TekDefense

Entries in Pipal (3)

Sunday

Jul202014

Over a year with Kippo

Sunday, July 20, 2014 at 8:31PM

UPDATE: After posting @ikoniaris of Honeydrive and Bruteforce fame recommended running these. Here are the results of kippo-stats.pl created by Tomasz Miklas and Miguel jacq.

As many of you know from previous posts, I am a big fan of honeypots, particularly Kippo. My main Kippo instance sitting in AWS has been online for over a year now. Let's take a look at what we have captured and learned over this past year. If you want to validate any of these statistics I have made the raw logs available for download.

General Stats:

Unique values (135526 connections):

*csv with geo location

*Map Generated with JCSOCAL's GIPC

Top 11 Countries

China: 699

United States: 654

Brazil: 76

Russian Federation: 69

Germany: 65

Korea, Republic of: 57

Romania: 56

Egypt: 52

Japan: 50

India: 41

Indonesia: 41

Unique Usernames: 8600 (Username list)

Unique Passwords: 75780 (wordlist)

Unique Sources: 1985 (list of IPs)

Passwords:

One of my favorite uses of kippo data is to generate wordlists from login attempts. I wrote a quick script to parse the kippo logs and pull out all passwords and unique them into a wordlist. Feel free to grab. Additionally I made the wordlists available for download.

Using Pipal I performed analysis of all the login attempts over this year:

Two items of note here are that over 60% of password attempts were 1-8 characters. 40% of attempts were for lowercase alpha characters only. The most used password was 123456. This is the default pass for Kippo.

If a user attempts to create an account or change the root password in a Kippo session those passwords are captured and added to the allowed credentials list. The following credentials were created:

root:0:albertinoalbert123

root:0:fgashyeq77dhshfa

root:0:florian12eu

root:0:hgd177q891999wwwwwe1.dON

root:0:iphone5

root:0:kokot

root:0:nope

root:0:picvina

root:0:scorpi123

root:0:test

root:0:xiaozhe

root:0:12345

root:0:bnn318da9031kdamfaihheq1fa

root:0:ls

root:0:neonhostt1

root:0:wget123

Downloads:

When an attacker attempts to download a tool via wget, within Kippo we allow that file to be downloaded, although they cannot interact with it. With this we are able to get a copy of whatever is being downloaded. In most cases these are IRC bots, but not all. I have made them all available for download.

Here is a listing of all the files:

*Duplicates and obviously legitimate files have been removed from the list.

20131030113401_http___198_2_192_204_22_disknyp

20131103183232_http___61_132_227_111_8080_meimei

20131104045744_http___198_2_192_204_22_disknyp

20131114214017_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz

20131116130541_http___198_2_192_204_22_disknyp

20131129165151_http___dl_dropboxusercontent_com_s_1bxj9ak8m1octmk_ktx_c

20131129165438_http___dl_dropboxusercontent_com_s_66gpt66lvut4gdu_ktx

20131202040921_http___198_2_192_204_22_disknyp

20131207123419_http___packetstorm_wowhacker_com_DoS_juno_c

20131216143108_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz

20131216143208_http___X_hackersoft_org_scanner_gosh_jpg

20131216143226_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe

20131217163423_http___ha_ckers_org_slowloris_slowloris_pl

20131217163456_http___www_lemarinel_net_perl

20131222084315_http___maxhub_com_auto_bill_pipe_bot

20140103142644_http___ftp_gnu_org_gnu_autoconf_autoconf_2_69_tar_gz

20140109170001_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_linux_x86_tar_gz

20140120152204_http___111_39_43_54_5555_dos32

20140122202342_http___layer1_cpanel_net_latest

20140122202549_http___linux_duke_edu_projects_yum_download_2_0_yum_2_0_7_tar_gz

20140122202751_http___www_ehcp_net_ehcp_latest_tgz

20140201131804_http___www_suplementar_com_br_images_stories_goon_pooler_cpuminer_2_3_2_tar_gz

20140201152307_http___nemo_rdsor_ro_darwin_jpg

20140208081358_http___www_youtube_com_watch_v_6hVQs5ll064

20140208184835_http___sharplase_ru_x_txt

20140215141909_http___tenet_dl_sourceforge_net_project_cpuminer_pooler_cpuminer_2_3_2_tar_gz

20140215142830_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_tar_gz

20140219072721_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz

20140328031725_http___dl_dropboxusercontent_com_u_133538399_multi_py

20140409053322_http___www_c99php_com_shell_c99_rar

20140409053728_http___github_com_downloads_orbweb_PHP_SHELL_WSO_wso2_5_1_php

20140413130110_http___www_iphobos_com_hb_unixcod_rar

20140416194008_http___linux_help_bugs3_com_Camel_mail_txt

20140419143734_http___www_activestate_com_activeperl_downloads_thank_you_dl_http___downloads_activestate_com_ActivePerl_releases_5_18_2_1802_ActivePerl_5_18_2_1802_x86_64_linux_glibc_2_5_298023_tar_gz

20140419144043_http___ha_ckers_org_slowloris_slowloris_pl

20140420104056_http___downloads_metasploit_com_data_releases_archive_metasploit_4_9_2_linux_x64_installer_run

20140420104325_http___nmap_org_dist_nmap_6_46_1_i386_rpm

20140505073503_http___116_255_239_180_888_007

20140505093229_http___119_148_161_25_805_sd32

20140505111511_http___112_117_223_10_280_1

20140515091557_http___112_117_223_10_280__bash_6_phpmysql

20140519193800_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz

20140523120411_http___lemonjuice_tk_netcat_sh

20140610174516_http___59_63_183_193_280__etc_Test8888

20140614200901_http___kismetismy_name_ktx

20140625032113_http___ftp_mirrorservice_org_sites_ftp_wiretapped_net_pub_security_packet_construction_netcat_gnu_netcat_netcat_0_7_1_tar_gz

20140720005010_http___www_bl4ck_viper_persiangig_com_p8_localroots_2_6_x_cw7_3

To see the full source for some of the scripts downloaded by the attackers you can go to this Github Repo. A couple of my favorite ones.

TTY Replay Sessions:

My absolute favorite feature of Kippo is the ability to replay interactive sessions of attacker activity. Watching these replays gives us an idea of what attackers do once inside a session. For instance almost every session begins with a "w" which shows logged in users and uptime, and then a "uname -a" to show them system details. I made a Youtube series called The Kippo Kronicles a while back to showcase some of these sessions. While I don't have the time necessary to continue putting up videos for each session I have put the output of each session up at this Github Repo.

Here is a fun example:

AWSWeb:~# adduser

adduser: Only one or two names allowed.

AWSWeb:~# useradd

adduser: Only one or two names allowed.

AWSWeb:~# ls

AWSWeb:~# pwd

root

AWSWeb:~# cd /[1D[1P[1D[1P[1D[1P[1D[1Pcat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

proxy:x:13:13:proxy:/bin:/bin/sh

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/bin/sh

list:x:38:38:Mailing List Manager:/var/list:/bin/sh

irc:x:39:39:ircd:/var/run/ircd:/bin/sh

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

libuuid:x:100:101::/var/lib/libuuid:/bin/sh

richard:x:1000:1000:richard,,,:/home/richard:/bin/bash

sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin

AWSWeb:~# user

bash: user: command not found

AWSWeb:~# adduser obz

Adding user `obz' ...

Adding new group `obz' (1001) ...

Adding new user `obz' (1001) with group `obz' ...

Creating home directory `/home/obz' ...

Copying files from `/etc/skel' ...

Password:

Password again:

Changing the user information for obz

Enter the new value, or press ENTER for the default

Username []:

Must enter a value!

Username []: obz

Full Name []: l[1D[1Padmin obz

Room Number []: 1

Work Phone []: 1234567890

Home Phone []:

Must enter a value!

Home Phone []: 0

Mobile Phone []: 0

Country []: cn

City []: xang

Language []: mand

Favorite movie []: 1

Other []: 1

Is the information correct? [Y/n] y

ERROR: Some of the information you entered is invalid

Deleting user `obz' ...

Deleting group `obz' (1001) ...

Deleting home directory `/home/obz' ...

Try again? [Y/n] y

Changing the user information for obz

Enter the new value, or press ENTER for the default

Username []: obx

Full Name []: obx toor

Room Number []: 1

Work Phone []: 1[1D[1P9089543121

Home Phone []: 9089342135

Mobile Phone []: 9089439012

Country []: cn

City []: xang

Language []: man[1D[1P[1D[1P[1D[1Penglish

Favorite movie []: one

Other []: two[1D[1P[1D[1P[1D[1Pfour

Is the information correct? [Y/n] y

ERROR: Some of the information you entered is invalid

Deleting user `obz' ...

Deleting group `obz' (1001) ...

Deleting home directory `/home/obz' ...

Try again? [Y/n] n

AWSWeb:~# cat adduser obz user cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

proxy:x:13:13:proxy:/bin:/bin/sh

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/bin/sh

list:x:38:38:Mailing List Manager:/var/list:/bin/sh

irc:x:39:39:ircd:/var/run/ircd:/bin/sh

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

libuuid:x:100:101::/var/lib/libuuid:/bin/sh

richard:x:1000:1000:richard,,,:/home/richard:/bin/bash

sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin

AWSWeb:~# cat /etc/shadow

cat: /etc/shadow: No such file or directory

AWSWeb:~# /etc/init.d\[1D[1P[1D[1PD/ssh start

bash: /etc/init.D/ssh: command not found

AWSWeb:~# [K/etc/init.D/ssh start[1D[1D[1D[1D[1D[1D[1D[1D[1D[1D[1D[1Pd

bash: /etc/init.d/ssh: command not found

AWSWeb:~#

AWSWeb:~#

AWSWeb:~#

AWSWeb:~#

AWSWeb:~#

AWSWeb:~#

AWSWeb:~#

AWSWeb:~#

AWSWeb:~#

AWSWeb:~# exit

cConnection to server closed.

localhost:~# exit

Connection to server closed.

localhost:~# bye

bash: bye: command not found

localhost:~# exit

Connection to server closed.

localhost:~# admin

bash: admin: command not found

localhost:~# su

localhost:~# ls -l

drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .

drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..

drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags

-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo

drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude

-rw-r--r-- 1 root root 140 2009-11-06 11:09 .profile

-rw-r--r-- 1 root root 412 2009-11-06 11:09 .bashrc

localhost:~# pwd

/root

localhost:~# cd /

localhost:/# ls -l

drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .

drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..

drwxr-xr-x 1 root root 0 2009-11-20 08:19 sys

drwxr-xr-x 1 root root 4096 2009-11-08 15:42 bin

drwxr-xr-x 1 root root 4096 2009-11-06 11:08 mnt

drwxr-xr-x 1 root root 4096 2009-11-06 11:08 media

lrwxrwxrwx 1 root root 25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686

drwxr-xr-x 1 root root 4096 2009-11-06 11:09 opt

lrwxrwxrwx 1 root root 11 2009-11-06 11:08 cdrom -> /media/cdrom0

drwxr-xr-x 1 root root 4096 2009-11-06 11:08 selinux

drwxrwxrwx 1 root root 4096 2009-11-20 08:19 tmp

dr-xr-xr-x 1 root root 0 2009-11-20 08:19 proc

drwxr-xr-x 1 root root 4096 2009-11-08 15:41 sbin

drwxr-xr-x 1 root root 4096 2009-11-20 08:20 etc

drwxr-xr-x 1 root root 3200 2009-11-20 08:20 dev

drwxr-xr-x 1 root root 4096 2009-11-06 11:09 srv

lrwxrwxrwx 1 root root 28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686

drwxr-xr-x 1 root root 4096 2009-11-08 15:46 lib

drwxr-xr-x 1 root root 4096 2009-11-06 11:22 home

drwxr-xr-x 1 root root 4096 2009-11-06 11:09 var

drwxr-xr-x 1 root root 4096 2009-11-08 15:46 usr

drwxr-xr-x 1 root root 4096 2009-11-08 15:39 boot

drwxr-xr-x 1 root root 4096 2009-11-20 09:08 root

drwx------ 1 root root 16384 2009-11-06 11:08 lost+found

localhost:/# cd /home

localhost:/home# ls -l

ldrwxr-xr-x 1 root root 4096 2013-02-03 17:11 .

drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..

drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard

localhost:/home# exit

Connection to server closed.

localhost:~#

localhost:~#

localhost:~#

localhost:~#

localhost:~#

localhost:~#

localhost:~# ssh -D root@http://60.250.65.112/ 1337

The authenticity of host '60.250.65.112 (60.250.65.112)' can't be established.

RSA key fingerprint is 9d:30:97:8a:9e:48:0d:de:04:8d:76:3a:7b:4b:30:f8.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '60.250.65.112' (RSA) to the list of known hosts.

root@60.250.65.112's password:

Linux localhost 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686

Last login: Sat Feb 2 07:07:11 2013 from 192.168.9.4

localhost:~# uname -a

Linux localhost 2.6.24-2-generic #1 SMP Thu Dec 20 17:36:12 GMT 2007 i686 GNU/Linux

localhost:~# pwd

/root

localhost:~# cd /

localhost:/# ls -l

drwxr-xr-x 1 root root 4096 2013-02-03 17:19 .

drwxr-xr-x 1 root root 4096 2013-02-03 17:19 ..

drwxr-xr-x 1 root root 0 2009-11-20 08:19 sys

drwxr-xr-x 1 root root 4096 2009-11-08 15:42 bin

drwxr-xr-x 1 root root 4096 2009-11-06 11:08 mnt

drwxr-xr-x 1 root root 4096 2009-11-06 11:08 media

lrwxrwxrwx 1 root root 25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686

drwxr-xr-x 1 root root 4096 2009-11-06 11:09 opt

lrwxrwxrwx 1 root root 11 2009-11-06 11:08 cdrom -> /media/cdrom0

drwxr-xr-x 1 root root 4096 2009-11-06 11:08 selinux

drwxrwxrwx 1 root root 4096 2009-11-20 08:19 tmp

dr-xr-xr-x 1 root root 0 2009-11-20 08:19 proc

drwxr-xr-x 1 root root 4096 2009-11-08 15:41 sbin

drwxr-xr-x 1 root root 4096 2009-11-20 08:20 etc

drwxr-xr-x 1 root root 3200 2009-11-20 08:20 dev

drwxr-xr-x 1 root root 4096 2009-11-06 11:09 srv

lrwxrwxrwx 1 root root 28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686

drwxr-xr-x 1 root root 4096 2009-11-08 15:46 lib

drwxr-xr-x 1 root root 4096 2009-11-06 11:22 home

drwxr-xr-x 1 root root 4096 2009-11-06 11:09 var

drwxr-xr-x 1 root root 4096 2009-11-08 15:46 usr

drwxr-xr-x 1 root root 4096 2009-11-08 15:39 boot

drwxr-xr-x 1 root root 4096 2009-11-20 09:08 root

drwx------ 1 root root 16384 2009-11-06 11:08 lost+found

localhost:/# cd /root

localhost:~# ls -l

ldrwxr-xr-x 1 root root 4096 2013-02-03 17:19 .

drwxr-xr-x 1 root root 4096 2013-02-03 17:19 ..

drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags

-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo

drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude

-rw-r--r-- 1 root root 140 2009-11-06 11:09 .profile

-rw-r--r-- 1 root root 412 2009-11-06 11:09 .bashrc

localhost:~# cd /ho[1D[1P[1D[1P[1D[1P[1D[1P[1D[1P[1D[1Pcd /home/

localhost:/home# ls -l

drwxr-xr-x 1 root root 4096 2013-02-03 17:20 .

drwxr-xr-x 1 root root 4096 2013-02-03 17:20 ..

drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard

localhost:/home# exit

Connection to server closed.

localhost:~# exit

Connection to server closed.

localhost:~#

Conclusion:

After a year with Kippo, I have learned a lot about what these basic attackers do when connecting to seemingly open ssh hosts. There is plenty more to learn though. I have some plans on building out a larger honeypot infrastructure, and automating some of the data collection and parsing. Additionally I would like to spend more time analyzing the sessions and malware for further trends. I'll keep you all posted!

*Big thanks to Bruteforce Labs for their tools and expertise in honeypots.

Admin |

1 Comment |

tagged

Kippo,

Pipal,

honeypot,

python,

ssh in

News

Sunday

Nov182012

Connectusers Adobe Leak - 223 passwords in 2 seconds

Sunday, November 18, 2012 at 7:06PM

As most of you already know there is word of a leak involving Adobe's Connectusers forum. You can read more about this at The HNN. The important things to know in relation to this post is that 642 hashes have been released so far and the attacker claims to have 150,000 more to share. The attacker also released other information with these hashes such as name, title, phone, email, company, and username.

What I have done with the release is first strip out the data I don't want leaveing me with just the hashes.

cat adobe-leaks.txt | grep Password | cut -d: -f 2 >adobehashes

Now that I have a file with just the hashes, I ran hashcat against the hashes using a few wordlists.

root@bt:./hashcat-cli32.bin --output-file /root/leakedpasswords/ah3.out /root/leakedpasswords/adobehashes /pentest/passwords/wordlists/rockyou.txt /pentest/passwords/wordlists/darkc0de.lst /root/leakedpasswords/yahoopassesonly.txt

In less than 2 seconds, usin only those three wordlists I was able to extract 223 of the 642 passwords. I mention this because people who do not use these tools may not understand how fast and easy it can work.

Here is a small sampling of the hashes and passes:

a66edf0fea452ada254f5b9df1e06a37:3622125

db3b81e16cc975d2edcc1c4acf36e895:357008

49858a41a0d7d1d2e38b61513046403d:Daniel81

b23e8ea5a3a6ba0bd3ba22630ee3f153:8biggtoes

17120d69065bd6a1b6393c6e2db4174e:CDE#4rfv

c21435496168ad21cc9ba0a8e5542ec8:C0nn3ct

a4f2a54552dc5f7e1fecb1a3e9c94a59:2more2go

e20d81b83905638dbda34442b4703b4e:2925208

34e2d1989a1dbf75cd631596133ee5ee:Video

d4a6f575e71a416ff8894c6baae0ccd9:48jjfan

14dec073747d945943aaddc07a0d965e:Soccer_14

91381b03056102fcfe5538f87721e144:@WSX4rfv

6a4de56cfde1980ea9667ef3bfb77d54:9982d26

9508cbf2647fd5a5cb23fe3a524c8cc3:Heidi123

cbbd41ba72c93d17f17f2a484295b221:404526

55d7443eeb55ed7786fa89a2cc1bf446:Pass123Word

d4af0320ac68d2b8ad0f8e5faa5a1977:mdnite

11a7a5d55a91adb201e113967eff93fe:collaboration

826805d5bdaa87a3b9c7ead9027a3067:aftereffects

71f698950c9cdadc3d19bb7411177a78:Adobe

952f9dc3ad0b4c8f94de8ec75f8daeb3:trek930

d05a718ceb3cc5c368cc166729c7c7cb:Tanner07

f896dcdeb0ca7d797b439624b0e04ffe:inciner8

The full list can be downloaded here.

So, since I just did a TekTip episode on Pipal I figured I should run the output against there as well.

cat ah.out | cut -d: -f2 > ahpassesonly

./pipal.rb ~/leakedpasswords/ahpassesonly -o ahanalysis.txt

Here are the pipal results

Total entries = 538

Total unique entries = 223

Top 10 passwords

letmein = 3 (0.56%)

lighthouse = 3 (0.56%)

fisher = 3 (0.56%)

popper = 3 (0.56%)

carefree = 3 (0.56%)

stanley = 3 (0.56%)

Video = 3 (0.56%)

Winston = 3 (0.56%)

louie = 3 (0.56%)

manish = 3 (0.56%)

Top 10 base words

buster = 6 (1.12%)

adobe = 6 (1.12%)

marina = 5 (0.93%)

soccer = 5 (0.93%)

connect = 5 (0.93%)

jonathan = 3 (0.56%)

video = 3 (0.56%)

winston = 3 (0.56%)

louie = 3 (0.56%)

manish = 3 (0.56%)

Password length (length ordered)

5 = 29 (5.39%)

6 = 174 (32.34%)

7 = 130 (24.16%)

8 = 128 (23.79%)

9 = 45 (8.36%)

10 = 21 (3.9%)

11 = 5 (0.93%)

12 = 3 (0.56%)

13 = 3 (0.56%)

Password length (count ordered)

6 = 174 (32.34%)

7 = 130 (24.16%)

8 = 128 (23.79%)

9 = 45 (8.36%)

5 = 29 (5.39%)

10 = 21 (3.9%)

11 = 5 (0.93%)

12 = 3 (0.56%)

13 = 3 (0.56%)

|

|

|

|

|||

|||

|||

|||

|||

|||

|||

||||

||||

|||||

||||||

|||||||||||||||

000000000011111

012345678901234

One to six characters = 203 (37.73%)

One to eight characters = 461 (85.69%)

More than eight characters = 77 (14.31%)

Only lowercase alpha = 302 (56.13%)

Only uppercase alpha = 3 (0.56%)

Only alpha = 305 (56.69%)

Only numeric = 29 (5.39%)

First capital last symbol = 2 (0.37%)

First capital last number = 19 (3.53%)

Months

june = 2 (0.37%)

november = 2 (0.37%)

Days

None found

Months (Abreviated)

mar = 12 (2.23%)

jun = 2 (0.37%)

nov = 2 (0.37%)

Days (Abreviated)

mon = 5 (0.93%)

sat = 2 (0.37%)

sun = 2 (0.37%)

Includes years

1979 = 2 (0.37%)

1989 = 2 (0.37%)

2002 = 4 (0.74%)

2007 = 2 (0.37%)

Years (Top 10)

2002 = 4 (0.74%)

1979 = 2 (0.37%)

1989 = 2 (0.37%)

2007 = 2 (0.37%)

Colours

orange = 2 (0.37%)

red = 8 (1.49%)

white = 3 (0.56%)

Single digit on the end = 52 (9.67%)

Two digits on the end = 57 (10.59%)

Three digits on the end = 19 (3.53%)

Last number

0 = 11 (2.04%)

1 = 45 (8.36%)

2 = 16 (2.97%)

3 = 24 (4.46%)

4 = 6 (1.12%)

5 = 14 (2.6%)

6 = 13 (2.42%)

7 = 11 (2.04%)

8 = 13 (2.42%)

9 = 14 (2.6%)

|

|

|

|

|

|

|

| |

| |

| |

|||

||| || ||

|||| |||||

||||||||||

||||||||||

||||||||||

0123456789

Last digit

1 = 45 (8.36%)

3 = 24 (4.46%)

2 = 16 (2.97%)

5 = 14 (2.6%)

9 = 14 (2.6%)

6 = 13 (2.42%)

8 = 13 (2.42%)

0 = 11 (2.04%)

7 = 11 (2.04%)

4 = 6 (1.12%)

Last 2 digits (Top 10)

23 = 16 (2.97%)

99 = 6 (1.12%)

12 = 6 (1.12%)

08 = 6 (1.12%)

25 = 6 (1.12%)

56 = 5 (0.93%)

13 = 4 (0.74%)

14 = 4 (0.74%)

66 = 4 (0.74%)

02 = 4 (0.74%)

Last 3 digits (Top 10)

123 = 14 (2.6%)

002 = 4 (0.74%)

456 = 3 (0.56%)

388 = 2 (0.37%)

085 = 2 (0.37%)

989 = 2 (0.37%)

900 = 2 (0.37%)

110 = 2 (0.37%)

966 = 2 (0.37%)

325 = 2 (0.37%)

Last 4 digits (Top 10)

2002 = 4 (0.74%)

3456 = 3 (0.56%)

2898 = 2 (0.37%)

1085 = 2 (0.37%)

1989 = 2 (0.37%)

6900 = 2 (0.37%)

6966 = 2 (0.37%)

2325 = 2 (0.37%)

3388 = 2 (0.37%)

2007 = 2 (0.37%)

Last 5 digits (Top 10)

23456 = 3 (0.56%)

12898 = 2 (0.37%)

61085 = 2 (0.37%)

26900 = 2 (0.37%)

16966 = 2 (0.37%)

52325 = 2 (0.37%)

13388 = 2 (0.37%)

52963 = 2 (0.37%)

55225 = 2 (0.37%)

11979 = 2 (0.37%)

US Area Codes

456 = Inbound International (--)

989 = Upper central Michigan: Mt Pleasant, Saginaw (MI)

900 = US toll calls -- prices vary with the number called (--)

325 = Central Texas: Abilene, Sweetwater, Snyder, San Angelo (TX)

Character sets

loweralpha: 302 (56.13%)

loweralphanum: 149 (27.7%)

numeric: 29 (5.39%)

mixedalphanum: 23 (4.28%)

mixedalpha: 18 (3.35%)

mixedalphaspecialnum: 12 (2.23%)

upperalpha: 3 (0.56%)

mixedalphaspecial: 2 (0.37%)

Character set ordering

allstring: 323 (60.04%)

stringdigit: 132 (24.54%)

alldigit: 29 (5.39%)

stringdigitstring: 24 (4.46%)

othermask: 18 (3.35%)

digitstring: 6 (1.12%)

stringspecial: 2 (0.37%)

digitstringdigit: 2 (0.37%)

stringspecialdigit: 2 (0.37%)

Hashcat masks (Top 10)

?l?l?l?l?l?l: 120 (22.3%)

?l?l?l?l?l?l?l: 71 (13.2%)

?l?l?l?l?l?l?l?l: 56 (10.41%)

?l?l?l?l?l?l?d?d: 22 (4.09%)

?l?l?l?l?l: 18 (3.35%)

?l?l?l?l?l?l?l?l?l: 17 (3.16%)

?d?d?d?d?d?d: 17 (3.16%)

?l?l?l?l?l?l?l?d: 15 (2.79%)

?l?l?l?l?l?d?d: 12 (2.23%)

?l?l?l?l?l?l?l?l?l?l: 11 (2.04%)

Admin |

TekTip ep14 - Pipal Password Analysis of Yahoo password dump

Sunday, November 18, 2012 at 2:25PM

Last week are good friends over at Bruteforce Labs posted a quick tutorial for Pipal. I figured the TekDefense user base may also benefit from this tool.

Pipal @ DigiNinja

Description: A password analysis tool that gives relevant statistics of passwords given a password dump.

Uses: Analyze password trends, create better wordlists, educate users

Installation:

Pipal on Github

*Requires Ruby1.9.x

*BT5 comes with pipal 1.0. Update Pipal if on Backtrack to 2.0

Usage:

1. First you will need a password dump to play with. There are several out in the wild. You can find some here:

http://www.skullsecurity.org/wiki/index.php/Passwords

For my demo I will use the recent (kinda) Yahoo dump

2. Get the file ready for pipal:

You only want the passwords in a file for Pipal, cut out the rest.

cat yahoousersandpass.txt | cut -d: -f 3 > yahoopassesonly.txt

3. Run Pipal:

./pipal.rb ~/leakedpasswords/yahoopassesonly.txt -o yahoodemo

4. Analyze results

We analyzed 442837 passwords in this dump!

Total entries = 442837

Total unique entries = 342509

Here we see some pretty standard bad passwords:

Top 10 passwords

123456 = 1667 (0.38%)

password = 780 (0.18%)

welcome = 437 (0.1%)

ninja = 333 (0.08%)

abc123 = 250 (0.06%)

123456789 = 222 (0.05%)

12345678 = 208 (0.05%)

sunshine = 205 (0.05%)

princess = 202 (0.05%)

qwerty = 172 (0.04%)

Base passwords are password that contain a word but are not only that word:

Top 10 base words

password = 1374 (0.31%)

welcome = 535 (0.12%)

qwerty = 464 (0.1%)

monkey = 430 (0.1%)

jesus = 429 (0.1%)

love = 421 (0.1%)

money = 407 (0.09%)

freedom = 385 (0.09%)

ninja = 380 (0.09%)

sunshine = 367 (0.08%)

As we see in most password dumps, most people go with 8 character passwords. This is a common requirement, and has been drilled into people for a while now, so no surprise there. 116 people had a 1 character password though? I usually don't try passwords less than 4 characters when I password crack, guess I might need to bring them back in.

Password length (length ordered)

1 = 116 (0.03%)

2 = 70 (0.02%)

3 = 302 (0.07%)

4 = 2748 (0.62%)

5 = 5324 (1.2%)

6 = 79629 (17.98%)

7 = 65610 (14.82%)

8 = 119133 (26.9%)

9 = 65964 (14.9%)

10 = 54759 (12.37%)

11 = 21218 (4.79%)

12 = 21729 (4.91%)

13 = 2657 (0.6%)

14 = 1492 (0.34%)

15 = 837 (0.19%)

16 = 568 (0.13%)

17 = 262 (0.06%)

18 = 125 (0.03%)

19 = 88 (0.02%)

20 = 177 (0.04%)

21 = 10 (0.0%)

22 = 7 (0.0%)

23 = 2 (0.0%)

24 = 2 (0.0%)

27 = 1 (0.0%)

28 = 4 (0.0%)

29 = 2 (0.0%)

30 = 1 (0.0%)

Password length (count ordered)

8 = 119133 (26.9%)

6 = 79629 (17.98%)

9 = 65964 (14.9%)

7 = 65610 (14.82%)

10 = 54759 (12.37%)

12 = 21729 (4.91%)

11 = 21218 (4.79%)

5 = 5324 (1.2%)

4 = 2748 (0.62%)

13 = 2657 (0.6%)

14 = 1492 (0.34%)

15 = 837 (0.19%)

16 = 568 (0.13%)

3 = 302 (0.07%)

17 = 262 (0.06%)

20 = 177 (0.04%)

18 = 125 (0.03%)

1 = 116 (0.03%)

19 = 88 (0.02%)

2 = 70 (0.02%)

21 = 10 (0.0%)

22 = 7 (0.0%)

28 = 4 (0.0%)

23 = 2 (0.0%)

24 = 2 (0.0%)

29 = 2 (0.0%)

30 = 1 (0.0%)

27 = 1 (0.0%)

|

|

|

|

|

| |

| |

||||

|||||

|||||

|||||

|||||

|||||

|||||||

|||||||

||||||||||||||||||||||||||||||||

00000000001111111111222222222233

01234567890123456789012345678901

One to six characters = 88189 (19.91%)

One to eight characters = 272932 (61.63%)

More than eight characters = 169905 (38.37%)

66% only used lowercase alpha characters or only used numbers.

Only lowercase alpha = 146516 (33.09%)

Only uppercase alpha = 1778 (0.4%)

Only alpha = 148294 (33.49%)

Only numeric = 26081 (5.89%)

A common trend is for people to capitalize the first character, or add a number or special character to the end of a password.

First capital last symbol = 1259 (0.28%)

First capital last number = 17467 (3.94%)

While months were used in passwords a decent amount in this dump, it doesn't look like days made up many of them.

Months

january = 106 (0.02%)

february = 30 (0.01%)

march = 192 (0.04%)

april = 284 (0.06%)

may = 725 (0.16%)

june = 386 (0.09%)

july = 245 (0.06%)

august = 238 (0.05%)

september = 68 (0.02%)

october = 182 (0.04%)

november = 154 (0.03%)

december = 130 (0.03%)

Days

monday = 48 (0.01%)

tuesday = 15 (0.0%)

wednesday = 9 (0.0%)

thursday = 18 (0.0%)

friday = 47 (0.01%)

saturday = 6 (0.0%)

sunday = 30 (0.01%)

Months (Abreviated)

jan = 1007 (0.23%)

feb = 172 (0.04%)

mar = 4719 (1.07%)

apr = 472 (0.11%)

may = 725 (0.16%)

jun = 798 (0.18%)

jul = 656 (0.15%)

aug = 504 (0.11%)

sept = 184 (0.04%)

oct = 425 (0.1%)

nov = 519 (0.12%)

dec = 404 (0.09%)

Days (Abreviated)

mon = 4431 (1.0%)

tues = 16 (0.0%)

wed = 212 (0.05%)

thurs = 29 (0.01%)

fri = 479 (0.11%)

sat = 365 (0.08%)

sun = 1237 (0.28%)

Another common trend is for users to add the year of their birth, or wedding, or the current year to their password. While it may be surprising that 2010, 2011, and 2012 didn't have many hits if you take the source into account it makes sense. The Yahoo dump comes from an old database that was used as part of a migration for a company that Yahoo bought call Associated Content. This purchase occurred in 2010.

Includes years

1975 = 255 (0.06%)

1976 = 266 (0.06%)

1977 = 278 (0.06%)

1978 = 332 (0.07%)

1979 = 339 (0.08%)

1980 = 353 (0.08%)

1981 = 331 (0.07%)

1982 = 359 (0.08%)

1983 = 338 (0.08%)

1984 = 392 (0.09%)

1985 = 367 (0.08%)

1986 = 361 (0.08%)

1987 = 413 (0.09%)

1988 = 360 (0.08%)

1989 = 401 (0.09%)

1990 = 304 (0.07%)

1991 = 276 (0.06%)

1992 = 251 (0.06%)

1993 = 218 (0.05%)

1994 = 202 (0.05%)

1995 = 147 (0.03%)

1996 = 171 (0.04%)

1997 = 140 (0.03%)

1998 = 155 (0.04%)

1999 = 189 (0.04%)

2000 = 617 (0.14%)

2001 = 404 (0.09%)

2002 = 404 (0.09%)

2003 = 345 (0.08%)

2004 = 424 (0.1%)

2005 = 496 (0.11%)

2006 = 572 (0.13%)

2007 = 765 (0.17%)

2008 = 1145 (0.26%)

2009 = 1052 (0.24%)

2010 = 339 (0.08%)

2011 = 92 (0.02%)

2012 = 130 (0.03%)

2013 = 50 (0.01%)

2014 = 28 (0.01%)

2015 = 24 (0.01%)

2016 = 25 (0.01%)

2017 = 26 (0.01%)

2018 = 33 (0.01%)

2019 = 84 (0.02%)

2020 = 163 (0.04%)

Years (Top 10)

2008 = 1145 (0.26%)

2009 = 1052 (0.24%)

2007 = 765 (0.17%)

2000 = 617 (0.14%)

2006 = 572 (0.13%)

2005 = 496 (0.11%)

2004 = 424 (0.1%)

1987 = 413 (0.09%)

2001 = 404 (0.09%)

2002 = 404 (0.09%)

Red and Blue make up the majority of colors in the passwords.

Colours

black = 706 (0.16%)

blue = 1143 (0.26%)

brown = 221 (0.05%)

gray = 76 (0.02%)

green = 655 (0.15%)

orange = 250 (0.06%)

pink = 357 (0.08%)

purple = 346 (0.08%)

red = 2202 (0.5%)

white = 244 (0.06%)

yellow = 228 (0.05%)

violet = 66 (0.01%)

indigo = 35 (0.01%)

As stated previously, people tend to tack numbers and special characters at the end of passwords. These statistics support that theory.

Single digit on the end = 47391 (10.7%)

Two digits on the end = 73640 (16.63%)

Three digits on the end = 31095 (7.02%)

Last number

0 = 17553 (3.96%)

1 = 46694 (10.54%)

2 = 24623 (5.56%)

3 = 29232 (6.6%)

4 = 17692 (4.0%)

5 = 17405 (3.93%)

6 = 17885 (4.04%)

7 = 20402 (4.61%)

8 = 17847 (4.03%)

9 = 19919 (4.5%)

|

|

|

|

|

| |

| |

|||

|||

||||| ||||

||||||||||

||||||||||

||||||||||

||||||||||

||||||||||

||||||||||

0123456789

Last digit

1 = 46694 (10.54%)

3 = 29232 (6.6%)

2 = 24623 (5.56%)

7 = 20402 (4.61%)

9 = 19919 (4.5%)

6 = 17885 (4.04%)

8 = 17847 (4.03%)

4 = 17692 (4.0%)

0 = 17553 (3.96%)

5 = 17405 (3.93%)

Last 2 digits (Top 10)

23 = 12364 (2.79%)

12 = 6416 (1.45%)

11 = 5476 (1.24%)

01 = 5097 (1.15%)

00 = 4098 (0.93%)

21 = 3669 (0.83%)

08 = 3627 (0.82%)

07 = 3598 (0.81%)

22 = 3587 (0.81%)

13 = 3548 (0.8%)

Last 3 digits (Top 10)

123 = 9446 (2.13%)

456 = 2443 (0.55%)

234 = 2160 (0.49%)

007 = 1477 (0.33%)

000 = 1268 (0.29%)

008 = 1150 (0.26%)

009 = 1086 (0.25%)

111 = 1056 (0.24%)

777 = 980 (0.22%)

101 = 895 (0.2%)

Last 4 digits (Top 10)

3456 = 2151 (0.49%)

1234 = 1968 (0.44%)

2008 = 1033 (0.23%)

2009 = 927 (0.21%)

2345 = 750 (0.17%)

2007 = 674 (0.15%)

2000 = 535 (0.12%)

2006 = 502 (0.11%)

1111 = 436 (0.1%)

2005 = 436 (0.1%)

Last 5 digits (Top 10)

23456 = 2121 (0.48%)

12345 = 724 (0.16%)

56789 = 316 (0.07%)

45678 = 305 (0.07%)

11111 = 269 (0.06%)

34567 = 231 (0.05%)

54321 = 197 (0.04%)

00000 = 162 (0.04%)

99999 = 150 (0.03%)

23123 = 132 (0.03%)

Most popular area codes based ont the 3 character numbers found.

US Area Codes

456 = Inbound International (--)

234 = NE Ohio: Canton, Akron (OH)

Now here is some data that can be directly applied to password cracking.

Character sets

loweralphanum: 224095 (50.6%)

loweralpha: 146516 (33.09%)

numeric: 26081 (5.89%)

mixedalphanum: 23238 (5.25%)

loweralphaspecialnum: 6070 (1.37%)

mixedalpha: 5122 (1.16%)

upperalphanum: 3416 (0.77%)

mixedalphaspecialnum: 3340 (0.75%)

loweralphaspecial: 2079 (0.47%)

upperalpha: 1778 (0.4%)

mixedalphaspecial: 486 (0.11%)

upperalphaspecialnum: 222 (0.05%)

specialnum: 188 (0.04%)

upperalphaspecial: 46 (0.01%)

special: 16 (0.0%)

Character set ordering

stringdigit: 185323 (41.85%)

allstring: 153416 (34.64%)

alldigit: 26081 (5.89%)

othermask: 25117 (5.67%)

digitstring: 24962 (5.64%)

stringdigitstring: 18677 (4.22%)

digitstringdigit: 4648 (1.05%)

stringspecialdigit: 2359 (0.53%)

stringspecial: 1111 (0.25%)

stringspecialstring: 833 (0.19%)

specialstringspecial: 168 (0.04%)

specialstring: 126 (0.03%)

allspecial: 16 (0.0%)

Hashcat masks (Top 10)

?l?l?l?l?l?l: 40693 (9.19%)

?l?l?l?l?l?l?l?l: 32439 (7.33%)

?l?l?l?l?l?l?l: 29129 (6.58%)

?l?l?l?l?l?l?d?d: 20316 (4.59%)

?l?l?l?l?l?l?l?l?l: 16185 (3.65%)

?l?l?l?l?l?l?l?l?d?d: 12632 (2.85%)

?d?d?d?d?d?d: 12583 (2.84%)

?l?l?l?l?l?l?l?d: 10620 (2.4%)

?l?l?l?l?l?l?l?l?l?l: 10310 (2.33%)

?l?l?l?l?l?l?l?d?d: 10281 (2.32%)

1aN0rmus@tekdefense.com

http://www.securitytube.net/user/1aN0rmus

www.youtube.com/user/TekDefense

Admin |

Links

Entries in Pipal (3)

Over a year with Kippo

General Stats:

Passwords:

Downloads:

TTY Replay Sessions:

Conclusion:

Connectusers Adobe Leak - 223 passwords in 2 seconds

TekTip ep14 - Pipal Password Analysis of Yahoo password dump