковая обработка и анализ б...
Евгений Бобров "Powered by OSS. Масштабируемая потоковая обработка и анализ б...Fwdays
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCSheetal Dolas
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski -  DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski -  DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and crackingNipun Joshi
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Anton Dedov - Testing of password policy
Anton Dedov - Testing of password policyAnton Dedov - Testing of password policy
Anton Dedov - Testing of password policyDefconRussia
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 

Similar a Crafting tailored wordlists with Wordsmith (20)

Ppsp icassp17v10
Ppsp icassp17v10Ppsp icassp17v10
Ppsp icassp17v10
 
Hash cat
Hash catHash cat
Hash cat
 
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
 
H2O World - Clustering & Feature Extraction on Text - Seth Redmore
H2O World - Clustering & Feature Extraction on Text - Seth RedmoreH2O World - Clustering & Feature Extraction on Text - Seth Redmore
H2O World - Clustering & Feature Extraction on Text - Seth Redmore
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
NoSQL Couchbase Lite & BigData HPCC Systems
NoSQL Couchbase Lite & BigData HPCC SystemsNoSQL Couchbase Lite & BigData HPCC Systems
NoSQL Couchbase Lite & BigData HPCC Systems
 
Евгений Бобров "Powered by OSS. Масштабируемая потоковая обработка и анализ б...
Евгений Бобров "Powered by OSS. Масштабируемая потоковая обработка и анализ б...Евгений Бобров "Powered by OSS. Масштабируемая потоковая обработка и анализ б...
Евгений Бобров "Powered by OSS. Масштабируемая потоковая обработка и анализ б...
 
Checksum 101
Checksum 101Checksum 101
Checksum 101
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOC
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski -  DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski -  DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policy
 
Anton Dedov - Testing of password policy
Anton Dedov - Testing of password policyAnton Dedov - Testing of password policy
Anton Dedov - Testing of password policy
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 

Último

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Crafting tailored wordlists with Wordsmith

  • 1. Crafting tailored wordlists with Wordsmith
    Sanjiv Kawa & Tom Porter, BSides LV 2016
  • 2. Formalities
    • Tom’s the guy with the beard: www.porterhau5.com, @porterhau5
    • Sanjiv’s the Canadian: www.popped.io, @skawasec
    PSC – Proprietary and Confidential. All Rights Reserved. 2
  • 3. What do you guys do?
    • Penetration Testers at PSC - www.paysw.com
    • PSC specializes in PCI assessments
    • Our day-to-day activities consist of attacking large enterprise networks and searching for CHD
  • 4. What’s Wordsmith?
    • Wordsmith generates wordlists for dictionary attacks!
    • Wordlists can be used on their own or as a supplement
    • Uses geo-location data from U.S. States to create wordlists
  • 5. Quick primer
    • Authentication process
    • Dictionary attacks
    • 8 slides total!
  • 6. For those who already know this
    • We have something else you can do during the primer!
    • First 10 people who tweet the correct answer will get some swag
    • Or go and check out Wordsmith here: https://github.com/skahwah/wordsmith
  • 7. Question
    • What hash format is this? (hint: wpad)
  • 8. Back to the primer
  • 9. Primer (1/8): Authentication process
  • 10. Primer (2/8): Password converted to hash
    • On submit, convert the password into a hashed representation
  • 11. Primer (3/8): Credentials sent to authentication server
  • 12. Primer (4/8): Credentials validated
    • Backend DB holds passwords for all users in a hashed state
    • Check to see if hashes match:
      if userSuppliedCreds == userStoredCreds
        allow logon :)
      else
        deny logon :(
  • 13. Primer (5/8): password == hash, right?
    • How do we “convert” a hash back to a cleartext password?
    • No direct way. However, we can do a dictionary attack.
  • 14. Primer (6/8): What are dictionaries?
    • Large lists containing common words
    • Sometimes compiled from passwords obtained in breaches (LinkedIn, Yahoo, Adobe, AM, etc.)
    • Dictionaries we use:
      – Rockyou (free)
      – Uniq (paid, but worth it)
      – top10k (free)
      – yahoo (free)
      – linkedin (free)
  • 15. Primer (7/8): Dictionary attacks
    A couple of pre-requisites:
    1. A solid dictionary (also known as a wordlist)
    2. Need to know the hash type (md5, sha1, NTLM, NetNTLMv2, etc.)
    3. A list of password hashes (typically exfiltrated in post-exploitation)
  • 16. Primer (8/8): Conducting a dictionary attack
    1. Guess  2. Encrypt  3. Compare
    Wordlist: apple, banana, cherry, …
    $hash <- encrypt(apple)
    $hash : 5ebe7dfa074da8ee8aef1faa2bbde876
    Search for $hash in obtained hash list:
      af5432a79b941528fa7fac9e7e391651
      5ebe7dfa074da8ee8aef1faa2bbde876
      8846f7eaee8fb117ad06bdd830b7586c
  • 17. Primer’s done
    • Let’s move on to Wordsmith
  • 18. A quick recap on Wordsmith
    • Wordsmith generates wordlists for dictionary attacks!
    • Wordlists can be used on their own or as a supplement
    • Uses geo-location data from U.S. States to create wordlists
  • 19. What kind of geo-location data is in a wordlist?
    • Landmarks
    • Sports teams
    • Cities, towns, etc.
    • Streets/Roads
    • Zip codes
    • Area codes
    • Common names
    • Colleges
  • 20. Why geo-location data?
    • Saw more geo-location related passwords during engagements
    • Thought it would be a cool project
    • Improve overall password cracking efficacy
    • Limit guess-encrypt-compare cycles
  • 21. Where is all of this data coming from?
    *Wikipedia, US Census and Open Street Map
  • 22. How Wordsmith works
  • 23. Wordsmith files
    • Initial git clone (~20 MB)
  • 24. First run
    • On first run, data.tar.gz is unpacked (1 second, 175 MB)
  • 25. File structure and data lookup
    • ./wordsmith/data/
    • All lookups are done offline (speed & efficiency).
  • 26. What does a wordlist look like?
    • Word is kept in its original form (special characters included): Freemont St.
    • You can also use the “-m” flag for basic mangling! Freemont St. becomes:
      Freemont St.
      Freemont St
      Freemont
      St
      FreemontSt.
      FreemontSt
    • Sort & uniq to remove all duplicate words
    • downcase()
    • Min character length
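The transformation this slide shows for one entry, rebuilt as an added Ruby example (Ruby because Wordsmith is a Ruby tool). This is not Wordsmith's own code: the `mangle` and `build_wordlist` names are mine, the expansion rules are inferred from the six variants on the slide, and the minimum-length default of 3 is an assumption, since the slide only says a minimum character length is applied. The sample entries are constructed.

```ruby
# Added example, not Wordsmith's implementation. Rebuilds the "-m" mangling
# from the slide: one raw entry expands into the six variants shown there.
def mangle(word)
  stripped = word.gsub(/[^[:alnum:][:space:]]/, "")  # "Freemont St." -> "Freemont St"
  [
    word,                 # original form, special characters included
    stripped,             # special characters removed
    *stripped.split,      # each token on its own: "Freemont", "St"
    word.delete(" "),     # tokens joined, punctuation kept: "FreemontSt."
    stripped.delete(" "), # tokens joined, punctuation removed: "FreemontSt"
  ]
end

# Turns raw location entries into a finished wordlist in the order the slide
# lists the steps: optional mangling, downcase(), minimum length, sort & uniq.
# min_length: 3 is an assumed default; the real minimum is not on the slide.
def build_wordlist(entries, mangling: false, min_length: 3)
  candidates = entries.flat_map { |e| mangling ? mangle(e) : [e] }
  candidates.map(&:downcase)
            .select { |w| w.length >= min_length }
            .sort
            .uniq
end

# Constructed sample entries in the style of the slide's street name.
SAMPLE_ENTRIES = ["Freemont St.", "Las Vegas Blvd", "freemont st."].freeze

if __FILE__ == $PROGRAM_NAME
  puts build_wordlist(SAMPLE_ENTRIES, mangling: true)
end
```

The bare "St" token is why the minimum-length step exists: every two-letter fragment that survives mangling is one more guess-encrypt-compare cycle for the cracker, and a street suffix on its own is not a plausible password. Deduplication after downcasing also collapses "Freemont St." and "freemont st." into a single candidate.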
  • 27. Demo time
  • 28. Statistics and results
  • 29. Pre-requisites
    • Hash cracking rig
    • Get our hands on REAL NTLM hashes
      – Massachusetts: 404 hashes
      – Wisconsin: 2011 hashes
      – New York: 542 hashes
  • 30. Hash cracking rig
    • Software – hashcat.net
    • Hardware – NVIDIA GRID K520
      – 3617 MH/s – nothing too crazy, but it does the trick
      – 1 MH/s is 1,000,000 hashes per second
    • Build your own cracking rig: https://www.popped.io/2016/07/steps-to-create-aws-hash-cracking-rig.html
  • 31. Test Cases
    • Crack hashes for each U.S. State using common wordlists and rules
    • Crack hashes for each U.S. State using a Wordsmith wordlist for the particular State
    • ruby wordsmith.rb -s WI -a -m -o wi.txt
    State           NTLM Hashes   Wordsmith Wordlist
    Wisconsin       2011          112k
    Massachusetts   404           82k
    New York        542           158k
  • 32. Input Parameters for Cracking Session
    1. Guess  2. Encrypt  3. Compare
    Wordlists:
    • Top10k (10k)
    • Rockyou (14.4m)
    • Wordsmith: WI, MA, NY
    Hash type: NTLM (NT) – based on MD4, common on Active Directory domains
    Hashes obtained from various clients:
    • Wisconsin-hashes.txt (2011 hashes)
    • Massachusetts-hashes.txt (404 hashes)
    • Newyork-hashes.txt (542 hashes)
    Rule set:
    • D3adhob0 (57.5k rules)
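The guess, encrypt, compare loop from slide 16, run against NT hashes of the kind used in the cracking session on this slide, as an added Ruby example; it is not code from the talk, from hashcat or from Wordsmith. NTLM is MD4 over the UTF-16LE encoding of the password with no salt, so the block carries a small pure-Ruby MD4 (RFC 1320) instead of relying on OpenSSL, whose MD4 is disabled in many current builds. The sample wordlist is constructed. Of the three target hashes, 8846f7eaee8fb117ad06bdd830b7586c is the one shown on slide 16 (it is the NT hash of "password"), 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string, and the all-f value is a placeholder that no candidate matches.

```ruby
require 'set'

# Pure-Ruby MD4 (RFC 1320). NTLM is MD4 over the UTF-16LE password, and
# OpenSSL builds without the legacy provider cannot compute MD4, so it is
# written out here. Added example code, not from the talk or from Wordsmith.
MASK32 = 0xffffffff

def rotl32(x, s)
  ((x << s) | (x >> (32 - s))) & MASK32
end

MD4_ROUNDS = [
  # [mixing function, additive constant, word index order, rotation amounts]
  [->(x, y, z) { (x & y) | (~x & z) },          0,
   (0..15).to_a,                                 [3, 7, 11, 19]],
  [->(x, y, z) { (x & y) | (x & z) | (y & z) }, 0x5a827999,
   [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
  [->(x, y, z) { x ^ y ^ z },                   0x6ed9eba1,
   [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]],
].freeze

def md4(message)
  state = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
  bit_len = message.bytesize * 8
  data = message.b + "\x80".b                      # padding: 0x80, zeros, 64-bit LE length
  data << "\x00".b while data.bytesize % 64 != 56
  data << [bit_len & MASK32, (bit_len >> 32) & MASK32].pack("V2")
  data.bytes.each_slice(64) do |block|
    x = block.pack("C*").unpack("V16")             # sixteen little-endian 32-bit words
    r = state.dup
    MD4_ROUNDS.each do |f, k, order, shifts|
      16.times do |i|
        t = (4 - i % 4) % 4                        # register updated this step: A, D, C, B, ...
        sum = (r[t] + f.call(r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]) + x[order[i]] + k) & MASK32
        r[t] = rotl32(sum, shifts[i % 4])
      end
    end
    4.times { |i| state[i] = (state[i] + r[i]) & MASK32 }
  end
  state.pack("V4").unpack1("H*")
end

# NT hash: MD4 of the password as UTF-16LE. No salt, no iteration.
def ntlm(password)
  md4(password.encode("UTF-16LE"))
end

# The primer's loop: guess a candidate, hash it once, look the digest up in
# the obtained hash list. Returns {hash => recovered plaintext}.
def dictionary_attack(wordlist, target_hashes)
  targets = Set.new(target_hashes.map(&:downcase))
  recovered = {}
  wordlist.each do |candidate|
    digest = ntlm(candidate)
    recovered[digest] = candidate if targets.include?(digest)
    break if recovered.size == targets.size
  end
  recovered
end

# Constructed inputs. 8846f7... is the hash shown on slide 16 (NT hash of
# "password"), 31d6cf... is the NT hash of "", the all-f value is a placeholder.
TARGET_HASHES = %w[
  8846f7eaee8fb117ad06bdd830b7586c
  31d6cfe0d16ae931b73c59d7e0c089c0
  ffffffffffffffffffffffffffffffff
].freeze
SAMPLE_WORDLIST = (%w[apple banana cherry Milwaukee Packers password] + [""]).freeze

if __FILE__ == $PROGRAM_NAME
  dictionary_attack(SAMPLE_WORDLIST, TARGET_HASHES).each do |digest, plaintext|
    puts "#{digest}:#{plaintext.inspect}"
  end
end
```

The set lookup is the whole reason unsalted NT hashes crack so quickly: each candidate is hashed once and then compared against every obtained hash in constant time, so the cost of a run is the wordlist size times the rule count, independent of how many accounts were dumped. A salted or iterated scheme forces one hash computation per candidate per account, which is why the same wordlist that recovers 11% of the NT hashes in seconds on the results slides would take far longer against a properly stored password database.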
  • 33. Results!
  • 34. Wisconsin results
    • 2011 NTLM Hashes
    Wordlist                     Hashcat run time   Number of passwords recovered
    Top10k (10k words)           2 secs             237 (12%)
    Rockyou (14.4m words)        27 mins            1094 (54%)
    Wisconsin.txt (112k words)   12 secs            229 (11%)
    Total                                           77%
  • 35. Massachusetts results
    • 404 NTLM Hashes
    Wordlist                       Hashcat run time   Number of passwords recovered
    Top10k (10k words)             1 sec              52 (13%)
    Rockyou (14.4m words)          24 mins            262 (65%)
    Massachusetts.txt (82k words)  12 secs            56 (14%)
    Total                                             92%
  • 36. New York results
    • 542 NTLM Hashes
    Wordlist                     Hashcat run time   Number of passwords recovered
    Top10k (10k words)           1 sec              0
    Rockyou (14.4m words)        26 mins            220 (41%)
    Newyork.txt (158k words)     22 secs            59 (11%)
    Total                                           52%
  • 37. Conclusions
    • Identifying proper nouns unique to location
    • Time-CPU cycle tradeoff
    • At least 11% of passwords recovered in < 20 seconds
  • 38. Next Steps for Wordsmith
    • Data!
      – Team rosters, mascots, stadiums
      – Famous people
      – State symbols
      – Motto, song, bird, flower, etc.
      – Regional food, cuisine, agriculture
      – (h/t Larry Pesce - @haxorthematrix)
    • Design
      – Modular
      – Extend to provinces, territories, countries
      – Integrate data lookup by coordinates
  • 39. Suggestions?
    • Important to maintain, expand, and improve
    • Got any additional data sources or features?
    • Pull requests, submit issues, comment, share: https://github.com/skahwah/wordsmith
  • 40. Questions?
    Tom’s the guy with the beard: www.porterhau5.com, @porterhau5
    Sanjiv’s the Canadian: www.popped.io, @skawasec
    https://github.com/skahwah/wordsmith