Passision – new wordlist creation tool

So a while back, Marcus Carey from ThreatAgent asked for input on wordlist creation. The general question was whether geo data (city, state, zip codes) would be something good to include when trying to crack passwords. My instant response was yes, as I’ve seen a decent amount of this type of thing. Remember the Linkedin hack: a ton of those passwords were some variation of the company’s name. So let’s start with how to get the tool.

Step 1: Go to threatagent.com and create a user account.

(screenshot: signup)

Step 2: Once you receive your email, click on Drone on the main page.

(screenshot: drone)

Step 3: Click on Deploy drone and figure out what company you want to create a wordlist from.

(screenshot: Org)

Step 4: Click next, then input the organization’s site.

(screenshot: site)

Step 5: Click next, then click Run.

(screenshot: Run)

Step 6: Allow the Drone program to complete the OSINT report.

(screenshot: mission)

Step 7: Once complete, click on Apps then Passision. Click Create wordlist.

(screenshot: passision)

Step 8: Allow the wordlist to be collected. Once it’s completed, you’re able to download it.

(screenshot: wordlist)

A fun little tidbit Marcus threw into his program is that it informs you if your wordlist contains profanity.

The big thing you must keep in mind is that you only get 5 searches with a basic/limited account, so unless you’re willing to pay for more searches, make sure you’re using them wisely!

My wordlist now shared

Alright everyone, the time has come for me to finally get off my lazy @$$ and share my wordlist. Now, the main thing with this wordlist is that it is a mixture of a ton of wordlists. For example, it includes @g0tmi1k’s 18in1, @purehate_’s old wordlist, @tekdefense’s random honeypot dump he gave me, @defusesec’s 15gb wordlist that was recently released, etc. Along with those wordlists it includes TONS of dumps from @cyber_war_news’ two sites and dumps I’ve posted, along with a connection to his dump site leaks-db.

I can’t thank the community and the people I interact with daily enough for all the support and teaching they’ve given. This is my way of giving back.

MY WORDLIST: 15.4gb tar-gz. Actual size is 69.3gb, so you’re aware! (EDITED TO BE A TORRENT)

Now, along with that, the fun part: since everything I give you seems to be broken in some manner, a lot of the wordlists probably need to be cut out and fixed. There are (I’m sure) hashes in this that don’t need to be there, and possibly duplicate words/phrases, BUT I’ve done my best to take care of that.

Mid-post update: While uploading the file last week, @bwallhatestwits wrote a little python script to remove invalid characters. This did wonders and got it down to the size it currently is.

If there is anything else people come up with, don’t hesitate to contact me on the twatters! Much love and awkward hugs to everyone in the community!!!

Editing Invalid Characters in text files

So last night I was working with @bwall on his tool distributed-hash-solving, and I ran into an issue in my MD5 pot file. It was showing NUL and other characters when viewing it in Notepad++.

After a little google-fu, I figured out a fix for it and then realized it was more than just NUL characters: it was almost every non-printable ASCII character, the ones Notepad++ displays as two- or three-letter abbreviations.

We start by opening N++ and getting a sample of the character we need to remove.

(screenshot: nul-screen)

As you can see, it decided to insert them between the hash and the correct output of the hash. A text sample of it would be:

NUL0NUL0NUL0 etc…

The fix for this is to hit CTRL-F, choose the Replace tab, and enter the corresponding ASCII hex escape (with the search mode set to Extended so the escape is interpreted). In this case, it’s \x00:

(screenshot: nul-replace)

Now you want to select Replace All. It took less than a minute and replaced over 150 instances of the NUL character. The output came to this:

(screenshot: nul-fix)

As you can see, properly fixed!

With that one character fixed, I also ran into almost every other possible HEX character being thrown into that file. The quick list of these to check for is:

(screenshot: asciifull)

\x00 – \x08 (\x09 is tab, which actually counts as a character in some passwords, so you don’t want to remove it)
\x0B – \x0F (\x0A is \n, your enter key, so again you don’t want to remove it)
\x10 – \x19
\x1A – \x1F

To ensure you ARE finding the correct characters, I recommend you hit Find Next before replacing, to ensure there IS an actual character that needs to be replaced AND that you aren’t going to goof up your .pot/.txt/* file like I did the first time I did this.
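The same cleanup done in a script rather than by hand in Notepad++, as an added example (my own code, not the script @bwallhatestwits wrote): it removes exactly the byte ranges listed above, keeps tab and newline, and offers a dry-run count so you can "find next" before you "replace all". The sample pot line is constructed to resemble the corrupted one shown earlier.

```python
from collections import Counter

# Byte ranges the post lists for removal: \x00-\x08 and \x0B-\x1F.
# \x09 (tab) and \x0A (newline) are left out of the set, as the post explains;
# pass keep={0x0D} if the file uses CRLF line endings and you want to preserve them.
CONTROL_BYTES = frozenset(range(0x00, 0x09)) | frozenset(range(0x0B, 0x20))


def count_control_bytes(data, keep=frozenset()):
    """Dry run, like hitting Find Next first: how many of each control byte are present."""
    return Counter(b for b in data if b in CONTROL_BYTES and b not in keep)


def strip_control_bytes(data, keep=frozenset()):
    """Return a copy of `data` with the listed control bytes removed (Replace All on every \\xNN)."""
    return bytes(b for b in data if b not in CONTROL_BYTES or b in keep)


def clean_file(src, dst, keep=frozenset()):
    """Read src as raw bytes, write the cleaned copy to dst, return what was removed."""
    with open(src, "rb") as f:
        data = f.read()
    found = count_control_bytes(data, keep)
    with open(dst, "wb") as f:
        f.write(strip_control_bytes(data, keep))
    return found


# Constructed sample resembling the corrupted pot line from the post: a NUL in front of
# each plaintext character, plus an ESC and a CR on a second line.
SAMPLE = (b"$dynamic_0$5fed917b9bb2d6ace789576b239901bd:\x001\x00Q\x002\x00W\n"
          b"\x1bsecond\tline\r\n")

if __name__ == "__main__":
    for byte, n in sorted(count_control_bytes(SAMPLE).items()):
        print(f"\\x{byte:02X}: {n} occurrence(s)")
    print(strip_control_bytes(SAMPLE))
```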

If you have any questions feel free to contact me on freenode #hacktalk #intern0t #isdpodcast or #offtopicsec and on twitter @drb0n3z.

Sharing the pot and asking for help!

So I’ve taken the advice of @hacktalkblog (again) and decided to throw all of the .pot files I have acquired together based on hash type. Essentially, all the MD5s in one, Sha1s in one, etc.

I’ve decided to share the .pots I have, which are only MD5 and Sha1 right now, and also throw everyone who wants it a list of MD5s that I have not yet been able to crack. I got the idea of sharing my .pot files from @bwall because of the hash cracking competition he is running at his site. If you decide to download it then please get back to me with what you can crack.

MD5.pot

SHA1.pot

My md5.pot file is 1.44mb (oddly small enough for a floppy =P) and my sha1.pot is 178mb.

HASHES-MD5.txt

Here is the list of hashes I haven’t been able to crack yet. It contains multiple dumps including:

7poker, acm.hdu.edu.cn, ctemag.com, digitword.com, djartsgames.ca, eharmony, euload, exonmobil, ftxtraders.eu, g4spass, some random ones from iran, last.fm, militarysingles, nvidia, and sex06.nl

About 99% of those dumps have been collected from @cwn.

One more note before I end this post: if you would like to share your .pot or your dictionaries, let me know and I will host the link on this post as well. I would also like a copy of whatever .pot files you can give, too.

-b0n3z

UPDATE: Thanks to @jmgosney & @coolacid for their help, I’ve been able to get about 400k more of those hashes cracked. Both the md5.pot and hashes-md5.txt file have been updated accordingly.

John the Ripper Intro

First off, thanks to @hacktalkblog and @nberthaume for all the help they have given me with JtR and Hashcat. This post will be a basic rundown (with a couple of advanced parts) for people just starting out in the world of hash cracking.

Let me start off by saying I use cygwin because I run Windows 7, since I fail and refuse to use a linux OS as my main. Meh. You should only have to slightly alter these commands, I believe, if you aren’t using cygwin.

cat *dictionaryfilelocation* | ./john --stdin --format:raw-*format* --pot=*filename*.pot --session=*name* --crack-status *hashfilelocation*

The above command should be pretty simple to understand, but I will break it down just in case. Everything inside the asterisks is what you must set yourself.

For me, I use cat /cygdrive/b/*. That means I’m catting everything on my b drive (which is reserved for my wordlists). You only need to do this if you have MULTIPLE dictionary files that you want JtR to run through and test against.

Next is --stdin, which just tells JtR to accept the information being piped into it.

--format:raw-*format* is where you input whatever format the hashes you want to crack are in. In most cases they will be MD5 or Sha1, from what I’ve seen in dumps over the past few months.

Your pot file is where the cracked hashes will be output. It will be put in the same directory as JtR. The output will look something like:

$dynamic_0$5fed917b9bb2d6ace789576b239901bd:1Q2W3E4R5T6Y7U8I9O0P
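An added example (my own code, not part of the post or of John) that reads pot lines in exactly this $dynamic_0$hash:plaintext shape, checks that each plaintext really hashes to the stored MD5 (a line mangled by the stray characters from the earlier post fails that check), and reports which hashes from a list like HASHES-MD5.txt are already cracked. The pot lines and hash list are constructed inline, not taken from the shared files.

```python
import hashlib

POT_PREFIX = "$dynamic_0$"  # tag John puts on raw-md5 entries, as in the post's sample line
HEX = set("0123456789abcdef")


def md5_hex(plain):
    """MD5 of a plaintext; latin-1 round-trips arbitrary single bytes found in dumps."""
    return hashlib.md5(plain.encode("latin-1")).hexdigest()


def parse_pot_line(line):
    """Split one pot line into (hash_hex, plaintext); None for blank or malformed lines."""
    line = line.rstrip("\r\n")
    if line.startswith(POT_PREFIX):
        line = line[len(POT_PREFIX):]
    # The hash is fixed-width, so split at the first ':' only; plaintexts may contain ':'.
    hash_hex, sep, plain = line.partition(":")
    hash_hex = hash_hex.lower()
    if not sep or len(hash_hex) != 32 or not set(hash_hex) <= HEX:
        return None
    return hash_hex, plain


def pot_entry_is_consistent(hash_hex, plain):
    """True only if MD5(plaintext) really is the stored hash; corrupted lines fail this."""
    return md5_hex(plain) == hash_hex


def split_cracked(hashes, pot_text):
    """Compare a hash list against a pot file: ({hash: plain} already cracked, [still uncracked])."""
    pot = {}
    for line in pot_text.splitlines():
        parsed = parse_pot_line(line)
        if parsed and pot_entry_is_consistent(*parsed):
            pot[parsed[0]] = parsed[1]
    cracked = {h.lower(): pot[h.lower()] for h in hashes if h.lower() in pot}
    uncracked = [h for h in hashes if h.lower() not in pot]
    return cracked, uncracked


# Constructed sample data (not the post's real .pot or hash list).
SAMPLE_POT = "\n".join([
    POT_PREFIX + md5_hex("1Q2W3E4R5T6Y7U8I9O0P") + ":1Q2W3E4R5T6Y7U8I9O0P",
    md5_hex("pass:word") + ":pass:word",              # plaintext that itself contains ':'
    POT_PREFIX + md5_hex("secret") + ":sec\x00ret",   # NUL-corrupted line, like the earlier post
])
SAMPLE_HASHES = [md5_hex(p) for p in ("1Q2W3E4R5T6Y7U8I9O0P", "pass:word", "secret", "nothere")]

if __name__ == "__main__":
    done, todo = split_cracked(SAMPLE_HASHES, SAMPLE_POT)
    print(len(done), "cracked,", len(todo), "still to crack:", todo)
```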

The session=*name* is used for a couple reasons:

  1. So that you can pause the cracking session and resume it later
  2. So that you can run multiple JtR sessions without a hassle

--crack-status will output lines like this:

guesses: 3  time: 0:00:07:58  c/s: 127406M  trying: EHARMONY1Wannabethe1 – EHARMONY1azreal

The last part of this command is the *hashfilelocation*. In my case it is:

/cygdrive/c/Users/username/Desktop/Pass\ Cracking/crackme/filename.txt

I keep all of the dumps I gather in that crackme directory for ease.

There are a few other ways to run JtR. I’ll touch on running rules with the same general command as above:

cat *dictionarylocation* | ./john --pipe --format:raw-*format* --pot=*filename*.pot --session=*name* --rules=*rule* --crack-status *hashfilelocation*

The change to the above command is --pipe. I’m not sure why you have to run pipe instead of stdin when running rules, but that’s the only way I’ve been able to get it working.

Along with that, you also have the --rules=*rule* option now. If you look here then you’ll see a quick rundown of rules. The easiest rule to use is of course rules=Single. I have found it extremely useful to also create your own rules based on the website name and run those. For me, I add rules to the john.ini file located in the run folder of JtR. I’ll give an example below:

[List.Rules:Nvidia]
# Nvidia Passwords
A0"[nN][vV][iI1][dD][iI1][aA4]"
Az"[nN][vV][iI1][dD][iI1][aA4]"

If you do a quick glance through the john.ini file you will see where you can add these rules. To create your own, follow the same basic guide above. List.Rules:*rulename* is set to whatever you want to type as the rule name in the command. The # is of course just a comment about what the rule is. A0 is to append everything and Az prepends. The word being played with is Nvidia. It will adjust everything with every possible combination you see per bracket. I’ll show how I did my Linkedin rules for the recent Linkedin dump:

[List.Rules:Linkedin]
# Linkedin Passwords
A0"[lL1][iI1][nN][kK][eE3][dD][iI][nN]"
Az"[lL1][iI1][nN][kK][eE3][dD][iI][nN]"

The same principle applies to the Linkedin rule we create above.
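To see what a rule section like these actually produces, here is an added example (my own code, not John's or the post's) that interprets just the two commands used above, A0"STR" and Az"STR", with [...] classes of literal characters, which is the only preprocessor feature these rules use. One caveat a reader will want: in John's own rule syntax, A0 inserts the string at position 0, i.e. in front of the word, and Az appends it at the end, and the code below follows that definition.

```python
import itertools
import re

# One [...] character class (literal members only, as in the rules above) or a single literal char.
TOKEN_RE = re.compile(r"\[([^\]]+)\]|(.)")
# The two rule commands the post uses: A0"STR" and Az"STR". Anything else is rejected.
RULE_RE = re.compile(r'A(0|z)"(.*)"')


def expand_classes(pattern):
    """Expand every [abc] class so each combination becomes one concrete string."""
    choices = [list(cls) if cls else [lit] for cls, lit in TOKEN_RE.findall(pattern)]
    return ["".join(combo) for combo in itertools.product(*choices)]


def apply_rule_line(rule_line, word):
    """Apply one rule line to a word: A0 inserts at position 0 (front), Az at the end."""
    m = RULE_RE.fullmatch(rule_line.strip())
    if not m:
        raise ValueError(f"unsupported rule line: {rule_line!r}")
    pos, pattern = m.groups()
    return [s + word if pos == "0" else word + s for s in expand_classes(pattern)]


def apply_rule_section(rule_lines, words):
    """Run every non-comment rule line over every word, as one [List.Rules:...] section would."""
    out = []
    for line in rule_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for w in words:
            out.extend(apply_rule_line(line, w))
    return out


# The Nvidia section from the post, as a list of lines (the [List.Rules:Nvidia] header omitted).
NVIDIA_RULES = [
    "# Nvidia Passwords",
    'A0"[nN][vV][iI1][dD][iI1][aA4]"',
    'Az"[nN][vV][iI1][dD][iI1][aA4]"',
]

if __name__ == "__main__":
    cands = apply_rule_section(NVIDIA_RULES, ["2012"])  # "2012" is a constructed wordlist entry
    print(len(cands), "candidates from one word, e.g.", cands[0], "and", cands[-1])
```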