Nmap Development mailing list archives

Re: wordlists for Ncrack


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Wed, 29 Jul 2009 02:34:26 +0300

Brandon Enright wrote:
On Tue, 28 Jul 2009 21:14:10 +0200
Sebastien Raveau <sebastien.raveau () epita fr> wrote:

On Tue, 28 Jul, 2009 at 16:30:10 +0400, Solar Designer
<solar_at_openwall.com> wrote:
Obviously, most of these wordlists are too large to be used with
Ncrack.
If your wordlists are too large, what does that make my 58,427,177-word
list? :-P
http://blog.sebastien.raveau.name/2009/03/cracking-passwords-with-wikipedia.html

Comparing the size of one's cracking dictionary is a digital pissing
contest.

A more important measure of a dictionary is not its size but its
relative cracking efficiency.  Increasing the size runs into
diminishing returns.

If you are doing offline, unsalted list cracking then bigger is
better.  If you have limited cracking resources you need to use your time
efficiently.  John's wordlist is an exercise in efficiency rather than
completeness.

Exactly. Ncrack lists need to be efficient rather than just lengthy. We are
talking about network cracking here.


Agreed, it is a bit too "raw" at the moment (I'll work on that), but it
has already proven its usefulness:
http://reusablesec.blogspot.com/2009/04/ok-some-actual-results.html so
I thought I should mention it here as it might interest some of you in
general, if not for using it with Ncrack :-)

Indeed, I've had a lot of success compiling similar word lists.  I too
used Wikipedia (EN only) as a starting point.

One of the better sources I've compiled from is the 14,000 wikis
hosted by Wikia:

http://wikistats.wikia.com/dbdumps/dbdumps.html

This includes wikis like Star Wars, Star Trek, World of Warcraft, etc.

Also, speaking of Matt Weir's blog (which is great overall on the
topic of password cracking) he just released a passphrase dictionary:
http://reusablesec.blogspot.com/2009/07/pass-phrase-input-dictionary.html

Matt has done some good work.  He is giving a talk at DEFCON on his
phpbb cracking efforts that I'm looking forward to.

That would definitely be interesting. I hope DEFCON is going to upload the
streaming videos of the talks soon enough, for those who won't be able to attend.


Back to password lists for Nmap, Nmap/Ncrack can't ship a 10GB password
list, not even a 100MB list.  We need to ship an efficient list.  With
that in mind, I too have been working on cracking the phpbb passwords.
Of the 189766 unsalted MD5 hashes, I've cracked 176620.  That's 93% ;-)

http://noh.ucsd.edu/~bmenrigh/phpbb/

I've posted the cracked passwords as well as a count of the
hashes sorted by frequency.  A little real-world data is a good thing.
I'd suggest that we cherry-pick the top 100-500 passwords from this
list to augment the list that we end up shipping.

That's probably a nice source to use for some passwords. The question is: how
would you choose the top 100-500 passwords? By doing a quick parse of
your list, the only passwords with a frequency of more than 1 were "frag",
"life" and, who would guess, "phpbb", but that's only 3. We can see, however, that a
lot of them start with the string "php", and the combinations from that are a
lot. We could use that part of the list as the specialized http-specific
password list for Ncrack. As I said earlier, Ncrack is going to ship with a
default list with a golden ratio between size and being as generic as possible,
and some service-specific lists for more specialized cracking sessions. Of
course, more than one list could exist for one service. For example, we could
have a phpbb-related list that would apply more to forums and another one that
would apply to web server basic/digest-auth protected areas. Both of them would
be related to the http service.


I've been ridiculously busy lately but at some point this summer I hope
to publish detailed analysis of my cracking efforts and some metrics on
the passwords cracked so far.  I put a lot of engineering time into this
cracking.  Don't steal my thunder by doing analysis
using my cracked list.

I am looking forward to your analysis.


Brandon


-- ithilgore
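The selection problem discussed above (ranking a cracked `hash:password` list by plaintext frequency, keeping only entries seen more than once, and pulling out the "php"-prefixed cluster as a service-specific sub-list), as an added example that is not part of the thread or of Ncrack; the sample lines and placeholder hashes are constructed here, not taken from the phpbb dump. The same frequency table is what a defender feeds into a banned-password check.

```python
from collections import Counter
from typing import Iterable, List

# Constructed sample in the "hash:password" layout of a cracked-list file.
# The hashes are placeholders, not real phpbb hashes.
SAMPLE_CRACKED = """\
0001:phpbb
0002:frag
0003:life
0004:phpbb
0005:php123
0006:phpforum
0007:phpbb
0008:frag
0009:dragon
0010:life
"""


def password_frequencies(lines: Iterable[str]) -> Counter:
    """Count how often each cracked plaintext occurs (one hash:password per line)."""
    counts: Counter = Counter()
    for line in lines:
        line = line.rstrip("\n")
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        _, _, password = line.partition(":")  # password may itself contain ':'
        counts[password] += 1
    return counts


def top_passwords(counts: Counter, n: int, min_freq: int = 2) -> List[str]:
    """Top-n passwords seen at least min_freq times, most frequent first.

    Ties are broken alphabetically so the output is deterministic.
    """
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [pw for pw, c in ranked if c >= min_freq][:n]


def prefix_group(counts: Counter, prefix: str) -> List[str]:
    """Distinct passwords sharing a prefix (e.g. 'php'), for a service-specific list."""
    return sorted(pw for pw in counts if pw.startswith(prefix))


if __name__ == "__main__":
    freq = password_frequencies(SAMPLE_CRACKED.splitlines())
    print("top:", top_passwords(freq, 500))      # only entries with frequency > 1
    print("php-cluster:", prefix_group(freq, "php"))
```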

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org