6.4 Going on the Attack
6.4.5 English
Now we see how many we can find if we do not work with Norwegian information but go for a similar approach. We be testing names, countries, place-names and words, but instead of sports we use movie based-information.
The choice to skip sports and add movies is that most of the sports information can probably be recovered usingrockyou.txt. Movie information for Norwegian adults is usually the same as those from the USA or the UK. In this section however we will go through them a bit quicker and look at fewer result reports.
Names
Again we start with names from pretty much all around the world, not just English and may contain some Norwegian. We skip the attack on emails in this case. This is what any other attacker would do in a name-based attack, first we look at the names alone.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\names_large.txt This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Wed Oct 23 10:12:25 2019 (1 sec) Time.Estimated...: Wed Oct 23 10:12:26 2019 (0 secs) Guess.Base...: File (..\Dict\names_large.txt) Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 13522.9 kH/s (0.21ms) @ Accel:1024 Loops:1 Thr:64 Vec:1 Recovered...: 228080/394013 (57.89%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:644,38688,928533 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 53c Fan: 32% Util: 12% Core:1506MHz Mem:4006MHz Bus:16 Started: Wed Oct 23 10:12:20 2019
Stopped: Wed Oct 23 10:12:27 2019
This gave only 1 password, somewhat less then what was recovered with just names in the Norwegian attack. But let us add some numbers and some rules, to be a bit more precise let us try all the other attacks from the Norwegian attack.
hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\names_large.txt ?d?d?d?d hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt ?d?d?d?d
..\Dict\names_large.txt hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\names_large_dates.txt -r rules\basic2.txt hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\dates_names_large.txt -r rules\basic2.txt hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\names_large.txt ?d?d?d --increment
hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\names_large.txt ?d?d?d --increment -j c
hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt ?d?d?d
..\Dict\names_large.txt --increment hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt ?d?d?d
..\Dict\names_large.txt --increment -j c
The last one of these commands gave us the following results, where the others can be found in AppendixA.9:
Session...: hashcat Status...: Exhausted
Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Wed Oct 23 10:24:14 2019 (0 secs) Time.Estimated...: Wed Oct 23 10:24:14 2019 (0 secs)
Guess.Base...: File (..\Dict\names_large.txt), Right Side Guess.Mod...: Mask (?d?d?d) [3], Left Side
Guess.Queue.Base.: 1/1 (100.00%) Guess.Queue.Mod..: 3/3 (100.00%)
Speed.#1...: 142.3 MH/s (0.12ms) @ Accel:128 Loops:64 Thr:256 Vec:1 Recovered...: 228959/394013 (58.11%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:0,0,0 (Min,Hour,Day) Progress...: 27607000/27607000 (100.00%)
Rejected...: 0/27607000 (0.00%) Restore.Point....: 1000/1000 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:27584-27607 Iteration:0-64 Candidates.#1....: 123zukosky -> 688zywiel
Hardware.Mon.#1..: Temp: 55c Fan: 33% Util: 42% Core:1733MHz Mem:4006MHz Bus:16 Started: Wed Oct 23 10:24:07 2019
Stopped: Wed Oct 23 10:24:15 2019
With a somewhat convectional name attack we recovered another 880 passwords as apposed to the 1879 recovered with Norwegian names. That is less then half of the recovered passwords. A breakdown of the types of names are seen in Figure6.4.
Figure 6.4: Breakdown of Names Recovered
Countries and place Names
Now we move on tho testing names of countries and place-name as written in English and their native languages. First we would like to see how many are recovered by the name alone.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\countries.txt
..\Dict\places.txt This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Wed Oct 23 13:21:11 2019 (0 secs) Time.Estimated...: Wed Oct 23 13:21:11 2019 (0 secs) Guess.Base...: File (..\Dict\places.txt)
Guess.Queue...: 2/2 (100.00%)
Speed.#1...: 34059.7 kH/s (1.39ms) @ Accel:1024 Loops:1 Thr:64 Vec:1 Recovered...: 229006/394013 (58.12%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:13675,820505,19692126 (Min,Hour,Day) Progress...: 144948/144948 (100.00%)
Rejected...: 0/144948 (0.00%)
Restore.Point....: 144948/144948 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidates.#1....: a coruña -> ’aïn el turk
Hardware.Mon.#1..: Temp: 52c Fan: 31% Util: 15% Core:1506MHz Mem:4006MHz Bus:16 Started: Wed Oct 23 13:21:06 2019
Stopped: Wed Oct 23 13:21:12 2019
From this we get 358 new passwords from a plain name search of countries and places. But again what if we add some numbers and do some changes to the input.
hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt ..\Dict\countries.txt
..\Dict\places.txt ?d?d?d?d --increment
hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt ?d?d?d?d ..\Dict\countries.txt
..\Dict\places.txt --increment
hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt ?d?d?d?d ..\Dict\countries.txt
..\Dict\places.txt -k c --increment
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\countries.txt
..\Dict\places.txt -r rules\basic.rule The last one of these commands gave us the following results, where the others can be found in AppendixA.10:
Session...: hashcat Status...: Exhausted
Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Wed Oct 23 13:40:49 2019 (0 secs) Time.Estimated...: Wed Oct 23 13:40:49 2019 (0 secs) Guess.Base...: File (..\Dict\places.txt)
Guess.Mod...: Rules (rules\basic.rule) Guess.Queue...: 2/2 (100.00%)
Speed.#1...: 82480.8 kH/s (8.43ms) @ Accel:128 Loops:56 Thr:64 Vec:1 Recovered...: 229865/394013 (58.34%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:12211,732708,17584994 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 53c Fan: 34% Util: 33% Core:1506MHz Mem:4006MHz Bus:16 Started: Wed Oct 23 13:40:44 2019
Stopped: Wed Oct 23 13:40:50 2019
This gave us another 906 recovered passwords, which is more than the ones recovered using Norwegian country and place names.
This gave 135 passwords, but these 135 were spawned from 337 starting names where the recent ones were from 144948.
Movies
Let us move on to trying movie information, such as titles or characters, as you might remember our fictional friendHåkonloves the movieStar Wars. He and many others easily go on to use their favorite movie as a basis for their passwords.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\movie-characters.txt ..\Dict\movie-general.txt hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\movie-characters
..\Dict\movie-general -r rules\basic.rule hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\movie-characters
..\Dict\movie-general -r rules\rockyou-30000.rule The last one of these commands gave us the following results, where the
others can be found in AppendixA.11:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Wed Oct 23 13:57:01 2019 (3 secs) Time.Estimated...: Wed Oct 23 13:57:04 2019 (0 secs) Guess.Base...: File (..\Dict\movie-general) Guess.Mod...: Rules (rules\rockyou-30000.rule)
Guess.Queue...: 2/2 (100.00%)
Speed.#1...: 387.1 MH/s (4.97ms) @ Accel:256 Loops:64 Thr:64 Vec:1 Recovered...: 230346/394013 (58.46%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:1859,111577,2677870 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 57c Fan: 34% Util: 85% Core:1873MHz Mem:4006MHz Bus:16 Started: Wed Oct 23 13:56:53 2019
Stopped: Wed Oct 23 13:57:05 2019 An English Dictionary
The last of the more standard attacks is to try a dictionary of English words.
We have a rather large one to work with, with about 700.000 words. First we try is the words themselves, alone and unaltered.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\english3.txt This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Wed Oct 23 14:20:38 2019 (0 secs) Time.Estimated...: Wed Oct 23 14:20:38 2019 (0 secs) Guess.Base...: File (..\Dict\english3.txt) Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 2452.6 kH/s (1.64ms) @ Accel:1024 Loops:1 Thr:64 Vec:1 Recovered...: 230400/394013 (58.48%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:8231,493890,11853357 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 53c Fan: 33% Util: 2% Core:1506MHz Mem:4006MHz Bus:16 Started: Wed Oct 23 14:20:33 2019
Stopped: Wed Oct 23 14:20:39 2019
These results were Rather limited, so to improve the results we throw some rules and phrases into the mix.
hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt ..\Dict\english3.txt
..\Dict\english3.txt hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt
..\Dict\english3.txt
..\Dict\english3.txt -j c -k c hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt
..\Dict\english3.txt
..\Dict\english3.txt -j c hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\english3.txt
-r rules\rockyou-30000.rule hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\English
-r rules\OneRuleToRuleThemAll.rule
The last one of these commands gave us the following results, where the others can be found in AppendixA.12:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Wed Oct 23 20:35:24 2019 (22 secs) Time.Estimated...: Wed Oct 23 20:35:46 2019 (0 secs) Guess.Base...: File (..\Dict\English/places.txt) Guess.Mod...: Rules (rules\OneRuleToRuleThemAll.rule) Guess.Queue...: 7/7 (100.00%)
Speed.#1...: 344.4 MH/s (6.14ms) @ Accel:128 Loops:64 Thr:64 Vec:1 Recovered...: 241883/394013 (61.39%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:2396,143765,3450373 (Min,Hour,Day) Progress...: 7536571260/7536571260 (100.00%)
Rejected...: 0/7536571260 (0.00%) Restore.Point....: 144948/144948 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:51968-51995 Iteration:0-64 Candidates.#1....: kurkihar -> ’aïn dd turk
Hardware.Mon.#1..: Temp: 71c Fan: 55% Util: 79% Core:1835MHz Mem:4006MHz Bus:16 Started: Wed Oct 23 19:54:48 2019
Stopped: Wed Oct 23 20:35:48 2019
All in all the English password attack recovered a total of 13804 new passwords or another 3.5%. This is significantly less then what the Norwegian attack did with 30726 or 7.79%. A breakdown of these attack can be seen in Figure6.5.
Figure 6.5: Breakdown of English Attack