One of the problems in GPGPU is that we have to create a lot of work for the GPU to keep it busy doing something. In Brute-Force attack this is usually not a problem. The keyspace to scan can easily become huge. In Rule-based attack this means large numbers of rules applied on huge dictionaries. But these rules, to be efficient, have to be written by hand. You have to compare many times the multiple plaintext passwords with each other to figure out a “pattern” and then re-write it into a rule. This can become very intensive work.
The idea was to find a way of automating rule generation. For two reasons: The first is to make this attack attractive for GPGPU, and this means find a way to generate lots of rules to keep the GPUs busy. The second is to automate the process of pattern finding itself. After some failed attempts I realized that forcing these requirements which were originally designed for a CPU-based attack, namely to find efficient rules, are incompatible to the extent that we have to create lots of rules. In the end it would look more like a Hybrid attack than a rule-based attack. By throwing away this idea I also realized that there is no need for a rule engine. These two requirements are not compatible with each other.
With the power of GPGPU it's more important to create lots of mutations. So why not create all possible mutations? That's easier than it sounds. It can be achieved by disassembling a plaintext password into all its possible mutations. That's done with the expander, which is part of the Hashcat utils. To make use of all of these patterns we need to combine them with something. That can be either with themselves or with a dictionary. We call this Combinator attack.
The Fingerprint attack is a combination of the results of the expander with a combination engine. It is an automatically generated attack on pattern that works fine on GPGPU.
Thanks to pure_hate, he made a Video about Fingerprint Attack: https://www.question-defense.com/2010/11/24/oclhashcat-fingerprint-attack-video
The second article is one in which I am trying to show you how you can use the Fingerprint attack and oclHashcat. To make things a bit easier, I wrote a little Perl-Script that automates some of the steps described in the first article.
It then adds some randomly pre-defined rules and mixes the results of the Fingerprint attack with other classic attack modes like Combinator attack or Hybrid attack. I have tested this script successfully on both, Linux and Windows.
I wrote this article only for educational purposes, so i will show you only the Linux commands. If you want to reproduce the steps on Windows you will need some additional tools and you need to rewrite the commands. But I can assure you, it's 100% possible, I have tried it myself.
This time I uses the hashlist from Defcon 2010 CMIYC hashlist and the leaked myspace plains (and generate a hashlist of those). You can of course use whichever hashlist you like on here.
There are two ways to generate the initial pattern dictionary:
An appropriate dictionary source is the milworm dictionary. If you are new to fingerprint attack I strongly recommend you to use this dictionary since it is very small (less than 100k entries), while it contains a lot of good patterns.
$ mv mil-dic.txt cracked.dict
Thats it for initializing. However the generation of the cracked.out file is neccessary because the autocrack Script waits for its existence. The command will work on all dictionaries.
$ perl -MDigest::MD5 -ne 'chomp; printf "%s:%s\n", Digest::MD5::md5_hex ($_), $_' < cracked.dict > cracked.out
If you are not going to attack an arbitrary hashlist you can skip this step. The following command uses the leaked myspace plains and generates a hashlist out of all the words in this dictionary.
$ perl -MDigest::MD5 -ne 'chomp; printf "%s\n", Digest::MD5::md5_hex ($_)' < myspace.txt > myspace.txt.md5
If you are not going to attack the defcon hashlist, you can skip the next command. But you then have to replace the NTLM.txt with your hashlist's filename.
First, extract all NTLM hashes from the defcon hashlist:
$ cut -d: -f4 < defcon_contest_hashes.txt | sort -u > NTLM.txt
Now generate the initial dictionary. In the previous article I used a Brute-Force attack to do this. To prove that this is not required, I will use the batchcracker this time. The batchcracker.sh is just a simple script that comes with the oclHashcat packages and it executes some common attacks on a given hashlist. This includes Mask attack, Combinator attack, Hybrid attack and Brute-Force attack. However it is designed to run very quickly, so it really does only very light-weight versions of these attacks.
The next attack took less than 10 minutes on my GTX285. Do not forget to change the hash_mode variable to 1000 in batchcracker.sh:
NOTE: batchcrack.sh in oclHashcat v0.26 is broken. See here how to Patch Batchcrack in oclHashcat v0.26.
$ ./batchcrack.sh NTLM.txt
Let's see what I have so far:
$ wc -l batchcrack.out 4673 batchcrack.out
and what's left:
$ wc -l NTLM.txt 25967 NTLM.txt
OK, we are almost done. But we need to prepare the cracked.out and cracked.dict files for the autocracker. The next command throws away the hashes from the outfile so that only the plains are left.
$ mv batchcrack.out cracked.out $ cut -b34- < cracked.out > cracked.dict
Before you can use autocrack.pl you have to change all the paths to your dictionaries in the script. You can also just add or remove some of the dictionaries. Again, I strongly recommend that you have a large number of both small and big dictionaries. You may also want to change the hash_file and hash_mode variables in accordance with your hashlist in the script-header.
The following Attack takes as long as you want.
$ perl autocrack.pl
I let it run for exactly 13 hours without interaction.
$ wc -l cracked.out 16120 cracked.out
and what's left:
$ wc -l NTLM.txt 14520 NTLM.txt
Here are some excellent examples of cracked passwords:
&~defcon '#(4)\ August19681 '&a123456 10-D'Ann ~|Bailey Krist0f3r f@cebOOK Nuclear$( zxcvbn2010! 13Hark's NjB3qqm Sydney93? antalya%] Annl05de ;-Fluffy
I can compare the results with the results from the Korelogic contest.
Here are some nice Stats:
The first article about Fingerprint Attack was posted on Question Defenses's Blog some time ago.