Collect all the hashcat parts needed on the controller

So, we are going to need a password dictionary file for cracking and a list of passwords to crack. The most common password dictionary file is rockyou.txt. You can download that file here on Kaggle among other places.

For passwords to crack, I wanted a list that wasn't too easy and wasn't too hard. I decided to build my own list of passwords that ended in a number and a special character. hashcat has a "dictionary + mask" mode that can be used to brute force these types of passwords. Passwords like "SpongeBob01!". First, I slimmed down the rockyou dictionary file to just passwords including "01!" using:

    grep 01! rockyou.txt > rockyou01.txt

That gave me 482 passwords to crack. I would rather have 480 to split evenly in 4 pieces so I ran this:

    head -n 480 rockyou01.txt > rockyou480.txt

Now I have exactly 480 passwords to crack across 4 bots. To create the 480 MD5 hashes to crack, I used a little vi-fu to turn that list of passwords into a shell script (rockyou01.sh) to create 480 hashes. That shell script looks like this:

    #!/bin/bash
    echo -n 'zoey101!' | md5sum | tr -d ' -'
    echo -n '9801!Jmc' | md5sum | tr -d ' -'
    echo -n 'woody101!' | md5sum | tr -d ' -'
    echo -n 'tigger101!' | md5sum | tr -d ' -'
    echo -n 'shotgun01!' | md5sum | tr -d ' -'
    echo -n 'seria101!' | md5sum | tr -d ' -'
    echo -n 'rocky101!' | md5sum | tr -d ' -'
    [snip]

I then ran "rockyou01.sh > rockyou01_480.md5". The top of that file looks like this:

    $ head rockyou01_480.md5
    f4b7dc4fa32a3e2aa6516fa08f2096ff
    2e3e2ea1a34fc71ebdc45165444f4533
    353b97a58a7e33300ce2cc1f2222b555
    95d0ac3e58389faa9ab3c281309fcd66
    87d3a7272bf293c97e45e69cde87ab57
    60c8800eefaf6caebfdcd0ea4b230324
    ef8af08f43dcc58f4a283d8e17deb1c6
    f3104289cb3c8646aeea917375df4dc7
    2d4492e766d99d10726948ffec74ef26
    3f9d6897898b49716c4c7d02fcb2c21f

To make the cracking a little faster, I thinned down the enormous rockyou.txt to just passwords with the characters a-zA-Z. Here is how I did that with our friend grep:

    $ grep -i -E "^[a-z](_?[a-z]+)*$" rockyou.txt > rockyou_azAZ.txt
    $ wc -l rockyou_azAZ.txt
    4168380 rockyou_azAZ.txt

Now I have a whole bunch of password prefixes that I can brute force by adding numbers and special characters to the end. For instance, I now have these common Sponge Bob password prefixes:

    SpongebobRules
    SpongeboB
    SpongeBOB
    SponGebOB
    SPONGEbob
    SPONGEBOB_SCOOBY
    SPONGEBOBSWIFEY
    SPONGEBOBSQUARE
    SPONGEBOBJOANNA
    SPONGEBOBFAN
    SPONGEBOBALDAY
    PATRICKaNdSPOngeBoB

Experiment with Parallelizing hashcat

I learned a lot about how hashcat works while experimenting with splitting up hashcat across multiple computers. At first I thought splitting the number of hashes across multiple computers would be faster. Surely cracking 120 hashes would be faster than cracking 480 hashes. Nope. Same exact time. It turns out that the time spent is the time hashing each of the 4,168,380 passwords in the rockyou_azAZ.txt dictionary and testing against each of the hashes. Comparing 4M passwords to 120 hashes takes just as long as comparing 4M passwords to 480 hashes.
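
To see why the hash count made no difference, here is a small sketch of the dictionary + mask loop. It is an added example, not hashcat's code and not part of the original post. The eight-word dictionary is constructed, the four passwords are taken from the cracked list later in the post, and the function names are made up for illustration.

```python
import hashlib
import string
from itertools import product

DIGITS = string.digits               # hashcat ?d
SPECIAL = " " + string.punctuation   # hashcat ?s: space plus 32 symbols

# Constructed sample data: a tiny stand-in for rockyou_azAZ.txt and the hash list.
WORDS = ["Spongebob", "shotgun", "River", "Password", "cheer", "damian", "Bacon", "Adam"]
PASSWORDS = ["shotgun01!", "River01!", "Password01!", "Adam01!"]


def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hybrid_attack(words, target_hashes):
    """Dictionary + mask ?d?d?s. Returns (cracked, candidates_hashed)."""
    targets = set(target_hashes)     # one set lookup per candidate, any list size
    cracked, hashed = {}, 0
    for word in words:
        for d1, d2, s in product(DIGITS, DIGITS, SPECIAL):
            candidate = word + d1 + d2 + s
            digest = md5_hex(candidate)
            hashed += 1
            if digest in targets:
                cracked[digest] = candidate
    return cracked, hashed


def shard(words, parts):
    """Split the dictionary into contiguous chunks, one per worker."""
    size = -(-len(words) // parts)   # ceiling division
    return [words[i:i + size] for i in range(0, len(words), size)]


def compare():
    hashes = [md5_hex(p) for p in PASSWORDS]
    full = hybrid_attack(WORDS, hashes)            # all hashes, whole dictionary
    fewer = hybrid_attack(WORDS, hashes[:1])       # a quarter of the hashes
    per_worker = [hybrid_attack(part, hashes) for part in shard(WORDS, 4)]
    return full, fewer, per_worker


if __name__ == "__main__":
    full, fewer, per_worker = compare()
    print("all hashes, whole dictionary:", full[1], "candidates")
    print("1/4 of hashes, whole dictionary:", fewer[1], "candidates")
    print("all hashes, 1/4 of dictionary:", [w[1] for w in per_worker])
```

Every word expands to 10 x 10 x 33 = 3,300 candidates, so the work is set by the dictionary size and the mask. Cutting the hash list leaves the candidate count unchanged, while cutting the dictionary divides it.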


Here are the timing comparisons of "hashcat -m 0 -a 6 rockyou01_480.md5 [dictionary_file] ?d?d?s"

Display the passwords cracked

Hashcat stores all cracked hashes in a file called "hashcat.potfile". We can also use the "hashcat --show" command using the same syntax used for cracking. For instance, on bot-01:

    $ hashcat --show -m 0 -a 6 rockyou01_480.md5 rockyou_split_aa ?d?d?s
    87d3a7272bf293c97e45e69cde87ab57:shotgun01!
    0e3a5a5c8294e49c919a7e651c406d3f:damian01!
    6c6b74b8bcf5d771508a63e138cc821c:cheer01!
    85176cebcb84ce62d8ffc9eaa45c4836:River01!
    a332233d395c415a99c6b16a2348c129:Password01!
    de5356b6dfd334d6f306ad01cb03096f:yeroc01!
    727999e4f0194d441961f995830e0aa7:wil01!
    2df21e4da45ab1d84dbf0161240fd467:what01!
    f4606ded47bf1715476eb334cfa190f3:welkom01!
    d25c929d155ebde63a699ecb36580576:wanadoo01!
    [Snip]
    e5df7afcc587cb4ccbf6dacae086fdbf:Daniel01!
    4532a3b45f2522a70844265f7fd6ba8d:Chris01!
    4a4e408e611202c9ea468ce43284f2cf:Change01!
    9b3d8e24f351047945e8e2f816e78679:Buterfly01!
    861a4744bbe9d548cb0df1f14f42bf3b:Bowling01!
    656851233892e68810759f94dc096745:Bacon01!
    562d1aa26c887a754eeb97c13f846c20:BUBBY01!
    1d7cab45255315ac71d251a42105ca1a:Angeles01!
    dab2be68119cd19f75c1cd60ce96c452:Amanda01!
    af9492665323b4f9d6b2becec77b9858:Adam01!

Thank You

Well, that was fun. I always figured there was something very geeky, and slightly evil, that I could do with all those unused phones. Thanks for taking the time to read this post. I welcome your comments as well as other ideas for a cell phone bot army.