Entries in password (7)

Sunday, May 19, 2013

TekTip ep29 - Collect and track hashes with hashMonitor

In this episode of TekTip we take a look at a new tool I created called hashMonitor. hashMonitor monitors specific Twitter and web resources for database dumps that include MD5, SHA1, or SHA256 hashes. Once found, hashMonitor stores the hashes in a local database which can then be used for cracking purposes.

To learn more about the tool usage and installation go to http://www.tekdefense.com/hashmonitor/

ProTip: hashMonitor + cronjob = Profit!  *Set to run every 30 minutes or so*

Sunday, April 7, 2013

Tektip ep27 - hashCollect.py

With the #OpIsrael stuff going on right now there have been many more password dumps put out than usual. For instance, using Andrew Mohawk's PasteLert web app I get alerted any time there is a pastebin post that includes the hash e10adc3949ba59abbe56e057f20f883e, which is the hash of the most common password: 123456. I set up the alert for this hash because it will catch password dumps regardless of the language. I admit there are some faults, particularly if the site the passwords are dumped from has password requirements that would not allow a password of 123456. The following is a graph that shows the typical number of dumps I see with these parameters:

As you can see, #OpIsrael has caused a significant uptick in the number of password dumps that include the hash for 123456.

My typical process once I get hold of one of these dumps is to download the file, manually pull out the typical header data like the name of the operation and all the propaganda, and then use the cut command to pull out just the hashes. While this isn't too lengthy a process, I am a lazy man. From this laziness comes hashCollect.py.

hashCollect.py is a Python tool I wrote that will scrape MD5 hashes out of a specific file or URL. While the script is pretty bare right now, it gets the job done. I have many plans for it that you will hopefully see soon.

You can download hashCollect along with my other scripts at GitHub.

The help command will show the options:

root@bt:~/workspace/Automater# ./hashCollect.py -h
usage: hashCollect.py [-h] [-u URL] [-f FILE] [-o OUTPUT]
Hash Collector
optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     This option is used to search for hashes on a website
  -f FILE, --file FILE  This option is used to import a file that contains
                        hashes
  -o OUTPUT, --output OUTPUT
                        This option will output the results to a file.
Run hashCollect against a file:
root@bt:~/workspace/Automater# ./hashCollect.py -f hashes 
Run hashCollect against a URL:
root@bt:~/workspace/Automater# ./hashCollect.py -u http://pastebin.com/2ysAGFJY
Output the results to a file:

root@bt:~/workspace/Automater# ./hashCollect.py -u http://pastebin.com/2ysAGFJY -o /tmp/outputfileforhashes.txt

[+] Printing results to file: /tmp/outputfileforhashes.txt 

That's it for now, but I will grow this out soon. Some of the features I am thinking about adding are:

  • Allow custom regex
  • Allow for pulling other hashes like SHA256
  • Check hashes against online hash crackers
  • Output to a database
  • Create a frontend
  • What would you like to see?

Have any suggestions? Let me know at 1aN0rmus@TekDefense.com.
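As an added example (not the hashCollect or hashMonitor code from these posts), here is a small Python hash collector covering both episodes above: it pulls MD5, SHA1 and SHA256 digests out of a file or URL with word-bounded regexes, so header text and usernames fall away without the manual cut step, and it counts the MD5 of 123456 as the same dump indicator the PasteLert alert keys on. The sample dump is constructed, and the -u/-f/-o option names are assumed to mirror the post's usage.

```python
import argparse
import hashlib
import re
import sys
import urllib.request
from collections import OrderedDict

# Longest digest first so a SHA256 is never also reported as an MD5; the \b word
# boundaries stop a 32-hex run inside a longer hex string from matching on its own.
HASH_PATTERNS = OrderedDict([
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("sha1",   re.compile(r"\b[0-9a-fA-F]{40}\b")),
    ("md5",    re.compile(r"\b[0-9a-fA-F]{32}\b")),
])

# MD5("123456"), the indicator the post alerts on, computed rather than hard-coded.
MD5_123456 = hashlib.md5(b"123456").hexdigest()  # e10adc3949ba59abbe56e057f20f883e

# Constructed sample dump (header noise plus hash lines); not real leaked data.
SAMPLE_DUMP = """\
#OpExample - constructed sample, greetz and propaganda header go here
user1:e10adc3949ba59abbe56e057f20f883e
user2:5f4dcc3b5aa765d61d8327deb882cf99
user3:e10adc3949ba59abbe56e057f20f883e
sha1 row: 7c4a8d09ca3762af61e59520943dc26494f8941b
sha256 row: 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
not a hash: deadbeef
"""


def extract_hashes(text, dedupe=True):
    """Return {algo: [hex digests]} found anywhere in free-form text.

    Header lines, usernames and other non-hex text are ignored, which replaces
    the manual header trimming and the cut step described in the post.
    """
    found = {}
    for algo, pattern in HASH_PATTERNS.items():
        hits = [h.lower() for h in pattern.findall(text)]
        if dedupe:
            hits = list(dict.fromkeys(hits))  # drop repeats, keep first-seen order
        found[algo] = hits
    return found


def count_indicator(text, indicator=MD5_123456):
    """How many times the MD5 of 123456 appears: a cheap signal that text is a dump."""
    return extract_hashes(text, dedupe=False)["md5"].count(indicator)


def read_source(url=None, path=None):
    """Fetch text from a URL or a local file (the -u / -f options)."""
    if url:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.read().decode("utf-8", errors="replace")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def main(argv=None):
    parser = argparse.ArgumentParser(description="Hash Collector (added example)")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("-u", "--url", help="search for hashes on a website")
    group.add_argument("-f", "--file", help="import a file that contains hashes")
    parser.add_argument("-o", "--output", help="write the results to a file")
    args = parser.parse_args(argv)

    text = read_source(url=args.url, path=args.file)
    found = extract_hashes(text)
    lines = [h for algo in found for h in found[algo]]
    if args.output:
        with open(args.output, "w", encoding="utf-8") as out:
            out.write("\n".join(lines) + "\n")
        print(f"[+] Printing results to file: {args.output}")
    else:
        print("\n".join(lines))
    hits = count_indicator(text)
    if hits:
        print(f"[*] MD5 of 123456 seen {hits} time(s): looks like a password dump",
              file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```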

Sunday, January 13, 2013

Tektip ep20 - kippo2Wordlist 

In this episode of Tektip we review a tool we created, kippo2Wordlist.

Description: kippo2Wordlist is a python program that reads logs from kippo to create a wordlist that can be used for anything a standard wordlist is used for such as pipal analysis, cracking passwords, and the like.

Installation: You can download the script from GitHub. You can also clone the git repository if you have git installed. Place it in any directory you like. I put it at:

/opt/kippo2Wordlist/

If you are using HoneyDrive and haven't changed where the logs for kippo go, you are all set. Just run the script and it will function as designed.

honeydrive@honeydrive:/opt/kippo2Wordlist$ python kippo2Wordlist.py 

 

If you are not using HoneyDrive or have modified the log paths, open kippo2Wordlist in your favorite text editor and modify the variables as needed:

# variables for the kippo logs; if your path is not the default from HoneyDrive, modify logPath.
# if your log files are not named kippo.log or kippo.log.x, please modify logPre.
logPre = 'kippo.log'
logPath = '/opt/kippo/log/'

Once the variables are set appropriately you can simply run the script as shown above. When the script completes it will output the wordlist to:

outputFile = '/opt/kippo/log/wordlist.txt'

*Feel free to change this variable as well if you would like to output to a different directory or file name.

Now you can view the wordlist to ensure that the script has done what it is supposed to.

honeydrive@honeydrive:/opt/kippo2Wordlist$ cat /opt/kippo/log/wordlist.txt 

As a sample here are a few of the passwords from the tail of my wordlist:

ortega.123#TradeLinuxKi!l|iN6#Th3Ph03$%nix@NdR3b!irD
0p9o8i
1111111
asdfghjk
temp
myftpserver
daudebautlaovi
root12
mathsacL1nuX
qwerty12345
gu3st
rootroot
education
eric
p0o9i8u7y6t5r4
boot
germaine
5393923
autt123
muieladusmanii
00000
qazwsx
!@#123
jifennet.com
zxcdsa
t35t
aceraspire
tomcat
samsung
libroot123
.sfl@zk^
system9876..
C0rb1n1-DNS
z9fasuWR
backontrack
123654re

Sunday, January 6, 2013

Tektip ep19 - Using Regex with Notepad++ 

After last week's long episode on HoneyDrive, I figured I would follow up this week with a shorter episode. In this one we will look at how to carve text out of a log in Notepad++ using our old friend Regex.

Notepad++: From their own about page, 

Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages. Running in the MS Windows environment, its use is governed by GPL License.

Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment.

While most of us probably live in the Linux world, where there are already built-in text editors that provide much of the functionality I will speak to today, there are many who use Windows as their primary box. In some cases our employers push Windows on us, as they don't trust open source.

Either way, we all probably have a Windows box somewhere, even if it is just for malware analysis, or dare I say gaming. Notepad++ is THE text editor to use in these situations. With a large community building plugins, the features are limitless. Today though we will be focusing on the Regex capabilities.

To review for those of you who did not watch my Regex Tektip: Regex, or Regular Expressions, is a method of matching patterns in strings using a flexible syntax. I recommend you watch the Regex Tektip if you have not already.

To begin we are going to get a log of my latest Kippo hits from my honeydrive instance, which we will then try to manipulate.  Here is a small sample:

honeydrive@honeydrive:/opt/kippo/log$ cat kippo.log | grep 'login attempt' > kippologins.txt

2013-01-06 05:35:50+0000 [SSHService ssh-userauth on HoneyPotTransport,516,210.14.71.201] login attempt [root/masinadescule] failed
2013-01-06 05:35:54+0000 [SSHService ssh-userauth on HoneyPotTransport,517,210.14.71.201] login attempt [admin/.sfl@zk^] failed
2013-01-06 05:35:58+0000 [SSHService ssh-userauth on HoneyPotTransport,518,210.14.71.201] login attempt [root/zaq123] failed
2013-01-06 05:36:02+0000 [SSHService ssh-userauth on HoneyPotTransport,519,210.14.71.201] login attempt [root/==============down=================] failed
2013-01-06 05:36:06+0000 [SSHService ssh-userauth on HoneyPotTransport,520,210.14.71.201] login attempt [bin/!!(@(*#*))MNNNBHSA{{":**(@] failed
2013-01-06 05:36:11+0000 [SSHService ssh-userauth on HoneyPotTransport,521,210.14.71.201] login attempt [bin/2#%#@%$] failed
2013-01-06 05:36:14+0000 [SSHService ssh-userauth on HoneyPotTransport,522,210.14.71.201] login attempt [bin/510326mazda] failed
2013-01-06 05:36:18+0000 [SSHService ssh-userauth on HoneyPotTransport,523,210.14.71.201] login attempt [bin/FSDwef8529637531598273k1d123kid871kid872tralalalovedolce] failed
2013-01-06 05:36:22+0000 [SSHService ssh-userauth on HoneyPotTransport,524,210.14.71.201] login attempt [bin/alupigus] failed
2013-01-06 05:36:26+0000 [SSHService ssh-userauth on HoneyPotTransport,525,210.14.71.201] login attempt [bin/diana4ever] failed
2013-01-06 05:36:30+0000 [SSHService ssh-userauth on HoneyPotTransport,526,210.14.71.201] login attempt [bin/worlddomination] failed
2013-01-06 05:36:33+0000 [SSHService ssh-userauth on HoneyPotTransport,527,210.14.71.201] login attempt [bin/BUNdAS@#$RT%GQ~EQW#%^QW] failed
2013-01-06 05:36:37+0000 [SSHService ssh-userauth on HoneyPotTransport,528,210.14.71.201] login attempt [kylix/alexxutzu1$@121] failed
2013-01-06 05:36:41+0000 [SSHService ssh-userauth on HoneyPotTransport,529,210.14.71.201] login attempt [mov/masinadescule] failed
2013-01-06 05:36:45+0000 [SSHService ssh-userauth on HoneyPotTransport,530,210.14.71.201] login attempt [be/pufos1234] failed
2013-01-06 05:36:48+0000 [SSHService ssh-userauth on HoneyPotTransport,531,210.14.71.201] login attempt [richard/78274283] failed
2013-01-06 05:36:52+0000 [SSHService ssh-userauth on HoneyPotTransport,532,210.14.71.201] login attempt [root/love123] failed
2013-01-06 05:36:56+0000 [SSHService ssh-userauth on HoneyPotTransport,533,210.14.71.201] login attempt [root/Spm!0you] failed
2013-01-06 05:37:00+0000 [SSHService ssh-userauth on HoneyPotTransport,534,210.14.71.201] login attempt [root/loveandsex4ever] failed
2013-01-06 05:37:03+0000 [SSHService ssh-userauth on HoneyPotTransport,535,210.14.71.201] login attempt [root/freot87bgrtblktgb9mgh5kh] failed
2013-01-06 05:37:09+0000 [SSHService ssh-userauth on HoneyPotTransport,537,210.14.71.201] login attempt [root/=6rj8Icn=O1<Y+&=] failed
2013-01-06 05:37:13+0000 [SSHService ssh-userauth on HoneyPotTransport,538,210.14.71.201] login attempt [root/soledad] failed
2013-01-06 05:37:16+0000 [SSHService ssh-userauth on HoneyPotTransport,539,210.14.71.201] login attempt [root/system9876..] failed
2013-01-06 05:37:20+0000 [SSHService ssh-userauth on HoneyPotTransport,540,210.14.71.201] login attempt [root/cba@horitech##!$] failed
2013-01-06 05:37:24+0000 [SSHService ssh-userauth on HoneyPotTransport,541,210.14.71.201] login attempt [root/shadow@@@ubyta336331jum] failed
2013-01-06 05:37:30+0000 [SSHService ssh-userauth on HoneyPotTransport,542,210.14.71.201] login attempt [root/17tp95] failed
2013-01-06 05:37:34+0000 [SSHService ssh-userauth on HoneyPotTransport,543,210.14.71.201] login attempt [root/72fsd9320] failed
2013-01-06 05:37:38+0000 [SSHService ssh-userauth on HoneyPotTransport,544,210.14.71.201] login attempt [root/sistemas] failed
2013-01-06 05:37:42+0000 [SSHService ssh-userauth on HoneyPotTransport,545,210.14.71.201] login attempt [root/1qazXSW@] failed
2013-01-06 05:37:46+0000 [SSHService ssh-userauth on HoneyPotTransport,546,210.14.71.201] login attempt [root/ahmad750785] failed
2013-01-06 05:37:50+0000 [SSHService ssh-userauth on HoneyPotTransport,547,210.14.71.201] login attempt [root/1q2z3w4x] failed
2013-01-06 05:37:54+0000 [SSHService ssh-userauth on HoneyPotTransport,548,210.14.71.201] login attempt [root/shadow@@@ubyta] failed
2013-01-06 05:37:57+0000 [SSHService ssh-userauth on HoneyPotTransport,549,210.14.71.201] login attempt [root/68N4VpcUgoBFs11TE.] failed
2013-01-06 05:38:01+0000 [SSHService ssh-userauth on HoneyPotTransport,550,210.14.71.201] login attempt [root/mailadmin] failed
2013-01-06 05:38:04+0000 [SSHService ssh-userauth on HoneyPotTransport,551,210.14.71.201] login attempt [root/ktmyzf] failed
2013-01-06 05:38:08+0000 [SSHService ssh-userauth on HoneyPotTransport,552,210.14.71.201] login attempt [root/oracle1] failed
2013-01-06 05:38:12+0000 [SSHService ssh-userauth on HoneyPotTransport,553,210.14.71.201] login attempt [root/NB16hrah55E2.] failed
2013-01-06 05:38:16+0000 [SSHService ssh-userauth on HoneyPotTransport,554,210.14.71.201] login attempt [root/valentinaqwe] failed
2013-01-06 05:38:19+0000 [SSHService ssh-userauth on HoneyPotTransport,555,210.14.71.201] login attempt [root/Sabyn.users.undernet.org] failed
2013-01-06 05:38:23+0000 [SSHService ssh-userauth on HoneyPotTransport,556,210.14.71.201] login attempt [root/ldqsz,bpmcs.] failed
2013-01-06 05:38:31+0000 [SSHService ssh-userauth on HoneyPotTransport,557,210.14.71.201] login attempt [root/b2y3j@my1930] failed
2013-01-06 05:38:35+0000 [SSHService ssh-userauth on HoneyPotTransport,558,210.14.71.201] login attempt [root/egg98<ZsuxG%] failed
2013-01-06 05:38:40+0000 [SSHService ssh-userauth on HoneyPotTransport,559,210.14.71.201] login attempt [root/loler1q] failed
2013-01-06 05:38:43+0000 [SSHService ssh-userauth on HoneyPotTransport,560,210.14.71.201] login attempt [root/n4k4mur41sh3r3] failed
2013-01-06 05:38:47+0000 [SSHService ssh-userauth on HoneyPotTransport,561,210.14.71.201] login attempt [root/gnome-session] failed
2013-01-06 05:38:51+0000 [SSHService ssh-userauth on HoneyPotTransport,562,210.14.71.201] login attempt [root/E9832UIRF2J3IFJ23] failed
2013-01-06 05:38:55+0000 [SSHService ssh-userauth on HoneyPotTransport,563,210.14.71.201] login attempt [root/metiko] failed
2013-01-06 05:39:00+0000 [SSHService ssh-userauth on HoneyPotTransport,564,210.14.71.201] login attempt [root/ilrOm15] failed
2013-01-06 05:39:03+0000 [SSHService ssh-userauth on HoneyPotTransport,565,210.14.71.201] login attempt [root/1111132329993] failed
2013-01-06 05:39:07+0000 [SSHService ssh-userauth on HoneyPotTransport,566,210.14.71.201] login attempt [root/1111132329993aq] failed
2013-01-06 05:39:11+0000 [SSHService ssh-userauth on HoneyPotTransport,567,210.14.71.201] login attempt [root/111111] failed
2013-01-06 05:39:15+0000 [SSHService ssh-userauth on HoneyPotTransport,568,210.14.71.201] login attempt [root/pcservlinux] failed
2013-01-06 05:39:19+0000 [SSHService ssh-userauth on HoneyPotTransport,569,210.14.71.201] login attempt [root/slain22446688] failed
2013-01-06 05:39:22+0000 [SSHService ssh-userauth on HoneyPotTransport,570,210.14.71.201] login attempt [root/server2009] failed
2013-01-06 05:39:26+0000 [SSHService ssh-userauth on HoneyPotTransport,571,210.14.71.201] login attempt [root/coadadebalena] failed
2013-01-06 05:39:30+0000 [SSHService ssh-userauth on HoneyPotTransport,572,210.14.71.201] login attempt [root/muie202020] failed
2013-01-06 05:39:33+0000 [SSHService ssh-userauth on HoneyPotTransport,573,210.14.71.201] login attempt [root/linx123] failed
2013-01-06 05:39:37+0000 [SSHService ssh-userauth on HoneyPotTransport,574,210.14.71.201] login attempt [root/miguelc] failed
2013-01-06 05:39:41+0000 [SSHService ssh-userauth on HoneyPotTransport,575,210.14.71.201] login attempt [root/demined7mc] failed
2013-01-06 05:39:46+0000 [SSHService ssh-userauth on HoneyPotTransport,576,210.14.71.201] login attempt [root/rootpollos] failed
2013-01-06 05:39:49+0000 [SSHService ssh-userauth on HoneyPotTransport,577,210.14.71.201] login attempt [root/215people4477] failed
2013-01-06 05:39:53+0000 [SSHService ssh-userauth on HoneyPotTransport,578,210.14.71.201] login attempt [root/rfhs1229] failed
2013-01-06 05:39:57+0000 [SSHService ssh-userauth on HoneyPotTransport,579,210.14.71.201] login attempt [root/L1n$ux@c@vu#m] failed
2013-01-06 05:40:01+0000 [SSHService ssh-userauth on HoneyPotTransport,580,210.14.71.201] login attempt [root/lam3r3] failed
2013-01-06 05:40:04+0000 [SSHService ssh-userauth on HoneyPotTransport,581,210.14.71.201] login attempt [root/planetbr] failed
2013-01-06 05:40:08+0000 [SSHService ssh-userauth on HoneyPotTransport,582,210.14.71.201] login attempt [root/VHCsoft@admin123] failed
2013-01-06 05:40:12+0000 [SSHService ssh-userauth on HoneyPotTransport,583,210.14.71.201] login attempt [root/tractordelemn] failed
2013-01-06 05:40:16+0000 [SSHService ssh-userauth on HoneyPotTransport,584,210.14.71.201] login attempt [root/dragos3443gff@665$G455454dragos2sd] failed
2013-01-06 05:40:19+0000 [SSHService ssh-userauth on HoneyPotTransport,585,210.14.71.201] login attempt [root/Kr3at0r@I5Th3B3st0F!#$$#!] failed
2013-01-06 05:40:23+0000 [SSHService ssh-userauth on HoneyPotTransport,586,210.14.71.201] login attempt [root/ortega.123#TradeLinuxKi!l|iN6#Th3Ph03$%nix@NdR3b!irD] failed
2013-01-06 05:40:27+0000 [SSHService ssh-userauth on HoneyPotTransport,587,210.14.71.201] login attempt [root/linuxsex123] failed
2013-01-06 05:40:30+0000 [SSHService ssh-userauth on HoneyPotTransport,588,210.14.71.201] login attempt [root/tarenatarena412414] failed
2013-01-06 05:40:34+0000 [SSHService ssh-userauth on HoneyPotTransport,589,210.14.71.201] login attempt [root/qkm@!(%.)=*^&fhE] failed
2013-01-06 05:40:40+0000 [SSHService ssh-userauth on HoneyPotTransport,590,210.14.71.201] login attempt [root/vazador108] failed
2013-01-06 05:40:46+0000 [SSHService ssh-userauth on HoneyPotTransport,591,210.14.71.201] login attempt [root/!#m@mut&#!] failed
2013-01-06 05:40:51+0000 [SSHService ssh-userauth on HoneyPotTransport,592,210.14.71.201] login attempt [root/codecmpeg4codecmpeg4] failed
2013-01-06 05:40:55+0000 [SSHService ssh-userauth on HoneyPotTransport,593,210.14.71.201] login attempt [root/UTCfs2202] failed
2013-01-06 05:40:59+0000 [SSHService ssh-userauth on HoneyPotTransport,594,210.14.71.201] login attempt [root/asroma1927] failed
2013-01-06 05:41:04+0000 [SSHService ssh-userauth on HoneyPotTransport,595,210.14.71.201] login attempt [root/P@ssw0rd] failed
2013-01-06 05:41:09+0000 [SSHService ssh-userauth on HoneyPotTransport,596,210.14.71.201] login attempt [root/ncc1701d] failed
2013-01-06 05:41:12+0000 [SSHService ssh-userauth on HoneyPotTransport,597,210.14.71.201] login attempt [root/welcome1] failed
2013-01-06 05:41:16+0000 [SSHService ssh-userauth on HoneyPotTransport,598,210.14.71.201] login attempt [root/s1rolexcom] failed
2013-01-06 05:41:20+0000 [SSHService ssh-userauth on HoneyPotTransport,599,210.14.71.201] login attempt [root/iamh4ckst4rf0r3ver] failed
2013-01-06 05:41:23+0000 [SSHService ssh-userauth on HoneyPotTransport,600,210.14.71.201] login attempt [root/wvhlyf] failed
2013-01-06 05:41:28+0000 [SSHService ssh-userauth on HoneyPotTransport,601,210.14.71.201] login attempt [root/nti-support] failed
2013-01-06 05:41:32+0000 [SSHService ssh-userauth on HoneyPotTransport,602,210.14.71.201] login attempt [root/sanja123hack] failed
2013-01-06 05:41:36+0000 [SSHService ssh-userauth on HoneyPotTransport,603,210.14.71.201] login attempt [root/zaq12wsx] failed
2013-01-06 05:41:40+0000 [SSHService ssh-userauth on HoneyPotTransport,604,210.14.71.201] login attempt [root/welcome@9] failed
2013-01-06 05:41:43+0000 [SSHService ssh-userauth on HoneyPotTransport,605,210.14.71.201] login attempt [root/clear!@#55896261] failed
2013-01-06 05:41:47+0000 [SSHService ssh-userauth on HoneyPotTransport,606,210.14.71.201] login attempt [root/dltkrhd!240!] failed
2013-01-06 05:41:50+0000 [SSHService ssh-userauth on HoneyPotTransport,607,210.14.71.201] login attempt [root/2010Root1q2w3e] failed
2013-01-06 05:41:57+0000 [SSHService ssh-userauth on HoneyPotTransport,608,210.14.71.201] login attempt [root/Pf0t3nw3g] failed
2013-01-06 05:42:01+0000 [SSHService ssh-userauth on HoneyPotTransport,609,210.14.71.201] login attempt [root/karoca gre!] failed
2013-01-06 05:42:04+0000 [SSHService ssh-userauth on HoneyPotTransport,610,210.14.71.201] login attempt [root/system1234..] failed
2013-01-06 05:42:08+0000 [SSHService ssh-userauth on HoneyPotTransport,611,210.14.71.201] login attempt [root/!msoft1956] failed
2013-01-06 05:42:12+0000 [SSHService ssh-userauth on HoneyPotTransport,612,210.14.71.201] login attempt [root/Lsr4Mny$] failed
2013-01-06 05:42:16+0000 [SSHService ssh-userauth on HoneyPotTransport,613,210.14.71.201] login attempt [root/sercon] failed
2013-01-06 05:42:19+0000 [SSHService ssh-userauth on HoneyPotTransport,614,210.14.71.201] login attempt [root/!you#ming%shun&] failed
2013-01-06 05:42:23+0000 [SSHService ssh-userauth on HoneyPotTransport,615,210.14.71.201] login attempt [root/R3lisysfanta] failed
2013-01-06 06:03:38+0000 [SSHService ssh-userauth on HoneyPotTransport,617,64.191.21.190] login attempt [173.252.237.117/cacutza] failed
2013-01-06 06:03:39+0000 [SSHService ssh-userauth on HoneyPotTransport,617,64.191.21.190] login attempt [173.252.237.117/173.252.237.115] failed
2013-01-06 07:58:11+0000 [SSHService ssh-userauth on HoneyPotTransport,618,64.191.21.190] login attempt [173.252.237.118/cacutza] failed
2013-01-06 07:58:12+0000 [SSHService ssh-userauth on HoneyPotTransport,618,64.191.21.190] login attempt [173.252.237.118/173.252.237.119] failed

Now let's say we just wanted the passwords from this log. As this is just a small sampling, you can imagine doing this manually would not be a fun task. Luckily, Notepad++ has a solution for this. Open Notepad++ and paste in the logs above if you would like to follow along. With Notepad++ open, hit Ctrl+F to bring up the search function.

The Find function has a lot of options. We will start in the Find tab for now, and then move to Replace. By selecting the Regular expression radio button in the bottom left we are telling Notepad++ that we will be using Regex. There are some other options, but we will focus on this for now.

Now we need to build the regex that will find the password. As there is nothing unique about the passwords themselves that we can match on, we will have to match a pattern and select what we want from that pattern using (). I hate to mention this again, but if you have not already watched my regex tutorial, now is the time to do so.

Looking at the log, we can quickly identify where the password is. The username and password are always between [] and always separated by a /. The regex for what I just described is this:

\[\w+\/.+\]

To break it down: we are looking for "[", which is "\[", then any number of word characters, which is covered by "\w+", then a "/", which is covered by "\/", then any number of any characters, which is covered by ".+", and lastly a "]", which is covered by "\]".

Now with that regex in the Find box, click Find All in Current Document, which should give you something like this:

Great! Now we have a regex that matches what we are looking for, but how do you get the data out of the log? That is what I had a little trouble with at first. I feel like I should be able to Ctrl+C and Ctrl+V like there is no tomorrow, but that is not the case. We have to instead use the Replace feature. That is why we need to wrap () around where the password is in our regex. So let's switch to the Replace tab and add our modified regex, which should now look like this:

\[\w+\/(.+)\]

Now add \1 to the Replace field. This means "replace with whatever the first set of () matched", in our case (.+), which is where the password is in the pattern. Now hit Replace a couple of times to see what it is doing. As you can probably tell, we are closer to what we want but not quite there. This replaces the [username/password] with just the password, but the rest of the line is still there.

I know what you are saying at this point: "Dang 1aN0rmus, why should I bother? I could probably have done this manually by now." I understand your frustration, but trust me, after you do this a few times you'll be eating up logs like it's no one's business. Don't fret, we will get through this.

So, how do we get rid of the rest of the line? It's very simple: we just have to build a regex that matches the entire line but pulls out only what we need. This is easier than you think. It can almost always be done by adding ".+" before and after the regex you already built, giving us the following:

.+\[\w+\/(.+)\].+

Now when we hit Replace, let's see what happens.

Perfect! Just what we wanted. Click Replace All and you are done. The file is now perfectly formatted for Pipal.

This methodology will help you tremendously, but remember you will need to change up your regex and even your replacement text to fit each new situation. This will work fine for pulling passwords from all Kippo logs, but if your mission changes and you would like usernames and passwords, you would need to modify this to suit your needs. Hopefully you have the tools to accomplish this now though.

To show you a more complex example, in the same log a find string of:

.+\[(\w+)\/(.+)\].+

With a replace string of:

username:\1\r\npassword:\2

will produce:
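As an added example that is not the kippo2Wordlist script or anything from these posts, the Python below does in code what the two Kippo passages above do: it parses kippo "login attempt" lines into fields, writes the unique-password wordlist that kippo2Wordlist builds from logPath/logPre (rotated files included), and emits the username:\1 / password:\2 output of the Replace step. The sample log lines are constructed with documentation-range IPs, and the "succeeded" outcome is assumed from kippo's log format; the username group is [^/\]]+ rather than the post's \w+, since \w does not match the dots in the IP-address usernames at the tail of the post's sample.

```python
import glob
import os
import re

# One regex for a whole kippo "login attempt" line. Compared with the post's
# \[\w+\/(.+)\], the username group is [^/\]]+ rather than \w+, so usernames that
# contain a '.', such as the IP addresses in the post's sample, still match.
# "succeeded" as the alternative outcome is assumed from kippo's log format.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\+\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<src_ip>[\d.]+)\] "
    r"login attempt \[(?P<username>[^/\]]+)/(?P<password>.+)\] (?P<result>failed|succeeded)$",
    re.MULTILINE,
)

# The post's find pattern, kept only for comparison: it skips IP-address usernames.
POST_PATTERN = re.compile(r".+\[\w+/(.+)\].+")

# Constructed sample in kippo's format with documentation-range IPs; not the post's log.
SAMPLE_LOG = """\
2013-01-06 05:35:50+0000 [SSHService ssh-userauth on HoneyPotTransport,516,203.0.113.5] login attempt [root/zaq123] failed
2013-01-06 05:35:54+0000 [SSHService ssh-userauth on HoneyPotTransport,517,203.0.113.5] login attempt [admin/.sfl@zk^] failed
2013-01-06 05:35:58+0000 [SSHService ssh-userauth on HoneyPotTransport,518,203.0.113.5] login attempt [root/zaq123] failed
2013-01-06 06:03:38+0000 [SSHService ssh-userauth on HoneyPotTransport,617,198.51.100.9] login attempt [192.0.2.10/cacutza] failed
2013-01-06 06:03:40+0000 [SSHService ssh-userauth on HoneyPotTransport,617,198.51.100.9] login attempt [root/123456] succeeded
2013-01-06 06:03:41+0000 [HoneyPotTransport,617,198.51.100.9] connection lost
"""


def parse_login_attempts(text):
    """Return one dict (ts, session, src_ip, username, password, result) per attempt line."""
    return [m.groupdict() for m in LOGIN_RE.finditer(text)]


def passwords_wordlist(attempts):
    """Unique passwords in first-seen order: what kippo2Wordlist writes out."""
    return list(dict.fromkeys(a["password"] for a in attempts))


def user_pass_lines(attempts):
    """The post's username:\\1 / password:\\2 replacement, one list entry per output line."""
    lines = []
    for a in attempts:
        lines.append("username:" + a["username"])
        lines.append("password:" + a["password"])
    return lines


def collect_from_log_dir(log_path, log_pre, output_file):
    """Read every log_pre* file (current plus rotated kippo.log.N) and write the wordlist.

    Mirrors the logPath / logPre / outputFile variables of the post's script and
    returns the number of unique passwords written.
    """
    attempts = []
    for log_file in sorted(glob.glob(os.path.join(log_path, log_pre + "*"))):
        with open(log_file, encoding="utf-8", errors="replace") as fh:
            attempts.extend(parse_login_attempts(fh.read()))
    words = passwords_wordlist(attempts)
    with open(output_file, "w", encoding="utf-8") as out:
        out.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    for word in passwords_wordlist(parse_login_attempts(SAMPLE_LOG)):
        print(word)
```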

Sunday, November 18, 2012

Connectusers Adobe Leak - 223 passwords in 2 seconds

As most of you already know, there is word of a leak involving Adobe's Connectusers forum. You can read more about this at The HNN. The important things to know in relation to this post are that 642 hashes have been released so far and the attacker claims to have 150,000 more to share. The attacker also released other information with these hashes such as name, title, phone, email, company, and username.

What I have done with the release is first strip out the data I don't want, leaving me with just the hashes.

cat adobe-leaks.txt | grep Password | cut -d: -f 2 >adobehashes 

Now that I have a file with just the hashes, I ran hashcat against the hashes using a few wordlists.

root@bt:./hashcat-cli32.bin --output-file /root/leakedpasswords/ah3.out /root/leakedpasswords/adobehashes /pentest/passwords/wordlists/rockyou.txt /pentest/passwords/wordlists/darkc0de.lst /root/leakedpasswords/yahoopassesonly.txt

In less than 2 seconds, using only those three wordlists, I was able to extract 223 of the 642 passwords. I mention this because people who do not use these tools may not understand how fast and easy it can be.

Here is a small sampling of the hashes and passes:


The full list can be downloaded here.

So, since I just did a TekTip episode on Pipal, I figured I should run the output through it as well.

cat ah.out | cut -d: -f2 > ahpassesonly


./pipal.rb ~/leakedpasswords/ahpassesonly -o ahanalysis.txt


Here are the pipal results:
Total entries = 538
Total unique entries = 223
Top 10 passwords
letmein = 3 (0.56%)
lighthouse = 3 (0.56%)
fisher = 3 (0.56%)
popper = 3 (0.56%)
carefree = 3 (0.56%)
stanley = 3 (0.56%)
Video = 3 (0.56%)
Winston = 3 (0.56%)
louie = 3 (0.56%)
manish = 3 (0.56%)
Top 10 base words
buster = 6 (1.12%)
adobe = 6 (1.12%)
marina = 5 (0.93%)
soccer = 5 (0.93%)
connect = 5 (0.93%)
jonathan = 3 (0.56%)
video = 3 (0.56%)
winston = 3 (0.56%)
louie = 3 (0.56%)
manish = 3 (0.56%)
Password length (length ordered)
5 = 29 (5.39%)
6 = 174 (32.34%)
7 = 130 (24.16%)
8 = 128 (23.79%)
9 = 45 (8.36%)
10 = 21 (3.9%)
11 = 5 (0.93%)
12 = 3 (0.56%)
13 = 3 (0.56%)
Password length (count ordered)
6 = 174 (32.34%)
7 = 130 (24.16%)
8 = 128 (23.79%)
9 = 45 (8.36%)
5 = 29 (5.39%)
10 = 21 (3.9%)
11 = 5 (0.93%)
12 = 3 (0.56%)
13 = 3 (0.56%)
      |                                                                 
      |                                                                 
      |                                                                 
      |                                                                 
      |||                                                               
      |||                                                               
      |||                                                               
      |||                                                               
      |||                                                               
      |||                                                               
      |||                                                               
      ||||                                                              
      ||||                                                              
     |||||                                                              
     ||||||                                                             
|||||||||||||||                                                         
000000000011111
012345678901234
One to six characters = 203 (37.73%)
One to eight characters = 461 (85.69%)
More than eight characters = 77 (14.31%)
Only lowercase alpha = 302 (56.13%)
Only uppercase alpha = 3 (0.56%)
Only alpha = 305 (56.69%)
Only numeric = 29 (5.39%)
First capital last symbol = 2 (0.37%)
First capital last number = 19 (3.53%)
Months
june = 2 (0.37%)
november = 2 (0.37%)
Days
None found
Months (Abreviated)
mar = 12 (2.23%)
jun = 2 (0.37%)
nov = 2 (0.37%)
Days (Abreviated)
mon = 5 (0.93%)
sat = 2 (0.37%)
sun = 2 (0.37%)
Includes years
1979 = 2 (0.37%)
1989 = 2 (0.37%)
2002 = 4 (0.74%)
2007 = 2 (0.37%)
Years (Top 10)
2002 = 4 (0.74%)
1979 = 2 (0.37%)
1989 = 2 (0.37%)
2007 = 2 (0.37%)
Colours
orange = 2 (0.37%)
red = 8 (1.49%)
white = 3 (0.56%)
Single digit on the end = 52 (9.67%)
Two digits on the end = 57 (10.59%)
Three digits on the end = 19 (3.53%)
Last number
0 = 11 (2.04%)
1 = 45 (8.36%)
2 = 16 (2.97%)
3 = 24 (4.46%)
4 = 6 (1.12%)
5 = 14 (2.6%)
6 = 13 (2.42%)
7 = 11 (2.04%)
8 = 13 (2.42%)
9 = 14 (2.6%)
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 | |                                                                    
 | |                                                                    
 | |                                                                    
 |||                                                                    
 ||| || ||                                                              
|||| |||||                                                              
||||||||||                                                              
||||||||||                                                              
||||||||||                                                              
0123456789
Last digit
1 = 45 (8.36%)
3 = 24 (4.46%)
2 = 16 (2.97%)
5 = 14 (2.6%)
9 = 14 (2.6%)
6 = 13 (2.42%)
8 = 13 (2.42%)
0 = 11 (2.04%)
7 = 11 (2.04%)
4 = 6 (1.12%)
Last 2 digits (Top 10)
23 = 16 (2.97%)
99 = 6 (1.12%)
12 = 6 (1.12%)
08 = 6 (1.12%)
25 = 6 (1.12%)
56 = 5 (0.93%)
13 = 4 (0.74%)
14 = 4 (0.74%)
66 = 4 (0.74%)
02 = 4 (0.74%)
Last 3 digits (Top 10)
123 = 14 (2.6%)
002 = 4 (0.74%)
456 = 3 (0.56%)
388 = 2 (0.37%)
085 = 2 (0.37%)
989 = 2 (0.37%)
900 = 2 (0.37%)
110 = 2 (0.37%)
966 = 2 (0.37%)
325 = 2 (0.37%)
Last 4 digits (Top 10)
2002 = 4 (0.74%)
3456 = 3 (0.56%)
2898 = 2 (0.37%)
1085 = 2 (0.37%)
1989 = 2 (0.37%)
6900 = 2 (0.37%)
6966 = 2 (0.37%)
2325 = 2 (0.37%)
3388 = 2 (0.37%)
2007 = 2 (0.37%)
Last 5 digits (Top 10)
23456 = 3 (0.56%)
12898 = 2 (0.37%)
61085 = 2 (0.37%)
26900 = 2 (0.37%)
16966 = 2 (0.37%)
52325 = 2 (0.37%)
13388 = 2 (0.37%)
52963 = 2 (0.37%)
55225 = 2 (0.37%)
11979 = 2 (0.37%)
US Area Codes
456 = Inbound International (--)
989 = Upper central Michigan: Mt Pleasant, Saginaw (MI)
900 = US toll calls -- prices vary with the number called (--)
325 = Central Texas: Abilene, Sweetwater, Snyder, San Angelo (TX)
Character sets
loweralpha: 302 (56.13%)
loweralphanum: 149 (27.7%)
numeric: 29 (5.39%)
mixedalphanum: 23 (4.28%)
mixedalpha: 18 (3.35%)
mixedalphaspecialnum: 12 (2.23%)
upperalpha: 3 (0.56%)
mixedalphaspecial: 2 (0.37%)
Character set ordering
allstring: 323 (60.04%)
stringdigit: 132 (24.54%)
alldigit: 29 (5.39%)
stringdigitstring: 24 (4.46%)
othermask: 18 (3.35%)
digitstring: 6 (1.12%)
stringspecial: 2 (0.37%)
digitstringdigit: 2 (0.37%)
stringspecialdigit: 2 (0.37%)
Hashcat masks (Top 10)
?l?l?l?l?l?l: 120 (22.3%)
?l?l?l?l?l?l?l: 71 (13.2%)
?l?l?l?l?l?l?l?l: 56 (10.41%)
?l?l?l?l?l?l?d?d: 22 (4.09%)
?l?l?l?l?l: 18 (3.35%)
?l?l?l?l?l?l?l?l?l: 17 (3.16%)
?d?d?d?d?d?d: 17 (3.16%)
?l?l?l?l?l?l?l?d: 15 (2.79%)
?l?l?l?l?l?d?d: 12 (2.23%)
?l?l?l?l?l?l?l?l?l?l: 11 (2.04%)
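Below is an added Python example, written for this post rather than taken from pipal or the author's tools, that tallies a one-per-line password file into the same categories pipal reports above (length, character set, hashcat mask, last digit), which is the kind of check a defender can run over a cracked set from their own password audit. The sample list in it is constructed, and the function names and the file-path argument are assumptions.

```python
import sys
from collections import Counter

# Constructed sample plaintexts, not taken from the leak; they stand in for
# the one-per-line cracked passwords file (ahpassesonly) fed to pipal above.
SAMPLE = ["letmein", "letmein", "soccer14", "Heidi123", "CDE#4rfv",
          "123456", "Adobe", "Pass123Word", "buster", "buster1"]

def hashcat_mask(pw):
    """Map each character to its hashcat mask class: ?l ?u ?d or ?s."""
    return "".join("?l" if c.islower() else "?u" if c.isupper()
                   else "?d" if c.isdigit() else "?s" for c in pw)

def charset(pw):
    """Name the character set in pipal's style (loweralphanum, mixedalphaspecialnum, ...)."""
    lower, upper = any(c.islower() for c in pw), any(c.isupper() for c in pw)
    digit, special = any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)
    if not (lower or upper):  # no letters at all
        return "numeric" if digit and not special else "special" + ("num" if digit else "")
    base = "mixedalpha" if lower and upper else ("loweralpha" if lower else "upperalpha")
    return base + ("special" if special else "") + ("num" if digit else "")

def load_passwords(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]  # skip blank lines

def analyse(passwords):
    """Tally the categories pipal reports: lengths, masks, charsets, last digit."""
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "lengths": Counter(len(p) for p in passwords),
        "masks": Counter(hashcat_mask(p) for p in passwords),
        "charsets": Counter(charset(p) for p in passwords),
        "last_digit": Counter(p[-1] for p in passwords if p[-1].isdigit()),
    }

def report(stats):
    """Render pipal-style 'value = count (pct%)' lines for the top 10 of each tally."""
    total = stats["total"]
    out = [f"Total entries = {total}", f"Total unique entries = {stats['unique']}"]
    for title, key in (("Password length", "lengths"), ("Character sets", "charsets"),
                       ("Hashcat masks (Top 10)", "masks"), ("Last digit", "last_digit")):
        out.append(title)
        out += [f"{v} = {n} ({round(n * 100 / total, 2)}%)" for v, n in stats[key].most_common(10)]
    return "\n".join(out)

if __name__ == "__main__":
    words = load_passwords(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(report(analyse(words)))
```

Run it with the path to a plaintext-per-line file to get the tally for that set; with no argument it runs over the constructed sample.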