Title: Cracking 10.000 hashes
Date: 2014-03-20 18:00

My friend Bob stumbled upon a database with something like 10.000 records: name, surname, address, email, birth date, telephone number, and a hash.

[John the Ripper](http://www.openwall.com/john/) tells us:
> Loaded 9489 password hashes with 142 different salts (descrypt, traditional crypt(3) [DES 128/128 AVX-16])

Too bad that *descrypt* only uses the first 8 characters of a password.

The database has 9546 records, and John detects 9489 hashes. I took a quick look, and the site seems to be riddled with *unintentional* SQL injections. Fantastic.

I don't have a [cluster](http://openwall.info/wiki/HPC/Village) to process the list, only my laptop; but I managed to crack almost 60% in a week, trying various things:

- Classic dictionaries (cracked at least 25%)
- KoreLogic rules
- Stupid patterns (like `?d?d/?d?d/?d?d`, `?d?d?d?d?d?d` or `?d?d?d?d?l`)
- The [markov](http://openwall.info/wiki/john/markov) mode is funny, but you need a good dictionary
- Crawling the website with [cewl](http://www.digininja.org/projects/cewl.php) yields gems

# Stats
Since I was asked not to disclose the name of the website, I removed some stats, names and passwords, and replaced them with `[...]`.

## Top 10 passwords

    caroline = 4 (0.08%)
    123456 = 4 (0.08%)
    doudou = 3 (0.06%)
    1664 = 3 (0.06%)
    mercedes = 3 (0.06%)
    lapin = 3 (0.06%)
    Catouill = 3 (0.06%)
    azerty = 3 (0.06%)
    [...] = 3 (0.06%)
    issnancy = 3 (0.06%)

## Top 10 base words

    [...] = 17 (0.32%)
    azerty = 14 (0.26%)
    julien = 8 (0.15%)
    nico = 7 (0.13%)
    coucou = 6 (0.11%)
    bonjour = 6 (0.11%)
    aout = 5 (0.09%)
    [...] = 5 (0.09%)
    lapin = 5 (0.09%)
    nicolas = 5 (0.09%)

The removed base words are, of course, the name of the entity and of the website.

## Password length

    8 = 2914 (54.98%)
    6 = 1251 (23.6%)
    7 = 721 (13.6%)
    5 = 217 (4.09%)
    4 = 179 (3.38%)
    3 = 14 (0.26%)
    2 = 2 (0.04%)
    1 = 2 (0.04%)

## Digits
### Last number

    0 = 242 (4.57%)
    1 = 268 (5.06%)
    2 = 240 (4.53%)
    3 = 201 (3.79%)
    4 = 157 (2.96%)
    5 = 183 (3.45%)
    6 = 164 (3.09%)
    7 = 150 (2.83%)
    8 = 194 (3.66%)
    9 = 216 (4.08%)

### Last 2 digits (Top 10)

    90 = 52 (0.98%)
    88 = 51 (0.96%)
    89 = 47 (0.89%)
    85 = 42 (0.79%)
    12 = 42 (0.79%)
    87 = 41 (0.77%)
    23 = 40 (0.75%)
    00 = 40 (0.75%)
    25 = 40 (0.75%)
    10 = 39 (0.74%)

I suspect the top 4 are birth dates.

### Last 3 digits (Top 10)

    123 = 24 (0.45%)
    987 = 20 (0.38%)
    985 = 16 (0.3%)
    986 = 16 (0.3%)
    989 = 14 (0.26%)
    984 = 14 (0.26%)
    456 = 14 (0.26%)
    988 = 12 (0.23%)
    990 = 12 (0.23%)
    198 = 11 (0.21%)

Birth dates again!

### Last 4 digits (Top 10)

    1987 = 17 (0.32%)
    1989 = 14 (0.26%)
    1986 = 14 (0.26%)
    1985 = 13 (0.25%)
    1984 = 12 (0.23%)
    1993 = 10 (0.19%)
    1990 = 8 (0.15%)
    1983 = 8 (0.15%)
    1988 = 8 (0.15%)
    1991 = 7 (0.13%)

Still birth dates.

## Charset

    loweralpha: 2644 (49.89%)
    loweralphanum: 1426 (26.91%)
    numeric: 807 (15.23%)
    mixedalphanum: 121 (2.28%)
    mixedalpha: 119 (2.25%)
    upperalpha: 62 (1.17%)
    upperalphanum: 37 (0.7%)
    loweralphaspecial: 26 (0.49%)
    loweralphaspecialnum: 25 (0.47%)
    specialnum: 6 (0.11%)
    mixedalphaspecialnum: 6 (0.11%)
    mixedalphaspecial: 5 (0.09%)
    upperalphaspecialnum: 1 (0.02%)
    special: 1 (0.02%)

## Some funny passwords
If you don't have a French background,
you may miss a lot of fun.

- vaches
- ilovesex
- sexfight
- sexylove
- 3615moim
- moimeme
- [alpine](http://winscp.net/eng/docs/faq_iphone)
- mabiteda
- 127.0.0.
- dstoncul
- schnappy
- iso9001
- [lefigaro](http://www.lefigaro.fr/)
- ...

# Conclusion
The website has been alerted, the holes are being fixed, and the hash algorithm has been changed.

It was the first time that I used John, and I liked the experience: writing rules,
thinking about patterns, estimating complexity, ...

Now I want a big cluster :<
