Dictionary for long passwords - Tips and ideas
#1
Hi,

I want to create a good dictionary as part of pen testing that attempts to crack NTLM hashes that are minimum 16 characters in length and with password complexity requirements. Do any of you have experience pen testing passwords of such a length? Any ideas on how I should proceed?

My initial thought was that people using passwords of 16+ characters in length would mostly use pass phrases (I.e. "I love my two dogs!"). So perhaps combining words in a common wordlist would be a way to go? Right now I have created a list of approx 650k+ words, names, dates etc. Would combining these be a way to go? If so, how? I see that there are several python/ruby scripts for this purpose... but I feel like I should have some kind of rules and not just combine words randomly.

I have also tried using the crackstation wordlist and running it through a filter that requires 16+ chars and password complexity - which resulted in the size going from 15gb to 38mb...

Any tips? I have little experience with password cracking, so any guidance will be highly appriciated!
Reply
#2
(08-03-2018, 12:10 PM)eriden Wrote: My initial thought was that people using passwords of 16+ characters in length would mostly use pass phrases (I.e. "I love my two dogs!"). So perhaps combining words in a common wordlist would be a way to go? Right now I have created a list of approx 650k+ words, names, dates etc. Would combining these be a way to go? 

Yes this would be a logical assumption, I would advise however to do some quick maths to check if it is feasible. Assuming a list of 650k where words are around 5 chars average you would need 3 words to get to around 16 chars. This makes 650000 to the power of 3 possibilities which is 274625000000000000. On a GTX 1070Ti FE (40000 MH/s for NTLM) this would take 80 days to process
This is just adding 3 random words in your list and excluding adding small words like "I, a, am, the, etc" or complexity such as numbers and special characters to make 'real' sentences. Adding those small words or complexity would multiply this number of days fast.

See https://nakedsecurity.sophos.com/2012/03...ssphrases/ where Cambridge University tried a dictionary attack using lists of movie titles, sports team names, and dozens of other types of proper nouns crawled from Wikipedia, along with idiomatic phrases crawled from sources including Urban Dictionary.

This would be more efficient (although more difficult) than trying random words and hoping they make sentences that people would use.
Reply
#3
(08-03-2018, 12:33 PM)DanielG Wrote:
(08-03-2018, 12:10 PM)eriden Wrote: My initial thought was that people using passwords of 16+ characters in length would mostly use pass phrases (I.e. "I love my two dogs!"). So perhaps combining words in a common wordlist would be a way to go? Right now I have created a list of approx 650k+ words, names, dates etc. Would combining these be a way to go? 

Yes this would be a logical assumption, I would advise however to do some quick maths to check if it is feasible. Assuming a list of 650k where words are around 5 chars average you would need 3 words to get to around 16 chars. This makes 650000 to the power of 3 possibilities which is 274625000000000000. On a GTX 1070Ti FE (40000 MH/s for NTLM) this would take 80 days to process
This is just adding 3 random words in your list and excluding adding small words like "I, a, am, the, etc" or complexity such as numbers and special characters to make 'real' sentences. Adding those small words or complexity would multiply this number of days fast.

See https://nakedsecurity.sophos.com/2012/03...ssphrases/ where Cambridge University tried a dictionary attack using lists of movie titles, sports team names, and dozens of other types of proper nouns crawled from Wikipedia, along with idiomatic phrases crawled from sources including Urban Dictionary.

This would be more efficient (although more difficult) than trying random words and hoping they make sentences that people would use.

Thank you so much for an elaborate reply. You make a good point regarding the amount of possible combinations. The article you refer to is also very interesting. Do you happen to know if the wordlists used in the article are published anywhere?

Your reply got me thinking...

What about generating a wordlist using movie titles, sport team names, books, names of places and people, as well as commonly used words from a dictionary. And then combining this into passphrases using for instance the Diceware Method. Finally using a rule set to create various combinations from the pass phrases such as uppercase letters, adding symbols/years etc. Would this be a sensible approach?

If so I have a couple of more questions:
* Do you know if there is decent tool/script that creates passphrases from a list of words?
* Any rule sets that you would recommend? (cause of the password complexity requirements)
Reply
#4
Unfortunately Cambridge University didn't post it (anywhere I could find), but researchers are nice people so you could try contacting the people in the paper.

You could look at https://github.com/Phildo/expandpass to make lists, this allows you to define lists and rules and feed it into hashcat.
For the wordlist with "movie titles, sport team names, books, names of places and people, as well as commonly used words" you must again consider the possible combinations. Every word you add multiplies your search time. The reason passphrases work so good is because with a bit of imagination you can come up with a non standard phrase that is practically uncrackable.

You mentioned Diceware, if you would follow the most standard instructions (roll for a group of five) then you will need to bruteforce a space of '64.6 bits'. Again on a GTX 1070Ti FE (40000 MH/s for NTLM) this would take 22 years to process.

Don't underestimate the power of throwing a few words together.

My best guess is to make a dictionary with commonly used phrases, start them with a uppercase letter and add an exclamation mark at the end and see how long that takes to process. Don't start with adding symbols/years or other more complex things.
Reply
#5
(08-08-2018, 10:36 AM)DanielG Wrote: Unfortunately Cambridge University didn't post it (anywhere I could find), but researchers are nice people so you could try contacting the people in the paper.

You could look at https://github.com/Phildo/expandpass to make lists, this allows you to define lists and rules and feed it into hashcat.
For the wordlist with "movie titles, sport team names, books, names of places and people, as well as commonly used words" you must again consider the possible combinations. Every word you add multiplies your search time. The reason passphrases work so good is because with a bit of imagination you can come up with a non standard phrase that is practically uncrackable.

You mentioned Diceware, if you would follow the most standard instructions (roll for a group of five) then you will need to bruteforce a space of '64.6 bits'. Again on a GTX 1070Ti FE (40000 MH/s for NTLM) this would take 22 years to process.

Don't underestimate the power of throwing a few words together.

My best guess is to make a dictionary with commonly used phrases, start them with a uppercase letter and add an exclamation mark at the end and see how long that takes to process. Don't start with adding symbols/years or other more complex things.

Thank you so much for the help! I definitely feel like I now have more grasp on what would be a feasible approach to this :-)
Reply
#6
Don't pass up keyboard combos and duplicated passwords. By duplicated passwords I mean people typing the same short password multiple times, aka 'Password123Password123'. Also common additions such as "summer18' aka 'Passwordsummer18'
Reply
#7
(08-03-2018, 12:10 PM)eriden Wrote: Hi,

I want to create a good dictionary as part of pen testing that attempts to crack NTLM hashes that are minimum 16 characters in length and with password complexity requirements. Do any of you have experience pen testing passwords of such a length? Any ideas on how I should proceed?

My initial thought was that people using passwords of 16+ characters in length would mostly use pass phrases (I.e. "I love my two dogs!"). So perhaps combining words in a common wordlist would be a way to go? Right now I have created a list of approx 650k+ words, names, dates etc. Would combining these be a way to go? If so, how? I see that there are several python/ruby scripts for this purpose... but I feel like I should have some kind of rules and not just combine words randomly.

I have also tried using the crackstation wordlist and running it through a filter that requires 16+ chars and password complexity - which resulted in the size going from 15gb to 38mb...

Any tips? I have little experience with password cracking, so any guidance will be highly appriciated!

Did you try OMEN or passgan (https://github.com/brannondorsey/PassGAN)

You could train it and then use it to generate passwords with your specifics and feed it into Hashcat
Reply
#8
For a passphrase approach, I strongly recommend the prince-processor from the hashcat-utils (pp64). It builds candidate by concatenating the words contained in the input list to a given length output.

Also from my personal experience, it has a better performance than OMEN and does not require training.

For a detailed desciption of prince: https://hashcat.net/forum/thread-3914.html
Reply