12-22-2014, 01:58 PM
After talking to many people about PRINCE, explaining how it works and what the idea behind it is, I've decided to write a little demonstration/tutorial to show how it can be used in a real-life scenario. I hope it will help everyone who is interested in using PRINCE to get started.
I've selected the Linkedin dump as my demonstration hashlist because it has been taken many times when it comes to any kind of analysis of password guessing, so it became a bit of a reference. It consists of a big number of unique hashes, therefore we can actually see what's happening in real time just by looking at the cracked hashes while it is cracking. We can see how the patterns are self-created and it proves that the generated password candidates actually match real-life passwords.
PRINCE was designed for attacking slow hashes. Therefore I'll use "only" CPU hashcat for the demonstration. There will be no GPU involved. The CPU that I am using is an Intel i7-4770K. I've decided to use CPU for this fast hash as it matches the speed for a slow hash using a GPU environment. To be exact, the cracking rate for the demonstration is around 5MH/s, which is roughly as slow as a modern single GPU cracking a $1$ hash (1000 times iterated and salted hash).
To reproduce locally, you need:
- hashlist: Linkedin (version with leading zeros, contains 3521180 unique hashes)
- wordlist: rockyou.txt
- hashcat v0.48: https://hashcat.net/misc/hashcat-0.48-linkedin.7z (modified version to crack the Linkedin hashes)
- princeprocessor v0.16: https://github.com/jsteube/princeprocess...or-0.16.7z
In this demonstration we do not make use of the personal aspects optimizer. We assume we have no clue what the password could be.
1. Create a fifo
While oclHashcat (GPU) supports reading from stdin, Hashcat (CPU) does not. But you can work around this missing feature simply by creating a named pipe.
    $ mkfifo fifo
Because of the named pipe we need two shells next.
2. Run princeprocessor in the first shell
    $ ./pp64.bin -o fifo < rockyou.txt
3. Run hashcat in the second shell (Replace the XXX with your CPU architecture)
    $ ./hashcat-cliXXX.bin -m 100 -o linkedin.out linkedin.hash fifo
4. Let it run for 24 hours
    Recovered.: 2223916/3521180 hashes
Easy, isn't it? And that's just with the rockyou wordlist. I selected rockyou just to make it reproducible. With one of my personal wordlists (that I am not going to share, sorry) I was able to get into the 75% range in the same time. If your first results with PRINCE are not that good, don't get demotivated. It takes a bit of experience on how to prepare/filter the input wordlist, using optional rules or how to use the optional princeprocessor parameters like --elem-cnt-min and --elem-cnt-max. I'm going to explain them in a later tutorial.
About efficiency: During the 24 hours a total of ~230 billion password candidates have been generated and tested. If you think 230 billion is a lot, it's not. It's not even half of the brute-force keyspace of a 7-bit, length-6 password. To get a better feeling for this, just think of testing the same keyspace against a TrueCrypt volume (TrueCrypt 5.0+ PBKDF2-HMAC-RIPEMD160 + AES). It would take less than 3 days by using two 290x and oclHashcat v1.31.
PRINCE is not only about efficiency, it's also about an infinite runtime. Actually, the infinite runtime was one of the major goals when I designed the algorithm. Instead of stopping the demonstration after 24 hours you can continue to run princeprocessor and it will continue to crack the remaining hashes, on and on, and it will never* stop.
* Based on your input wordlist. With the rockyou.txt wordlist, at least not within your lifetime.
--
atom
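The efficiency paragraph above compares ~230 billion candidates in 24 hours with the brute-force keyspace of a 7-bit, length-6 password, and the setup paragraph uses the rule of thumb that a fast hash on one CPU runs about as slowly as a 1000-times iterated salted hash on a single GPU. The following is an added worked calculation, not code from atom's post or from the hashcat/princeprocessor projects; it turns those figures into reusable functions a defender can use to estimate how much of a keyspace an attacker at a given hash rate can cover, and how much an iteration count buys. The hash rates passed in at the bottom are the post's 5 MH/s figure and a constructed 5 GH/s placeholder for an uniterated GPU rate; the linear cost-per-iteration model is an assumption.

```python
# Added example (not from the original post): cost estimation for the
# figures quoted in the thread. All helper names are hypothetical.

SECONDS_PER_DAY = 24 * 60 * 60


def brute_force_keyspace(alphabet_bits: int, length: int) -> int:
    """Number of strings of `length` symbols over a 2**alphabet_bits alphabet.
    The post's "7-bit, length-6" keyspace is brute_force_keyspace(7, 6)."""
    return (2 ** alphabet_bits) ** length


def candidates_tested(rate_per_s: float, seconds: float) -> int:
    """Guesses an attacker testing rate_per_s hashes/s gets through in `seconds`."""
    return int(rate_per_s * seconds)


def keyspace_fraction(candidates: int, keyspace: int) -> float:
    """Share of `keyspace` covered by `candidates` guesses, capped at 1.0."""
    return min(candidates / keyspace, 1.0)


def effective_rate(candidates: int, seconds: float) -> float:
    """Average hashes/s implied by `candidates` guesses in `seconds`
    (useful for checking a quoted candidate count against a quoted rate)."""
    return candidates / seconds


def rate_after_iteration(fast_rate_per_s: float, iterations: int) -> float:
    """Throughput of an iterated hash, assuming cost grows linearly with the
    iteration count. This is a simplification: real KDF throughput depends
    on the primitive, memory use and the hardware."""
    return fast_rate_per_s / iterations


def days_to_exhaust(keyspace: int, rate_per_s: float) -> float:
    """Days needed to try every candidate in `keyspace` at rate_per_s hashes/s."""
    return keyspace / rate_per_s / SECONDS_PER_DAY


if __name__ == "__main__":
    # Figures from the post: ~230 billion candidates in 24 h at ~5 MH/s.
    tested = 230_000_000_000
    post_rate = 5e6
    space = brute_force_keyspace(7, 6)

    print(f"7-bit length-6 keyspace: {space:,}")
    print(f"fraction covered by {tested:,} candidates: "
          f"{keyspace_fraction(tested, space):.1%}")
    print(f"average rate implied by that count: "
          f"{effective_rate(tested, SECONDS_PER_DAY):,.0f} H/s")
    print(f"candidates possible at {post_rate:,.0f} H/s in 24 h: "
          f"{candidates_tested(post_rate, SECONDS_PER_DAY):,}")
    print(f"days to exhaust the keyspace at {post_rate:,.0f} H/s: "
          f"{days_to_exhaust(space, post_rate):.1f}")

    # Constructed placeholder: an uniterated GPU rate of 5 GH/s, divided by
    # the 1000 iterations the post attributes to a $1$ hash, lands near the
    # CPU rate used for the demonstration.
    gpu_fast_rate = 5e9
    print(f"5 GH/s raw GPU rate at 1000 iterations: "
          f"{rate_after_iteration(gpu_fast_rate, 1000):,.0f} H/s")
```

The useful reading for a defender is the last two lines: at a few MH/s the whole 7-bit length-6 space falls in days, and every extra factor of ten in iteration count pushes the attacker's coverage of any given wordlist-derived space down by the same factor.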