Play by your own rules!
Tatiana Mikhailova
Problem
Why do we need rules? TO BREAK FREE OF COURSE!
Using dictionaries with and without rules
Hashcat rules
./hashcat-cli64.bin -r rule --stdout word
Testing existing rules
wc -l /hashcat/rules/*
Rule set             Number of rules
best64.rule          64
d3ad0ne.rule         35406
dive.rule            123289
generated.rule       14734
leetspeak.rule       29
oscommerce.rule      256
rockyou-30000.rule   211
# 12000 random rules that produced good results
}}}}*15'4 }}}}}}Y 4'4 d }}}}}'5'4 p 1 }}}}}'5 }}}}'4 }}}} }}}: }}} }}D 1{ }} }x 32 }x 14
Attack scenario
54b3f4bd6d43cc7216b7ff064af97926 …
hashcat (rockyou + best64.rule)
Password 123
Gfhjkmm88
1q2w3e4r5t
Testing rules with the rockyou wordlist
Rockyou.txt ~14 000
Rules          Result   Number of rules   Cracked
best64         23.50    64                0
d3ad0ne        50.46    35406             553
dive           54.09    123289            1926
HashManager    47.27    6746              105
PasswordsPro   45.18    3254              50
T0XlC          39.8     4089              63
Existing short rule sets
https://github.com/praetorian-inc/Hob0Rules
https://github.com/NSAKEY/nsa-rules
Password analysis
20k passwords
1. Take password
2. Disassemble
   i. Find out word
   ii. Find out mutations
3. goto 1
It’s very funny and interesting!...
The first 100 passwords
Figuring out patterns
Password            Pattern
Bezopasnost’1984    c(translit(rus_word))|year
21011975flower      date|word
123Tanya!           ^3^2^1 c(name)$!
vjcrdf2017          layout(r_word)|year

Pattern                   Result
c(word)                   Word
word|date                 word12051987
date|word                 12051987word
word|digits               word555, word123
word$(symbol)             word!, word%
word$c(letter)$(letter)   wordAs
Making rule sets
“Requirements”
• Logic
• Applicability for any word length
• Dictionary dependency
• Uniqueness
E.g. years, dates, digit sequences
Patterns and wordlists
Wordlist: Name, surname
Patterns: c(word)$year  c(word)$d$d  c(word)$sequence
Wordlist: Russian word in English layout; Russian word in translit; English word
Patterns: c(word)$year  c(word)$d$d$d  word$d$d$d  c(word)$year  c(word)$d  c(word)$sequence
Testing
• 11000 rules
• 100 wordlists
• 100 hash lists
32 test lists
11000*100*100 = 110 000 000
24 h = 86400 sec
110 000 000/86400 = 1273 days
Wow, finished!
Testing architecture
Diagram labels: Hash files, Wordlist + Rule, String apply_rule(String word, String rule), ?, Result, Recovered passwords, Rules
Wordlists vs password dictionaries
Popular rules: ]]  $1  ]]c  co93  ]]]  ‘7$1  cTBiB+  [[[[u
Wordlist  Rule  Password dictionary  Rule
moscow  c$2$0$1$7  Moscow2016  ]$7  o97
moscow  c$2$0$1$6$!  Moscow2016  $!
kitty  $1$2$3  kitty123  Kitty111  l]]$2$3
Testing again
1. Make short rule sets
   a. best64
   b. best32
2. Testing
   a. Compare results with well-known rules
3. Take the best ones
4. ...
5. Profit!
Don’t forget! Train on one data set, test on another.
Results
Rules             Result
best64.rule       8.75
hoboRules.rule    8.97
nsa.rule          7.88
best32.rule_1     9.13
best32.rule_2     9.82
best64.rule_1     10.91
best64.rule_2     11.22

*rockyou
best64_1          29.36
best64_2          29.32
best32_1          25.41
best32_2          25.85
best64            23.50
Best rules
: $2 $9 $0 $2$3 c $1 $3 c$! $1$1 $4 c$1 $1$2$3 $5 c$1$2$3$4 $6 c$1$2$3$4$5 $7 c$1$2$3$4$5$6 $8 c$1$2$3$4$5$6 c$2 c$3 c$2$0$1$6 c$2$0$1$7 cr. T 0 r
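An added example (not code from the talk or from hashcat): a minimal Python version of the apply_rule(word, rule) step from the testing architecture slide, used the way a password audit would use it, to flag passwords that are only a dictionary word plus one of the rules from the "Best rules" slide and to rank rules by how many audited passwords they reach. It handles only a subset of hashcat rule functions; the word list, the audited passwords and the helper names derivations and rank_rules are constructed for illustration.

```python
from collections import Counter

# ":" is hashcat's no-op rule; the others appear on the "Best rules" slide.
BEST_RULES = [":", "c", "$1", "c$1", "$1$2$3", "c$!", "c$2$0$1$6", "c$2$0$1$7"]
# Constructed sample data (not from the talk).
WORDS = ["moscow", "kitty", "password"]
AUDITED = ["Moscow2017", "kitty123", "Password1", "Kitty1", "zq7#Lw!pX0vd"]

def apply_rule(word, rule):
    """Apply one hashcat-style rule; handles only : c l r ] [ $X ^X."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op in ": ":                       # no-op or separator
            pass
        elif op == "c":                      # capitalize first, lowercase rest
            out = out[:1].upper() + out[1:].lower()
        elif op == "l":                      # lowercase everything
            out = out.lower()
        elif op == "r":                      # reverse
            out = out[::-1]
        elif op == "]":                      # delete last character
            out = out[:-1]
        elif op == "[":                      # delete first character
            out = out[1:]
        elif op in "$^" and i + 1 < len(rule):
            i += 1                           # next char is the argument
            out = out + rule[i] if op == "$" else rule[i] + out
        else:
            raise ValueError(f"unsupported function {op!r} in rule {rule!r}")
        i += 1
    return out

def derivations(password, wordlist, rules=BEST_RULES):
    """Return every (word, rule) pair that reproduces the password exactly."""
    return [(w, r) for w in wordlist for r in rules if apply_rule(w, r) == password]

def rank_rules(rules, wordlist, passwords):
    """Count how many audited passwords each rule reaches, best first."""
    targets = set(passwords)
    hits = Counter({r: len({apply_rule(w, r) for w in wordlist} & targets)
                    for r in rules})
    return hits.most_common()

if __name__ == "__main__":
    for pw in AUDITED:
        print(pw, "->", derivations(pw, WORDS) or "not derivable")
    print(rank_rules(BEST_RULES, WORDS, AUDITED))
```

A password for which derivations returns a non-empty list is one step away from a dictionary word under these rules, which is the property a password policy check or audit would reject.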
Links
https://github.com/ttmyst/tmyst_rules
@imtatyanaa