Message-ID: <CAJ9ii1EqH0CYnUO-4mMhqRDA23ar0m5ZEzRJEMWP7Q-x62w_vw@mail.gmail.com>
Date: Thu, 20 Aug 2015 12:06:40 -0400
From: Matt Weir <cweir@...edu>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Anyone looked at the Ashley Madison data yet?

Some clarification. Most of those NT hashes are for service accounts. There
are only around 180 accounts that appear to be user accounts.

Matt

On Thu, Aug 20, 2015 at 11:27 AM, Matt Weir <cweir@...edu> wrote:

> What's more interesting to me are the 1324 corporate NT hashes that were
> contained in the dump. From a very quick cracking session it looks like
> they were created with a password creation policy in place that required
> all passwords to be at least seven characters long and contain at least one
> uppercase character and one digit. From a research perspective this is very
> useful since I don't know of any other publicly available corporate
> password set like this.
>
> Matt
>
> On Thu, Aug 20, 2015 at 7:15 AM, François <francois.pesce@...il.com>
> wrote:
>
>> Hello guys, @JokFP here.
>>
>> I've got ~300 passwords cracked after 12 hours using single mode cracking.
>> It's not great, but I'm really not spending much CPU money on it.
>>
>> It's not really fast, and the passwords found are *really* weak:
>> it looks like there was no password requirement at all. Some of them are 5
>> letters or very common passwords from password lists like "shadow", others
>> are equal to the nickname used.
>>
>> Based on these preliminary results, I'm afraid that launching a top-500
>> passwords attack with no or simple rules (like append 1, append 0-9, etc.)
>> might well be effective (maybe on the order of hundreds of thousands to
>> millions of accounts compromised).
>>
>> Examples of passwords found by single mode here: 01050105 101196 111223344
>> 14789a 42ashley 4444bud 774tsews 8519namor 96onepalajj 987654321reppiz
>> aa12358 aaaaaa ABCDEFG alexas Anderson2020 anglesmith1 arzu1299 asd1234
>> asdasd Attili69 ax987 barrios bbuckup beast BENJE22 bin2001 bitefor burrell
>> capriforlife Carloseduardo12587 chocolatudos CLONE69 colby123 coppy400
>> curry daniel DAVID888 DDS0011 dengo87 dennis6792 diogo dkgkd dogbait
>> eddieet ENALIAM evair Gabi1919 GATITO gemmer ghj9635 gj4237 gjb0009 goalin
>> hg5758 HIANZ hotbabe hothot hulkman johnfix jorgegonzalez2015 k612309
>> kanenas krish12 ksj4860 kupal Laurent lebron limaj logan lolilol loyiso
>> maddmaxx Marcelo MARK111 masexi mati142 Matyone mikgarcia mimiacy mono071
>> monte morenosc nicolay777 nidaerep okim3650 pecas pikachu piropiro pyrek89
>> qhdrnTl qwe44444 ram3131 raulromero richarddelk rober roberto roquette
>> rrxxpp S7762639 sergvs sexpots shaan stephanie StlefStlef tazman69 Testing
>> thalish tjh18 udomsin VE2015N vic7781 vox51 wlswogh www2095 xuxiding xxcvb
>> ydw2da yesyouashley z50180 zakizak znlived Zuluboi
>>
>> Francois Pesce
>>
>> On Thu, Aug 20, 2015 at 1:10 AM, Rich Rumble <richrumble@...il.com>
>> wrote:
>>
>> > On Wed, Aug 19, 2015 at 6:33 PM, Solar Designer <solar@...nwall.com>
>> > wrote:
>> > > On Wed, Aug 19, 2015 at 05:25:22PM -0500, Jerry Kemp wrote:
>> > >> Wondering if anyone has looked at the Ashley Madison data dump yet?
>> > >>
>> > >> According to this article:
>> > >>
>> > >> <http://arstechnica.com/security/2015/08/data-from-hack-of-ashley-madison-cheater-site-purportedly-dumped-online/>
>> > >>
>> > >> The dump contains 10 Gb of data and passwds are in the bcrypt format.
>> > >
>> > > I haven't looked at the dump, but I tweeted a summary of other tweets:
>> > >
>> > > <solardiz> Ashley Madison is 36.1M bcrypt cost 12 salts so 1
>> > > CPU-week/password, says @jmgosney; dozens already cracked with "john
>> > > -single", says @JokFP
>> > >
>> > > In other words: strong hashes, but many weak passwords.  The weak
>> > > passwords are crackable, but slowly.  The stronger passwords are only
>> > > potentially crackable in a targeted attack (on a specific user), but
>> > > won't likely be cracked in the typical mass password dump cracking fun
>> > > that we've seen for other mass password hash leaks.  This one is
>> > > different.  It's probably the largest bcrypt hash leak so far.
>> > >
>> > A small sample appeared on Twitter:
>> > https://twitter.com/sambowne/status/633754116804620288
>> >
>>
>
>
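A defender-side check for the two failure modes the thread describes, added here as an example and not code from the thread or from John the Ripper: it applies the corporate composition policy Matt Weir infers for the NT hashes (at least seven characters, one uppercase letter, one digit) and then tests for the weaknesses that policy does not catch, namely a password on a common-password list or one derived from the account nickname. The sample list is a subset of the cracked passwords quoted above; the denylist and the nickname/password pairs are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed subset of the cracked passwords quoted in the thread above,
# embedded here so the example runs offline.
SAMPLE = ["aaaaaa", "ABCDEFG", "Anderson2020", "colby123", "shadow",
          "42ashley", "Gabi1919", "pikachu", "stephanie", "DAVID888"]

# Small constructed denylist standing in for a top-N list; a real deployment
# would load a much larger one.
COMMON = {"shadow", "password", "123456", "aaaaaa", "qwerty"}


def meets_corporate_policy(pw: str) -> bool:
    """The policy Matt Weir infers for the corporate NT hashes: at least seven
    characters, at least one uppercase letter and at least one digit."""
    return (len(pw) >= 7
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def derived_from_nickname(pw: str, nick: str) -> bool:
    """True when the password is the account nickname with only digits or
    punctuation added at either end, i.e. the kind of candidate that
    username-based (single mode) guessing derives from account metadata."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.lower() == nick.lower()


def weaknesses(pw: str, nick: Optional[str] = None) -> List[str]:
    """Return the reasons a password should be rejected at set time."""
    issues = []
    if not meets_corporate_policy(pw):
        issues.append("policy")
    if pw.lower() in COMMON:
        issues.append("common")
    if nick is not None and derived_from_nickname(pw, nick):
        issues.append("nickname")
    return issues


def summarize(passwords: List[str]) -> Dict[str, int]:
    """Count how many of a cracked sample would have passed the composition
    policy and how many sit on the denylist."""
    return {
        "total": len(passwords),
        "pass_policy": sum(meets_corporate_policy(p) for p in passwords),
        "common": sum(p.lower() in COMMON for p in passwords),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
    # Constructed nickname/password pairs; the thread reports passwords equal
    # to the nickname but does not list the pairs.
    for pw, nick in [("stephanie", "stephanie"), ("Gabi1919", "gabi")]:
        print(pw, weaknesses(pw, nick))
```

Running it on the sample shows the point of Matt's and Francois's observations side by side: only three of the ten quoted passwords would have satisfied the composition policy, and "Gabi1919" passes that policy yet is still just the nickname with a year appended, which is why a denylist and a metadata-derived check belong next to any composition rule.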
