Re: wordlists for Ncrack

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 28 Jul 2009 18:08:23 -0600
David Fifield <david () bamsoftware com> wrote:

> On Tue, Jul 28, 2009 at 11:49:14PM +0000, Brandon Enright wrote:
> > I've included the top 500 passwords.  Even the 500th in this list
> > appeared 18 times.
>
> What's up with these?
>
> > 8945b4cb1bfb8cb5c95c137fc60ed9a0:VQsaBLPzLa
> > 8508725598abd34b53d5fc59531131f3:a00131949
>
> Those are the only ones I saw that didn't look like obvious passwords.
> They both get Google results, especially VQsaBLPzLa. My guesses are:
> they came from a random password generator seeded with the same seed,
> or they are just random passwords used repeatedly by some bot.

Forum spammers.  They register lots of accounts with the same
password.  There are a number of hashes that have high frequencies that
I haven't cracked yet.  When I look at the users that have that hash in
the table, they are obviously spam users.

> This is strange too (they were adjacent in your list):
>
> > 28c8edde3d61a0411511d3b1866f0636:c4ca4238a0b923820dcc509a6f75849b
> > c4ca4238a0b923820dcc509a6f75849b:1
>
> Do people calculate the MD5 sum of the password they were going to
> use, and then use that for a password? Or did phpBB hash it twice for
> some reason?

I don't know, in looking at the MySQL table it looks like it is some
sort of special, internal phpbb thing.

The hashes were retrieved with "egrep -o '[[:xdigit:]]{32}'" so
anything that even looked like a hash was pulled out and cracked.  I
did go through the list with a few regexes to remove the obvious
non-hash stuff.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkpvlq4ACgkQqaGPzAsl94JsNQCfbipPNK84cvW/bczUb5/R0LGy
GysAn1go7vwYLmbPh7Oz2a/FnefiIYCw
=ibAU
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org