
Modern Password Cracking: A hands-on approach to creating an optimised and versatile attack

Chrysanthou Yiannis
Technical Report RHUL–MA–2013–7
01 May 2013

Information Security Group
Royal Holloway, University of London
Egham, Surrey TW20 0EX, United Kingdom
www.ma.rhul.ac.uk/tech

Yiannis, Chrysanthou
Student Number: 100721464
Supervisor: Dr. Allan Tomlinson

Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London

I declare that this assignment is all my own work and that I have acknowledged all quotations from the published or unpublished works of other people. I declare that I have also read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences and in accordance with it I submit this project report as my own work.

Signature: _________________________ Date: _________________________

Acknowledgements

I dedicate this thesis to everyone who contributed to its creation and completion. First and foremost, my family and friends who supported me in more ways than one. My parents in particular, my partner, and my friends (Carlos, Ivan, George) for influencing me to get to where I am now. To my Supervisor Dr. Tomlinson who gave me the freedom to put together my work so far and to arrive at new conclusions during the process of this thesis. To my company KPMG, for giving me the much needed time to complete this thesis. Lastly, I would like to thank Team Hashcat and Jens Steube for providing the tools that made this thesis possible.

Executive summary

Passwords are the most common means of authentication. Passwords are protected by using one-way cryptographic algorithms that produce a hash of set length. Cryptography can only protect something to the point where the only feasible attack on the encrypted secret is to try and guess it. However, in the case of passwords guessing is easy. Passwords are insecure by nature because they are used for preventing humans from guessing a small secret created by humans. This thesis shows that guessing passwords is as easy as creating them: most commonly used passwords are easy to guess and harder passwords are almost never used [1].

There are several password cracking techniques. This thesis describes the most popular. It then creates an optimized attack using various other attack techniques which are also optimized for best performance. Specifically, this thesis suggests the use of Markov Chains for password recovery, in combination with a range of other modified versions of attacks available. All attacks work together and make use of common resources such as Dictionaries and Rulesets to achieve the best output possible. The result is a dynamic, highly flexible and robust attack that can be used by anyone with average computer literacy and limited resources within reasonable time.

The attack proposed is tested on the Phpbb password database leaked in 2009. We show that the proposed attack can run on a personal computer using free tools and recover over 75% of passwords in less than an hour.

This thesis concludes that passwords should not be used on their own for authentication purposes. Instead, we need passwords to be part of multi-factor authentication. Alternatively, we must only use passwords once we have accepted the associated risks and the high probability of them failing us.

Table of Contents

1. INTRODUCTION
  1.1. Background
  1.2. Motivation
  1.3. Objectives
  1.4. Structure
2. Types of attacks on passwords
  2.1. Google search hash attack and free public hash databases:
  2.2. Brute-force Attacks:
  2.3. Dictionary attack:
  2.4. Combined Dictionary attack:
  2.5. Hybrid Dictionary attack:
  2.6. Rule based Dictionary attack:
  2.7. Pre-computed Time-memory Trade off or rainbow table attacks
  2.8. Conclusion
3. A study of password selection patterns
  3.1. Rockyou password database
  3.2. Phpbb password dump
  3.3. Linkedin password leak
  3.4. Conclusion
4. Creating a dynamic, flexible, fast, and successful attack on passwords
  4.1. Introduction
  4.2. Rules (A1)
  4.3. Dictionary (A2)
  4.4. Recovered Passwords (A3)
  4.5. Generated Markov Chains (A4)
  4.6. Dictionary Attack with Rules (P1)
  4.7. Hybrid Dictionary Attack (P2)
  4.8. Dynamic Rule Generation (P3)
  4.9. Markov Chains Attack (P4)
  4.10. Combined Dictionary Attack with Rules (P5)
  4.11. Conclusion:
5. Applying the attack
  5.1. S1: Load top 64 Rules
  5.2. S2: Load Created Dictionary
  5.3. S3: Create an empty Recovered Passwords (A3) file
  5.4. S4: Dictionary Attack with Rules (P1) – first run
  5.5. S5: Hybrid Dictionary Attack (P2) – first run
  5.6. S6: Dynamic Rule Generation (P3) – first run
  5.7. S7: Dictionary Attack with Rules (P1) – second run
  5.8. S8: Hybrid Dictionary Attack (P2) – second run
  5.9. S9: Dynamic Rule Generation (P3) – second run
  5.10. S10: Dictionary Attack with Rules (P1) – third run
  5.11. S11: Hybrid Dictionary Attack (P2) – third run
  5.12. S12: Dynamic Rule Generation (P3) – third run
  5.13. S13: Markov Chains Attack (P4)
  5.14. S14: Combined Dictionary Attack (P5)
  5.15. Summary
  5.16. Conclusion
6. Suggestions: