Part 1: The Art of Password Cracking (with science!)

When performing an on-site penetration test, there is usually a need to crack observed password hashes in a hurry. The quicker a hash is cracked and the password is recovered, the quicker privilege can be escalated and further information uncovered.

However, with so many wordlists, rules and masks available, it is always something of a guessing game which particular combination will give you results the quickest. Worse, trying different combinations in turn often means running overlapping searches, so precious time is wasted re-testing candidates that an earlier run already covered.

In order to rate all the combinations in terms of their efficiency, we need to take a step back and do some research. To this end, I’ve written some scripts that first analyse the performance of as many permutations as possible, giving each one a maximum of 15 minutes to run.

These combinations are run against several different password hash collections to gauge their performance under time pressure. Using more than one collection stops us from over-fitting to a single hashlist, for instance by tweaking a ruleset until it performs best on that one list, which is a weakness of many other articles that pursue a similar goal.

We also have to discuss the term efficiency (or performance) in this context, as there could be a few different interpretations of this. The key hash cracking performance indicators are hash calculations per second (H/s) and the size of the keyspace that is being searched through for a particular list/rule/mask combination. Efficiency can then be thought of as different things, for example:

  1. The percentage of the total hashes cracked by a given combination per unit of time.
  2. The percentage of the total hashes cracked by a given combination per unit of keyspace searched.
  3. The percentage of hashes cracked by this combination alone, i.e. those not found by any other combination.
  4. The total percentage of hashes cracked once the combination has run to completion.

When dealing with “slow” hashes, such as sha512crypt, scrypt, Blowfish and the like, the first two ways of measuring efficiency may be very useful in deciding the combinations to use. However, with fast hashes such as plain NTLM, the final two ways may be preferable.
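To make the four definitions concrete, here is an added example (not the author's scripts) that scores a set of benchmark runs on each of them and ranks the combinations. Every record in it is constructed: a `Run` is one hypothetical combination (`dict_rules`, `mask8`, `dict_plain` are made-up labels) tried against one hash list under the time cap, recording the identifiers of the hashes it recovered, how many candidates it got through, the wall-clock time used and whether it exhausted its keyspace before the cap. Metrics are averaged per combination across hash lists, which is the point made above about not tuning to a single list.

```python
"""Score wordlist/rule/mask combinations by the four notions of efficiency.

Added example, not the author's scripts. All benchmark records are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Set


@dataclass
class Run:
    combination: str       # hypothetical label for a list/rule/mask combination
    hashlist: str          # which hash collection the run was made against
    total_hashes: int      # number of hashes in that collection
    cracked: Set[str]      # identifiers of the hashes this run recovered
    candidates: int        # keyspace actually searched before the cap
    seconds: float         # wall-clock time used (at most the cap)
    completed: bool        # True if the keyspace was exhausted before the cap


def cracked_pct(run: Run) -> float:
    return 100.0 * len(run.cracked) / run.total_hashes


def pct_per_second(run: Run, runs: List[Run]) -> float:
    """Metric 1: percent of the list cracked per second of cracking time."""
    return cracked_pct(run) / run.seconds


def pct_per_million(run: Run, runs: List[Run]) -> float:
    """Metric 2: percent of the list cracked per million candidates tried."""
    return cracked_pct(run) / (run.candidates / 1_000_000)


def unique_pct(run: Run, runs: List[Run]) -> float:
    """Metric 3: percent cracked by this combination and by no other on the same list."""
    found_elsewhere: Set[str] = set()
    for other in runs:
        if other.hashlist == run.hashlist and other.combination != run.combination:
            found_elsewhere |= other.cracked
    return 100.0 * len(run.cracked - found_elsewhere) / run.total_hashes


def completion_pct(run: Run, runs: List[Run]) -> Optional[float]:
    """Metric 4: percent cracked once the keyspace is exhausted; undefined if the cap hit first."""
    return cracked_pct(run) if run.completed else None


METRICS = {
    "pct_per_second": pct_per_second,
    "pct_per_million": pct_per_million,
    "unique_pct": unique_pct,
    "completion_pct": completion_pct,
}


def score(runs: List[Run]) -> Dict[str, Dict[str, Optional[float]]]:
    """Average each metric per combination across all hash lists it was run against."""
    table: Dict[str, Dict[str, Optional[float]]] = {}
    for combo in sorted({r.combination for r in runs}):
        combo_runs = [r for r in runs if r.combination == combo]
        table[combo] = {}
        for name, fn in METRICS.items():
            values = [v for v in (fn(r, runs) for r in combo_runs) if v is not None]
            table[combo][name] = mean(values) if values else None
    return table


def rank_combinations(runs: List[Run], metric: str) -> List[str]:
    """Combinations ordered best-first on one metric; runs with no value are left out."""
    scored = [(c, m[metric]) for c, m in score(runs).items() if m[metric] is not None]
    return [c for c, _ in sorted(scored, key=lambda cv: cv[1], reverse=True)]


def coverage_pct(runs: List[Run], hashlist: str) -> float:
    """Percent of one list cracked by the union of every combination tried on it."""
    rel = [r for r in runs if r.hashlist == hashlist]
    if not rel:
        return 0.0
    union: Set[str] = set().union(*(r.cracked for r in rel))
    return 100.0 * len(union) / rel[0].total_hashes


def _ids(prefix: str, lo: int, hi: int) -> Set[str]:
    return {f"{prefix}{i}" for i in range(lo, hi)}


# Constructed benchmark records: two hash lists, three combinations, 900 s cap.
SAMPLE_RUNS = [
    Run("dict_rules", "listA", 1000, _ids("A", 0, 300), 2_000_000_000, 900, False),
    Run("mask8", "listA", 1000, _ids("A", 250, 350), 6_000_000_000, 900, False),
    Run("dict_plain", "listA", 1000, _ids("A", 0, 200), 14_000_000, 60, True),
    Run("dict_rules", "listB", 500, _ids("B", 0, 100), 2_000_000_000, 900, False),
    Run("mask8", "listB", 500, _ids("B", 90, 140), 6_000_000_000, 900, False),
    Run("dict_plain", "listB", 500, _ids("B", 0, 80), 14_000_000, 60, True),
]

if __name__ == "__main__":
    for metric in METRICS:
        print(f"{metric:16s} {rank_combinations(SAMPLE_RUNS, metric)}")
    for combo, metrics in score(SAMPLE_RUNS).items():
        print(combo, metrics)
    print("union coverage of listA:", coverage_pct(SAMPLE_RUNS, "listA"), "%")
```

On the constructed data the quick, small dictionary run wins on metrics 1 and 2, while the mask run wins on metric 3 because it is the only one reaching the passwords the dictionaries miss; that is exactly the tension between the first two and the last two measures described above. Metric 4 is only defined for runs that finished inside the cap, so ranking on it silently drops the others, which is worth remembering when comparing fast and slow hashes.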

In order to improve efficiency in cracking slow hashes, I’d like to focus on determining which types of metadata help us crack more hashes. This is what the next parts in this series will focus on.