Thursday, May 31, 2012

Using twitter to build password cracking wordlist

This is going to be a quick one. We're going to show how to use twitter to build a word list for cracking passwords.
We'll use John the Ripper, and as a target we'll use the MilitarySingles.com md5 password hashes that were released by the artist formerly known as lulzsec.

First, let's hack out a quick script that will get relevant tweets for us. And yes, I use a lot of tabs. And I know I can do this cleaner... I'm in a get it done quick mood.
(EDIT: thanks to Supercow1127 and TheShadowFog for pointing out better ways to deal with JSON. See jshon, jsawk, etc).
The script will connect to twitter and get 500 tweets for the term supplied, then barf back all the words from those tweets in a list for us. Next we are going to pass the script some words that might be relevant to our target.

After we sort the list out, we're left with 4400 unique words.

Let's try those words against our hashes and see how many of them are used as passwords. We'll use the --rules option so that it mangles up various permutations of each word.

And here come the passwords... (scrolled off the screen)

So, from our word list of 4400 words, we yielded 1978 passwords. Let me say that again...
FROM OUR WORD LIST OF 4400 WORDS, WE YIELDED 1978 PASSWORDS!

And that's 1978 unique passwords. The number of accounts we actually cracked with these 1978 passwords is even more than 4400, because many accounts use the same passwords as each other. With the mangling rules, John tries ~300 mutations of each word in the list (semperfi gives us semperFi, semperfi1, semperfi123, etc.).

This is a very small example of what can be done to generate more relevant password lists using twitter/websites/social media to supply you with the related words. Download john, hash your passwords, build a list of words relevant to your organization, and test the security of your passwords. Heck, we haven't even started talking about GPUs and oclhashcat, but we'll leave that for another time.
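The same idea can be turned around for the defensive test suggested above: build the organization-relevant word list once, then screen proposed passwords against it at change time. The sketch below is an added example, not the script from this post. The sample posts are constructed, and the function names and the substitution table are assumptions chosen for illustration.

```python
import re

# Constructed sample text standing in for collected posts (not real tweets).
SAMPLE_POSTS = [
    "Semper Fi to all my brothers deployed overseas #USMC",
    "Back from deployment, anyone near Camp Pendleton want to grab coffee?",
    "Proud army wife, missing my soldier tonight",
]

# Character substitutions to undo before comparing (assumed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def build_denylist(posts, min_len=4):
    """Collect unique lowercase words plus adjacent word pairs joined together."""
    words = set()
    for post in posts:
        tokens = re.findall(r"[a-z]+", post.lower())
        words.update(t for t in tokens if len(t) >= min_len)
        # "semper fi" -> "semperfi": phrases are often typed without the space
        words.update(a + b for a, b in zip(tokens, tokens[1:])
                     if len(a + b) >= min_len)
    return words


def _strip_ends(text):
    """Drop any digit/symbol prefix and suffix, e.g. 'semperfi123' -> 'semperfi'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def base_forms(password):
    """Reduce a candidate to the base words a mangling rule may have started from."""
    lowered = password.lower()
    return {
        _strip_ends(lowered),                  # semperFi, semperfi1, semperfi123
        _strip_ends(lowered.translate(LEET)),  # S3mperF1!
        _strip_ends(lowered).translate(LEET),  # 2012S3mper
    }


def is_contextual(password, denylist):
    """True if the password is a simple variation of a context-specific word."""
    return any(form in denylist for form in base_forms(password))


if __name__ == "__main__":
    denylist = build_denylist(SAMPLE_POSTS)
    for candidate in ["semperFi", "semperfi123", "S3mperF1!", "xK9#vTq2LmZ"]:
        print(candidate, "->", "reject" if is_contextual(candidate, denylist) else "ok")
```

A check like this only catches the simplest variations (case, prefix/suffix digits, common substitutions); running John with --rules against your own hashes, as described above, covers far more mutations.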

Until next time, if you're going to hack, hack effectively.



And props to Kevin Young. Thanks for all the lengthy discussions about password security. I truly enjoy picking your brain.

46 comments:

  1. Pretty good! I don't usually read blogs but I guess I'll subscribe lol.

  2. Good lord.... that's pretty damned effective!

  3. It would be interesting to see how effective the words from twitter were by themselves, without the targeted keywords.

    Replies
    1. I agree. The idea that there's an increase in efficiency for single words over a standard random wordlist would be shown out in the differences between targeted twitter searches and random searches. I do think there are other cool things you can do with this sort of thing, such as finding word combinations that people commonly use. Coming up with the password iloveJustinBeiber2010 wouldn't really be that easy by just mangling an entire dictionary of words together, but by searching twitter for strings (I think) you could really increase your chances.

    2. Yes! I think so too, re finding commonly used word combinations. Here's an idea: Identify a subset of users that generates a decent amount of Twitter traffic, and has a strong thematic commonality. That is exactly what you did here. Harvest the content over a 6-month interval. That forms a corpus of all-English language text. Unstructured text analysis programs are common. They aren't so great for inferring complex behavioral trends. But current text analytics algorithms should be more than adequate for finding 2 or 3-word combo's as likely passwords!

      Are you familiar with the Google N-gram Viewer? 2-word combo's are bi-gram's, 3 words are tri-gram's, thus "n-gram". Stray thought: Use the N-gram Viewer to find UserID-password combo's. Use a good text corpus e.g. single military service people's Twitter content.

  4. I'm doing the same with RSS feeds, compiling Country/Topic specific Wordlists is very comfortable that way.
    Language specific dumps of wikipedia, if sorted by wordlength, work very well too.

  5. This was interesting. I have a really large wordlist and I was interested in what words the twitter search found that wasn't already in my wordlist that also resulted in a successful crack of another md5 hash. I got 24,197 of them from my own word list but there were eight that only came from the twitter search terms used in this post and most look like military terms or military slang. Thanks for the interesting diversion.

  6. That is exactly it Joel, thanks for the comment. This is definitely not the way to generate your main wordlists, but it really does turn up great words (or word combinations) that you won't find in a normal wordlist, and that are current and relevant. It's that jargon, slang, etc. that helps with those more hard to reach passwords.

  7. It might be even more productive at getting industry specific words by adding a bit of recursion. Do your first search and then search again with any words found that are not already in your master wordlist. That way terms you thought of can lead you to jargon or slang that you are not familiar with personally but are to a person in the industry or group.

    Replies
    1. Yes, it does work quite well recursively. I was doing a bit of that already, but I figured I'd keep it simple for this post and let others build on it. Nice thinking. ;)

  9. Hello guys,

    I was wondering if there was any way to make a wordlist using twitter usernames only? I think that could be more than helpful to find passwords made of name+numbers or noun+numbers.

    Indeed, I noticed that of all the WPA passphrases that I've managed to crack thanks to gigantic dictionaries, a vast majority of those passwords were actually used as twitter usernames. ex: xavier1401, popolopopopopo etc.

    Any ideas?

    Cheers

    Replies
    1. That's a great idea, and I'm sure there's a way. There are lists of facebook usernames floating around that make good password cracking dictionaries as well.

  10. Joshua

    Quick one as I am trying to understand this and I am a bit of a rookie. Where did you get the militarysingles hashes from?

    Replies
    1. The hashes were released publicly by a hacker group claiming to be Lulzsec. When hashes are released publicly (like the linkedin ones this week) you can usually find them by googling around a bit. Get em while they're hot, sometimes they become hard to find later.

  12. OK so you used twitter and john the ripper to create a unique password list. Clever, I get it, but where does the Militarysingles.com password hash come into play?

    Replies
    1. The point of using twitter rather than a standard huge dictionary is to be more targeted. Gotta have a target picked out to be targeted. :)
      Hence the military and dating related keywords I searched for....

  13. Well... I suggest replacing wget with curl. When you do that you can make it in one line, for example as an alias, and then you don't have a tempfile.

    Replies
    1. "And I know I can do this cleaner... I'm in a get it done quick mood."

  14. Just wondering, how could you modify this to grab words from a specific twitter log....or even a different website such as facebook, google+ or wikipedia

  16. Great Stuff Joshua

    May I suggest to grab your 1400 words, run a calc_stat and then do a --markov220:0:0:12 --stdout > myfile.txt

    I had surprisingly good results with the Markov chains.

  17. I've copied this exactly and I get a "no such file or directory" error when I try to run the script? Neat idea btw!

  24. Now that Twitter has switched their search over to a new system that requires authentication, what do you think would be the easiest method of building this kind of list?

    Replies
    1. twofi.rb:131:in `+': can't convert nil into Array (TypeError)
      from twofi.rb:131:in `block in '
      from twofi.rb:129:in `each'
      from twofi.rb:129:in `'

  25. This is a fantastic website and I can not recommend you guys enough. I really appreciate your post. It is very helpful for all the people on the web.
