Wednesday, June 24, 2009

Using online password crackers

Online password crackers are extremely popular and it's easy to see why. Instead of having to go through the trouble of cracking the password yourself, why don't you just submit it to someone else who has gigabytes, (to terabytes), of pre-calculated hashes to crack it for you. Just as a warning though, there are some privacy concerns when using these sites, (what? You don't think they store the hashes that are submitted to them?).

According to www.hashkiller.com, which keeps track of the effectiveness of these sites, (quick disclaimer: recently the reporting mechanism seems to be having issues), most of these sites crack around 20 to 40% of the passwords submitted to them which is fairly good, (actually really good since most of them rely on quick lookups in pre-generated tables). This statistic matches what I've seen both from my own testing and looking at other people's results, (aka the person who attacked phpbb.com submitted some of the passwords to one of the sites and cracked around 24% of them according to the textfile he/she posted online).

Recently I've been playing around with md5-utils, (available here), which is a program that will submit your password hashes to 33, (as of right now), different online password crackers. The advantage of course is that as a group online password crackers do very well. Where I've really found it useful though is as a sanity check on my own work. Aka as I posted before, I've cracked 90% of the phpbb.com list, but when I submitted a small subsection of the passwords I haven't cracked yet using md5-util I quickly found out that I needed to spend more time brute-forcing passwords that only contained uppercase letters and numbers, (I knew that was popular and even mentioned it back in my Shmoocon08 talk but for some reason I had forgotten that. Probably because I had associated it with LANMAN hashes.) People really hate hitting the shift key.

The main problem with md5-utils is that it is very "polite" in that it will only submit one hash at a time and it takes several minutes to check it. This means running even several hundred hashes though it takes a while. It would be fairly trivial to crank it up a notch, but I've been hesitant to do so since I like to live my life by the rule, "Don't be a jerk" and I don't want to hammer the online cracking sites with requests.

Now for some trivia. One password that md5-utils cracked was "HPw2207!@#" (without the quotes of course). Looking at it I was really impressed. Ok the "!@#" is fairly easy since it just is a keyboard combo, but to make a rule try three letters, (the first two capitalized), followed by four random numbers and then a keyboard combo of symbols is pretty impressive. It certainly wasn't pure brute force, that's for sure.  So of course I decided to do a google search to see if HPw2207 might actually mean something.
No, not Laura Croft. Look at the bottom right corner of the screen. Yup, the person had used the label on their monitor, HP2207, as their base password and then just added !@# to the end. I'm sure that's also how their password was cracked, aka in one of the input dictionaries someone has, they've probably listed out all the computer monitor types. Hey, I found it amusing plus it gives me a chance to post tomb raider pictures to this blog ;)

No comments: