Fingerprint Attack

Description

One of the problems in GPGPU is that we have to create a lot of work for the GPU to keep it busy doing something. In Brute-Force attack this is usually not a problem. The keyspace to scan can easily become huge. In Rule-based attack this means large numbers of rules applied on huge dictionaries. But these rules, to be efficient, have to be written by hand. You have to compare many times the multiple plaintext passwords with each other to figure out a “pattern” and then re-write it into a rule. This can become very intensive work.

The idea was to find a way of automating rule generation. For two reasons: The first is to make this attack attractive for GPGPU, and this means find a way to generate lots of rules to keep the GPUs busy. The second is to automate the process of pattern finding itself. After some failed attempts I realized that forcing these requirements which were originally designed for a CPU-based attack, namely to find efficient rules, are incompatible to the extent that we have to create lots of rules. In the end it would look more like a Hybrid attack than a rule-based attack. By throwing away this idea I also realized that there is no need for a rule engine. These two requirements are not compatible with each other.

With the power of GPGPU it's more important to create lots of mutations. So why not create all possible mutations? That's easier than it sounds. It can be achieved by disassembling a plaintext password into all its possible mutations. That's done with the expander, which is part of the Hashcat utils. To make use of all of these patterns we need to combine them with something. That can be either with themselves or with a dictionary. We call this Combinator attack.

The Fingerprint attack is a combination of the results of the expander with a combination engine. It is an automatically generated attack on pattern that works fine on GPGPU.

Live Demonstration

Thanks to pure_hate, he made a Video about Fingerprint Attack: https://www.question-defense.com/2010/11/24/oclhashcat-fingerprint-attack-video

How to reproduce locally

The second article is one in which I am trying to show you how you can use the Fingerprint attack and oclHashcat. To make things a bit easier, I wrote a little Perl-Script that automates some of the steps described in the first article.

This includes:

  • Cutting the outfile
  • Expanding the dictionary
  • Make results unique
  • Running oclHashcat
  • and so on.

It then adds some randomly pre-defined rules and mixes the results of the Fingerprint attack with other classic attack modes like Combinator attack or Hybrid attack. I have tested this script successfully on both, Linux and Windows.

Requirements

I wrote this article only for educational purposes, so i will show you only the Linux commands. If you want to reproduce the steps on Windows you will need some additional tools and you need to rewrite the commands. But I can assure you, it's 100% possible, I have tried it myself.

Preparation

This time I uses the hashlist from Defcon 2010 CMIYC hashlist and the leaked myspace plains (and generate a hashlist of those). You can of course use whichever hashlist you like on here.

There are two ways to generate the initial pattern dictionary:

  • The first one should be used when running against arbitrary hashlists.
  • The second one is an optimized initialization which is preferred, but it works only if you can get a lot of initial passes from it.

Initialising

Possibility Nr. 1

An appropriate dictionary source is the milworm dictionary. If you are new to fingerprint attack I strongly recommend you to use this dictionary since it is very small (less than 100k entries), while it contains a lot of good patterns.

$ mv mil-dic.txt cracked.dict

Thats it for initializing. However the generation of the cracked.out file is neccessary because the autocrack Script waits for its existence. The command will work on all dictionaries.

$ perl -MDigest::MD5 -ne 'chomp; printf "%s:%s\n", Digest::MD5::md5_hex ($_), $_' < cracked.dict > cracked.out

If you are not going to attack an arbitrary hashlist you can skip this step. The following command uses the leaked myspace plains and generates a hashlist out of all the words in this dictionary.

$ perl -MDigest::MD5 -ne 'chomp; printf "%s\n", Digest::MD5::md5_hex ($_)' < myspace.txt > myspace.txt.md5

Possibility Nr. 2

If you are not going to attack the defcon hashlist, you can skip the next command. But you then have to replace the NTLM.txt with your hashlist's filename.

First, extract all NTLM hashes from the defcon hashlist:

$ cut -d: -f4 < defcon_contest_hashes.txt | sort -u > NTLM.txt

Now generate the initial dictionary. In the previous article I used a Brute-Force attack to do this. To prove that this is not required, I will use the batchcracker this time. The batchcracker.sh is just a simple script that comes with the oclHashcat packages and it executes some common attacks on a given hashlist. This includes Mask attack, Combinator attack, Hybrid attack and Brute-Force attack. However it is designed to run very quickly, so it really does only very light-weight versions of these attacks.

The next attack took less than 10 minutes on my GTX285. Do not forget to change the hash_mode variable to 1000 in batchcracker.sh:

NOTE: batchcrack.sh in oclHashcat v0.26 is broken. See here how to Patch Batchcrack in oclHashcat v0.26.

$ ./batchcrack.sh NTLM.txt

Let's see what I have so far:

$ wc -l batchcrack.out
4673 batchcrack.out

and what's left:

$ wc -l NTLM.txt
25967 NTLM.txt

OK, we are almost done. But we need to prepare the cracked.out and cracked.dict files for the autocracker. The next command throws away the hashes from the outfile so that only the plains are left.

$ mv batchcrack.out cracked.out
$ cut -b34- < cracked.out > cracked.dict

Main

Before you can use autocrack.pl you have to change all the paths to your dictionaries in the script. You can also just add or remove some of the dictionaries. Again, I strongly recommend that you have a large number of both small and big dictionaries. You may also want to change the hash_file and hash_mode variables in accordance with your hashlist in the script-header.

The following Attack takes as long as you want.

$ perl autocrack.pl

Results

I let it run for exactly 13 hours without interaction.

$ wc -l cracked.out
16120 cracked.out

and what's left:

$ wc -l NTLM.txt
14520 NTLM.txt

Here are some excellent examples of cracked passwords:

&~defcon
'#(4)\
August19681
'&a123456
10-D'Ann
~|Bailey
Krist0f3r
f@cebOOK
Nuclear$(
zxcvbn2010!
13Hark's
NjB3qqm
Sydney93?
antalya%]
Annl05de
;-Fluffy

Conclusion

I can compare the results with the results from the Korelogic contest.

Here are some nice Stats:

  • On CMIYC 2010, Team Hashcat cracked 20100 hashes after 13 hours but with 10 experienced password crackers and nearly 20 GPU's and doing it using manually optimized attacks.
  • autocrack.pl cracked 16120 of the same hashes in the same amount of time but without any human intervention needed in optimizing these attacks and only with a single GTX285.
  • On CMIYC 2010, Team Hashcat used Hashcat-specific attacks like Togglecase attack, Permutation attack, specific pattern based rule-based and random rule-based attacks.
  • autocrack.pl proves that a Fingerprint attack can generate nearly the same results without having all these different attacking engines.
  • I tried the myspace hashlist with it. This is a good test object since these passwords are real-life passwords. This again shows how effective fingerprint attack is on real-life passwords.
  • Another nice thing is that these hashes have not already been attacked by other crackers so we can call it a “clean” hashlist. I let the autocracker script run for about 16 hours, it cracked an impressive 30348 of 37144 hashes (81%).

Older Articles

The first article about Fingerprint Attack was posted on Question Defenses's Blog some time ago.

See here: https://www.question-defense.com/2010/08/15/automated-password-cracking-use-oclhashcat-to-launch-a-fingerprint-attack