Cracking Hashes Using Logic Instead Of Power
Often you are up against a highly complicated password hash that your CPU/GPU power is not sufficient to crack. In that scenario we can try alternative approaches to cracking passwords. In this post, "Tyler Borland" demonstrates a method of cracking hashes by using logic instead of power.
START:
http://7habitsofhighlyeffectivehackers.blogspot.com/2013/11/can-someone-be-targeted-using-adobe.html
The article above talks about utilizing other compromised information rather than just hashes to aid in the hash cracking process. In particular, with the Adobe dump, the password hints were used. Before I get into that, I'd like to talk about other styles that were used in the past.
Finding Patterns.
In cracking competitions, like the "Crack Me If You Can" competition at Defcon, you see more than just powerful hardware and clusters being utilized to crack large amounts of hashes. Instead, the logistics of the already cracked passwords are utilized to enhance and speed up the cracking efforts. For example, a good writeup of this is located at:
http://www.sch0.org/index.php/crack-me-if-you-can
This article talks about finding patterns and building permutations off of them for better wordlists instead of straight bruteforcing. With password policies for a corporation, this would be a great and useful technique to employ.
Profiling The Target.
Of course, such tactics are also used to build smart dictionaries off of individual targets for smarter bruteforcing wordlists. This method of building better wordlists is often called 'password profiling'. An example of a Python tool to take advantage of this is CUPP:
https://github.com/Mebus/cupp
This tool asks you a series of questions about the target, things easily retrievable from social networking profiles. It then builds up a permutation and/or combination smart wordlist to take advantage of.
Using Other Compromised Details
Fast forward to the article released today on cracking Adobe hashes. The technique being used by Joshua was not to run straight to trying to bruteforce the 3DES passwords, but instead to find passwords used by several other people.
Joshua then looked at the password hints being deployed by these users to find clues or to piece together a multitude of similar clues. Armed with this information, he was then able to piece it together to make educated guesses, if not know the exact password. Example quotes from the article:
"Now let's see if any other people in the dump have the exact same password hash as this account, and if so then how many.
[jdustin@localhost passwords]$ grep BBRXmv9FVlXioxG6CatHBw== cred | wc -l
207"
"Okay, let's grab those 207 lines containing all accounts who used that same password, cut out just their password hints, and then sort them by how often that hint is in the list:
[jdustin@localhost passwords]$ grep BBRXmv9FVlXioxG6CatHBw== cred | cut -d"|" -f5 | sort | uniq -c | sort -nr | head -n50"
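The grep above matches 207 accounts because identical passwords in that dump produced identical stored values, which is what lets their hints be pooled. The Python below is an added example, not code from the original post or the quoted article. It assumes constructed sample accounts and uses unsalted SHA-256 as a stand-in for any deterministic storage scheme, then shows that with a per-account salt no two accounts share a stored value.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict

# Constructed sample accounts (user, password, hint); not taken from any dump.
ACCOUNTS = [
    ("u1", "Sunshine1", "weather"),
    ("u2", "Sunshine1", "opposite of rain, then 1"),
    ("u3", "Sunshine1", "weather"),
    ("u4", "x9!Lq#rT2", ""),
]

def store_deterministic(password):
    # Stand-in for any unsalted scheme: same password, same stored value.
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password, salt=None, rounds=100_000):
    # Per-account random salt: same password, different stored value.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + dk.hex()

def verify_salted(password, stored):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, _ = stored.split("$")
    candidate = store_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def hint_clusters(accounts, store):
    """Group hints by stored value, like grep <value> | cut -f5 | uniq -c."""
    clusters = defaultdict(Counter)
    for _user, password, hint in accounts:
        clusters[store(password)][hint] += 1
    return clusters

def largest_cluster(accounts, store):
    # Size of the biggest group of accounts sharing one stored value.
    return max(sum(c.values()) for c in hint_clusters(accounts, store).values())

if __name__ == "__main__":
    for name, store in (("deterministic", store_deterministic),
                        ("salted", store_salted)):
        print(name, "largest group sharing one stored value:",
              largest_cluster(ACCOUNTS, store))
```

Salting removes the grouping signal only; hints stored in plaintext next to the credential still leak on their own and should not be kept.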