illmob.org

Breaking all the Password Managers?

August 13th, 2017 by admin in cracking, Life, News, Password Info

“Elcomsoft Distributed Password Recovery 3.40 now supports four major password manager apps including 1Password, KeePass, LastPass and Dashlane. The tool allows experts attacking a single master password and gaining access to the content of the encrypted vault, exposing any passwords, authentication credentials and other sensitive information (identity documents, credit card data etc.)”

The debate is on going about the legitimacy of the article many saying ElmcomSoft is spreading FUD and cheesy marketing. Open source project, Hashcat, has supported cracking of all the those password managers listed except Dashlane for a while now. The length of time to crack said password managers, if you are using a long enough password or passphrase, would make cracking not feasible. Especially a program such KeePass, the key transformation iteration count would greatly effect the speed of brute force attack.

In the comments of their article one of the developers of 1Password had this to say:

It would still take a number of months/days/years to crack most password managers, the use of password managers can increase overall security by relieving users from having to memorize a number of passwords. So keep on using yours as long as you have a good password/passphrase, keep your computer updated, and dont click shit, you shouldn’t be too worried anytime soon.

Password Cracking speedup using Ordered Markov Chains

February 25th, 2017 by admin in cracking

Based off this paper resulted in increased cracking accuracy by 22.5% from John the ripper’s Markov and incremental model created a tool that wass flexible enough to perform n-gram and markov chains based password generation using a cracked password list. It works because a large number of users use some part of their email or username or any other detail in their password and if we can first check passwords that start with n grams containing usernames portions, user emails portions etc, then we can intuitively speed up the accuracy and the experiments proved this intuition right. Another reason for increased accuracy was using a training word list from the same category as that of website i.e adult/relationship websites. These two factors were the main cause of the increase in accuracy.

source: http://fsecurify.com/using-ordered-markov-chains-and-user-information-to-speed-up-password-cracking/

data: https://github.com/faizann24/Using-Ordered-Markov-Chains-and-User-Information-to-Speed-up-Password-Cracking

Linkedin Top 50 Leaked Passwords

May 19th, 2016 by admin in cracking, Life, Password Info

Earlier this week passwords that were jacked from LinkedIn from 2012 were offered for sale online. What initially thought to be a theft of 6.5 million passwords has actually turned out to be a breach of 117 million passwords. The cache of stolen accounts were hashed with the recently deprecated SHA-1 algorithm. leakedsource.com was able to get their hands on the dump the passwords weren’t salted and easily cracked. Below are their results.

Rank Password Frequency
1 123456 753,305
2 linkedin 172,523
3 password 144,458
4 123456789 94,314
5 12345678 63,769
6 111111 57,210
7 1234567 49,652
8 sunshine 39,118
9 qwerty 37,538
10 654321 33,854
11 000000 32,490
12 password1 30,981
13 abc123 30,398
14 charlie 28,049
15 linked 25,334
16 maggie 23,892
17 michael 23,075
18 666666 22,888
19 princess 22,122
20 123123 21,826
21 iloveyou 20,251
22 1234567890 19,575
23 Linkedin1 19,441
24 daniel 19,184
25 bailey 18,805
26 welcome 18,504
27 buster 18,395
28 Passw0rd 18,208
29 baseball 17,858
30 shadow 17,781
31 121212 17,134
32 hannah 17,040
33 monkey 16,958
34 thomas 16,789
35 summer 16,652
36 george 16,620
37 harley 16,275
38 222222 16,165
39 jessica 16,088
40 ginger 16,040
41 michelle 16,024
42 abcdef 15,938
43 sophie 15,884
44 jordan 15,839
45 freedom 15,793
46 555555 15,664
47 tigger 15,658
48 joshua 15,628
49 pepper 15,610

FBI Be All Like…

February 20th, 2016 by admin in cracking, Life

fbi-iphone

25 Most Popular Passwords of 2015

January 19th, 2016 by admin in cracking, Life

Every year, SplashData complies a list of the millions of stolen passwords made public throughout the last twelve months, then sorts them in order of popularity. This year the results, based on a total of over 2 million leaked passwords, are not the list of random alpha-numeric characters you might hope for. Rather, they’re a lesson in exactly how not to choose a password.
(more…)

Hashcat Now Open Source

December 4th, 2015 by admin in cracking

hashcat3

hashcat and oclHashcat have gone open source. Creator atom, posted on his forum earlier today, that he decided to finally open the source code to developers under the MIT license. He hopes to expand the tool to support new algorithms, native OSX support, and the ultimate reason to decide to go open source was the implementation of the bitsliced DES GPU kernels. Check out the code at: https://github.com/hashcat/

The top 100 passwords on Ashley Madison

September 16th, 2015 by admin in cracking, Life

Accounts exposed in the hack of Ashley Madison, had passwords that were just as weak as the rest of the internet, according to research group, CynoSure Prime, that cracked the encryption on 11.7 million of them. The top three: 123456, 12345, and password.

Here are the top 100 most common passwords found:

(more…)

Lastpass breached

June 16th, 2015 by admin in cracking, Password Info


Lastpass team discovered suspicious activity on their network 6/12. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses. Although they harden your authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, you should change your password and add some multifactor authentication to be on the safe side.

Despite the rigor of the LastPass hashing regimen, the job of cracking a single hash belonging to a specific, targeted individual would be considerably less difficult and potentially within the ability of determined attackers, especially if the underlying password is weak. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash.

If you are using an easily guessed dictionary based password as described by Errata Security you should change your password. Although on a NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash using the password algorithm:
PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)

rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // what’s stored in the auth db

85,100 Forbidden Dropbox Passwords

June 8th, 2015 by admin in cracking

Jerod Brennen was messing around with opening the dropbox mobile app and stumbled across a javascript file that checked a user’s signup password. Inside was a file called pw.html, which had a line inside the javascript that had 85100 passwords that users were forbidden to use when signing up. It was part of an old project that Dropbox had integrated into their app called zxcvbn (You can test it live ::HERE::). Apparently WordPress also has the JavaScript library into their code too.

They had based most of the passwords on a study by Mark Burnett from 2005 and 2012 that compiled the 500 and 10000 most common passwords which we covered a few years back. The handy password cracking list is available on Jerod’s site for download ::HERE::

PixieWPS – router WPS passwords in seconds

May 4th, 2015 by admin in cracking, Wireless

pixiedust
Pixiewps is a tool used for offline brute forcing of WPS pins. It dramatically speeds up the WPS brute force attack time from what was taking up to 12 hours to a a few seconds by exploiting the low or non-existing entropy of some wireless access points. It’s based on the pixie dust attack, discovered by Dominique Bongard (slides and video). Notes on how to install it are in the video below, if you are using Kali Linux then just apt-get update && apt-get upgrade.

Next Article »