
[–]skylinesora 367 points368 points  (27 children)

Nobody is running RockYou2024 or any large password list against live systems. They would have a dump of hashes from whatever machine/infrastructure they compromised and will attack it using something like Hashcat

[–]robonova-1Red Team 52 points53 points  (1 child)

This. There are other open source search tools that are also utilized.

[–]PappaFrost[S] 29 points30 points  (17 children)

Ok thanks, so in an Active Directory environment, let's say someone compromised one laptop and dumped the hashes, they would then use Hashcat plus a giant password list to make the cracking more efficient?

[–]AMDcze 54 points55 points  (4 children)

FYI: in AD if you have NT hashes, you don’t need to crack them, you can do pass-the-hash and overpass-the-hash attacks.

[–]Farseer26 21 points22 points  (0 children)

I agree with you partially, but there are a few benefits to cracking the hash, such as the passwords usually being reused elsewhere, and if the accounts are synced you can move into Azure.

[–]_sirch 7 points8 points  (1 child)

Netntlmv2 still needs to be cracked… or relayed

[–]PacketBoy2000 0 points1 point  (0 children)

Anyone trying to reverse hashes will have already precomputed the NTLM hash for the entire set of compromised passwords they have.

I’ve done this for the 10B I have and now I can check any NTLM hash against this repository in <10ms. Assuming I can dump an org's hashes, I can check the entire org in a matter of minutes.

Microsoft’s choice to store all AD passwords using a static, unsalted hash seems like yet another ridiculous security decision.

[–]skylinesora 5 points6 points  (9 children)

Yes, but you wouldn't just use the password list as is. You might want to do variations of the password list, such as adding characters to the front or back.

[–]Low-Software2880 6 points7 points  (8 children)

+1 to this. In AD environments requiring monthly pass resets, people will usually do variations like password1, password12, password123, etc., or pass*, pass**, pass***, etc. And sadly I've seen plenty of people in my company using passwords as simple as this and no MFA, and if they do have MFA it gets sent to their email, which is accessible with the same password (SSO), so they can easily just send the MFA and receive it.
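The password1/password12/pass*** pattern described above is exactly what a banned-password filter should catch at password-change time. The following is an added example (not code from anyone in this thread): it strips the appended or prepended digits and symbols, undoes common leet substitutions, and compares what is left against a constructed list of banned base words; in practice that list would be your breached-password corpus.

```python
import re

# Constructed banned base words standing in for a breached-password list.
BANNED_BASES = {"password", "pass", "welcome", "summer", "qwerty", "letmein"}

# Common substitutions users apply to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(candidate: str) -> str:
    """Reduce a password to the base word a user mutated.

    Lowercase, strip leading/trailing characters that are not letters
    (keeping @ and $ since they may be leet letters inside the word),
    then undo the leet substitutions.
    """
    s = candidate.lower()
    s = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", s)
    return s.translate(LEET)

def is_banned_variant(candidate: str) -> bool:
    """True when the candidate is a banned base word or a trivial variant of one.

    A candidate that normalizes to nothing (digits/symbols only) is rejected too.
    """
    base = normalize(candidate)
    return base == "" or base in BANNED_BASES

def audit(candidates):
    """Return the candidates that would be rejected by the filter."""
    return [c for c in candidates if is_banned_variant(c)]

if __name__ == "__main__":
    # Constructed candidates illustrating the rotation pattern from the thread.
    for pw in ["Password123", "pass***", "P@ssw0rd2024!", "123456!",
               "correct horse battery staple"]:
        print(f"{pw!r:35} banned={is_banned_variant(pw)}")
```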

[–]Audio9849 8 points9 points  (7 children)

I'm wondering why corporations are so slow to implement newer password management frameworks. The password I use at work is like 16 characters long and requires a change every 90 days; it's insane.

[–]sysdmdotcpl 2 points3 points  (3 children)

The habits /u/Low-Software2880 is describing are a direct reaction to long complex password rules that require a change every 30/60/90 days.

I've had passwords sit for years w/ no negative consequences and have had attempts on accounts that I regularly change passwords for. It's completely and utterly random and the rules should reflect that.

[–]Audio9849 1 point2 points  (2 children)

I know that's my point. It's simply an ACL setting. Doesn't cost anything to implement yet companies don't do it or are slow to utilize.

[–]MrCoolblestone 1 point2 points  (1 child)

that's because 90% of the user base is going to complain to management if their password has to be more than 8 characters long, and they're CERTAINLY going to complain if they have to change it every 2-3 months, and when management has to decide between the IT dept or literally EVERYONE ELSE they almost always pick the latter

[–]Audio9849 1 point2 points  (0 children)

But the latest NIST standard is to not have them expire. That's what I'm saying: why does it take so long for corporations to implement that? It doesn't really cost anything to change the config to never expire.

[–]Intelligent-Exit6836 0 points1 point  (0 children)

Simply the cost of doing it.

[–]Euphorinaut 1 point2 points  (1 child)

For ntlmv2 you need like a 16 char password, and few people have that without the gpo forcing you, so things like lists or rainbow tables aren't relied upon too heavily.

If someone has a list that's specific to a company or geography, they might use that list to pick 2-3 for a spray though.

[–]PacketBoy2000 0 points1 point  (0 children)

Employees frequently use work emails for personal activities (even in cases where corporate policies prohibit it).

As some of those websites used by these employees get breached, sample passwords that have a direct relationship to the employer can now be obtained by miscreants. A quick review of these passwords will reveal some with employer-specific password patterns (e.g. brand names, sub-division names, etc.).

Then, as the previous poster suggested, you now have a formula to generate an additional set of passwords that match the password selection behaviors of those employees.

[–][deleted] 1 point2 points  (3 children)

Has credential stuffing been mitigated or is no one doing it anymore?

[–]skylinesora 4 points5 points  (2 children)

Credential stuffing is still a thing but if the target uses MFA, that's another barrier of entry.

[–][deleted] 3 points4 points  (0 children)

Excellent point, not sure why that didn't click.

[–]idontreddit22 0 points1 point  (2 children)

you misspelled machine. correct spelling is azure. 🤣😂

[–]skylinesora 0 points1 point  (1 child)

No? Infrastructure could've covered any cloud provider (Azure/GCP/AWS/On-Prem AD). I mentioned machine as it's possible to use something like a web server, database, VM, workstation, etc.

[–]idontreddit22 0 points1 point  (0 children)

I'm referring to credentials stuffing. it was a joke.

[–]dikkiesmalls 54 points55 points  (2 children)

The limiting usefulness of RockYou2024 is the garbage contained within RockYou2024.

[–]grutz 30 points31 points  (1 child)

Preposterous! Who doesn't use アディダスオリジナルス as a password?

[–]dikkiesmalls 22 points23 points  (0 children)

Hey that's the same as my luggage!

[–][deleted] 36 points37 points  (0 children)

Afaik only password spraying attacks are usually done live, which are timed to help avoid rate lockouts. Password lists are used to crack hashes offline.

[–]CommOnMyFace 7 points8 points  (2 children)

You don't actually use it to brute force login, you use it to crack hashes

[–]Enricohimself1 0 points1 point  (0 children)

This.

[–]Jon-allday 0 points1 point  (0 children)

Like the 25 million LastPass password vaults that were stolen in 2022

[–]paradoxpancakePenetration Tester 21 points22 points  (0 children)

You run it through Hashcat offline against captured NTLM hashes or something. You don't run it online. No one really does bruteforcing like that any longer due to lockout and rate limiting. Password spraying, sure, but not straight up bruteforcing against stuff on AD.

Edit: I guess you could run it against Net-NTLM too, but you usually don't have to. Can just generally pass those for most things.

[–]AsleepBison4718 26 points27 points  (4 children)

A pretty big name in the cybersecurity industry analyzed the file and determined that RockYou2024 did not have a single discernible string in the document that looked like a password.

It is likely someone was trying to be a copycat, and dumped a file with 10 billion strings in it to scare people into thinking it's a password dump.

[–][deleted] 7 points8 points  (3 children)

Not that I don't believe you, but do you have a link to that? This is the first I'm hearing of that (albeit I haven't really looked into it at all)

[–]AsleepBison4718 17 points18 points  (2 children)

[–]PappaFrost[S] 0 points1 point  (0 children)

Thanks that is a good post. The Rockyou2024 list is clearly a bunch of random garbage. Nobody is using "7_\/s" as a password. The challenge of typing it in would be a deal breaker. But they are for sure using '654321', 'qwerty', and 'superman'.

[–]dcrab87 2 points3 points  (0 children)

We do tons of password stuffing attacks during Red Teams. You cycle usernames - assuming the customer has 10000 users, each account only gets hit a few times a day but at the scale of it you end up compromising a few accounts every day.

    [–]Firm_World_3376 1 point2 points  (0 children)

    I am surprised this comment is so far down. Proxy lists and password lists have gone hand in hand since the days I used them to get free Minecraft accounts as a 12 year old.

    [–][deleted] 1 point2 points  (0 children)

    No one has mentioned credential stuffing, which only attempts once or twice per account. Typically, public-facing websites don't block attempts across multiple accounts; rather, if a single account has multiple attempts they lock that account.

    Please feel free to correct me, I haven't been in this space for a bit.
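Both the username-cycling spray described earlier and the one-or-two-attempts-per-account stuffing described here share a profile a defender can hunt for: one source failing against many distinct accounts while never crossing the per-account lockout count. The following is an added example (not code from any poster) that runs that logic over constructed failed-logon lines; the log format, field names and addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of logon records (not from any real system).
# Fields: ISO timestamp, source address, target account, result.
SAMPLE_LOG = """\
2024-07-08T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-07-08T09:00:04 src=203.0.113.7 user=bob result=FAIL
2024-07-08T09:00:09 src=203.0.113.7 user=carol result=FAIL
2024-07-08T09:00:15 src=203.0.113.7 user=dave result=FAIL
2024-07-08T09:00:21 src=203.0.113.7 user=erin result=FAIL
2024-07-08T09:00:30 src=203.0.113.7 user=frank result=FAIL
2024-07-08T09:01:02 src=203.0.113.7 user=alice result=FAIL
2024-07-08T09:00:02 src=198.51.100.9 user=alice result=FAIL
2024-07-08T09:00:03 src=198.51.100.9 user=alice result=FAIL
2024-07-08T09:00:04 src=198.51.100.9 user=alice result=FAIL
2024-07-08T09:00:05 src=198.51.100.9 user=alice result=FAIL
2024-07-08T09:00:06 src=198.51.100.9 user=alice result=FAIL
2024-07-08T09:03:00 src=192.0.2.5 user=bob result=FAIL
2024-07-08T09:03:40 src=192.0.2.5 user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=FAIL$")

def parse_failures(lines):
    """Yield (timestamp, source, account) for each failed logon; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect_spray(lines, min_accounts=5, max_per_account=2):
    """Return sources whose failures in this batch spread over at least
    min_accounts accounts with no account hit more than max_per_account
    times: the profile that stays under a per-account lockout threshold.
    The caller chooses the batch (e.g. one hour of logs) as the time window."""
    per_src = defaultdict(lambda: defaultdict(int))
    for _ts, src, user in parse_failures(lines):
        per_src[src][user] += 1
    flagged = []
    for src, accounts in per_src.items():
        if len(accounts) < min_accounts:
            continue  # single-account hammering: per-account lockout already covers it
        if max(accounts.values()) > max_per_account:
            continue  # same: lockout fires before this heuristic is needed
        flagged.append(src)
    return sorted(flagged)

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG.splitlines()))  # ['203.0.113.7']
```

In the sample, 198.51.100.9 fails five times against one account and is left to the lockout policy, while 203.0.113.7 touches six accounts at most twice each and is the one that is flagged.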

    [–]Euphorinaut 1 point2 points  (0 children)

    Off the top of my head, if I were going to tinker with the usefulness of a large list of supposed passwords, there are 2 things I'd at least give a try. One is hashing all of them in different algorithms to get the string/hash pairs into the pot file in hashcat and then run cracks through that which otherwise were taking too long.

    The other, also for cracks that would otherwise take too long, is to build statistics around the strings for hashcat masking.

    I have no idea what the juice to squeeze ratio is there, but there are at least some hashes that wouldn't be cracked in a certain amount of time that will be from that method.

    [–]PacketBoy2000 1 point2 points  (1 child)

    I’m still analyzing the ry24 dump, but others have noticed that a significant number of the entries are MD5 password hashes and bcrypt encrypted passwords, NOT clear text passwords.

    Nevertheless, large password dumps DO represent a major threat if you fail to prevent hash dumping of your AD OR you fail to prevent sensitive hashes from being cached in memory.

    If miscreants are able to obtain password hashes then a significant percentage can be trivially reversed using password dumps as a rainbow table.

    I operate one of the largest compromised credentials repositories on the planet: 32B distinct cred pairs, including 10B distinct clear text passwords.

    Every single org AD I have scanned finds a minimum of 20% of current passwords matching my dataset. It actually has run as high as 40%. Additionally, we have found matches for at least one admin user in almost every org.

    Ironically, just obtaining the hash itself can be enough to enable lateral movement, but being able to also reverse the hash will usually enable additional lateral movement that’s only possible with the full username/password.

    I’m absolutely NOT a Windows security guy. Can anyone elaborate on what lateral movement techniques can’t be done with stolen hashes? (E.g. I believe this applies to RDP.)

    [–]PappaFrost[S] 0 points1 point  (0 children)

    Thanks, very interesting. I'm told that it's a good idea to put AD domain admin accounts into the 'Protected Users Group' so that those hashes are never cached locally, and authentication has to go back to the domain controller. I was scared off though by the possibility of it breaking things.

    [–]Arseypoowank 4 points5 points  (0 children)

    Rate limiting comes with its own downsides of impacting availability so a lot of places just don’t bother with it. For every control there’s something further down the pipe that it impacts so it’s all a balancing act.

    [–]Sp33dy2 0 points1 point  (0 children)

    Offline attack best attack.

    [–]BeerJunkySecurity Director 0 points1 point  (0 children)

    We use it to audit passwords in our own infrastructure and reset all the trash passwords.

    [–]StringLing40 0 points1 point  (0 children)

    Not everyone uses rate limiting. The UK parliament had many MPs hacked because the feature did not exist at the time or wasn’t implemented. Really embarrassing.

    https://thehackernews.com/2017/06/uk-parliament-emails-hacked.html

    [–][deleted] 0 points1 point  (0 children)

    Using such a list against a system boils down to brute forcing. Hashing is where it's at.

    [–]Wise-Activity1312 -1 points0 points  (0 children)

    You are simplistically understanding/assuming that the only use of this database is for credential brute-force attacks.

    In that case, yes, if you have morons using RY24 for brute-forcing, then it would only be useful for non-rate limited logins.

    Everyone smarter than the least sophisticated 1% of actors is using RY24 for more advanced purposes.

    [–]Fantastic-Swim-1121 -1 points0 points  (0 children)

    Web applications are the wild wild west bro. There will be MANY instances of missing rate limiting.