OpenSecurity.global
Royce Williams

Passwords - cracking


Discussion of password cracking - techniques, tools, etc. Please do not request cracks or post hashes.

Conversations that get too "in the weeds" about specific tools might be eventually gently encouraged towards a more specialized forum. :)

Edited by Royce Williams
scope


Used to like HashSuite for routine password *cough* auditing *cough*

In academia, with parallel computers at my disposal, it was John the Ripper. Favourite tools out there? Or is it all memory attacks and Mimikatz now?


Offline attack is still a thing - sometimes that's all you can get!

Subjective, of course ... but IMNSHO:

  • For speed (including on-GPU rules processing), envelope-pushing, and general password fu, hashcat is the best general solution (though I'm biased ;) )
  • For complex nesting of hash types (configurable via its 'dynamic' algorithm language), maturity of approach in the historical password-auditing context, and FPGA support (such as ZTEX - disclaimer: my page), John the Ripper is still a required tool in the toolbox
  • For working with unknown hash types, arbitrarily nested iteration, and truncated hashes, raw performance on CPU, and platform coverage (ARM, etc.), MDXfind is very useful.
  • For ease of arbitrary clustering:
    • Hashtopolis is the strongest FOSS contender
    • Hashstack likely the best commercial offering (though only available with their hardware)
    • John the Ripper has OpenMP support if needed
    • Both hashcat and John the Ripper support a basic work-splitting syntax (but you have to calculate the "blocks" of work yourself)
    • hashcat also supports loose collaboration using its relatively new 'brain' server feature (upcoming Hashtopolis has direct support for brain, IIRC)

So the short answer is ... it depends! ;)

Edited by Royce Williams
typos, missing detail


Over the years (since StarCrack for DOS back in '93) I've tried most; I keep coming back to JtR and Hashcat. I run both for NTLM ripped from AD with this technique:

https://www.dionach.com/blog/active-directory-password-auditing


But I don't bother with that for lost service account passwords; I just fire up https://www.nirsoft.net/utils/credentials_file_view.html


I find https://github.com/candera/hobocopy handy for grabbing locked SYSTEM SECURITY hives on a production server

and then pass them to https://github.com/Neohapsis/creddump7 if running NirSoft tools is out of the question.


Wow, @james mckinlay - I hadn't previously heard of StarCrack!

Looks like it was previously at:

... but it has been gone for so long that it's not even in the Wayback Machine.

For historical research purposes, I'd love to find a binary and/or some docs on StarCrack.

Edit: Hey! https://packetstormsecurity.com/files/download/13743/starcrak.zip

Edited by Royce Williams
dl

4 minutes ago, Royce Williams said:

Wow, @james mckinlay - I hadn't previously heard of StarCrack!

Looks like it was previously at:

... but it has been gone for so long that it's not even in the Wayback Machine.

For historical research purposes, I'd love to find a binary and/or some docs on StarCrack.

Edit: Hey! https://packetstormsecurity.com/files/download/13743/starcrak.zip

Allegedly I couldn't possibly have needed it after viewing an /etc/passwd file using ypcat to avoid early HP Unix security, captured to a local text file using the video output of an AOL 2.0 telnet client, and then ran for days on a 486DX66 (this was the mid 90s).

http://www.ouah.org/crmi001en.htm


Essential background reading, pre-Mimikatz:


https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

It probably mentions CMIYC too.

Edited by james mckinlay
add url to unix crack text


Fascinating!

Also, there's a 20-year-old easter egg in the accompanying doc file!

(Note that since these are public hashes with known provenance, they don't fall into the "no hashes" rule)

root:ur/1tzsUmWXK2:0:1:system PRIVILEGED account:/usr/users/root:/bin/csh
user1:abhtIHPO06GAs:101:20:name of the guy:/users/something/user1:/bin/csh
user2:cdudDg6nVEZGA:102:20:name of the girl:/users/something/user2:/bin/csh
user3:efRxqpKNiiMHQ:103:20:name of the dog:/users/something/user3:/bin/csh

SPOILER ALERT (highlight text below for answers)

ur/1tzsUmWXK2:curious
abhtIHPO06GAs:well
cdudDg6nVEZGA:done
efRxqpKNiiMHQ:;)

  • Like 1
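The passwd lines quoted above are the classic pre-shadow layout that the ypcat story earlier in the thread relies on: the hash sits in the world-readable second field. The following is an added example (not code from the original post or from any tool named in the thread) of a small auditor that parses passwd-format lines, identifies which entries carry a real hash instead of a shadow/lock placeholder, and recognises the legacy 13-character DES crypt(3) format by its 2-character salt. The sample input reuses the four public hashes from the post plus two constructed lines (svc_backup, olduser) added to show the shadowed and locked cases; the scheme names and the Entry/audit helpers are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the four public lines from the post, plus two
# constructed entries (svc_backup, olduser) showing placeholder fields.
SAMPLE_PASSWD = """\
root:ur/1tzsUmWXK2:0:1:system PRIVILEGED account:/usr/users/root:/bin/csh
user1:abhtIHPO06GAs:101:20:name of the guy:/users/something/user1:/bin/csh
user2:cdudDg6nVEZGA:102:20:name of the girl:/users/something/user2:/bin/csh
user3:efRxqpKNiiMHQ:103:20:name of the dog:/users/something/user3:/bin/csh
svc_backup:x:104:20:constructed shadowed account:/home/svc_backup:/bin/sh
olduser:*:105:20:constructed locked account:/home/olduser:/sbin/nologin
"""

# Traditional DES crypt(3): 2-char salt + 11-char hash, all from the 64-symbol
# alphabet [./0-9A-Za-z]. Modular crypt strings ($id$...) never match this.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_CRYPT_RE = re.compile(r"^\$(?P<id>[^$]+)\$")
MODULAR_IDS = {
    "1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt",
}

# Placeholder schemes: no hash material is present in the passwd line.
PLACEHOLDER_SCHEMES = ("none", "shadowed", "locked")


@dataclass
class Entry:
    name: str
    pw_field: str
    uid: int
    scheme: str            # none | shadowed | locked | des-crypt | md5crypt | ... | unknown
    salt: Optional[str]    # only extracted for des-crypt (the first two characters)


def classify(pw_field: str) -> Tuple[str, Optional[str]]:
    """Name the hash scheme of a passwd password field (hypothetical helper)."""
    if pw_field == "":
        return "none", None                 # empty field: no password required
    if pw_field == "x":
        return "shadowed", None             # hash lives in /etc/shadow
    if pw_field.startswith(("*", "!")):
        return "locked", None               # account cannot log in with a password
    m = MODULAR_CRYPT_RE.match(pw_field)
    if m:
        return MODULAR_IDS.get(m.group("id"), "modular-crypt-" + m.group("id")), None
    if DES_CRYPT_RE.match(pw_field):
        return "des-crypt", pw_field[:2]    # 12-bit salt is the first two chars
    return "unknown", None


def parse_passwd(text: str) -> List[Entry]:
    """Parse passwd-format text into Entry records, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        scheme, salt = classify(pw)
        entries.append(Entry(name, pw, int(uid), scheme, salt))
    return entries


def exposed_hashes(entries: List[Entry]) -> List[Entry]:
    """Entries whose hash is readable by anyone who can read passwd (or ypcat it)."""
    return [e for e in entries if e.scheme not in PLACEHOLDER_SCHEMES]


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs a defender would want to act on."""
    findings = []
    for e in parse_passwd(text):
        if e.scheme == "none":
            findings.append((e.name, "empty password field"))
        elif e.scheme not in PLACEHOLDER_SCHEMES:
            findings.append((e.name, f"{e.scheme} hash stored in passwd, not shadow"))
        if e.scheme == "des-crypt":
            findings.append((e.name, "legacy DES crypt(3): 12-bit salt, 8-char limit"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "additional uid 0 account"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD):
        print(f"{account:12s} {finding}")
```

Run against a real passwd dump (or the output of `ypcat passwd` on a NIS client), the interesting result is any entry that is not "shadowed" or "locked": those are the hashes an unprivileged reader already has, and the DES crypt ones additionally truncate passwords to 8 characters and offer only 4096 salts, so they should be migrated rather than merely rotated.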
