Powered by ACTIVECYBER, LLC
I was recently challenged to write a program to analyze a list of clear-text passwords and classify them into Hashcat-like masks, listing the top 3 most common masks used within the file and how many times they occurred. While researching password analysis and creating the program, I began to realize how useful this tool could be, not only for understanding the trends in password use but also its potential in penetration tests. For instance, say you’re able to gain access to the NTDS.dit file of a domain controller and crack a number of the NTLM hashes. With this program you could analyze the cracked passwords and output the most common masks in use, which you could then use in a mask attack with Hashcat to attempt to crack additional passwords. Or if you were to capture netNTLMv2 hashes with Responder and your password lists and rules files weren’t turning up anything, before turning to a brute-force attack you could obtain the organization’s password policy and target the most common masks that fit the password policy.
For those unfamiliar with masks in Hashcat, they’re basically a way to conduct a targeted brute-force attack against hashes. The default mappings are:
• ?u — all uppercase characters [A-Z]
• ?l — all lowercase characters [a-z]
• ?d — all digits [0-9]
• ?s — all special characters (in this case, everything else that doesn’t fit in the above categories)
So if you know (or suspect) that a user’s password is 8 characters long, starts with an uppercase letter followed by lowercase letters and ends with a digit and a special character, instead of trying to brute-force it with all possible combinations of 8-character strings you could use the mask “?u?l?l?l?l?l?d?s” and Hashcat will only attempt to crack the hash with strings that conform to that mask, reducing the number of possibilities and the time required to iterate through them.
If this sounds a bit confusing, I’ll clarify below with a few examples. But first, I had to make a few changes to the program. My original iteration only took a static list of passwords, one per line, analyzed the entire file, and output the top 3 most common masks. Using the standard rockyou.txt file, it would output the following results:
Top 3 Password Masks
Useful, but not quite versatile enough for what I had in mind. I wanted to be able to specify how many masks to output, and to filter out passwords below the minimum character count of the password policy. After a little bit of tinkering, I had successfully implemented the changes. Now, if I wanted to output the top 6 most common masks in rockyou.txt with 12 characters or more, I would get:
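The classification the post describes, written out as an added example (this is my own code, not the script from the post or its GitHub repository): each character is mapped to its mask token, passwords shorter than the policy minimum are skipped, and the top N masks are reported. The function and file names are my own, the sample password list is constructed for illustration, and the ?s class follows the post's definition (anything that is not [A-Z], [a-z] or [0-9]).

```python
"""Classify clear-text passwords into Hashcat-style masks and report the most
common ones.  Added example, not the post's script.  Assumptions (labelled):
function names are mine; ?s is "everything that is not ?u, ?l or ?d", as the
post defines it; SAMPLE_PASSWORDS is a constructed stand-in for a cracked
password file."""
import sys
from collections import Counter
from typing import Iterable, List, Tuple


def char_class(ch: str) -> str:
    """Map one character to its Hashcat mask token, as defined in the post."""
    if "a" <= ch <= "z":
        return "?l"
    if "A" <= ch <= "Z":
        return "?u"
    if "0" <= ch <= "9":
        return "?d"
    return "?s"  # everything else, including non-ASCII characters


def password_to_mask(password: str) -> str:
    """'Words23!' -> '?u?l?l?l?l?d?d?s'"""
    return "".join(char_class(c) for c in password)


def top_masks(passwords: Iterable[str], top_n: int = 3,
              min_length: int = 0) -> List[Tuple[str, int]]:
    """Count the mask of every password that is at least min_length characters
    long and return the top_n (mask, count) pairs, most common first."""
    counts: Counter = Counter()
    for pw in passwords:
        pw = pw.rstrip("\r\n")           # file lines carry their newline
        if not pw or len(pw) < min_length:
            continue
        counts[password_to_mask(pw)] += 1
    return counts.most_common(top_n)


def analyze_file(path: str, top_n: int = 3,
                 min_length: int = 0) -> List[Tuple[str, int]]:
    """Stream a one-password-per-line file.  Wordlists such as rockyou.txt
    contain bytes that are not valid UTF-8, so decode leniently instead of
    aborting part-way through the file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return top_masks(fh, top_n, min_length)


# Constructed sample data (not from any real breach or engagement).
SAMPLE_PASSWORDS = [
    "password", "iloveyou", "princess",   # 8 x ?l
    "Summer2019!", "Winter2020!",         # ?u + 5 x ?l + 4 x ?d + ?s (11 chars)
    "123456", "Words23!", "letmein",
]


def main(argv: List[str]) -> None:
    if len(argv) < 2:
        print(f"usage: {argv[0]} <wordlist> [top_n] [min_length]")
        return
    top_n = int(argv[2]) if len(argv) > 2 else 3
    min_length = int(argv[3]) if len(argv) > 3 else 0
    for mask, count in analyze_file(argv[1], top_n, min_length):
        print(f"{count:>10}  {mask}")    # one mask per line, .hcmask style


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python masks.py rockyou.txt 6 12` to reproduce the "top 6 masks, 12 characters or longer" query from the post. Counting is done with a single pass over the file rather than loading it into memory, which matters for multi-gigabyte combined lists, and the lenient decoding is deliberate: a single undecodable line in a wordlist should not discard the whole analysis.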
Top 6 Masks 12 Characters or Longer
To look at a different sample group, I downloaded the various password lists compiled by Daniel Miessler, Jason Haddix, and g0tmi1k in SecLists. I analyzed the three largest generic password lists in SecLists: darkc0de.txt, bt4-password.txt, and alleged-gmail-passwords.txt. After combining the 3 lists into one and removing duplicates, the top 10 masks were shown to be:
Combined List Top 10 Masks
So far, the trend appears to show that passwords consisting of only lower-case characters are still the most prevalent passwords in the most common password lists. When it comes to password cracking today, no modern corporate environment should contain 8-character passwords of only lower-case letters. However, password analysis of pre-compiled wordlists is only one potential purpose of this script. My intention with it is to evaluate password trends during penetration tests to allow for more effective cracking and to understand how those trends change over time. For instance, say you were able to gain access to the NTDS.dit file during a penetration test and crack a number of passwords using rockyou.txt and mangling rules. This script could be used to analyze the cracked passwords and display the most common masks, which can then be used to attempt to crack additional passwords. Additionally, these masks can be saved over time so as time goes on and more passwords are collected, you can analyze the most common password combinations used by one organization over time, as well as the masks in use across organizations.
To demonstrate the benefit, I generated a SHA1 hash for the 8-character string “Words23!” and attempted to brute-force the password using Hashcat on my laptop, which is admittedly not very powerful. It took approximately 15 minutes to go through every possibility 1–7 characters in length, then estimated an additional 10 hours to go through only 8-character possibilities.
8-Character Time Estimation
Now, say after some analysis of passwords in the same environment or a similar environment you had found the most common combination were 8-character passwords that started with a capital letter and ended with two digits and a special character. Trying to crack the same password as above using the appropriate mask cracked the password in less than 10 seconds.
hashcat -m 100 -a 3 hash.txt ?u?l?l?l?l?d?d?s
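To put numbers on the difference between the 10-hour estimate and the 10-second mask run, here is an added example (my own code, not part of the post) that computes the candidate keyspace of a mask and compares it with an exhaustive search over all printable ASCII strings of the same length. The charset sizes are Hashcat's built-in classes (?l and ?u 26, ?d 10, ?s 33 printable specials including space, ?a 95), which differ from the post's catch-all definition of ?s only in that the post folds every remaining character into that class; the function names are my own.

```python
"""Keyspace of a Hashcat mask versus an exhaustive search of the same length.
Added example, not from the post.  Assumptions (labelled): charset sizes are
Hashcat's built-in classes; custom charsets (?1-?4) are not modelled; function
names are mine."""
from typing import List

CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95, "?b": 256}


def parse_mask(mask: str) -> List[str]:
    """Split '?u?l?d' into tokens.  Hashcat allows literal characters in a mask
    ('Words?d?d?s') and '??' for a literal question mark; both become fixed
    one-candidate tokens."""
    tokens, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            tokens.append(mask[i:i + 2])
            i += 2
        else:
            tokens.append(mask[i])
            i += 1
    return tokens


def mask_keyspace(mask: str) -> int:
    """Number of candidates the mask attack has to hash."""
    space = 1
    for tok in parse_mask(mask):
        if tok.startswith("?") and tok != "??":
            if tok not in CHARSET_SIZE:
                raise ValueError(f"custom charset {tok} is not modelled here")
            space *= CHARSET_SIZE[tok]
        # literal tokens contribute exactly one candidate (factor 1)
    return space


def exhaustive_keyspace(length: int, charset_size: int = 95) -> int:
    """Candidates for a full brute force of `length` printable-ASCII chars."""
    return charset_size ** length


def reduction_factor(mask: str) -> int:
    """How many times smaller the mask keyspace is than the exhaustive one."""
    length = len(parse_mask(mask))
    return exhaustive_keyspace(length) // mask_keyspace(mask)


def seconds_at_rate(keyspace: int, hashes_per_second: int) -> float:
    """Worst-case time to walk the whole keyspace at a given hash rate."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    mask = "?u?l?l?l?l?d?d?s"            # the mask used in the post
    rate = 100_000_000                    # assumed 100 MH/s for a laptop GPU
    print(f"mask keyspace       : {mask_keyspace(mask):,}")
    print(f"exhaustive keyspace : {exhaustive_keyspace(8):,}")
    print(f"reduction factor    : {reduction_factor(mask):,}x")
    print(f"worst case at {rate:,} H/s: "
          f"{seconds_at_rate(mask_keyspace(mask), rate) / 60:.1f} min vs "
          f"{seconds_at_rate(exhaustive_keyspace(8), rate) / 86400:.0f} days")
```

The same arithmetic is the defender's argument for a password policy: a policy that forces "one uppercase, one digit, one special" pushes most users into a handful of masks, and the more concentrated the masks are, the smaller the search an attacker with a cracked sample has to run. Measuring that concentration with the classifier above is a more honest audit of policy strength than counting character classes.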
Hopefully, the script will assist testers in analyzing password trends and allow them to use likely password masks for better cracking.
The code for the script is available on GitHub. As always, this script is intended for educational purposes only. Do not use this script in environments you do not own or do not have permission to analyze.
ACTIVELabs was created in 2018 to hunt and research undiscovered vulnerabilities, report them to vendors via responsible disclosure programs, publish advisories, develop and validate new patches, and to share this information for the advancement of the cybersecurity community. ACTIVELabs was established with the mission of securing our ever-growing client base, partnerships, and the technology community as a whole.
We are actively providing the community with verified findings and research that leads to the creation of new Common Vulnerabilities and Exposures (CVEs) and updates to the National Vulnerability Database (NVD). For a full listing of all of our Advisories, visit our GitHub page here.