Alright, let's see what we can do here. So we're going to crack RockYou without using RockYou. So all I did was take the RockYou dictionary, piped it through MD5, so we have a big-ass list of MD5 hashes now, and see what we can do. We lost a few hashes in the conversion, but I think we'll be alright. Alright, so most basic, let's do a hashcat. We'll do -a 3, and let's just do five characters. So this will do all character classes for five positions, but we're going to start doing one. And then we'll do two, and then we'll do three, then we'll do four, then we'll do five. So that's what this increment flag does. So that is one, two, three, four, five. I think we're doing okay. Alright, almost 300,000 in 27 seconds. Why not? So let's try, we need to grab, so we don't have anything. Let's, we can't do a wiki strip, that would take too long. See if we can find a dictionary. Something small. Let's try like all words of ten letters, not that in a text file. Can I just have a dictionary? Oh yeah, good point, we could use aspell. That's true. Let's grab a wiki strip, because we can use it regardless, and then, do we have aspell? We're going to where the spell dicts go, there we go. So I'm guessing we could probably use the en_US, let's do that one. Yeah, maybe that's not a good one. Maybe without accents, I don't think that one's even gonna, that one's gonna matter. Let's instead, let's go grab, there we go. Let's grab this one. Some random list of words off a, off a GitHub, it's not gonna be interesting. We're gonna do rockyou.hash, and then feed it words.txt, and let's see what we get. Actually, let's look at what these even look like. Yeah, this'll, this'll work. Okay, actually it wasn't terrible, so that's good. Let's try doing, let's do an -a 6 and see what we get. And we'll just add, let's just add two digits. Let's just add, yeah, let's do two digits, and then let's also increment. So we exhaust both of those, so it's gonna fail. Yeah, I mean, I guess that works.
We got 2% just off of that, all right, all right. What if we do, if we already incremented two spaces, let's not run that again. Let's do, let's do, let's just do like, what year did this come out? 2009, right? So let's do 2008, or we're gonna have to trim this hash file too, because these load times are a bit ridiculous. All right, so not a whole lot of 2008 passwords. Let's, we're gonna add --remove, and we're also gonna do an outfile. We don't need to do an outfile, because we can do a potfile. So what this is gonna do is, so we're gonna take all these words that are in words.txt, we're gonna add 2009 to it. Actually, let's just do, let's do 2000 digit, digit. So that should cover everything from 00 to 99, and then we're gonna remove everything that we cracked, because it's gonna go in our potfile anyway. And then after that, we'll roll our potfile back and we'll try some rule-based attacks. So we've only got 13,700,000 more hashes to crack. Okay, not a lot. Let's do a cut -d: -f2 on hashcat.potfile, and we're gonna put that to pot.dict. And let's roll, instead of doing an -a 6, let's just do, let's do generated rules. And let's do like, let's do like 5,000 of them. We'll move that --remove so we don't have to keep doing it every time we want to change a command line or a run line. Probably should have suppressed output. This is a, it hit status, but we're not gonna see anything. We're up over a million now. So that, that got us almost 11%. No, 8, 9%, almost 9%, it's pretty good. And the great thing is, is that if we do that again, we're gonna get a bunch more. But this time we're gonna write this, we'll start writing this out to a file, so we don't slow down at all. We'll call this rockyou.out. Load times are a little bit ridiculous, I think we'll manage. Let's just see what our GPU is doing as well. So down here we'll do like a, a watch -n 5 nvidia-smi.
So even for MD5, because there's so many hashes, we're still only going at what's the 118, 118 million candidates per second, which is a little bit sad, but you know. So we got 278,000 on that one, or 288,000. So if we do it again, we'll get even more. So you just sit here and you loop this attack. I think after this one we'll just do maybe just an uppercase. I don't know, if you have, if you have an idea, tell me, tell me what you want to try in the chat and we'll, we'll give it a shot and see how many you get. All right, so let's try, let's try upper, just uppercasing everything. Wow, we got nothing. Probably because we already had an uppercase in our, in our generated rules. Well, what else can we do? Could try, could try doing some truncates. Let's actually do this. No, no, we'll just do the truncate first. So we'll just take one character off the right side of the plaintext and see what happens. Normally this is really good if you have a word list that already has like years on the end of it. So if you've already cracked hashes and, you know, somebody's using like password2019 and then they use password2020. You trim one to two positions off and then you fill that with digits and get back to it. All right, so let's roll our cracks, because I forgot to do this. We'll roll our cracks back, back into our word list. I already forgot what I called it, pot.dict. And then because we started writing an out file, we're gonna do the same thing for the out file. Actually, we don't need to do that. Yeah, we don't need to do that. All right, so we're gonna take from the left side or sorry, from the right side using -k, we're gonna truncate the first two positions of the word that's in pot.dict and then we're going to try and run everything for two positions and see what we get. Yep, that'll do it. I was actually getting a lot more than I expected it would. All right, so we're what, 10.48% in. We've only got a lot more to go.
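The two plumbing steps the stream keeps coming back to, turning the wordlist into an MD5 target list and rolling cracked plaintexts out of the potfile into a loopback dictionary, as an added Python example (not the streamer's code). Sample words and potfile lines are constructed; the hash values in the potfile sample are placeholders except for the real MD5 of "password".

```python
import hashlib
from typing import Iterable, List

# Constructed sample wordlist: what "piping RockYou through MD5" operates on.
# Includes a CRLF line, a plaintext containing ':', a non-ASCII word and an empty line.
SAMPLE_WORDS = [b"password\r\n", b"iloveyou\n", b"a:b\n", b"\xe9cole\n", b"\n"]


def wordlist_to_md5(words: Iterable[bytes]) -> List[str]:
    """Hash each candidate as raw bytes. Hashing bytes (not decoded text) and
    stripping only line endings is what avoids 'losing a few hashes' on lines
    that are not valid UTF-8 or that carry a trailing CR."""
    out = []
    for w in words:
        w = w.rstrip(b"\r\n")
        if not w:
            continue  # an empty line would hash to d41d8cd98f00b204e9800998ecf8427e
        out.append(hashlib.md5(w).hexdigest())
    return out


def potfile_to_dict(pot_lines: Iterable[str]) -> List[str]:
    """Turn hashcat potfile lines (hash:plain) into a loopback wordlist.
    Two caveats a plain `cut -d: -f2` misses: a plaintext can itself contain ':',
    so split only on the first colon; and hashcat stores non-printable or
    non-ASCII plains as $HEX[...], which must be decoded back to the raw bytes
    (latin-1 round-trips every byte value unchanged)."""
    plains = []
    for line in pot_lines:
        line = line.rstrip("\r\n")
        if ":" not in line:
            continue
        plain = line.split(":", 1)[1]
        if plain.startswith("$HEX[") and plain.endswith("]"):
            plain = bytes.fromhex(plain[5:-1]).decode("latin-1")
        plains.append(plain)
    # De-duplicate while preserving order (the stream's `sort -u` step)
    return list(dict.fromkeys(plains))


# Constructed potfile lines; placeholder hashes except the first one.
SAMPLE_POT = [
    "5f4dcc3b5aa765d61d8327deb882cf99:password",
    "00000000000000000000000000000001:a:b",
    "00000000000000000000000000000002:$HEX[e9636f6c65]",
    "5f4dcc3b5aa765d61d8327deb882cf99:password",
]

if __name__ == "__main__":
    print(wordlist_to_md5(SAMPLE_WORDS))
    print(potfile_to_dict(SAMPLE_POT))
```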
All right, so if we truncated two and it did really well, like let's truncate three but instead of adding something, we'll just keep it with the same two positions and see if maybe we can catch some stuff that doesn't have that. So this is a little brute-forcey without actually doing a mask attack, but I mean, it still kind of makes sense if somebody like prepended, for instance, numbers to a password, if they start with like their birth year or something at the beginning, you know, we could strip those off and then start replacing the first digit or the first character that comes after that. Yeah, see that? We're still getting stuff. So one thing I keep seeing in here is there are a lot of passwords that are just digits. So this would be, to me, tells me that I need to go in brute force. All of these, what is that? Six, seven characters of digits. So after this one finishes, we'll see if we can do that because seven digits will be pretty quick. I mean, technically we could probably even go out to 12 but we'll see what the runtime looks like. So we're gonna strip all this stuff off and then we're just gonna say -a 3 and we only want digits for, we'll say up to eight. And because there were ones that were less than eight, we're gonna increment this as well. So we'll try one digit, then two digits, then three digits, then four digits. All right, so that was pretty quick and that got us, what, almost seven percent. So let's get rid of this increment and let's do one more. Actually, who cares? Let's just go until it's gonna take too long. So we're gonna waste a little bit of time going over the things we already went over but it was fast enough that it shouldn't really matter too much. It's really gonna keep getting faster as we keep cracking hashes because it's less workload to do comparisons against. So what we should also see down here is our GPU memory is gonna spike once the attack gets going because we've got all that stuff loaded into the video card's memory.
This is kind of a good example of why RockYou was bad in some ways. Like it's good, but you could trim all of this crap out because it's going to be rare that you're ever going to see a password that looks like this in a dump today or during a pen test or something. Like if companies had passwords that look like this, their building's probably on fire. Oh, 24% almost, I'll take it. But this also means 24% of this dictionary is crap, right? So we're at, let's see what percent we're at so far. So we're at almost 24%, sorry, almost 25%. That's what 14 divided by four is, math. These probably are spammer passwords though, or automated accounts. So in a lot of ways, like Twitter for instance, or something, Reddit would be a good one. When you're doing automated account stuff, you don't really care about the security of the account if all you're gonna do is sit there and upvote each other or do retweets, or maybe it's a Twitch bot or something like that. So these are likely, I don't know much about RockYou, the site, other than the dictionary. I mean, it could be telephone numbers, but a five-digit telephone number, like we did have a lot of fives, six even. Yep, that's true. Asian countries where sometimes a sentence can be said in a string of numbers, sure. I kind of want it to stop cracking so we can do something else. But you know what, I'm gonna take them. What if, let's do, let's make a word list. We'll just use CeWL again, that's easy. Don't tell DT, I'm gonna scrape defcon.org. So what are you doing? This is only 12, this is gonna take 30 minutes. I don't wanna wait 30 minutes. We're only doing the default, so it's only gonna go so deep. It won't spider too recursively. All right, screw that, I'm tired of waiting. 31 minutes to finish, I don't wanna sit around for 31 minutes. Okay, but we're at 25%, so that's pretty good. What else can we do? What if, ooh, let's do the PathWell masks.
And if you're not familiar with what the PathWell masks are, we will discuss those tomorrow. So this is the top 100 topologies that were observed in corporate networks. Since we have a bunch of them, we'll just do this in a loop. -a 3 and the mask, and then we'll call it done. Come on, you can do it. Okay, looks like a pretty good result. So this is all going to be the same structure. So you see we've got one upper, what's that, one, two, three, four, five lowers and two digits. So that would be numbers, six, eight characters. So we're cracking eight-character passwords in what's our runtime, less than a minute, and the entire attack is gonna complete in about a minute. Oh, we're actually over 25%, because we're missing, what, 200 and yeah, about 200,000 hashes out of this, or no. We're missing like three million. So we're way over 25% at this point, and we're only 45 minutes in. So let's actually even, let's take PACK, we'll run PACK against our cracks and generate some rules and then run some rules against our cracks and see what happens. Let's actually pause this for a second. What do we call this? pot.dict, I think, yeah. We're gonna sort this thing before we do this anyway. So let's do, what was that out file? It's like, no, it wasn't hash, it was rockyou.out. We'll put those in there, and then we will do a sort -u pot.dict to pot.sorted, pot.sorted to pot.dict. Such a lewd file name. So let's go, we'll let this keep going. So we will resume this with R, and then let's do, let's do mask, no, we don't want maskgen, we want rulegen. So, uh-oh, I don't think PACK is, Python 3 didn't look like it to me. We'll try it, I didn't think so. Okay, uh, apt-cache search, Python 2, what, no module named enchant? Probably pip2 install enchant. We're gonna, where are you at, pip? Oh no, it's all going to hell. Python 2 doesn't have, that was pip whl. Let's do it, yeah, it ain't there, man. Let's try installing python-pip.
We need to summon, I feel like, support, port PACK to Python 3. We did it, what provides enchant now? Python 3 enchant, no, Python 2 enchant. What happens if we do that? It's pyenchant, let me smart, can't see library. Okay, we've enchant dove. Yeah, it kinda looks like they may have pulled it, but we're working around it, going slowly, but we're still going, okay, okay, we did it. So we want to statsgen on dictionary, so that was pot.dict, do its thing. All right, so we've got, so these aren't gonna help us too much, I mean they might, we could probably run these and get something out of them, but we're kind of unlikely to, but that's a good example of extracting masks out of dumps that you, or not dumps, but cracks that you've done. So we could take these right here and put them in a new file and then start running them. But what I want to do, our analysis, no, we don't. Why do we not have our analysis? Because we didn't output them, that's why. So let's write that to masks.out. All right, and then we'll feed that into maskgen. I wonder what the math he based, so that's on a billion per second. I don't think we're gonna be able to, I don't think we're gonna be able to cover that in this stream. Let's do rulegen though, and we'll just generate some rules, excuse me. So how does that work for maskgen, but not for rulegen? What was it, statsgen that failed before? I don't remember anymore. I guess I just forgot to redo it. Okay, so let's take a look at our options here. We can make that a little bit smaller. Take the defaults on everything. There we go. We're going through PACK, generating some rules. We've cracked about, I want to say, close to 30% of RockYou right now using nothing but masks, rules, and passwords that we've cracked from those. PACK's gonna take its sweet time, because, you know, so PACK needs to run through about four and a half million candidates, so this is gonna take a little bit.
So we'll let that run down there, and we'll let our PathWell masks keep running. The ol' minga special. You know, we have, this card has like 13 gig of video memory, we'd probably be fine. Let's do it, I ain't scared. In that dictionary, you just grouped massively for PACK, so, oh well, it'll get over it. So we're gonna do rockyou.hash, what'd you want? You wanted the pot.dict, actually, one, two, three, four, five, six. All right, here we go. So we're auto-generating just shy of a million rules, and we're gonna run that against every, what, because, because I don't want to. What if there is a 65-character password in here? I want it, and I'm not gonna get that with -O. Why no -w 4, yeah. That's a good question. Because I'm trying to run PACK, that's why. I would like this box to actually remain accessible. I don't, you know what, dude? My armpits smell like Freebirds right now. Smells delicious. Nope, that's too cl- Oh well, you're throwing prints in there. That's a little close to cheating. We don't want to use, we don't want to use RockYou to crack RockYou. That kind of defeats the purpose. If we did that, imagine RockYou just came out, right? Like, we're all fawning over the fact that we have 14.3 million hashes and we want to crack them. We wouldn't have that. We wouldn't know what rules RockYou was using. It's totally unfair. It's like walking in to do a pen test with a domain admin account and then claiming you own the entire network. Get out of here. Almost at 20, almost at 25, we can do it. Put on your Bon Jovi, let's go. It probably would have been smarter to write the cracks to a file, so this would go a little bit quicker, but it's also a little less interesting because then you just sit there and look at a status screen updating every 20 seconds. See, but this looks like it could actually be an interesting mask to run. So we've got a big string of these. There's some with E. So let's try doing like a lower and six digits.
So we'll do -a 3, we're gonna do lower, two, three, four, five, six. And then just in case there's some that are maybe five, we'll do increment and we're actually gonna write these to rockyou.out because this should run fast enough, it won't matter. All right, so 25, 21. So we were definitely getting cracks. So we started at 25.07, so we got, what, 14, or 0.14% out of that? That's not as good as I thought it would be. This is more, this one was more fun, actually. Let's not even do that yet. Let's roll our cracks back in. This is pot.dict, I'll sort you. Did I just say it's close to the end? We need to roll the old hashes back in though. Okay, is this gonna finish? In nine hours? Oh my God, ain't nobody got time for that. Once PACK's done, well, actually, you know what? If I kill this PACK, we'll go faster. So we'll let PACK do its thing and then we'll run the PACK rules. Now, you know what? I wanna run, what was that? Lower, one, two, three. Where to do this? I think we did. Let's do the opposite of that. So we've got this one, which seems to be doing a thing. One, two, three, four, five, six, lower. Uh-oh, did we break it? I think it's broken. We've run out of memory because PACK is trying to do four million rules. Yeah, I need a sad trombone. Shoulda let PACK finish. Oh, shit. Well, we didn't do too bad before we crashed. I mean, I can't even scroll. Like, this thing is toast. So we did, what do we have here? 2.9, so we're at three million there and then we trimmed out about three million. So we cracked about, well, I guess that would be almost 50% then, right? So we've cracked half of RockYou in an hour and 19 minutes using nothing but masks and a couple word lists. I think we used the English dictionary. Got a bunch of stuff with some hybrid attacks. Did some mask attacks with digits. Because for whatever reason, RockYou has a million digit passwords. You know, this is a, I have to put new spirits for them. Shit, we're back. PACK did its thing.
Really inopportune time too. I just shoved the food in my mouth. All right, so we're back. All right, so PACK went and took a look at all the words that we had in our word list and it built a rule set out of that and then it sorted that rule set. So we can take this analysis sorted.rule and feed this in using our pot.dict. We should get a shit ton of cracks, see what happens. No, and we don't have to cover those because hashcat defaults to MD5 as its, well, hashcat, yeah, it defaults to MD5 as the hash type and since we're running MD5s, we don't need to worry about it, and because we're still doing dictionary attacks, we don't need to specify -a because the default value is to do a dictionary attack. So adding rules to a dictionary is still a dictionary attack. It's just mangled by rules. I mean, at this point, we might just crack everything. I think I just saw my password fly by too. The hell's with the 727s? A bunch of Boeing fans at RockYou. Yeah, I saw that, I think so. Let's do it and if only that were the case. All right, so password.dict and then we're gonna run, we're not gonna run PACK again because my analysis rule sorted. I would laugh if this got nothing. The kid did it, 2787, yeah. Good work, Manga, you got nothing. Yeah, I don't know, it's only one word. Why would it have queued? Maybe because it split the workload. No, there's an R. Oh wait, yeah, yeah, yeah, I missed an R. What was that, 2% roughly? 2787 to 3074, almost 3%. Now what if? I don't wanna do the whole thing because that's gonna take way too long. What if S-W-O-R-D, we'll do two to start. No, we'll do one to start. Forgetting all kinds of stuff. I should have done this as increment because these startup times are getting a bit ridiculous. Word pass, no one will ever guess. Oh, we're getting faster, we're up to 500 million, almost 500 million. Yeah, drowssap, drowssap's always a good one. I mean, that did pretty good. Nope, so that doesn't matter because we already specified it here.
Let's run it out a few more characters and see what it gets. Something that would have been smart is if we did the lowercase O, the uppercase O and then a zero, and then for I, we do lower I, upper I and a one. Run that file. I did that. We ran the top 100 PathWell masks. I'm not doing that. Dude, on a Tesla? All right, after this one, we'll run it. That's gonna take 10 minutes, I don't wanna do that. If you're over there analyzing what the fastest thing you can run to crack as much as you can, you'll be disappointed. So what do we have? So we have -a 3 incrementing from a minimum of eight with a runtime of 17 seconds. We have one, two, three, four, five, six, seven, eight, nine, 10, 11, okay, increment. The tools haven't been updated in a while though. I don't know, I mean, there comes a point where you get used to, or you've already generated the things that you need to generate and you've already found other ways of doing something, that you don't need to pull the tools back into it. Yeah, no, I still PWM in. I mean, hell, I didn't even catch it when you typed it and typed it myself, so, you know. It's not cheating that much because we're still running the attacks. Yeah, yeah, I know. But there's a very big difference between let's use the rules generated from RockYou against RockYou versus hcstat, because you still have to get your baseline in before you do that. It is cheating. That's why we regenerated the rule set down here. Oh, no, no, no, no. But I'm done in about 30 seconds anyway because it's 11 o'clock and I wanna take a break from sitting here. All right, so we did 4.4 million plus half is hard, 14344391 minus 1192525472. So for that 5.8 million, so we did just under 50% in an hour and 40 minutes. It's pretty good. So I'm gonna blow this box away. That was fun. Maybe tomorrow we can do something similar. I'll save the cracks, but we'll see, Saturday night's gonna be crazy. Anyway, that's it for now. Thanks guys.