Showing posts from July, 2009

EliteHackers Data-set

If you haven't already heard, ZF0 just released their 5th installment of hacking the hackers, and boy is it a doozy. I was almost expecting to see my username/password show up there since it looks like the Cain & Abel forum was hacked about a month ago. Still, Mitnick, Kaminsky, and several other high-profile hackers were completely 0wned. I downloaded the data dump and have been perusing it. Coming in at a whopping 400+ pages long, it will make good reading on the airplane. Of course the part that really interested me was their coverage of cracking user passwords from the website. Apparently they grabbed around 24 thousand password hashes from the site and managed to crack 43% of them (of course they assigned it a N00b score of 87% since they multiplied it by x2 to make it look better. I guess it's like assigning a "proof" to describe the alcohol content of liqueur). That being said, since they were salted hashes, that's pretty good. Unf

Defcon 17

Just packing everything up and getting ready to head to Vegas. I'll be closing out the conference 4PM Sunday with my talk:

Cracking 400,000 Passwords, or How to Explain to Your Roommate Why the Power Bill is a Little High

Remember when was hacked in January and over 300,000 usernames and passwords were disclosed? Don't worry though, the hacker only tried to crack a third of them (dealing with big password lists is a pain), and of those he/she only broke 24%. Of course the cracked passwords weren't very surprising. Yes, we already know people use "password123". What's interesting though is figuring out what the other 76% of the users were doing. In this talk I'll discuss some of my experiences cracking passwords, from dealing with large password lists (95% of the list cracked so far), salted lists (Web Hosting Talk), and individual passwords (TrueCrypt is a pain). I'll also be releasing the tools and scripts I've developed alo

Pass-Phrase Input Dictionary

I could write some elaborate five thousand word post about this, but the following is fairly self-explanatory. I created an input dictionary of all the phrases in Wikiquote for use in cracking pass-phrases. You can download it off my tools site here. The final wordlist has around 187k phrases in it. I limited the phrases to a maximum size of 140 characters since anything longer than a Twitter quote probably won't be used in real life. On that note, anyone have any good ideas how to spider all the Twitter postings? A couple of things: First of all, I only used the primary quotes, not the derivations, since it's fairly hard to automatically parse them out without bringing in a ton of garbage as well. Second, talking about garbage, I'm parsing user-generated data so there are still some "artifacts" in the wordlist. Third, I left capitalization and punctuation in the actual quotes. If anyone wants a list with those removed please let me know. Also if you want a list

Keyboard Dictionaries

By far the most popular download from my dictionary based rainbow tables has been the input dictionary I created based on keyboard combos. It's been downloaded close to 2000 times, which means about 1995 more people have downloaded it than read this blog ;) So of course I'm looking to improve on it. The original dictionary was created thanks to an abundance of free time and my own personal lack of carpal tunnel syndrome as I typed each entry into it. The problem of course was that I've since found out that there were many keyboard combos that I missed. So that's why God (or at least Solar Designer) created external modules for John the Ripper. One of them simulates a keyboard layout, so if you type

./john -stdout -external=keyboard

it will start to output different strings based on how close the keys are on your actual keyboard. Me being the lazy person I am of course decided to pipe the output of that into a file to create a new and improved "keyboard dictionary"
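
The same key-adjacency idea can be turned around for password policy: the added example below (not code from this blog or from John the Ripper) measures the longest keyboard walk in a candidate password so that such patterns can be rejected at password-change time. The US QWERTY table, the row stagger values, and the `min_run` threshold of 4 are assumptions of this sketch.

```python
# Added example: detect keyboard-walk passwords (US QWERTY assumed).
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
# Horizontal stagger of each row in key widths (approximation of a physical keyboard).
OFFSETS = [0.0, 0.5, 0.75, 1.25]
# Shifted symbols mapped back to the physical key they share.
SHIFTED = dict(zip('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./"))

POS = {ch: (r, c + OFFSETS[r])
       for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def key_pos(ch):
    """Return (row, column) of the physical key for ch, or None if unmapped."""
    return POS.get(SHIFTED.get(ch, ch.lower()))


def is_adjacent(a, b):
    """True when two distinct keys touch: at most one row and one key width apart."""
    return a != b and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1.0


def longest_walk(password):
    """Length of the longest run of characters typed on successively adjacent keys."""
    best = run = 0
    prev = None
    for ch in password:
        pos = key_pos(ch)
        if pos is None:
            run = 0                      # unmapped character (space, unicode) breaks the walk
        elif prev is not None and is_adjacent(prev, pos):
            run += 1
        else:
            run = 1
        prev = pos
        best = max(best, run)
    return best


def is_keyboard_walk(password, min_run=4):
    """Policy check: flag passwords containing a walk of min_run or more keys."""
    return longest_walk(password) >= min_run


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real data set.
    for pw in ["qwerty", "1qaz2wsx", "!QAZxsw2", "password123", "Tr0ub4dor&3"]:
        print(f"{pw!r}: longest walk {longest_walk(pw)}, flagged={is_keyboard_walk(pw)}")
```

Because shifted symbols are folded back to their physical key, a pattern such as `!QAZxsw2` is scored as a single eight-key walk even though it looks like it mixes character classes.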