Jupyter Lab Framework Example: Revisiting CMIYC2022

By -

Midjourney generated picture of a cat in a tophat thowing playing cards


Everything that happens once can never happen again. But everything that happens twice will surely happen a third time.
-- Paulo Coelho

Introducing the JupyterLab Password Cracking Framework: 

For the last couple of months, I've been (slowly) working on building out a new backend/framework to be able to manage password cracking sessions using JupyterLab as the frontend/GUI. The current version of this framework is available [here].

Screenshot of the JupyterLab Framework

This project is under active development (well active for me anyways), and I'd really appreciate feedback and suggestions on how to extend and improve it. My goal is to have an opensource, community driven alternative for Team Hashcat's List Condense (LC) collaboration server ready by CMIYC2024.

About The Framework:

I view JuypterLabs as a stone soup. It provides a good interface, interactive Python debugger, and a way to save and share analysis results. But it is still up to you to do all of the backend analysis. That became very evident when I used JupyterLabs in the CMIYC2023 contest (as detailed in the previous three blog posts on this site). I spent a lot of time debugging my code and messing with data structures when I really needed to be focused on cracking passwords. I quickly realized for this approach to be effective in future password cracking contests that I'd need to develop back-end data structures and classes to better organize all the data and provide built-in features to aid in common tasks.

Backing up a bit, in the past I've really enjoyed using MITRE CRITs (Collaborative Research Into Threats) [Link]. Unfortunately CRITs is no longer being maintained (the switch from Python2 to Python3 killed the project), but it was a tool for CSOC (Cyber Security Operation Center) team members to collaborate with each other when analyzing intrusion sets and threat actors. CRITs organized Top Level Objects (TLO) into the following buckets/categories:
  • Actors
  • Campaigns
  • Certificates
  • Domains
  • Emails
  • Events
  • Indicators
  • IPs
  • PCAPs
  • Raw Data
  • Samples
  • Targets
It then made the data available in these different buckets cross linkable as well as accessible to various plugins.  Following that approach, I created several different TLOs for this password cracking framework:
  • Hashes: Contains information about the hashes including plaintext values, hash types, etc
  • Targets: Contains information about particular targets/users and metadata
  • Sessions: Contains information about a cracking session. The closes CRITs equivalent would be Campaigns.
  • PWCrackerMgr: Not really a data structure, but a way to translate between Hashcat and John the Ripper cracking sessions
In the future as this toolset becomes more developed, I may end up taking a lot of the metadata out of Targets and putting it into its own TLO much like CRITs did. Also longer term, I may end up incorporating disk storage or a database, but for now I'm keeping this focused on helping with password cracking competitions, (vs. activities like pen-testing and managing ALL my password lists). You can download the framework right now, and it already has some example Notebooks in it that show how to use it on the CMIYC2023 challenges.

What this framework WILL NOT do is crack hashes or run your actual cracking sessions. I may add some scripting/logging support in the future, but this framework is focused on helping with data analysis as well as automating some of the busywork/repetitive tasks in a password cracking competitions such as creating custom wordlists, left list, translating between JtR and Hashcat, and hash submission.

Using the Framework to Crack CMIYC2022 Challenges: 

A big question I have is how effective will this framework be in the NEXT password cracking challenge? Since I can't predict what Korelogic is going to do (beyond the fact that Bon Jovi references will somehow be involved), probably the best thing I can do is look back at past competitions. To that end I figured I might dig up the 2022 contest hashes and attempt to crack them again.

To obtain the challenge files, you can visit Korelogic's 2022 contest page [here].

Side note: Mad props to Korelogic for continuing to host past contest files. I really appreciate it!

Also, I had written a short blog post about my experiences in the contest, which is available [here].

I'll admit, it's always hard looking back on past work/documentation, but I'm a bit annoyed with my past self. I think that blog post has a lot of good information in it, but it really doesn't go into too much detail about the contest itself. On the plus side, that will make using this framework for this challenge more "realistic" since I can't just rely on my past documentation, and I have very hazy memories of what happened over a year ago.

Unpacking the Contest Files:

The CMIYC2022 contest had three file "drops" over the course of the challenge. Aka not all the hashes were released at the start, so this gave teams something constantly new to bang their heads against.

The contest files are PGP encrypted and as a player you need to decrypt them with the password that KoreLogic provided. Since the first thing I always do is Google "How do you decrypt PGP files" I'm going to put the command here for future me. Also this will hopefully disabuse you early on the false idea that I know what I'm doing ;p
  • gpg -o <output_file> -d <input_file>.pgp
Do that for all three files, saving them with .tgz extensions. Then unzip the files using the command:
  • tar -xvzf <input_file>.tgz
This creates three different directories filled with different encrypted file types. These are:
  • cmiyc-2022_street_1/
    • list18-Thursday17January2021.odt
    • list17-TOWMINTP.hashes.gpg
    • list19-paidanextra500000.zip
    • list20-Authoritiesappeartohaveuncoveredavastnefariousconspiracy.7z
    • list24-ThisYearsWorst.pdf
    • list16-FL_kdIZUGpI.zip
  • cmiyc-2022_street_2/
    • DEFCON-Street.kdbx
  • cmiyc-2022_street_3/
    • rar.sdrawkcab
    • 1991whattimeisit.tgz

Cracking the Encrypted File Containers (Part 1: File Extraction):

This competition starting to come back to me. The main issue with this challenge was to figure out how to crack the various encrypted file types. Once you cracked the top level file, it would present you an internal hash_list of fast to compute hashes that you need to crack for actual points. For the street teams, the top level file hashes are encrypted with fairly easy to guess passwords. For the pro teams ... not as much.

In my previous writeup [here] the first two "Tips" cover how to set up John the Ripper to crack these files. I'm going to largely skip those tips here, but assuming you followed them, the following commands can be used to extract and save the hash for the above file to a single file you can crack. I'm appending them all to a "encrypted_file_hashes.hash" file that I can load into JtR. If you want to use Hashcat to crack the hashes instead, you'll need to do some additional fixups to remove things like the username (or run hashcat with the --username field). Side note, I also highly recommend checking out [this] external blog entry about using John the Ripper to crack different file formats. I heavily leveraged it since it highlights things like to crack .odt files you need to use lbreoffice2john.
  • list16-FL_kdIZUGpI.zip
    • zip2john list16-FL_kdIZUGpI.zip >> hash_files/encrypted_file_hashes.hash
  • list17-TOWMINTP.hashes.gpg
    • gpg2john list17-TOWMINTP.hashes.gpg >> hash_files/encrypted_file_hashes.hash
  • list18-Thursday17January2021.odt
    • libreoffice2john.py list18-Thursday17January2021.odt >> hash_files/encrypted_file_hashes.hash
  • list19-paidanextra500000.zip
    • zip2john cmiyc-2022_list19-paidanextra500000.zip >> hash_files/encrypted_file_hashes.hash
  • list20-Authoritiesappeartohaveuncoveredavastnefariousconspiracy.7z
    • 7z2john.pl list20-Authoritiesappeartohaveuncoveredavastnefariousconspiracy.7z >> hash_files/encrypted_file_hashes.hash
  • DEFCON-Street.kdbx
    • keepass2john DEFCON-Street.kdbx >> hash_files/encrypted_file_hashes.hash
  • rar.sdrawkcab
    • rar2john rar.sdrawkcab >> hash_files/encrypted_file_hashes.hash
  • 1991whattimeisit.tgz
    • Trick challenge here! You can unzip/untar this with normal commands. Aka:
      • gunzip 1991whattimeisit.tgz
      • tar -xvf 19whattimeisit.tar
    • The real challenge is to decrypt a gocrypt message which isn't directly supported by either John the Ripper or Hashcat.
    • I'm going to skip this challenge for now. I have vague memories of downloading a gocrypt command line utility and writing a quick script to pass password into it from an external file. But since I'm focusing on the JupyterLab Framework, that yak shaving task is out of scope of this writeup.
  • list24-ThisYearsWorst.pdf
    • pdf2john.pl list24-ThisYearsWorst.pdf >> hash_files/encrypted_file_hashes.hash

Cracking the Encrypted File Containers (Part 2: JtR Cracking):

While I could certainly load these hashes into the JupyterLab Framework ... I don't see a lot of value doing so as there isn't a lot of "analysis" to do on them. Perhaps if/when I add the ability to keep track of targeted attacks, wordlists, and mangling rules run against a hash then it will make sense, but for now let's just crack these hashes so we can get access to the larger hash lists which we will be able to leverage the current JupyterLab Framework against. Below I'm going to list the JtR command I used (including mode) to crack the password as well as the plaintext. To help with spoilers, I'm setting the background of the plaintext to be black, but to read it you can just highlight the text and copy/paste it somewhere else.
  • list16-FL_kdIZUGpI.zip
    • john --pot=../pot_files/cmiyc2020_john.pot --format=pkzip encrypted_file_hashes.hash
    • Note: As I said, the street file passwords are pretty easy to guess...
    • Hackers
  • list17-TOWMINTP.hashes.gpg
    • john --pot=../pot_files/cmiyc2020_john.pot --format=gpg --wordlist=../wordlists/hacker_movies.txt --rules=Single encrypted_file_hashes.hash
    • Note: This one required a non-default attack, partially because GPG is such a slow format to make guesses against, and partially since the base word wasn't in JtR's default wordlist. Based on the other hashes I cracked I figured it'd be a Vegas themed password or from a hacker movie so I made a small wordlist based on that.
    • DEFCON
  • list18-Thursday17January2021.odt
    • john --pot=../pot_files/cmiyc2020_john.pot --format=odf --wordlist=password.lst --rules=":c;:u" encrypted_file_hashes.hash
    • Note: This was a slow enough hash that I couldn't do all the rules in Single mode in a reasonable timeframe. Also the base word wasn't in my targeted dictionary. But given the other cracked passwords I ran two rules against the default JtR dictionary on the command line (Capitalize and Uppercase). I wrote more how to specify rules on JtR's command line [here].
    • Sunday
  • list19-paidanextra500000.zip
    • john --pot=../pot_files/cmiyc2020_john.pot --format=pkzip encrypted_file_hashes.hash
    • Note: I cracked this one in the same session as list16, which is why it is nice to save all these hashes to the same hash-file
    • Swordfish
  • list20-Authoritiesappeartohaveuncoveredavastnefariousconspiracy.7z
    • john --pot=../pot_files/cmiyc2020_john.pot --format=76 --wordlist=password.lst --rules=":c;:u" encrypted_file_hashes.hash
    • Note: Same constraints and attack as I ran against list18.
    • Queen
  • DEFCON-Street.kdbx
    • john --pot=../pot_files/cmiyc2020_john.pot --format=KeePass encrypted_file_hashes.hash
    • Note: This attack froze up my laptop trying to run it under WSL, so I copied it over to my server to run which worked a lot better, with almost an instant crack. The funny part was, ((Spoiler Alert)) the "username" attack in JtR's Single mode cracked the password and not a normal dictionary attack
    • Street
  • rar.sdrawkcab
    • john --pot=../pot_files/cmiyc2020_john.pot --format=RAR5 encrypted_file_hashes.hash
    • Note: I'll admit I got thrown a bit with the format (trying --foramt=rar first) until I looked at the saved hash. Otherwise this was a simple crack with a default attack
    • drowssap
  • 1991whattimeisit.tgz
    • Didn't try this one for this writeup
  • list24-ThisYearsWorst.pdf
    • john --pot=../pot_files/cmiyc2020_john.pot --format=pdf encrypted_file_hashes.hash
    • Note: ((Spoiler)) Surprisingly it wasn't the username attack that got this one. The base word was in passwords.lst which is JtR's default wordlist.
    • Worst

Extracting the "REAL" Hash Lists:

The next step is to decrypt/unzip/open all the files and save the hashes from them. You may laugh, but I always forget the command line options to do this, so I'm listing how I did that below for future me. I'm also listing what types of hashes were in each file. To determine the hash type I mostly relied on looking at the scoreboard that KoreLogic published [link] and matching it to the hash. If that wasn't provided though, there would be several ways to figure out the hash such as using mdxfind.
  • list16-FL_kdIZUGpI.zip
    • unzip list16-FL_kdIZUGpI.zip
    • Contains: 2766 half-md5 hashes
    • JtR Mode: Not supported
    • HC Mode: 5100
  • list17-TOWMINTP.hashes.gpg
    • gpg -d list17-TOWMINTP.hashes.gpg > ../../hash_files/list17.txt
    • Note: I needed to pipe the results to a file to save them
    • Contains: 2933 raw-md5 hashes
    • JtR Mode: raw-md5
    • HC Mode: 0
  • list18-Thursday17January2021.odt
    • Open it on a Linux system using LibreOffice and paste the hashes into list18.hash
    • Contains: 5456 raw-sha1 hashes
    • JtR Mode: raw-sha1
    • HC Mode: 100
  • list19-paidanextra500000.zip
    • unzip list19-paidanextra500000.zip
    • Contains: 4997 raw-sha256 hashes
    • JtR Mode: raw-sha256
    • HC Mode: 1400
  • list20-Authoritiesappeartohaveuncoveredavastnefariousconspiracy.7z
    • 7z x list20-Authoritiesappeartohaveuncoveredavastnefariousconspiracy.7z
    • Contains: 10004 raw-sha384 hashes
    • JtR Mode: Raw-SHA384
    • HC Mode: 10800
  • DEFCON-Street.kdbx
    • Open the file in keepassx and then paste contents in list21.hashes
    • Note: There is a command line version but that became too big of a pain to figure out how to export the hashes properly
    • Contains: 10812 mssql05 hashes
    • JtR Mode: mssql05
    • HC Mode: 132
  • rar.sdrawkcab
    • unrar x rar.sdrawkcab
    • Contains: 4214 mysql CRAM hashes
    • JtR Mode: mysqlna
    • HC Mode: 11200
  • list24-ThisYearsWorst.pdf
    • Open in a PDF viewer and copy/paste the hashes into list24.hashes
    • Contains: 2000 SSHA/nsldaps hashes
    • JtR Mode: Salted-SHA1
    • HC Mode: 111

Creating a Config For the JupyterLab Framework:

Now that we have tens of thousands of password hashes to crack, it's time to use the JupyterLab password cracking framework. To do this, we'll first need to load the hashes into it, and to do that we'll need to configure the config file.

The framework uses the YAML file format for its configs. That means spaces/whitespace is important, but it is also a pretty flexible file format. For our config, we'll define our JtR and hashcat potfile locations, how much the hashes are worth, and where and how to load the hashes. I'll be including # Comments as well to help explain why I'm doing what I'm doing.

---
# This defines where the potfiles are for this contest. This lets you load cracked hashes from them
# as well as keep your JtR and HC potfiles synced.

  jtr_config:
    main_pot_file: "./challenge_files/CMIYC2022_Street/jtr_cmiyc2022.pot"
  
  hashcat_config:
    main_pot_file: "./challenge_files/CMIYC2022_Street/hc_cmiyc2022.potfile"

# This is information on where to load the challenge files. If they have additional metadata you
# may need to write a custom function to import them, but in this case they are pure raw hash lists
# so we can use the "plain_hash" plugin to import them.
#
# This plugin requires the hash type to be specified (if not it will default to "unknown"). Typically
# I use the JtR naming format for the hash type. The "source" field is used to list a source for the
# hashes in the framework. Basically it's a note for you later when looking at the cracked hashes.
#  
  challenge_files:
    list14:
      file: "./challenge_files/CMIYC2022_Street/sample_hashes/list14-4214-BrunnersMentalPrisoner.hashes"
      format: "plain_hash"
      type: "mysqlna"
      source: "list14-BrunnersMentalPrisoner"
    list16:
      file: "./challenge_files/CMIYC2022_Street/sample_hashes/list16-FL_kdIZUGpI.txt"
      format: "plain_hash"
      type: "half-md5"
      source: "list16-FL_kdIZUGpI"
    list17:
      file: "./challenge_files/CMIYC2022_Street/sample_hashes/list17.txt"
      format: "plain_hash"
      type: "raw-md5"
      source: "list17"
    list18:
      file: "./challenge_files/CMIYC2022_Street/sample_hashes/list18.hash"
      format: "plain_hash"
      type: "raw-sha1"
      source: "list18"
    list19:
      file: "./challenge_files/CMIYC2022_Street/sample_hashes/list19-paidanextra500000.hashes"
      format: "plain_hash"
      type: "raw-sha256"
      source: "list19-paidanextra500000"
    list20:
      file: "./challenge_files/CMIYC2022_Street/sample_hashes/list20-Authoritiesappeartohaveuncoveredavastnefariousconspiracy.hashes"
      format: "plain_hash"
      type: "raw-sha384"
      source: "list20-Authoritiesappearto"
    list21:
      file: "./challenge_files/CMIYC2022_Street/sample_hashes/list21.hashes"
      format: "plain_hash"
      type: "mssql05"
      source: "list21"
    list24:
      file: "./challenge_files/CMIYC2022_Street/sample_hashes/list24.hashes"
      format: "plain_hash"
      type: "ssha"
      source: "list24"

# The score info is taken from the Korelogic scoreboard. This isn't necessary, but it is nice to have
# a local count of what your score should be so you can compare it to the official score to validate that
# you are submitting your cracks properly
  score_info:
    raw-sha384: 46
    mysqlna: 17
    raw-sha256: 13
    mssql05: 9
    raw-sha1: 5
    ssha: 5
    half-md5: 3
    raw-md5: 1

Loading the Challenge Files into JupyterLab Framework:

This is the easy part for these hashes. The biggest challenge is setting up the config file. Once that's done you can just load it up in the current framework. At this point I should mention that I'll be eventually including the Notebook in this blog post in the example files in the framework github repo.

Loading the config/hashes in the Jupyter Framework

Once it is loaded you can run the built in tools to merge Hashcat and JtR potfiles, display cracked passwords, and calculate your expected score.

Picture of status after loading the initial hashes

Next Steps - Cracking Some Passwords:

There's not a ton more analysis to do (besides look at the cracks). And don't worry, we'll get to that! But this is where I'm glad that I decided to go back through these old CMIYC challenges. The last contest in 2023 was very heavy in its use of metadata. So I of course focused on metadata analysis for this framework. But for this contest, there is very little metadata. The focus instead was on cracking encrypted containers and (cough, SPOILER ALERT, cough) building custom wordlists from online articles. This highlights other new capabilities that I really want to add into this framework. For example, going through logfiles, extracting the rule/dictionary that cracked a password, and then storing that data with the hash in this framework. That would be super cool! How about doing google searches on passwords for you? That would be cool too. That points to the stone-soup approach of this framework. Once we have these hashes/passwords/metadata stored in a searchable framework with a Python3 backend we can build upon this to add new capabilities.

Enough talking! Let's look at some cracks. Looking above, I managed to crack over 50% of the ssha hashes in under a minute cracking run in JtR. I wonder what those plaintexts look like. I can use the SessionMgr.print_all_plaintext(meta_fields=['source']) to display them.

A bunch of easy passwords followed by 2022

You don't have to be a master password cracker to design an attack against these. That being said, going back to the score graph, they aren't worth a lot of points. Even if you cracked all 2k ssha hashes (which is totally doable) you would only get 10k points. That's a lot less than most of the other hash types. So this is a list to play around with when you don't have anything better to crack and need that serotonin  hit to see cracks flash across your terminal.

That leads us to the other hash lists. Let's check out the raw-sha1 hashes:

A bunch of cracks but many of them have the same base words

At least for the limited cracks so far, it looks like these plaintexts were generated using some common words that have various mangling rules applied to them.  You can start to see why I want to automate pulling out dictionaries + rules from JtR and HC logfiles to make it easier to reverse engineer these rules vs. having to do it by hand. 

Actually, this might be a good time to end this blog entry and work on some of those new features.... All the code is uploaded to the gitlab site and I'll upload some sample hashes as well so you can follow along. But for now I probably need to look into parsing some Hashcat log files.

Comments

Post a Comment

Popular posts from this blog

Tool Deep Dive: PRINCE

By -
Image
Tool Name: PRINCE (PRobability INfinite Chained Elements) Version Reviewed: 0.12 Author: Jens Steube, (Atom from Hashcat) OS Supported: Linux, Mac, and Windows Password Crackers Supported:  It is a command line tool so it will work with any cracker that accepts input from stdin Blog Change History: 1/4/2015: Fixed some terminology after talking to Atom 1/4/2015: Removed a part in the Algorithm Design section that talked about a bug that has since been fixed in version 0.13 1/4/2015: Added an additional test with PRINCE and JtR Incremental after a dictionary attack 1/4/2015: Added a section for using PRINCE with oclHashcat Brief Description:   PRINCE is a password guess generator and can be thought of as an advanced Combinator attack . Rather than taking as input two different dictionaries and then outputting all the possible two word combinations though, PRINCE only has one input dictionary and builds "chains" of combined words. These chains can have 1 to N wo
Read more

The RockYou 32 Million Password List Top 100

By -
But first, a quick responses to one of the previous comments, (since it really did merit a front-page post). Tfcx posted: The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082 Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now. Now on to the main topic: Per Thorsheim wrote: I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twi
Read more

Cracking the MySpace List - First Impressions

By -
Image
Alt Title: An Embarrassment of Riches Backstory: Sometime around 2008, a hacker or disgruntled employee managed to break into MySpace and steal all the usernames, e-mails, and passwords from the social networking site. This included information covering more than 360 million accounts. Who knows what else they stole or did, but for the purposes of this post I'll be focusing only on the account info. For excellent coverage of why the dataset appears to be from 2008 let me refer you to the always superb Troy Hunt's blog post on the subject . Side note, most of my information about this leak also comes from Troy's coverage. This dataset has been floating around the underground crime markets since then, but didn't gain widespread notoriety until May 2016 when an advertisement offering it for sale was posted to the "Real Deal" dark market website. Then on July 1st, 2016, another researcher managed to obtain a copy and then posted a public torrent of then entir
Read more