This is the story about how I cracked 122 million* password hashes with John the Ripper and oclHashcat-plus.

Author: m3g9tr0n, Copy Editor: Thireus.

It was several months ago, when I (m3g9tr0n) saw a tweet from KoreLogic about atorrent file containing various hash lists of passwords for a total of 146 million passwords. This very big amount of password hashes at first discouraged me, as I only own a classic computer configuration with an AMD Phenom II 4 cores at 3,2 Mhz in addition to an ATI/AMD 5770 graphics card. But I really wanted to give it a try because the field of password cracking fascinates me.

The password cracking tools I used during this long trip were John the Ripperand oclHashcat-plus. This article is about cracking the provided MD5 hashes of KoreLogic only, but the same strategy was also applied to the SHA1 hashes.

Updates:

  • 08/29/2012 – New example in the John the Ripper section: "Crack double MD5 hashes with the help of dict2hash.pl script"
  • 08/29/2012 – New download! All in one sorted and cleaned version.

Dealing with hashes...

First of all the KoreLogic torrent file file must be decompressed, it contains a folder named "hashes". Let's check the content of this folder...

  1. root@m3g9tr0n:~/hashes$ ls
  2. longer_salts  raw-md5.hashes.txt  salted_with_md5  SHA1  vBulletin-v3.8.4

We will concentrate from now on the raw-md5.hashes.txt list. This file is 4.3 GB and includes 139444502 lines according to the wc utility.

  1. root@m3g9tr0n:~/hashes$ wc -l raw-md5.hashes.txt
  2. 139444502 raw-md5.hashes.txt

As you can assume, both John the Ripper and oclHashcat-plus are not able to load this file because it is too big. For that reason, we need to split this file. Under Linux we have a nice utility called split that does this job very well:

  1. root@m3g9tr0n:~$ split --help
  2. Usage: split [OPTION]... [INPUT [PREFIX]]
  3. Output fixed-size pieces of INPUT to PREFIXaa, PREFIXab, ...; default
  4. size is 1000 lines, and default PREFIX is `x'.  With no INPUT, or when INPUT
  5. is -, read standard input.
  7. Mandatory arguments to long options are mandatory for short options too.
  8.   -a, --suffix-length=N   use suffixes of length N (default 2)
  9.   -b, --bytes=SIZE        put SIZE bytes per output file
  10.   -C, --line-bytes=SIZE   put at most SIZE bytes of lines per output file
  11.   -d, --numeric-suffixes  use numeric suffixes instead of alphabetic
  12.   -l, --lines=NUMBER      put NUMBER lines per output file
  13.       --verbose           print a diagnostic just before each
  14.                             output file is opened
  15.       --help     display this help and exit
  16.       --version  output version information and exit
  18. SIZE may be (or may be an integer optionally followed by) one of following:
  19. KB 1000, K 1024, MB 1000*1000, M 1024*1024, and so on for G, T, P, E, Z, Y.

We can use the --lines=NUMBER parameter to split our raw-md5.hashes.txt file.

  1. root@m3g9tr0n:~/hashes$ split -l 3000000 raw-md5.hashes.txt part

Note that we can also split the file based on the amount of MBs by taking into consideration that each MD5 hash is 32 bytes long.

Cracking Passwords with oclHashcat-plus

I started playing with oclHashcat-plus because it contains the -removeoption, which removes the hashes from the hashfile once it is cracked and it is really convenient. The only limitation oclHashcat-plus has, is the constraint on password length. In other words, it is only able to crack passwords up to 15 characters. The rules that I used for oclHashcat-plus are base64.rule,passwordspro.ruleT0XlC.rule and in some cases d3ad0ne.rule. There rules can be found directly from the oclHashcat-plus suite.

Bruteforce techniques were not my first choice. I used wordlists which I downloaded from the g0tm1lk's blogspot. You will find on g0tmi1k's article other external links for more wordlists. The biggest part of cracking process was done by using these wordlists with the rules mentioned above. Let's see some examples...

Using a single rule:

  1. ./oclHashcat-plus64.bin -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic -r rules/best64.rule -o Ultimate_Crack/eNtr0pY_1 --remove

Using Rules' combination:

  1. ./oclHashcat-plus64.bin -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic -r rules/best64.rule r rules/passwordspro.rule -o Ultimate_Crack/eNtr0pY_1 --remove

Bruteforce attack with mask (you can specify whichever charset you want):

  1. ./oclHashcat-plus64.bin -a 3 -1 ?l?d?u?s -m 0 ~/hashes/md5_1 ?1?1?1?1?1?1?1?1 -o Ultimate_Crack/eNtr0pY_1 --remove

Combination attack:

  1. ./oclHashcat-plus64.bin -a 1 -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic ~/Wordlists/list -o Ultimate_Crack/eNtr0pY_1 --remove

Combination attack with rules:

  1. ./oclHashcat-plus64.bin -a 1 -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic ~/Wordlists/list -r rules/passwordspro.rule -o Ultimate_Crack/eNtr0pY_1 --remove

Permutation attack:

  1. ./oclHashcat-plus64.bin -a 4 -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic -o Ultimate_Crack/eNtr0pY_1 --remove

Permutation attack with rules:

  1. ./oclHashcat-plus64.bin -a 4 -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic -r rules/best64.rule -o Ultimate_Crack/eNtr0pY_1 --remove

In some cases, I used the hybrid + mask attack technique:

  1. ./oclHashcat-plus64.bin -a 6 -1 ?l?d -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic ?1?1 -o Ultimate_Crack/eNtr0pY_1 --remove

Hybrid + mask attack with rules:

  1. ./oclHashcat-plus64.bin -a 6 -1 ?l?d -m 0 ~/hashes/md5_1 ~/Wordlists/d3ad0ne.dic ?1?1 -r rules/best64.rule -o Ultimate_Crack/eNtr0pY_1 --remove

At this point, I did not use these last two methods as they were very time consuming. I rather found a better one using KoreLogic's Rules for John the Ripper by piping the output of John the Ripper to oclHashcat-plus. As I mentioned, oclHashcat-plus is able to crack passwords up to 15 characters. For that reason, I had to define every time, via the --stdout option, the length of the produced word. If you own a very fast GPU you can skip the following example.

  1. ./john --wordlist=~/Wordlists/all.lst -rules:KoreLogicRulesPrependYears --stdout=10 | ./oclHashcat-plus64.bin -m 0 ~/hashes/md5_1 -o Ultimate_Crack/eNtr0pY_1 --remove

Of course you can use other prepend rules created from Korelogic, like KoreLogicRulesPrependNumNum, or even better create your own rules!

It was time to produce a wordlist from the cracked passwords and use it to crack the remaining hashes. From eNtr0pY_1, I removed the MD5 hashes with the following command.

  1. cut -b34- eNtr0pY_1 > eNtr0pY_1.dic

By using the above produced wordlist, a big amount of MD5 hashes were cracked using the fingerprint attack. You can read more about this attack from Martin Bos @purehate and I guarantee you that this technique is very successful!

Of course you can also use the binaries included into hashcat-utils and pipe the output of each util to oclHashcat-plus.

  1. root@m3g9tr0n:~/oclHashcat-plus-0.08/hashcat-utils$ ls
  2. combinator.bin  expander.bin  gate.bin  len.bin  mp32.bin  permute.bin  prepare.bin  req.bin  splitlen.bin

Cracking Passwords with John the Ripper

After testing all my wordlist collection and after several days, it was time to move to John the Ripper for cracking the rest of password hashes...

I used magnum-ripper compiled with OpenCL for ATI/AMD graphics card because I wanted to use the --format=raw-md5-opencl parameter. Compared to --format=raw-md5, it is way faster as it uses your CPU and GPU!

The Rules that were used with John the Ripper are:

  • wordlist
  • Single
  • NT
  • Extra
  • KoreLogicRulesAppendNumbersandSpecials_Simple
  • KoreLogicRulesAppend6Num
  • KoreLogicRulesPrependAndAppendSpecial
  • KoreLogicRulesAppendNumNum_AddSpecialEverywhere
  • KoreLogicRulesAppendNumNumNum_AddSpecialEverywhere
  • KoreLogicRulesL33t.

You can download these rules and add them to your john.conf file:

Let’s see now some examples with John the Ripper...

Using --rules=Single:

  1. ./john --format=raw-md5-opencl --wordlist=../../Wordlists/all.lst --rules:Single ~/hashes/md5_1

The results of cracked hashes are stored in the john.pot file by default. You can examine its contents with catmorehead and tail.

  1. root@m3g9tr0n:~/Tools/Password_Cracking/magnum-jumbo-OpenCL/run$ tail -n 9 john.pot
  2. $MD5$0fad81e7a61b47d387dde893fcf8e88a:anacarolinagu
  3. $MD5$0f82fc9a81f5db07eb9289767390fd2b:fabulousfoodsu
  4. $MD5$0e22933267b2e7df062703c4e5842029:fabuloustravelu
  5. $MD5$0d40086a54fefe993c9816d1441672ac:modularhomeu
  6. $MD5$0ed8181fc4d18e260dd8e36633124bfd:greenshoppingu
  7. $MD5$0d6e8da4017ec5c384ac5536087da44d:lawofattractionu
  8. $MD5$0eb916d3c6a66a32cedd4acc6edb1dbb:hotreportu
  9. $MD5$0e241f99b5c13d56686ec618ab54d5fa:flightsandholidaysu
  10. $MD5$0f3c99478362aae389d2cbf716394269:stthomasmoresu

To generate a wordlist from the john.pot file, you can use the following command.

  1. cut -d: -f 2- john.pot | sort -u > cracked.dic

The generated wordlist can be used to crack more hashes when combined with the abovementioned rules.

When I was cracking MD5 hashes with oclHashcat-plus, I observed that some produced passwords were rejected. This is because oclHashcat-plus has a limitation about characters' length. For that reason, I piped hashcat's output to John the Ripper with the additional advantage of using hashcat rules with John the Ripper.

  1. ./hashcat-cli64.bin --stdout ~/Wordlists/d3ad0ne.dic -r rules/best64.rule | ./john --format=raw-md5-opencl --stdin ~/hashes/md5_1

After trying all the wordlists combined with the rules mentioned above, it was time to move to bruteforce attacks with John the Ripper. Unfortunately, John the Ripper does not use the mask attacks to produce passwords when implementing bruteforce attacks. We have to create our own charset based on cracked passwords contained in john.pot.

  1. ./john --make-charset=eNtr0pY.chr
  2. Loaded 7948325 plaintexts
  3. Generating charsets... 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 DONE
  4. Generating cracking order... DONE
  5. Successfully written charset file: eNtr0pY.chr (95 characters)

Many of you will wonder about "31 DONE"... This is just because I compiled John the Ripper with 31 characters length. By default, John the Ripper is compiled with support for up to 8 characters length, so it is best to change it by modifying the following lines of the header file params.h located in the scrfolder of John the Ripper.

  1. #define CHARSET_MIN                     ' '
  2. #define CHARSET_MAX                     0x7E
  3. #define CHARSET_SIZE                    (CHARSET_MAX - CHARSET_MIN + 1)
  4. #define CHARSET_LENGTH                  8 //Change that to 31 or whatever you wish

At last you have to include your created charset to john.conf as provided in this example:

  1. # Incremental modes
  2. [Incremental:eNtr0pY]
  3. File = $JOHN/eNtr0pY.chr
  4. MinLen = 0
  5. MaxLen = 31
  6. CharCount = 95

Now it is time to use bruteforce attacks with our own charstet!

  1. ./john --format=raw-md5-opencl --incremental=eNtr0pY ~/hashes/md5_1

If you look into john.conf you will see some bruteforce attack modes categorized as externals. These are Double, Strip, Keyboard (which uses neighbor combinations produced from keyboard characters), KnownForce, DateTime, Repeats, Sequence, Subsets and DumbForce for crazy password formats.

  1. ./john --format=raw-md5-opencl --external=DumbForce ~/hashes/md5_1

We would also like to crack double MD5 hashes with the help of thedict2hash.pl script provided here.

  1. perl dict2hash.pl < rockyou.txt | ./john --format=raw-md5-opencl --stdin ~/md5_1

Here you can see some samples of cracked MD5s with John the Ripper:

Personally, I believe a password like "$MD5$0b26a0faf1344d6e772bf55628e10e29:n34=mn { .clipboard $me }" is impossible to crack with bruteforce attacks.

Note: All the abovementioned techniques can be used with oclHashcat-plus by defining -m 100 and with John the Ripper by defining --format=raw-sha1-opencl for SHA1 cracking with OpenCL!

Password Analysis

Finally, it worths to see an analysis using pipal (a password analyser) of a collected sample generated from cracking results.

  1. root@m3g9tr0n:~/pipal$ ruby1.9.1 pipal.rb \
  2. -o eNtr0pY_1 ~/Wordlists/Ultimate/Part1/eNtr0pY_5.dic
  3. Total entries = 759103
  4. Total unique entries = 758299
  5.  
  6. Top 10 passwords
  7. niezgadniesz123 = 3 (0.0%)
  8. ubqu = 3 (0.0%)
  9. amonys = 3 (0.0%)
  10. centralitie = 3 (0.0%)
  11. bobydu = 3 (0.0%)
  12. hanghuynh = 3 (0.0%)
  13. hmadyousi = 3 (0.0%)
  14. matthewperman = 3 (0.0%)
  15. shadowninja2 = 3 (0.0%)
  16. lhz4 = 3 (0.0%)
  17.  
  18. Top 10 base words
  19. august = 219 (0.03%)
  20. july = 205 (0.03%)
  21. april = 199 (0.03%)
  22. june = 195 (0.03%)
  23. march = 165 (0.02%)
  24. alex = 161 (0.02%)
  25. love = 132 (0.02%)
  26. chris = 130 (0.02%)
  27. daniel = 128 (0.02%)
  28. dragon = 122 (0.02%)
  29.  
  30. Password length (length ordered)
  31. 1 = 13 (0.0%)
  32. 2 = 103 (0.01%)
  33. 3 = 1332 (0.18%)
  34. 4 = 16781 (2.21%)
  35. 5 = 19831 (2.61%)
  36. 6 = 95800 (12.62%)
  37. 7 = 202414 (26.66%)
  38. 8 = 158562 (20.89%)
  39. 9 = 103855 (13.68%)
  40. 10 = 75652 (9.97%)
  41. 11 = 46023 (6.06%)
  42. 12 = 24997 (3.29%)
  43. 13 = 8423 (1.11%)
  44. 14 = 3772 (0.5%)
  45. 15 = 1560 (0.21%)
  46.  
  47. Password length (count ordered)
  48. 7 = 202414 (26.66%)
  49. 8 = 158562 (20.89%)
  50. 9 = 103855 (13.68%)
  51. 6 = 95800 (12.62%)
  52. 10 = 75652 (9.97%)
  53. 11 = 46023 (6.06%)
  54. 12 = 24997 (3.29%)
  55. 5 = 19831 (2.61%)
  56. 4 = 16781 (2.21%)
  57. 13 = 8423 (1.11%)
  58. 14 = 3772 (0.5%)
  59. 15 = 1560 (0.21%)
  60. 3 = 1332 (0.18%)
  61. 2 = 103 (0.01%)
  62. 1 = 13 (0.0%)
  63.  
  64.        |                                                               
  65.        |                                                               
  66.        |                                                               
  67.        ||                                                              
  68.        ||                                                              
  69.        ||                                                              
  70.        ||                                                              
  71.        |||                                                             
  72.       ||||                                                             
  73.       ||||                                                             
  74.       |||||                                                            
  75.       |||||                                                            
  76.       ||||||                                                           
  77.       ||||||                                                           
  78.     |||||||||                                                          
  79. |||||||||||||||||                                                      
  80. 00000000001111111
  81. 01234567890123456
  82.  
  83. One to six characters = 133854 (17.63%)
  84. One to eight characters = 494828 (65.19%)
  85. More than eight characters = 264275 (34.81%)
  86.  
  87. Only lowercase alpha = 154996 (20.42%)
  88. Only uppercase alpha = 14072 (1.85%)
  89. Only alpha = 169068 (22.27%)
  90. Only numeric = 119581 (15.75%)
  91.  
  92. First capital last symbol = 6088 (0.8%)
  93. First capital last number = 73611 (9.7%)
  94.  
  95. Months
  96. january = 109 (0.01%)
  97. february = 45 (0.01%)
  98. march = 247 (0.03%)
  99. april = 251 (0.03%)
  100. may = 850 (0.11%)
  101. june = 246 (0.03%)
  102. july = 223 (0.03%)
  103. august = 300 (0.04%)
  104. september = 80 (0.01%)
  105. october = 134 (0.02%)
  106. november = 113 (0.01%)
  107. december = 115 (0.02%)
  108.  
  109. Days
  110. monday = 59 (0.01%)
  111. tuesday = 20 (0.0%)
  112. wednesday = 7 (0.0%)
  113. thursday = 38 (0.01%)
  114. friday = 46 (0.01%)
  115. saturday = 7 (0.0%)
  116. sunday = 70 (0.01%)
  117.  
  118. Months (Abreviated)
  119. jan = 1482 (0.2%)
  120. feb = 249 (0.03%)
  121. mar = 8397 (1.11%)
  122. apr = 692 (0.09%)
  123. may = 850 (0.11%)
  124. jun = 889 (0.12%)
  125. jul = 1051 (0.14%)
  126. aug = 785 (0.1%)
  127. sept = 215 (0.03%)
  128. oct = 512 (0.07%)
  129. nov = 821 (0.11%)
  130. dec = 874 (0.12%)
  131.  
  132. Days (Abreviated)
  133. mon = 4319 (0.57%)
  134. tues = 28 (0.0%)
  135. wed = 217 (0.03%)
  136. thurs = 44 (0.01%)
  137. fri = 758 (0.1%)
  138. sat = 769 (0.1%)
  139. sun = 1018 (0.13%)
  140.  
  141. Includes years
  142. 1975 = 411 (0.05%)
  143. 1976 = 388 (0.05%)
  144. 1977 = 446 (0.06%)
  145. 1978 = 432 (0.06%)
  146. 1979 = 441 (0.06%)
  147. 1980 = 541 (0.07%)
  148. 1981 = 453 (0.06%)
  149. 1982 = 519 (0.07%)
  150. 1983 = 533 (0.07%)
  151. 1984 = 603 (0.08%)
  152. 1985 = 585 (0.08%)
  153. 1986 = 616 (0.08%)
  154. 1987 = 710 (0.09%)
  155. 1988 = 641 (0.08%)
  156. 1989 = 941 (0.12%)
  157. 1990 = 931 (0.12%)
  158. 1991 = 995 (0.13%)
  159. 1992 = 935 (0.12%)
  160. 1993 = 905 (0.12%)
  161. 1994 = 907 (0.12%)
  162. 1995 = 4021 (0.53%)
  163. 1996 = 858 (0.11%)
  164. 1997 = 486 (0.06%)
  165. 1998 = 443 (0.06%)
  166. 1999 = 416 (0.05%)
  167. 2000 = 1024 (0.13%)
  168. 2001 = 643 (0.08%)
  169. 2002 = 586 (0.08%)
  170. 2003 = 1132 (0.15%)
  171. 2004 = 1254 (0.17%)
  172. 2005 = 796 (0.1%)
  173. 2006 = 818 (0.11%)
  174. 2007 = 1442 (0.19%)
  175. 2008 = 1019 (0.13%)
  176. 2009 = 742 (0.1%)
  177. 2010 = 767 (0.1%)
  178. 2011 = 516 (0.07%)
  179. 2012 = 925 (0.12%)
  180. 2013 = 165 (0.02%)
  181. 2014 = 142 (0.02%)
  182. 2015 = 146 (0.02%)
  183. 2016 = 118 (0.02%)
  184. 2017 = 139 (0.02%)
  185. 2018 = 131 (0.02%)
  186. 2019 = 172 (0.02%)
  187. 2020 = 179 (0.02%)
  189. Years (Top 10)
  190. 1995 = 4021 (0.53%)
  191. 2007 = 1442 (0.19%)
  192. 2004 = 1254 (0.17%)
  193. 2003 = 1132 (0.15%)
  194. 2000 = 1024 (0.13%)
  195. 2008 = 1019 (0.13%)
  196. 1991 = 995 (0.13%)
  197. 1989 = 941 (0.12%)
  198. 1992 = 935 (0.12%)
  199. 1990 = 931 (0.12%)
  200.  
  201. Colours
  202. black = 485 (0.06%)
  203. blue = 549 (0.07%)
  204. brown = 184 (0.02%)
  205. gray = 89 (0.01%)
  206. green = 348 (0.05%)
  207. orange = 125 (0.02%)
  208. pink = 262 (0.03%)
  209. purple = 73 (0.01%)
  210. red = 2974 (0.39%)
  211. white = 179 (0.02%)
  212. yellow = 85 (0.01%)
  213. violet = 63 (0.01%)
  214. indigo = 22 (0.0%)
  215.  
  216. Single digit on the end = 92080 (12.13%)
  217. Two digits on the end = 87587 (11.54%)
  218. Three digits on the end = 103715 (13.66%)
  219.  
  220. Last number
  221. 0 = 45407 (5.98%)
  222. 1 = 64764 (8.53%)
  223. 2 = 52570 (6.93%)
  224. 3 = 52890 (6.97%)
  225. 4 = 43719 (5.76%)
  226. 5 = 55185 (7.27%)
  227. 6 = 42826 (5.64%)
  228. 7 = 46169 (6.08%)
  229. 8 = 42475 (5.6%)
  230. 9 = 44930 (5.92%)
  231.  
  232.  |                                                                     
  233.  |                                                                     
  234.  | | |                                                                 
  235.  ||| |                                                                 
  236. |||| | | |                                                             
  237. ||||||||||                                                             
  238. ||||||||||                                                             
  239. ||||||||||                                                             
  240. ||||||||||                                                             
  241. ||||||||||                                                             
  242. ||||||||||                                                             
  243. ||||||||||                                                             
  244. ||||||||||                                                             
  245. ||||||||||                                                             
  246. ||||||||||                                                             
  247. ||||||||||                                                             
  248. 0123456789
  249.  
  250. Last digit
  251. 1 = 64764 (8.53%)
  252. 5 = 55185 (7.27%)
  253. 3 = 52890 (6.97%)
  254. 2 = 52570 (6.93%)
  255. 7 = 46169 (6.08%)
  256. 0 = 45407 (5.98%)
  257. 9 = 44930 (5.92%)
  258. 4 = 43719 (5.76%)
  259. 6 = 42826 (5.64%)
  260. 8 = 42475 (5.6%)
  261.  
  262. Last 2 digits (Top 10)
  263. 95 = 14675 (1.93%)
  264. 23 = 12192 (1.61%)
  265. 12 = 9230 (1.22%)
  266. 11 = 8214 (1.08%)
  267. 01 = 7606 (1.0%)
  268. 00 = 7131 (0.94%)
  269. 07 = 6295 (0.83%)
  270. 10 = 6182 (0.81%)
  271. 21 = 5881 (0.77%)
  272. 99 = 5868 (0.77%)
  273.  
  274. Last 3 digits (Top 10)
  275. 123 = 6857 (0.9%)
  276. 995 = 4122 (0.54%)
  277. 971 = 2916 (0.38%)
  278. 972 = 2850 (0.38%)
  279. 007 = 2514 (0.33%)
  280. 000 = 1868 (0.25%)
  281. 234 = 1725 (0.23%)
  282. 666 = 1465 (0.19%)
  283. 777 = 1389 (0.18%)
  284. 004 = 1347 (0.18%)
  285.  
  286. Last 4 digits (Top 10)
  287. 1995 = 3886 (0.51%)
  288. 1234 = 1379 (0.18%)
  289. 2007 = 1325 (0.17%)
  290. 2004 = 1121 (0.15%)
  291. 2003 = 1016 (0.13%)
  292. 2008 = 869 (0.11%)
  293. 2000 = 846 (0.11%)
  294. 1991 = 819 (0.11%)
  295. 2012 = 809 (0.11%)
  296. 1990 = 789 (0.1%)
  297.  
  298. Last 5 digits (Top 10)
  299. 12345 = 743 (0.1%)
  300. 23456 = 652 (0.09%)
  301. 54321 = 189 (0.02%)
  302. 23123 = 140 (0.02%)
  303. 56789 = 127 (0.02%)
  304. 34567 = 102 (0.01%)
  305. 11111 = 99 (0.01%)
  306. 45678 = 75 (0.01%)
  307. 00000 = 73 (0.01%)
  308. 88888 = 68 (0.01%)
  309.  
  310. US Area Codes
  311. 971 = Oregon:  Metropolitan Portland,
  312.                Salem/Keizer area,
  313.                incl Cricket Wireless (OR)
  314. 972 = Texas: Dallas Metro (TX)
  315. 234 = NE Ohio: Canton, Akron (OH)
  316.  
  317. Character sets
  318. loweralphanum: 330937 (43.6%)
  319. loweralpha: 154996 (20.42%)
  320. numeric: 119581 (15.75%)
  321. mixedalphanum: 41121 (5.42%)
  322. upperalphanum: 41078 (5.41%)
  323. mixedalpha: 28464 (3.75%)
  324. upperalpha: 14072 (1.85%)
  325. loweralphaspecial: 10222 (1.35%)
  326. loweralphaspecialnum: 5735 (0.76%)
  327. mixedalphaspecial: 4724 (0.62%)
  328. upperalphaspecial: 2939 (0.39%)
  329. mixedalphaspecialnum: 2247 (0.3%)
  330. specialnum: 648 (0.09%)
  331. upperalphaspecialnum: 374 (0.05%)
  332. special: 47 (0.01%)
  333.  
  334. Character set ordering
  335. stringdigit: 349534 (46.05%)
  336. allstring: 197532 (26.02%)
  337. alldigit: 119581 (15.75%)
  338. digitstring: 28873 (3.8%)
  339. othermask: 18649 (2.46%)
  340. stringdigitstring: 14577 (1.92%)
  341. stringspecial: 10441 (1.38%)
  342. digitstringdigit: 9981 (1.31%)
  343. stringspecialstring: 5469 (0.72%)
  344. stringspecialdigit: 3075 (0.41%)
  345. specialstring: 834 (0.11%)
  346. specialstringspecial: 510 (0.07%)
  347. allspecial: 47 (0.01%)
  348.  
  349. Hashcat masks (Top 10)
  350. ?d?d?d?d?d?d?d: 85053 (11.2%)
  351. ?l?l?l?l?l?l: 38400 (5.06%)
  352. ?l?l?l?l?l?l?l?l: 36217 (4.77%)
  353. ?l?l?l?l?l?l?l: 35468 (4.67%)
  354. ?l?l?l?l?l?l?d?d?d: 24051 (3.17%)
  355. ?l?l?l?l?l?l?d?d: 18591 (2.45%)
  356. ?l?l?l?l?l?d?d?d: 18047 (2.38%)
  357. ?d?d?d?d?d?d: 16048 (2.11%)
  358. ?l?l?l?l?l?l?l?l?l: 14236 (1.88%)
  359. ?l?l?l?l?d?d?d: 13802 (1.82%)

Conclusion

This was a very time consuming and a hard job because I do not own the fastest graphics card. The whole cracking process took about 5 months to accomplish because I had to finish my studies for CCNP certification. The lesson learned from this is that with a good and smart dictionary combined with handy rules either for hashcat or John the Ripper even strong passwords can be cracked. Based on the above statement, admins should use a stronger hash algorithm (with salt) to store your passwords and on your side just change your passwords in a regular basis.

Thanks for reading.

You can find me on twitter, @m3g9tr0n.

Downloads

You can download the results of the cracked hashes:

721.9 MB - m3g9tr0n_122Million_Passwords_WordLists.zip

The provided KoreLogic torrent file contains various but unique password hashes. For that reason you may find duplicated passwords in these wordlists, as a single password can be hashed using various algorithmes! Meaning that 122 million unique hashes (MD5, SHA1, double MD5, etc.) were cracked and result in 83,6 million unique passwords.

You can download the “all in one” version, cleaned and sorted:

270.2 MB - m3g9tr0n_Passwords_WordList_CLEANED.zip

The command used to generate this "all in one" CLEANED wordlist was:

  1. export LC_ALL='C' && cat * | sort | uniq > eNtr0pY_ALL_sort_uniq.dic

References

Related terms:

Thireus

Cracking Story - How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords的更多相关文章

  1. Top 10 Free Wireless Network hacking/monitoring tools for ethical hackers and businesses

    There are lots of free tools available online to get easy access to the WiFi networks intended to he ...

  2. 美国政府关于Google公司2013年度的财务报表红头文件

    请管理员移至新闻版块,谢谢! 来源:http://www.sec.gov/ 财务报表下载↓ 此文仅作参考分析. 10-K 1 goog2013123110-k.htm FORM 10-K   UNIT ...

  3. Kali-linux使用Aircrack-ng工具破解无线网络

    Aircrack-ng是一款基于破解无线802.11协议的WEP及WPA-PSK加密的工具.该工具主要用了两种攻击方式进行WEP破解.一种是FMS攻击,该攻击方式是以发现该WEP漏洞的研究人员名字(S ...

  4. Java常用jar包用途

    Java常用jar包用途: USAGE INDEX JAR NAME USAGE 1 ASM asm-2.2.3.jar ASM字节码库 2 ASM asm-commons-2.2.3.jar ASM ...

  5. .net平台的RSA实现以及与Delphi之间的互操作性

    .net平台下面的RSA算法实现是RSACryptoServiceProvider,如果安装了 Microsoft Enhanced Cryptographic Provider,则 RSACrypt ...

  6. [转]加盐hash保存密码的正确方式

    0x00 背景 大多数的web开发者都会遇到设计用户账号系统的需求.账号系统最重要的一个方面就是如何保护用户的密码.一些大公司的用户数据库泄露事件也时有发生,所以我们必须采取一些措施来保护用户的密码, ...

  7. sha256

    SHA-512 (这些有时候也被称做 SHA-2). 简介 SHA 家族 SHA (Secure Hash Algorithm,译作安全散列算法) 是美国国家安全局 (NSA) 设计,美国国家标准与技 ...

  8. Spring Security(三十三):10.3 Password Encoding

    Spring Security’s PasswordEncoder interface is used to support the use of passwords which are encode ...

  9. 2018-05-27-computer-using-hints-电脑使用帮助[持续更新]

    layout: post title: 2018-05-27-computer-using-hints-电脑使用帮助 key: 20180527 tags: ubuntu cuda cudnn ten ...

随机推荐

  1. mybatis mapper.xml 配置文件问题(有的错误xml是不报的) 导致服务无法启动 。

    转载自 开源编程 一舟mybatsi xml编译报错,tomcat启动一直循环,导致内存溢出,启动失败 mapper.xml怎么知道有没有编译错误,哪个位置有错误 这应该是mybatis的一个bug, ...

  2. FreeBSD_11 - 系统管理——{ Part_5 - ZFS }

    参考資料 http://docs.oracle.com/cd/E37934_01/html/E36658/toc.html https://www.freebsd.org/doc/en_US.ISO8 ...

  3. 传统MySQL+ Memcached架构遇到的问题

    实际MySQL是适合进行海量数据存储的,通过Memcached将热点数据加载到cache,加速访问,很多公司都曾经使用过这样的架构,但随着业务数据量的不断增加,和访问量的持续增长,我们遇到了很多问题: ...

  4. 递推 N矩形问题

    Description 给你一个高为n ,宽为m列的网格,计算出这个网格中有多少个矩形,下图为高为2,宽为4的网格. Input 第一行输入一个t, 表示有t组数据,然后每行输入n,m,分别表示网格的 ...

  5. Java集合的运算之减法A-B

    import com.sun.media.sound.SoftSynthesizer; import java.util.*;   public class a123 { public static ...

  6. Linux 查杀进程

    ps -eaf |grep "stoporder.php" | grep -v "grep"| awk '{print $2}'|xargs kill -9 # ...

  7. Keepalived安装配置

    一.  介绍 keepalived:是一个类似于 layer3, 4 & 7 交换机制的软件,也就是我们平时说的第 3 层.第 4 层和第 7层交换. Keepalived 的作用是检测 we ...

  8. [SmartFoxServer概述]SFS2X协议

    SFS2X 客户端-服务器协议 SFS2X使用了一种高效的二进制协议,这种协议可以使服务器在各方面都表现出色.消息通过客户端和服务器引擎得到快速转换,在带宽上传输可更加轻便.附加的即时压缩,能够在不影 ...

  9. ubuntu 命令的快捷启动

    目前我知道的有三种方式 第一种,在配置文件 .bashrc 中 配置alias ,追加到文件末尾就行 如下: alias tmout='tail -f /usr/local/oakcloud/tomc ...

  10. 项目启动异常java.lang.OutOfMemoryError: PermGen space

    java.lang.OutOfMemoryError: PermGen space 解决办法: Eclipse-->window-->Tomcat -->JVM setting  - ...