                Fixer's Observances on Password Cracking
                     (C) 2000 - All Rights Reserved
                   v1.0 - Probably far from complete.


                            Opening Remarks

As a lot of old-timer readers of this article may know, for 12 years I
was the sysop of THC BBS in 250.  In its heyday, THC had several
thousand members with a cross-section not unlike that of a typical
dialup ISP today.  So it stands to reason that I have seen a *lot* of
passwords used in real life by many different real people.  And after
all these years, with all the awareness there is out there in computer
magazines, TV news articles, warnings on online services, ISPs, and even
my own BBS, it still amazes me how stupid and predictable most people
are when it comes to choosing a password.

Since password cracking (and hacking overall) can be thought of as a
game of wits, it's no wonder penetration is so easy - most of your
potential opponents are completely unarmed.


                            Common Passwords

The movie "Hackers" actually had it half-right when it came to password
cracking.  Oh sure, they boiled it down to "the four most common
passwords are LOVE, SEX, SECRET and GOD".  Personally I think Lorraine
Bracco's character should have been fired on the spot for using GOD as a
password, but then there wouldn't have been a movie.

But I digress.

There is a group of several hundred common words that will get you
into a good percentage (between 20 and 40 percent, based on experience)
of accounts.  If you don't care whose account you get into (say you're
going to fakemail someone or launch an exploit) then it stands to reason
that a relatively short wordlist plugged into an automated dictionary
hacker will come up with a valid account after a very few tries, and may
possibly turn up dozens or hundreds of accounts if allowed to churn on
indefinitely (which is not likely in this day and age).

In these supposedly security conscious times, the days of unprotected,
unshadowed go-ahead-and-download-me unix passwd files are long gone.  Any
one-day newbie already knows that much.  So I sometimes have trouble
understanding why every week I see a new "ultimate" wordlist with
millions more words than last week.  Unless you have the passwd file on
your local machine, and a supercomputer to perform the actual crack, it
is very unlikely that throwing the Encyclopaedia Britannica at an
account is going to get you very far before you are noticed.  In fact,
most password guessing you are going to be doing today will be online,
against the actual login prompt (or equivalent handshake if the password
is part of a network protocol, like Windows File Sharing for example) of
the system you are trying to penetrate.  Obviously you want to keep your
logfile presence to a minimum, and if you're smart you're not hacking
from home anyway so you likely don't have very much time to begin with.
This is why you want to reduce, not increase, the size of your
dictionary.

What are the common passwords?  Well, the "Hackers" passwords are all on
the list, of course, but words related to them should be on it too.
Words related to love and romance, female first names, words related to
sexuality, and perversions of the word God (like Ghod, gh0d, godly,
godlike, godhead, jesus, heaven, etc) should all be part of your
"abridged" dictionary file.  The "whole male ego thing" talked about in
"Hackers" really does exist in the real world and should be considered
in your password file: macho, studly, kickass, irule, and so on.  There
are a lot more, and I have included a list later on in this article.

If you are lucky enough to be hacking a Unix system with an unshadowed
/etc/passwd file (or if you have successfully deployed an exploit that
gave up the shadowed file to you) then you are in great luck indeed,
especially if it is a large system with many accounts.  With a common
passwords list you will get quite a few accounts, and with a full
dictionary file you will get many more.  As you exhaust all your word
lists, you will see patterns emerging - passwords that you may not have
thought very common but that turn up several times.  These are passwords
that are common in the real world (as opposed to lists that people like
me pull out of our asses) and should be at the very beginning of any
common-passwords list. In fact, the best possible common-passwords list
is one that is made up of passwords that have already been hacked from
other systems, sorted in descending order of frequency.  If you run that
list, you will get the most passwords in the least time, every time.

If you have the programming skills, write a program that looks for
duplicates and multiples of the same encrypted password - the same
encrypted password on multiple accounts means the same plaintext
password on those accounts.  Which is good because if you crack one you
have the password for the others, and need not waste time attacking
them.
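The duplicate-hash check described above is the same check an administrator
can run to audit a system for shared credentials.  The following is an added
example written for this copy of the article, not code from the author; the
shadow-style records and the hash strings in it are constructed placeholders
and the account names are made up.  One caveat worth knowing before you run
it: two accounts produce the same hash string only when both the salt and the
password are identical.  Modern crypt(3) formats pick a random salt per
account, so identical hashes there usually mean the entries were cloned from
a template or imported from unsalted storage, which is a finding in itself.

```python
import re
from collections import defaultdict

# Constructed sample shadow-style records (user:hash:lastchg:...).  The hash
# values are placeholders; only equality between the hash fields matters here.
SAMPLE_SHADOW = """\
root:$6$saltA$HASHAAAAAAAAAAAAAAAA:18000:0:99999:7:::
alice:$6$saltB$HASHBBBBBBBBBBBBBBBB:18000:0:99999:7:::
bob:$6$saltA$HASHAAAAAAAAAAAAAAAA:18000:0:99999:7:::
carol:*:18000:0:99999:7:::
dave:!!:18000:0:99999:7:::
erin:$6$saltB$HASHBBBBBBBBBBBBBBBB:18000:0:99999:7:::
frank:$6$saltC$HASHCCCCCCCCCCCCCCCC:18000:0:99999:7:::
"""

# Field values that mean "no usable password hash" (locked or passwordless).
NO_HASH = {"*", "!", "!!", "x", ""}


def parse_shadow(text):
    """Return {user: hash} for entries that carry a real hash; skip locked ones."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, pw_hash = fields[0], fields[1]
        if pw_hash in NO_HASH or pw_hash.startswith(("!", "*")):
            continue
        hashes[user] = pw_hash
    return hashes


def find_shared_hashes(hashes):
    """Group accounts by identical hash string; keep only groups of two or more."""
    by_hash = defaultdict(list)
    for user, h in hashes.items():
        by_hash[h].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def salt_of(pw_hash):
    """Salt of a crypt(3) hash: "$id$salt$hash" modular format, else the
    first two characters of a classic DES crypt string."""
    m = re.match(r"^\$[^$]+\$([^$]+)\$", pw_hash)
    return m.group(1) if m else pw_hash[:2]


if __name__ == "__main__":
    shared = find_shared_hashes(parse_shadow(SAMPLE_SHADOW))
    for h, users in shared.items():
        print(f"salt {salt_of(h)!r} reused by {', '.join(users)}")
```

Run against a real file, every group it reports is a set of accounts that
share one password: one of them falling is all of them falling, so those are
the accounts to reset first.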

I will include a suggested common password list at the end of this
article.


             Custom Word Lists for Specific Target Accounts

If you have a specific target account in mind, a common password list is
not very likely to crack it.  You might get lucky but chances are you
won't.  Instead, you need to find out as much as you can about the
person.  If it is someone you know then this shouldn't be hard.  If not,
then there are other sources.  Ask friends, read their newsgroup
postings, see if they have any personal information on their website -
there is always a way to find out someone's personal interests, what's
important to them.  There is a very good chance that that person's
password is a word with personal significance to him.  Once you have
accumulated a fairly complete (as far as you can tell) picture of your
target's personal life, you can create a dictionary file just for his
account that is far more likely to succeed.

Start with his username.  That's a very old slipup that still occurs in
about one in 100 accounts.  Add his first, middle, and last name and
several permutations - for example, if his name is John Thomas Smith,
add jsmith, jtsmith, johntsmith, jts and others.  If you know the names
of his wife or girlfriend, mother or father, children etc, add those.
The name of the kids' school may be a hit too.  Names of pets and pet
names for family members should be high on the list.

Then add the names (first and last) of people in his work life - his
boss, co-workers, especially any members of his preferred sex that you
think he may potentially have unrequited (or illicit) feelings for, etc.
If he is in a position where he has to have a phony mindset all day, for
example a commission salesman, add words from the motivational training
he is likely to have received - words like success and excited.  The
local real estate sales trade association's dialup database used to be
protected with words like SUCCESS and EXCELLENCE - they were very easy
to hack.  Just think of the brainwashing and corporate delusion that
salesmen endure themselves and additional words for your dictionary will
start coming to mind.  If he's not a successful salesman, words he fears
may help - quota, haggler, commission and so on.  Use the same general
line of thought I have outlined here for other lines of work - if he's
an engineer, pick engineering terms in his field.  If he's a pencil
pusher, try accounting terms.  You get the idea.  Add numbers that
relate to his work - his union local, his desk phone number, his
employee number, his terminal ID, and so on.

If your target is a student, then the same idea applies as for work,
because school is a full-time student's real job anyway.  Add words from
the subjects he takes, instructors, school buildings, names of
classmates who are attractive members of his preferred sex, etc.

Next, add words from his personal interests - get detailed, because if
he draws a word from his hobbies and interests it's as likely to be
something obscure and erudite as not.  If (for example) he's into
windsurfing, include the names and manufacturers of sailboards and
parts, the names of tournaments and champions, and so on.  If he's a
Star Trek fan, add the names of characters from all four series and the
movies, plus miscellaneous Trek words like klingon, tribble, qapla,
phaser, vulcan, and so on.  You could probably come up with a huge star
trek wordlist but it's worth it as Trekkies seem to draw passwords from
Star Trek more than any other interest group does from theirs.  A
hardcore trekkie might even use a "common" password translated into
Klingon, Vulcan etc.!

Next, add words related to the computer equipment he uses at work and at
home - in haste to think of a password quickly, and lacking imagination,
he may have chosen a password that is painted right on his computer or
monitor (e.g. compaq, ast, packardbell, sony and so on).  In the early
days of my BBS I knew for certain that one user used a Commodore 64 - his
password was IADORE from the TV commercials ("I adore my 64...").  I
used to have a Packard Bell Force 3570 PC but you will never be able to
hack any of my accounts using those words because I am just a little
smarter than that.  Most users aren't.

Then add words related to the system you are trying to penetrate - if
it's a porno site you should add names of the actors pictured on the
site, obscene and sex-related words, and so on.  And keep in mind that
your target on a sex site is probably trying to keep the fact that he
uses that site to himself - add words like dirtysecret and alibi to your
list.  On the same subject, some people think no one else would think of
using an obscenity as a password - they should think again!  Add as many
permutations of George Carlin's seven dirty words as you can think of to
your list, if they're not already in your "common words list" - they
should be!

If your target speaks languages other than English - especially if he is
a student learning a language or someone whose first language is not
English - then as many words in that person's field of interest in that
language as you can think of should be added.

Finally, add words from his basic personal makeup - his favourite foods,
authors, books, musicians.  If he's religious you should consider
getting a biblical wordlist and tacking the whole thing on.  Find out
what radio station he listens to and find out what they're playing - add
artist and album names from that playlist to your wordlist (e.g. a
country music fan might use garth, reba, trisha or dixiechicks as
passwords, not to mention any one of hundreds of others).  Find out what
TV shows he watches faithfully every week and add character names from
those shows.  And add his social security number to the list, as well as
just the last four and first three digits.  Add his license plate.  Add
his year of birth and birthdate in several formats (e.g. 1951, 51/12/25,
511225, 122551, 12-25-51 etc).  If the person was born or grew up in a
different town than the one in which he lives, the name of that town and
some surrounding areas and geographical features would be good to add to
the list.

One important thing to consider when making a wordlist for a target is
how long he has had that account - if he created his account ten years
ago he may have picked his infant daughter's baby nickname as a password,
but now that she's 10 or 11 and the name hasn't been used in years, it
may still be used as a password.  Yes, some people really do keep the
same password for that long.

By the way, try to be a little discreet when you're profiling a password
target.  If you are discovered or suspected, they will at the least
assume you are up to no good.  When that happens, the password could be
changed, or you could be accused of stalking, or worse!  So use your
head.

Go through the list and see if there are any permutations that might
work, especially in proper names.  If the system you are trying to get
into has case sensitive passwords, then only after you have run your
custom password list in all-lower-case without success should you
consider permuting cases (e.g. johnsmith might be permuted to
JohnSmith, Johnsmith, etc).

When you're done, if you've really done your homework, you should have a
few hundred password candidates.  If not, you probably need to dig for
more information about your target.  If you have a large number of
words - say, a few thousand - the adage "more is better" only questionably
applies here.  Remember, the more passwords you try the longer it takes
and the more obvious your attack is in the system logs.  So if your list
is huge, I would suggest prioritizing the words by likelihood (as
described above) and then making a "short list" of 200 to 300 words to try
first.  If that fails, only then should you try again with the remainder
of the list.  If THAT fails then try a common passwords list.  And if
THAT fails, then either the target has a secure password that you're
never going to blindly guess, or perhaps you have overlooked a word with
significance to him.  In that case assume the latter (that you missed
something) and start looking for more words, and try again when you
have, say, a few dozen (or whatever you can come up with; there are no
rules on this).  If you still have no luck and you've puzzled over
possible passwords until your brain hurts, then you're going to have to
try a different method - social engineering, data interception, shoulder
surfing, logon spoofing or some other method.

Now decide which order to try the passwords in.  You want to try the
most likely ones first.  Get an idea of how strongly your target feels
about the interests you are building your password list from.  If your
target eats, sleeps and breathes windsurfing but is only a once-a-week
christian, obviously you should place the windsurfing terms ahead of the
religious ones in the list, in order to try the most likely passwords
first.  If your target has 43 pictures of family members on his desk at
work and a website about his children, then family names, especially his
kids, should be at the very beginning of the list.  Try to get into his
head!


                            Ready to Attack!

Once you've got your target's password list ready, DON'T just fire up
your web/telnet/ftp hacking program at home!  Almost all systems log
failed password attempts with your IP address.  Instead, get an account
on a free ISP with falsified information and go to a payphone or a
public access internet terminal (hopefully one with an accessible floppy
drive so you can run your hacking program) and do your hacking from
there.  Using a payphone would be unnecessarily slow and painful if you
had to use an acoustic coupler modem so find one of those nice new
payphones with a "Data Jack".  If you must hack from home, at least use
an account which does not belong to you, or a proxy service, or both,
and realize that your ISP may have Caller ID and you are still taking a
risk no matter what other precautions you take.  My first rule of
hacking is "Don't shit in your own sandbox" and how that applies here
should be obvious.

What software should you use?  Well, it can be argued that a real hacker
writes his own scanners, password guessers and so on, but others insist
that real hackers despise having to "reinvent the wheel" and will use
existing tools if they are available and suitable.  Both sides are right,
unfortunately, so it's not for me to tell you which way to go.

If you're going to write your own, congratulations, you're going to end
up with the best software possible for you, because you will be able to
give it exactly the functionality you need without the bells, whistles
and ego of other hacker-written programs.

However, if you're looking for off the shelf password hackers, I can
suggest a few titles.  All of these are available on the Hackers 2000
CD-ROM set and most are also available from numerous sites on the Web.

FTP Hacking:
 - CrackFTP (Windows)

Email Account Hacking:
 - POPCrack (MS-DOS)
 - POPCrack (Unix)

Dialup Login Prompt Hacking:
 - THC Login Hacker

Unix /etc/passwd Hacking:
 - Cracker Jack (MS-DOS)
 - Hades (MS-DOS)
 - John the Ripper (Unix/Windows)
 - SlimJim (MS-DOS)
 - Killer Cracker (MS-DOS/Unix)


                      A Suggested Common Wordlist

Here are over 500 words that I think are really good candidates for
common passwords.  This list is made up of keyboard sequences ("FRED" is
a keyboard diamond and an obscenely common password!), number sequences,
obscenities and sex terms, Star Trek references (a perennially popular
subject among nerdy and not-so-nerdy computer users), words that involve
access and entry, words from the movies Hackers, Sneakers, WarGames and
The Matrix, computer equipment names, college subjects, the male ego,
accounting terms, chess, and so on. I've seen many of these used as
passwords in the real world.  I'm sure you could think of a lot more.

Don't forget to add to this list one kind of password I cannot include:
Words from current events, current movies etc.  A couple of years ago
"Monica" and "Lewinsky" might have been common passwords but not so
much today.  Watch the news, check out the entertainment pages, and add
any names or places you see getting repeated so much that they make you
sick - when that happens to people such words are liable to be the first
to pop into mind when prompted for a new password.


123 1234 12345 123456 2600 69 6969 8472 90125 90210 abyss access
accounting accounts acer acidburn activate address admin admiral agent
agentsmith alfred algebra alpha always amazon anarchy android anime
apple apu asdfg asdfgh asmodeus asshole assimilate ast astronomy athlon attack
auction auctions bajor bajoran banana banzai bart bashir beelzebub beer
belanna ben benjamin beverly biguns bishop blackadder blowjob bones
bonsai bookstore borg brilliant budweiser burns byers cable cablemodem
calculus captain cardassia cardassian celeron cellular cerberus chakotay chang
charon checkin checkmate checkout chekov chess christmas clinton clockin
cocaine compaq compsci computer connect console cookie coors cowboy cpu
cracker crackers crash crazy creative crunch crusher crypto csc cube
cumshot cunt curry daewoo daily data dax daytek deanna death deepthroat
defcon delta demigod denied destiny devil dewercs dildo director
directory doctor dominion door doorbell doorknob doors doorway dreamcast
dropout drugs ds9 dsnine duke duke3d earth easter ebay ecstasy engineer
engineering enpassant ensign enterprise entrance entry erotic erotica
ethan ethanhunt europa extasy falken final fischer flyinhi foobar
founder founders fred freddie freddy freekevin friday fried frohicke
frontier fubar fuck fucked fucker g-spot gambit gamma gandalf ganymede
garak gates gateway geac general genius geordi gh0d ghod gibson global
god godlike godly gotcha gspot guest hack hackem hacker hackme
hackerproof hackers hacking hackthis hades handjob hell hentai hirojin
holodeck holodoc hologram holosuite holyshit homer honey hooter hooters
hunt ib6ub9 ibm illegal iloveyou imac imin impossible imsai imzadi
ingenue ingress inkjet inner innercircle insert insertion inside
intercourse inversion invert iris isis itsme jadzia janeway jemhadar
jimphelps julian jupiter justme kamikaze kang karpov kasparov kathryn
kennedy kerberos kermit kernal kernel kes kevin keyboard khan killer
killers kilo kim king kira kirk klingon knight kronos kryten laforge
lager langly laser ledger legal letmein lightman lister login logon love
lucifer lunar lunatic lust luther mac macintosh magic marijuana mars
massive master math matrix mccoy melissa mensa mercury merlin michelob
microsoft miles mimas mission mitnick mitosis modem monday monitor
monthly monty morpheus motorola mouse mulder n64 natasha ncc1701
nebuchadnezzar neelix neo neptune nerys netscape neuman nicole ninja
nintendo nixon nucleus oberon obrien odo ojsimpson omnipoint open orange
orgasm osmosis override paris passant password pawn peaches penetrate pentium
phaser phelps phoebe phone photon physics picard pilsner piss pissant
plague playstation pluto polgar porno poseidon positron power powerbook powermac poweruser
printer process prodigy punchin punchout punisher python quadrant quake
quark queen qwert qwerty rabbit random reddwarf reveal revelation riker
rimjob romance romulan romulus ronin rook root samurai sanctum satan
saturn schlong science scotty screw screwed scully secret secrets
sector secure security sesame setec setecastronomy seven sex shit
shuttle simpson sisko sixtynine skinner skull slam slurp slurpee
smithers sneaker sneakers software solar sony soong spassky species
spider spiders spock stalemate stoned strawberry stud student studmuffin
sucker sugar sulu sundevil superman superstud superuser support synoptic
system technician terayon textbook thermonuclear timebomb timex titan
tng topgun torpedo torres tos transporter trekkie trekkies tribble
tribbles trinity triton troi tunein turnon tuvok ub6ib9 ubermench uhura
unix unlikely unlock uranus validate venus verify verizon vindaloo virus
vorta voyager vulcan waco weds weekly weird wesley windows wireless
wizard wopr worf work workspace worm wormhole wyse xfiles xinu xtc yahoo
yar youwish zero zerobug zerocool zxcvb zxcvbn

Here are some insanely easy to type numeric keypad diamonds, sometimes
used by lazy users.  In particular, I have seen 5632 used not only as a
password, but as an arm/disarm code for an alarm system and as a long
distance company's backdoor outdial password.  One of my ex-bosses even
used it as the combination to an electronic safe!  All were "thought up"
by different people who had never met.  Try these if the target you are
hacking happens to be a voicemail account or other audio/telephone
system.

1245 4578 2356 5689 1254 2365 4587 5698 6532 9865 8754 5421 1452 2563
4785 5896 2145 3256 5478 6589 4521 5632 8965 7854 12369874 14789632
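The common-word list and the keypad diamonds above, the username and name
permutations from the "Custom Word Lists" section (jsmith, jtsmith,
johntsmith, jts for John Thomas Smith), and the case-permutation and
digits-appended habits the article describes are all things a system can
refuse at the moment a password is chosen.  The checker below is an added
example for this copy of the article, not the author's code and not any
particular system's password-quality module.  It carries a constructed
excerpt of the word list (the full list is printed above); the thresholds,
the keyboard-row table and the reason strings are this example's own
choices.  It compares case-insensitively, so a user cannot sneak JohnSmith
past a filter that would have rejected johnsmith.

```python
import re

# Constructed excerpt of the article's common-password list above.
COMMON_PASSWORDS = {
    "password", "letmein", "secret", "love", "sex", "god", "qwerty", "asdfgh",
    "123456", "12345", "1234", "fred", "hackme", "iloveyou", "enterprise",
    "picard", "klingon", "spock", "success", "excellence", "2600", "90210",
}
# Excerpt of the numeric keypad diamonds listed above.
KEYPAD_PATTERNS = {"1245", "4578", "2356", "5689", "5632", "12369874", "14789632"}
# Keyboard rows used to spot runs like qwer or asdf (this example's own table).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def name_permutations(first, middle, last):
    """Username-style permutations of a real name, after the article's
    John Thomas Smith example (jsmith, jtsmith, johntsmith, jts, ...)."""
    f, m, l = first.lower(), (middle or "").lower(), last.lower()
    mi = m[:1]
    cands = {f, l, f + l, l + f, f[0] + l, f + l[0],
             f[0] + mi + l, f + mi + l, f[0] + mi + l[0]}
    return {c for c in cands if len(c) >= 3}


def is_keyboard_run(s, min_len=4):
    """True if s contains min_len adjacent keys of one row, in either direction."""
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    for i in range(len(s) - min_len + 1):
        window = s[i:i + min_len]
        if any(window in row for row in rows):
            return True
    return False


def check_password(candidate, username, first="", middle="", last=""):
    """Return the list of reasons a candidate is refused; empty means accepted."""
    lc = candidate.lower()  # case permutations are not a defence, so ignore case
    reasons = []
    if len(candidate) < 8:
        reasons.append("too short")
    if lc in COMMON_PASSWORDS:
        reasons.append("common password")
    else:
        base = re.sub(r"\d+$", "", lc)  # beetle213 -> beetle
        if base and base in COMMON_PASSWORDS:
            reasons.append("common password with digits appended")
    if lc in KEYPAD_PATTERNS or (lc.isdigit() and is_keyboard_run(lc)):
        reasons.append("keypad or numeric sequence")
    elif is_keyboard_run(lc):
        reasons.append("keyboard sequence")
    u = username.lower()
    if u and (u in lc or lc in u):
        reasons.append("contains username")
    if first and last:
        if any(p in lc for p in name_permutations(first, middle, last)):
            reasons.append("derived from name")
    return reasons


if __name__ == "__main__":
    for pw in ["JohnSmith", "Qwerty123", "5632", "asphalt$teacup", "X62ERM41"]:
        print(pw, "->", check_password(pw, "jsmith", "John", "Thomas", "Smith") or "ok")
```

Of the article's closing examples, "beetle213" style passwords fall to the
digits-appended check when the base word is on the list, while
"asphalt$teacup" and "X62ERM41" pass, which is the behaviour a filter built
from this article should have.  In production the excerpt set would be
replaced by the full list plus the breach-derived frequency lists the
article recommends, loaded from a file.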


                            Closing Remarks

I certainly hope that, if nothing else, this article has taught you how
to secure your own passwords.  A secure password is one that a hacker,
even one intimately familiar with you, could not guess and could not
extract from a dictionary.  Some online services have different
approaches to password security - they use pass-phrases (such as
"ThisIsAPassPhrase"), passwords with numbers appended (such as
"beetle213"), unrelated words strung together with a special character
(the Compuserve approach, like "asphalt$teacup") and of course,
completely (apparently) random sequences of numbers and letters (e.g.
"X62ERM41").  This last kind is the most secure possible as there is no
way to guess it, but passwords like that are exceedingly hard to
remember, so targets will either change passwords like that to
less-secure ones or will make the fatal mistake of writing them down.
If your target's password totally eludes you, see if it's possible to
get access to his desk just long enough to see if that 16-digit
alphanumeric nightmare of a password might be written on a bit of paper
in the drawer...

And as always, be careful!  Keep a low profile, stay anonymous and above
all stay true to the hackers' ethic - your freedom and your karma depend
on it!

 -=( Fixer )=-

ps. All the tools and wordlists mentioned in this article are available
on the Hackers 2000 CD-ROM.  www.artofhacking.com

