Reasoning Analytically About Password-Cracking Software · 2019. 5. 23. (slide transcript)
Reasoning Analytically About Password-Cracking Software
Enze “Alex” Liu, Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur
Chic4go
Attack Model
Hash to crack: 80d561388725fa74f2d03cd16e1d687c
1. h(“123456”) = e10adc3949ba59abbe56e057f20f883e
2. h(“password”) = 5f4dcc3b5aa765d61d8327deb882cf99
3. h(“monkey”) = d0763edaa9d9bd2a9516280e9044d885
4. h(“letmein”) = 0d107d09f5bbe40cade3de5c71e9e9b7
5. h(“p@ssw0rd”) = 0f359740bd1cda994f8b55330c86d845
6. h(“Chic4go”) = 80d561388725fa74f2d03cd16e1d687c
Chic4go
Guess # 6
Guess # 13,545,239,432
Password-Cracking Methods
● Probabilistic Models
● Software Tools
Chic4go → Guess #
Guess Number by Enumeration
1. 123456
2. password
3. monkey
4. letmein
5. p@ssw0rd
6. Chic4go
Does Not Scale !!!
Our Analysis Goals
1. Compute guess numbers efficiently
2. Configure guessing method systematically
Outline
● State of the art
● How software password-cracking tools work
● Our efficient techniques for guess numbers
● Our techniques for systematic configuration
Probabilistic Models
Markov Models [Narayanan and Shmatikov, CCS 2005]
Probabilistic Context-Free Grammars [Weir et al., S&P 2009]
Neural Networks [Melicher et al., Usenix Security 2016]
Guess #
Configuration [CCS 2015]
Probabilistic Models: Guess-Efficient; Wall-Clock Time: Slow
Markov Models [Narayanan and Shmatikov, CCS 2005]
Probabilistic Context-Free Grammars [Weir et al., S&P 2009]
Neural Networks [Melicher et al., Usenix Security 2016]
Software Tools
John the Ripper
Hashcat
Software Tools
chicago
chicago1
chicago2
chicago3
chicago6
chicago9
chicdog
chicagos
CHICAG
chicaga
Chicago
CHICAGO
CHIcago
Software Tools: Guess-Inefficient; Wall-Clock Time: Fast
John the Ripper
Hashcat
Software Tools
John the Ripper
Hashcat
Guess #
Configuration [S&P 2019]
Outline, next section: How software password-cracking tools work
Mangled Wordlist Attack
Wordlist: Super, Password, Chicago
Rulelist:
1. Append “1”
2. Replace “a” → “4”
3. Lowercase all
Guesses (rule by rule, each rule applied to every word in turn):
Super1, Password1, Chicago1
Super, P4ssword, Chic4go
super, password, chicago
Example Wordlists and Rulelists
Wordlists: PGS (≈ 20,000,000), LinkedIn (≈ 60,000,000), HIBP (≈ 500,000,000)
Rulelists: Korelogic (≈ 5,000), Megatron (≈ 15,000), Generated2 (≈ 65,000)
10^9 - 10^15 guesses
+ Hackers’ private word/rule lists
Outline, next section: Our efficient techniques for guess numbers
Is This Password in the Guesses?
Password: Chic4go
Wordlist: Super, Password, Chicago
Rulelist: 1. Append “1”; 2. Replace “a” → “4”; 3. Lowercase all
Guesses: Super1, Password1, Chicago1, Super, P4ssword, Chic4go, super, password, chicago
Insight: We can work backwards!
Insight: Invert Rules
Password: Chic4go
Rulelist: 1. Append “1”; 2. Replace “a” → “4”; 3. Lowercase all
Preimages: Chicago, Chic4go
Preimages? Chic4go
Rules: *05 O03 d '7
*05: Switch the first and the sixth char;
O03: Delete the first three chars;
d: Duplicate the whole word;
'7: Truncate the word to length 7;
Where in the Stream?
Wordlist: Super, Password, Chicago
Rulelist: 1. Append “1”; 2. Replace “a” → “4”; 3. Lowercase all
Guesses: Super1, Password1, Chicago1, Super, P4ssword, Chic4go
Counting Guesses For Each Rule
Wordlist: Super, Password, Chicago
Rule: Reject if no “a”; Replace a → 4
Guesses: 2
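The inversion on the slides above, worked in Python: each rule gets an inverse that yields the preimages of a password (for Chic4go under “Replace a → 4”: Chicago and Chic4go), the preimages are looked up in the wordlist, and the per-rule guess counts (2 for the rejecting rule, 3 for the others) give the position in the stream without enumerating it. This is an added example, not the authors' tool: the wordlist, the rules and the rule-major guess order are the slides', while the function names, the case-folded index and the REJECT_NO_A rule name are assumptions.

```python
"""Toy model of the slides' mangled-wordlist attack: an ordered wordlist, an
ordered rulelist, and the guess stream they produce in rule-major order (every
word under rule 1, then every word under rule 2, ...).  guess_number() locates a
password in that stream analytically, by inverting each rule and looking the
preimages up in the wordlist; enumerate_guesses() is the brute-force stream it
is checked against.  Added example, not the authors' code; names are assumptions."""
from collections import defaultdict
from itertools import combinations

WORDLIST = ["Super", "Password", "Chicago"]  # the slides' wordlist

def build_index(wordlist):
    """Wordlist positions keyed by exact word and by case-folded word."""
    idx = {"exact": defaultdict(list), "lower": defaultdict(list)}
    for i, w in enumerate(wordlist):
        idx["exact"][w].append(i)
        idx["lower"][w.lower()].append(i)
    return idx

def preimages_a4(g, need_a):
    """Preimages of g under 'replace a -> 4': any subset of its 4s may have been
    an 'a' (a non-empty subset when the rule rejects words without an 'a')."""
    if "a" in g:  # an 'a' surviving in the guess rules this rule out
        return []
    fours = [i for i, c in enumerate(g) if c == "4"]
    out = []
    for k in range(1 if need_a else 0, len(fours) + 1):
        for chosen in combinations(fours, k):
            chars = list(g)
            for i in chosen:
                chars[i] = "a"
            out.append("".join(chars))
    return out

def exact_lookup(candidates):
    """Inverse built from a candidate-preimage enumerator plus exact lookup."""
    return lambda g, idx: sorted(i for c in candidates(g) for i in idx["exact"].get(c, []))

# A rule is (name, apply, inverse): apply returns None when it rejects the word;
# inverse(guess, index) returns the sorted wordlist positions whose image is guess.
# Lowercase is inverted through the case-folded index because enumerating its
# preimages would cost 2**len(guess) candidates.
RULELIST = [
    ("Append 1", lambda w: w + "1",
     exact_lookup(lambda g: [g[:-1]] if g.endswith("1") else [])),
    ("Replace a -> 4", lambda w: w.replace("a", "4"),
     exact_lookup(lambda g: preimages_a4(g, need_a=False))),
    ("Lowercase all", str.lower,
     lambda g, idx: idx["lower"].get(g, []) if g == g.lower() else []),
]
# The "Counting Guesses For Each Rule" slide: words without an 'a' are rejected,
# so this rule yields fewer guesses than there are words.
REJECT_NO_A = ("Reject if no a; replace a -> 4",
               lambda w: w.replace("a", "4") if "a" in w else None,
               exact_lookup(lambda g: preimages_a4(g, need_a=True)))

def enumerate_guesses(wordlist, rulelist):
    """The guess stream by brute force (what does not scale on real lists)."""
    return [g for _, apply, _ in rulelist for g in map(apply, wordlist) if g is not None]

def guess_number(target, wordlist, rulelist):
    """1-based position of target's first appearance in the stream, or None."""
    idx = build_index(wordlist)
    offset = 0  # guesses already produced by the rules passed so far
    for _, apply, inverse in rulelist:
        hits = inverse(target, idx)
        if hits:  # non-rejected words before the first hit, within this rule
            return offset + sum(apply(w) is not None for w in wordlist[:hits[0]]) + 1
        offset += sum(apply(w) is not None for w in wordlist)
    return None
```

On the slides' inputs guess_number("Chic4go", WORDLIST, RULELIST) returns 6, matching the enumerated stream; with only REJECT_NO_A it returns 2, because Super is rejected and produces no guess.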
Our First Contribution
● Fast Guess Number Estimation
Fast Guess Number Estimation (LinkedIn + SpiderLab guesses)
                Enumeration    Our Approach
Size            ~ 3 PB         ~ 10 GB
Preprocessing   > 2 years      < 1 day
Mean Lookup     ???            < 1 second
Outline, next section: Our techniques for systematic configuration
Software Tools Depend On
● Order of rules
● Contents of the rulelist
● Order of words
● Contents of the wordlist
Insight: Data-Driven Configuration
Password Set + Wordlist + Rulelist → New configuration
Data-Driven Configuration
● Order of rules
● Contents of the rulelist
● Order of words
● Contents of the wordlist
Rule Ordering
● Should the rules be in a different order?
● Key idea: Order by # cracks per guess
Before: 1. Append “1”; 2. Replace “a” → “4”; 3. Lowercase all
After: 1. Replace “a” → “4”; 2. Lowercase all; 3. Append “1”
Rule Ordering Results (plot; curves: Ideal, Data-driven, Original)
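The rule-ordering idea above, worked in Python as a measurement of how quickly a configuration reaches the passwords in a known set: every rule is scored by cracks per guess on a sample of known passwords, the rules are run best-first, and the cumulative-cracks curve of the reordered list is compared with the original order (the Original and Data-driven curves of the results slide). This is an added example, not the authors' configuration tool; the wordlist and rules are the slides', while SAMPLE and the function names are constructed assumptions.

```python
"""Data-driven rule ordering from the "Rule Ordering" slide: score every rule by
the cracks it achieves per guess on a sample of known passwords, run the rules
best-first, and compare the cumulative-cracks curve with the original order.
Added example, not the authors' code; wordlist and rules are the slides', the
sample password set is constructed for illustration."""

WORDLIST = ["Super", "Password", "Chicago"]
ORIGINAL_ORDER = [  # the slides' rulelist, in its original order
    ("Append 1", lambda w: w + "1"),
    ("Replace a -> 4", lambda w: w.replace("a", "4")),
    ("Lowercase all", str.lower),
]
# Constructed sample of already-known passwords (e.g. an earlier leak from a
# similar population) that stands in for the "password set" on the slides.
SAMPLE = ["Chic4go", "P4ssword", "super", "password", "Chicago1"]

def rule_guesses(rule, wordlist):
    """Guesses one rule produces, in wordlist order (None marks a rejected word)."""
    return [g for g in map(rule[1], wordlist) if g is not None]

def cracks_per_guess(rule, wordlist, sample):
    """Fraction of the rule's guesses that hit a sample password."""
    guesses = rule_guesses(rule, wordlist)
    return len(set(guesses) & set(sample)) / len(guesses) if guesses else 0.0

def data_driven_order(rulelist, wordlist, sample):
    """Rules by descending cracks per guess; the sort is stable, so ties keep
    their original relative order."""
    return sorted(rulelist, key=lambda r: -cracks_per_guess(r, wordlist, sample))

def crack_curve(rulelist, wordlist, targets):
    """Cumulative number of target passwords cracked after each guess when the
    rules run in the given order; a password counts once, at its first crack."""
    remaining = set(targets)
    total, curve = len(remaining), []
    for rule in rulelist:
        for g in rule_guesses(rule, wordlist):
            remaining.discard(g)
            curve.append(total - len(remaining))
    return curve

def guesses_needed(curve, cracks):
    """Guesses spent before `cracks` passwords are cracked, or None if never."""
    for n, c in enumerate(curve, 1):
        if c >= cracks:
            return n
    return None

if __name__ == "__main__":
    reordered = data_driven_order(ORIGINAL_ORDER, WORDLIST, SAMPLE)
    print("data-driven order:", [name for name, _ in reordered])
    for label, order in (("original", ORIGINAL_ORDER), ("data-driven", reordered)):
        curve = crack_curve(order, WORDLIST, SAMPLE)
        print(f"{label:12s} cracks after each guess: {curve}")
```

On this sample the reordered list is the one shown on the slide (Replace “a” → “4”, Lowercase all, Append “1”), and four of the five sample passwords are reached after 5 guesses instead of 7.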
Word Completeness
● Should other words be in the wordlist?
● Key idea: Add frequent preimage “misses”
Rulelist: 1. Append “1”; 2. Replace “a” → “4”; 3. Lowercase all
Preimages: Oakland1, O@kl@nd, oakland, Oakland
Word Completeness (Sample Results)
Category        Examples
Set-specific    bfheros; ilovmyneopets”””
Meaningful      MaSterBrain; la la la
Short strings   a2; a23; 7a; b2; q2
Takeaway
Analytical Tools: Guess Number, Configuration Tools
https://github.com/UChicagoSUPERgroup/
Reasoning Analytically About Password-Cracking Software
Enze “Alex” Liu, Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur