Caption(s): Enigma Machine
Source(s): Wikimedia Commons: https://commons.wikimedia.org/wiki/Enigma_machine
Security researchers have been compiling wordlists for years. They have added hundreds of thousands of words and even some of the top passwords. For example, the CrackStation wordlist from https://crackstation.net contains almost 1.5 billion words and passwords. It is easy to simply run password hashes against these giant wordlists, but they can take days to run through. To save time and resources, it is helpful to first test your password hashes against a small, custom, targeted wordlist. I have worked on several engagements for organizations where the “keys to the kingdom” can only be found by scraping the organization’s home page or the Wikipedia article for their town or state in order to create a wordlist and apply basic mangling rules to the gathered words.
Password cracking is an art form required on virtually every type of penetration test. On a wireless test, you’ll need to attack the captured handshake or enterprise domain hashes with a password cracker. On an internal penetration test, you’ll often need to crack captured password hashes to gain access to the domain, and hundreds or thousands of hashes pulled from the domain controller will need to be cracked to assess the overall password strengths and weaknesses of the organization.
Generating a custom and targeted wordlist is not as difficult as it may seem. Employees tend to use easily-guessable passwords specific to their employer, such as the company name, industry-specific keywords, or even a favorite local sports team. Your giant, general wordlist probably has many industry keywords mixed in there, but it may not have the company name or less common keywords. This means you could be missing out on cracking a vast number of weak passwords.
Where can you find a good collection of organization-specific words? Their website, blog, or Wikipedia page, or even the Wikipedia pages of their city and local sports teams. Get creative with it. Never underestimate how simple and easily guessable passwords tend to be, or you will constantly be surprised.
Once you have some web sources containing base words employees may use in their passwords, it’s time to scrape. One helpful tool for this step is the “Custom Word List Generator” (CeWL) by DigiNinja (https://digi.ninja/projects/cewl.php). Simply point it at the website address, and it will go to work. Shown below is CeWL running against https://lmgsecurity.com and outputting to the text file “lmg-wordlist.txt”. This may take some time, depending on the number of words and links:
Caption: Scraping LMG Wordlist
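To make the scraping step concrete, here is a small stand-alone word extractor that does the core of what CeWL does for a single page: strip the markup, keep words of a minimum length, and write them out most-frequent first. This is an added example, not CeWL’s code and not part of the original post; the HTML it parses is a constructed sample page (not content from lmgsecurity.com), the 3-letter minimum mirrors CeWL’s `-m` option default, and ignoring `<script>` and `<style>` bodies is a design choice of this example rather than a statement about CeWL’s internals.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page standing in for a fetched company home page.
SAMPLE_HTML = """<html><head><title>Example Corp - Cybersecurity Services</title>
<style>body { color: #333; }</style>
<script>var tracking = "ignore-me";</script></head>
<body><h1>Example Corp</h1>
<p>Penetration testing, digital forensics and incident response for Montana businesses.</p>
<p>Go Grizzlies! Our forensics lab opened in 2018.</p>
<a href="/about">About Example Corp</a></body></html>"""


class WordExtractor(HTMLParser):
    """Collects visible text, skipping the bodies of <script> and <style> elements."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.chunks.append(data)


def extract_words(html, min_length=3):
    """Return a Counter of alphabetic words (case preserved) with at least min_length letters."""
    parser = WordExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    words = re.findall(r"[A-Za-z]{%d,}" % min_length, text)
    return Counter(words)


def write_wordlist(counter, path):
    """Write one word per line, most frequent first, the layout a cracker expects."""
    with open(path, "w") as f:
        for word, _ in counter.most_common():
            f.write(word + "\n")


if __name__ == "__main__":
    counts = extract_words(SAMPLE_HTML)
    write_wordlist(counts, "example-wordlist.txt")
    print(counts.most_common(5))
```

On a real engagement the fetch and link-following are the part CeWL handles for you; what matters for the wordlist is the same as here: company and product names, place names and team names surface near the top once you sort by frequency.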
Now, we have a basic, targeted wordlist in the “lmg-wordlist.txt” file. These are considered “base words” because people usually add elements to their chosen dictionary word. For example, the word ‘security’ may be transmuted to ‘s3cur1ty2018’, so it will meet corporate password complexity requirements. In order for our wordlist to account for this, we can apply “Mangling Rules,” which convert the base word into likely password candidates. There is a large variety of mangling rulesets to choose from, but let’s start with the “unix-ninja-leetspeak.rule” ruleset that comes with our Hashcat password cracker (https://hashcat.net). This ruleset swaps letters with numbers that are often used for substitution in passwords, such as ‘e’ with ‘3’ and ‘i’ with ‘1’.
Applying the unix-ninja-leetspeak.rule ruleset will increase our LMG wordlist to 71,166 unique words, as seen below:
Caption: Applying unix-ninja-leetspeak.rule Ruleset
Finally, let’s run the wordlist against our captured SHA-1 hash in “craigs-hotspot.txt,” obtained from Craig’s database. Since our wordlist isn’t very large (71,166 is relatively small) and SHA-1 hashes crack quickly, we can use a Hashcat “Mask Attack” to add more complexity to each word in our wordlist. Mask attacks add characters, such as symbols, numbers, or letters, to the end or beginning of each word in the wordlist. We will add up to four numbers to the end of each of the 71,166 previously mangled words. This is helpful because people often add a memorable year to the end of their passwords. Some people may shorten ‘1945’ to ’45,’ so we will be adding “up to” four numbers instead of “exactly” four numbers, using the --increment flag. Incrementing will also check the original word with no additional numbers at the end. Running this attack in Hashcat can be seen below:
Caption: Cracking Password Hash with Hashcat
It turns out Craig’s password was, indeed, based on a word from the LMG website (cybersecurity), and his password hash immediately cracked to “Cyb3rs3cur1ty42”. Now we’re in!
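The two stages described above, a rule pass over the base words and then a digit-suffix mask with incrementing, are easy to reason about when written out. The script below is an added example, not code from the post or from Hashcat: the base words are constructed stand-ins for “lmg-wordlist.txt”, the `LEET` table is a hand-picked subset of substitutions and not the contents of unix-ninja-leetspeak.rule, and the only target hash is the SHA-1 of the page’s own cracked password. It shows why a ~70k-word list with a four-digit `?d?d?d?d --increment` mask stays tractable (11,111 candidates per word), and the same `audit` function doubles as the check a defender can run against their own password hashes to find accounts built on company vocabulary before someone else does.

```python
import hashlib
import itertools

# Constructed base words standing in for the scraped "lmg-wordlist.txt" (not the real file).
BASE_WORDS = ["cybersecurity", "network"]

# Illustrative substitution subset; an assumption, NOT hashcat's unix-ninja-leetspeak.rule.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$"}


def leet_variants(word):
    """Yield every combination of keeping or swapping each letter in the word."""
    options = [(ch,) + tuple(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def apply_rules(base_words):
    """Rule stage: case variants, then leetspeak; deduplicated like `hashcat --stdout` output."""
    mangled = set()
    for w in base_words:
        for cased in (w.lower(), w.capitalize(), w.upper()):
            mangled.update(leet_variants(cased))
    return mangled


def with_digit_suffix(word, max_digits=4):
    """Mask stage: the bare word first, then 1..max_digits appended digits.
    This is the equivalent of hashcat's ?d?d?d?d mask run with --increment."""
    yield word
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            yield word + "".join(digits)


def candidates(base_words, max_digits=4):
    """Full candidate stream: every mangled word, each with every allowed suffix."""
    for word in sorted(apply_rules(base_words)):
        yield from with_digit_suffix(word, max_digits)


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def audit(hash_hexes, base_words, max_digits=4):
    """Return {hash: password} for each target SHA-1 hit by a candidate.
    Stops early once every target is accounted for; unmatched hashes are simply absent."""
    targets = {h.lower() for h in hash_hexes}
    found = {}
    for cand in candidates(base_words, max_digits):
        digest = sha1_hex(cand)
        if digest in targets:
            found[digest] = cand
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    # The page's cracked password, hashed here as a constructed target.
    target = sha1_hex("Cyb3rs3cur1ty42")
    print(len(apply_rules(BASE_WORDS)), "mangled words")
    print(audit([target], BASE_WORDS))  # {target: "Cyb3rs3cur1ty42"}
```

Swap `BASE_WORDS` for the lines of a real scraped list and `hash_hexes` for an export of your own domain’s SHA-1 hashes (or change `sha1_hex` to the hash type you hold) and the output is a list of accounts whose passwords are one company word plus a cosmetic tweak away; that is the population a password policy or a blocklist filter should be catching.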
Utilizing targeted wordlists created from online sources will likely increase the success of your pentesting efforts. The smaller wordlist size allows for more flexibility combining different attack types, such as mask and ruleset attacks. Your new wordlist will also contain incredibly specific words that won’t otherwise be tested with standard wordlists, such as the company name. For these reasons, give it a try next time you have some password hashes to crack!
If you’d like to have LMG test the strength of your organization’s passwords, contact us at [email protected]