Thursday, May 31, 2012

Using twitter to build password cracking wordlist

This is going to be a quick one. We're going to show how to use twitter to build a word list for cracking passwords.
We'll use John the Ripper, and as a target we'll use the MilitarySingles.com md5 password hashes that were released by the artist formerly known as lulzsec.

First, let's hack out a quick script that will get relevant tweets for us. And yes, I use a lot of tabs. And I know I can do this cleaner... I'm in a get it done quick mood.
(EDIT: thanks to Supercow1127 and TheShadowFog for pointing out better ways to deal with JSON. See jshon, jsawk, etc).
The script will connect to twitter and get 500 tweets for the term supplied, then barf back all the words from those tweets in a list for us. Next we are going to pass the script some words that might be relevant to our target.

After we sort the list out, we're left with 4400 unique words.

Let's try those words against our hashes and see how many of them are used as passwords. We'll use the --rules option so that it mangles up various permutations of each word.

And here come the passwords..... (scrolled off the screen)

So, from our word list of 4400 words, we yielded 1978 passwords. Let me say that again...
FROM OUR WORD LIST OF 4400 WORDS, WE YIELDED 1978 PASSWORDS!

And that's 1978 unique passwords. The number of accounts we actually cracked with those 1978 passwords is even more than 4400 accounts, because many accounts share the same password, and with the mangling rules John tries ~300 mutations of each word in the list (semperfi gives us semperFi, semperfi1, semperfi123, etc.).

This is a very small example of what can be done to generate more relevant password lists using twitter/websites/social media to supply you with the related words. Download john, hash your passwords, build a list of words relevant to your organization, and test the security of your passwords. Heck, we haven't even started talking about GPUs and oclhashcat, but we'll leave that for another time.
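The post's own script was pulled from Twitter's old unauthenticated JSON search, which no longer exists (see the last comment below), and the script itself is not reproduced on this page. The following is an added example, not the post's code: it performs the local half of the procedure described above (tokenize tweet text, de-duplicate into a wordlist, and expand each word with a handful of John-style case and suffix rules) and then uses that wordlist the way the closing paragraph recommends, as a check that an organization can run against its own password choices. The input is a constructed sample; the `"text"` field layout is an assumption, not the real API format; the mangling rules are a small hand-picked stand-in for John's `--rules`, not its actual ruleset; and the `with_bigrams` option joins adjacent tokens (`"semper fi"` becomes `semperfi`), which goes a little beyond the post to cover the word-combination idea raised in the comments.

```python
"""Added example, not the post's own script: turn tweet text into a wordlist
of organization-relevant words, then use it to reject passwords derived from
those words. Twitter's old unauthenticated JSON search that the post relied on
no longer exists, so the tweets below are a constructed sample and the "text"
field layout is an assumption, not the real API format."""
import json
import re

# Constructed sample input (not real tweets).
SAMPLE_TWEETS_JSON = json.dumps([
    {"text": "Semper Fi to all my brothers at Camp Lejeune! #usmc #oorah"},
    {"text": "Deployment over, finally home. Hooah! @army_wife"},
    {"text": "Navy life: anchors aweigh, liberty call tonight http://t.co/abc"},
    {"text": "oorah oorah OORAH - devil dogs never quit"},
    {"text": "RT @milspouse: missing my sailor, 3 more months"},
])

TOKEN_RE = re.compile(r"[a-z]{2,}")


def tokenize(text: str) -> list:
    """Lowercase a tweet, drop URLs and @mentions, return alphabetic tokens in order."""
    text = text.lower()
    text = re.sub(r"https?://\S+", " ", text)  # links carry no password-like words
    text = re.sub(r"@\w+", " ", text)          # mentions are usernames, not vocabulary
    return TOKEN_RE.findall(text)


def build_wordlist(tweets_json: str, min_len: int = 3, with_bigrams: bool = False) -> list:
    """Return a sorted, de-duplicated wordlist (the post's sort/uniq step).
    with_bigrams=True also joins each pair of adjacent tokens ('semper fi' ->
    'semperfi'), the word-combination idea raised in the comments."""
    words = set()
    for tweet in json.loads(tweets_json):
        toks = tokenize(tweet.get("text", ""))
        words.update(t for t in toks if len(t) >= min_len)
        if with_bigrams:
            for a, b in zip(toks, toks[1:]):
                joined = a + b
                if len(joined) >= 6:  # skip junk like 'toall'
                    words.add(joined)
    return sorted(words)


# A small hand-picked subset standing in for John's --rules (assumption: this
# is not John's actual ruleset, which produces far more mutations per word).
SUFFIXES = [""] + list("0123456789") + ["123", "!", "1!", "2012"]


def mangle(word: str) -> set:
    """Return the case/suffix variants of one wordlist entry (3 cases x 15 suffixes)."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    return {b + s for b in bases for s in SUFFIXES}


def check_password(candidate: str, wordlist: list):
    """Password-change-time check: return the wordlist word a candidate password
    is derived from, or None if no mangled variant matches."""
    for word in wordlist:
        if candidate in mangle(word):
            return word
    return None


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_TWEETS_JSON, with_bigrams=True)
    print(len(words), "words, e.g.", words[:5])
    for pw in ("Oorah123", "semperfi1", "correcthorsebattery"):
        print(pw, "->", check_password(pw, words))
```

Feeding a real corpus (your organization's public posts, product names, site jargon) into `build_wordlist` and wiring `check_password` into the password-change path catches exactly the "relevant word plus a digit" choices the post cracked in bulk, without ever needing the hashes.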

Until next time, if you're going to hack, hack effectively.



And props to Kevin Young. Thanks for all the lengthy discussions about password security. I truly enjoy picking your brain.

32 comments:

  1. Pretty good! I don't usually read blogs but I guess I'll subscribe lol.

  2. Good lord.... that's pretty damned effective!

  3. It would be interesting to see how effective the words from twitter were by themselves, without the targeted keywords.

    Replies
    1. I agree. The idea that there's an increase in efficiency for single words over a standard random wordlist would be shown out in the differences between targeted twitter searches and random searches. I do think there are other cool things you can do with this sort of thing, such as finding word combinations that people commonly use. Coming up with the password iloveJustinBeiber2010 wouldn't really be that easy by just mangling an entire dictionary of words together, but by searching twitter for strings (I think) you could really increase your chances.

    2. Yes! I think so too, re finding commonly used word combinations. Here's an idea: Identify a subset of users that generates a decent amount of Twitter traffic, and has a strong thematic commonality. That is exactly what you did here. Harvest the content over a 6-month interval. That forms a corpus of all-English language text. Unstructured text analysis programs are common. They aren't so great for inferring complex behavioral trends. But current text analytics algorithms should be more than adequate for finding 2 or 3-word combo's as likely passwords!

      Are you familiar with the Google N-gram Viewer? 2-word combo's are bi-gram's, 3 words are tri-gram's, thus "n-gram". Stray thought: Use the N-gram Viewer to find UserID-password combo's. Use a good text corpus e.g. single military service people's Twitter content.

  4. I'm doing the same with RSS feeds, compiling Country/Topic specific Wordlists is very comfortable that way.
    Language specific dumps of wikipedia, if sorted by wordlength, work very well too.

  5. This was interesting. I have a really large wordlist and I was interested in what words the twitter search found that weren't already in my wordlist and that also resulted in a successful crack of another md5 hash. I got 24,197 of them from my own word list but there were eight that only came from the twitter search terms used in this post and most look like military terms or military slang. Thanks for the interesting diversion.

  6. That is exactly it Joel, thanks for the comment. This is definitely not the way to generate your main wordlists, but it really does turn up great words (or word combinations) that you won't find in a normal wordlist, and that is current and relevant. It's that jargon, slang, etc. that helps with those harder-to-reach passwords.

  7. It might be even more productive at getting industry specific words by adding a bit of recursion. Do your first search and then search again with any words found that are not already in your master wordlist. That way terms you thought of can lead you to jargon or slang that you are not familiar with personally but are to a person in the industry or group.

    Replies
    1. Yes, it does work quite well recursively. I was doing a bit of that already, but I figured I'd keep it simple for this post and let others build on it. Nice thinking. ;)

  8. This comment has been removed by the author.

  9. Hello guys,

    I was wondering if there was any way to make a wordlist using twitter usernames only? I think that could be more than helpful to find passwords made of name+numbers or noun+numbers.

    Indeed, I noticed that of all the WPA passphrases that I've managed to crack thanks to gigantic dictionaries, a vast majority of those passwords were actually used as twitter usernames. ex: xavier1401, popolopopopopo etc.

    Any ideas?

    Cheers

    Replies
    1. That's a great idea, and I'm sure there's a way. There are lists of facebook usernames floating around that make good password cracking dictionaries as well.

  10. Joshua

    Quick one as I am trying to understand this and I am a bit of a rookie. Where did you get the militarysingles hashes from?

    Replies
    1. The hashes were released publicly by a hacker group claiming to be Lulzsec. When hashes are released publicly (like the linkedin ones this week) you can usually find them by googling around a bit. Get em while they're hot, sometimes they become hard to find later.

  11. This comment has been removed by a blog administrator.

  12. OK so you used twitter and john the ripper to create a unique password list. Clever, I get it, but where does the Militarysingles.com password hash come into play?

    Replies
    1. The point of using twitter rather than a standard huge dictionary is to be more targeted. Gotta have a target picked out to be targeted. :)
      Hence the military and dating related keywords I searched for....

  13. Well... I suggest replacing wget with curl. When you do that you can make it one line, for example as an alias, and then you don't have a tempfile.

    Replies
    1. "And I know I can do this cleaner... I'm in a get it done quick mood."

  14. Just wondering, how could you modify this to grab words from a specific twitter log....or even a different website such as facebook, google+ or wikipedia

  15. This comment has been removed by the author.

  16. Great Stuff Joshua

    May I suggest to grab your 1400 words, run a calc_stat and then do a --markov220:0:0:12 --stdout > myfile.txt

    I had surprisingly good results with the Markov chains.

  17. I've copied this exactly and I get a "no such file or directory" error when I try to run the script? Neat idea btw!

  18. This is my first time visiting here. I found so many entertaining stuff in your blog, especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the leisure here! Keep up the excellent work. Buy twitter followers

  19. Your blog is nice keep posting very informative post. Buy Youtube Views

  20. wow no wonder best engineer are creators of big websites like social media, twitter, people should start sharing on how to create one, you should try this social media boost

  21. I cannot thank you enough for the blog post. Really looking forward to read more. Awesome.

    how can i get Buy keek Free Trial on keek and get followers on keek fast and free

  22. Thank you very much for your kindness and efforts to helping us in many ways. More powers to you.

    Buy Vine Trial

  23. I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

    Look into my web page :
    - Buy Instagram Likespread || Buy keek Package

  24. Now that Twitter has switched their search over to a new system that requires authentication, what do you think would be the easiest method of building this kind of list?

    Replies
    1. twofi.rb:131:in `+': can't convert nil into Array (TypeError)
      from twofi.rb:131:in `block in '
      from twofi.rb:129:in `each'
      from twofi.rb:129:in `'
