Geography Based Password Lists for enhanced password cracking success.

Adversary Academy Research
2 min read, Jul 11, 2024


Recently, Adversary Academy was on an internal penetration testing engagement. Internally we typically run tools like Responder to see what kinds of hashes are available to collect, then pass those hashes to our hash cracking systems for recovery to plaintext. On this particular engagement about 200 password hashes were collected. Using common wordlists like “rockyou” and the “realunique” list, together with effective Hashcat rulesets, some initial access was gained. However, the accounts that were cracked were somewhat limited in terms of their access and privilege levels.

After having limited success with common wordlists and rulesets, I turned to building custom wordlists based on the things people like in the geographic area where our client was based.

I compiled a list of popular cities, towns, activities, hobbies, sports teams and entertainment found in the geographic area in which our client was based. With a relatively small wordlist I saw a 33% increase in the number of cracked accounts, and those additional accounts offered further access into the client environment.

Thanks for the credentials!

Given the additional access gained with the custom dictionaries, I will be incorporating these types of geography-specific dictionaries into all future on-site engagements, for the following reasons:

  • Personal Relevance: People often use words related to their personal lives, including their hometown, places they have visited, or local landmarks. Geography-specific words increase the likelihood of guessing these personal passwords.
  • Local Knowledge: If the attacker knows the victim’s location, using local words can significantly narrow down the pool of potential passwords, improving the efficiency of the attack.
  • Predictable Patterns: People tend to create passwords using patterns that are easy to remember. This might include the names of local streets, cities, or landmarks. An attacker familiar with the local geography can exploit these predictable patterns.
  • Publicly Available Information: Geographic information about an individual can often be gleaned from social media, public records, or online profiles. This data can be used to inform and refine password cracking strategies.

If any internal or external teams attempt password cracking of Kerberoastable accounts or of credentials collected through Responder, I'd suggest creating custom dictionaries in order to gain further access to your target environment.
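The pipeline described above, as an added example that is not Adversary Academy's tooling: a short Python script that takes a handful of constructed Pacific Northwest seed terms (cities, a mountain, sports teams, hobbies), expands them with a small subset of hashcat rule functions (`c`, `u`, `l`, `t`, `r`, `$X`, `^X` are real hashcat rule syntax; the interpreter here supports only those), and matches the result against a constructed set of NT hashes. The MD4 routine is a pure-Python implementation so the block runs offline. On a real engagement the hashes come from Responder (NetNTLMv2, hashcat mode 5600) or Kerberoasting (TGS-REP, mode 13100) and you would hand the generated file to hashcat with a rule file rather than use this matcher; the seed terms, rule lines and demo accounts are all constructed for the example.

```python
"""Build a geography-seeded wordlist, expand it with a few hashcat-style rules,
and check it against NT hashes. Added example; not Adversary Academy's tooling."""
import struct

M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M32


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hashes are MD4 over the UTF-16LE password."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (  # (boolean function, additive constant, X index order, shift amounts)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Compute the new value for register a, then rotate the registers.
                a, b, c, d = d, _rotl((a + fn(b, c, d) + x[idx] + k) & M32, shifts[i % 4]), b, c
        h = [(v + w) & M32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def apply_rule(word: str, rule: str) -> str:
    """Apply a subset of hashcat rule functions: ':' no-op, 'l' lower, 'u' upper,
    'c' capitalize, 't' toggle case, 'r' reverse, '$X' append X, '^X' prepend X."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == " ":
            i += 1
            continue
        if op in "$^":
            ch = rule[i + 1]
            word = word + ch if op == "$" else ch + word
            i += 2
            continue
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "t":
            word = word.swapcase()
        elif op == "r":
            word = word[::-1]
        elif op != ":":
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return word


# Constructed seed terms for a Pacific Northwest client; a real list would be far
# longer (towns, schools, employers, teams, landmarks, local slang).
SEEDS = ["seattle", "tacoma", "rainier", "seahawks", "mariners", "kraken",
         "olympia", "cascades", "hiking", "skiing"]

# Constructed rule lines of the kind found in hashcat's best64.rule and similar files.
RULES = [":", "c", "u", "c $1", "c $!", "c $1 $2 $3", "c $2 $0 $2 $3",
         "c $2 $0 $2 $4", "c $2 $0 $2 $4 $!", "u $2 $0 $2 $4", "c $1 $2 $3 $!"]


def build_wordlist(seeds, rules):
    """Apply every rule to every seed; dedupe while preserving order."""
    seen, out = set(), []
    for seed in seeds:
        for rule in rules:
            cand = apply_rule(seed, rule)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def crack(wordlist, targets):
    """Match candidates against NT hashes (hashcat -m 1000 does the same job on a GPU)."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in targets.items() if h in lookup}


# Constructed demo dump. In practice NetNTLMv2 (-m 5600) and TGS-REP (-m 13100)
# hashes are tried from the same candidate list; hashcat derives the NT hash of
# each candidate and applies the protocol-specific steps on top of it.
DEMO_TARGETS = {
    "jdoe": nt_hash("Seahawks2024!"),
    "asmith": nt_hash("Rainier123"),
    "svc_backup": nt_hash("Winter2019"),  # not geo-derived; stays uncracked here
}

if __name__ == "__main__":
    words = build_wordlist(SEEDS, RULES)
    with open("geo.txt", "w") as fh:
        fh.write("\n".join(words) + "\n")
    print(f"{len(words)} candidates written to geo.txt")
    print("cracked:", crack(words, DEMO_TARGETS))
    print("next: hashcat -m 5600 responder.txt geo.txt -r rules/best64.rule")
```

The rule interpreter is intentionally tiny and exists only to show what a rule line does to a seed word; on an engagement keep the seed file short and let hashcat apply a full rule file (`-r rules/best64.rule` or your own) so the mangling runs on the GPU rather than in Python.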
