Hey, I just met you, and this is crazy, but here's my hashes, so hack me maybe?

Those familiar with password cracking know that KoreLogic's rule set for John the Ripper has become the de facto standard for password cracking.

However, as with anything technology related, the rules are starting to show their age slightly, specifically the rules designed to take years into account. So, I decided to take on the task of making a few modifications to the rule set. This includes updating them to take the current and prior year into account, but also reworking some of the rules to eliminate some redundancy.

Updating the various rule sets is fine and dandy, but what about taking it a step further and rearranging the order in which they're applied? Running the complete KoreLogic rule set takes a lot of time, especially when running it against a respectable dictionary and salted hashes (NTLMv2, crypt, etc.). When you have limited time during a pentest this can be fairly problematic: you want to use the rules that will net you the greatest success in the shortest amount of time, leaving the less successful rules as "Hail Mary passes."

But how do you determine which rules will net the greatest success? Comparing them against one client, or even a few clients, isn't going to give you the sample size you're looking for. It's time to queue the password study from the Global Security Report; once again (spoiler alert) we are collecting hashes to perform a study for the 2013 Global Security Report. Using the over 2 million hashes collected so far as a sample that crosses industries and geographic regions and encompasses large and small businesses, we can get an idea of which rules, statistically speaking, give us the highest probability of cracking a password. Then, by ordering these rules properly, one can hope to crack a large percentage of their hashes within the first few hours of cracking.

To produce these results I ran each KoreLogic rule individually, with a respectable dictionary, against the set of hashes, captured the number of successfully cracked hashes, then deleted the results and started again with the next rule until I had results for every rule. From this I was able to determine which rules netted us the greatest result, and the time it took to run each rule to completion.
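The ranking step this post describes (measure each rule's cracked count and run time, then order rules so the most productive ones run first) can be done with a short script. The following is an added example, not code from the original post or from the KoreLogic/SpiderLabs repository; its benchmark rows are a constructed subset copied from the post's first table, the time-string format is the post's own, and the budget-based `schedule` function is my illustration of the time-versus-success tradeoff (it also makes the later point about 5- and 6-digit rules visible in numbers).

```python
"""Rank per-rule John the Ripper benchmarks by yield per second (added example)."""
import re

# Constructed sample: six rows taken from the post's per-rule benchmark table.
# Counts overlap between rules (each rule was run from scratch), so any sum
# of 'cracked' values is an upper bound, not a count of unique passwords.
BENCHMARK = [
    ("AppendJustNumbers", 865_303, "00hr:18min:24sec"),
    ("L33t", 740_824, "00hr:01min:34sec"),
    ("ReplaceNumbers", 736_767, "00hr:00min:24sec"),
    ("Append5Num", 16_761, "03hr:04min:07sec"),
    ("Append6Num", 11_262, "28hr:58min:53sec"),
    ("PrependNumNum", 21_980, "00hr:00min:24sec"),
]

_TIME_RE = re.compile(r"^(\d+)hr:(\d+)min:(\d+)sec$")


def parse_time(text):
    """Convert the post's 'HHhr:MMmin:SSsec' strings into whole seconds."""
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised time string: {text!r}")
    hours, minutes, seconds = (int(g) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def rank_by_rate(rows):
    """Return (rule, cracked, seconds, cracked_per_second), best rate first."""
    ranked = []
    for rule, cracked, elapsed in rows:
        secs = parse_time(elapsed)
        ranked.append((rule, cracked, secs, cracked / secs))
    ranked.sort(key=lambda r: r[3], reverse=True)
    return ranked


def schedule(rows, budget_seconds):
    """Greedy plan: take rules in rate order while they still fit the budget.

    Returns (rules_in_run_order, seconds_used, upper_bound_on_cracked).
    """
    chosen, spent, total = [], 0, 0
    for rule, cracked, secs, _rate in rank_by_rate(rows):
        if spent + secs > budget_seconds:
            continue  # too slow for the remaining budget; a "Hail Mary" rule
        chosen.append(rule)
        spent += secs
        total += cracked
    return chosen, spent, total


if __name__ == "__main__":
    for rule, cracked, secs, rate in rank_by_rate(BENCHMARK):
        print(f"{rule:<20}{cracked:>9}{secs:>8}s{rate:>10.1f}/s")
    print(schedule(BENCHMARK, budget_seconds=30 * 60))
```

With a 30-minute budget the greedy plan runs ReplaceNumbers, L33t, PrependNumNum and AppendJustNumbers in that order and skips Append5Num and Append6Num, whose rates are below two cracks per second.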

Below is a table of the results, including the percentage of hashes cracked:

| Rule | Cracked | Percentage | Time |
|---|---|---|---|
| AppendJustNumbers | 865,303 | 30.814% | 00hr:18min:24sec |
| L33t | 740,824 | 26.381% | 00hr:01min:34sec |
| ReplaceNumbers | 736,767 | 26.237% | 00hr:00min:24sec |
| AddJustNumbersLimit8 | 584,001 | 20.797% | 00hr:03min:54sec |
| AppendNumbers_and_Specials_Simple | 549,465 | 19.567% | 00hr:57min:38sec |
| ReplaceLetters | 429,826 | 15.306% | 00hr:00min:40sec |
| ReplaceLettersCaps | 215,115 | 7.660% | 00hr:00min:13sec |
| Append4Num | 136,360 | 4.856% | 00hr:18min:35sec |
| AppendYears | 52,711 | 1.877% | 00hr:00min:26sec |
| AppendJustSpecials | 30,501 | 1.086% | 00hr:01min:46sec |
| ReplaceSpecial2Special | 28,062 | 0.999% | 00hr:00min:20sec |
| AppendNum_AddSpecialEverywhere | 24,378 | 0.868% | 00hr:04min:58sec |
| PrependNumNum | 21,980 | 0.783% | 00hr:00min:24sec |
| AppendNumNum_AddSpecialEverywhere | 21,880 | 0.779% | 00hr:48min:16sec |
| Append2NumSpecial | 18,111 | 0.645% | 00hr:05min:40sec |
| Append5Num | 16,761 | 0.597% | 03hr:04min:07sec |
| PrependNumNumNum | 15,557 | 0.554% | 00hr:02min:19sec |
| PrependNumNumNumNum | 15,148 | 0.539% | 00hr:20min:47sec |
| Append2Letters | 13,682 | 0.487% | 00hr:02min:30sec |
| AppendSpecialNumberNumber | 13,235 | 0.471% | 00hr:05min:42sec |
| Add1234_Everywhere | 13,208 | 0.470% | 00hr:00min:13sec |
| ReplaceNumbers2Special | 11,789 | 0.420% | 00hr:00min:14sec |
| Append6Num | 11,262 | 0.401% | 28hr:58min:53sec |
| Append3NumSpecial | 7,985 | 0.284% | 00hr:54min:00sec |
| AppendNumNumNum_AddSpecialEverywhere | 7,863 | 0.280% | 09hr:08min:04sec |
| Prepend2NumbersAppend2Numbers | 7,609 | 0.271% | 00hr:21min:06sec |
| AppendSpecial4num | 6,576 | 0.234% | 09hr:22min:31sec |
| Append1_AddSpecialEverywhere | 6,545 | 0.233% | 00hr:00min:46sec |
| PrependSeason | 5,905 | 0.210% | 00hr:00min:41sec |
| Append4NumSpecial | 5,501 | 0.196% | 08hr:56min:19sec |
| AppendYears_AddSpecialEverywhere | 4,221 | 0.150% | 00hr:45min:24sec |
| AppendSpecial3num | 3,671 | 0.131% | 00hr:51min:30sec |
| AppendSpecialNumberNumberNumber | 3,671 | 0.131% | 00hr:55min:57sec |
| MonthsFullPreface | 3,383 | 0.120% | 00hr:00min:13sec |
| Add2010Everywhere | 3,151 | 0.112% | 00hr:00min:14sec |
| Prepend4LetterMonths | 2,938 | 0.105% | 00hr:00min:13sec |
| PrependJustSpecials | 2,628 | 0.094% | 00hr:01min:54sec |
| AddShortMonthsEverywhere | 2,282 | 0.081% | 00hr:01min:09sec |
| PrependYears | 1,716 | 0.061% | 00hr:00min:17sec |
| PrependHello | 1,696 | 0.060% | 00hr:00min:16sec |
| AppendCap-Num_or_Special-Twice | 1,430 | 0.051% | 01hr:17min:22sec |
| PrependDaysWeek | 1,417 | 0.050% | 00hr:06min:21sec |
| PrependNumNumAppendSpecial | 1,295 | 0.046% | 00hr:05min:59sec |
| AppendJustSpecials3Times | 816 | 0.029% | 00hr:56min:03sec |
| PrependAndAppendSpecial | 648 | 0.023% | 00hr:01min:58sec |
| PrependNumNumSpecial | 477 | 0.017% | 00hr:06min:26sec |
| Prepend4NumAppendSpecial | 379 | 0.013% | 10hr:29min:17sec |
| DevProdTestUAT | 370 | 0.013% | 00hr:00min:13sec |
| AppendMonthDay | 330 | 0.012% | 00hr:02min:10sec |
| AppendCurrentYearSpecial | 311 | 0.011% | 00hr:00min:15sec |
| AppendSpecialLowerLower | 239 | 0.009% | 00hr:33min:27sec |
| PrependSpecialSpecial | 192 | 0.007% | 00hr:02min:15sec |
| PrependSpecialSpecialAppendNumbersNumber | 157 | 0.006% | 02hr:14min:19sec |
| PrependSpecialSpecialAppendNumber | 129 | 0.005% | 00hr:12min:53sec |
| AppendSeason | 124 | 0.004% | 00hr:00min:42sec |
| PrependCAPCAPAppendSpecial | 104 | 0.004% | 00hr:21min:15sec |
| PrependNumNum_AppendNumSpecial | 99 | 0.004% | 00hr:59min:41sec |
| PrependSpecialSpecialAppendNumbersNumberNumber | 38 | 0.001% | 22hr:46min:12sec |
| AddDotCom | 22 | 0.001% | 00hr:00min:12sec |
| AppendMonthCurrentYear | 8 | 0.000% | 00hr:00min:13sec |

As you can see, the number of cracked hashes drops off fairly significantly after ReplaceLettersCaps. However, there are some rules that in my opinion should still be applied, specifically the ones that prepend and append numbers, given that our top rule was AppendJustNumbers. The time tradeoff required for a few additional rules seems like a worthwhile compromise when you look at their success. Based on this information, here's the list of rules I'm proposing, complete with modifications and rule additions:

| Rule | Cracked | Time | Notes |
|---|---|---|---|
| PrependAppend1-4 | 909,146 | 00hr:39min:16sec | Replaced AppendJustNumbers |
| L33t | 740,824 | 00hr:01min:30sec | |
| ReplaceNumbers | 736,767 | 00hr:00min:23sec | |
| AddJustNumbersLimit8 | 584,001 | 00hr:03min:51sec | |
| AppendNumbers_and_Specials_Simple | 549,465 | 01hr:05min:11sec | |
| ReplaceLetters | 429,826 | 00hr:00min:42sec | |
| ReplaceLettersCaps | 215,115 | 00hr:00min:13sec | |
| Append4Num | | | Included in AppendJustNumbers |
| AppendYears | | | Included in AppendJustNumbers |
| AppendJustSpecials | 30,501 | 00hr:01min:56sec | |
| ReplaceSpecial2Special | 28,062 | 00hr:00min:19sec | |
| AppendNum_AddSpecialEverywhere | 24,378 | 00hr:06min:10sec | |
| PrependNumNum | | | Included in AppendJustNumbers |
| AppendNumNum_AddSpecialEverywhere | 21,880 | 00hr:56min:53sec | |
| Append2NumSpecial | 18,111 | 00hr:05min:38sec | |
| Append5Num | 16,761 | 02hr:53min:16sec | |
| PrependNumNumNum | | | Included in AppendJustNumbers |
| PrependNumNumNumNum | | | Included in AppendJustNumbers |
| Append2Letters | 13,682 | 00hr:02min:28sec | |
| AppendSpecialNumberNumber | 13,235 | 00hr:05min:36sec | |
| Add1234_Everywhere | 13,208 | 00hr:00min:12sec | |
| ReplaceNumbers2Special | 11,789 | 00hr:00min:13sec | |
| Append6Num | 11,262 | 28hr:22min:48sec | |
| Append3NumSpecial | 7,985 | 00hr:59min:20sec | |
| AppendNumNumNum_AddSpecialEverywhere | 7,863 | 09hr:18min:31sec | |
| Prepend2NumbersAppend2Numbers | 7,609 | 00hr:20min:00sec | |
| Add2011Everywhere | 6,773 | 00hr:00min:14sec | New Rule |
| AppendSpecial4num | 6,576 | 08hr:34min:30sec | |
| Append1_AddSpecialEverywhere | 6,545 | 00hr:00min:46sec | |
| PrependAppendSeason | 6,072 | 00hr:06min:36sec | Replaced KoreRulesPrependSeason; added more l33t characters |
| Append4NumSpecial | 5,501 | 08hr:13min:32sec | |
| AppendYears_AddSpecialEverywhere | 4,221 | 00hr:37min:14sec | |
| AppendSpecial3num | 3,671 | 00hr:43min:48sec | |
| AppendSpecialNumberNumberNumber | 3,671 | 00hr:45min:14sec | |
| MonthsFullPreface | 3,383 | 00hr:00min:11sec | |
| Add2010Everywhere | 3,151 | 00hr:00min:14sec | |
| PrependMonthAbbrev | 4,265 | 00hr:00min:13sec | Replaced Prepend4LetterMonths; adds 3-letter months |
| PrependJustSpecials | 2,628 | 00hr:01min:39sec | |
| AddShortMonthsEverywhere | 2,282 | 00hr:00min:51sec | |
| PrependYears | | | Included in AppendJustNumbers |
| PrependHello | 1,698 | 00hr:00min:31sec | Added more l33t characters |
| Add2012Everywhere | 1,498 | 00hr:00min:12sec | New Rule |
| AppendCap-Num_or_Special-Twice | 1,430 | 01hr:05min:18sec | |
| PrependDaysWeek | 1,417 | 00hr:13min:47sec | Added more l33t characters |
| PrependNumNumAppendSpecial | 1,295 | 00hr:04min:55sec | |
| Append2011Special | 850 | 00hr:00min:15sec | New Rule |
| AppendJustSpecials3Times | 816 | 00hr:43min:28sec | |
| PrependAndAppendSpecial | 648 | 00hr:01min:39sec | |
| PrependNumNumSpecial | 477 | 00hr:04min:59sec | |
| Append2012Special | 383 | 00hr:00min:16sec | New Rule |
| Prepend4NumAppendSpecial | 379 | 08hr:42min:23sec | |
| DevProdTestUAT | 370 | 00hr:00min:11sec | |
| AppendMonthDay | 330 | 00hr:02min:00sec | |
| Append2010Special | 311 | 00hr:00min:16sec | Replaced AppendCurrentYearSpecial |
| AppendSpecialLowerLower | 239 | 00hr:30min:13sec | |
| PrependSpecialSpecial | 192 | 00hr:01min:43sec | |
| PrependSpecialSpecialAppendNumbersNumber | 157 | 01hr:49min:40sec | |
| PrependSpecialSpecialAppendNumber | 129 | 00hr:11min:43sec | |
| AppendSeason | | | Included in PrependAppendSeason |
| PrependCAPCAPAppendSpecial | 104 | 00hr:22min:39sec | |
| PrependNumNum_AppendNumSpecial | 99 | 01hr:01min:12sec | |
| AddTLD | 72 | 00hr:00min:42sec | Replaced AddDotCom; added all TLDs |
| PrependSpecialSpecialAppendNumbersNumberNumber | 38 | 19hr:49min:25sec | |
| AppendMonth2011 | 24 | 00hr:00min:13sec | New Rule |
| AppendMonth2010 | 8 | 00hr:00min:15sec | Replaced AppendMonthCurrentYear |
| AppendMonth2012 | 7 | 00hr:00min:15sec | New Rule |

After looking at these rules, here are a few answers to questions you might have:

  • Why are you not including 5 and 6 digits in PrependAppendJustNumbers?
    • It's simply a time versus success tradeoff. Cracking a 5th and 6th digit takes a significant amount of time with very little result, whereas cracking 1-4 digits not only takes very little time, but achieves extremely high success.
  • Why are 2012-based rules netting little success?
    • While I don't have concrete evidence, my guess would be that users might not have been given enough opportunity to change their password yet. We've been collecting hashes since the 1st of the year, and given an average password expiration policy within corporations of approximately 90 days, users may have only changed their password once or twice during 2012 depending on when the hashes were collected.
  • What wordlist size and hardware were used to crack the hashes?
    • 8 x 2.6 GHz AMD Opteron cores (Bulldozer) and a 1,167,382-word dictionary. Remember, since NT hashes are unsalted, the number of hashes you are attempting to crack will not affect the cracking time, assuming you aren't taking into account possible program inefficiencies with large hash lists. The dictionary size and hardware specifications do factor into the time.

I've uploaded the updated rule set, with a few variations, to the SpiderLabs GitHub in the following formats:

  • All rules built into one main John rule set (eliminates the need for loops in scripts)
  • All rules, but kept separated
  • Top 7 based on the stats, built into one main John rule set
  • Top 7, but kept separated

We'll hopefully be making updates in the future, and suggestions are definitely welcome; feel free to clone the repository.