Saturday, March 5, 2011

cracking passwords-4

below are wordlists. The other instructions in this section are not really wordlists as the resulting file every
possible combination (depending on the options you give the program) of characters. I have not come across a
word to describe these files so I am naming a file that contains every possible combination of characters a
combination list. Not very original but it does clearly differentiate between the two types of lists. The
resulting combination list can be used in place of a wordlist. Please note that when you generate a
combination list the file will be huge. Using the 95 English characters to generate every possible combination
of 10 characters the resulting file size will be 95^10 =
59,873,693,923,837,900,000 bytes
59,873,693,923,837,900 KB
59,873,693,923,838 MB
59,873,693,924 GB
59,873,694 TB
59,874 PB
60 EB
For 14 characters the file size would be 4,877 YB
10.1 Using John the Ripper to generate a wordlist
For Windows use:
C:\john\john-386.exe --stdout --incremental >wordlist.txt
For Linux use:
#/usr/local/john/john --stdout --incremental >wordlist.txt
The resulting output will be written to the wordlist.txt file.
If you know the maximum length of the password you can use --stdout=length and john output passwords of
that length or less. For example --stdout=5 will generate words that are 5 characters long or shorter. Please
note that the maximum length john supports by default is 8. If you need to generate a 9 character or longer
wordlist you will have to download the source and change a line or two of code. Or you can use a different
tool.
Cracking Passwords Version 1.1 file:///D:/password10.html
29 of 45 2/15/2010 3:48 PM
You can also have john direct its output to other programs. For example to have john feed random passwords
to air-crack use:
john --incremental=All --stdout | aircrack-ng -b 00:11:22:33:44:55 -w --test.cap
10.2 Configuring John the Ripper to use a wordlist
If you have a wordlist (wordlist.txt) you want to try against NTLM hashes use the following command:
john -f:NT -w:wordlist.txt hash.txt
or you can edit the john.conf file to use your wordlist. So it would look like this:
[Options]
# Wordlist file name, to be used in batch mode
Wordlist = $JOHN/wordlist.txt
# Use idle cycles only
Idle = N
# Crash recovery file saving delay in seconds
Save = 600
# Beep when a password is found (who needs this anyway?)
Beep = N
10.3 Using crunch to generate a wordlist
in /pentest/password/crunch run it with a --help to see the options. It will ask for a minimum length, maximum
length, character set etc.
# cd /pentest/password
# crunch 1 8 abcdefghijklmnopqrstuvwxyz0123456789
or
# crunch 1 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
the character set can be whatever you want.
The optional fourth parameter allows you specific a pattern. For example if you know that the last 2
characters of a 8 character password are 99 you can do:
# crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -t
@@@@@@99
The @ characters will change while the 99 remains constant.
The optional fifth parameter allows you to specify a starting string. This is useful if you have to stop in the
middle a generation. Just do:
# tail output.txt
to see where the file left off and use -s start one character higher. For example:
# crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
aaaaaeDo
aaaaaeDp
aaaaaeDq
aaaaaeDr
aaaaaeDs
aaaaaeDt
aaaaaeDu
Cracking Passwords Version 1.1 file:///D:/password10.html
30 of 45 2/15/2010 3:48 PM
aaaaaeDv
aaaaaeDw
aaaaaeDx
aaaaaeDy
Press Ctrl-C
# crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -s
aaaaaeDz
aaaaaeDz
aaaaaeDA
aaaaaeDB
aaaaaeDC
aaaaaeDD
Use >output.txt to redirect the output from the screen to a file named output.txt
10.4 Generate a wordlist from a textfile or website
Sometimes users use words from their employeer's website. Their password could be the companies name or
the name of the flagship product. I will show you how to download the website and convert it into a wordlist.
These instructions are basically a text version of Pureh@te's flash video from http://blip.tv/rss/flash/533887. I
had to update my flash player so the video wasn't choppy. To update the flashplayer in BT4 do:
# apt-get remove flashplugin-nonfree
# wget http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_10_linux.tar.gz &&
tar xzf install_flash_player_10_linux.tar.gz && mkdir ~/.mozilla/plugins && mv libflashplayer.so ~/.mozilla
/plugins
1. boot BackTrack and login as root
2. # mkdir /target
3. # cd /target
# wget -r http://targetwebsite.com
wget -r will recursively download a website
4.
5. # cd /pentest/password/wyl
6. # perl wyd.pl -n -o - possiblepasswords.txt -/target
7. # cd /root
8. # cat possiblepasswords.txt
You now have a large unsorted file containing duplicate words. You will have to sort and uniq the file before
it is of any value. See section 15.7 on how to use sort and uniq.
10.5 Using premade wordlists
Xploitz and pureh@te have released their wordlists. The first two are torrents; the rest can be downloaded
from the URL.
pureh@te's wordlist - http://www.h33t.com/details.php?id=178f55c67ca0f522831dbc67042a34983e6652f5
Xploitz's first wordlist - http://thepiratebay.org/tor/4017231
Xploitz's second wordlist part 1 - http://www.mediafire.com/?am2exxlnwma
Xploitz's second wordlist part 2 - http://www.mediafire.com/?4mzmdsbhhcn
Xploitz's second wordlist part 3 - http://www.mediafire.com/?4v9znjscgwt
Cracking Passwords Version 1.1 file:///D:/password10.html
31 of 45 2/15/2010 3:48 PM
Xploitz's second wordlist part 4 - http://www.mediafire.com/?dmj6yy3gw3x
Xploitz's second wordlist part 5 - http://www.mediafire.com/?5tyidngmztx
Xploitz's second wordlist part 6 - http://www.mediafire.com/?3utzg3jk1mb
Xploitz's second wordlist part 7 - http://www.mediafire.com/?dmwdvdrgsgb
Pureh@te has released another wordlist. It is 64 million words 8-63 characters and it was made from his other
wordlist.
http://www.megaupload.com/?d=7RN6ZB2E
10.6 Other wordlist generators
You could try the wg perl script from http://freshmeat.net/projects/wg/
# perl ./wg.pl -l 8 -u 64 -v
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\`\~\!\@\#\$\%\^\&\*
\(\)\-\_\+\=\[\]\;\'\,\.\/\< \>\?\:\"\{\}\|\ > words.txt
This will generate a list of "words" (actually character strings) between 8 and 64 characters long (-l 8 -u 64)
and output it to a text file named "words.txt". The \ characters are there to escape the bash command
characters.
Siph0n has taken a C program a thread, converted it to python, and made a couple of enhancements. Here is
the python source code:
f=open('wordlist', 'w')
def xselections(items, n):
if n==0: yield []
else:
for i in xrange(len(items)):
for ss in xselections(items, n-1):
yield [items[i]]+ss
# Numbers = 48 - 57
# Capital = 65 - 90
# Lower = 97 - 122
numb = range(48,58)
cap = range(65,91)
low = range(97,123)
choice = 0
while int(choice) not in range(1,8):
choice = raw_input('''
1) Numbers
2) Capital Letters
3) Lowercase Letters
4) Numbers + Capital Letters
5) Numbers + Lowercase Letters
6) Numbers + Capital Letters + Lowercase Letters
7) Capital Letters + Lowercase Letters
: ''')
choice = int(choice)
Cracking Passwords Version 1.1 file:///D:/password10.html
32 of 45 2/15/2010 3:48 PM
poss = []
if choice == 1:
poss += numb
elif choice == 2:
poss += cap
elif choice == 3:
poss += low
elif choice == 4:
poss += numb
poss += cap
elif choice == 5:
poss += numb
poss += low
elif choice == 6:
poss += numb
poss += cap
poss += low
elif choice == 7:
poss += cap
poss += low
bigList = []
for i in poss:
bigList.append(str(chr(i)))
MIN = raw_input("What is the min size of the word? ")
MIN = int(MIN)
MAX = raw_input("What is the max size of the word? ")
MAX = int(MAX)
for i in range(MIN,MAX+1):
for s in xselections(bigList,i): f.write(''.join(s) + '\n')
NOTE: When generating your own wordlists keep in mind that some programs (aircrack-ng) have a 2GB file
size limit.
10.7 Manipulating your wordlist
So you now have a wordlist. What should you do with it? You need to manipulate it into something you can
use. You can of course just use the wordlist without manipulating it, but you may be sacrificing performance
and space. The first thing you should do is to combine, sort, and uniq all of the wordlists you have.
The following is from http://freeworld.thc.org/thc-hydra/README
uniq your dictionary files! this can save you a lot of time :-)
cat words.txt | sort | uniq > dictionary.txt
If you know that the target is using a password policy (allowing users only to choose password with a
minimum length of 6, containing a least one letter and one number, etc. use the tool pw-inspector which
comes along with the hydra package to reduce the password list:
cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt
Cracking Passwords Version 1.1 file:///D:/password10.html
33 of 45 2/15/2010 3:48 PM
If you are creating a wordlist specifically to crack WPA and WPA2 then the following command is what you
should use as it will get rid of any words shorter than 8 characters and longer than 63:
cat dictionary.txt | pw-inspector -m 8 -M 63 > WPAwordlist.txt
The above paragraph is true for any wordlist and very good advice. Remember you want as many possible
words as you can fit on your storage device. More is better as long as the list only contains unique words.
To see the number of lines (or words in this case) in the file:
# wc -l wordlist.txt
Now that you have a sorted, uniq'd wordlist you need to look at it and see what is in it. Opening a large
wordlist in vi or kwrite can take a lot of time and memory. I prefer to use head and tail to view the beginning
and end of the wordlist.
To view the first 30 lines of wordlist.txt:
# head -n 30 wordlist.txt
To view the last 30 lines of wordlist.txt:
# tail -n 30 wordlist.txt
Say that the first 25 and last 23 lines are garbage and you want to delete them. Opening wordlist.txt in vi and
kwrite might not work so good. You can use sed to change the file
To delete the first 25 lines of wordlist.txt:
# sed '1,25d' wordlist.txt
To delete the last 23 lines of wordlist.txt:
sed -n -e :a -e ‘1,23!{P;N;D;};N;ba’
Next you can use a permutator on your wordlist to make it bigger. A permutator will add wordlists based on
criteria you set. For example you want to a number to each word in your wordlist. Or you want to change all
of the a's to @'s. You can get a permutator from:
http://www.backtrack-linux.org/forums/backtrack-howtos/689-wordlist-menu-tool-backtrack-4-final.html
You can also take your wordlist and run it through john the ripper and increase its size by about 49 times.
Use:
john --wordlist=Wordlist.txt --rules --stdout >largelist.txt
If you are feeling a little lazy M1ck3y has created a script named Giga Wordlist Creator that can do all of this
for you. You can download the script and find how to use it at (English Translation) http://translate.google.fr
/translate?u=http%3A%2F%2Fwww.crack-wpa.fr%2Fforum%2Fviewtopic.php%3Fid%3D126&hl=fr&
ie=UTF-8&sl=fr&tl=en
NOTE: When generating your own wordlists keep in mind that some programs (aircrack-ng) have a 2GB file
size limit. There is also the issue of RAM. If you can keep the entire wordlist in RAM, the cracking will
proceed that much faster. So keep your wordlists to a maximum of 2GB. If you have a 3GB wordlist and you
want to break it into 1GB chucks do:
# split -bytes=1024 m /tmp/dictionary_file_3GB /tmp/smaller_dictionary_file
please substitute 1024 m for whatever size you wish and change /tmp/ to the proper path you want to use.
It is also popular to leetify passwords. For example password becomes p@ssword, pa$$word, passw0rd,
p@$$w0rd, etc. Here is a perl script written by Gitsnik and a modified version of Gitsnik's script and modified
by robot
#!/usr/bin/env perl
Cracking Passwords Version 1.1 file:///D:/password10.html
34 of 45 2/15/2010 3:48 PM
use strict;
use warnings;
my %permution = (
"a" => [ "a", "A", "4", "@", "&"],
"b" => "bB8",
"c" => "cC",
"d" => [ "d", "D", "|)" ],
"e" => "eE3",
"f" => "fF",
"g" => "gG9",
"h" => "hH",
"i" => "iI!|1",
"j" => "jJ",
"k" => [ "k", "K", "|<" ],
"l" => [ "l", "L", "!", "7", "1", "|", "|_" ],
"m" => [ "m", "M", "/\\/\\" ],
"n" => [ "n", "N", "|\\|" ],
"o" => [ "o", "O", "0", "()" ],
"p" => "pP",
"q" => "qQ",
"r" => [ "r", "R", "|2" ],
"s" => "sS5\$",
"t" => "tT71+",
"u" => "uU",
"v" => [ "v", "V", "\\/" ],
"w" => ["w", "W", "\\/\\/" ],
"x" => "xX",
"y" => "yY",
"z" => "zZ2",
);
# End config
while (my $word = <>) {
chomp $word;
my @string = split //, lc($word);
permute(0, @string);
}
sub permute {
my $num = shift;
my @str = @_;
my $len = @str;
if ($num >= $len) {
foreach my $char (@str) {
print $char;
}
print "\n";
return;
Cracking Passwords Version 1.1 file:///D:/password10.html
35 of 45 2/15/2010 3:48 PM
}
my $per = $permution{$str[$num]};
if ($per) {
my @letters = ();
if (ref($per) eq 'ARRAY') {
@letters = @$per;
} else {
@letters = split //, $per;
}
$per = "";
foreach $per (@letters) {
my $s = "";
for (my $i = 0; $i < $len; ++$i) {
if ($i eq 0) {
if ($i eq $num) {
$s = $per;
} else {
$s = $str[0];
}
} else {
if ($i eq $num) {
$s .= $per;
} else {
$s .= $str[$i];
}
}
}
my @st = split //, $s;
permute(($num + 1), @st);
}
} else {
permute(($num + 1), @str);
}
}
A python script that leetifies passwords is included with BackTrack 4. It can be found in /pentest/passwords
/cupp. It is easy to use.
1. boot BackTrack and login as root
2. open a terminal window
3. # cd /pentest/password/cupp
4. # ./cupp -i
5. answer the questions and wait until the program is fisished generating its file

No comments:

Post a Comment