Lance Grover

Lance Grover

CMIYC 2020

Posted date:


If you don’t know what this is….move along.

AC
To get started I ran rockyou.txt list using my AllRules.rule just to crack a few and see what we are dealing with. This was the first:
$5$4rm$XO0sNLIHhyJYLzKvGIXBTiK5F9LQI0G9iaWiFSlUv96:Dallas214
Then there was an Okland and Phoenix one that was similar, a quick google search identified that the 3 digits on the end are area codes! Looks like we have a list of cities and area codes!
Hash.Type……..: sha256crypt $5$, SHA256 (Unix)
AKA: “-m 7400”

Grabbed some lists of cities and area codes from here:
https://simplemaps.com/data/us-cities – just downloaded
http://jordonmeyer.com/text-list-of-us-cities/ – used cewl and copy/paste (cewl would lose city names with spaces in them)
https://www.50states.com/areacodes/ (didn’t really use yet)
https://www.lincmad.com/cities.html used cewl and copy/paste
https://www.nationalnanpa.com/reports/reports_cocodes_assign.html used cewl and copy/paste
https://www.bennetyee.org/ucsd-pages/area.html cewl and copy/paste
https://github.com/ravisorg/Area-Code-Geolocation-Database just downloaded the csv file then formatted it for use

Helpful notes:
had to uppercase first letter of words, could use the hashcast “E” rule which does that but wanted to pre-process the word list so I could use my add3digits.rule so I used this sed command:
sed -e "s/\b\(.\)/\u\1/g"

Also I used the combinator.bin from the hashcat-utils files to combine the area codes numbers to the city names. After that I began using the add3digits.rule mentioned below.
./combinator.bin cities.txt areacodes.txt > combined-city-and-area-codes.txt

Here is my current command run, notice I am keeping all these in their own pot file and the add3digits.rule came from my Netgear wifi cracking stuff.
hashcat -a 0 -m 7400 --username --potfile-path AC.potfile STREET-AC.hashlist AC/list2ofcities.txt -r AC/add3digits.rule

currently 64 out of 100….

AS
Started this one same as before, with rockyou and AllRules to see what I could find out. First two cracked were “#Usher” and “#Creek” so it looks like we have a “#” symbol with a word behind it…..quickly created a rule set that would put a # in front of the words and then play with capitol/lower/title type rules and called it AS.rule and started running my 4-6 character words from the Top2Billion file and also started pulling political terms and first/last names. I also used the city names from the AC wordlists above. Also pulled some other quality word lists.

0x01006a676130a7f0052290d7d458e4bfaf3975080aec40ba00ae:#Usher

hashcat -a 0 -m 132 –username –potfile-path AS.potfile STREET_AS.hashlist AC/cities.txt -r AS/AS.rule

CC
Also started this one with rockyou but used best64.rules(comes with hashcat) to just get a few to see what we are dealing with.
{SSHA}r4JFnNcaIUdpzy2MJvU/pBOWLbBoUjMw:Diner3835
and got a few more similar with a word and 4 digit number on the end….so started using the short lists as above but created a rule by using the mp64.bin from the hashcat-utils to generate a rule file to add the 4 digits:
mp64 -o CC.rule ‘$?d $?d $?d $?d’

I only got about 100 entries that way but found Dinner/Visa/JCB with 4 digit numbers so this helped me identify that this was related to credit card and system numbers….so I played around and found the numbers at the end were sometimes shorter/longer than only 4 digits. So I would do this:
hashcat -a 3 -m 111 –username –increment –increment-min 5 –potfile-path CC.potfile STREET_CC.hashlist Visa?d?d?d?d?d?d
This would start at 5 character passwords and build it’s way up….but I still needed to know the other credit card names…so I did this:
hashcat -a 3 -m 111 –username –increment -increment-min 3 –potfile-path CC.potfile STREET_CC.hashlist -1 ?u?l?d ?1?1?1?1?d?d?d?d?d
and when I would find a new base name I would use the previous method to find all it’s entries. (AMEX, Diner, DISC, enr, JCB, MC, Visa, VISA, VOY)

This got me to 100% on the CC list of hashes!

JM
for this since the hashes were not computationally heavy I went ahead and started with the Top2Billion-probable.txt and the AllRules.rule files. I noticed as we were cracking that the words were based off the words bad and medicine so I created a wordlist of just bad and medicine then started running my AllRules.rule on it. As each cracking pass finished I would take all the cracked hashes and add them to my wordlist file, something like this:
cat JM.potfile | cut -d ‘:’ -f 2 >> JM.wordlist.txt
I would then run the crack attempt using that new wordlist and my same AllRules.rule

hashcat -a 0 -m 100 –username –potfile-path JM.potfile STREET-JM.hashlist JM/JM.wordlist.txt -r JM/jm.rule

EM
This was fun, we had to discover the hash type, and it was too long to be an Oracle 11 hash, but we looked all over the place and found some identifiers that were saying Oracle 11, so we went ahead and put in a “:” at 40 basically splitting the hashes from the salts…and that was the key! I used a sed command to help:

sed 's/^\(.\{40\}\)/\1:/' hashfile

Then I just started with my rockyou with best64.rule and then plain old Top2Billion with best64…..etc.

I looked at the passwords, they were not very complicated and some were quite random, so I ran a mask attack using the increment flag for all lower case up to 8 char then upper case up to 8 char (most of the passwords were not mixed upper/lower.

HZ
This was mediawiki hashes…AKA: 3711 and started with rockyou and top2billion with no rules. Seemed like regular words….
$B$rZ3WFz6F$5ed001a9fa23ace4166fc6595fa18509:HAMMER
$B$rebdWsG7$6396788bfbb25f663876dbab4c563992:Thump3r
$B$cYFnWPRn$800a20342b3b892dd854c6d3b2f5e6fb:Andy
$B$Azr6gTvN$f13f761472c68b06e787f48ca8531e71:Bucky
$B$JCSUmSGA$a883ca2a7787ed715dce08d7ef3b55d9:Sup3rb0y
$B$vQf1lxk3$80ae87c4a639acc7a8c28a8e2e813e53:Thund3r
$B$dHF3qkHR$d0b134417c994e9ff76e1ad9709fbcf9:Qu33n
$B$AIAJubE0$aeca9fcc0085190d8899eee9e4682008:B@tm@n
$B$WVkLLrYl$a7c70e4a2ae39eeee271e85c1bda7922:Sp33dy
$B$B0goCogx$1444e9aa13c7bb451de84a7561ee0a2d:Sp@rr0w
$B$TGLtnEyD$442abce1476cff8ca87f418c8210523e:L@ur3n
$B$6sqzN0cD$89521971bd9e60feb90226f4162ab8bf:Sp3ctrum
$B$V6hjA94g$3cb8085d124d8931432e6030747b7289:1c3m@n
$B$U4oUh13D$2f80a35e6891a782a6565183dd11ee09:M
$B$7SKEO593$93189f760d95b31418decf24be379e7d:Humbug
but it does look like we are using @ for lowercase a and 3 for lowercase e, and possibly 1 for upper case I….will run a rule like that to see what we get. (update: it went very well!)
HZ.rule file contained:
se3 so0 sa@ sI1
so0 sa@ sI1
sa@ sI1
sI1
se3
so0
sa@

I split the top2billion file using splitlen.bin from hashcat-utils and made a file that only contained 1-8 character passwords then did this:

hashcat -a 0 -m 3711 –username –potfile-path HZ.potfile STREET-HZ.hashlist wordlists/split/one-to-eight.txt -r HZ/HZ.rule

NP
Seems to be 20300 – $pbkdf2-sha256$ but I think I was told it should be 10900 so I need to evaluate it, I ran rockyou on it for a bit with best64 but didn’t get anything so I will come back to this one.

JG
this one appears to be 23100 – apple keychain but my hashcat isn’t new enough to handle it…guess I need to do some upgrades before I work on this one.

MR
SHA2-256 hashes, and as I did my usual tests with rockyou and best64 it appears to be based off PAssword with two numbers and two symbols.
So…..I tried a hybrid attack with a wordlist that contained only PAssword:
hashcat -a 6 -m 1400 –username –potfile-path MR.potfile STREET_MR.hashlist MR/MR.wordlist ?d?d?s?s
didn’t get a ton but progress…now I assume there is a difference to the word PAssword I should play with….

MU
1700 sha-512, did usual test rockyou/best64 to get started, got nothing…switched to AllRules.rule, started getting 2020 in words, like at different positions in the words. So looks like a insert rule at different locations, but all the letters look lower case with no other numbers and some have a period at the end. It does look like a smaller subset of words may need to look closer at that.

Created a script to create a rule that will put 2020 in at different parts of a password, and will also append a ‘.’ and a ‘,’ at the end.

!/bin/bash
for num in {1..12}
do
num1=$(($num+1))
num2=$(($num+2))
num3=$(($num+3))
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo 0
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo “0 $.”
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo “0 $,”
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo “0 \$?”
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo “0 \$!”
done

RP
400 wordpress/joomla and ran usual rockyou/best64 started getting some…originally thought it was names/numbers of 8 char but started to get some shorter ones

TB
1800, started with usual rockyou/best64 but WOW it was going to take a LONG time…so I switched to just rockyou…. on a single 1080 card no rules it still says it will take 5 days…..

TH
1731 MSSQL (2012, 2014), running rockyou/best64