.

Password hashes

<<

ants

Newbie
Newbie

Posts: 25

Joined: Sun Mar 15, 2009 8:51 am

Location: Ireland

Post Tue Jul 14, 2009 11:44 am

Password hashes

Hi guys,

I am looking for some help.

I am doing a project on password cracking optimisation based on the statistical make up of passwords. I have done an analysis of over 1.5 million passwords and now I want to see if I can use this information to see if I can speed up dictionary/brute force password cracks.

So what I am looking for is some passwords hashes to crack, the more I can get the better!

I know that I could try some of the password cracking sites but I have already used them for the passwords for the analysis and I think that it is bad practice to use the same data for the testing.

So can you guys post some password hashes? I would prefer FreeBSD MD5 type hashes but am not too fussed. You can also remove any identifiable data like the account names, all that I want is the actual hashes. Or else can anybody point me to a good source of real life password hashes?

Thanks

Ants
CEH, GPEN, GCFW
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Jul 14, 2009 1:23 pm

Re: Password hashes

You can use the milw0rm list of hashes.  Just pick the ones that it hasn't / didn't crack. 

http://www.milw0rm.com/cracker/list.php
~~~~~~~~~~~~~~
Ketchup
<<

hackly66

User avatar

Jr. Member
Jr. Member

Posts: 62

Joined: Wed Jan 24, 2007 10:44 am

Location: Florida

Post Tue Jul 14, 2009 3:00 pm

Re: Password hashes

Hi Ants-

You can also create your own password and choose the different encryption that you like go to this site---->http://www.insidepro.com/hashes.php?lang=eng
A+,Net+,Sec+
<<

ants

Newbie
Newbie

Posts: 25

Joined: Sun Mar 15, 2009 8:51 am

Location: Ireland

Post Tue Jul 14, 2009 3:57 pm

Re: Password hashes

Thanks Ketchup.

I was already aware of milw0rm but it doesn't really suit my requirements.

I want to try to optimise the speed of the cracking, I won't be trying (or able to be honest) to increase the success rate.
For my testing, I need real average type passwords. The passwords that milw0rm hasn't or didn't crack will be more unusual.
Also for similar reasons, I can't use the list of passwords that it has cracked because I want a statistically Normal representative of passwords.

Thanks hackly66, that is a useful site. I have also used the Crypt::PasswdMD5 perl module to create a fairly simple script that allows me to encrypt lists of passwords. However, for my testing I can't use my own passwords, I need real passwords.
CEH, GPEN, GCFW
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Jul 14, 2009 4:42 pm

Re: Password hashes

Maybe you can use a l33t dictionary file to generate passwords, hash them, and then try to break them. 
~~~~~~~~~~~~~~
Ketchup
<<

ants

Newbie
Newbie

Posts: 25

Joined: Sun Mar 15, 2009 8:51 am

Location: Ireland

Post Tue Jul 14, 2009 5:52 pm

Re: Password hashes

Thanks Ketchup, but sorry, I can’t really do that. I think that I didn’t explain my request clearly in the original post.

Let me start (restart) by trying to explaining more about the project that I am trying to do.

My project is called - A Statistical Analysis of Password Composition – I decided to do this because I am slightly in awe of good statistics. They can be fascinating. One particularly interesting statistic is called Benford's Law http://www.intuitor.com/statistics/Benford%27s%20Law.html.  According to Benford’s Law, natural occurring numbers statistically begin with the lower order digits; 30% start with "1", 18% with "2" etc down to only 4.6% starting with 9. Rather than all the digits, 1-9, having an equal 11% chance of starting with these numbers. This seems counter-intuitive. This law has been used by tax authorities to easily discover dodgy accounts because if people are using made up numbers they tend to use as many numbers starting with a 9 as numbers starting with a one.

I decided to do an analysis of passwords to see if I could find any interesting statistical trends. To do this I got lists of cracked passwords from cracking sites such as milw0rm and gdataonline. I then had to manipulate the data a bit, for example, to filter out duplicate requests from the same person.
I now have some possible trends that I need to test to confirm that that they are correct. To do this I can’t use any of the data that I already have and I can’t make up the data. It might be OK for companies trying to sell fish oil pills to do this but I want to get good true results. For example, say I was trying to work out the odds of the result of a coin toss and I flipped a coin 6 times and I got six heads (it is possible). I could deduce that flipping a coin will always results in heads. Now if I want to test this theory, I need new data, if I use my existing data (the previous six heads results) I will confirm that it always results in heads...

So, what I was hoping to get from you guys was actual hashes that you encountered through your work as ethical hackers etc.

Thanks,
Ants
CEH, GPEN, GCFW
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Jul 14, 2009 8:59 pm

Re: Password hashes

I don't have any passwords for you but I would love to see your results. It sounds fascinating!
twitter.com/timmedin | http://blog.securitywhole.com
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Jul 15, 2009 12:32 am

Re: Password hashes

Will you publish your work once it is finished? Would be an interesting read.

Maybe you can download some wordlists and generate from them the hashes - shouldn't be hard to automate this process. Wordlists are widely available and should offer you enough passwords which are not in your list yet. If it is really that big you may consider wordlists from foreign languages for example - depending on your thesis are not focused on English words/ phrases/ passwords only.
<<

plan2000

Newbie
Newbie

Posts: 6

Joined: Thu Feb 26, 2009 2:25 am

Post Wed Jul 15, 2009 3:28 am

Re: Password hashes

Ants, frankly speaking, I doubt that anybody truly "ethical" will be able to provide you with a statistically-enough list of real-life hashes, i guess you should seek for more online password-cracking services/communities which have lists of cracked/uncracked hashes
for example:
http://cryptohaze.com/exporthashes.php
http://hash.insidepro.com
https://hashcracking.info/index.php?4
etc.

p.s. if speaking about statistics - have you seen John the Rippers's charsets and "Markovian filter" introduced lately in jumbo patches?
<<

ants

Newbie
Newbie

Posts: 25

Joined: Sun Mar 15, 2009 8:51 am

Location: Ireland

Post Wed Jul 15, 2009 5:30 pm

Re: Password hashes

Hey, thanks everybody for your input. I think that I should now be able to workout a way forward.

Thanks plan2000, I'll check out that Markovian filter, sounds interesting.

And yeah, I'll publish here in a month or two. I hope that it holds up to your expectations.
CEH, GPEN, GCFW
<<

ethicalhack3r

Full Member
Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Wed Jul 15, 2009 6:39 pm

Re: Password hashes

Maybe you could try some blackhat forums, they always seem to brag about their 'hacks' and post lists of passwords.
<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Fri Jul 17, 2009 2:24 pm

Re: Password hashes

Ants,

I would look into the research of Matt Weir of FSU. Sounds right up your alley.

http://sites.google.com/site/reusablesec/
http://reusablesec.blogspot.com/

His talk at Defcon this year:
Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High…
Matt Weir PhD Student, Florida State University
Professor Sudhir Aggarwal Florida State University

Remember when phpbb.com was hacked in January and over 300,000 usernames and passwords were disclosed? Don't worry though, the hacker only tried to crack a third of them, (dealing with big password lists is a pain), and of those he/she only broke 24%. Of course the cracked password weren't very surprising. Yes, we already know people use "password123". What's interesting though is figuring out what the other 76% of the users were doing. In this talk I'll discuss some of my experiences cracking passwords, from dealing with large password lists, (89% of the phpbb.com list cracked so far), salted lists, (Web Hosting Talk), and individual passwords, (TrueCrypt is a pain). I'll also be releasing the tools and scripts I've developed along the way.


Last year he did a presentation on the using dictionary based rainbow tables to crack approx 15% more of the myspace.com hash list. If i remember correctly.

6) Password Cracking on a Budget

Matt Weir Security Researcher, Sudhir Aggarwal Security Researcher. Not every bad guy writes down passwords on sticky note by their monitor. Not every system administrator fully documents everything before they leave. There are a lot of legitimate reasons why you might need to crack a password. The problem is most people don’t have a supercomputer sitting in their basement or the money to go out and buy a rack of FPGAs. This talk deals with getting the most out of the computing resources you do have when cracking passwords.

Our group at Florida State University is currently working on password cracking research to aid in forensics analysis. We’ve analyzed disclosed password lists to try and figure out how real people actually create passwords. Not all of these lists have been in plain text so we’ve had to go through the pain of cracking passwords ourselves. Just like you, we are still waiting on funding for that supercomputer as well. In this talk, we’ll go over some of the tools and techniques we’ve used to crack these password lists using only a couple of PCs, such as custom wordlist generation and choosing the right word mangling rules. We’ll also talk about some of the lessons we’ve learned and the mistakes we’ve made along the way.

Slides: http://www.defcon.org/images/defcon-16/ ... 6-weir.pdf

Audio: http://avondale.good.net/dl/bd/defcon-1 ... c_t109.mp3

Return to Other

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software