Those familiar with password cracking know that KoreLogic's rule set for John the Ripper has become the de facto standard for password cracking.
However, as with anything technology related, the rules are slightly starting to show their age, specifically the rules designed to take years into account. So, I decided to take on the task of making a few modifications to the rule set: updating them to take into account the current and prior year, but also reworking some of the rules to eliminate some redundancy.
Updating the various rule sets is fine and dandy, but what about taking it a step further and rearranging the order in which they're applied? Running the complete KoreLogic rule set takes a lot of time, especially when running it against a respectable dictionary and salted hashes (NTLMv2, Crypt, etc.). When you have limited time during a pentest this can be fairly problematic: you want to use the rules that will net you the greatest amount of success in the shortest amount of time, leaving the less successful rules as "Hail Mary passes."
But how do you determine which rules will net the greatest success? Comparing them against one client or even a few clients isn't going to give you the sample size you're looking for. It's time to queue the password study from the Global Security Report; once again (spoiler alert) we are collecting hashes to perform a study on for the 2013 Global Security Report. Using the over 2 million hashes collected so far as a sample size that crosses industries and geographic regions, and encompasses large and small businesses, we can give ourselves an idea of which rules, statistically speaking, will give us the highest probability of cracking a password. Then, by ordering these rules properly, one can hope to crack a large percentage of their hashes within the first few hours of cracking.
What I did to arrive at these rules was use each KoreLogic rule individually with a respectable dictionary against the set of hashes, capture the number of successfully cracked hashes, then delete the results and start again with the next rule until I had results for each rule. From this I was able to determine which rules netted us the greatest result, and the time it took to completely run each rule.
Below is a table of the results, including the percentage of hashes cracked:
| Rule | Cracked | Percentage | Time |
|---|---|---|---|
| AppendJustNumbers | 865,303 | 30.814% | 00hr:18min:24sec |
| L33t | 740,824 | 26.381% | 00hr:01min:34sec |
| ReplaceNumbers | 736,767 | 26.237% | 00hr:00min:24sec |
| AddJustNumbersLimit8 | 584,001 | 20.797% | 00hr:03min:54sec |
| AppendNumbers_and_Specials_Simple | 549,465 | 19.567% | 00hr:57min:38sec |
| ReplaceLetters | 429,826 | 15.306% | 00hr:00min:40sec |
| ReplaceLettersCaps | 215,115 | 7.660% | 00hr:00min:13sec |
| Append4Num | 136,360 | 4.856% | 00hr:18min:35sec |
| AppendYears | 52,711 | 1.877% | 00hr:00min:26sec |
| AppendJustSpecials | 30,501 | 1.086% | 00hr:01min:46sec |
| ReplaceSpecial2Special | 28,062 | 0.999% | 00hr:00min:20sec |
| AppendNum_AddSpecialEverywhere | 24,378 | 0.868% | 00hr:04min:58sec |
| PrependNumNum | 21,980 | 0.783% | 00hr:00min:24sec |
| AppendNumNum_AddSpecialEverywhere | 21,880 | 0.779% | 00hr:48min:16sec |
| Append2NumSpecial | 18,111 | 0.645% | 00hr:05min:40sec |
| Append5Num | 16,761 | 0.597% | 03hr:04min:07sec |
| PrependNumNumNum | 15,557 | 0.554% | 00hr:02min:19sec |
| PrependNumNumNumNum | 15,148 | 0.539% | 00hr:20min:47sec |
| Append2Letters | 13,682 | 0.487% | 00hr:02min:30sec |
| AppendSpecialNumberNumber | 13,235 | 0.471% | 00hr:05min:42sec |
| Add1234_Everywhere | 13,208 | 0.470% | 00hr:00min:13sec |
| ReplaceNumbers2Special | 11,789 | 0.420% | 00hr:00min:14sec |
| Append6Num | 11,262 | 0.401% | 28hr:58min:53sec |
| Append3NumSpecial | 7,985 | 0.284% | 00hr:54min:00sec |
| AppendNumNumNum_AddSpecialEverywhere | 7,863 | 0.280% | 09hr:08min:04sec |
| Prepend2NumbersAppend2Numbers | 7,609 | 0.271% | 00hr:21min:06sec |
| AppendSpecial4num | 6,576 | 0.234% | 09hr:22min:31sec |
| Append1_AddSpecialEverywhere | 6,545 | 0.233% | 00hr:00min:46sec |
| PrependSeason | 5,905 | 0.210% | 00hr:00min:41sec |
| Append4NumSpecial | 5,501 | 0.196% | 08hr:56min:19sec |
| AppendYears_AddSpecialEverywhere | 4,221 | 0.150% | 00hr:45min:24sec |
| AppendSpecial3num | 3,671 | 0.131% | 00hr:51min:30sec |
| AppendSpecialNumberNumberNumber | 3,671 | 0.131% | 00hr:55min:57sec |
| MonthsFullPreface | 3,383 | 0.120% | 00hr:00min:13sec |
| Add2010Everywhere | 3,151 | 0.112% | 00hr:00min:14sec |
| Prepend4LetterMonths | 2,938 | 0.105% | 00hr:00min:13sec |
| PrependJustSpecials | 2,628 | 0.094% | 00hr:01min:54sec |
| AddShortMonthsEverywhere | 2,282 | 0.081% | 00hr:01min:09sec |
| PrependYears | 1,716 | 0.061% | 00hr:00min:17sec |
| PrependHello | 1,696 | 0.060% | 00hr:00min:16sec |
| AppendCap-Num_or_Special-Twice | 1,430 | 0.051% | 01hr:17min:22sec |
| PrependDaysWeek | 1,417 | 0.050% | 00hr:06min:21sec |
| PrependNumNumAppendSpecial | 1,295 | 0.046% | 00hr:05min:59sec |
| AppendJustSpecials3Times | 816 | 0.029% | 00hr:56min:03sec |
| PrependAndAppendSpecial | 648 | 0.023% | 00hr:01min:58sec |
| PrependNumNumSpecial | 477 | 0.017% | 00hr:06min:26sec |
| Prepend4NumAppendSpecial | 379 | 0.013% | 10hr:29min:17sec |
| DevProdTestUAT | 370 | 0.013% | 00hr:00min:13sec |
| AppendMonthDay | 330 | 0.012% | 00hr:02min:10sec |
| AppendCurrentYearSpecial | 311 | 0.011% | 00hr:00min:15sec |
| AppendSpecialLowerLower | 239 | 0.009% | 00hr:33min:27sec |
| PrependSpecialSpecial | 192 | 0.007% | 00hr:02min:15sec |
| PrependSpecialSpecialAppendNumbersNumber | 157 | 0.006% | 02hr:14min:19sec |
| PrependSpecialSpecialAppendNumber | 129 | 0.005% | 00hr:12min:53sec |
| AppendSeason | 124 | 0.004% | 00hr:00min:42sec |
| PrependCAPCAPAppendSpecial | 104 | 0.004% | 00hr:21min:15sec |
| PrependNumNum_AppendNumSpecial | 99 | 0.004% | 00hr:59min:41sec |
| PrependSpecialSpecialAppendNumbersNumberNumber | 38 | 0.001% | 22hr:46min:12sec |
| AddDotCom | 22 | 0.001% | 00hr:00min:12sec |
| AppendMonthCurrentYear | 8 | 0.000% | 00hr:00min:13sec |
As you can see, the number of cracked hashes drops off fairly significantly after ReplaceLettersCaps. However, there are some rules that in my opinion should still be applied, specifically the ones that prepend and append numbers, given that our top rule was AppendJustNumbers. The time tradeoff required for a few additional rules seems like a worthwhile compromise when you look at their success. Based on this information, here's the list of rules that I'm proposing, complete with modifications and rule additions:
| Rule | Cracked | Time | Notes |
|---|---|---|---|
| PrependAppend1-4 | 909,146 | 00hr:39min:16sec | Replaced AppendJustNumbers |
| L33t | 740,824 | 00hr:01min:30sec | |
| ReplaceNumbers | 736,767 | 00hr:00min:23sec | |
| AddJustNumbersLimit8 | 584,001 | 00hr:03min:51sec | |
| AppendNumbers_and_Specials_Simple | 549,465 | 01hr:05min:11sec | |
| ReplaceLetters | 429,826 | 00hr:00min:42sec | |
| ReplaceLettersCaps | 215,115 | 00hr:00min:13sec | |
| Append4Num | | | Included in AppendJustNumbers |
| AppendYears | | | Included in AppendJustNumbers |
| AppendJustSpecials | 30,501 | 00hr:01min:56sec | |
| ReplaceSpecial2Special | 28,062 | 00hr:00min:19sec | |
| AppendNum_AddSpecialEverywhere | 24,378 | 00hr:06min:10sec | |
| PrependNumNum | | | Included in AppendJustNumbers |
| AppendNumNum_AddSpecialEverywhere | 21,880 | 00hr:56min:53sec | |
| Append2NumSpecial | 18,111 | 00hr:05min:38sec | |
| Append5Num | 16,761 | 02hr:53min:16sec | |
| PrependNumNumNum | | | Included in AppendJustNumbers |
| PrependNumNumNumNum | | | Included in AppendJustNumbers |
| Append2Letters | 13,682 | 00hr:02min:28sec | |
| AppendSpecialNumberNumber | 13,235 | 00hr:05min:36sec | |
| Add1234_Everywhere | 13,208 | 00hr:00min:12sec | |
| ReplaceNumbers2Special | 11,789 | 00hr:00min:13sec | |
| Append6Num | 11,262 | 28hr:22min:48sec | |
| Append3NumSpecial | 7,985 | 00hr:59min:20sec | |
| AppendNumNumNum_AddSpecialEverywhere | 7,863 | 09hr:18min:31sec | |
| Prepend2NumbersAppend2Numbers | 7,609 | 00hr:20min:00sec | |
| Add2011Everywhere | 6,773 | 00hr:00min:14sec | New Rule |
| AppendSpecial4num | 6,576 | 08hr:34min:30sec | |
| Append1_AddSpecialEverywhere | 6,545 | 00hr:00min:46sec | |
| PrependAppendSeason | 6,072 | 00hr:06min:36sec | Replaced KoreRulesPrependSeason |
| Append4NumSpecial | 5,501 | 08hr:13min:32sec | |
| AppendYears_AddSpecialEverywhere | 4,221 | 00hr:37min:14sec | |
| AppendSpecial3num | 3,671 | 00hr:43min:48sec | |
| AppendSpecialNumberNumberNumber | 3,671 | 00hr:45min:14sec | |
| MonthsFullPreface | 3,383 | 00hr:00min:11sec | |
| Add2010Everywhere | 3,151 | 00hr:00min:14sec | |
| PrependMonthAbbrev | 4,265 | 00hr:00min:13sec | Replaced Prepend4LetterMonths |
| PrependJustSpecials | 2,628 | 00hr:01min:39sec | |
| AddShortMonthsEverywhere | 2,282 | 00hr:00min:51sec | |
| PrependYears | | | Included in AppendJustNumbers |
| PrependHello | 1,698 | 00hr:00min:31sec | Added more l33t characters |
| Add2012Everywhere | 1,498 | 00hr:00min:12sec | New Rule |
| AppendCap-Num_or_Special-Twice | 1,430 | 01hr:05min:18sec | |
| PrependDaysWeek | 1,417 | 00hr:13min:47sec | Added more l33t characters |
| PrependNumNumAppendSpecial | 1,295 | 00hr:04min:55sec | |
| Append2011Special | 850 | 00hr:00min:15sec | New Rule |
| AppendJustSpecials3Times | 816 | 00hr:43min:28sec | |
| PrependAndAppendSpecial | 648 | 00hr:01min:39sec | |
| PrependNumNumSpecial | 477 | 00hr:04min:59sec | |
| Append2012Special | 383 | 00hr:00min:16sec | New Rule |
| Prepend4NumAppendSpecial | 379 | 08hr:42min:23sec | |
| DevProdTestUAT | 370 | 00hr:00min:11sec | |
| AppendMonthDay | 330 | 00hr:02min:00sec | |
| Append2010Special | 311 | 00hr:00min:16sec | Replaced AppendCurrentYearSpecial |
| AppendSpecialLowerLower | 239 | 00hr:30min:13sec | |
| PrependSpecialSpecial | 192 | 00hr:01min:43sec | |
| PrependSpecialSpecialAppendNumbersNumber | 157 | 01hr:49min:40sec | |
| PrependSpecialSpecialAppendNumber | 129 | 00hr:11min:43sec | |
| AppendSeason | | | Included in PrependAppendSeason |
| PrependCAPCAPAppendSpecial | 104 | 00hr:22min:39sec | |
| PrependNumNum_AppendNumSpecial | 99 | 01hr:01min:12sec | |
| AddTLD | 72 | 00hr:00min:42sec | Replaced AddDotCom, added all TLDs |
| PrependSpecialSpecialAppendNumbersNumberNumber | 38 | 19hr:49min:25sec | |
| AppendMonth2011 | 24 | 00hr:00min:13sec | New Rule |
| AppendMonth2010 | 8 | 00hr:00min:15sec | Replaced AppendMonthCurrentYear |
| AppendMonth2012 | 7 | 00hr:00min:15sec | New Rule |
After looking at these rules, here are a few answers to questions you might have:
- Why are you not including 5 and 6 digits in PrependAppendJustNumbers?
- It's simply a time versus success tradeoff. Cracking a 5th and 6th digit takes a significant amount of time with very little result, whereas cracking 1-4 digits not only takes very little time, but achieves extremely high success.
- Why are 2012-based rules netting little success?
- While I don't have concrete evidence, my guess would be that users might not have been given enough opportunity to change their password yet. We've been collecting hashes since the 1st of the year, and given an average password expiration policy within corporations of approximately 90 days, users may have only changed their password once or twice during 2012, depending on when the hashes were collected.
- What wordlist size and hardware were used to crack the hashes?
- 8 x 2.6GHz AMD Opteron cores (Bulldozer) and a 1,167,382-word dictionary. Remember, since NT hashes are unsalted, the number of hashes you are attempting to crack will not affect the cracking time, assuming you aren't taking into account possible program inefficiencies with large hash lists. The dictionary size and hardware specifications do factor into the time.
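To make the time-versus-success tradeoff above concrete, here is an added example (not code from the post or from the SpiderLabs repository) that parses rows in the first table's format, ranks rules by hashes cracked per second of run time, and greedily fills a fixed time budget with the best-rated rules. The six sample rows are copied from the first table; the helper names, the 30-minute budget and the greedy strategy are assumptions of this example, not the post's method.

```python
import re
from dataclasses import dataclass

@dataclass
class RuleStat:
    name: str
    cracked: int   # hashes cracked by this rule run on its own
    seconds: int   # wall-clock time the rule took to run

TIME_RE = re.compile(r"^(\d+)hr:(\d+)min:(\d+)sec$")

def parse_time(text: str) -> int:
    """Convert the post's 'HHhr:MMmin:SSsec' timing format to seconds."""
    hours, minutes, secs = map(int, TIME_RE.match(text.strip()).groups())
    return hours * 3600 + minutes * 60 + secs

def parse_table(text: str) -> list[RuleStat]:
    """Parse 'Rule | Cracked | Percentage | Time' rows like the first table."""
    rules = []
    for line in text.strip().splitlines():
        name, cracked, _pct, when = [c.strip() for c in line.split("|")][:4]
        rules.append(RuleStat(name, int(cracked.replace(",", "")), parse_time(when)))
    return rules

def rank_by_rate(rules: list[RuleStat]) -> list[RuleStat]:
    """Order rules by cracks per second of run time, best first."""
    return sorted(rules, key=lambda r: r.cracked / max(r.seconds, 1), reverse=True)

def schedule(rules: list[RuleStat], budget_seconds: int):
    """Greedily take the highest-rate rules that still fit in the budget.
    Rules were measured in isolation, so the total is an upper bound: a hash
    cracked by two rules is counted twice."""
    chosen, total, used = [], 0, 0
    for r in rank_by_rate(rules):
        if used + r.seconds <= budget_seconds:
            chosen.append(r.name)
            used += r.seconds
            total += r.cracked
    return chosen, total, used

# Constructed sample: six rows copied from the first table in the post.
SAMPLE_TABLE = """
AppendJustNumbers | 865,303 | 30.814% | 00hr:18min:24sec
L33t | 740,824 | 26.381% | 00hr:01min:34sec
ReplaceNumbers | 736,767 | 26.237% | 00hr:00min:24sec
ReplaceLettersCaps | 215,115 | 7.660% | 00hr:00min:13sec
Append5Num | 16,761 | 0.597% | 03hr:04min:07sec
Append6Num | 11,262 | 0.401% | 28hr:58min:53sec
"""
RULES = parse_table(SAMPLE_TABLE)
```

With a 30-minute budget the four fast, high-yield rules are scheduled first and the multi-hour Append5Num and Append6Num runs are left for later, which is the ordering the post argues for.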
I've uploaded the updated ruleset with a few variations to the SpiderLabs github in the following formats:
- All rules built into 1 main John ruleset (Eliminates the need for loops in scripts)
- All rules but kept separated
- Top 7 based on stats built into 1 main John ruleset
- Top 7 but kept separated
We'll hopefully be making updates in the future, and suggestions are definitely welcome; feel free to clone the repository.