Part 1: The Art of Password Cracking (with science!)
When performing an on-site penetration test, there is usually a need to crack captured password hashes in a hurry. The sooner a hash is cracked and the password recovered, the sooner privileges can be escalated and further information uncovered. However, with the many wordlists, rules and masks available, it is always a bit of a guessing game which combination will give results the quickest.
To rate the combinations by their efficiency we need to take a step back and do some research. To this end, I have written scripts that analyse the performance of as many list/rule/mask permutations as possible, giving each one a maximum of 15 minutes to run. The combinations are run against several different password hash collections to gauge their performance under time pressure. Using several collections avoids the trap, seen in many other articles with a similar goal, of tweaking a ruleset (for instance) against a single hash list until it looks maximally efficient on that list alone.
We also need to define the term efficiency (or performance) in this context, as there are several possible interpretations. The underlying hash-cracking performance indicators are hash calculations per second (H/s) and the size of the keyspace searched by a particular list/rule/mask combination.
Efficiency can then be thought of as different things, for example:
- The % of the total hashes cracked by a given combination per unit of time
- The % of the total hashes cracked by a given combination per unit of keyspace (i.e. per candidate tried)
- The % of hashes cracked by this combination alone, i.e. those not found by any other combination
- The total % of hashes cracked when the combination runs to completion.
When dealing with "slow" hashes, such as sha512crypt, scrypt, Blowfish-based bcrypt and the like, the first two measures may be the most useful in choosing combinations: the rate is low enough that a combination will rarely run to completion, so what matters is how many cracks each minute, or each candidate, buys. With fast hashes such as plain NTLM, the final two may be preferable: most combinations finish well within the time limit, so the question becomes which ones add coverage that the others do not.
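To make the four measures concrete, here is an added scoring script (not one of the scripts described above, and not part of the original post) that computes all four for each list/rule/mask combination from per-run records, averages them across several hash lists as the methodology requires, and then ranks combinations by the pair of measures appropriate for slow or fast hashes. The run records, hash list sizes and combination names are constructed sample data, not results from the article; in practice they would come from each cracking run's runtime, reported keyspace and output file.

```python
"""Score wordlist/rule/mask combinations by the four efficiency measures.

Added example with constructed data; not the article's own scripts or results.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Run:
    combo: str               # list/rule/mask combination, e.g. "rockyou+best64"
    hashlist: str            # which hash collection this run was against
    seconds: float           # wall-clock time the run used (capped at 900 s in the setup above)
    keyspace: int            # number of candidates the combination generates in total
    cracked: FrozenSet[str]  # identifiers of the hashes recovered in this run


# Constructed sample data: three combinations run against two hash lists.
# Hash identifiers are arbitrary labels; overlaps between runs are deliberate so
# the "cracked by this combination alone" measure has something to count.
LIST_SIZES: Dict[str, int] = {"listA": 1000, "listB": 500}
SAMPLE_RUNS: List[Run] = [
    Run("rockyou+best64", "listA", 900, 50_000_000, frozenset({"a1", "a2", "a3", "a4"})),
    Run("rockyou+best64", "listB", 900, 50_000_000, frozenset({"b1", "b2"})),
    Run("mask-?l?l?l?l?l?l", "listA", 300, 26 ** 6, frozenset({"a3", "a5"})),
    Run("mask-?l?l?l?l?l?l", "listB", 300, 26 ** 6, frozenset({"b2", "b3"})),
    Run("names+dive", "listA", 900, 900_000_000, frozenset({"a1", "a6", "a7"})),
    Run("names+dive", "listB", 900, 900_000_000, frozenset({"b1"})),
]


def score_runs(runs: Iterable[Run], list_sizes: Dict[str, int]) -> Dict[str, Dict[str, float]]:
    """Return, per combination, the four measures averaged over all hash lists."""
    runs = list(runs)

    # Which combinations recovered each (hashlist, hash) pair; needed for the
    # "found by this combination alone" measure.
    found_by: Dict[tuple, set] = defaultdict(set)
    for r in runs:
        for h in r.cracked:
            found_by[(r.hashlist, h)].add(r.combo)

    per_combo: Dict[str, List[Dict[str, float]]] = defaultdict(list)
    for r in runs:
        total = list_sizes[r.hashlist]
        n = len(r.cracked)
        unique = sum(1 for h in r.cracked if found_by[(r.hashlist, h)] == {r.combo})
        pct_total = 100.0 * n / total
        per_combo[r.combo].append({
            "pct_per_minute": pct_total / (r.seconds / 60.0),          # measure 1
            "pct_per_million_candidates": pct_total / (r.keyspace / 1e6),  # measure 2
            "pct_unique": 100.0 * unique / total,                       # measure 3
            "pct_total": pct_total,                                     # measure 4
        })

    # Average each measure over the hash lists so no single list dominates the ranking.
    return {
        combo: {k: sum(row[k] for row in rows) / len(rows) for k in rows[0]}
        for combo, rows in per_combo.items()
    }


def recommend(scores: Dict[str, Dict[str, float]], slow_hash: bool) -> List[str]:
    """Rank combinations best-first using the measures suited to the hash speed."""
    if slow_hash:
        # Runs rarely finish, so reward cracks per minute, then per candidate.
        key = ("pct_per_minute", "pct_per_million_candidates")
    else:
        # Runs finish within the limit, so reward total coverage, then unique coverage.
        key = ("pct_total", "pct_unique")
    return sorted(scores, key=lambda c: tuple(scores[c][k] for k in key), reverse=True)


if __name__ == "__main__":
    scores = score_runs(SAMPLE_RUNS, LIST_SIZES)
    for combo, m in scores.items():
        print(combo, {k: round(v, 6) for k, v in m.items()})
    print("slow-hash order:", recommend(scores, slow_hash=True))
    print("fast-hash order:", recommend(scores, slow_hash=False))
```

With the constructed data the two rankings disagree: the short mask run wins on cracks per minute, while the rockyou-plus-rules run wins on total coverage. That disagreement is exactly why the choice of measure has to be made before the combinations are compared.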
In the next part of this series, I'll focus on the types of metadata that help us crack more hashes.