Welcome back, everyone. Today we're talking about password cracking, and we're going to use a somewhat special way to create a word list for it. For the cracking itself I'm going to use hashcat, but for the creation of the word list I'm going to use a memory dump from a suspect system.

I noticed that whenever people get these memory dumps, either in CTFs or even in law enforcement, they don't tend to use them to their maximum potential. If you've done memory dump analysis before, or seen a video on this channel before, we talked about Volatility and using it to parse out memory. But there are a lot of other ways to use the data that's available in memory, and one of those is to create a word list.

Why would we want to use memory to create a word list? Think about what is in a system's random access memory: anything the user loads, anything the user types, including passwords, websites, URLs, credit card numbers, all of those types of things. If the user has interacted with that data or those strings, they might be available in memory, as long as the user did it within the current session. For example, when I turn on my computer and type my password to log in, that password goes into memory so the computer can check it, and it stays available in memory at least for a limited period of time. Anything else I type or anywhere else I go in that session can also stay resident in memory until I shut the system down, although there is no guarantee: memory gets reused, so a string typed early in a long session may have been overwritten by the time the dump is taken. Okay, so we can take advantage of this because the user is typing their passwords basically all day long, logging into websites, entering usernames, things like that.
And we can use that information to build word lists or username lists and target our attacks against the user's data. One way to do that: I have this memory dump, and it's uncompressed. If you have the compressed version, make sure you decompress it first. It's a decompressed memory image of a Linux system, in LiME format. For the same system, I've already dumped the user's password hash from the hard drive. If you don't have access to the hard drive, because maybe it's encrypted or something like that, you might be able to get the user's password hash from RAM as well (on Linux the contents of /etc/shadow are often still sitting in the page cache, so the $6$ hash string may turn up in the dump). I just dumped this password hash directly from the disk, so if I cat hash.txt we have the username and then the password hash. So we have the hash we want to crack, and we have a memory dump of a Linux system.

I'm using Linux here, and we can use a tool called strings. strings is fairly powerful and does exactly what it says: it goes through all of the data and pulls out anything that looks like a word or phrase, which by default means any run of at least four printable ASCII characters. You can configure what it considers a string through its options, and I would configure it based on what I know about the user: if they speak a specific language, I would pull out different types of strings based on that language (and for Windows memory, where a lot of text is stored as UTF-16, strings -e l is the option to know about). For English strings the defaults work fairly well, and I don't have any special considerations here, so I'm just going to use the defaults. If we type strings -h, we can see the help menu, with lots of options including the minimum length, how many bytes a character takes, whitespace handling, things like that. So we can run strings.
And then just give it the decompressed memory image, piped through head so you can see what kind of stuff comes out. The first string it finds is EMiL, which is the file header of the LiME memory image format (the LiME magic is 0x4C694D45, which read as bytes is EMiL). So that's actually a file header, but strings still detects it as a string and pulls it out. Then we find strings like false, BIOS disk, a couple of garbled fragments, something not found, not a boot disk. Notice we also pulled out 34ca4, which is just some possibly random data. We can run xxd on the image, also piped through head, to see what's going on: you see EMiL for the header, and the rest of that data must have been further down than the first ten lines. So strings literally does what it says: it pulls out any strings it finds, and it picks up phrases that are connected together, like "not a BIOS disk". Is it perfect? No, you're never going to get perfect strings out of it unless it's a very well-formatted file, but it really does the job. strings is a great tool to have and to know about.

Now what I'm going to do is run strings over the memory image and count the number of strings we get out, by piping the output to wc -l. We get about 36 million. That is a lot of strings, a lot of password candidates, but it's way less than brute force, which is going to try far more candidates than that before you get anything, and the chance that one of these is the user's actual password is relatively high. We could run through this word list quickly and might get something out, but we can do better. So far I just dumped all of the strings and counted them.
So instead of just dumping all of the strings, I'm going to run strings on the image just like last time, except I'm going to pipe it through the Linux command sort, and then pipe that to uniq. So we get all of the strings out of the memory image, sort them (basically alphabetically), and then keep only the unique values. We have to use sort and uniq together, because uniq only collapses adjacent duplicate lines (sort -u does the same thing in one step). Any duplicates in that 36 million count get removed, which should greatly reduce the word list, and with a greatly reduced word list with no duplicates you can run through it really quickly while the chance of having the user's password in there stays very high. So I'm going to save that out to wordlist.txt: strings <memory image> | sort | uniq > wordlist.txt. This process takes quite a bit longer, because all the strings have to be dumped and the entire list collected before it can be sorted and sent to uniq, so I'm going to clip that out. It took about a minute and a half to two minutes for this memory dump. Next is to see how many lines we now have in the word list, with wc -l wordlist.txt, and hopefully it's less than 36 million. We got about 12 million, so a pretty good reduction in the number of possibilities. These are our possible passwords.

We could definitely optimize this further. Looking at the head of the file, we get a bunch of entries that are probably just tab, tab, tab: all of that was detected as a string, but there are a lot of tabs in there. If we don't expect tabs in passwords, we could remove entries like those, and all of these would be gone. At the tail we get things like a bunch of Zs, which could be valid passwords.
But that's the kind of word list we have. The hope is that the memory dump contained strings the user had typed, like their passwords, and that those are now among the 12 million options in the word list. So now all we have to do is fire up hashcat and give it the hash and the word list. I have hashcat in /opt/hashcat. First we need the hash type: I have a hash from a Linux user, so I run hashcat -h and grep for sha512, and we find sha512crypt $6$, SHA512 (Unix), whose mode number is 1800. hashcat has to be told the type of hash you want to crack. So the command is /opt/hashcat/hashcat -m 1800 -a 0 hash.txt wordlist.txt, where -m 1800 is the hash type, -a 0 is straight (dictionary) mode, hash.txt is the hash I dumped from the hard drive, and wordlist.txt is the word list we created from the memory image.

Now, why do it this way instead of using something like the rockyou word list that's already been created? I know for a fact that people attempted to crack this hash with rockyou and they just couldn't get it; there was nothing in rockyou. Maybe if they were doing some sort of transforms it might have worked, but let's take a look at what our word list gets us. hashcat reports the number of passwords in the dictionary, so we can see it was loaded properly. Whenever you're running this, make sure you at least have a GPU, even if it's not optimized for cracking, like mine; hashcat can detect it and use it. It might be a little small on screen, but you can see my GPU is at 100%, basically cranking through those.
You definitely want the GPU doing your password cracking instead of your CPU going crazy. Right now I have very low CPU load and the GPU is fully used. Again, this GPU is not for password cracking, but it can still do the job. And we're now done: here's our hash value plus the cracked password, with mode 1800. It took one minute and 30 seconds on a laptop NVIDIA GPU, not optimized at all. The reason this is so fast isn't the hardware. It's that fast because we had a word list focused on the individual user we were looking at: it came from their RAM dump, the user typed that password, we were able to get it out of the memory dump, build our word list from it, and crack very quickly because of that. That's the first thing I would be doing, especially if I have RAM: going through, getting all the strings, and using them as a username and password list for whatever attacks I was trying. With something like the rockyou list, which is the de facto standard for password cracking, you would not have gotten this password quickly. I think the first person to get the password took maybe three days, and I think they were using a really beefed-up system to brute force it. But if you have a RAM dump, generate your password word lists from it; it will help you immensely most of the time.

So that's all I wanted to show: if you have a RAM dump, it's very easy to make a word list from it. Using strings, you can customize how many words are extracted and remove things like tabs if you want to optimize. But just using default Linux commands to build our word list and then hashcat, we were able to crack the password in about a minute and a half. It's definitely worth the time to build those lists yourself and customize them to your specific problem. So I hope that was useful.
I know a lot of investigators are at least starting to get RAM dumps, and this is one of the reasons RAM dumps are so useful. So always try to get a RAM dump if you can and build word lists from it. Don't only use tools like Volatility to parse everything out; also use more basic tools to build the word lists you might be interested in. Okay, so I hope that was helpful. Thank you very much.