

So what can you do with 32 Million Passwords…

So I have a piece of coursework for a CS module I’m taking at Queen’s University Belfast, and one of its focal points is the recent RockYou! SQL-injection breach that released 32 million passwords onto the internet, so I thought I’d have a closer look at that list.

I ‘acquired’ the password list from your regular neighbourhood tracker, and thought I could walk through the process of getting a probability-sorted password dictionary.

(The ‘-S 2048K’ memory restriction on the ‘sort’ program is to avoid Dreamhost locking out my process for using too much memory.)

tar -xvzf UserAccount-passwords.tgz

Having a look at the head of the resultant ‘UserAccount-passwords.txt’ file shows:

$ head UserAccount-passwords.txt
password
mekster11
mekster11
mekster11
progr4sm
khas8950
emilio1
holiday2
caitlin1
purblanca

32 million entries in arbitrary order aren’t really that useful, so I sorted them first, in dictionary order (-d):

sort -d -S 2048K UserAccount-passwords.txt -o UserAccount-passwords.sorted.txt

Taking the head again gave a whole pile of blank lines, so to get rid of them use this handy sed expression:

$ sed '/^$/d' UserAccount-passwords.sorted.txt > UserAccount-passwords.sorted.unblanked.txt

So our first ten passwords are now:

$ head UserAccount-passwords.sorted.unblanked.txt
!
!!!!
!!!!!
!!!!!
!!!!!
!!!!!
!!!!!
!!!!!
!!!!!
!!!!!

Loooots of duplicates, so we’ll get rid of them:

uniq -cd UserAccount-passwords.sorted.unblanked.txt UserAccount-passwords.uniq.txt

The -d flag means that uniq only reports entries that appear at least twice (passwords that occur only once are dropped entirely), and the -c prefixes each line with a count of how often that password appears, so we get one line per password. (This reduced the list from 32,603,048 non-blank entries to 2,459,759 lines.) The first ten are now:

$ head UserAccount-passwords.uniq.txt
12 !!!!!
67 !!!!!!
3 !!!!!!!
3 !!!!!!!!
8 !!!!!!!!!!
2 !!!"""£££
2 !!!$$$
2 !!!???
2 !!!@@@
2 !!""££

Still sorted alphabetically, so sort reverse-numerically (-nr) on the leading count to get the most popular entries at the top:

sort -nr -S 2048K UserAccount-passwords.uniq.txt -o UserAccount-passwords.uniq.sorted.txt

Giving our top 20 most popular passwords (sorry guys, but this is really depressing):

$ head -20 UserAccount-passwords.uniq.sorted.txt
290729 123456
79076 12345
76789 123456789
59462 password
49952 iloveyou
33291 princess
21725 1234567
20901 rockyou
20553 12345678
16648 abc123
16227 nicole
15308 daniel
15163 babygirl
14726 monkey
14331 lovely
14103 jessica
13984 654321
13981 michael
13488 ashley
13456 qwerty
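The four steps above (sort, strip blanks, collapse duplicates with counts, rank by count) fold into a single shell function. The script below is an added example, not the post’s own commands: it runs the pipeline against a small constructed sample dump standing in for UserAccount-passwords.txt, adds a minimum-count argument (default 2, matching uniq -d), and adds a coverage check that tells a defender what share of accounts a blocklist of the top N passwords would have caught. The file names and sample contents are assumptions; the post’s -S 2048K memory cap is left out because it is specific to the author’s hosting.

```shell
#!/bin/sh
# Added example (not the post's own commands): the post's four-step pipeline
# folded into one function, plus a coverage measure for a top-N blocklist.
# File names and the sample contents below are constructed for illustration.

# rank_passwords RAW [MIN]
# Prints "count password" lines, most common first, keeping only passwords
# seen at least MIN times (default 2, which is what the post's uniq -d does).
rank_passwords() {
    raw="$1"
    min="${2:-2}"
    LC_ALL=C sort "$raw" \
      | sed '/^$/d' \
      | uniq -c \
      | awk -v m="$min" '$1 >= m' \
      | LC_ALL=C sort -k1,1nr -k2 \
      | sed 's/^ *//'
}

# coverage RAW N
# Percentage of all non-blank entries accounted for by the N most common
# passwords, i.e. how much of the user base a blocklist of size N would cover.
coverage() {
    total=$(grep -c . "$1")
    rank_passwords "$1" 1 | head -n "$2" \
      | awk -v t="$total" '{ s += $1 } END { printf "%.1f\n", 100 * s / t }'
}

# Constructed sample dump (assumption) standing in for UserAccount-passwords.txt:
# 123456 x4, password x2, three singletons and two blank lines.
sample=$(mktemp)
printf '%s\n' 123456 password '' 123456 iloveyou 123456 password 123456 qwerty '' monkey > "$sample"

echo "entries seen twice or more, most common first:"
rank_passwords "$sample"
echo "share of accounts covered by the top 2 passwords: $(coverage "$sample" 2)%"
rm -f "$sample"
```

Running it on the real dump is just `rank_passwords UserAccount-passwords.txt > UserAccount-passwords.uniq.sorted.txt`; passing 1 as the second argument keeps the singletons the post discards, which is what you want if the output is going to be a blocklist rather than a popularity table.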

There really is no hope for us…
More analysis to come when I can be bothered, and potentially some attempts at breaking into a VM with simulated user accounts.

Posted in uni.



Shared Items – 10/03/2010


Posted in Uncategorized.



Any Port in a Storm

While working on an IDS Solution for a client, I came across Untangle, and I loved it so much that I pulled out an old box and loaded it up as my office firewall.

One thing that is lacking, from my perspective (at least in the ‘free’ edition), is the firewall interface; Untangle uses an iptables-based firewall, but doesn’t replicate the usual INPUT/FORWARD/OUTPUT rulebase. I think that in 90% of use cases for Untangle this isn’t a problem, but I found it a little alien to have port forwarding hidden in the Networking config pane and the firewall configured separately.

Anyway, it’s been a few years since I cared that much about firewalls, and I came up against a few issues of simply not remembering which ports to open in which direction; Untangle’s firewall ships with a default-pass configuration, which is fairly pointless from a security stance.

To make matters more confusing, I set up Untangle in a transparent configuration so that I wouldn’t have to reconfigure my office IP addresses to a new subnet, and so avoid dealing with the port forwarding twice (external router and internal firewall).

So, with that in mind, I set up the following rule.

Allow any > any from 192.168.1.1/24 to 192.168.1.1/24

And that dealt with any internal traffic, while still logging it in the unlikely event anything local is compromised.

Anyway, the biggest issue I came across was what traffic to allow out from the internal network, so I’m leaving myself a list for next time… (lots of mail ones because I use Thunderbird)

  • DNS – port 53
  • SSH – port 22
  • FTP – port 21
  • HTTP – port 80, 8080
  • HTTPS – port 443
  • POP3 – port 110
  • IMAP – port 143
  • SMTP – port 25
  • Secure SMTP (SSMTP) – port 465
  • Secure IMAP (IMAP4-SSL) – port 585
  • IMAP4 over SSL (IMAPS) – port 993
  • Secure POP3 (SSL-POP) – port 995

So each of those rules is “Allow Internal > External:<port>”; going the other way is a bad idea!!!
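Since Untangle’s firewall is iptables underneath, the same policy can be written down as raw rules, which makes the difference between its default-pass setup and an explicit egress allow-list easy to see. The script below is an added example, not Untangle’s own configuration or anything it generates: it takes the port list above, sets the FORWARD chain to drop by default, allows replies to established connections, logs and allows internal-to-internal traffic as the any > any rule does, allows only the listed ports outbound, and logs and drops anything initiated from outside. The interface names, the 192.168.1.0/24 subnet and the choice to permit DNS over both UDP and TCP are assumptions. It prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not Untangle's configuration): an iptables FORWARD-chain
# egress allow-list equivalent to the post's "Allow Internal > External:<port>"
# rules, with a default-drop policy instead of Untangle's default-pass.
# Interface names and the internal subnet are assumptions; override via env.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Service table from the post: name, protocol, port.
# DNS is listed for both UDP and TCP (assumption); the rest are TCP only.
services() {
cat <<'EOF'
dns udp 53
dns tcp 53
ssh tcp 22
ftp tcp 21
http tcp 80
http tcp 8080
https tcp 443
pop3 tcp 110
imap tcp 143
smtp tcp 25
ssmtp tcp 465
imap4-ssl tcp 585
imaps tcp 993
ssl-pop tcp 995
EOF
}

# Emit the rule set, one iptables command per line. Print only; review it,
# then pipe into sh on the firewall to apply.
egress_rules() {
    # Default deny for forwarded traffic, then start from an empty chain.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections we already allowed.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Internal-to-internal: allow, but keep a log line (the post's any > any rule).
    echo "iptables -A FORWARD -s $LAN_NET -d $LAN_NET -j LOG --log-prefix 'lan-lan: '"
    echo "iptables -A FORWARD -s $LAN_NET -d $LAN_NET -j ACCEPT"
    # Outbound: one ACCEPT per listed service, tagged with a comment for audit.
    services | while read -r name proto port; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p $proto --dport $port -m comment --comment $name -j ACCEPT"
    done
    # Inbound new connections: log then drop ("going the other way is a bad idea").
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j LOG --log-prefix 'inbound-drop: '"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j DROP"
}

egress_rules
```

The order matters: the ESTABLISHED,RELATED rule comes first so reply traffic never has to match a per-port rule, and the inbound LOG/DROP pair at the end exists only so that the dropped attempts show up in the logs; the default policy would drop them anyway.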


Posted in Instructional.



Shared Items – 03/03/2010


Posted in Uncategorized.


(Would have been) An introduction to Google Adwords

So, I was going to do a complete walkthrough for people interested in using Google Adwords for advertising, and it’s something I was really looking forward to writing.

I would not normally have cared to do such a thing because I’m cheap, but Google sent me out a £75 voucher in January.

(As Always) there was an issue; Google’s coupons are rendered useless if you have ever accessed Adwords before (longer than 14 days ago).

Not ‘Created a Campaign’, Not ‘Filled in Billing Details’, but if you go to www.google.com/adwords and just ‘TryAdwords now’, 14 days later there is no coupon on the planet that will help you.

So, I received this coupon halfway through January 2010, which is almost exactly a month after I, naively, clicked on that ‘Access Adwords’ link.

I did nothing with it; I checked out the keyword list for this site, but didn’t actually create a campaign. Until today. (The coupon expires tomorrow.)

After getting all the way through the process, including billing information, I am presented with this;

[Screenshot: Google Adwords – “Sorry, your account is too old to be eligible to redeem this coupon”]

Oh, great, so basically, to redeem this coupon that you very kindly sent me, I need to hop in my handy DeLorean, go back two weeks before you even sent me the coupon, and give you all my billing and account details all over again.

To top it all, before you can verify a coupon you have to enter the rest of your billing details, so now I may be getting slapped with a £5 charge for ‘diddly squat’. That’s gonna be a pain to argue about…

I have no doubt that the rest of the Adwords system is fine, this just really annoyed me.


Posted in Off-Topic.



Shared Items – 24/02/2010


Posted in Uncategorized.


Shared Items – 17/02/2010


Posted in Uncategorized.


Shared Items – 10/02/2010


Posted in Uncategorized.


Shamed

I am shamed. I’ve let this blog slip in the midst of coming back to the real world of Uni.

A week without something useful going up! Terrible… *stands in corner*

Fact is I’ve been experimenting with so many different things that nothing cogent has come out of it yet.

Some of the things I’ve been working on:

  • Virtual Lab – walkthrough of setting up and playing with a virtual computer lab using VirtualBox, including Windows, Ubuntu, FreeBSD, Fedora and Debian servers/clients
  • Write-up of my automated downloading system and the scripts associated with it
  • Exploration of setting up a VPN using the WRT54G or my MyBook
  • A first-timer’s walkthrough of setting up Google Adwords campaigns

And somewhere in between all that I’ve been working and getting back to Uni…

Joy.


Posted in Commentary.




Of Penguins & Coffee is Digg proof thanks to caching by WP Super Cache