When Brute Force Doesn’t Work … Try Hobbies!

When it comes down to it, I’m a C programmer who defaults to Linux commands. I use Windows, but deep down, I only want the Linux command line. And so the heroes of our industry include the mighty Dennis Ritchie, Ken Thompson, Brian W. Kernighan, Steve Bourne and Bill Joy. I learned C from the Kernighan and Ritchie book.

My first book was ‘C for Electronic Engineers’, and C was the subject that I taught at the time.

And it was at Bell Labs in the 1970s that the Unix operating system was created by Ken Thompson and Dennis Ritchie.

In 2014, Leah Neukirchen discovered an ‘/etc/passwd’ file in a BSD 3 (3BSD) source tree dump, and set about trying to crack the hashes in it.

The hashes were produced by the original Unix crypt(3), which runs 25 iterations of a salt-modified DES over the password. Only the first eight characters count, at 7 bits each, so the key space is 2^56 candidates; that, combined with a slow hash, means an exhaustive search takes over two years even with a GPU at the rate quoted later in this post. For comparison, one benchmark ranks hashing methods by hashes per second, and DES sits near the bottom [here]:

Ultra fast (hashes per second):
Murmur: 545,716
Fast:
SHA-1: 134,412
SHA-256: 126,323
MD5: 125,741
SHA-512: 76,005
SHA-3 (224-bit): 72,089
Medium speed:
LDAP (SHA1): 13,718
MS DCC: 9,582
NT Hash: 7,782
MySQL: 7,724
Postgres (MD5): 7,284
Slow:
PBKDF2 (SHA-256): 5,026
Cisco PIX: 4,402
MS SQL 2000: 4,225
LDAP (MD5): 4,180
Cisco Type 7: 3,775
PBKDF2 (SHA1): 2,348
Ultra slow:
LM Hash: 733
APR1: 234
Bcrypt: 103
DES: 88
Oracle 10: 48

Most of the passwords in the dump were easy to crack with John the Ripper and hashcat (descrypt, hashcat mode 1500), as they were either short or contained in a standard dictionary. One of them was a whole lot more difficult: Ken Thompson’s. Since 2014, Leah had been running brute-force attacks against it, and it simply would not fall.

Finally, Leah shared the challenge on The Unix Heritage Society (TUHS) mailing list, and a reply from Nigel Williams soon came in:

From: Nigel Williams <[email protected]>
Subject: Re: [TUHS] Recovered /etc/passwd files
ken is done:
ZghOT0eRm4U9s:p/q2-q4!
took 4+ days on an AMD Radeon Vega64 running hashcat at about 930MH/s
during that time (those familiar know the hash-rate fluctuates and
slows down towards the end).

It was p/q2-q4!, a chess move in descriptive notation: the pawn on the queen’s file moves from Q2 to Q4 (d2-d4 in algebraic notation), the Queen’s Pawn opening, with an exclamation mark for a good move.

So it was guessable all along, especially given Ken’s love of chess (he built the Belle chess machine with Joe Condon).

So when brute force is slow, try some hobbies. I tip my hat to Dennis Ritchie, Ken Thompson, Brian W. Kernighan, Steve Bourne and Bill Joy, some of the most significant people behind the systems the Internet was built on.

The string “p/q2-q4!” looks high-entropy: eight characters mixing letters, digits and punctuation, roughly 52 bits if drawn uniformly from the 95 printable ASCII characters (95^8 ≈ 2^52.6), and the longest password descrypt can hold. But because it is a chess move, it comes from a tiny, structured keyspace, and a hobby-specific wordlist would have found it in no time. Oh, I love this industry!

If you’re interested, here’s my first book on C: