7MS #478: Password Cracking in the Cloud - Part 4

This episode of 7 Minute Security is sponsored by Datadog. Now offering Cloud Security Posture Management (CPSM), Datadog provides one-click compliance posture. Built on the unified Datadog Agent and platform-wide cloud integrations, you can easily get set up minutes. Try it for yourself today and get a free Datadog t-shirt by going to https://datadog.com/7ms

Hey friends, today we're continuing our discussion of password cracking by sharing some methodology that has helped us get a high cred yield, and some tips on taking cracked passwords from multiple sources and Frankensteining them into a beautiful report for your customer.

For some background, when 7MS started as a biz, we used to crack passwords in Paperspace but invested in an on-prem cracking rig a few years ago. That rig has been flipping sweet, but had some heating issues which prompted me to send the system in for warranty and use an awesome cracking rig in AWS in the meantime.

Whether you're cracking locally or in the cloud, here's a quick methodology that has cracked many a hash for us:

  • Do a straight-up hashcat crack against the PwnedPasswords list (at time of this writing I don't have a good source for the cracked versions of these passwords. I used to grab them at hashes.org. Anybody got an alternative?

  • Do a straight-up hashcat crack through the RockYou2021 list

  • Run the hatecrack methodology, including the quick crack, the quick crack with rules (I'm partial to OneRuleToRuleThemAll), and brute-forcing all 1-8 character passwords

Once I'm ready to wrap up all the cracked passwords and put them in a nice shiny report for the customer, I do the following (using hashcombiner and pipal):

# Run hash_combiner on hashcat’s pot file and write results to a file
python /opt/hc/hash_combiner.py user_hash /opt/hashcat/hashcat.potfile > /tmp/round1.txt

# Run hash_combiner on hatecrack’s pot file and write results to a file
python /opt/hc/hash_combiner.py user_hash /opt/hatecrack/hashcat.pot > /tmp/round2.txt

# Cat the two files together into a third file
cat /tmp/round1.txt /tmp/round2.txt > /tmp/round3.txt

# Sort and de-dupe the third file 
cat /tmp/round3.txt | sort -uf > /tmp/nice-and-clean.txt

# Take just the passwords out of the “nice and clean” output
cut -d ':' -f 2 /tmp/nice-and-clean.txt > /tmp/pipal-temp.txt

# Score the passwords using pipal
/opt/pipal/pipal.rb /tmp/pipal-temp.txt > /tmp/pip-final.txt

Now you've got a nice-and-clean.txt list of users and their cracked passwords, as well as the pip-final.txt with deeper analysis of cracked passwords, their commonalities, etc.