My friend Bob stumbled upon a database with something like 10.000 records: name, surname, address, email, birth date, telephone number, and a hash.
John the Ripper tells us:
Loaded 9489 password hashes with 142 different salts (descrypt, traditional crypt(3) [DES 128/128 AVX-16])
Too bad that descrypt only looks at the first 8 characters of a password.
The database has 9546 records, and John detects 9489 hashes. I took a quick look, and it seems that it's riddled with unintentional SQL injection holes. Fantastic.
I don't have a cluster to process the list, only my laptop, but I managed to crack almost 60% in a week by trying various things:
- Classic dictionaries (cracked at least 25%)
- KoreLogic rules
- Stupid patterns (like ?d?d/?d?d/?d?d, ?d?d?d?d?d?d or ?d?d?d?d?l)
- The Markov mode is funny, but you need a good dictionary
- Crawling the website with cewl yields gems.
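Estimating how much work a mask pattern represents is part of the "thinking about patterns" mentioned in this post. The following is an added example, not code from the original post or from John the Ripper: a small keyspace calculator for the John/hashcat-style masks listed above, with a mode that only counts the first 8 positions, because traditional DES crypt(3) (descrypt) ignores everything after the 8th character. The candidate rate used in the timing estimate is an assumed figure, not something measured on the author's laptop.

```python
"""Added example, not code from the original post: a mask keyspace
calculator for John the Ripper / hashcat style patterns, with a "descrypt"
mode that only counts the first 8 positions (traditional DES crypt(3)
truncates the password there).  The rate used below is an assumption."""
from typing import List, Optional

# Placeholder classes with their standard sizes.  A literal character in a
# mask (the '/' in ?d?d/?d?d/?d?d) contributes one possibility, and "??" is
# the escape for a literal question mark.
MASK_CLASSES = {
    "?l": 26,  # lowercase letter
    "?u": 26,  # uppercase letter
    "?d": 10,  # digit
    "?s": 33,  # printable ASCII punctuation (hashcat's ?s)
    "?a": 95,  # any printable ASCII character
}

DESCRYPT_MAX_LEN = 8  # descrypt ignores everything after the 8th character


def tokenize(mask: str) -> List[str]:
    """Split a mask into placeholder tokens and literal characters."""
    tokens = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            tok = mask[i:i + 2]
            if tok in MASK_CLASSES or tok == "??":
                tokens.append(tok)
                i += 2
                continue
        tokens.append(mask[i])  # literal character
        i += 1
    return tokens


def mask_keyspace(mask: str, max_len: Optional[int] = None) -> int:
    """Number of candidates the mask generates.  With max_len set, positions
    beyond it are dropped, which is what a hash that truncates its input
    (descrypt at 8) effectively does: extra positions add nothing."""
    tokens = tokenize(mask)
    if max_len is not None:
        tokens = tokens[:max_len]
    total = 1
    for tok in tokens:
        total *= MASK_CLASSES.get(tok, 1)  # literals and "??" count as 1
    return total


def seconds_to_exhaust(keyspace: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at a given rate."""
    return keyspace / rate_per_second


if __name__ == "__main__":
    RATE = 5_000_000.0  # assumed descrypt candidates/s, purely illustrative
    for mask in ("?d?d/?d?d/?d?d", "?d?d?d?d?d?d", "?d?d?d?d?l",
                 "?l?l?l?l?l?l?l?l", "?l?l?l?l?l?l?l?l?l?l"):
        full = mask_keyspace(mask)
        eff = mask_keyspace(mask, DESCRYPT_MAX_LEN)
        hours = seconds_to_exhaust(eff, RATE) / 3600
        print(f"{mask:24s} full={full:>16,d} descrypt={eff:>16,d} ~{hours:.1f} h")
```

The last line of the table is the point of the 8-character caveat: a ten-letter lowercase mask costs 26^10 candidates against a modern hash, but only 26^8 against descrypt, since the two extra letters never reach the algorithm.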
Stats
Since I was asked not to disclose the name of the website, I removed some stats/names/passwords and replaced them with [...].
Top 10 passwords
caroline = 4 (0.08%)
123456 = 4 (0.08%)
doudou = 3 (0.06%)
1664 = 3 (0.06%)
mercedes = 3 (0.06%)
lapin = 3 (0.06%)
Catouill = 3 (0.06%)
azerty = 3 (0.06%)
[...] = 3 (0.06%)
issnancy = 3 (0.06%)
Top 10 base words
[...] = 17 (0.32%)
azerty = 14 (0.26%)
julien = 8 (0.15%)
nico = 7 (0.13%)
coucou = 6 (0.11%)
bonjour = 6 (0.11%)
aout = 5 (0.09%)
[...] = 5 (0.09%)
lapin = 5 (0.09%)
nicolas = 5 (0.09%)
The removed base words are, of course, the name of the entity and of the website.
Password length
8 = 2914 (54.98%)
6 = 1251 (23.6%)
7 = 721 (13.6%)
5 = 217 (4.09%)
4 = 179 (3.38%)
3 = 14 (0.26%)
2 = 2 (0.04%)
1 = 2 (0.04%)
Digits
Last digit
0 = 242 (4.57%)
1 = 268 (5.06%)
2 = 240 (4.53%)
3 = 201 (3.79%)
4 = 157 (2.96%)
5 = 183 (3.45%)
6 = 164 (3.09%)
7 = 150 (2.83%)
8 = 194 (3.66%)
9 = 216 (4.08%)
Last 2 digits (Top 10)
90 = 52 (0.98%)
88 = 51 (0.96%)
89 = 47 (0.89%)
85 = 42 (0.79%)
12 = 42 (0.79%)
87 = 41 (0.77%)
23 = 40 (0.75%)
00 = 40 (0.75%)
25 = 40 (0.75%)
10 = 39 (0.74%)
I suspect the top 4 are birth dates.
Last 3 digits (Top 10)
123 = 24 (0.45%)
987 = 20 (0.38%)
985 = 16 (0.3%)
986 = 16 (0.3%)
989 = 14 (0.26%)
984 = 14 (0.26%)
456 = 14 (0.26%)
988 = 12 (0.23%)
990 = 12 (0.23%)
198 = 11 (0.21%)
Birth dates again!
Last 4 digits (Top 10)
1987 = 17 (0.32%)
1989 = 14 (0.26%)
1986 = 14 (0.26%)
1985 = 13 (0.25%)
1984 = 12 (0.23%)
1993 = 10 (0.19%)
1990 = 8 (0.15%)
1983 = 8 (0.15%)
1988 = 8 (0.15%)
1991 = 7 (0.13%)
Still birth dates.
Charset
loweralpha: 2644 (49.89%)
loweralphanum: 1426 (26.91%)
numeric: 807 (15.23%)
mixedalphanum: 121 (2.28%)
mixedalpha: 119 (2.25%)
upperalpha: 62 (1.17%)
upperalphanum: 37 (0.7%)
loweralphaspecial: 26 (0.49%)
loweralphaspecialnum: 25 (0.47%)
specialnum: 6 (0.11%)
mixedalphaspecialnum: 6 (0.11%)
mixedalphaspecial: 5 (0.09%)
upperalphaspecialnum: 1 (0.02%)
special: 1 (0.02%)
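The statistics above are the kind a pipal-style script produces from a cracked list. The following is an added example, not code from the original post or from any tool mentioned in it: a small analyser that reproduces those categories (length, charset class with the same names as above, last 1 to 4 trailing digits, top passwords and base words) and prints them in the same "key = count (pct%)" layout. The sample list is constructed for illustration and has nothing to do with the dump discussed here; "base word" is taken to mean the password with digits and symbols stripped from both ends, which is an assumption about the definition.

```python
"""Added example, not part of the original post: a pipal-style analyser
for a list of cracked passwords.  SAMPLE_PASSWORDS is constructed data."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input (not real data).
SAMPLE_PASSWORDS: List[str] = [
    "caroline", "123456", "azerty", "julien87", "Nico1989", "lapin",
    "coucou12", "bonjour!", "P@ss1", "1664", "1664", "azerty90", "ABCD",
]

_TRAILING_DIGITS = re.compile(r"\d+$")
_EDGE_NON_LETTERS = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def charset_class(pw: str) -> str:
    """Name the character classes present, using the category names used in
    the post (loweralpha, mixedalphanum, loweralphaspecialnum, numeric, ...)."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    if has_lower and has_upper:
        name = "mixedalpha"
    elif has_lower:
        name = "loweralpha"
    elif has_upper:
        name = "upperalpha"
    else:
        name = ""
    if has_special:
        name += "special"
    if has_digit:
        name += "num"
    return "numeric" if name == "num" else name


def base_word(pw: str) -> str:
    """Assumed definition: strip digits/symbols from both ends, lowercase."""
    return _EDGE_NON_LETTERS.sub("", pw).lower()


def percent(count: int, total: int) -> float:
    return round(100.0 * count / total, 2)


def analyse(passwords: List[str]) -> Dict:
    """Return all counters needed for the report."""
    stats = {
        "total": len(passwords),
        "passwords": Counter(passwords),
        "length": Counter(len(pw) for pw in passwords),
        "charset": Counter(charset_class(pw) for pw in passwords),
        "last_digits": {n: Counter() for n in (1, 2, 3, 4)},
        "base_words": Counter(),
    }
    for pw in passwords:
        m = _TRAILING_DIGITS.search(pw)
        if m:
            run = m.group(0)
            # "Last N digits" only counts when the trailing digit run is that long.
            for n in (1, 2, 3, 4):
                if len(run) >= n:
                    stats["last_digits"][n][run[-n:]] += 1
        bw = base_word(pw)
        if bw:
            stats["base_words"][bw] += 1
    return stats


def report(stats: Dict, top: int = 10) -> None:
    """Print in the same 'key = count (pct%)' layout as the post."""
    total = stats["total"]
    sections = [("Top passwords", stats["passwords"]),
                ("Top base words", stats["base_words"]),
                ("Password length", stats["length"]),
                ("Charset", stats["charset"])]
    sections += [(f"Last {n} digit(s)", c) for n, c in stats["last_digits"].items()]
    for title, counter in sections:
        print(title)
        for key, count in counter.most_common(top):
            print(f"{key} = {count} ({percent(count, total)}%)")
        print()


if __name__ == "__main__":
    report(analyse(SAMPLE_PASSWORDS))
```

Run against a real cracked list (one password per line, fed into analyse), the trailing-digit counters are the quickest way to spot the birth-year pattern visible in the tables above, and the charset counter shows how much of a user base lives in the loweralpha bucket.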
Some funny passwords
If you don't have a French background, you may miss a lot of fun.
- vaches
- ilovesex
- sexfight
- sexylove
- 3615moim
- moimeme
- alpine
- mabiteda
- 127.0.0.
- dstoncul
- schnappy
- iso9001
- lefigaro
- ...
Conclusion
The website has been alerted, holes are being fixed, and the hash algorithm changed.
It was the first time I used John, and I liked the experience: writing rules, thinking about patterns, estimating complexity, ...
Now I want a big cluster :<