Numbers

In document Effective Password Cracking (pages 72-75)

6.4 Going on the Attack

6.4.2 Numbers

We start with the simplest of attacks, trying numbers, and begin with all 4-digit numbers. To do this we use a brute-force attack, which in Hashcat is done with the program's mask attack. The appropriate command is:

hashcat64.exe -m 0 -a 3 ..\collectionMD5.txt ?d?d?d?d

This command gave us the following results:

Session...: hashcat
Status...: Exhausted
Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Mon Oct 21 17:11:39 2019 (7 secs)
Time.Estimated...: Mon Oct 21 17:11:46 2019 (0 secs)
Guess.Mask...: ?d?d?d?d [4]
Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 7308.9 kH/s (0.13ms) @ Accel:512 Loops:10 Thr:256 Vec:1
Recovered...: 1515/394013 (0.38%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:13769,826162,19827909 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 55c Fan: 32% Util: 6% Core:1885MHz Mem:4006MHz Bus:16
Started: Mon Oct 21 17:11:33 2019
Stopped: Mon Oct 21 17:11:47 2019

Numbers with 4 digits can be anything the user would probably also use as a PIN code or a lock/locker combination. Where these numbers really come from is anyone's guess: it could be dates like the person's birthday, a loved one's birthday, or maybe the "randomly" generated PIN they received with their first debit or credit card.

Just to see what might be dates we turn to regex, explained in Section 8.9. First we go for years, but as years could in theory span the whole range from 0000 to 9999, we focus on the ones between 1900 and 2099. We use the search :(19|20)\d\d$ on our output and find that 95 entries match this. Next are the dates, but as there are two readily used formats for dates we have to check both. The first of these date formats is the one that Europeans mostly use, the day/month format. To find these we use :(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])$ and find 317 passwords that match this format. Lastly we check for the format that is most popular in countries like America, the month/day format. We use the search :(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])$ and find a total of 158 passwords that match this format. All in all, 475 of the 1515 recovered passwords are probably a year or a date, which represents a little under one third of all passwords.

The next logical number combination to attack using a mask is the set of all numbers with 6 digits. This is done with the command:

hashcat64.exe -m 0 -a 3 ..\collectionMD5.txt ?d?d?d?d?d?d

This command gave us the following results:

Session...: hashcat
Status...: Exhausted
Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Mon Oct 21 17:39:39 2019 (34 secs)
Time.Estimated...: Mon Oct 21 17:40:13 2019 (0 secs)
Guess.Mask...: ?d?d?d?d?d?d [6]
Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 719.0 MH/s (0.61ms) @ Accel:128 Loops:100 Thr:256 Vec:1
Recovered...: 9101/394013 (2.31%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:13714,822855,19748539 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 55c Fan: 33% Util: 5% Core:1835MHz Mem:4006MHz Bus:16
Started: Mon Oct 21 17:39:34 2019
Stopped: Mon Oct 21 17:40:14 2019

The choice of 6-digit numbers comes from the fact that this is the length of a person's birthdate with the year, to the decade. This attack could be done with a bit more thought and finesse using a custom mask like -1 0123 ?1?d?1?d?d?d. This mask only tests the digits 0, 1, 2 or 3 in the first and third positions, as months are never higher than 12 and days are never above 31, so going into the 40s is unnecessary. But we have to test for both the dd/mm/yy and mm/dd/yy formats. This was not done, as the time cost of the custom mask attack is almost the same as testing all possible 6 digits, relatively speaking.

As we would also like to know how many of these might be birthdays, we took a dive into the output files. A quick regex search with :(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])\d\d$ tells us that 3706 of our recovered passwords match the format dd/mm/yy. Another regex search using :(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d\d$ tells us that 1511 of them match the mm/dd/yy format. A total of 5217 out of the 7586 newly recovered passwords match a date format, which represents about 68.77%.

Next in our search for relevant numbers is to test the 8-digit combinations, which is done with the command:

hashcat64.exe -m 0 -a 3 ..\collectionMD5.txt ?d?d?d?d?d?d?d?d

This command gave us the following results:

Session...: hashcat
Status...: Exhausted
Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Mon Oct 21 17:42:25 2019 (20 secs)
Time.Estimated...: Mon Oct 21 17:42:45 2019 (0 secs)
Guess.Mask...: ?d?d?d?d?d?d?d?d [8]
Guess.Queue...: 1/1 (100.00%)
Speed.#1...: 5445.2 kH/s (3.70ms) @ Accel:128 Loops:125 Thr:256 Vec:1
Recovered...: 13888/394013 (3.52%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:14362,861749,20681986 (Min,Hour,Day)
Hardware.Mon.#1..: Temp: 52c Fan: 33% Util: 1% Core:1506MHz Mem:4006MHz Bus:16
Started: Mon Oct 21 17:42:20 2019
Stopped: Mon Oct 21 17:42:46 2019

These numbers, as it concerns Norwegians, could be phone numbers, as Norwegian phone numbers use 8 digits. It could also be the full format of a person's birthdate; again this could be in dd/mm/yyyy or in mm/dd/yyyy. To test which might be a birthdate and which could be anything else with 8 digits, like a phone number, we again turn to a regex search of the output of the attack. By using the same searches as before, yet replacing the \d\d with (19|20)\d\d, we recovered 638 for the first and 248 for the second when searching our passwords; this is 20.67% of 8 digit passwords.

The last step in our search for numbers is just to remove all 1 to 12 digit numbers, as this is easy to do and removes some candidates later. The command for this attack is:

hashcat64.exe -m 0 -a 3 ..\collectionMD5.txt ?d?d?d?d?d?d?d?d?d?d?d?d --increment

The --increment option tells Hashcat to start at ?d and add another ?d after it has tested all combinations, all the way up to ?d?d?d?d?d?d?d?d?d?d?d?d. This command gave us the following results:

Session...: hashcat
Status...: Exhausted
Hash.Type...: MD5
Hash.Target...: ..\collectionMD5.txt
Time.Started...: Mon Oct 21 18:41:10 2019 (4 mins, 45 secs)
Time.Estimated...: Mon Oct 21 18:45:55 2019 (0 secs)
Guess.Mask...: ?d?d?d?d?d?d?d?d?d?d?d?d [12]
Guess.Queue...: 12/12 (100.00%)
Speed.#1...: 3646.7 MH/s (10.36ms) @ Accel:128 Loops:125 Thr:256 Vec:1
Recovered...: 16702/394013 (4.24%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:7,N/A,N/A AVG:18,1099,26381 (Min,Hour,Day)
Progress...: 1000000000000/1000000000000 (100.00%)
Rejected...: 0/1000000000000 (0.00%)
Restore.Point....: 1000000000/1000000000 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:875-1000 Iteration:0-125
Candidates.#1....: 468475367373 -> 688749494964
Hardware.Mon.#1..: Temp: 80c Fan: 81% Util: 98% Core:1771MHz Mem:4006MHz Bus:16
Started: Mon Oct 21 18:40:17 2019
Stopped: Mon Oct 21 18:45:56 2019

The rationale for this attack is that it is easy to set up, quick to do and reveals some of the possibilities right off the bat. As one can see from the last report, we already have a little over 4% of the passwords in under 6 minutes of computation time. From here we can go on to run some other attacks that are also simple, yet a little more complex than brute-force. But first we take a back-up of our results. A breakdown of the results can be found in Figure 6.1, where Sub-figure 6.1a breaks down what these numbers might be and Sub-figure 6.1b shows which format the dates are in.

(a) What the numbers might be (b) Formats used

Figure 6.1: Breakdown of Numbers Recovered
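The regex searches this section runs over the 4-, 6- and 8-digit results, gathered into one script as an added example (not code from the thesis). It assumes output lines in hash:plain form; the function names, the sample lines and the placeholder hash are constructed. A string such as 0311 fits both dd/mm and mm/dd, so entries matching more than one pattern are also tallied as ambiguous.

```python
import re
from collections import Counter

# The section's patterns, split into reusable parts.
DAY = r"(0[1-9]|[12]\d|3[01])"
MONTH = r"(0[1-9]|1[0-2])"
YEAR4 = r"(19|20)\d\d"          # 1900-2099, as in the text
PATTERNS = {                     # keyed by plaintext length
    4: {"year": YEAR4, "dd/mm": DAY + MONTH, "mm/dd": MONTH + DAY},
    6: {"dd/mm/yy": DAY + MONTH + r"\d\d", "mm/dd/yy": MONTH + DAY + r"\d\d"},
    8: {"dd/mm/yyyy": DAY + MONTH + YEAR4, "mm/dd/yyyy": MONTH + DAY + YEAR4},
}

def classify(plain):
    """Return every label whose pattern matches the whole plaintext."""
    if not (plain.isascii() and plain.isdigit()):
        return set()
    rules = PATTERNS.get(len(plain), {})
    return {name for name, pat in rules.items()
            if re.fullmatch(pat, plain, re.ASCII)}

def breakdown(lines):
    """Tally labels over hash:plain lines; non-numeric plaintexts are skipped."""
    counts = Counter()
    for line in lines:
        # MD5 hex never contains ':', so the first colon ends the hash.
        _, sep, plain = line.rstrip("\r\n").partition(":")
        if not sep or not (plain.isascii() and plain.isdigit()):
            continue
        labels = classify(plain)
        counts.update(labels)
        if len(labels) > 1:
            counts["ambiguous"] += 1   # e.g. 0311 is both dd/mm and mm/dd
        elif not labels:
            counts["other"] += 1       # PIN, phone number, anything else
    return counts

# Constructed sample; H is a placeholder, not a real digest.
H = "0" * 32
SAMPLE = [f"{H}:{p}" for p in (
    "1987", "2012", "2504", "0311", "1231", "7734",
    "250487", "120587", "25041987", "91234567", "abc123")]

if __name__ == "__main__":
    for label, n in sorted(breakdown(SAMPLE).items()):
        print(f"{label:12} {n}")
```

The same classifier can back a password-policy check that rejects purely numeric, date-shaped choices at registration time.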