Sunday, Apr 07, 2013

Tektip ep27 - hashCollect.py

With the #OpIsrael activity going on right now, there have been many more password dumps published than usual. For instance, using Andrew Mohawk's PasteLert web app, I get alerted any time a Pastebin post includes the hash e10adc3949ba59abbe56e057f20f883e, which is the MD5 hash of the most common password: 123456. I set up the alert for this hash because it will catch password dumps regardless of the language. I admit there are some faults, though, particularly if the site the passwords were dumped from has password requirements that would not allow a password of 123456. The following is a graph that shows the typical number of dumps I see with these parameters:

As you can see, #OpIsrael has caused a significant uptick in the number of password dumps that include the hash for 123456.

My typical process once I get hold of one of these dumps is to download the file, manually strip out the typical header data (the name of the operation and all the propaganda), and then use the cut command to pull out just the hashes. While this isn't too lengthy a process, I am a lazy man. From this laziness comes hashCollect.py.

HashCollect.py is a Python tool I wrote that will scrape MD5 hashes out of a specific file or URL. While this script is pretty bare right now, it gets the job done. I have many plans for it that you will hopefully see soon.

You can download hashCollect along with my other scripts at GitHub.

The help command will show the options:

root@bt:~/workspace/Automater# ./hashCollect.py -h
usage: hashCollect.py [-h] [-u URL] [-f FILE] [-o OUTPUT]
Hash Collector
optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     This option is used to search for hashes on a website
  -f FILE, --file FILE  This option is used to import a file that contains
                        hashes
  -o OUTPUT, --output OUTPUT
                        This option will output the results to a file.

Run hashCollect against a file:

root@bt:~/workspace/Automater# ./hashCollect.py -f hashes 

Run hashCollect against a URL:

root@bt:~/workspace/Automater# ./hashCollect.py -u http://pastebin.com/2ysAGFJY

Output the results to a file:

root@bt:~/workspace/Automater# ./hashCollect.py -u http://pastebin.com/2ysAGFJY -o /tmp/outputfileforhashes.txt

[+] Printing results to file: /tmp/outputfileforhashes.txt 

That's it for now, but I will grow this out soon. Some of the features I am thinking about adding are:

  • Allow custom regex
  • Allow for pulling other hashes like SHA256
  • Check hashes against online hash crackers
  • Output to a database
  • Create a frontend
  • What would you like to see?

Have any suggestions? Let me know at 1aN0rmus@TekDefense.com.
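
The kind of extraction hashCollect.py performs, shown as an added example (this is not the hashCollect.py source). It generalizes to the SHA-1 and SHA-256 lengths mentioned in the feature list; the function names and the sample paste are assumptions constructed for the demo.

```python
import hashlib
import re
from collections import Counter

# Hex digest lengths for the hash types handled here.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# MD5 of "123456": the value the post uses as its PasteLert trigger.
CANARY_MD5 = "e10adc3949ba59abbe56e057f20f883e"


def extract_hashes(text, kind="md5"):
    """Return every hex string of exactly the digest length for `kind`.

    The lookarounds reject runs embedded in a longer hex string, so one
    SHA-256 digest is not misreported as MD5 hashes.
    """
    n = HASH_LENGTHS[kind]
    hexrun = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{%d}(?![0-9a-fA-F])" % n)
    # Lower-case so the same digest in different case counts as one value.
    return [m.group(0).lower() for m in hexrun.finditer(text)]


def summarize(text, kind="md5"):
    """Totals, repeated digests, and whether the canary hash is present."""
    found = extract_hashes(text, kind)
    counts = Counter(found)
    return {
        "total": len(found),
        "unique": len(counts),
        "repeated": {h: c for h, c in counts.items() if c > 1},
        "has_canary": CANARY_MD5 in counts,
    }


# Constructed sample paste: header noise, user:hash rows, one SHA-256 digest
# and one short hex word. All addresses and values are made up for the demo.
MD5_PASSWORD = hashlib.md5(b"password").hexdigest()
SHA256_SAMPLE = hashlib.sha256(b"123456").hexdigest()
SAMPLE = "\n".join([
    "#Op banner, greetings and other header text",
    "admin@example.test:" + CANARY_MD5.upper(),
    "bob@example.test:" + MD5_PASSWORD,
    "carol@example.test:" + CANARY_MD5,
    "sha256 " + SHA256_SAMPLE,
    "short deadbeef",
])

if __name__ == "__main__":
    for h in extract_hashes(SAMPLE):
        print(h)
    print(summarize(SAMPLE))
```

Repeated digests in the summary are a quick sign that the dump is unsalted, since identical passwords then hash to identical values.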

Sunday, Nov 18, 2012

TekTip ep14 - Pipal Password Analysis of Yahoo password dump

Last week our good friends over at Bruteforce Labs posted a quick tutorial for Pipal. I figured the TekDefense user base may also benefit from this tool.
Description: A password analysis tool that gives relevant statistics of passwords given a password dump.
Uses:  Analyze password trends, create better wordlists, educate users
Installation:
* Requires Ruby 1.9.x
* BT5 comes with Pipal 1.0. If you are on BackTrack, update Pipal to 2.0.
Usage:
1.  First you will need a password dump to play with.  There are several out in the wild.  You can find some here:
http://www.skullsecurity.org/wiki/index.php/Passwords
For my demo I will use the recent (kinda) Yahoo dump
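2. Get the file ready for Pipal:
Pipal only wants the passwords in the file, so cut out the rest. Using -f 3- rather than -f 3 keeps everything from the third field onward, so a password that itself contains a colon is not truncated.
cut -d: -f 3- yahoousersandpass.txt > yahoopassesonly.txt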
3. Run Pipal:
./pipal.rb ~/leakedpasswords/yahoopassesonly.txt -o yahoodemo
4. Analyze results
We analyzed 442837 passwords in this dump!
Total entries = 442837
Total unique entries = 342509
Here we see some pretty standard bad passwords:
Top 10 passwords
123456 = 1667 (0.38%)
password = 780 (0.18%)
welcome = 437 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)
Base passwords are passwords that contain a word but are not only that word:
Top 10 base words
password = 1374 (0.31%)
welcome = 535 (0.12%)
qwerty = 464 (0.1%)
monkey = 430 (0.1%)
jesus = 429 (0.1%)
love = 421 (0.1%)
money = 407 (0.09%)
freedom = 385 (0.09%)
ninja = 380 (0.09%)
sunshine = 367 (0.08%)
As we see in most password dumps, most people go with 8 character passwords.  This is a common requirement, and has been drilled into people for a while now, so no surprise there.  116 people had a 1 character password though?  I usually don't try passwords less than 4 characters when I password crack, guess I might need to bring them back in.
Password length (length ordered)
1 = 116 (0.03%)
2 = 70 (0.02%)
3 = 302 (0.07%)
4 = 2748 (0.62%)
5 = 5324 (1.2%)
6 = 79629 (17.98%)
7 = 65610 (14.82%)
8 = 119133 (26.9%)
9 = 65964 (14.9%)
10 = 54759 (12.37%)
11 = 21218 (4.79%)
12 = 21729 (4.91%)
13 = 2657 (0.6%)
14 = 1492 (0.34%)
15 = 837 (0.19%)
16 = 568 (0.13%)
17 = 262 (0.06%)
18 = 125 (0.03%)
19 = 88 (0.02%)
20 = 177 (0.04%)
21 = 10 (0.0%)
22 = 7 (0.0%)
23 = 2 (0.0%)
24 = 2 (0.0%)
27 = 1 (0.0%)
28 = 4 (0.0%)
29 = 2 (0.0%)
30 = 1 (0.0%)
Password length (count ordered)
8 = 119133 (26.9%)
6 = 79629 (17.98%)
9 = 65964 (14.9%)
7 = 65610 (14.82%)
10 = 54759 (12.37%)
12 = 21729 (4.91%)
11 = 21218 (4.79%)
5 = 5324 (1.2%)
4 = 2748 (0.62%)
13 = 2657 (0.6%)
14 = 1492 (0.34%)
15 = 837 (0.19%)
16 = 568 (0.13%)
3 = 302 (0.07%)
17 = 262 (0.06%)
20 = 177 (0.04%)
18 = 125 (0.03%)
1 = 116 (0.03%)
19 = 88 (0.02%)
2 = 70 (0.02%)
21 = 10 (0.0%)
22 = 7 (0.0%)
28 = 4 (0.0%)
23 = 2 (0.0%)
24 = 2 (0.0%)
29 = 2 (0.0%)
30 = 1 (0.0%)
27 = 1 (0.0%)
        |                                                               
        |                                                               
        |                                                               
        |                                                               
        |                                                               
      | |                                                               
      | |                                                               
      ||||                                                              
      |||||                                                             
      |||||                                                             
      |||||                                                             
      |||||                                                             
      |||||                                                             
      |||||||                                                           
      |||||||                                                           
||||||||||||||||||||||||||||||||                                        
00000000001111111111222222222233
01234567890123456789012345678901
One to six characters = 88189 (19.91%)
One to eight characters = 272932 (61.63%)
More than eight characters = 169905 (38.37%)
66% only used lowercase alpha characters or only used numbers.
Only lowercase alpha = 146516 (33.09%)
Only uppercase alpha = 1778 (0.4%)
Only alpha = 148294 (33.49%)
Only numeric = 26081 (5.89%)
A common trend is for people to capitalize the first character, or add a number or special character to the end of a password. 
First capital last symbol = 1259 (0.28%)
First capital last number = 17467 (3.94%)
While months were used in passwords a decent amount in this dump, it doesn't look like days made up many of them.
Months
january = 106 (0.02%)
february = 30 (0.01%)
march = 192 (0.04%)
april = 284 (0.06%)
may = 725 (0.16%)
june = 386 (0.09%)
july = 245 (0.06%)
august = 238 (0.05%)
september = 68 (0.02%)
october = 182 (0.04%)
november = 154 (0.03%)
december = 130 (0.03%)
Days
monday = 48 (0.01%)
tuesday = 15 (0.0%)
wednesday = 9 (0.0%)
thursday = 18 (0.0%)
friday = 47 (0.01%)
saturday = 6 (0.0%)
sunday = 30 (0.01%)
Months (Abreviated)
jan = 1007 (0.23%)
feb = 172 (0.04%)
mar = 4719 (1.07%)
apr = 472 (0.11%)
may = 725 (0.16%)
jun = 798 (0.18%)
jul = 656 (0.15%)
aug = 504 (0.11%)
sept = 184 (0.04%)
oct = 425 (0.1%)
nov = 519 (0.12%)
dec = 404 (0.09%)
Days (Abreviated)
mon = 4431 (1.0%)
tues = 16 (0.0%)
wed = 212 (0.05%)
thurs = 29 (0.01%)
fri = 479 (0.11%)
sat = 365 (0.08%)
sun = 1237 (0.28%)
Another common trend is for users to add the year of their birth, their wedding, or the current year to their password. While it may be surprising that 2010, 2011, and 2012 didn't have many hits, it makes sense if you take the source into account. The Yahoo dump comes from an old database that was used as part of a migration for a company that Yahoo bought called Associated Content. This purchase occurred in 2010.
Includes years
1975 = 255 (0.06%)
1976 = 266 (0.06%)
1977 = 278 (0.06%)
1978 = 332 (0.07%)
1979 = 339 (0.08%)
1980 = 353 (0.08%)
1981 = 331 (0.07%)
1982 = 359 (0.08%)
1983 = 338 (0.08%)
1984 = 392 (0.09%)
1985 = 367 (0.08%)
1986 = 361 (0.08%)
1987 = 413 (0.09%)
1988 = 360 (0.08%)
1989 = 401 (0.09%)
1990 = 304 (0.07%)
1991 = 276 (0.06%)
1992 = 251 (0.06%)
1993 = 218 (0.05%)
1994 = 202 (0.05%)
1995 = 147 (0.03%)
1996 = 171 (0.04%)
1997 = 140 (0.03%)
1998 = 155 (0.04%)
1999 = 189 (0.04%)
2000 = 617 (0.14%)
2001 = 404 (0.09%)
2002 = 404 (0.09%)
2003 = 345 (0.08%)
2004 = 424 (0.1%)
2005 = 496 (0.11%)
2006 = 572 (0.13%)
2007 = 765 (0.17%)
2008 = 1145 (0.26%)
2009 = 1052 (0.24%)
2010 = 339 (0.08%)
2011 = 92 (0.02%)
2012 = 130 (0.03%)
2013 = 50 (0.01%)
2014 = 28 (0.01%)
2015 = 24 (0.01%)
2016 = 25 (0.01%)
2017 = 26 (0.01%)
2018 = 33 (0.01%)
2019 = 84 (0.02%)
2020 = 163 (0.04%)
Years (Top 10)
2008 = 1145 (0.26%)
2009 = 1052 (0.24%)
2007 = 765 (0.17%)
2000 = 617 (0.14%)
2006 = 572 (0.13%)
2005 = 496 (0.11%)
2004 = 424 (0.1%)
1987 = 413 (0.09%)
2001 = 404 (0.09%)
2002 = 404 (0.09%)
Red and Blue make up the majority of colors in the passwords.
Colours
black = 706 (0.16%)
blue = 1143 (0.26%)
brown = 221 (0.05%)
gray = 76 (0.02%)
green = 655 (0.15%)
orange = 250 (0.06%)
pink = 357 (0.08%)
purple = 346 (0.08%)
red = 2202 (0.5%)
white = 244 (0.06%)
yellow = 228 (0.05%)
violet = 66 (0.01%)
indigo = 35 (0.01%)
As stated previously, people tend to tack numbers and special characters at the end of passwords.  These statistics support that theory.
Single digit on the end = 47391 (10.7%)
Two digits on the end = 73640 (16.63%)
Three digits on the end = 31095 (7.02%)
Last number
0 = 17553 (3.96%)
1 = 46694 (10.54%)
2 = 24623 (5.56%)
3 = 29232 (6.6%)
4 = 17692 (4.0%)
5 = 17405 (3.93%)
6 = 17885 (4.04%)
7 = 20402 (4.61%)
8 = 17847 (4.03%)
9 = 19919 (4.5%)
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 | |                                                                    
 | |                                                                    
 |||                                                                    
 |||                                                                    
||||| ||||                                                              
||||||||||                                                              
||||||||||                                                              
||||||||||                                                              
||||||||||                                                              
||||||||||                                                              
||||||||||                                                              
0123456789
Last digit
1 = 46694 (10.54%)
3 = 29232 (6.6%)
2 = 24623 (5.56%)
7 = 20402 (4.61%)
9 = 19919 (4.5%)
6 = 17885 (4.04%)
8 = 17847 (4.03%)
4 = 17692 (4.0%)
0 = 17553 (3.96%)
5 = 17405 (3.93%)
Last 2 digits (Top 10)
23 = 12364 (2.79%)
12 = 6416 (1.45%)
11 = 5476 (1.24%)
01 = 5097 (1.15%)
00 = 4098 (0.93%)
21 = 3669 (0.83%)
08 = 3627 (0.82%)
07 = 3598 (0.81%)
22 = 3587 (0.81%)
13 = 3548 (0.8%)
Last 3 digits (Top 10)
123 = 9446 (2.13%)
456 = 2443 (0.55%)
234 = 2160 (0.49%)
007 = 1477 (0.33%)
000 = 1268 (0.29%)
008 = 1150 (0.26%)
009 = 1086 (0.25%)
111 = 1056 (0.24%)
777 = 980 (0.22%)
101 = 895 (0.2%)
Last 4 digits (Top 10)
3456 = 2151 (0.49%)
1234 = 1968 (0.44%)
2008 = 1033 (0.23%)
2009 = 927 (0.21%)
2345 = 750 (0.17%)
2007 = 674 (0.15%)
2000 = 535 (0.12%)
2006 = 502 (0.11%)
1111 = 436 (0.1%)
2005 = 436 (0.1%)
Last 5 digits (Top 10)
23456 = 2121 (0.48%)
12345 = 724 (0.16%)
56789 = 316 (0.07%)
45678 = 305 (0.07%)
11111 = 269 (0.06%)
34567 = 231 (0.05%)
54321 = 197 (0.04%)
00000 = 162 (0.04%)
99999 = 150 (0.03%)
23123 = 132 (0.03%)
Most popular area codes based on the 3 character numbers found.
US Area Codes
456 = Inbound International (--)
234 = NE Ohio: Canton, Akron (OH)
Now here is some data that can be directly applied to password cracking.
Character sets
loweralphanum: 224095 (50.6%)
loweralpha: 146516 (33.09%)
numeric: 26081 (5.89%)
mixedalphanum: 23238 (5.25%)
loweralphaspecialnum: 6070 (1.37%)
mixedalpha: 5122 (1.16%)
upperalphanum: 3416 (0.77%)
mixedalphaspecialnum: 3340 (0.75%)
loweralphaspecial: 2079 (0.47%)
upperalpha: 1778 (0.4%)
mixedalphaspecial: 486 (0.11%)
upperalphaspecialnum: 222 (0.05%)
specialnum: 188 (0.04%)
upperalphaspecial: 46 (0.01%)
special: 16 (0.0%)
Character set ordering
stringdigit: 185323 (41.85%)
allstring: 153416 (34.64%)
alldigit: 26081 (5.89%)
othermask: 25117 (5.67%)
digitstring: 24962 (5.64%)
stringdigitstring: 18677 (4.22%)
digitstringdigit: 4648 (1.05%)
stringspecialdigit: 2359 (0.53%)
stringspecial: 1111 (0.25%)
stringspecialstring: 833 (0.19%)
specialstringspecial: 168 (0.04%)
specialstring: 126 (0.03%)
allspecial: 16 (0.0%)
Hashcat masks (Top 10)
?l?l?l?l?l?l: 40693 (9.19%)
?l?l?l?l?l?l?l?l: 32439 (7.33%)
?l?l?l?l?l?l?l: 29129 (6.58%)
?l?l?l?l?l?l?d?d: 20316 (4.59%)
?l?l?l?l?l?l?l?l?l: 16185 (3.65%)
?l?l?l?l?l?l?l?l?d?d: 12632 (2.85%)
?d?d?d?d?d?d: 12583 (2.84%)
?l?l?l?l?l?l?l?d: 10620 (2.4%)
?l?l?l?l?l?l?l?l?l?l: 10310 (2.33%)
?l?l?l?l?l?l?l?d?d: 10281 (2.32%)
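
How tables like the length, trailing-digit and hashcat-mask sections above can be derived from an id:user:password dump, as an added example (this is not Pipal's code, and its category definitions are assumptions that may differ from Pipal's). The function names and sample rows are constructed for the demo.

```python
import re
from collections import Counter


def parse_dump_line(line, field=2):
    """Return the password from an `id:user:password` line, or None."""
    # maxsplit keeps colons that occur inside the password, which a plain
    # `cut -d: -f 3` would truncate. Blank or malformed lines yield None.
    parts = line.rstrip("\r\n").split(":", field)
    return parts[field] if len(parts) > field and parts[field] else None


def hashcat_mask(password):
    """Describe a password with hashcat's built-in charset tokens."""
    tokens = []
    for ch in password:
        if "a" <= ch <= "z":
            tokens.append("?l")
        elif "A" <= ch <= "Z":
            tokens.append("?u")
        elif "0" <= ch <= "9":
            tokens.append("?d")
        elif " " <= ch <= "~":
            tokens.append("?s")   # printable ASCII punctuation and space
        else:
            tokens.append("?b")   # simplification: anything non-ASCII
    return "".join(tokens)


def analyze(lines):
    """Compute a few Pipal-style tables for the passwords in `lines`."""
    pws = [p for p in map(parse_dump_line, lines) if p is not None]
    counts = Counter(pws)
    # Length of the run of digits at the end of each password (0 = none).
    runs = [len(re.search(r"[0-9]*$", p).group(0)) for p in pws]
    return {
        "total": len(pws),
        "unique": len(counts),
        "top_passwords": counts.most_common(3),
        "lengths": Counter(len(p) for p in pws),
        "masks": Counter(hashcat_mask(p) for p in pws),
        "trailing_digits": Counter(n for n in runs if n),
        "first_cap_last_digit": sum(
            1 for p in pws if re.fullmatch(r"[A-Z].*[0-9]", p)),
    }


# Constructed sample in the id:user:password layout; not real data.
SAMPLE = """\
1:alice@example.test:sunshine
2:bob@example.test:Password1
3:carol@example.test:123456
4:dave@example.test:qwerty12
5:erin@example.test:pa:ss99
6:frank@example.test:123456
malformed line without fields
7:gina@example.test:
"""
```

Call analyze(SAMPLE.splitlines()) to get the tables. The share of passwords covered by the few most common masks is a direct measure of how predictable a password set is under a given policy.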
1aN0rmus@tekdefense.com
http://www.securitytube.net/user/1aN0rmus
www.youtube.com/user/TekDefense