Welcome back, my Mr. Robot fans!
In the television show, Mr. Robot on FX (past episodes are on Amazon Prime), Elliot seems to be able to hack anyone's password. For anyone who has attempted to crack a password, you know it isn't exactly that easy. Brute forcing long and complex passwords can be time-consuming and tedious without a GPU farm or a botnet. While cracking dictionary words is easy and can be done in minutes, fewer and fewer accounts have dictionary word-based passwords. Users are now taught to "munge" their passwords with numbers and special characters to make them harder to crack.
Let's look at ways that Elliot could quickly crack his target's passwords here.
Most Common Passwords
Before attempting any password cracking or for that matter any hacking, it's always a good idea to develop a strategy first. The first step in any password cracking strategy is to try the most common passwords first. Human beings tend to put little thought and effort into creating unique passwords. In addition, human beings share genes and thought-patterns that are common across the billions of us on the planet. As a result, the same passwords keep recurring across multiple platforms year after year. We know this from the billions of passwords that are found in the data dumps on the dark web.
Last year (2018), the most common passwords were;
Not very creative are they? These 25 passwords comprise about 10% of all accounts! If we use the top 10,000 passwords, I estimate that these compromise about 1/3 of all account passwords. Now tell me, why are you using wordlists with millions of words?
Of course, these common password lists won't work on all accounts (70%), the next step is to create a custom wordlist that specifically targets the individual. There are at least three ways to do this;
1. Create a custom password list with crunch using character patterns;
2. Create a custom password list from the target's web page or Twitter feed.
3. Create a custom wordlist based upon data harvested from social media.
When people munge passwords, they usually include words and symbols and numbers that are easy for them to remember. Things like their birthday, their birth year, their dog's name, their children's birthday, their partner's birthday... you get the idea. To demonstrate this tendency, go look in your email box and look at the two numbers at the end of many people's email address. Is that approximately their age, their birth year, or birthday? You will be surprised how often it is. Do you think they did a better job picking their password???
The key then it to create a password list specific to the individual that captures this often repeated behavior. As a hacker, understanding human psychology and behavior is one of your best tools. Let's examine three tools that will help us develop unique and specific wordlists that we can include in any of the password hacking tools.
Let's take a look at each of these tools that Elliot could use to create a custom wordlist. In Season 1, Episode 1, Elliot easily cracks his therapist's password. Let's use that as an example.
crunch is a tool that enables us to make a password list based upon character patterns. If we know that person's name, partner's name, pet's name, we might use those and build a password list that includes that name and add additional characters, something that users often do.
In the case of Elliot, he knows that Krista is a fan of Bob Dylan from her Facebook page. He could construct a password list that includes "dylan" beginning and ending with additional numbers or characters. Let's look at how Elliot would do this.
crunch is built into Kali, so no need to download or install anything. Simply enter crunch at the command prompt
kali > crunch
As you can see, crunch doesn't give us much information and refers us to its man page. Let's go there.
kali > man crunch
The crunch man page is voluminous! If we scroll down a bit, we can see the options for using wildcards in crunch.
If we scroll to the bottom, we can find numerous examples.
The key to using crunch effectively to create a password list is to (1) define the minimum and maximum password size and then (2) determine the pattern.
From the wildcard list we can see the following options
@ will insert lower case characters
, will insert upper case letters
% will insert numbers
^ will insert symbols
Elliot knows Krista likes Bob Dylan and may use his name in her password. Knowing this, Elliot might create a password list using the word "dylan" and then followed by four numbers (maybe her birthday?) He could create this 9 character password list as follows;
kali > crunch 9 9 -t dylan%%%% -o kristacrunchlist.txt
As you can see from the output, crunch created a list with all the possibilities of "dylan" followed by 4 numbers and created a 100,000 byte password list (10,000 passwords).
When using crunch you must be careful to not ask it to do too much. You need to be specific and narrow with your requests. For instance, if Elliot asked crunch to generate a password list with 13 characters starting with 4 lower case characters (@) and followed by 4 numbers (%), crunch would generate a 59GB list! That's bit unwieldy and probably not a useful list.
CeWL is the Custom Word List by Robin Wood. This simple and elegant tool is a Ruby script that scrapes words from the target's website or industry website and harvests the words that meet a certain criteria that would make them part of a potential password. These might include word length. Few people would consider building a secure password around a 4 letter word, right? Be strategic!
The idea here is that people often build passwords around words in their industry that aren't often used in common language. For instance, people inside the cyber security industry might use words such as "honeypot", "vulnerability", "exploit", etc. You get the idea.
People believe (will some evidence they are correct) that these specialized words are unlikely to be in the hacker's wordlist. They are likely right, but we can remedy that shortcoming. We'll simply scrape these specialized word from their website (or Twitter account).
To demonstrate how Elliot would use it, we will be a target Krista and her website www.kristas-office.com (not a real website). The idea is to scrape words from that website that might be unique to that industry.
To begin, let's look at the cewl help page for clues as to how to use this tool.
kali > cewl -h
As you can see, cewl has numerous options, but we can boil down the syntax of this tool to;
cewl [options] URL -o <output file>
Two key options in using CeWL are the depth and minimum word length. The depth option tells CeWL hope many sub-directories deep in the website to scrape and the minimum directs the tool to not scrape words less than a minimum length.
For Elliot to scrape these potential passwords from www.kristas-office.com, he could enter;
kali > cewl -d 4 m 8 https://kristas-office.com -w psychwords
After quite a awhile, CeWL completes its task and has created a password list for me. To view this list, we can simply use cat, vim, more or less, or use a text processor such as Leafpad, to open the password list
kali > cat psychwords
In addition, we can also take this list and use it in crunch to create a potential passwords using character patterns.
Our final and maybe most effective password-wordlist creating tool is cupp. cupp takes the information you have gathered on the individual through open source techniques and creates a custom wordlist based upon common munging practices.
Unlike the previous two tools, cupp is not installed on Kali, nor is it in the Kali repository. As a result, we need to grab it from github at Mebus's repository there.
kali > git clone https://github.com/ebus/cupp
The next step is to navigate to the new cupp directory.
kali > cd cupp
Now we start start the cupp interactive console by entering;
kali > cupp.py -i
As you can see above, cupp enters an interactive mode and begins to ask you questions about the target. Elliot knows the name of his therapist, Krista Gordon, and enters it. cupp then asks for her birthday. Elliot could obtain that data from many OSINT sources such as Facebook, Twitter and other social networking sites and including various online people searches. Elliot know her "boyfriends" name, Michael, and that Michael uses the nickname "mike". Elliot has also learned from OSINT techniques that she really likes Bob Dylan. We can add that info when cupp asks whether we want to add any keywords. There, we enter "Dylan".
After asking a few more questions, cupp begins to generate this custom wordlist. It's rather quick and generates a very manageable 3980 words. We can view them by displaying the file krista.txt
As you see below, cupp starts by generating multiple variations and permutations of her birth date.
It then continues on to generate munged passwords based up her name and nickname and birth date.
Elliot now has a custom built password list for his therapist, Krista, ready to use in any of the password cracking tools!
Lastly, Elliot can combine these three lists and to create a combined list of potential passwords using cat and the redirect symbol in Linux (>).
kali > cat kristacrunchlist psychwords krista > kristapasswordlist
For more on how Elliot hacks systems on Mr. Robot, check out my Mr. Robot Hacks page here.