So recently there has been lots of news about the linkedin password hashes being leaked which was finally confirmed on the linkedin blog.

Many of the hashes first 5 chars are obfuscated with zeros so it’s understood these are the passwords already cracked, presumably the simple ones?

1. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact.
Evidence for this is that the SHA1 hash of ‘password’ does not appear in the list, but the same hash with the first five characters set to 0 is.
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present
Same story for ‘secret’:
e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 is not present
00000a1ba31ecd1ae84f75caaa474f3a663f05f4 is present
And for ‘linkedin’:
7728240c80b6bfd450849405e8500d6d207783b6 is not present
0000040c80b6bfd450849405e8500d6d207783b6 is present

A bit of googling points to the SHA1.txt here contianing unique hashes so we’ll not be able to run pipal against the list.

First thing to do once you have the list is remove the lines starting with 00000 as they’re the obfuscated hashes.

1
grep -v '00000' SHA1.txt > SHA1_crackable.txt

Then fire off hashcat against the list. the first thing i tried was throwing a few simple dictionary at it but as the simple passwords have already been cracked I don’t think we’ll do too well.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
phillips321@KubuntuDesktop:$ ./oclHashcat-plus64.bin -m 100 /home/phillips321/SHA1_crackable.txt /home/phillips321/all -r rules/best64.rule -o /home/phillips321/SHA1_crackable_wordlist.txt
oclHashcat-plus v0.08 by atom starting...
Hashes: 2621881
Unique digests: 2621881
Bitmaps: 21 bits, 1048576 entries, 0x000fffff mask, 4194304 bytes
Rules: 78
GPU-Loops: 64
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0100_a0.Cayman.64.kernel (1064060 bytes)
Scanning dictionary /home/phillips321/all: 473506574 bytes (49.32%), 44230618 words, 3449988204 keyScanned dictionary /home/phillips321/all: 960087678 bytes, 79922599 words, 6233962722 keyspace, starting attack...
[s]tatus [p]ause [r]esume [q]uit =>                    
Status.......: Exhausted
Rules.Type...: File (rules/best64.rule)
Input.Mode...: File (/home/phillips321/all)
Hash.Target..: File (//home/phillips321/SHA1_crackable.txt)
Hash.Type....: SHA1
Time.Running.: 32 secs
Time.Left....: 0 secs
Time.Util....: 32667.7ms/7391.7ms Real/CPU, 29.2% idle
Speed........:   162.7M c/s Real, 32978.7k c/s GPU
Recovered....: 12791/2621881 Digests, 0/1 Salts
Progress.....: 6233962722/6233962722 (100.00%)
Rejected.....: 919367982/6233962722 (14.75%)
HW.Monitor.#1: 42% GPU, 47c Temp
Started: Thu Jun  7 10:18:31 2012
Stopped: Thu Jun  7 10:19:08 2012
phillips321@KubuntuDesktop:$

Only 12791 recovered. That’s less than 1%!

Next option is to try some simple brute force attacks, first of all we’ll try 8 char lower case:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
phillips321@KubuntuDesktop:$ ./oclHashcat-plus64.bin -a 3 -m 100 /home/phillips321/SHA1_crackable.txt ?l?l?l?l?l?l?l?l -o /home/phillips321/linkedin_brute8lower.txt
oclHashcat-plus v0.08 by atom starting...
Hashes: 2621881
Unique digests: 2621881
Bitmaps: 21 bits, 1048576 entries, 0x000fffff mask, 4194304 bytes
GPU-Loops: 64
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0100_a3.Cayman.64.kernel (443896 bytes)
[s]tatus [p]ause [r]esume [q]uit =>
Status.......: Exhausted
Input.Mode...: Mask (?l?l?l?l?l?l?l?l)
Hash.Target..: File (/home/phillips321/SHA1_crackable.txt)
Hash.Type....: SHA1
Time.Running.: 8 mins, 54 secs
Time.Left....: 0 secs
Time.Util....: 534922.5ms/84.8ms Real/CPU, 0.0% idle
Speed........:   390.4M c/s Real,   390.5M c/s GPU
Recovered....: 19172/2621881 Digests, 0/1 Salts
Progress.....: 208827064576/208827064576 (100.00%)
Rejected.....: 0/208827064576 (0.00%)
HW.Monitor.#1: 63% GPU, 55c Temp
Started: Thu Jun  7 10:30:51 2012
Stopped: Thu Jun  7 10:39:49 2012
phillips321@KubuntuDesktop:/$

19172 cracked, that’s a little better. How about all uppercase?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
phillips321@KubuntuDesktop:/$ ./oclHashcat-plus64.bin -a 3 -m 100 /home/phillips321/SHA1_crackable.txt ?u?u?u?u?u?u?u?u -o /home/phillips321/linkedin_brute8upper.txt
oclHashcat-plus v0.08 by atom starting...
Hashes: 2621881
Unique digests: 2621881
Bitmaps: 21 bits, 1048576 entries, 0x000fffff mask, 4194304 bytes
GPU-Loops: 64
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0100_a3.Cayman.64.kernel (443896 bytes)
[s]tatus [p]ause [r]esume [q]uit =>
Status.......: Exhausted
Input.Mode...: Mask (?u?u?u?u?u?u?u?u)
Hash.Target..: File (/home/phillips321/SHA1_crackable.txt)
Hash.Type....: SHA1
Time.Running.: 6 mins, 23 secs
Time.Left....: 0 secs
Time.Util....: 383179.5ms/100.3ms Real/CPU, 0.0% idle
Speed........:   545.0M c/s Real,   560.5M c/s GPU
Recovered....: 1751/2621881 Digests, 0/1 Salts
Progress.....: 208827064576/208827064576 (100.00%)
Rejected.....: 0/208827064576 (0.00%)
HW.Monitor.#1: 80% GPU, 59c Temp
Started: Thu Jun  7 10:42:54 2012
Stopped: Thu Jun  7 10:49:19 2012
phillips321@KubuntuDesktop:/$

Only 1751 recovered, I guess UPPERCASE passwords are not as popular as lowercase ones.

Next attempt is to attempt to crack using a bit more of a sensible charset.
First character we’ll try for upper,lower,special and numeric.
Second-Seventh we’ll try for lower
Eighth we’ll try for special

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
phillips321@KubuntuDesktop:/$ ./oclHashcat-plus64.bin -a 3 -m 100 /home/phillips321/SHA1_crackable.txt -1 ?l?u?s?d -o /home/phillips321/linkedin_brute8.txt ?1?l?l?l?l?l?l?s
oclHashcat-plus v0.08 by atom starting...
Hashes: 2621881
Unique digests: 2621881
Bitmaps: 21 bits, 1048576 entries, 0x000fffff mask, 4194304 bytes
GPU-Loops: 64
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0100_a3.Cayman.64.kernel (443896 bytes)
[s]tatus [p]ause [r]esume [q]uit =>
Status.......: Exhausted
Input.Mode...: Mask (?1?l?l?l?l?l?l?s)
Hash.Target..: File (/home/phillips321/SHA1_crackable.txt)
Hash.Type....: SHA1
Time.Running.: 28 mins, 8 secs
Time.Left....: 0 secs
Time.Util....: 1688242.2ms/131.7ms Real/CPU, 0.0% idle
Speed........:   573.6M c/s Real,   587.0M c/s GPU
Recovered....: 1569/2621881 Digests, 0/1 Salts
Progress.....: 968450957760/968450957760 (100.00%)
Rejected.....: 0/968450957760 (0.00%)
HW.Monitor.#1: 92% GPU, 62c Temp
Started: Thu Jun  7 11:18:41 2012
Stopped: Thu Jun  7 11:46:52 2012
phillips321@KubuntuDesktop:/$

Only 1569 cracked, we’ll try the same again but end with a digit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
phillips321@KubuntuDesktop:/$ ./oclHashcat-plus64.bin -a 3 -m 100 /home/phillips321/SHA1_crackable.txt -1 ?l?u?s?d -o /home/phillips321/linkedin_brute8_2_.txt ?1?l?l?l?l?l?l?d
oclHashcat-plus v0.08 by atom starting...
Hashes: 2621881
Unique digests: 2621881
Bitmaps: 21 bits, 1048576 entries, 0x000fffff mask, 4194304 bytes
GPU-Loops: 64
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0100_a3.Cayman.64.kernel (443896 bytes)
[s]tatus [p]ause [r]esume [q]uit =>
Status.......: Exhausted
Input.Mode...: Mask (?1?l?l?l?l?l?l?d)
Hash.Target..: File (/home/phillips321/SHA1_crackable.txt)
Hash.Type....: SHA1
Time.Running.: 11 mins, 51 secs
Time.Left....: 0 secs
Time.Util....: 711484.6ms/38.0ms Real/CPU, 0.0% idle
Speed........:   412.5M c/s Real,   403.5M c/s GPU
Recovered....: 25443/2621881 Digests, 0/1 Salts
Progress.....: 293469987200/293469987200 (100.00%)
Rejected.....: 0/293469987200 (0.00%)
HW.Monitor.#1: 75% GPU, 57c Temp
Started: Thu Jun  7 11:59:02 2012
Stopped: Thu Jun  7 12:10:56 2012
phillips321@KubuntuDesktop:/$

25443 passwords cracked using this bruteforce charset.

So in total we have the following cracked passwords:

  • 12791 from wordlist
  • 19172 from lowercase
  • 1751 from uppercase
  • 1569 from ?l?u?d?s first char and ?s last char
  • 25443 from ?l?u?d?s first char and ?d last char

Combined that is 59895 cracked hashes (just over 2%)

1
2
phillips321@KubuntuDesktop:~$ cat linkedin_* | sort -u | wc -l
59895

Lets just hope the full, un-obfuscated, hashes are released at some point.

4 Responses to linkedin SHA1 password cracking on GPU

  • Erethon says:

    Long time reader, as always nice write up!

    I know this is an old post, but I just noticed this “typo”. You use “grep -v ‘00000’” which will exclude all lines containing the “00000” string. As you mention we only want to remove lines starting with “00000”, so you should use “grep -v ‘^00000′”.

    Keep up the good work.

  • chimera says:

    thanks once more YES you are right It has helped me I must have missed this I am a happy man now 😉

  • chimera says:

    Thanks a lot phillips321 for such a good writeup I would kindly request that you guide me on where can I learn about oclHashcat+ rules I don’t seem to get a good guide or documentation for example the -r option I don’t know when,how and why to use it thanks in advance

Leave a Reply