6.4 Going on the Attack
6.4.4 Norwegian
Now that we have completed the first steps of a standard attack let us go on to using Norwegian information to see what we can recover.
Norwegian Names
First up is using names. Modern Norway is a rather multicultural country and therefore has many names that might not be in this dictionary. But we want to know what we can recover with typical Norwegian names so we run this attack anyways, we first use the filenames_norwegian.txtwithout any rules added.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\names_norwegian.txt This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 15:15:34 2019 (1 sec) Time.Estimated...: Tue Oct 22 15:15:35 2019 (0 secs) Guess.Base...: File (..\Dict\names_norwegian.txt) Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 7195.2 kH/s (0.06ms) @ Accel:1024 Loops:1 Thr:64 Vec:1 Recovered...: 228171/394013 (57.91%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:18798,1127922,27070130 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 52c Fan: 32% Util: 3% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 15:15:30 2019
Stopped: Tue Oct 22 15:15:36 2019
We recovered 92 new passwords with names only, it is unusual for people to use their names alone. Usually they add elements to it, some add their date of birth to the end maybe with or without a !, other might just add some random digit to the end. Let us consider our fictional friendHåkon, he might think "my name is not enough, but what if I use håkon1975, håkon1410or1410ødegård".
These possible combinations can be recovered by this attack so, lets add some dates or simpler add all 4 digit combinations to the end, and then to the front.
We run the attack on Norwegian names with this additional mask.
hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\names_norwegian.txt ?d?d?d?d
hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt
?d?d?d?d ..\Dict\names_norwegian.txt The second of these command gave us the following results, the first can be found in SectionA.5:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 15:24:03 2019 (1 sec) Time.Estimated...: Tue Oct 22 15:24:04 2019 (0 secs)
Guess.Base...: File (..\Dict\names_norwegian.txt), Right Side Guess.Mod...: Mask (?d?d?d?d) [4], Left Side
Guess.Queue.Base.: 1/1 (100.00%) Guess.Queue.Mod..: 1/1 (100.00%)
Speed.#1...: 41027.0 kH/s (0.33ms) @ Accel:128 Loops:64 Thr:256 Vec:1 Recovered...: 229015/394013 (58.12%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:24835,1490121,35762924 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 52c Fan: 31% Util: 5% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 15:23:57 2019
Stopped: Tue Oct 22 15:24:06 2019
Of these 844 newly recovered passwords 355 of them are from adding 4 digits to the back and 489 of them to the from. This would so far suggest that the Norwegian people are more likely to add the numbers before the name rather the after. Now we want to know if the Norwegian users also do some other changes to them as well. Take our fictional friend Håkon he has been told by his email service that his password needs a symbol so he adds one and creates håkon1410!. Now another possibility is that he is not aware of the fact that he can use the letter åso instead his password is set as hakon1410. So to find either of these possible passwords we need to do slight changes to the passwords candidates from the last attack. Unfortunately Hashcat only allows one rule at a time on this hybrid attack mode. So instead we use a Hashcat utility called combinator.exe, this allows us to combine two dictionaries. We use this utility to combinenames_norwegiananddatesinto two filesnames_norwegian_datesanddates_names_norwegian.
combinator.exe ..\names_norwegian.txt ..\dates.txt
> ..\names_norwegian_dates.txt combinator.exe ..\dates.txt ..\names_norwegian.txt
> ..\dates_names_norwegian.txt
With these two new files we can run Hashcat with a rule file and not just one rule. This would then take a few less attacks to recover passwords that are based on names with dates attached. The rule file we use is an altered form of one that also comes with Hashcat calledbasic.rule. We have altered this file to ignore its rules to append and prepend numbers and we have added some rules that alter Norwegian characters to English ones. We call this new rule file basic2.txt, this is stored in the txt format so it can handle ’øæå’ better.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\names_norwegian_dates.txt -r rules\basic2.txt
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt
..\Dict\dates_names_norwegian.txt -r rules\basic2.txt
The second of these command gave us the following results, where the first can be found in AppendixA.5:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 16:22:17 2019 (0 secs) Time.Estimated...: Tue Oct 22 16:22:17 2019 (0 secs)
Guess.Base...: File (..\Dict\dates_names_norwegian.txt) Guess.Mod...: Rules (rules\basic2.txt)
Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 105.1 MH/s (6.73ms) @ Accel:512 Loops:16 Thr:64 Vec:1 Recovered...: 229200/394013 (58.17%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:972,58344,1400273 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 52c Fan: 31% Util: 22% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 16:22:11 2019
Stopped: Tue Oct 22 16:22:18 2019
So some, but not a lot of people thought of changing their name to a small extent after they added their dates to their names. But dates are not the only numbers that are added to the end. Our fictional friendHåkonmight have just added the year to the back of his name taking the millennia and century out of the mix and usedhåkon75or just done the simplest thing and usedhåkon123.
So we have to try other combinations as well, we limit ourselves to 4 digits although. Seeing as we have already tried with 4 digits we only need to try 1 to 3. We also add the capitalize rule as this is what people typically do when prompted to add 1 uppercase letter.
hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\names_norwegian.txt ?d?d?d --increment
hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\names_norwegian.txt ?d?d?d --increment -j c
hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt
?d?d?d ..\Dict\names_norwegian.txt --increment
hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt
?d?d?d ..\Dict\names_norwegian.txt --increment -j c
The last of these command gave us the following results, the others can be found in AppendixA.5:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 16:37:02 2019 (0 secs) Time.Estimated...: Tue Oct 22 16:37:02 2019 (0 secs)
Guess.Base...: File (..\Dict\names_norwegian.txt), Right Side Guess.Mod...: Mask (?d?d?d) [3], Left Side
Guess.Queue.Base.: 1/1 (100.00%) Guess.Queue.Mod..: 3/3 (100.00%)
Speed.#1...: 130.3 MH/s (0.14ms) @ Accel:128 Loops:64 Thr:256 Vec:1 Recovered...: 229958/394013 (58.36%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:0,0,0 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 54c Fan: 31% Util: 26% Core:1733MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 16:36:56 2019
Stopped: Tue Oct 22 16:37:03 2019
We can see that almost the same amount of people add any random 3 digit number to the beginning or the end as those that use a possible date. One of the passwords somewhat based on names that user might use is using their email address, this can be a bit hard to do in our position but lets try anyway. To do this we add in a list of Norwegian email domains, this is limited to ".no" as we know this to be true for all emails. We try three different attacks to account for capital letter and uppercase name.
hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt
..\Dict\names_norwegian.txt
..\Dict\norske_epost_adresser.txt hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt
..\Dict\names_norwegian.txt
..\Dict\norske_epost_adresser.txt -j u hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt
..\Dict\names_norwegian.txt
..\Dict\norske_epost_adresser.txt -j c
The last of these command gave us the following results, the other can be found in AppendixA.5:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 17:28:20 2019 (0 secs) Time.Estimated...: Tue Oct 22 17:28:20 2019 (0 secs)
Guess.Base...: File (..\Dict\names_norwegian.txt), Left Side
Guess.Mod...: File (..\Dict\norske_epost_adresser.txt), Right Side Speed.#1...: 694.6 MH/s (0.17ms) @ Accel:128 Loops:64 Thr:256 Vec:1 Recovered...: 229961/394013 (58.36%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:0,0,0 (Min,Hour,Day) Progress...: 19925136/19925136 (100.00%)
Rejected...: 0/19925136 (0.00%) Restore.Point....: 4792/4792 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:4096-4158 Iteration:0-64 Candidates.#1....: Aaron(at)himolde,no -> øynes(at)line,no
Hardware.Mon.#1..: Temp: 52c Fan: 32% Util: 54% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 17:28:15 2019
Stopped: Tue Oct 22 17:28:21 2019
The low number of newly recovered, 3 passwords, was rather expected.
This of course is because email addresses are rarely just someones name and an email domain. It rather unlikly that our fictional FriendHåkon’s email is justhåkon@getmail.noor he might have a custom domain that we did not add to our list, like@ødegård.no. The attack could be done more intelligently if you have the users information , like the email they registered with. Using this information you could compile a list of their personal information and create a dictionary based on this. With a dictionary of personal information on several users a rule-based attack could be very efficient. This could also be said about the entire name based attack. A breakdown of the names found can be seen in Figure6.2
Figure 6.2: Breakdown of Names recovered Sports
The next dictionary to use is sports teams, because many people create passwords with their favorite teams name. We want as big a spread as possible so we use a file that contains football, ice hockey and handball. Like the in the previous Section, we start with the names without any changes done to them.
Take our fictional friendHåkonas he is aRosenborgsupporter he might find this to be easy to remember and use it as his password.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\sport.txt This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 17:42:37 2019 (0 secs) Time.Estimated...: Tue Oct 22 17:42:37 2019 (0 secs) Guess.Base...: File (..\Dict\sport.txt)
Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 915.3 kH/s (0.03ms) @ Accel:1024 Loops:1 Thr:64 Vec:1 Recovered...: 229979/394013 (58.37%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:9352,561170,13468083 (Min,Hour,Day) Progress...: 560/560 (100.00%)
Rejected...: 0/560 (0.00%) Restore.Point....: 560/560 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidates.#1....: aalesund -> øygardaker topphåndball
Hardware.Mon.#1..: Temp: 52c Fan: 32% Util: 12% Core:1506MHz Mem:4006MHz Bus:16
Started: Tue Oct 22 17:42:32 2019 Stopped: Tue Oct 22 17:42:38 2019
We note that relatively few passwords match team names directly, but let us see what we can recover if we do some changes to the inputs. In the case of our fictional friendHåkonthinks to make his passwordRosenborg1927, this is the year the team was renamed toRosenborg. We do this small change by adding some numbers to the start or end of our input in this next attack, we will also try with and without capitals.
hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\sport.txt ?d?d?d?d --increment hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt
?d?d?d?d ..\Dict\sport.txt --increment hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\sport.txt ?d?d?d?d --increment -j c hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt
?d?d?d?d ..\Dict\sport.txt --increment -k c The last of these commands gave us the following results, the other can be found in AppendixA.6:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 18:57:03 2019 (0 secs) Time.Estimated...: Tue Oct 22 18:57:03 2019 (0 secs) Guess.Base...: File (..\Dict\sport.txt), Right Side Guess.Mod...: Mask (?d?d?d?d) [4], Left Side Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 4/4 (100.00%)
Speed.#1...: 71099.8 kH/s (0.36ms) @ Accel:128 Loops:70 Thr:256 Vec:1 Recovered...: 230289/394013 (58.45%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:18921,1135311,27247479 (Min,Hour,Day) Progress...: 5600000/5600000 (100.00%)
Rejected...: 0/5600000 (0.00%) Restore.Point....: 10000/10000 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:490-560 Iteration:0-70 Candidates.#1....: 1234Trysil -> 6883øygardaker topphåndball
Hardware.Mon.#1..: Temp: 53c Fan: 32% Util: 56% Core:1531MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 18:56:57 2019
Stopped: Tue Oct 22 18:57:04 2019
We recover a total of 310 new passwords with these four attacks, 182 of them are just numbers added to the team names. Next we change the input slightly by adding the rule filebasic.ruleto our attack
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\sport.txt
-r rules\basic.rule
This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 18:57:34 2019 (0 secs) Time.Estimated...: Tue Oct 22 18:57:34 2019 (0 secs) Guess.Base...: File (..\Dict\sport.txt)
Guess.Mod...: Rules (rules\basic.rule) Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 26934.6 kH/s (0.57ms) @ Accel:128 Loops:56 Thr:64 Vec:1 Recovered...: 230306/394013 (58.45%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:9763,585837,14060090 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 53c Fan: 32% Util: 32% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 18:57:29 2019
Stopped: Tue Oct 22 18:57:35 2019
This produced another 17 recovered passwords, leaving the total of passwords recovered by using the name of Norwegian sports teams to 375.
Countries and Place Names
Another form of name that is easy to remember an thus used for passwords are country names and place names. So we try some of these in the Norwegian language to do an attack. For simplicity and efficiency these are merged into one file which we callland_sted.txt. We first try is the names alone and without any alterations.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\land_sted.txt This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 18:58:41 2019 (0 secs) Time.Estimated...: Tue Oct 22 18:58:41 2019 (0 secs) Guess.Base...: File (..\Dict\land_sted.txt) Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 517.3 kH/s (0.02ms) @ Accel:1024 Loops:1 Thr:64 Vec:1 Recovered...: 230316/394013 (58.45%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:5825,349558,8389383 (Min,Hour,Day) Progress...: 337/337 (100.00%)
Rejected...: 0/337 (0.00%) Restore.Point....: 337/337 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[61666768616e697374616e] -> $HEX[7361727073626f72671a]
Hardware.Mon.#1..: Temp: 52c Fan: 32% Util: 20% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 18:58:36 2019
Stopped: Tue Oct 22 18:58:42 2019
There are 337 different names in the file and only 10 of them are used as passwords. But what if we add numbers at the beginning or end of the input, as well with capitals. Because our fictional friendHåkondoes not want to use Trondheimalone, no he wants to add his year of birth for added security, so he usestrondheim1975.
hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\land_sted.txt ?d?d?d?d --increment hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt
?d?d?d?d ..\Dict\land_sted.txt --increment hashcat64.exe -m 0 -a 6 ..\collectionMD5.txt
..\Dict\land_sted.txt ?d?d?d?d -j c --increment hashcat64.exe -m 0 -a 7 ..\collectionMD5.txt
?d?d?d?d ..\Dict\land_sted.txt -k c --increment The last of these commands gave us the following results, the others can be
found in AppendixA.7:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 19:02:22 2019 (0 secs) Time.Estimated...: Tue Oct 22 19:02:22 2019 (0 secs)
Guess.Base...: File (..\Dict\land_sted.txt), Right Side Guess.Mod...: Mask (?d?d?d?d) [4], Left Side
Guess.Queue.Base.: 1/1 (100.00%) Guess.Queue.Mod..: 4/4 (100.00%)
Speed.#1...: 163.3 MH/s (0.19ms) @ Accel:128 Loops:42 Thr:256 Vec:1 Recovered...: 230431/394013 (58.48%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:12386,743215,17837182 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 53c Fan: 32% Util: 42% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 19:02:15 2019
Stopped: Tue Oct 22 19:02:23 2019
Another 115 passwords were recovered using countries or place names with a number appended or prepended to the input as well as with or without capitals. But now let us add some more rules using thebasic.rule file in our attack.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\land_sted.txt
-r rules\basic.rule This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 19:02:55 2019 (0 secs) Time.Estimated...: Tue Oct 22 19:02:55 2019 (0 secs) Guess.Base...: File (..\Dict\land_sted.txt) Guess.Mod...: Rules (rules\basic.rule) Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 16203.3 kH/s (0.55ms) @ Accel:128 Loops:56 Thr:64 Vec:1 Recovered...: 230441/394013 (58.49%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:6441,386460,9275043 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 52c Fan: 32% Util: 10% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 19:02:50 2019
Stopped: Tue Oct 22 19:02:56 2019
Only 135 passwords recovered using the names of places or countries as written in Norwegian.
Norwegian Words
Now lets use a larger list than the ones used above. This time let us use about 800.000 Norwegian dictionary words. We want to know how many passwords are just the words without any changes done to them. This could allow us to recoverHåkon’spasswords if he has used his dog’s name as a password, this would not be recovered by a name search assjefenis not an actual name.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\norske_ord.txt This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 19:04:07 2019 (4 secs) Time.Estimated...: Tue Oct 22 19:04:11 2019 (0 secs) Guess.Base...: File (..\Dict\norske_ord.txt) Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 283.6 kH/s (1.58ms) @ Accel:1024 Loops:1 Thr:64 Vec:1 Recovered...: 231205/394013 (58.68%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:13087,785277,18846654 (Min,Hour,Day)
Progress...: 799198/799198 (100.00%) Rejected...: 0/799198 (0.00%)
Restore.Point....: 799198/799198 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidates.#1....: sports-ministerens -> øy-væringer
Hardware.Mon.#1..: Temp: 52c Fan: 32% Util: 0% Core:1506MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 19:04:03 2019
Stopped: Tue Oct 22 19:04:11 2019
764 passwords recovered in the grand scheme of the databases size is not a lot in an absolute sense. But considering that they are generic words without changes it is a relatively large number. So let us try to go after a "newer" form of passwords, the passphrase, in this case combinations of two words. This dictionary is unfortunately to large to use the utilitycombinator.exethis time.
So instead we use thecombinatorattack mode.
hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt ..\Dict\norske_ord.txt
..\Dict\norske_ord.txt This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 19:08:06 2019 (5 mins, 21 secs) Time.Estimated...: Tue Oct 22 19:13:27 2019 (0 secs)
Guess.Base...: File (..\Dict\norske_ord.txt), Left Side Guess.Mod...: File (..\Dict\norske_ord.txt), Right Side
Speed.#1...: 1883.3 MH/s (4.34ms) @ Accel:128 Loops:64 Thr:256 Vec:1 Recovered...: 236298/394013 (59.97%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:605,N/A,N/A AVG:950,57048,1369160 (Min,Hour,Day) Hardware.Mon.#1..: Temp: 75c Fan: 56% Util: 91% Core:1822MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 19:08:00 2019
Stopped: Tue Oct 22 19:13:28 2019
That is a nice amount of recovered password for a short attack, with a total of 5093 passphrases in Norwegian, at least using these Norwegian words. But lets give it some capitalization, we will try for both the words and then first word only.
hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt ..\Dict\norske_ord.txt
..\Dict\norske_ord.txt -j c -k c hashcat64.exe -m 0 -a 1 ..\collectionMD5.txt
..\Dict\norske_ord.txt
..\Dict\norske_ord.txt -j c
The second one of these commands gave us the following results, where the first can be found in AppendixA.8:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 19:21:27 2019 (4 mins, 50 secs) Time.Estimated...: Tue Oct 22 19:26:17 2019 (0 secs)
Guess.Base...: File (..\Dict\norske_ord.txt), Left Side Guess.Mod...: File (..\Dict\norske_ord.txt), Right Side
Speed.#1...: 1939.9 MH/s (4.42ms) @ Accel:128 Loops:64 Thr:256 Vec:1 Recovered...: 237516/394013 (60.28%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:153,N/A,N/A AVG:195,11759,282227 (Min,Hour,Day) Hardware.Mon.#1..: Temp: 75c Fan: 62% Util: 94% Core:1822MHz Mem:4006MHz Bus:16 Started: Tue Oct 22 19:21:21 2019
Stopped: Tue Oct 22 19:26:18 2019
Another 1218 passwords where recovered using a phrase search. But let us not stop at phrases, we also try this using a strong rule attached. We use the same as the one we used onrockyou.txt, we are talking aboutrockyou-30000.rule.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\norske_ord.txt
-r rules\rockyou-30000.rule --debug-mode=3
--debug-file=nor-rule.log This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 20:43:02 2019 (1 min, 15 secs) Time.Estimated...: Tue Oct 22 20:44:17 2019 (0 secs)
Guess.Base...: File (..\Dict\norske_ord.txt) Guess.Mod...: Rules (rules\rockyou-30000.rule) Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 363.0 MH/s (9.55ms) @ Accel:128 Loops:64 Thr:64 Vec:1 Recovered...: 240443/394013 (61.02%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:1997,N/A,N/A AVG:2315,138935,3334462 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 67c Fan: 45% Util: 94% Core:1860MHz Mem:4006MHz Bus:16
Started: Tue Oct 22 20:42:56 2019 Stopped: Tue Oct 22 20:44:19 2019
All in all we recovered 9238 passwords with our Norwegian dictionary. A breakdown of these attacks can be seen in Figure6.3.
Figure 6.3: Breakdown of Norwegian Words
To see if we can find some stragglers to this we run two more time-costly attacks. The first is to run all these Norwegian dictionaries with an even more versatile rule file. This rule file is calledOneRuleToRuleThemAll.rule, this rule is a compilation of many other rule files.
hashcat64.exe -m 0 -a 0 ..\collectionMD5.txt ..\Dict\Norwegian
-r rules\OneRuleToRuleThemAll.rule --debug-mode=3
--debug-file=all_nor.log This command gave us the following results:
Session...: hashcat Status...: Exhausted Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Tue Oct 22 21:19:59 2019 (1 sec) Time.Estimated...: Tue Oct 22 21:20:00 2019 (0 secs) Guess.Base...: File (..\Dict\Norwegian/sport.txt) Guess.Mod...: Rules (rules\OneRuleToRuleThemAll.rule) Guess.Queue...: 6/6 (100.00%)
Speed.#1...: 32498.0 kH/s (0.38ms) @ Accel:128 Loops:64 Thr:64 Vec:1 Recovered...: 245726/394013 (62.36%) Digests, 0/1 (0.00%) Salts Recovered/Time...: CUR:N/A,N/A,N/A AVG:61,3710,89054 (Min,Hour,Day)
Progress...: 29117200/29117200 (100.00%) Rejected...: 0/29117200 (0.00%)
Restore.Point....: 560/560 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:51968-51995 Iteration:0-64 Candidates.#1....: aalesund -> øygardajjr topphåndball
Restore.Sub.#1...: Salt:0 Amplifier:51968-51995 Iteration:0-64 Candidates.#1....: aalesund -> øygardajjr topphåndball