CMIYC 2020

By /

2020-08-28

If you don’t know what this is….move along.

ACTo get started I ran rockyou.txt list using my AllRules.rule just to crack a few and see what we are dealing with. This was the first:$5$4rm$XO0sNLIHhyJYLzKvGIXBTiK5F9LQI0G9iaWiFSlUv96:Dallas214Then there was an Okland and Phoenix one that was similar, a quick google search identified that the 3 digits on the end are area codes! Looks like we have a list of cities and area codes!Hash.Type……..: sha256crypt $5$, SHA256 (Unix)AKA: “-m 7400”Grabbed some lists of cities and area codes from here:https://simplemaps.com/data/us-cities – just downloadedhttp://jordonmeyer.com/text-list-of-us-cities/ – used cewl and copy/paste (cewl would lose city names with spaces in them)https://www.50states.com/areacodes/ (didn’t really use yet)https://www.lincmad.com/cities.html used cewl and copy/pastehttps://www.nationalnanpa.com/reports/reports_cocodes_assign.html used cewl and copy/pastehttps://www.bennetyee.org/ucsd-pages/area.html cewl and copy/pastehttps://github.com/ravisorg/Area-Code-Geolocation-Database just downloaded the csv file then formatted it for useHelpful notes:had to uppercase first letter of words, could use the hashcast “E” rule which does that but wanted to pre-process the word list so I could use my add3digits.rule so I used this sed command: sed -e "s/\b\(.\)/\u\1/g"

Also I used the combinator.bin from the hashcat-utils files to combine the area codes numbers to the city names. After that I began using the add3digits.rule mentioned below../combinator.bin cities.txt areacodes.txt > combined-city-and-area-codes.txt

Here is my current command run, notice I am keeping all these in their own pot file and the add3digits.rule came from my Netgear wifi cracking stuff.hashcat -a 0 -m 7400 --username --potfile-path AC.potfile STREET-AC.hashlist AC/list2ofcities.txt -r AC/add3digits.rule

currently 64 out of 100….

ASStarted this one same as before, with rockyou and AllRules to see what I could find out. First two cracked were “#Usher” and “#Creek” so it looks like we have a “#” symbol with a word behind it…..quickly created a rule set that would put a # in front of the words and then play with capitol/lower/title type rules and called it AS.rule and started running my 4-6 character words from the Top2Billion file and also started pulling political terms and first/last names. I also used the city names from the AC wordlists above. Also pulled some other quality word lists.

0x01006a676130a7f0052290d7d458e4bfaf3975080aec40ba00ae:#Usher

hashcat -a 0 -m 132 –username –potfile-path AS.potfile STREET_AS.hashlist AC/cities.txt -r AS/AS.rule

CCAlso started this one with rockyou but used best64.rules(comes with hashcat) to just get a few to see what we are dealing with.{SSHA}r4JFnNcaIUdpzy2MJvU/pBOWLbBoUjMw:Diner3835and got a few more similar with a word and 4 digit number on the end….so started using the short lists as above but created a rule by using the mp64.bin from the hashcat-utils to generate a rule file to add the 4 digits:mp64 -o CC.rule ‘$?d $?d $?d $?d’

I only got about 100 entries that way but found Dinner/Visa/JCB with 4 digit numbers so this helped me identify that this was related to credit card and system numbers….so I played around and found the numbers at the end were sometimes shorter/longer than only 4 digits. So I would do this:hashcat -a 3 -m 111 –username –increment –increment-min 5 –potfile-path CC.potfile STREET_CC.hashlist Visa?d?d?d?d?d?dThis would start at 5 character passwords and build it’s way up….but I still needed to know the other credit card names…so I did this:hashcat -a 3 -m 111 –username –increment -increment-min 3 –potfile-path CC.potfile STREET_CC.hashlist -1 ?u?l?d ?1?1?1?1?d?d?d?d?dand when I would find a new base name I would use the previous method to find all it’s entries. (AMEX, Diner, DISC, enr, JCB, MC, Visa, VISA, VOY)

This got me to 100% on the CC list of hashes!

JMfor this since the hashes were not computationally heavy I went ahead and started with the Top2Billion-probable.txt and the AllRules.rule files. I noticed as we were cracking that the words were based off the words bad and medicine so I created a wordlist of just bad and medicine then started running my AllRules.rule on it. As each cracking pass finished I would take all the cracked hashes and add them to my wordlist file, something like this:cat JM.potfile | cut -d ‘:’ -f 2 >> JM.wordlist.txtI would then run the crack attempt using that new wordlist and my same AllRules.rule

hashcat -a 0 -m 100 –username –potfile-path JM.potfile STREET-JM.hashlist JM/JM.wordlist.txt -r JM/jm.rule

EMThis was fun, we had to discover the hash type, and it was too long to be an Oracle 11 hash, but we looked all over the place and found some identifiers that were saying Oracle 11, so we went ahead and put in a “:” at 40 basically splitting the hashes from the salts…and that was the key! I used a sed command to help:

sed 's/^\(.\{40\}\)/\1:/' hashfile

Then I just started with my rockyou with best64.rule and then plain old Top2Billion with best64…..etc.

I looked at the passwords, they were not very complicated and some were quite random, so I ran a mask attack using the increment flag for all lower case up to 8 char then upper case up to 8 char (most of the passwords were not mixed upper/lower.

HZThis was mediawiki hashes…AKA: 3711 and started with rockyou and top2billion with no rules. Seemed like regular words….$B$rZ3WFz6F$5ed001a9fa23ace4166fc6595fa18509:HAMMER$B$rebdWsG7$6396788bfbb25f663876dbab4c563992:Thump3r$B$cYFnWPRn$800a20342b3b892dd854c6d3b2f5e6fb:Andy$B$Azr6gTvN$f13f761472c68b06e787f48ca8531e71:Bucky$B$JCSUmSGA$a883ca2a7787ed715dce08d7ef3b55d9:Sup3rb0y$B$vQf1lxk3$80ae87c4a639acc7a8c28a8e2e813e53:Thund3r$B$dHF3qkHR$d0b134417c994e9ff76e1ad9709fbcf9:Qu33n$B$AIAJubE0$aeca9fcc0085190d8899eee9e4682008:B@tm@n$B$WVkLLrYl$a7c70e4a2ae39eeee271e85c1bda7922:Sp33dy$B$B0goCogx$1444e9aa13c7bb451de84a7561ee0a2d:Sp@rr0w$B$TGLtnEyD$442abce1476cff8ca87f418c8210523e:L@ur3n$B$6sqzN0cD$89521971bd9e60feb90226f4162ab8bf:Sp3ctrum$B$V6hjA94g$3cb8085d124d8931432e6030747b7289:1c3m@n$B$U4oUh13D$2f80a35e6891a782a6565183dd11ee09:M$B$7SKEO593$93189f760d95b31418decf24be379e7d:Humbugbut it does look like we are using @ for lowercase a and 3 for lowercase e, and possibly 1 for upper case I….will run a rule like that to see what we get. (update: it went very well!)HZ.rule file contained:se3 so0 sa@ sI1so0 sa@ sI1sa@ sI1sI1se3so0sa@ I split the top2billion file using splitlen.bin from hashcat-utils and made a file that only contained 1-8 character passwords then did this:hashcat -a 0 -m 3711 –username –potfile-path HZ.potfile STREET-HZ.hashlist wordlists/split/one-to-eight.txt -r HZ/HZ.rule

NPSeems to be 20300 – $pbkdf2-sha256$ but I think I was told it should be 10900 so I need to evaluate it, I ran rockyou on it for a bit with best64 but didn’t get anything so I will come back to this one.

JGthis one appears to be 23100 – apple keychain but my hashcat isn’t new enough to handle it…guess I need to do some upgrades before I work on this one.

MRSHA2-256 hashes, and as I did my usual tests with rockyou and best64 it appears to be based off PAssword with two numbers and two symbols.So…..I tried a hybrid attack with a wordlist that contained only PAssword:hashcat -a 6 -m 1400 –username –potfile-path MR.potfile STREET_MR.hashlist MR/MR.wordlist ?d?d?s?sdidn’t get a ton but progress…now I assume there is a difference to the word PAssword I should play with….

MU1700 sha-512, did usual test rockyou/best64 to get started, got nothing…switched to AllRules.rule, started getting 2020 in words, like at different positions in the words. So looks like a insert rule at different locations, but all the letters look lower case with no other numbers and some have a period at the end. It does look like a smaller subset of words may need to look closer at that.

Created a script to create a rule that will put 2020 in at different parts of a password, and will also append a ‘.’ and a ‘,’ at the end.

!/bin/bashfor num in {1..12}donum1=$(($num+1))num2=$(($num+2))num3=$(($num+3))echo -n i$numecho -n 2 i$num1echo -n 0 i$num2echo -n 2 i$num3echo 0echo -n i$numecho -n 2 i$num1echo -n 0 i$num2echo -n 2 i$num3echo “0 $.”echo -n i$numecho -n 2 i$num1echo -n 0 i$num2echo -n 2 i$num3echo “0 $,”echo -n i$numecho -n 2 i$num1echo -n 0 i$num2echo -n 2 i$num3echo “0 \$?”echo -n i$numecho -n 2 i$num1echo -n 0 i$num2echo -n 2 i$num3echo “0 \$!”done

RP400 wordpress/joomla and ran usual rockyou/best64 started getting some…originally thought it was names/numbers of 8 char but started to get some shorter ones

TB1800, started with usual rockyou/best64 but WOW it was going to take a LONG time…so I switched to just rockyou…. on a single 1080 card no rules it still says it will take 5 days…..

TH1731 MSSQL (2012, 2014), running rockyou/best64

PREV

Ping a mac address

NEXT

pfsense

Lance Grover

© 2015-2023 Lance Grover

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top