A common issue faced by people who want to learn password cracking is finding target hashes to use. When our clients want to start auditing passwords, it can be difficult to get buy-in from leadership to start downloading user passwords from domain controllers for educational purposes. For this exercise, we leaned on the excellent work of Troy Hunt and his Pwned Passwords database: "Pwned Passwords are 517,238,891 real world passwords previously exposed in data breaches."
Five hundred million passwords is a little excessive for getting started with password cracking, so we broke the file into chunks of 20,000 lines. This is a realistic size for an Active Directory database.
This creates several thousand files prefixed with "hashes-". hashes-aa holds the top 20,000 (or the worst 20,000) passwords in the database. These are likely to be cracked with little trouble, which will be helpful as you start working with john, as it will allow you to see the success of the various cracking modes. We chose to keep hashes-aa and hashes-zzamhr (the last file, or most unique passwords in the database) and deleted all the others to limit clutter.
A couple of notes on the john command line above. We manually specified the hash type with "--format=NT", and we then used a POT file specific to this session with "--pot=./pwned.pot". The POT file is where john stores passwords that it has already cracked for display with the "--show" command. The "--fork=4" directive tells john to split the work over four CPU cores, and of course "--incremental" specifies the cracking mode.
Incremental mode will run forever, or until every password is cracked. You could compare this mode to making popcorn. When the passwords stop scrolling, and there start to be pauses between the pops, you hit Ctrl-C to exit john. You can then use the "--show" directive to view the results.
The number of passwords cracked will depend on the hardware you use and the time you let it run. In preparing this guide, we let the incremental run a little over an hour before the pops slowed down to a few per minute. The results were in line with our expectations for the 20,000 worst passwords on the Internet.
The final mode we wanted to use in this session is based on Markov chains. Markov mode uses statistical analysis of similarities between passwords that have already been cracked to guide password guesses for the remaining hashes. This is most useful in organizations where statistical similarities are most relevant, as users may be getting the same tips from the help desk on how to formulate strong passwords, for example. However, passwords tend to be similar across organizations, and this cracking mode should still generate some results from our 20,000 worst passwords list.
The higher the Markov level and the longer the length, the longer this crack will run. In cases where we are onsite and trying to recover passwords quickly, we usually start at a level of 225 or 250 and hope for a quick win. If time isn't a factor and you are aiming for the highest percentage of passwords, then higher levels will get more.
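To make the level/length trade-off concrete, here is a toy Markov model in Python, added as an example and not taken from the post or from john itself. It trains on a constructed list of "already cracked" plaintexts, assigns every candidate a cost (the sum of per-character transition costs), and counts how many candidates fall under a given level and length bound, which is the quantity that makes higher settings run longer. The cost scale (round(-10 * log2(p)), with never-seen characters and transitions treated as impossible) is an assumption chosen for readability; john's stats files have their own format and values.

```python
"""Toy Markov model showing what a Markov 'level' and length bound control.

Added example, not code from the original post or from john. The cost scale
(round(-10 * log2(p)), unseen transitions impossible) is an assumption; john's
stats files use their own format. The training plaintexts are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed "already cracked" plaintexts used as training data.
TRAINING = ["password", "password1", "passw0rd", "summer19", "sunshine",
            "qwerty", "letmein", "welcome1", "princess", "iloveyou"]


def cost_of(p):
    """Integer cost of a probability: cheap when likely, expensive when rare."""
    return round(-10 * math.log2(p))


def train(passwords):
    """Return (first_cost, trans_cost): the cost of each start character and of
    each observed a->b transition. Anything never seen in training is absent,
    i.e. this toy model treats it as impossible."""
    first = Counter(p[0] for p in passwords if p)
    trans = defaultdict(Counter)
    for p in passwords:
        for a, b in zip(p, p[1:]):
            trans[a][b] += 1
    n_first = sum(first.values())
    first_cost = {c: cost_of(n / n_first) for c, n in first.items()}
    trans_cost = {a: {b: cost_of(n / sum(row.values())) for b, n in row.items()}
                  for a, row in trans.items()}
    return first_cost, trans_cost


def cost(password, model):
    """Total cost of a password under the model, or None if it starts with a
    character or contains a transition the model never saw (unreachable)."""
    first_cost, trans_cost = model
    if not password or password[0] not in first_cost:
        return None
    total = first_cost[password[0]]
    for a, b in zip(password, password[1:]):
        step = trans_cost.get(a, {}).get(b)
        if step is None:
            return None
        total += step
    return total


def within_budget(password, model, level, max_len):
    """Would a run with this level and length bound enumerate this password?"""
    c = cost(password, model)
    return c is not None and c <= level and len(password) <= max_len


def keyspace(model, level, max_len):
    """Number of candidate strings of length 1..max_len with cost <= level.
    Dynamic programme over (last character, accumulated cost). This is the
    count that grows with level and length, hence the longer run times."""
    first_cost, trans_cost = model
    chars = set(first_cost) | {b for row in trans_cost.values() for b in row}
    # cur[c][k] = number of strings of the current length ending in c at cost k
    cur = {c: [0] * (level + 1) for c in chars}
    for c, k in first_cost.items():
        if k <= level:
            cur[c][k] += 1
    total = sum(map(sum, cur.values()))
    for _ in range(max_len - 1):
        nxt = {c: [0] * (level + 1) for c in chars}
        for a, row in cur.items():
            for k, n in enumerate(row):
                if n:
                    for b, step in trans_cost.get(a, {}).items():
                        if k + step <= level:
                            nxt[b][k + step] += n
        cur = nxt
        total += sum(map(sum, cur.values()))
    return total


if __name__ == "__main__":
    model = train(TRAINING)
    for pw in ["password", "passw0rd", "qwerty", "pa$$word"]:
        print(f"{pw:10} cost={cost(pw, model)}")
    for level in (50, 100, 150, 200):
        print(f"level {level}: {keyspace(model, level, 10)} candidates up to length 10")
```

Two things the tiny training set makes visible: a password with an unseen transition ("pa$$word") gets no cost at all, so a model trained on one organisation's cracked passwords says nothing about strings that break its patterns; and "passw0rd" comes out cheaper than "password" because the only "0" in training is followed by "r", which is why the post suggests feeding Markov results back into further rounds rather than trusting one pass.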
As you can see here, Markov mode reveals some 10- and 11-character passwords that would not be readily available to wordlist+rules cracking. We have been in situations where passwords found via Markov mode were able to be plugged back in via wordlist+rules and still recovered more passwords. In general, password cracking is a highly iterative process where you build on successful cracks to get more and more passwords.
Over the course of a couple of days, we cracked 19,628 of the top 20,000 most prevalent passwords on the pwned passwords list. Using that same methodology, we cracked 7,211 of the last 18,891. If you are a systems administrator or corporate IT security looking to weed out weak passwords, this methodology should get you started on the right path. If you are new to penetration testing or just looking to add password cracking to your existing toolkit, this should get you comfortable working with password hashes and the iterative process of recovering passwords.
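The counts above come from comparing the hash file against john's pot file. Below is a Python script, added here as an example and not code from the original post, that produces the same kind of audit numbers (crack rate, length distribution, character-class masks, and the hashes still outstanding for the next iteration). It assumes the hash file has one NT hash per line, optionally followed by ":<count>" as in the Pwned Passwords NTLM download, and that the pot file uses john's NT layout "$NT$<hash>:<plaintext>"; all hashes and plaintexts in it are constructed.

```python
"""Turn a john --format=NT session into audit numbers: crack rate, length
distribution and character-class masks of what was recovered.

Added example, not code from the original post. Assumed layouts: hash file
'HASH[:COUNT]' per line, pot file '$NT$<hash>:<plaintext>' per line. Every
hash and plaintext below is constructed.
"""
from collections import Counter
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed hash file (assumed layout HASH:COUNT). The hash values are made
# up and are not the real NT hashes of the plaintexts in POT_FILE.
HASH_FILE = """\
0123456789ABCDEF0123456789ABCDEF:3533661
FEDCBA9876543210FEDCBA9876543210:2000000
00000000000000000000000000000001:1500000
00000000000000000000000000000002:900000
00000000000000000000000000000003:600000
00000000000000000000000000000004:400000
"""

# Constructed pot file in john's NT layout; the last entry belongs to some
# other session and must be ignored when auditing HASH_FILE.
POT_FILE = """\
$NT$0123456789abcdef0123456789abcdef:password
$NT$fedcba9876543210fedcba9876543210:123456
$NT$00000000000000000000000000000001:Summer2019!
$NT$00000000000000000000000000000002:qwerty
$NT$ffffffffffffffffffffffffffffffff:not-in-this-audit
"""


def parse_hashes(text):
    """Return the NT hashes (lower-case) from a hash file, dropping any count."""
    hashes = []
    for line in text.splitlines():
        h = line.split(":", 1)[0].strip()
        if HEX32.match(h):
            hashes.append(h.lower())
    return hashes


def parse_pot(text):
    """Return {hash: plaintext} for the --format=NT entries of a pot file."""
    cracked = {}
    for line in text.splitlines():
        if not line.startswith("$NT$"):
            continue
        h, _, plain = line[4:].partition(":")  # plaintext may itself contain ':'
        if HEX32.match(h):
            cracked[h.lower()] = plain
    return cracked


def mask(plaintext):
    """hashcat-style mask: ?l lower, ?u upper, ?d digit, ?s anything else."""
    out = []
    for ch in plaintext:
        if ch.islower():
            out.append("?l")
        elif ch.isupper():
            out.append("?u")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def summarize(hash_text, pot_text):
    """Audit summary for one hash file against one pot file."""
    hashes = parse_hashes(hash_text)
    pot = parse_pot(pot_text)
    plains = [pot[h] for h in hashes if h in pot]
    total, cracked = len(hashes), len(plains)
    return {
        "total": total,
        "cracked": cracked,
        "percent": round(100.0 * cracked / total, 2) if total else 0.0,
        "lengths": Counter(len(p) for p in plains),
        "masks": Counter(mask(p) for p in plains),
        "uncracked": [h for h in hashes if h not in pot],  # input for the next round
    }


if __name__ == "__main__":
    r = summarize(HASH_FILE, POT_FILE)
    print(f"cracked {r['cracked']} of {r['total']} ({r['percent']}%)")
    for length, n in sorted(r["lengths"].items()):
        print(f"  length {length:2}: {n}")
    for m, n in r["masks"].most_common(5):
        print(f"  {m}: {n}")
    print(f"  {len(r['uncracked'])} hashes left for the next iteration")
```

The "uncracked" list is what you write back out as the hash file for the next pass (wordlist+rules seeded with the new plaintexts, then Markov again), which is the iterative loop the post describes; the mask counts are the quickest way to show leadership what the weak passwords in their environment actually look like without displaying any plaintext.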
But no matter who you are, you may become addicted to password cracking as you try to get more and more passwords. This obsession will undoubtedly lead you to GPU cracking and hashcat, but that is a post for another day.
Before you start cracking, we want to leave you with a couple of precautions. During this exercise, we used publicly disclosed breach data for password recovery and password hashes that were not associated with any user or site, so we did not concern ourselves with securing the hashes. If you are retrieving and auditing live passwords for a real organization, you should always take care to secure the data files. Also, make sure that you have permission to audit passwords before pulling live hashes into your own environment. There are many different methods for accessing passwords in Active Directory environments, but that too is a post for another day.
If I do the same process as you mentioned above for hiding and locking the formula with a password, it doesn't work when I copy the file to another version of Excel. For example, when I create a file in Excel 2016 and copy the file to Excel 2007, it cracked all the passwords itself. What is the possible solution for this problem? Please suggest.