July 14, 2009 at 4:44 pm #4014
I am looking for some help.
I am doing a project on password cracking optimisation based on the statistical make up of passwords. I have done an analysis of over 1.5 million passwords and now I want to see if I can use this information to see if I can speed up dictionary/brute force password cracks.
So what I am looking for is some passwords hashes to crack, the more I can get the better!
I know that I could try some of the password cracking sites but I have already used them for the passwords for the analysis and I think that it is bad practice to use the same data for the testing.
So can you guys post some password hashes? I would prefer FreeBSD MD5 type hashes but am not too fussed. You can also remove any identifiable data like the account names, all that I want is the actual hashes. Or else can anybody point me to a good source of real life password hashes?
July 14, 2009 at 6:23 pm #25563
July 14, 2009 at 8:00 pm #25564
July 14, 2009 at 8:57 pm #25565
I was already aware of milw0rm but it doesn’t really suit my requirements.
I want to try to optimise the speed of the cracking, I won’t be trying (or able to be honest) to increase the success rate.
For my testing, I need real average type passwords. The passwords that milw0rm hasn’t or didn’t crack will be more unusual.
Also for similar reasons, I can’t use the list of passwords that it has cracked because I want a statistically Normal representative of passwords.
Thanks hackly66, that is a useful site. I have also used the Crypt::PasswdMD5 perl module to create a fairly simple script that allows me to encrypt lists of passwords. However, for my testing I can’t use my own passwords, I need real passwords.
July 14, 2009 at 9:42 pm #25566KetchupParticipant
Maybe you can use a l33t dictionary file to generate passwords, hash them, and then try to break them.
July 14, 2009 at 10:52 pm #25567
Thanks Ketchup, but sorry, I can’t really do that. I think that I didn’t explain my request clearly in the original post.
Let me start (restart) by trying to explaining more about the project that I am trying to do.
My project is called – A Statistical Analysis of Password Composition – I decided to do this because I am slightly in awe of good statistics. They can be fascinating. One particularly interesting statistic is called Benford’s Law http://www.intuitor.com/statistics/Benford%27s%20Law.html. According to Benford’s Law, natural occurring numbers statistically begin with the lower order digits; 30% start with “1”, 18% with “2” etc down to only 4.6% starting with 9. Rather than all the digits, 1-9, having an equal 11% chance of starting with these numbers. This seems counter-intuitive. This law has been used by tax authorities to easily discover dodgy accounts because if people are using made up numbers they tend to use as many numbers starting with a 9 as numbers starting with a one.
I decided to do an analysis of passwords to see if I could find any interesting statistical trends. To do this I got lists of cracked passwords from cracking sites such as milw0rm and gdataonline. I then had to manipulate the data a bit, for example, to filter out duplicate requests from the same person.
I now have some possible trends that I need to test to confirm that that they are correct. To do this I can’t use any of the data that I already have and I can’t make up the data. It might be OK for companies trying to sell fish oil pills to do this but I want to get good true results. For example, say I was trying to work out the odds of the result of a coin toss and I flipped a coin 6 times and I got six heads (it is possible). I could deduce that flipping a coin will always results in heads. Now if I want to test this theory, I need new data, if I use my existing data (the previous six heads results) I will confirm that it always results in heads…
So, what I was hoping to get from you guys was actual hashes that you encountered through your work as ethical hackers etc.
July 15, 2009 at 1:59 am #25568timmedinParticipant
I don’t have any passwords for you but I would love to see your results. It sounds fascinating!
July 15, 2009 at 5:32 am #25569UNIXParticipant
Will you publish your work once it is finished? Would be an interesting read.
Maybe you can download some wordlists and generate from them the hashes – shouldn’t be hard to automate this process. Wordlists are widely available and should offer you enough passwords which are not in your list yet. If it is really that big you may consider wordlists from foreign languages for example – depending on your thesis are not focused on English words/ phrases/ passwords only.
July 15, 2009 at 8:28 am #25570plan2000Participant
Ants, frankly speaking, I doubt that anybody truly “ethical” will be able to provide you with a statistically-enough list of real-life hashes, i guess you should seek for more online password-cracking services/communities which have lists of cracked/uncracked hashes
p.s. if speaking about statistics – have you seen John the Rippers’s charsets and “Markovian filter” introduced lately in jumbo patches?
July 15, 2009 at 10:30 pm #25571
Hey, thanks everybody for your input. I think that I should now be able to workout a way forward.
Thanks plan2000, I’ll check out that Markovian filter, sounds interesting.
And yeah, I’ll publish here in a month or two. I hope that it holds up to your expectations.
July 15, 2009 at 11:39 pm #25572ethicalhack3rParticipant
Maybe you could try some blackhat forums, they always seem to brag about their ‘hacks’ and post lists of passwords.
July 17, 2009 at 7:24 pm #25573JhaddixParticipant
I would look into the research of Matt Weir of FSU. Sounds right up your alley.
His talk at Defcon this year:
Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High…
Matt Weir PhD Student, Florida State University
Professor Sudhir Aggarwal Florida State University
Remember when phpbb.com was hacked in January and over 300,000 usernames and passwords were disclosed? Don’t worry though, the hacker only tried to crack a third of them, (dealing with big password lists is a pain), and of those he/she only broke 24%. Of course the cracked password weren’t very surprising. Yes, we already know people use “password123”. What’s interesting though is figuring out what the other 76% of the users were doing. In this talk I’ll discuss some of my experiences cracking passwords, from dealing with large password lists, (89% of the phpbb.com list cracked so far), salted lists, (Web Hosting Talk), and individual passwords, (TrueCrypt is a pain). I’ll also be releasing the tools and scripts I’ve developed along the way.
Last year he did a presentation on the using dictionary based rainbow tables to crack approx 15% more of the myspace.com hash list. If i remember correctly.
6) Password Cracking on a Budget
Matt Weir Security Researcher, Sudhir Aggarwal Security Researcher. Not every bad guy writes down passwords on sticky note by their monitor. Not every system administrator fully documents everything before they leave. There are a lot of legitimate reasons why you might need to crack a password. The problem is most people don’t have a supercomputer sitting in their basement or the money to go out and buy a rack of FPGAs. This talk deals with getting the most out of the computing resources you do have when cracking passwords.
Our group at Florida State University is currently working on password cracking research to aid in forensics analysis. We’ve analyzed disclosed password lists to try and figure out how real people actually create passwords. Not all of these lists have been in plain text so we’ve had to go through the pain of cracking passwords ourselves. Just like you, we are still waiting on funding for that supercomputer as well. In this talk, we’ll go over some of the tools and techniques we’ve used to crack these password lists using only a couple of PCs, such as custom wordlist generation and choosing the right word mangling rules. We’ll also talk about some of the lessons we’ve learned and the mistakes we’ve made along the way.
- You must be logged in to reply to this topic.