Analysis of Leaked Stratfor Password Hashes

After reading an analysis of the leaked Stratfor password hashes elsewhere, I was inspired to do an analysis myself. I was rather surprised that the report only cracked 81,833 passwords in 4 hours and 53 minutes, so I decided to do a bit of cracking on my own, mainly to see if I could get a more complete view of the passwords used in the Stratfor database.

Over the past few years I have gathered a good amount of data and knowledge about how users get around password policies. I'm not going into detail on the Stratfor password policy, as it is already covered in the article linked above, but suffice to say that Stratfor, like so many others, had a weak password policy, one that makes hashing the passwords almost useless as a defence against cracking.


The Wordlists
Some wordlists are freely available, such as the widely known JohnTheRipper wordlist or the one packaged with Cain & Abel. The creators of JohnTheRipper even maintain a public listing of free wordlists; however, those lists are designed to get you passwords very quickly, so they are small and not very 'complete'. Larger wordlists can be found scattered around the Internet, but they are generally of low quality and most of the time contain garbage with no resemblance to real passwords. There are some better quality wordlists out there, some free, some not, but when all is said and done it is always better to create your own custom wordlists.

Being very eccentric in the field, I have created my own wordlist based on huge amounts of data from the Internet. My personal wordlist is a whopping 14.6 GB and is based on about 5000 smaller wordlists and other data sources. Deduplicated, capped at a maximum password length of 25 and sorted by word frequency, it is very efficient when used in combination with a GPU. I will post more details later on how to create a good wordlist.
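The properties just described (merge many sources, drop blanks and over-long entries, deduplicate, most frequent candidates first) are easy to reproduce on a small scale. The following is an added example written for this page, not the author's own tooling; the three sample sources are constructed inline, and the 25-character cap is taken from the text.

```python
from collections import Counter
from pathlib import Path

MAX_LEN = 25  # length cap used for the wordlist described above

# Constructed stand-ins for the many small wordlists being merged. In practice
# these would be files on disk loaded with read_sources() below.
SAMPLE_SOURCES = {
    "leak_a.txt": "password\n123456\nqwerty\npassword\nletmein\n" + "a" * 30 + "\n",
    "leak_b.txt": "123456\npassword\nstratfor\n\r\n123456\n",
    "leak_c.txt": "letmein\n" + "b" * 26 + "\nqwerty\n",
}


def count_words(sources, max_len=MAX_LEN):
    """Tally how often each candidate occurs across all sources.

    Blank lines and entries longer than max_len are skipped: over-long
    entries are almost never real passwords and only bloat the list.
    """
    counts = Counter()
    for text in sources.values():
        for line in text.splitlines():
            word = line.rstrip("\r")
            if not word or len(word) > max_len:
                continue
            counts[word] += 1
    return counts


def build_wordlist(sources, max_len=MAX_LEN):
    """Deduplicated candidate list, most frequent first.

    Ties are broken alphabetically so the output is stable between runs;
    a GPU cracker then tries the likeliest words earliest.
    """
    counts = count_words(sources, max_len)
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def read_sources(paths):
    """Read wordlist files from disk. Bad bytes are replaced rather than
    aborting, since scraped lists are rarely clean UTF-8."""
    return {str(p): Path(p).read_text(encoding="utf-8", errors="replace")
            for p in paths}


def write_wordlist(path, words):
    Path(path).write_text("\n".join(words) + "\n", encoding="utf-8")


if __name__ == "__main__":
    for word in build_wordlist(SAMPLE_SOURCES):
        print(word)
```

For real sources, replace `SAMPLE_SOURCES` with `read_sources(glob.glob("lists/*.txt"))`; for a 14.6 GB result the `Counter` will not fit in memory on a typical box, and the same ordering can be produced with external sorting (`sort | uniq -c | sort -rn`), but the filtering logic is the same.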
Hashcat-Plus working on a wordlist
Rules
Some cracking applications can apply rules to passwords; this is also referred to as word mangling. It is the process of taking a candidate password and applying some transformation to it. I've listed some of the common rules below, using "password" as the example:
  • Uppercase first char - result: Password
  • Append 1 - result: password1
  • Duplicate word - result: passwordpassword
  • Prepend ! - result: !password
An efficient rule set can make your wordlist 10 times more effective without using more disk space, at the cost of a little more time. Running all my wordlists with a custom rule-set took about 5 hours.
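To make the mangling concrete, here is a small rule-based dictionary attack, added here as an example and not taken from the post. The rule names follow hashcat's rule syntax for the four transformations listed above (`c` capitalise, `$1` append "1", `d` duplicate, `^!` prepend "!", plus `:` for "try the word unchanged"). The hash function is assumed to be unsalted MD5 purely for illustration; the post does not say which algorithm Stratfor used. The wordlist and target hashes are constructed inline, the hashes being derived from known plaintexts so the run is verifiable offline.

```python
import hashlib


def md5_hex(s):
    """Assumed hash scheme for the demo: unsalted MD5 of the UTF-8 password."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Mangling rules, named with hashcat's rule syntax. 'c' follows hashcat's
# semantics: upper-case the first character and lower-case the rest.
RULES = {
    ":":  lambda w: w,
    "c":  lambda w: w[:1].upper() + w[1:].lower(),
    "$1": lambda w: w + "1",
    "d":  lambda w: w + w,
    "^!": lambda w: "!" + w,
}


def mangle(word, rules=RULES):
    """Yield (candidate, rule_name) for every rule applied to one base word."""
    for name, fn in rules.items():
        yield fn(word), name


def crack(hashes, wordlist, rules=RULES, hashfunc=md5_hex):
    """Dictionary attack with rules.

    Returns {hash: (plaintext, rule)} for every target recovered and stops
    as soon as all targets are found. Each base word costs len(rules)
    hash computations, which is the "a little more time" trade-off above.
    """
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for cand, rule in mangle(word, rules):
            digest = hashfunc(cand)
            if digest in targets and digest not in found:
                found[digest] = (cand, rule)
                if len(found) == len(targets):
                    return found
    return found


# Constructed sample data: a four-word list and five targets. 'dragon' is
# neither in the list nor reachable from it by any rule, so it should survive.
WORDLIST = ["password", "letmein", "stratfor", "qwerty"]
PLAINTEXTS = ["Password", "password1", "!letmein", "stratforstratfor", "dragon"]
TARGETS = [md5_hex(p) for p in PLAINTEXTS]


def demo():
    """Run the attack on the sample data; returns {plaintext: rule_that_hit}."""
    return {cand: rule for cand, rule in crack(TARGETS, WORDLIST).values()}


if __name__ == "__main__":
    hits = demo()
    for cand, rule in sorted(hits.items()):
        print(f"{rule:>3}  {cand}")
    print(f"{len(hits)}/{len(TARGETS)} recovered")
```

Four of the five sample hashes fall to the rules; the fifth shows the limit of the technique, which is where the brute-force stage described next comes in.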

Brute Force
Brute forcing hashes is only effective when the password policy does not impose a minimum length and does not enforce the use of digits and symbols. Stratfor's password policy is one of many weak ones, so brute force can be used against its hashes. Having a good strategy for which character sets to use is essential to reduce the time it takes to brute force the hashes. I chose to go all out and run everything from 1 to 8 characters in length over uppercase, lowercase and digits. I also ran digits only up to 12 characters and symbols only up to 10. The total time spent on brute force was 3 days and 14 hours, without tuning hashcat to use the full potential of my graphics card.
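The charset strategy matters because the keyspace grows as (charset size)^length, summed over every length tried. The following added example (mine, not the post's) computes the keyspace of the three runs described above and shows the length-ordered enumeration a mask attack performs, on a deliberately tiny mask so it finishes instantly. As in the previous example the hash is assumed to be unsalted MD5 for illustration, and the three target hashes are constructed from known plaintexts. The character classes mirror hashcat's `?l ?u ?d ?s`, with `?s` being the 33 printable punctuation characters including space.

```python
import hashlib
import itertools
import string

# Character classes in the style of hashcat's built-in charsets.
CHARSETS = {
    "?l": string.ascii_lowercase,      # 26
    "?u": string.ascii_uppercase,      # 26
    "?d": string.digits,               # 10
    "?s": string.punctuation + " ",    # 33, as in hashcat's ?s
}


def md5_hex(s):
    """Assumed hash scheme for the demo: unsalted MD5 of the UTF-8 password."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def expand(classes):
    """'?l?u?d' -> the 62-character alphabet those classes cover."""
    parts = (classes[i:i + 2] for i in range(0, len(classes), 2))
    return "".join(CHARSETS[c] for c in parts)


def keyspace(charset_size, min_len, max_len):
    """Number of candidates for every length in min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


# The three brute-force runs described in the text: (classes, min_len, max_len).
PLAN = [("?l?u?d", 1, 8), ("?d", 1, 12), ("?s", 1, 10)]


def plan_sizes(plan=PLAN):
    """Keyspace of each run, keyed by its charset classes."""
    return {classes: keyspace(len(expand(classes)), lo, hi)
            for classes, lo, hi in plan}


def brute_force(hashes, charset, max_len, hashfunc=md5_hex):
    """Enumerate all strings over charset, shortest length first, until every
    target is found. Returns {hash: plaintext}. Length-ascending order means
    the cheap lengths are exhausted before the expensive ones are started."""
    targets = set(hashes)
    found = {}
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            cand = "".join(tup)
            digest = hashfunc(cand)
            if digest in targets and digest not in found:
                found[digest] = cand
                if len(found) == len(targets):
                    return found
    return found


# Constructed sample targets, all within ?l?d and at most 3 characters long,
# so the demo enumerates only 36 + 36^2 + 36^3 = 47,988 candidates.
SAMPLE_PLAINTEXTS = ["7q", "ab1", "zz9"]
SAMPLE_TARGETS = [md5_hex(p) for p in SAMPLE_PLAINTEXTS]


def demo():
    return brute_force(SAMPLE_TARGETS, expand("?l?d"), 3)


if __name__ == "__main__":
    for classes, size in plan_sizes().items():
        print(f"{classes:<8} {size:>24,d} candidates")
    print("recovered:", sorted(demo().values()))
```

The printed sizes make the author's ordering obvious: the digits-only run to 12 characters is about 1.1 trillion candidates, the symbol run to 10 characters is far larger, and the mixed alphanumeric run to 8 characters dwarfs both at roughly 2.2 x 10^14, which is why that one dominates the 3 days and 14 hours and why a length-9 mixed run is not attempted.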

The Results
The Stratfor leak contained 860,160 hashes, and a total of 746,324 of them were cracked. That is a whopping 86.76% of the hashes!

Length distribution
(chart not reproduced)

Average password length: 7.907926

Character distribution
(chart not reproduced)

Contained in common wordlists
(chart not reproduced)

Top 30 most common passwords
(chart not reproduced)

Top 30 longest passwords
(chart not reproduced)

Notes
It struck me that almost all (86.76%) passwords were 8 characters long. A more uniform distribution is normally found in password databases.
