Full Report
This was an epic week for password cracking: we had lots of new hashes and lots of competition to see who could crack the most the fastest. BLUF: I put together a cracking technique and tested it against other techniques, generating some insight into the best-performing cracking techniques. Rockyou with hob064 rules won, but my technique came a close second and had a faster crack speed. Get the script here.
Analysis Summary
# Tool/Technique: Common Substring Attack Script/Technique
## Overview
This entry details a custom password cracking technique developed by the author. It uses the most common substrings found in passwords that have already been cracked to improve the efficiency and success rate of cracking the remaining hashes. The technique was benchmarked against common rule-based attacks, such as the `rockyou` wordlist run with the `hob064` rules.
## Technical Details
- Type: Technique/Tool (Implementation script available on GitHub)
- Platform: Not explicitly stated, but the tools described (`hashcat`, `awk`, Python) suggest the setup was run on a Linux/Unix-like environment.
- Capabilities: Generates a context-specific dictionary from previously cracked passwords. In the author's benchmark this ran at a higher hash rate (H/s) than the pure rule-based attacks, while cracking a close second-best share of the hashes behind `rockyou` with `hob064`.
- First Seen: April 19, 2018 (Date of publication).
## MITRE ATT&CK Mapping
Since this is a password cracking methodology rather than specific malware, the mapping focuses on the associated adversary behavior:
- **T1110 - Credential Access: Brute Force**
- T1110.002 - Password Guessing: Brute Force
- T1110.003 - Password Guessing: Dictionary Attack (The technique heavily relies on dictionary/wordlist manipulation)
## Functionality
### Core Capabilities
- **Substring Extraction:** Processing already cracked plaintext passwords to identify frequently occurring substrings (e.g., common names, brand names, symbols like "!!").
- **Custom Dictionary Generation:** Creating a highly targeted wordlist composed of these common substrings.
- **Performance Measurement:** Establishing a systematic framework to benchmark various cracking approaches (rules vs. custom dictionaries) based on time, Hashes per second (H/s), and percentage cracked.
### Advanced Features
- **Hashcat Combinator Attack (-a1):** Utilizing the generated substrings as the right-hand list in a combinator attack, paired with base wordlists (like `rockyou` or `facebook-firstnames`) as the left-hand list.
- **Case Manipulation:** Applying capitalization adjustments to the substring attacks, specifically hashcat's `-jc` option (`-j` applies a single rule to each word of the left-hand wordlist; the `c` rule capitalizes the first letter).
- **Optimization for Speed:** Employing utilities like `awk` for rapid processing of large plaintext lists to generate substring statistics much faster than initial Python scripts.
- **Non-Unique Counting:** The methodology explicitly avoids deduplicating the cracked passwords during substring analysis, ensuring that frequently repeated passwords contribute proportionally to the common substring statistics.
## Indicators of Compromise
This technique focuses on an attack vector and does not typically generate traditional malware IOCs.
- File Hashes: [N/A - Associated with the open-source script]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [N/A]
- Behavioral Indicators: High-speed execution of credential cracking tools (`hashcat`) utilizing custom dictionary files derived from compromised data.
## Associated Threat Actors
No specific threat actor is associated with this publicly released efficiency measurement research. However, the techniques are applicable to any adversary engaging in password cracking operations, particularly penetration testers conducting post-exploitation credential harvesting.
## Detection Methods
Detection focuses on monitoring for credential cracking activities:
- **Signature-based detection:** Signatures for known password cracking tools (`hashcat`, John the Ripper) present on, or executed from, hosts where they are not expected.
- **Behavioral detection:** Anomalously high CPU/GPU utilization on a system coinciding with large-scale file access (reading credential dumps or wordlists), and processes running text manipulation tools (`awk`, Python) over large volumes of plaintext data.
## Mitigation Strategies
Mitigation aims to reduce the success rate of dictionary and rule-based password attacks.
- **Prevention:** Enforcing strong, complex passwords and employing multi-factor authentication (MFA).
- **Hardening Recommendations:** Limiting the number of failed login attempts so that observed brute-force patterns trigger account lockouts or temporary IP bans. Developing organization-specific wordlists (the author's private lists outperformed public ones) and feeding the substrings they reveal into password screening (a denylist applied when a password is set) and detection mechanisms.
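The substring extraction described under Functionality and the denylist screening suggested above can be shown in one short script. This is an added example written for this summary, not the author's script from GitHub; it does not reproduce the `awk` pipeline or the `hashcat` combinator step. The password list, the length bounds (4 to 8 characters), and the `min_count` threshold are all assumptions chosen for the illustration.

```python
from collections import Counter

# Constructed sample standing in for "already cracked" plaintexts (not taken
# from the page or from any real dump). "Welcome1" is repeated on purpose: the
# method described does not deduplicate, so a recurring password weighs three
# times here (non-unique counting).
CRACKED_SAMPLE = [
    "Welcome1", "Welcome1", "Welcome1",
    "Summer2017!!", "summer19",
    "Acme2017!!", "acme!!", "Acme123",
    "Jessica!!", "jessica1",
]


def substring_counts(passwords, min_len=4, max_len=8):
    """Count, case-insensitively, in how many list entries each substring of
    length min_len..max_len occurs. One entry contributes a given substring
    once, but the list itself is not deduplicated, so duplicates add up."""
    counts = Counter()
    for pw in passwords:
        text = pw.lower()
        seen = set()
        for length in range(min_len, max_len + 1):
            for start in range(len(text) - length + 1):
                seen.add(text[start:start + length])
        counts.update(seen)
    return counts


def common_substrings(passwords, min_count=2, min_len=4, max_len=8):
    """Return (substring, count) pairs seen in at least min_count entries,
    most common first. A substring is dropped when a longer kept substring
    contains it with the same count, so fragments like 'welc' do not crowd
    out 'welcome1' in the resulting list."""
    counts = substring_counts(passwords, min_len, max_len)
    kept = []
    # Longest first, so each candidate is only compared against superstrings
    # that have already been kept.
    for sub, n in sorted(counts.items(), key=lambda kv: (-len(kv[0]), kv[0])):
        if n < min_count:
            continue
        if any(sub in longer and m == n for longer, m in kept):
            continue
        kept.append((sub, n))
    return sorted(kept, key=lambda kv: (-kv[1], kv[0]))


def denied_substring(candidate, denylist):
    """Mitigation side: return the first denylisted substring found in a
    proposed password (case-insensitive), or None if the candidate is clean."""
    lowered = candidate.lower()
    for sub in denylist:
        if sub in lowered:
            return sub
    return None


if __name__ == "__main__":
    ranked = common_substrings(CRACKED_SAMPLE)
    print("common substrings:", ranked)
    denylist = [sub for sub, _ in ranked]
    for pw in ("Acme2024#", "WELCOME1!", "Tr0ub4dor&3"):
        print(pw, "->", denied_substring(pw, denylist))
```

On the constructed sample the ranking surfaces the organization name (`acme`), the recurring default (`welcome1`), a season (`summer`), a first name (`jessica`) and a year-plus-symbol suffix (`2017!!`), which is the same kind of material the author's combinator attack uses as its right-hand list. The superstring pruning is the one non-obvious step: raw substring counting would otherwise report `welc`, `elco`, `welco` and so on with the same count as `welcome1`, and the denylist would be cluttered with fragments. Lowering `min_len` to 2 would also catch bare symbol runs such as `!!` at the cost of far more noise.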
## Related Tools/Techniques
- **Rockyou Wordlist:** A widely utilized base password list.
- **hob064 Rules:** A set of rules applied to wordlists, often used in conjunction with `hashcat` or John the Ripper for common password mutations (e.g., adding digits, common symbols).
- **hashcat:** The primary password cracking tool used to execute the combinator attack (`-a1`).
- **best64 Rules:** Another rule set tested during efficiency measurements.
- **Mask Attack:** Included in the benchmark as a comparison point; against this particular hash set it was noticeably slower than the dictionary attacks (T1110.001).