People and Passwords
Passwords, passwords, passwords. I talk about them, I think about them; I go crazy over them!
To a penetration tester, passwords are very interesting. They are often simple dictionary words and they can tell you a lot about the owner. For example, the password ‘Samuel2014’ combines a common male name with a recent year; likely a year of birth. Samuel would be an unusual name for a pet, so we can surmise that it’s a child’s name. Perhaps the creator of this password is the parent of a one-year-old Samuel.
Alternatively, a password of ‘Arsenal2004’ tells me that the individual is likely to be a true Gooner. If you support Arsenal then you will know why. For the record, I don’t support Arsenal, but I researched that password after finding it many times over. I now understand why the year 2004 was so important to an Arsenal fan. Passwords and simple psychology go hand in hand.
In my role as a Penetration Tester I have seen a lot of passwords. At one end of the scale I have seen passwords such as the very simple ‘password1’ and the more amusing, though still basic, ‘ihatemyboss’. At the other end of the scale, I see more complex passwords such as ‘Trfvsagfda4$3fd’. Unfortunately, I often see the latter on a post-it note attached to a monitor. I guess you can’t have it all.
In December 2009 the social networking site ‘RockYou’ experienced a data breach, resulting in the exposure of over 32 million user accounts. This was the result of storing user data in an insecure format and not patching a decade-old vulnerability.
Following that breach, the password dictionary entitled ‘Rockyou.txt’ became available; it consisted of 14,344,391 real-world passwords all in one list. For a short period of time thereafter, successfully cracking passwords became relatively easy. It quickly became the password list of choice for attackers. However, with no password complexity enforced by the original RockYou website, the majority of users’ choices consisted of just lowercase letters that were short in length.
Administrators of various systems eventually became wise to this and, with the enforcement of stronger password complexity settings, the majority of the passwords in Rockyou.txt were no longer allowed by most systems.
An Approach to Complexity
Assume that a user, Mark, initially chose a password of ‘happyclappy’. Following the newly enforced password complexity settings, Mark is forced to change his password. To make his chosen password meet the new requirements, Mark changes it to ‘Happyclappy1’, which is then accepted.
From the example above, rockyou.txt has the ‘happyclappy’ word in the list but it does not have ‘Happyclappy1’. To address this, you could just use ‘John The Ripper’ or any other password cracking tool to append a number to the end of each word in your chosen dictionary and capitalise the first letter. While this is a valid option, personally I found it to be considerably slower and it can often yield spurious results. Alternatively, you could use the download available from Crackstation, but similar problems abound and storage space starts to become an issue.
A while ago, taking Rockyou.txt as a great base to start a new dictionary, I began a process that is still ongoing and probably always will be. I created a dictionary called Rocktastic.
To quickly show the difference between Rockyou.txt and Nettitude’s current working copy, titled Rocktastic10, a line count may be beneficial.
- Rockyou.txt - Almost all lowercase, with no complexity enforced: 14,344,392
- Rocktastic10 - Complexity considered: 228,198,271
However, the real importance is not the amount of words in the dictionary, but the consideration of complexity combined with an element of guessing at human psychology. That’s what Rocktastic is really about.
Using Rockyou.txt as the base, I sorted through it, leaving only unique words:
sort -u combined_rockyou_list1.txt > output.txt
Following this all letters in this output file were made lowercase:
dd if=input.txt of=output.txt conv=lcase
Following that, another password list was created to be more UK focused. This list included all the UK towns, cities and all UK football teams. This list was converted to lowercase and sorted with any duplicates removed. This was then combined into the Rocktastic1 list.
A duplicate of Rocktastic1 was created and the letter ‘o’ was replaced with the number zero.
The replacement of letters was done with sed; for this copy, every ‘o’ became ‘0’:
sed -i 's/o/0/g' rockyou1.txt
Then, using another duplicate of the Rocktastic1 wordlist, the letter ‘a’ was replaced with the @ character.
I then replaced special characters, for example every dot with a comma (the dot must be escaped, or sed treats it as “any character” and replaces everything):
sed -i 's/\./,/g' *.txt
These two duplicates were then combined with the Rocktastic1 file:
cat rockyou.txt rockyou_12_replaced_to_123.txt rockyou_a_replaced_to_@.txt rockyou_o_replaced_0.txt >> combined_rockyou_list.txt
This was duplicated again and, using the copy, the first letter of every word was capitalised (GNU sed; \U upper-cases the captured first character):
sed 's/^\(.\)/\U\1/' Mess.txt > Mess2
Followed by another round of being combined and checked to make sure the results were all unique.
The first time I tested the new dictionary, I was able to crack more hashes than previous attempts using just the original rockyou.txt wordlist.
As the months went by, I steadily continued to add new password formats, including:
- The letter e replaced with the number 3
- The letter i replaced with the number 1
- The letter f replaced with the number 4
Each variant was an addition to the dictionary, rather than a replacement.
Speed is of the Essence
Windows environments are typically very good at giving up passwords in a hashed format. The quicker those hashes can be cracked, the quicker the attacker can gain an elevated position on the network. I gave some colleagues access to Rocktastic and the feedback has been positive; the Rocktastic list strikes a good balance between cost and value.
Using the list with John The Ripper is as simple as:
john --wordlist=Rocktastic10 hashfile
Giving colleagues access to the password dictionary paid off, because I started receiving requests for additions, based on newly discovered password formats. An example of such a request was for the inclusion of common UK names with birthdates attached to the end of each name. An example of this is shown below. The years go from 1960 to 2015.
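The expansion rules described above (lowercase and deduplicate, one-letter substitutions, first-letter capitalisation, each variant added rather than substituted) and the name-plus-year format, as an added Python sketch that is not Nettitude’s own tooling. The seed words are constructed, and the is_blocked() helper is my addition: a defender can run a proposed password through the same rules and reject it if the expanded list would contain it.

```python
# Added example (not Nettitude's tooling): the Rocktastic expansion rules
# from the post applied to a small constructed base list, plus the
# "name + year" pattern. Every variant is *added* to the list, never
# substituted for the base word, exactly as the post describes. The
# is_blocked() helper is my addition: a defender can run a proposed
# password through the same rules and reject it if it would be found.

# One-letter substitutions named in the post; each is applied to its own
# copy of the list (the post never stacks them in a single pass).
SUBSTITUTIONS = [("o", "0"), ("a", "@"), ("e", "3"), ("i", "1"), ("f", "4")]


def base_list(words):
    """Lowercase and deduplicate: the `dd conv=lcase` + `sort | uniq` step."""
    return sorted({w.strip().lower() for w in words if w.strip()})


def expand(base):
    """Apply substitutions, then capitalise the first letter of every entry."""
    out = set(base)
    for word in base:
        for old, new in SUBSTITUTIONS:
            out.add(word.replace(old, new))   # added alongside, not instead
    # Capitalisation round, mirroring sed 's/^\(.\)/\U\1/' run on a copy.
    out |= {w[:1].upper() + w[1:] for w in list(out)}
    return sorted(out)


def with_years(names, start=1960, end=2015):
    """Names with a year appended: the format colleagues requested."""
    return [f"{n}{y}" for n in names for y in range(start, end + 1)]


def is_blocked(candidate, expanded):
    """Defender-side check: would this password fall to the expanded list?"""
    return candidate in set(expanded)


if __name__ == "__main__":
    # Constructed sample standing in for rockyou.txt.
    seed = ["happyclappy", "Arsenal", "password", "PASSWORD"]
    words = expand(base_list(seed))
    print(len(words), "entries from", len(seed), "seed words")
    print("Happyclappy blocked:", is_blocked("Happyclappy", words))
    print("Samuel2014 in name+year list:",
          "Samuel2014" in with_years(["Samuel"]))
```

Note that ‘Happyclappy1’ is not blocked by these rules alone: appending digits is the John the Ripper rule mentioned earlier, not one of the Rocktastic substitutions listed in the post.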
Another example but this time for days and months of the year:
The latest version that I use, Rocktastic11, has 1,133,839,463 passwords and has been used to great effect over a sustained period.
There is a great balance between cost (size, time) and value (success rate) with this approach and I will continue to refine it over time.
Sources for Rockyou.txt
The original rockyou.txt file was included in the Backtrack 5 distribution and is still available in Kali.
Wordlists can be found under the /usr/share/wordlists directory in Kali Linux.
It is also located at https://wiki.skullsecurity.org/Passwords.