We'll use John the Ripper, and as a target we'll use the MilitarySingles.com md5 password hashes that were released by the artist formerly known as lulzsec.
First, let's hack out a quick script that will get relevant tweets for us. And yes, I use a lot of tabs. And I know I can do this cleaner... I'm in a get it done quick mood.
(EDIT: thanks to Supercow1127 and TheShadowFog for pointing out better ways to deal with JSON. See jshon, jsawk, etc).
The script will connect to twitter and get 500 tweets for the term supplied, then barf back all the words from those tweets in a list for us. Next we are going to pass the script some words that might be relevant to our target.
After we sort the list out, we're left with 4400 unique words.
Let's try those words against our hashes and see how many of them are used as passwords. We'll use the --rules option so that it mangles up various permutations of each word.
And here come the passwords.....(scrolled off the screen)
FROM OUR WORD LIST OF 4400 WORDS, WE YIELDED 1978 PASSWORDS!
And that's 1978 uniques. The number of accounts we actually cracked with these 1978 passwords is actually even more than 4400 accounts cause many use the same passwords as each other, and with the mangling rules John tries ~300 mutations of each word in the list (semperfi gives us semperFi, semperfi1, semperfi123, etc).
This is a very small example of what can be done to generate more relevant password lists using twitter/websites/social media to supply you with the related words. Download john, hash your passwords, build a list of words relevant to your organization, and test the security of your passwords. Heck, we haven't even started talking about GPUs and oclhashcat, but we'll leave that for another time.
Until next time, if you're going to hack, hack effectively.
And props to Kevin Young. Thanks for all the lengthy discussions about password security. I truly enjoy picking your brain.
Pretty good! I don't usually read blogs but I guess I'll subscribe lol.
ReplyDeleteHello Everyone !
DeleteUSA SSN Leads/Fullz available, along with Driving License/ID Number with good connectivity.
All SSN's are Tested & Verified.
**DETAILS IN LEADS/FULLZ**
->FULL NAME
->SSN
->DATE OF BIRTH
->DRIVING LICENSE NUMBER
->ADDRESS WITH ZIP
->PHONE NUMBER, EMAIL
->EMPLOYEE DETAILS
*Price for SSN lead $2
*You can ask for sample before any deal
*If you buy in bulk, will give you discount
*Sampling is just for serious buyers
->Hope for the long term business
->You can buy for your specific states too
**Contact 24/7**
Whatsapp > +923172721122
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
Good lord.... that's pretty damned effective!
ReplyDeleteIt would be interesting to see how effective the words from twitter were by themselves, without the targeted keywords.
ReplyDeleteI agree. The idea that there's an increase in efficiency for single words over a standard random wordlist would be shown out in the differences between targeted twitter searches and random searches. I do think there are other cool things you can do with this sort of thing, such as finding word combinations that people commonly use. Coming up with the password iloveJustinBeiber2010 wouldn't really be that easy by just mangling an entire dictionary of words together, but by searching twitter for strings (I think) you could really increase your chances.
DeleteYes! I think so too, re finding commonly used word combinations. Here's an idea: Identify a subset of users that generates a decent amount of Twitter traffic, and has a strong thematic commonality. That is exactly what you did here. Harvest the content over a 6-month interval. That forms a corpus of all-English language text. Unstructured text analysis programs are common. They aren't so great for inferring complex behavioral trends. But current text analytics algorithms should be more than adequate for finding 2 or 3-word combo's as likely passwords!
DeleteAre you familiar with the Google N-gram Viewer? 2-word combo's are bi-gram's, 3 words are tri-gram's, thus "n-gram". Stray thought: Use the N-gram Viewer to find UserID-password combo's. Use a good text corpus e.g. single military service people's Twitter content.
I'm doing the same with RSS feeds, compiling Country/Topic specific Wordlists is very comfortable that way.
ReplyDeleteLanguage specific dumps of wikipedia, if sorted by wordlength, work very well too.
This was interesting. I have a really large wordlist and I was interested in what words the twitter search found that wasn't already in my wordlist that also resulted in a successful crack of another md5 hash. I got 24,197 of them from my own word list but there were eight that only came from the twitter search terms used in this post and most look like military terms or military slang. Thanks for the interesting diversion.
ReplyDeleteThat is exactly it Joel, thanks for the comment. This is definitely not the way to generate your main wordlists, but it really does turn up great words (or word combinations) that you won't find in a normal wordlist, and that is current and relevant. Its that jargon, slang, etc that help with those more hard to reach passwords.
ReplyDeleteIt might be even more productive at getting industry specific words by adding a bit of recursion. Do your first search and then search again with any words found that are not already in your master wordlist. That way terms you thought of can lead you to jargon or slang that you are not familiar with personally but are to a person in the industry or group.
ReplyDeleteYes, it does work quite well recursively. I was doing a bit of that already, but I figured I'd keep it simple for this post and let others build on it. Nice thinking. ;)
DeleteThis comment has been removed by the author.
ReplyDeleteHello guys,
ReplyDeleteI was wondering if there was any way to make a wordlist using twittter usernames only? I think that could be more than helpful to find passwords made of name+numbers or noun+numbers.
Indeed, I noticed that of all the WPA passphrases that I've managed to crack thanks to gigantic dictionaries, a vast majority of those passwords were actually used as twitter usernames. ex: xavier1401, popolopopopopo etc.
Any ideas?
Cheers
That's a great idea, and I'm sure there's a way. There are lists of facebook usernames floating around that make good password cracking dictionaries as well.
DeleteJoshua
ReplyDeleteQuick one as I am trying to understand this and I am a bit of a rookie. Where did you get the militarysingles hashes from?
The hashes were released publicly by a hacker group claiming to be Lulzsec. When hashes are released publicly (like the linkedin ones this week) you can usually find them by googling around a bit. Get em while they're hot, sometimes they become hard to find later.
DeleteThis comment has been removed by a blog administrator.
ReplyDeleteOK so you used twitter and john the ripper to create a unique password list. Clever, I get it, but where does the Militarysingles.com password hash come into play?
ReplyDeleteThe point of using twitter rather than a standard huge dictionary is to be more targeted. Gotta have a target picked out to be targeted. :)
DeleteHence the military and dating related keywords I searched for....
Well...I suggest replace wget with curl. When do that you can make it in one line for exaple as alias and then you don't have a tempfile.
ReplyDelete"And I know I can do this cleaner... I'm in a get it done quick mood."
DeleteJust wondering, how could you modify this to grab words from a specific twitter log....or even a different website such as facebook, google+ or wikipedia
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteGreat Stuff Joshua
ReplyDeleteMay I suggest to grab your 1400 words, run a calc_stat and then do a --markov220:0:0:12 --stdout > myfile.txt
I had surprisingly good results with the Markov chains.
I've copied this exactly and I get a "no such file or directory" error when I try to run the script? Neat idea btw!
ReplyDeletehis is my first time i visit here. I found so many entertaining stuff in your blog, especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the leisure here! Keep up the excellent work. Buy twitter followers
ReplyDeleteYour blog is nice keep posting very informative post. Buy Youtube Views
ReplyDeletewow no wonder best engineer are creators of big websites like social media, twitter, people should start sharing on how to create one, you should try this social media boost
ReplyDeleteI cannot thank you enough for the blog post.Really looking forward to read more. Awesome.
ReplyDeletehow can i get Buy keek Free Trial on keek and get followers on keek fast and free
Thank you very much for your kindness and efforts to helping us in many ways. More powers to you.
ReplyDeleteBuy Vine Trial
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
ReplyDeleteLook into my web page :
- Buy Instagram Likespread || Buy keek Package
Now that Twitter has switched their search over to a new system that requires authentication, what do you think would be the easiest method of building this kind of list?
ReplyDeletetwofi.rb:131:in `+': can't convert nil into Array (TypeError)
Deletefrom twofi.rb:131:in `block in '
from twofi.rb:129:in `each'
from twofi.rb:129:in `'
This is a fantastic website and I can not recommend you guys enough. I really appreciate your post. It is very helpful for all the people on the web.
ReplyDeletehello blogger,i really appreciate your highly thought about this matter through your post.Obviously your post is very informative.If you update your Social account, please visit buy facebook likes For facebook Service.
ReplyDeleteGreetings dear,many many thanks for sharing such wonderful information with us.I am eagerly waiting for your next post.Kindly please visit buy real facebook likes site for social information.
ReplyDeleteI must admit I have popped in a read a good number of your blogs but I have no idea how to post a response over there, so I'll tell you now how good you are at describing the stuff your at - I must admit I find it insightful to read your blogging. Keep up the good work. If you want to know more about a sites, please visit our website buy instagram followers
ReplyDeleteI personally like this blog very much and suggest you best paraphrasing website which is perfect and provide authentic information.
ReplyDeleteJharkhand Labour Department Recruitment 2016
ReplyDeleteVery good information, keep sharing this type of posts....
Collections from the design labels such as pas cher trx and other beauty are released after every six months.
ReplyDeleteWith every new launch, a new penny skateboards cheap online technology is developed.
This had led to making TRX For Sale remain competitive in the International market.
The entire pas cher trx packaging process is paid into detail to enhance the collections quality and appearance.
Now everyone can own high-end designer trx france.
TRX Suspension Training Sale being one of the largest and most prominent fashion company in the world, it has an obligation of beating the standards set by others.
The fashion world, with a higher concentration on Discount TRX Sale, needs to provide the best packaging services that the modern world has ever seen.
TRX Suspension Training On Sale plays a major role in creating a brand name that fashion lovers want to identify with.
One can increase their integrity by buy real Facebook post likes. There are three main marketing techniques which are used for this work. The first is the use of keywords. When keywords are searched for regarding a particular topic, the page is going to appear in the top three results and people would be attracted to the page. The second technique is of the use of hashtags which is very popular nowadays to get fans by this interesting way by describing feeling about the page. Henceforth, people would be attracted and would visit the page. Third technique is using one’s interest. People tending to have similar interests in the content of page would definitely be attracted to your page. The page would come into sight on their timeline and they will see it. Before buying likes, one must be certain to have a strong profile image and an amazing cover which totally describes the page.
ReplyDeleteWhat about Ready Password list ?
ReplyDeletePassword Dictionary
PC amusements as blessings are an awesome thought particularly for children who loves to draw, to compose verse. clash royale cheats
ReplyDeleteThese are diversions that can help kids expand their hand and eye coordination and showing kids through intuitive lessons. square quick online
ReplyDeleteSome PC amusements that are fitting for more established children are the pretending diversions. yandere simulator download
ReplyDeleteImpressive web site, Distinguished feedback that I can tackle. Im moving forward and may apply to my current job as a pet sitter, which is very enjoyable, but I need to additional expand. Regards.
ReplyDeleteclash royale free gems
amazing post so thanks for this.
ReplyDeleteInternet explorer support
thanks
ReplyDeleteI recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often. make a website
ReplyDeleteThis is Very very nice article. Everyone should read. Thanks for sharing. Don't miss WORLD'S BEST BikeRacingGame
ReplyDeleteAre you facing Microsoft Product and services related problems and you want to solve it permanently, than call Microsoft Helpline Number +1-844-229-3909 and get instant support
ReplyDeleteMicrosoft Helpline Number
Microsoft Office Support Number
Microsoft technical Support Number
Microsoft Outlook Support Number
Website - https://www.800-supportissue.com/
Toll-free Number - +1-844-229-3909
Email id - 800suportissue@gmail.com
Hyperbaric Oxygen Therapy (HBOT) is commonly used for overall health and wellness including anti-ageing and beauty, sports endurance and recovery, improving energy levels and in the treatment and management of chronic conditions and disease."
ReplyDeleteAcupuncture in London
|London Acupuncture Therapy
|Colonic Irrigation London
|Colon Hydrotherapy
|Hyperbaric Oxygen Therapy London
|Hypnotherapy
Nice article. It's very helpful to me. Thank you. Please check my secure password.
ReplyDeleteHello Everyone !
ReplyDeleteUSA SSN Leads/Fullz available, along with Driving License/ID Number with good connectivity.
All SSN's are Tested & Verified.
**DETAILS IN LEADS/FULLZ**
->FULL NAME
->SSN
->DATE OF BIRTH
->DRIVING LICENSE NUMBER
->ADDRESS WITH ZIP
->PHONE NUMBER, EMAIL
->EMPLOYEE DETAILS
*Price for SSN lead $2
*You can ask for sample before any deal
*If you buy in bulk, will give you discount
*Sampling is just for serious buyers
->Hope for the long term business
->You can buy for your specific states too
**Contact 24/7**
Whatsapp > +923172721122
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
Interpages
ReplyDeleteGuest Blogger
Guest Blogging Site
Guest Blogging Website
Guest Posting Site
There’s definately a lot to know about this issue. I really like all the points you made. I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it. Feel free to visit my website; 토토사이트
ReplyDeleteThis post truly made my day. You can not imagine just how much time I had spent for this info!Thanks! Feel free to visit my website; 배트맨토토
ReplyDeleteI was very pleased to find this site. I wanted to thank you for this great read!! I definitely enjoy every little bit of it and I have you bookmarked to check out new stuff you post. 한국야동
ReplyDeleteit’s really a nice and useful piece of information. I’m happy that you simply shared this helpful information with us. Please keep us informed like this. Thank you for sharing. 야설
ReplyDeleteI’m more than happy to discover this great site. I need to to thank you for ones time for this wonderful read!! I definitely enjoyed every part of it 야동
ReplyDeleteIt’s really a cool and useful piece of info. I’m glad that you shared this useful info with us. Please keep us informed like this. Thanks for sharing. 국산야동
ReplyDeleteAfter looking through a few blog articles on your website,
ReplyDeletewe sincerely appreciate the way you blogged.
We've added it to our list of bookmarked web pages and will be checking back in the near
future. Please also visit my website and tell us what you think.
Great work with hard work you have done I appreciate your work thanks for sharing it.
Text Edit Plus Crack
This is a great post. I like this topic.This site has lots of advantage.I found many interesting things from this site. It helps me in many ways.Thanks for posting this again.
ReplyDeleteBiotech Internships | internships for cse students | web designing course in chennai | it internships | electrical engineering internships | internship for bcom students | python training in chennai | web development internship | internship for bba students | internship for 1st year engineering students
Everything is very open with a really clear explanation of the challenges. It was really informative. Your website is very useful. Many thanks for sharing!
ReplyDelete토토
온라인경마
I like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot. I hope to have many more entries or so from you.
ReplyDeleteVery interesting blog.
softwarezpro.info
Hide All IP Crack
Wow, amazing block structure! How long
ReplyDeleteHave you written a blog before? Working on a blog seems easy.
The overview of your website is pretty good, not to mention what it does.
In the content!
vstkey.com
PUSH Video Wallpaper Crack
FL Studio Crack
LD Player Crack
Enscape 3D Crack
IDM Crack
PhpStorm Crack
Redshift Render Crack
Wow, amazing block structure! How long
ReplyDeleteHave you written a blog before? Working on a blog seems easy.
The overview of your website is pretty good, not to mention what it does.
In the content!
vstkey.com
Drip Fx VST Crack
Traditional bookstores have always existed on high streets, but in the digital age, the internet is proving to become a serious competitor to traditional brick and mortar stores. This article examines both sides of the coin and provides an appropriate insight into the phenomenon of shopping of books online. 메이저사이트추천
ReplyDeleteThis is really interesting, you are such a great blogger. Visit media foster for creative and professional website design and Digital Marketing Company in Mohali and Also get Digital Marketing Course in Mohali
ReplyDeleteTOP IT Company in Mohali
best SEO Company in Mohali
7 Habits Of Highly Effective Hackers: Using Twitter To Build Password Cracking Wordlist >>>>> Download Now
ReplyDelete>>>>> Download Full
7 Habits Of Highly Effective Hackers: Using Twitter To Build Password Cracking Wordlist >>>>> Download LINK
>>>>> Download Now
7 Habits Of Highly Effective Hackers: Using Twitter To Build Password Cracking Wordlist >>>>> Download Full
>>>>> Download LINK 1M
We provide very affordable packages on car services in Chandigarh.
ReplyDeleteluxury car rental in Chandigarh
luxury wedding cars in Chandigarh
It is a good site post without fail. Not too many people would actually, the way you just did. I am impressed that there is so much information about this subject that has been uncovered and you’ve defeated yourself this time, with so much quality. Good Works! Its a great pleasure reading your post.Its full of information I am looking for and I love to post a comment that "The content of your post is awesome" Great work. 먹튀검증커뮤니티
ReplyDeleteIts such as you learn my thoughts! You seem to grasp a lot about this, such as you wrote the book in it or something. I believe that you can do with a few percent to power the message house a bit, but other than that, that is excellent blog. A great read. I will certainly be back. Howdy! Would you mind if I share your blog with my facebook group? There’s a lot of people that I think would really appreciate your content. Please let me know. Thanks Great post. I was checking continuously this blog and I am impressed! Very helpful info specifically the last part 🙂 I care for such information a lot. I was seeking this particular info for a long time. Thank you and best of luck. 먹튀사이트
ReplyDeleteThis is usually a area primarily at risk from mud and additionally damage -- relates to your 은평구출장샵
ReplyDelete서대문구출장샵
마포구출장샵
양천구출장샵
강서구출장샵
금천구출장샵
영등포구출장샵ex inside footwear, which can be regularly dull and also whet, specifically for the period of icy weather so they might deliver those to get a for an extended time!
Such great and nice information about software.
ReplyDeleteThis site gonna help me a lot in finding and using a lot of software.
Kindly make this like content and update us. Thanks for sharing us Sublime Text Crack.
Kindly click on here and visit our website and read more.
광산구출장샵
유성구출장샵
대덕구출장샵
진해구출장샵
마산회원구출장샵
It's a great post. I will check this blog continuously. I hope you have a good day today.먹튀신고
ReplyDeleteExcellent blog.
ReplyDeleteThis website offers
see website
Thanks for sharing the valuable information!
ReplyDelete.
If you are looking to boost your online sales and increase website traffic, then look no further than Boffin Coders, the best SEO company in Mohali! Our team of experts will work tirelessly to optimise your website for maximum visibility and engagement, driving up sales and growing your customer base!
search engine optimization services in mohali