Evil Mog bringing us some thoughtful password cracking techniques from DerbyCon 2018. These attacks take a candidate list of passwords, mangle the passwords in creative ways, and then pass the more robust results to hashcat. One should have a good understanding of the hashcat-utils tools cutb and expander, the PRobability INfinite Chained Elements (PRINCE) processor (pp64.bin), hashcat, and bash scripting.

Raking

This is how generated2.rule was created, which involved looping over hashlists over the course of six months in 2012 (recency of password lists is important). The script runs hashcat 100 times in a straight wordlist attack (-a 0) against NTLM hashes (-m 1000) at workload profile 3 (-w 3), using every .dict file in the wordlist directory. hashcat is also told to generate 100,000 random rules per run (-g 100000) and to use debug mode 4, so that the original word, the rule that cracked it, and the resulting plaintext are written to the node1 debug files. Those files are then parsed so that a dictionary and a ruleset can be extracted from the process. The resulting new dictionary and ruleset are then used in a final run to try to crack the remaining hashes.

#!/bin/bash
# Rake: 100 runs of random rule generation (-g) with debug mode 4, which records
# original_word:rule:cracked_plain for every successful crack
for start in {1..100}; do
  /opt/hashcat/hashcat -w 3 -m 1000 -a 0 /opt/hashes/hashlist /opt/wordlists/*.dict -g 100000 --debug-mode=4 --debug-file=/opt/debug/node1.$start.debug
done

# field 2 of each debug line is the rule that produced the crack
cat /opt/debug/node1.*.debug | cut -d: -f2 | sort -u > /opt/rules/debug.rule
# field 1 is the original word and field 3 the cracked plain; both become dictionary entries
cat /opt/debug/node1.*.debug | cut -d: -f1 | sort -u > /opt/wordlists/debug.dict
cat /opt/debug/node1.*.debug | cut -d: -f3 | sort -u >> /opt/wordlists/debug.dict

# final pass with the harvested dictionary and ruleset
/opt/hashcat/hashcat -w 3 -m 1000 -a 0 /opt/hashes/hashlist /opt/wordlists/debug.dict -r /opt/rules/debug.rule
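As an added example (not code from the talk or from Evil Mog's repository), the POSIX shell snippet below runs the same three-field parse over a small constructed sample of --debug-mode=4 output, so the reader can see what each cut field holds before pointing the pipeline at real debug files. It goes one step beyond the page by also ranking the rules by how many plains each one produced. The sample lines and the temporary file are constructed; the rules in them ($1, c, $2 $0 $1 $8) are ordinary hashcat rule syntax.

```shell
#!/bin/sh
# Constructed sample of hashcat --debug-mode=4 output. Each line is
# original_word:rule:cracked_plain, the layout the raking script cuts on.
DEBUG_FILE=$(mktemp)
cat > "$DEBUG_FILE" <<'EOF'
summer:$1:summer1
winter:$1:winter1
password:c $1:Password1
welcome:$1:welcome1
summer:c $2 $0 $1 $8:Summer2018
winter:c:Winter
EOF

# Count lines without the leading padding some wc implementations print.
count_lines() {
    awk 'END { print NR }'
}

# Field 2 is the rule that produced the crack: the page's debug.rule pipeline.
unique_rules() {
    cut -d: -f2 < "$1" | sort -u
}

# Field 1 (original word) and field 3 (cracked plain) both become dictionary
# entries: the page's debug.dict pipeline, merged and deduplicated in one step.
merged_dict() {
    { cut -d: -f1 < "$1"; cut -d: -f3 < "$1"; } | sort -u
}

# Beyond the page: rank rules by hit count so the most productive ones can be
# placed first in a .rule file. Output is "count<TAB>rule", best rule first.
rules_by_hits() {
    cut -d: -f2 < "$1" | sort | uniq -c | sort -rn \
        | awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c "\t" $0 }'
}

# The single most productive rule in the sample.
top_rule() {
    rules_by_hits "$1" | head -n 1 | cut -f2
}

echo "rules by hits:"; rules_by_hits "$DEBUG_FILE"
echo "dictionary:";    merged_dict "$DEBUG_FILE"
```

One caveat the page's pipeline shares: a cracked plain that itself contains a colon shifts the third field, and unlike the potfile case (where `cut -d: -f2-` works because the hash is the only field in front of the plain) the debug line has a field on each side, so cut alone cannot disambiguate it; such lines should be inspected by hand or filtered out before the sort.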

CUTB

This technique was originally described in an earlier blog post and involves taking slices of passwords from a candidate file both forwards and backwards. So if we have a password of 123password, when we run it through cutb we get 1, 12, 123, 123p, 123pa, 123pas, 123pass, and 123passw. Similarly, the reverse would result in d, rd, ord, word, sword, ssword, assword, and password. The results of these two processes are then stored in our candidate cutb file.

#!/bin/bash
#set some paths (cutb ships with hashcat-utils, not with princeprocessor)
pp_path="/opt/utils/princeprocessor/src"
hu_path="/opt/utils/hashcat-utils/src"
work_path="/opt/cutb"

# forward slices: offset 0, lengths 1..8 (123password -> 1, 12, 123, ...)
for i in {1..8}; do
  $hu_path/cutb.bin 0 $i < "$1" | sort -u > $work_path/$i-first.txt
done

# reverse slices: the last 1..8 characters (123password -> d, rd, ord, ...)
for i in {1..8}; do
  $hu_path/cutb.bin -$i < "$1" | sort -u > $work_path/$i-last.txt
done

# merge both directions into the candidate cutb file
cat $work_path/*-first.txt $work_path/*-last.txt | sort -u > $work_path/cand.cutb

Expander - Modified

By default expander only emits fragments up to four characters long, so the tool must be recompiled after changing LEN_MAX from 4 to 8 in expander.c within the hashcat-utils source tree. Expect the output volume to grow sharply with the larger limit.

Evil Mog's Blender

In this example passwords are collected from a hashcat potfile and uniquely sorted to produce a candidate list. The candidate list is then run through cutb slices both forwards and backwards, and the slices are merged into a candidate cutb file. Both the original candidate list and the candidate cutb file are then run through expander, producing a candidate expander file and a candidate cutb expander file. This takes a wordlist from approximately 4MB to ~200MB.

#!/bin/bash
#set some paths
pppath="/opt/utils/princeprocessor/src"
hupath="/opt/utils/hashcat-utils/src"
hcpath="/opt/cracken2/hashcat"
workpath="/opt/evilmog/tmp"

#catches passwords with a : character in them due to -f2-
echo "[+] Sorting Potfile"
cut -d: -f2- < $hcpath/hashcat.potfile | sort -u > $workpath/cand.lst

echo "[+] Running Cutb"
for i in {1..8}; do
 echo "[+]  Forward Cutb segment $i"
 $hupath/cutb.bin 0 $i < $workpath/cand.lst | sort -u > $workpath/$i-first.txt
done

for i in {1..8}; do
  echo "[+]  Reverse Cutb segment $i"
  $hupath/cutb.bin -$i < $workpath/cand.lst | sort -u > $workpath/$i-last.txt
done

echo "[+] Cat Cutb"
cat $workpath/*-first.txt $workpath/*-last.txt | sort -u > $workpath/cand.cutb
echo "[+] First Expander"
$hupath/expander.bin < $workpath/cand.lst | sort -u > $workpath/cand.exp
echo "[+] Cutb Expander"
$hupath/expander.bin < $workpath/cand.cutb | sort -u > $workpath/cand.cutb.exp

Purple Rain

This is a modified raking technique observed from Netmux, which involves shuffling a wordlist, piping it into pp64.bin, and piping that into hashcat so that hashcat can generate rules for reuse (Purple Rain Barrel). PRINCE processor is a candidate password generator whose output depends on the order of its input list, so shuffling the candidate list will yield different results on each run.

shuf /opt/dict/rockyou.txt | /opt/utils/princeprocessor/src/pp64.bin | /opt/hashcat/hashcat -m 1000 -a 0 -w 3 -g 10000 hashes.ntlm

Prinception

This shuffles our candidate list, rockyou.txt, pipes it twice through pp64.bin, and then runs the result into hashcat. It is not recommended against difficult hashes that require a relatively higher workload.

shuf /opt/dict/rockyou.txt | /opt/utils/princeprocessor/src/pp64.bin | /opt/utils/princeprocessor/src/pp64.bin | /opt/hashcat/hashcat -m 1000 -a 0 -w 3 -g 10000 hashes.ntlm

Kicked up a notch, we can start with our candidate cutb file, run it through pp64.bin, and then pass that to hashcat.

shuf cand.cutb | /opt/utils/princeprocessor/src/pp64.bin | /opt/hashcat/hashcat hashfile -m 1000 -a 0 -O -g 100000 --username --potfile-path temp1

Mask Generation

Masks can be created from candidate files with PACK: statsgen.py turns each candidate into its character-class mask and tallies them, and maskgen.py selects the masks worth running. This expands the keyspace without resorting to brute force.

#!/bin/bash
#Configure the assumed cracking speed in keys per second (--pps) and the maximum time budget per mask in seconds (-t)
workpath="/opt/evilmog/tmp"
packpath="/opt/utils/pack"
pps="160000000000"
rt="360"

#run the script over candidate expanded and cutb-ed files
python $packpath/statsgen.py --maxlength=24 -o $workpath/cand.lst.mask --hiderare $workpath/cand.lst
python $packpath/statsgen.py --maxlength=24 -o $workpath/cand.exp.mask --hiderare $workpath/cand.exp
python $packpath/statsgen.py --maxlength=24 -o $workpath/cand.cutb.mask --hiderare $workpath/cand.cutb
python $packpath/statsgen.py --maxlength=24 -o $workpath/cand.cutb.exp.mask --hiderare $workpath/cand.cutb.exp

python $packpath/maskgen.py --pps=$pps --minlength=8 --minoccurrence=10 -t $rt -o $workpath/cand.lst.hcmask $workpath/cand.lst.mask
python $packpath/maskgen.py --pps=$pps --minlength=8 --minoccurrence=10 -t $rt -o $workpath/cand.exp.hcmask $workpath/cand.exp.mask
python $packpath/maskgen.py --pps=$pps --minlength=8 --minoccurrence=10 -t $rt -o $workpath/cand.cutb.hcmask $workpath/cand.cutb.mask
python $packpath/maskgen.py --pps=$pps --minlength=8 --minoccurrence=10 -t $rt -o $workpath/cand.cutb.exp.hcmask $workpath/cand.cutb.exp.mask

Refined Mask Generation w/ Hybrid Mode

We should be using hybrid modes 6 (wordlist + mask) and 7 (mask + wordlist) within hashcat to figure out what users are appending or prepending to their passwords. This should be run on the passwords, the cutb files, and the expander files. It is effectively a cutb wordlist + cutb maskfile combination, giving the hybrid attack noted in the talk.

#!/bin/bash
workpath="/opt/evilmog/tmp"
packpath="/opt/utils/pack"
pps="160000000"
rt="360"

# short masks (3..8 characters) from the statsgen output of each candidate file;
# these stand in for the suffixes users append to a base word
python $packpath/maskgen.py --pps=$pps --minlength=3 --maxlength=8 -t $rt -o $workpath/hybrid.hcmask $workpath/cand.lst.mask
python $packpath/maskgen.py --pps=$pps --minlength=3 --maxlength=8 -t $rt -o $workpath/hybrid.exp.hcmask $workpath/cand.exp.mask
python $packpath/maskgen.py --pps=$pps --minlength=3 --maxlength=8 -t $rt -o $workpath/hybrid.cutb.hcmask $workpath/cand.cutb.mask
python $packpath/maskgen.py --pps=$pps --minlength=3 --maxlength=8 -t $rt -o $workpath/hybrid.cutb.exp.hcmask $workpath/cand.cutb.exp.mask

cat $workpath/hybrid*.hcmask | sort -u > $workpath/hybrid.sorted.hcmask

# hybrid mode 6: every cutb slice followed by every mask in the merged mask file
# (-O uses the optimized kernels, which cap the supported password length)
/opt/hashcat/hashcat -m 1000 /opt/passwords/combined_htlm -w 3 -a 6 $workpath/cand.cutb $workpath/hybrid.sorted.hcmask -O --potfile-path=test.potfile
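To make the Mask Generation and hybrid sections concrete, here is an added POSIX shell example (not PACK's code and not from the talk) that performs, in miniature, what statsgen.py and maskgen.py do: it converts each candidate into a hashcat mask, tallies the masks, computes each mask's keyspace from hashcat's built-in charset sizes, and applies the same keys-per-second and target-time budget that --pps and -t express. The candidate list and the temporary file are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Constructed candidate list standing in for cand.lst (not a real potfile).
CAND=$(mktemp)
cat > "$CAND" <<'EOF'
Summer2018
Winter2019
Spring2020
Password1!
Welcome1!
letmein
Autumn2018
EOF

# Turn one candidate into a hashcat mask: ?l lower, ?u upper, ?d digit, ?s other.
# Character classes are spelled out so the result does not depend on locale.
to_mask() {
    printf '%s\n' "$1" | awk '
        BEGIN { lo = "abcdefghijklmnopqrstuvwxyz"; up = toupper(lo); dg = "0123456789" }
        { m = ""
          for (i = 1; i <= length($0); i++) {
              c = substr($0, i, 1)
              if      (index(lo, c)) m = m "?l"
              else if (index(up, c)) m = m "?u"
              else if (index(dg, c)) m = m "?d"
              else                   m = m "?s"
          }
          print m }'
}

# Keyspace of a mask using hashcat's built-in charset sizes (?l/?u 26, ?d 10, ?s 33).
mask_keyspace() {
    printf '%s\n' "$1" | awk '
        { k = 1
          for (i = 2; i <= length($0); i += 2) {
              c = substr($0, i, 1)
              if      (c == "l" || c == "u") k *= 26
              else if (c == "d")             k *= 10
              else if (c == "s")             k *= 33
          }
          printf "%.0f\n", k }'
}

# Exit 0 if the mask can be exhausted within SECONDS at PPS candidates per
# second: the budget check maskgen applies through --pps and -t.
fits_budget() {  # usage: fits_budget MASK PPS SECONDS
    awk -v k="$(mask_keyspace "$1")" -v pps="$2" -v t="$3" \
        'BEGIN { exit (k / pps <= t) ? 0 : 1 }'
}

# statsgen in miniature: mask frequency over the list, most common first.
mask_stats() {  # reads candidates on stdin, prints "count mask"
    while IFS= read -r w; do to_mask "$w"; done | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

mask_stats < "$CAND"
```

With the page's figure of 160,000,000,000 keys per second and a 360 second budget, the mask for Summer2018 (about 3.1e12 candidates) is kept while the mask for Password1! (about 6.9e13 candidates) is rejected, which is exactly the kind of pruning that keeps a generated .hcmask file runnable.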

CUTB Revisited

In the original cutb example, 123password becomes 1, 12, 123, 123p, 123pa, and so on, always starting at the first character. This version also slides the starting offset, so the same word additionally yields 2, 23, 23p, 23pa, 23pas, and so forth. The process only takes a few minutes to run against a candidate file and expands the pattern components and the number of positive results by 30% to 40%.

#!/bin/bash
hupath="/opt/utils/hashcat-utils/src"
hcpath="/opt/cracken2/hashcat"
workpath="/opt/evilmog/tmp"

echo "[+] Sorting Potfile"
cut -d: -f2- < $hcpath/hashcat.potfile | sort -u > $workpath/cand.lst
# sliding forward slices: every offset 0..i for each length i; the offset is part
# of the output filename so that one offset does not overwrite the others
for i in {1..8}; do
  for s in $( eval echo {0..$i} ); do
    $hupath/cutb.bin $s $i < $workpath/cand.lst | sort -u > $workpath/$i-$s-first-seq.txt
  done
done
for i in {1..8}; do
  $hupath/cutb.bin -$i < $workpath/cand.lst | sort -u > $workpath/$i-last-seq.txt
done

cat $workpath/*-first-seq.txt $workpath/*-last-seq.txt | sort -u > $workpath/cand.seq.cutb
$hupath/expander.bin < $workpath/cand.seq.cutb | sort -u > $workpath/cand.seq.cutb.exp

#second half of script reruns the process above over the output of itself (cutb+expander)
for i in {1..8}; do
  for s in $( eval echo {0..$i} ); do
    $hupath/cutb.bin $s $i < $workpath/cand.seq.cutb.exp | sort -u > $workpath/$i-$s-first-seq.txt
  done
done
for i in {1..8}; do
  $hupath/cutb.bin -$i < $workpath/cand.seq.cutb.exp | sort -u > $workpath/$i-last-seq.txt
done
cat $workpath/*-first-seq.txt $workpath/*-last-seq.txt | sort -u > $workpath/cand.seq.cutb.seq.cutb
$hupath/expander.bin < $workpath/cand.seq.cutb.seq.cutb | sort -u > $workpath/cand.seq.cutb.seq.cutb.exp
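The three cutb loops on this page (the forward and reverse slices of the CUTB and Blender sections, and the sliding offsets of CUTB Revisited) are easier to reason about on a single word. The added POSIX shell example below (not from the talk or from hashcat-utils) emulates `cutb.bin OFFSET [LENGTH]` in awk and applies each loop to 123password so the reader can check the outputs the text lists without building the binary. The emulation assumes a line shorter than the requested slice is dropped; the real tool's handling of short lines may differ.

```shell
#!/bin/sh
# Emulation of `cutb.bin OFFSET [LENGTH]` from hashcat-utils. A non-negative
# OFFSET takes LENGTH characters starting there (0-based); a negative OFFSET
# takes the last -OFFSET characters. Assumption: lines too short for the
# requested slice are dropped.
cutb_emul() {  # usage: cutb_emul OFFSET [LENGTH]  (reads words on stdin)
    awk -v off="$1" -v len="${2:-0}" '
        { n = length($0)
          if (off >= 0) { if (n >= off + len) print substr($0, off + 1, len) }
          else          { if (n >= -off)      print substr($0, n + off + 1, -off) } }'
}

# Forward slices from the CUTB section: offset 0, lengths 1..8.
forward_slices() {
    for i in $(seq 1 8); do printf '%s\n' "$1" | cutb_emul 0 "$i"; done | sort -u
}

# Reverse slices: the last 1..8 characters (negative offset, no length).
reverse_slices() {
    for i in $(seq 1 8); do printf '%s\n' "$1" | cutb_emul "-$i"; done | sort -u
}

# CUTB Revisited: for each length i, every start offset 0..i, so the slices
# walk through the word instead of always anchoring at its first character.
sliding_slices() {
    for i in $(seq 1 8); do
        for s in $(seq 0 "$i"); do printf '%s\n' "$1" | cutb_emul "$s" "$i"; done
    done | sort -u
}

echo "forward:"; forward_slices 123password | tr '\n' ' '; echo
echo "reverse:"; reverse_slices 123password | tr '\n' ' '; echo
echo "sliding:"; sliding_slices 123password | tr '\n' ' '; echo
```

On 123password the forward and reverse loops each produce the eight fragments the CUTB section lists, while the sliding loop produces 35 distinct fragments, which is where the 30% to 40% growth in pattern components comes from.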

Don’t succumb to writer’s block when trying to crack hashes. Entropy is your friend, so try something random, like pumping music lyrics through expander | cutb | rule-based attack | cutb | pp64.bin | expander > cand.lst. Try to predict how users are creating their passwords. For comparison, the candidate file starts at 2.6MB and the expanded version is 189MB, which will yield far more results. Check out Evil Mog’s GitHub repository for some more nuggets of wisdom.


Reference Index
Estimated date of talk: October 6th(ish)
Slides: Live DerbyCon Video
Code: EvilMog’s GitHub
Title: Esoteric Hashcat Attacks
Speaker: EvilMog