Thursday, May 31, 2012

Using twitter to build password cracking wordlist

This is going to be a quick one. We're going to show how to use twitter to build a word list for cracking passwords.
We'll use John the Ripper, and as a target we'll use the MilitarySingles.com md5 password hashes that were released by the artist formerly known as lulzsec.

First, let's hack out a quick script that will get relevant tweets for us. And yes, I use a lot of tabs. And I know I can do this cleaner... I'm in a get it done quick mood.
(EDIT: thanks to Supercow1127 and TheShadowFog for pointing out better ways to deal with JSON. See jshon, jsawk, etc).
The script will connect to twitter and get 500 tweets for the term supplied, then barf back all the words from those tweets in a list for us. Next we are going to pass the script some words that might be relevant to our target.

After we sort the list out, we're left with 4400 unique words.

Let's try those words against our hashes and see how many of them are used as passwords. We'll use the --rules option so that it mangles up various permutations of each word.

 And here come the passwords.....(scrolled off the screen)

So, from our word list of 4400 words, we yielded 1978 passwords. Let me say that again...
FROM OUR WORD LIST OF 4400 WORDS, WE YIELDED 1978 PASSWORDS!

And that's 1978 uniques. The number of accounts we actually cracked with these 1978 passwords is actually even more than 4400 accounts cause many use the same passwords as each other, and with the mangling rules John tries ~300 mutations of each word in the list (semperfi gives us semperFi, semperfi1, semperfi123, etc).

This is a very small example of what can be done to generate more relevant password lists using twitter/websites/social media to supply you with the related words. Download john, hash your passwords, build a list of words relevant to your organization, and test the security of your passwords. Heck, we haven't even started talking about GPUs and oclhashcat, but we'll leave that for another time.

Until next time, if you're going to hack, hack effectively.



And props to Kevin Young. Thanks for all the lengthy discussions about password security. I truly enjoy picking your brain.