Wednesday, June 6, 2012

Cracking the 3.5 Million Password Hashes That Were Redacted

The release of millions of SHA1 hashes from linkedin.com has the internet all buzzing today... but then comes the news that 3.5 million of them have the first 5 characters redacted and replaced with 00000.
Well, if we don't have the entire hash we can't crack them... Oh wait, we still have the remaining 36 characters to do a comparison against.
So let's try this:
First, let's get just the hashes that start with the 00000. Looks like there are 3,521,180.


Now, for each line in our word list (WORDS.txt) let's calculate the SHA1 hash, chop off the first 5 characters, and compare that to our hashes list. If the partial hash is there, echo the password to the screen.
For those that can't see that, the command is:
while IFS= read -r i ; do grep -q "$(printf '%s' "$i" | sha1sum | cut -b6-40)" SHA1-0s.txt && echo "$i" ; done < WORDS.txt



And boom, there are thousands of passwords scrolling down the screen.
Enjoy.
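
The same partial-hash comparison, turned around to check a single password of your own against the dump. This is an added example, not part of the original post: the `leak_status` helper and the sample passwords are made up for illustration, and it assumes coreutils `sha1sum`.

```shell
#!/bin/sh
# Added example: check one password against a dump that mixes full SHA1
# hashes with entries whose first 5 hex digits were replaced by 00000.

# Unsalted SHA1 of a string as 40 lowercase hex digits (needs coreutils sha1sum).
sha1_hex() { printf '%s' "$1" | sha1sum | cut -c1-40; }

# leak_status PASSWORD DUMPFILE -> prints full | masked | absent
leak_status() {
    hash=$(sha1_hex "$1")
    tail35=$(printf '%s' "$hash" | cut -c6-40)   # the 35 digits left after masking
    # Normalise the dump: drop CRs from Windows line endings, lowercase the hex.
    if tr -d '\r' < "$2" | tr 'A-F' 'a-f' | grep -qxF "$hash"; then
        echo full
    elif tr -d '\r' < "$2" | tr 'A-F' 'a-f' | grep -qxF "00000$tail35"; then
        echo masked
    else
        echo absent
    fi
}

# Constructed sample dump (hypothetical passwords, hashes computed here):
# one full entry, then one masked entry in upper case with a CRLF ending.
make_sample_dump() {
    sha1_hex 'constructed-example-1' > "$1"
    printf '00000%s\r\n' \
        "$(sha1_hex 'constructed-example-2' | cut -c6-40 | tr 'a-f' 'A-F')" >> "$1"
}

dump=$(mktemp)
make_sample_dump "$dump"
for pw in 'constructed-example-1' 'constructed-example-2' 'not-in-the-dump'; do
    printf '%s: %s\n' "$pw" "$(leak_status "$pw" "$dump")"
done
rm -f "$dump"
```

A `masked` result means only the last 35 hex digits matched, which is the comparison the one-liner above relies on.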

7 comments:

  1. Nice one! Ignoring (or rather wildcarding) the first couple of chars in a sha1 significantly raises collision probability, doesn't it? I wonder if you ran the script with a mangled WORDS.txt file or even a different dictionary, would you get different results for the same hashes :)

    1. It certainly raises collision probability, but I'm not sure how significant it is. You still have 36 bytes of the hash... 1e4c9b93f3f0682250b6cf8331b7ee68fd8 is still a decent hash. :) Especially for our purposes, a 1 out of a billion collision doesn't really matter.
      The dictionary I used is just a bunch of passwords I've cracked from some of the other public breaches. It's just 144,456 uniques... and was really just to show the concept. You'd do much better with a good dictionary like the g0tmilk list, and with some mangling added.

      ***Also, I wrote this post within a few hours of the hashes being released. They have since released a custom version of hashcat that has an added option (-m 150) that will crack the redacted hashes.
