News: Advanced Cracking Techniques, Part 2: Intelligent Bruteforcing

Following the first part in this series on advanced cracking techniques, we are going to go over how we can intelligently crack passwords using the old-fashioned bruteforce method. These unique cracking techniques aren't widely used, because most crackers are Script Kiddies who have no idea what the concepts are behind cracking passwords, thus, word won't get around too quickly.

You are probably curious how you could improve bruteforce methods. The concept behind standard bruteforcing is simple. A program is created that can calculate password hashes very quickly, and then using a character set, the program computes the hashes by creating every possible combination of characters in their respective order.

This is exactly what we are going to exploit. Using a bit more math, let's dive into how we can drastically improve the speed of bruteforce cracking to the point where a Python program (which is notably slower for intense computation) can crack a hashed password at a considerable speed.

Requirements

• A program to crack passwords with, preferably Hashcat
• Python installed on your computer

Intelligent Bruteforce Cracking

In order to speed up bruteforcing, we need to play with some math and statistics. The most commonly used letters in the English dictionary go as follows:

    etaoinshrdlucmfwypvbgkqjxz

Using some Python code created by Null Byte moderator Sol Gates, we can feed a text file into the program and it will sort the letters by postition frequency.

| a: % 12.3 | | e: % 11.3 | | i: % 8.92 | | n: % 8.48 | | r: % 6.42 |
| l: % 6.1 | | o: % 4.32 | | t: % 3.68 | | s: % 3.02 | | h: % 2.63 |
| y: % 2.58 | | d: % 2.42 | | u: % 2.06 | | M: % 1.6 | | m: % 1.59 |
| A: % 1.43 | | C: % 1.33 | | c: % 1.32 | | S: % 1.27 | | g: % 1.07 |
| L: % 1.05 | | D: % 0.959 | | b: % 0.953 | | J: % 0.934 | | k: % 0.926 |
| R: % 0.899 | | K: % 0.881 | | B: % 0.817 | | E: % 0.737 | | E: % 0.737 |
| G: % 0.704 | | v: % 0.681 | | H: % 0.607 | | N: % 0.576 | | P: % 0.537 |
| F: % 0.488 | | p: % 0.453 | | V: % 0.379 | | z: % 0.372 | | f: % 0.352 |
| w: % 0.319 | | j: % 0.3 | | W: % 0.298 | | I: % 0.284 | | O: % 0.212 |
| Y: % 0.21 | | Z: % 0.15 | | x: % 0.124 | | q: % 0.103 | | U: %0.0622 |
| Q: %0.0447 | | X: %0.0292 |

Since this character set is ordered by using the most common characters first, this will mess with the likelihood of the password by guessing the most likely letters first. By feeding this character set into whatever program we are using to bruteforce, we effectively lower the time it takes to crack the password.

To exploit this even further, we can start trimming letters off the end of our optimized character set. The last 5 characters can definitely go. They are so rarely used that it's almost guranteed that it won't be in the password you are cracking. You can also try trimming the last 12 letters off of the character set. The likelihood of you still having all of the characters you need is 80%.

    etaoinshrdlucm

Let's get intense. To exploit this even further, let's start finding out the frequency of characters in static positions. What I mean by that is: what the most likely letter is in the first position, the second and so on.

Here's what we end up with for frequencies of the first character of any given word:

a 11.602% | b 4.702% | c 3.511% | d 2.670% | e 2.000% | f 3.779% | g 1.950% | h 7.232%
i 6.286% | j 0.631% | k 0.690% | l 2.705% | m 4.374% | n 2.365% | o 6.264% | p 2.545%
q 0.173% | r 1.653% | s 7.755% | t 16.671% | u 1.487% | v 0.619% | w 6.661% | x 0.005%
y 1.620% | z 0.050%

In order:

    tashwiobmfcldpnegryukjvqzx

If you calculate the frequency of letters in each position, you can make an incredibly optimized cracking algorithm using bruteforcing. To make it even more ridiculous, you could create a program to take the most likely letters and their positions, then compare it to actual English words. This would result in a word list that actually has the most likely passwords that someone would use in their correct order.

Want more Null Byte?

• Post to the forums
• Chat on IRC
• Follow on Twitter
• Circle on Google+