The Details:
Composition:
All password hashes are contrived and were chosen to mimic a penetration test of an internal network of a large corporate organization with a large number of Active Directory passwords, UNIX passwords, Oracle database passwords, and LDAP-based Single Sign On (SSO) passwords (SHA and SSHA hash types). The percentage of each hash type closely matches what has been observed in real corporate environments. Some teams might notice the complete lack of raw-md5 hashes. Although raw-md5 hashes are commonly seen by (and cracked by) passwords crackers on the Internet, they are rarely seen as a method of storing authentication information in corporate environments/applications. The list of hashes was generated by combining wordlists, custom rules, and random characters. These password were then placed into individual TXT files for each category. From this list, the following hashes were used: NTLM, LM, DES, Salted-MD5 ($1$ FreeBSD style), Oracle, SHA and SSHA.
For each hash type (NTLM, LM, etc) entries were randomly chosen from all wordlists. Therefore, if a complete list of last names was generated, these could be used to crack examples from all formats (NTLM, DES, SSHA, etc).
Wordlists:
KoreLogic based the wordlists on words that we are seeing in the "real world". Normal 5,6,7,8 letter words are expected but we have noticed a large amount of users who are basing passwords on names. So, a large list of last names, and male and female first names were created. Some companies have a large population of employees from foreign countries (e.g., India). Since these names are less likely to be in American-Based name lists, a new list was created. You should adjust your name lists based on what the make up of your employees/targets are like.
We have also noticed employees using a large number of passwords based on names of places (e.g, current city/state, colleges attended, the place they grew up, names of local regions, local rivers, etc.) Lists were created with this information for the DEFCON contest, but should also be created for all major cities.
For corporations that force their employees to change their passwords often, employees have developed schemes to remember these constantly changing passwords. The four major categories noticed are months (in various forms), days of the week, years, and seasons. Multiple dictionaries were based on these patterns and used for the contest. These lists are less likely to be successful on sites that do not force frequent password changes, but almost _all_ corporate environments do. In the future, KoreLogic feels that web-sites (such as Google, FaceBook, etc) will (or should) enforce these policies as well.
Additional lists such as sports and/or sport teams, common web-sites, and numbers as words (million , thousand, etc) were also used. This is based off patterns noticed in corporate environments.
Since the contrived password hashes are from a fake company located in Las Vegas, it is assumed that many passwords are based on the local city name which is very common in corporate environments. Any local addresses, slang, vernacular, regions, roads, landmarks, schools, etc should be included in your lists. KoreLogic chose the following terms: KoreLogic, DEFCON, LasVegas, BlackHat, and WhiteHat.
Some "everything" lists were also generated. These are helpful for then the rules themselves actually generate a majority of the passwords. To generate a password such as November$*!, a dictionary that includes all possible 3-character combinations was generated (3EVERYTHING.dic).
Finally, a list of all possible letter combinations was used to simulate some random nonsensical letter combinations. These lists consisted of just combinations such as aaaa aaab aaac aaad .... zzzy zzzz. These were used in 3,4 and 5 letter combinations.
Total List of Dictionaries Used (These will be available to download in the near future)
- 5 Letter Words
- 6 Letter Words
- 7 Letter Words
- 8 Letter Words
- 7 Letter Last Names
- 8 Letter Last Names
- 9 Letter Last Names
- Female Names
- Male Names
- Last Names
- Indian First Names
- 8 Letter List of Places
- 9 Letter List of Places
- List of Colleges
- Common Domain Names/WebSites
- Months (Mostly Current Months - July/August)
- Top 1000 Passwords from the "Rock You" List
- Common English Words
- Cities/Places/Rivers/States/Regions
- Days of the week
- Sports Teams / List of Sports
- Numbers as Words (One / Million / Hundred)
- Seasons
- All 3-letter combinations (aaa, aab to zzz)
- All 4-letter combinations (aaaa, aaab to zzzz)
- All 5-letter combinations (aaaaa, aaaab to zzzzz)
- Current City (Las Vegas / Vegas)
- Current Themes - KoreLogic / Defcon / BlackHat / WhiteHat / Facebook
Rules:
KoreLogic used a variety of custom rules to generate the passwords.
To obtain full descriptions (and download) these rules for your own
private use,
click on the following link.
KoreLogic has been building this rule set after analyzing almost 3 million passwords from large corporate environments. Each rule set is meant to match all possible patterns for each type. For example, "KoreLogicRulesAppend4Num" appends all possible 4 number combinations to the end of a string. Previous John the Ripper rules will only try a small subset of these patterns. This is a deficiency in the rule set, and needed to be fixed to guarantee that entire ranges were tested. This is a superior technique over just trusting the default rules to do that work for you.
Some of these rules are meant to be used with the wordlists listed above. While others are more useful with small wordlists of 2-4 characters that contain all type-able characters (letters, numbers, specials).
- KoreLogicRulesAppend4Num
- KoreLogicRulesAddDotCom
- KoreLogicRulesAdd1234_Everywhere
- KoreLogicRulesAdd2010Everywhere
- KoreLogicRulesAddShortMonthsEverywhere
- KoreLogicRulesAppend1_AddSpecialEverywhere
- KoreLogicRulesAppend2Letters
- KoreLogicRulesAppend4NumSpecial
- KoreLogicRulesAppendCap
- KoreLogicRulesAppendJustNumbers
- KoreLogicRulesAppendJustSpecials
- KoreLogicRulesAppendJustSpecials3Times
- KoreLogicRulesAppendMonthCurrentYear
- KoreLogicRulesAppendMonthDay
- KoreLogicRulesAppendNum_AddSpecialEverywhere
- KoreLogicRulesAppendNumbers_and_Specials_Simple
- KoreLogicRulesAppendNumbers_or_Specials_PrependLetter
- KoreLogicRulesAppendNumNum_AddSpecialEverywhere
- KoreLogicRulesAppendNumNumNum_AddSpecialEverywhere
- KoreLogicRulesAppendSpecial4num
- KoreLogicRulesAppendSpecialLowerLower
- KoreLogicRulesAppendSpecialNumberNumber
- KoreLogicRulesAppendSpecialNumberNumberNumber
- KoreLogicRulesAppendYears_AddSpecialEverywhere
- KoreLogicRulesMonthsFullPreface
- KoreLogicRulesPrepend4LetterMonths
- KoreLogicRulesPrependAndAppendSpecial
- KoreLogicRulesPrependDaysWeek
- KoreLogicRulesPrependJustSpecials
- KoreLogicRulesPrependNumberNumberAppendSpecial
- KoreLogicRulesPrependNumNum
- KoreLogicRulesPrependNumNum_AppendNumSpecial
- KoreLogicRulesPrependNumNumNum
- KoreLogicRulesPrependNumNumNumNum
- KoreLogicRulesPrependNumNumSpecial
- KoreLogicRulesPrependSpecialAppendNumbersNumberNumber
- KoreLogicRulesPrependSpecialSpecial
- KoreLogicRulesPrependSpecialSpecialAppendNumber
- KoreLogicRulesPrependSpecialSpecialAppendNumbersNumber
- KoreLogicRulesReplaceLetters
- KoreLogicRulesAppendCurrentYearSpecial
- KoreLogicRulesPrependNumNumAppendSpecial
Other Patterns:
The following patterns were also used to create more advanced passwords. Some of these patterns can be cracked using the supplied wordlists and rules, while others cannot. Many of the administrative passwords came from the following categories.
- Keyboard Based Patterns (--external:keyboard) Example: qwe123qwe asdf1234
- Words that are not in large public LM rainbow tables
- Random Password from Password generators
- 10-12 character passwords, taken from a list of sports - replace the first 3 letters of each sport with a random 5-character string.
- Hand-chosen passwords based on Month/Year (0ug2010ust 0ugu2010st 1ugu2010$t 2010M0rch J2010u1y M20107rch etc).
- UNIX file references ( /etc/passwd /etc/shadow )
- Passwords designed to break/confuse passwords tools/scripts (existance of : and ??????? , "NO PASSWORD" , < notfound > )
- Random Oracle references - OracleOracle Oracle<>1 Oracle2009
- 3 Characters - then 6 numbers - xyz345678 ajg481759
- 3 letters - then '2010' then a special character - abc2010!
- Capital letter - 3 lower case letters - 4 numbers) [A-Z][a-z]{3}[0-9]{4} - Bigq8174
- 4 letters - recent year - Gaqi2009 Lasv1996
- Capital Letter - Capital Letter - 'vegas' - special character - ZZvegas!
- Capital Letter - 3 lower case letters - 4 numbers - Yelp1234
- dev/prod/test - string added to a variety of each words/unix references/DEFCON references - Examples: Prodttys devftping uattelnet
Random Passwords:
- 5 character random passwords
- 6 character random passwords
- 7 character random passwords
- 8 character random passwords
- 8 character random passwords from 'pwgen'
- 8 character random passwords - with a Capital letter, lowercase letter, a number, and a special.
- 9 character random passwords - with a Capital letter, lowercase letter, a number, and a special.
- 8 character random passwords - with Upper and lower case letters - and numbers (no specials)