Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Aug 2010 15:01:17 -0500
From: Minga Minga <>
Subject: Re: Defcon18 "Crack Me If You Can" Complete Pot File

On Tue, Aug 24, 2010 at 5:09 AM, Solar Designer <> wrote:
> I second that, although it'd be non-trivial for Kore to come up with a
> new password list.  This time, they had the password list tied to their
> unreleased word mangling rules - but next time it should probably be
> different.  Perhaps the passwords will need to be more real-world'ish,
> yet not real.

As was mentioned before and during the contest, the password patterns
(and JtR rules) used to generate the password hashes for the contest were
based 100% on patterns seen "in the wild".

Let me restate this to be clear. The rules to generate the hashes were
__NOT__ created specifically for this contest. Instead, the rules were
created by me during the process of auditing passwords found on
corporate networks. These patterns were based off of patterns chosen
by __REAL__ people. Ive been learning to write JtR rules for about a
year, and have created new JtR rules every time I notice a few password
pattern. This was the basis of the contest.

(The exact same argument can be used for how the wordlists were chosen
for the contest as well. With a few exceptions).


An example that was mentioned was our use of "date based" passwords.
Although there are some default JtR rules that do date-based manipulations,
we do _NOT_ see those working to the extent we like in real-world
large scale examples. (Such as representing months as numbers, and
appending them)

>From some recent data, an Active Directory has 40000 accounts in it. The
2nd, 4th and 9th most common password revolve around the 3-letter months
prepended to a string. All in all, over 5000 of the 40000 passwords have
a month as part of the password. (Approx 12.5 %). To discount the
fact that over 12%  of the cracked hashes can be cracked with the
following rules, is illogical:


This is how/why these rules were created. _NOT_ for the contest.
Their inclusion in the contest was to show contestants about the
importance of discovering new patterns, and writing rules to meet
these patterns.


I am curious what other statistics and datasets other users have access to.

I based my opinions/data/rules off of a john.pot with:

3.2 million privately obtained cracked passwords. (no public-record
password hashes)
of which 1.2 million are NTLMs. I am currently working on a list of
210,000 {SSHA}

Each one of those passwords was hand-chosen by a user in a corporate
environment. These users usually have to change their password
every few months, and also have to meet complexity rules. (Which introduces
new patterns).

It is my opinion, that sites on the Internet (such as Google / Facebook)
will _eventually_ force password complexity and password rotation in
order to protect their users. As soon as this _does_ take place,
new patterns will be introduced by users trying to remember their
even changing passwords.

We need to adapt our methods/tools/wordlists _NOW_ in order to
crack these passwords. We cannot live in a cave, and assume our
rules do not need to be changed/adapted. After doing pentests
for 10 years, this has already been proven to me to not be beneficial.

This was the goal of the DEFCON contest. To get people to realize
this fact. I do not know if the goal was reached or not. Because we
are _still_ getting complaints about the patterns we used, and how
they don't match patterns from rockyou etc. This actually proves our
point is the ironic thing.


Many of the teams in the DEFCON contest complained at first because their
rulesets were not working. In particular, one team had created large rules
based off of the 'rockyou' list that was revealed.

The team eventually realized the error in their ways, in that, the assumption
that users in corporate environments use the same patterns as Facebook users.
This is just not true. Just like, its not 1990 any more, and passwords aren't
chosen by semi-informed UNIX users.

This is realization of the "error of your ways" is exactly what happens in
the real world when a password audit is performed.  You cannot rely
on your previous assumptions of what password patterns you will discover.


Recognize a pattern, create a rule for the pattern, attempt to crack more passes
that meet that pattern. Now, repeat the process over and over again.

Hopefully during that process, you post the rule to john-users ;)

All in all, at least on this mailing list,  I feel that when users
discuss patterns
they have seen - or rules they have written, we get blinded by the "best way"
to write this rule.

I see this as being a waste of time. If I write a rule that says:

$2$0$1$0  instead of AZ"2010"

I know we are supposed to use 'AZ' now - but guess what - during the amount
of time it takes to argue about which method is "better" - I cracked another
100 accounts - and gained root on another 300 UNIX machines.

Whats important is the pattern itself, _not_ the method used to create it.
I feel this attitude prevents users from posting their rules because of fear
of ridicule. This opinion was relayed to me by others as well while at DEFCON.

Lets get past this, and attempt to actually make _progress_ in our discussion
of password cracking / rule generation / etc.


We _hope_ to do the contest again next year. And, if you think we are
going to use
the same old tired patterns that haven't changed in 10 years, then you
are wrong.
We hope to continue to push users to evolve in their techniques/rules/wordlists/

Otherwise, what is the point? To just have a contest to see who has the best
hardware? Wheres the skill in that ?


Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.