10, 9, 8, 7, 6, 5, 4, 3, 2, 1. And, yes, AV guy, we are starting now. So hi, everybody. I am Evil Mog. This is Password Cracking Methods. This talk was born out of my getting tired of ranting on how to crack passwords on IRC, and so I figured let's get some actual real captive audiences, because why not. I don't have a bio slide because I'm not that vain anymore, but I am a member of Team Hashcat. I crack stuff for X-Force, and I theoretically work for IBM until they see this talk and they fire me. But, you know, hey, that's all right.

On that, let's get straight into what this is. So when people talk about hashes and password cracking, first we need to talk about the basics. So what are hashes and KDFs? Hashes and key derivation functions are one-way. So that means, in theory, you should not be able to take things. If I hash something, I should be able to reverse it easily. They're deterministic: you hash something one way and you get the same result running it through the same hash function every time. Ideally. Arbitrary input should produce fixed output. So what this means is, if I go hash something of, say, I don't know, 400 characters long with MD5, it's going to put out 32 bits, or 32 characters of hex, every time. It's not going to change. So this means automatically hashes are noisy. They're also collision resistant in theory, although not really anymore. When I say collision resistant, who here knows what a collision is? A couple of you. Those that don't: a collision is, say, I take CypherCon and then I take EvilMog, I run them through the hash function, and they should not come out with the same result. So that makes these things ideal for passwords. So these are some important things to understand about hashes. Also, the cool part about hashes is a significantly random output should result from a small change of input. Or, put a different way, if I take password1 and password12, the hashes should look completely different due to the avalanche effect.
So that makes this, you know, from a mathematical perspective, in theory hard to reverse. Hashes are used in the generation of keys. They're used to identify changes and differences between inputs. So like your GitHub, for example: SHA-1 you can use for determining here's the output of a commit. And they're also used to secure data in a verifiable but irreversible way, aka password hashes. So these are our basic bits for those who understand hashes.

So we're getting some concepts here. So if you look at MD5, we were talking about this avalanche effect earlier. So MD5 of password, it'll look like 5F, D, C, C, C, whatever. Notice how it's way different from MD5 of password1. So we need to find out what this 2C103 piece is. So all password cracking is doing is basically generating dumb guesses, running them through a hash function and checking the output. It's like a checking guess, what have you. For those of you in the back, feel free to sit. We've got lots of room up front. Don't worry about Hayden in the back. He won't offend anybody. So the point of this whole thing is we're going to find out what password it is, right? So we hash password. We hash password1. We hash Password123! with a capital. It matches our random question mark. Bingo, hash cracked. Congratulations, you're a hash cracker. This is the absolute basics of hashcat.

The other important thing to understand is hashcat is absolutely stupid in the hands of an unskilled operator. It does exactly what you tell it to. The reason why I'm mentioning this is, in the old days of hashcat, we didn't have all these funky modes. It was just a straight combine-the-left-and-the-right-side. So on that note, we get back to some psychology before I get into the actual cracking pieces. So who here thinks people make good passwords? That's the result I expected. Who here thinks people can make unique things? Probably not. I can't think of crap. I'm not remembering 400 passwords.
You're not remembering 400 passwords. So all my passwords will be the same rough common format. And by the way, I know your parents have been telling you you're beautiful unique snowflakes. None of you are. You all think exactly the same when it comes to password generation. Most people think of, like, the most common password is season in the year, because that's just the way things happen. Also, humans are notoriously bad at listening to instructions. Like, even as hackers, we put up millions of signs and you get the same million questions up at registration. We think the rules don't apply to us. The whole point of this is people are the weakest link. If you understand how people generate passwords, you can crack them. People choose common patterns. They reuse passwords. How many here use the same password on all your sites? Shame on you. Don't you have a password manager? I'm kidding. I'm not going to shame people here. The other thing is people iterate on old passwords. So say I've got the super secure password of cyphercon2025. What's my password in 2026? Exactly. I might add an exclamation mark on it if I'm feeling spicy, but that's about it.

So, important things on standard psychology. There's a concept called stemming. So you take the password of password123! There are good stems in there of pass, password and word. There's chunking. So that's taking portions of the password. So password123 becomes password and 123. So what kind of patterns do we see in this? We see password, we see 123! That turns into a hashcat mask of digit, digit, digit, digit, digit, question mark. Or we convert birthdays, phone numbers into common patterns. These are the things password crackers are really actually looking for. Forget the fancy tools. The secret to winning Crack Me If You Can every year is the old Mark 1 brain. If you can see things in a pattern, you can probably turn that into an attack technique.
So we'll take a new word, for example, and we'll add 123 to the end. We'll add 2340, et cetera, et cetera. Now, the counterpart to this is the heat death of the universe. None of us are immortal, and some of these crack jobs will last longer than you and I will ever live or my hash rig will ever run. And this keyspace goes up. So basically hash cracking is like playing Battleship with an infinite keyspace. So eight characters, okay, it's doable. As you increase the character count, the keyspace goes up. Now, sure, we are cracking 18-character passwords, but we're not doing it by brute force. We're doing it purely because people use really crappy patterns. A significantly random password with high entropy generated by a machine at 12 or 14 characters is more than sufficient to outlast the entire universe, assuming there's no major break in the cryptographic algorithm. And you're not using NTLM. Which, by the way, NTLM is really just MD4 with UTF-16 character encoding.

Anyway, so common hash types you're going to see: good old-fashioned LanMan. It's DES based. You can brute force that with a laptop in about an hour, give or take. The NT hash, which is basically just MD4. You'll see that in Windows; it's mode 1000. There are the DES-based attacks in NTLM version 1, version 2, the various Kerberos. These are common things you look for as a Windows pen tester, but they're not really relevant to the rest of this talk. It's more as info for the rest of you. Do we have a lot of Windows pen testers in the house? No, maybe a few. All right.

So the important attacks we're going to talk about here: brute force. So the nice part of brute force is you're guaranteed to hit a crack. It's going to take forever. It's highly inefficient, theoretically perfect, but a massive keyspace. So what do we do instead of brute force? We use masks. So what you can do is, who here knows the 3-of-4 rule?
The 3-of-4 rule, which most corporate places implement, is you have to have an uppercase, a lowercase, a special, or a digit, or any three combinations of those four. This actually reduces the keyspace you have to attack. Because if I rule out all the all-lowercase, or all the all-uppercase, or all the ones that don't meet that password rule, I can generate a series of masks that will give me a far reduced keyspace. Now, I'm not saying get rid of that rule, because that rule is highly effective, because, A, users don't listen to instructions, but it's one of those trade-offs in security, in that, technically, it does reduce the keyspace we need to attack. And so, instead of spending all the time on an eight-character attack, I can reduce that in the Windows world to roughly two-thirds, give or take, given what you take out. The other cool part is you do Markov. So instead of going from, you know, AA to AB, C, et cetera, we'll try the most common passwords first. And hashcat has that built in. So that's an important part about, you know, doing mask attacks. So where this comes into is, we will try, there's a whole series of masks called the PathWell masks, that are basically the most common mask patterns used in corporate up to about 14 characters. So we'll go and show you how to actually use this methodology later, but this is more theory for how we crack passwords.

The important one I love is Combinator. So a bit of a history lesson. Back in the day, hashcat did not have a brute force or a dictionary input method. At all. They didn't get that until hashcat-plus. Back in the day, you had a left side, and you had a right side. And you crammed them together. Left to the right until they had a match. And so that's what we can now call Combinator. And so the only way to actually do an attack with that is we use the technique called fingerprint, which I'll get into next with the expander.
So this is actually highly effective, because on your left side I could have, say, password, 123456, changeme, etc. On the right, I could have 123, 777, ABC, word, the rest of it. And that creates candidates like password123, password777, passwordABC, etc. The keyspace is simply the candidates on the left, times the candidates on the right, times the number of unique salts. And this is actually what we'll use for a lot more Active Directory attacks. So people asked me earlier what my favorite wordlist was. I said it was rockyou, but I actually kind of lied. It's not really rockyou per se. It's rockyou run through expander, which I'll show you next. And then you apply it to a left and a right side on Combinator, and it's far more effective than rockyou on its own against a corporate Active Directory attack set.

So we also have hybrid. This one's really fun. So say you crack a bunch of hashes. Okay, I get the plaintext out. I have the left side being a wordlist. I have the right side being a mask. So say I've got, like, password, 123456, letmein, changeme. On the right side I've got just ?d?d?d, which means try all the digits. That gives me password123, 234, 333, etc. So if you take known cracked passwords and then run them through things like expander, or even just on their own, and do hybrid on the left and the right side, you get more cracks. So the keyspace on this is number of candidates on the left, times keyspace of the mask, times number of unique salts, and lather, rinse, repeat. Also, I apologize, my voice is dying, hence the water breaks.

So, expander. God, I love this tool, for the record. So we'll take a string, and I apologize for the blatant advertising. So we have X-Force; split that into chunks. So we have X, XF, XFOR, XFORC, etc. You rotate all the chunks to the left, so it's up against 4CX, etc. I'm not going to pronounce all the rest of it. It repeats for every chunk.
You scramble those together into a giant wordlist, and then you run that through combinator on the left and the right sides. That leads to an attack we call fingerprint. So, remember I said hashcat only had one mode? That is now called mode A1. So your left side and your right side of the wordlist, you basically combine them together. So purehate, Martin Bos, aka Can't Computer Now, invented this technique, where you basically take an expander and we apply that to a wordlist, and then we combine the left and the right side.

So in order to actually execute this, the first thing you do is you compile expander. Now there's a trick that we don't tell you about. Expander, by default, caps out at four characters in the hashcat-utils. Go open the C file, find four, replace it with eight. Recompile. I know it's real simple, but do you know when people don't actually recompile the hashcat-utils or change the source code values? You can tweak them infinitely. And that's the secret to unlocking all the magic. It's kind of like a clue switch.

So, you take your wordlist. You run it through cut. Notice this is assuming you're going straight from a potfile, so we'll cut on the colon delimiter. We use -f2-. This is important for one very simple reason. Most people stop their cut on the first colon. If there's a colon in the password, you're going to miss the rest of it. Also, if you want to mess with the password cracker, put colons in your passwords. Commas, because they'll mess with the CSVs. Or make your password dollar sign, left bracket, sorry, $HEX[ with a bunch of hex and a right bracket. It will mess with every single hash cracker known to mankind. Yes, I'm a professional troll. How can you tell? Anyways, so you pull this out of the hash file. You pipe it through expander.bin. You pipe it through sort -u. And you create a candidate .exp file. Now, from here, you run hashcat. So, we're going to hashcat.bin.
We're on mode 1000, which is NTLM. We're going to specify the hash file we're cracking. This is mode A1; the left side's going to be can.exp, the right side's can.exp. Then you go back and you repeat. We call this the expander grind. You run this about 20 times when you're doing an Active Directory assessment. And then you move on to the next basic technique. Because those keep getting hashes to pop out of this. So, if you're participating in Crack the Con in the street division, this works heavily. Hint, hint.

So, the next one is a lost art. Because the guy who wrote this, Rance by Chort, his website disappeared. Go figure. He wrote it in 2012. It magically went bye-bye. So, this little script is a gold mine. What it does is cutb will take password chunks out of the middle of a password, starting from the left, starting from the right. And it will basically do something similar to expander, but not quite. So, this little script will just go from the left to the right, and everything in between. Combine those together, and then sort unique it, and then you'll put this in a can.cutb file. And by the way, all these will be on my GitHub, which I'll put near the end if you want to copy the scripts. They probably did some tweaking, but, you know, ChatGPT wrote half the code. Actually, no, I wrote it, which is worse. So, yeah, you make your bash script, you prep your wordlist, you run the bash script on your wordlist, run hashcat, then what you'll do is you'll run the A6 hybrid mode. So you take the output from cutb, you tell it all the characters of ?a, so all possible character sets. The -i in here is actually using incremental mode. So, if you look at line 5, you go hashcat.bin, mode 1000, -i means increment, there's hash file 1000, the hashes you're attacking, mode A6, the can.cutb file you prepared, then ?a?a?a?a.
What increment means is it starts with one ?a, then two ?as, three ?as, and four ?as. Now, a problem with this: if you use distributed systems like Hashtopolis, or Hashview is another one, hashcat does not support skip and limit when you're using increment. So you've got to manually split your hash list out when you're doing this. So this only works with a massive GPU, which now we're all going to cloud with tiny ones, so here be dragons. The A7 means the ?a is on the left, the cutb is on the right, and you just repeat the step a couple of times until hashes stop pouring out.

So, not to be outdone, atom, the original author of hashcat, the king of everything, wrote a tool called PRINCE, which is probably "probability chain infinite" something or other, also known as princeprocessor. So what you do is you download it. Now PRINCE works off entropy, which is fantastic for us, so what you do is you'll shuffle the rockyou list, and every time you shuffle it and run it through PRINCE, you get new candidates. So we'll shuffle rockyou, we'll pipe it into princeprocessor after you compile it, make sure you compile it, and we'll pipe it into hashcat. We'll specify mode 1000, we'll attack NTLM, we'll use the dictionary mode, we'll tell it our hash list, and then we'll generate 100,000 random rules. Why 100,000 random rules? Because I'm lazy and I'm not creative. We'll specify debug mode 4, and we'll tell it a debug file. We'll wait, collect some cracks, you know, give it 20 minutes, an hour, however long you feel like waiting, you know, go for a beer, go to bed, I don't really care, just, you know, come back to it eventually. Now what we're going to do is we're going to take a look at that debug file. We're going to take out everything left of the first colon from debug.log, sort it, put it to a candidate list. What that means is take all the pre-initial candidates that cracked, sort of reuse those for something else.
Then we're going to grab the modified rule. So when you use a rule, a rule modifies a word. So, like, say I have w0rd, or the word w-o-r-d; I might have a rule that replaces all the o's with zeros, as an example. So we're basically going to be modifying words. So we collect all the random rules we generated, and we're going to put those also in a debug file, along with the modified rules, or words. Then all we're going to do is run hashcat with the candidates that we copied out of the debug, and the rules we randomly generated, and all of a sudden you have a whole bunch of cracks that you didn't have to think about. It's like the cheat mode. I once did Crack the Con with nothing but this, a GTX 1080, and a repeat bash script, and I went to grab beer, and I came in, like, fifth.

So I have a bunch of scripts that I wrote that automate this whole process. I call it Fingercut. I combine the cutb with the expander system. Yes, this QR code is not phishing. If you are taking pictures, it goes to my GitHub. I swear to God, I will not phish you. I'm not paid enough for that. Take your pictures while I grab my water. All right.

So on that, here is the super secret sauce, why you are all here at my talk. So grab a tool like CeWL, crunch, or wordsmith. These are all tools to generate a wordlist on your target. You can run Purple Rain, rockyou, or another relevant dictionary, like princeprocessor, shuffle, debug mode, do some basic general cracking. Extract the rules and candidates from debug mode. That's what we call raking. You run hashcat based on the results of step three. Cool. Extract all the candidates. Then all we're going to do is run expander and cutb on those candidates, and we're going to rinse and repeat this for about 20 times. Once you've done that, you run hybrid mode A6 and A7 on your candidates, same deal. Repeat that multiple times. Once you've done that, go back to step seven, repeat it again.
Extract the candidates, run those through Purple Rain, start back at step five, run the captured rules and candidates, run the remaining large dictionaries, and then restart back at the beginning. If you follow this methodology, you can do this almost on autopilot with an LLM running it for you and not have to think. And this will actually win you contests, if you have enough GPUs. This is the patented Evil Mogum lazy secret technique. Feel free to take pictures. And that is it for the actual presentation, in a whopping 21 minutes, which means you guys can ask as many questions as you want for the

I suck at slow hashes. I'm only good at fast hashes because I'm lazy. So that's a good question.

How about if it locks you out, or a two-factor? Hash cracking is inherently offline versus online hashing. So I'm not talking to a login server. I have dumped the Active Directory domain list, or I've got access to the hashes in a raw form. There's no network traffic, so that is irrelevant. None of this technique works even remotely on online hashing.

Absolutely. The question was, can I go back to the slide with the QR code? Fingercut. This also has a bunch of other random Evil Mog hash cracking scripts. I kind of update it whenever I get bored. Some of them are good. Some of them are terrible. Some of them work. Some don't. No warranties. Don't sue me. Any more random questions? Cool. And yes, I was on Darknet Diaries. Yes, I do get involved in other shenanigans. Yes, I do win Hacker Jeopardy. Any other question for me is completely fair game.

How does this change for Wi-Fi? Wi-Fi is heavily salted. However, this is a fun one. Who knew that MSCHAPv2 hashes in an EAP environment are NTLM version 1 under the hood. It's really DES based. Fun fact: if you can get an NTLM hash to an environment that runs MSCHAPv2, you can authenticate to the wireless network with just the hash and not the actual password, due to the hash equivalencies in that particular format.
So MSCHAPv2 is very fun.

So the question was, do you know the history of rockyou? Honestly, I have no idea. All I know is one day it showed up and we started using it and it was effective. It was the first major real cleartext credential breach, because they weren't encrypting their passwords. I can't for the life of me remember. Also, I'm not a fan of the new updated Rocktastic and all the other various integrations that aim to be, like, a 50 gig wordlist. The optimal wordlist size is about 100 to 200 megs. One gig's kind of pushing it. Anything higher than that is just either full of junk, email addresses, or people just inflating their numbers. Any other questions?

So the question is, what's my average crack percentage? Honestly, it depends on the environment. Most modern Fortune 100s tend to be a little better than most. However, I do a lot of small-medium business, small enterprise, and my average, if you discount machine hashes, is about 60%. 60 to 70 over the course of three days.

So the question is, who are the biggest offenders? Honestly, everybody is terrible. The only ones that are not, believe it or not, are porn companies. They tend to actually have their stuff wired tight.

So the question is, when it comes to a password policy of 15 characters or more, do I do something different? Honestly, if they're 15 characters or more, I'm doing a lot of Combinator. But realistically, I'm very opportunistic. Most companies, if they deploy that, they have problems with user resets more than anything else. And so people start taking two eight-character passwords and cramming them together with, like, an exclamation mark in between. So if you do a long password policy, give your employees a password manager, or else they're going to find ways around it.

The question is, how relevant are rainbow tables? The answer is complicated. Depends on the hash type. For NTLM version 1, they're not anymore, due to various techniques like salting, etc.
They're highly effective for LanMan still, and that's really about it. The reason why LanMan was important is, back in the day, Windows used to store both the LanMan and the NTLM hash. So you crack the LanMan hashes and use those to go crack the NTLM, because LanMan was only stored in uppercase. That's the only real reason why they're important. Generally, they are slow and expensive compared to using GPUs. Anyone else? Yeah, in the back there.

I love this question. So here's the fun part about NIST. The question was, with people applying NIST saying there are no rotations, etc. required: that guidance only applies if a number of other conditions are met, including the ability for automatic detection of breach issues. There's a whole list of things in there that Windows doesn't actually satisfy. So environments say we don't have this due to NIST. Active Directory and NIST don't actually go hand in hand. Now, in other applications, absolutely. In a pure Entra environment, absolutely. Legacy AD on-prem, I'm sorry, Microsoft, because I've had this chat with Steve Syfuhs from Microsoft, Routine Lead. He agrees with me. If you're on baseline, legacy Active Directory, don't use the NIST standards. And the reason for this is in Windows, passwords are hash equivalent. So what that means is if somebody has a domain controller hash, or a Kerberos ticket hash, or anything else, they can authenticate even without the password. An Active Directory domain controller is 128 characters long for its password, and it changes monthly. Trust passwords are about as long. If you've had a domain admin leave, if you've had a backup admin leave, if you've ever lost a backup tape, you need to rotate all your secrets anyways. So rotating secrets, especially if you get to a size of, say, a Fortune 100, or you've got 100,000 employees: you're not going to be able to keep on top of that, so you have to keep the rotation up.
Now, if you're heavily salted and you have other techniques to stop the hash equivalency, yeah, fine, apply NIST, but NIST does not apply to AD. Okay.

So the question is, what am I using for my crack station? Cloud. Because I work for IBM, we have our own cloud, and I have access to a giant pile of GPUs on demand. So I used to spend a lot of money on buying GPUs and building systems. Here's the thing: a massive cracking monster requires heat, it requires cooling, it requires care and feeding, it requires being raised like a pet. My GPUs are treated like cattle. I bring them up when I need to run them, they run for just as long as the crack job, and I shoot them when they misbehave. Any other questions?

The question is, with all these kinds of attacks, am I ever running this through Hashcat Brain? Hashcat Brain can't keep up when you're running four terahash per second of crack rate on NTLM. For things like bcrypt, absolutely, or slower hashes. But for AD, when I've got more horsepower than brains and this AI agent, I can spin up an entire data center and spin it back down again. I'm just going to throw hashes at it and make hashcat go brr. Anybody else? I'm out of time. Apparently I'm out of time, so thank you all for coming and listening to my rant.
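The candidate mechanics the talk walks through (cutting a potfile on the first colon only, expander-style chunking, the combinator and hybrid keyspace arithmetic, and the guess/hash/compare loop of one "expander grind" round), as an added Python example that is not from the talk, from Fingercut, or from hashcat-utils. It assumes MD5 in place of NTLM so it runs on any Python build, uses constructed potfile lines and targets, and its `expand` is a simplified reading of what expander does rather than a byte-for-byte port of expander.c.

```python
"""Added example (not the talk's own code, not hashcat-utils): the candidate
mechanics behind the "expander grind" in Python.  MD5 stands in for NTLM so it
runs everywhere; all potfile lines and targets below are constructed."""
import hashlib
from itertools import product

# hashcat built-in charset sizes (?l ?u ?d ?s ?a ?b)
MASK_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}

def plaintexts_from_potfile(lines):
    """hash:plain -> plain, splitting on the FIRST colon only (cut -d: -f2-),
    so a plaintext that itself contains colons is kept whole."""
    return [ln.rstrip("\n").split(":", 1)[1] for ln in lines if ":" in ln]

def expand(word, len_max=4):
    """Every left rotation of the word, cut into prefixes of 1..len_max chars.
    Simplified take on the idea behind hashcat-utils expander (assumption: not
    byte-for-byte the same output); 4 is the cap the talk says to raise to 8."""
    chunks = set()
    for r in range(len(word)):
        rotated = word[r:] + word[:r]
        for n in range(1, min(len_max, len(word)) + 1):
            chunks.add(rotated[:n])
    return chunks

def expand_wordlist(words, len_max=4):
    """expander.bin | sort -u"""
    chunks = set()
    for w in words:
        chunks |= expand(w, len_max)
    return sorted(chunks)

def combinator_keyspace(left, right, salts=1):
    """-a 1: left candidates x right candidates x unique salts."""
    return len(left) * len(right) * salts

def mask_keyspace(mask, increment=False):
    """Keyspace of a mask like '?d?d?d'; increment=True mirrors -i, summing
    the mask at every length from 1 up to the full mask."""
    running, total = 1, 0
    for c in mask.split("?"):
        if c:
            running *= MASK_CHARSETS[c]
            total += running
    return total if increment else running

def hybrid_keyspace(words, mask, salts=1):
    """-a 6 / -a 7: wordlist size x mask keyspace x unique salts."""
    return len(words) * mask_keyspace(mask) * salts

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def combinator_attack(targets, left, right, hashfn):
    """The whole game: glue left+right, hash it, compare.  Returns {hash: plain}."""
    targets, cracked = set(targets), {}
    for lhs, rhs in product(left, right):
        candidate = lhs + rhs
        digest = hashfn(candidate)
        if digest in targets:
            cracked[digest] = candidate
    return cracked

def expander_grind_round():
    """One round: potfile -> cut -> expander (cap raised to 8) -> -a 1 with the
    same list on both sides, against constructed not-yet-cracked targets."""
    potfile = [  # constructed potfile lines; only the first hash is a real md5
        "5f4dcc3b5aa765d61d8327deb882cf99:password",
        "00000000000000000000000000000001:Winter2025!",
        "00000000000000000000000000000002:p@ss:w0rd",  # colon in the plaintext
        "00000000000000000000000000000003:changeme",
    ]
    can_exp = expand_wordlist(plaintexts_from_potfile(potfile), len_max=8)
    targets = [md5hex("Winter2025"), md5hex("changeme20"), md5hex("nomatch")]
    return can_exp, combinator_attack(targets, can_exp, can_exp, md5hex)

if __name__ == "__main__":
    can_exp, cracked = expander_grind_round()
    print(len(can_exp), "chunks;", combinator_keyspace(can_exp, can_exp), "candidates")
    print(cracked)  # the two iterated passwords fall out; "nomatch" does not
```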