10min DIY: Crack Passwords | GAN on RockYou 🔓

Ezzeldin Tahoun
cyberdatascience.org
4 min read · Jul 5, 2022

🎯Motivation

Cyber security professionals (analysts, investigators, engineers, architects, consultants) can benefit from using simple data science models to help them spot suspicious activities. The goal of every post is to give the high-level steps needed and the commented code to perform an end-to-end data science exercise of high threat detection value.

🚪Intro

A dictionary-based password attack is undertaken with a password cracking tool (like hashcat, John the Ripper or THC Hydra) that feeds passwords from a dictionary to the system and checks whether they work. These tools can also apply password manipulation techniques through guessing rules (like concatenation and leet (1337) transformations).

Ref: https://csrc.nist.gov/glossary/term/password_cracking
Ref: https://attack.mitre.org/techniques/T1110/002/

Reminder: Make sure your passwords are not on a leaked list by checking haveibeenpwned, and use a password manager (like KeePass).

📊Dataset

Back in 2009, a company named RockYou was breached. It had stored the passwords of all 32.5M accounts (14M unique passwords) unencrypted (yes, really).

Ref: https://ieee-dataport.org/documents/rockyou

🏋️‍♂️10 min exercise

Let's quickly teach a deep learning model how humans create passwords by feeding it millions of leaked ones, and let it automatically generate human-like passwords. It has been shown that deep learning does not need domain-knowledge rules or assumptions about the Markovian structure of passwords, and can outperform other password-generation techniques. We do our exercise in 6 simple steps.

Follow along by clicking "Open in Colab" here (you will NEED a GPU):

1- 👩🏽‍🔬Data Acquisition. We get our hands on the RockYou dataset; this will take a few seconds.

PS: You can skip to step 4 by downloading the prepared train and test subsets.
If you wish: you can use the following leaked password datasets instead:
linkedin, exploit.in, hashesleaks.

2- 🕵️Data Selection. We keep only passwords with 10 characters or fewer. That's about 90% of the dataset.

3- 👩‍💻Data Processing. We randomize the order of the passwords in the data. We split the data into 80/20 train and test subsets.

4- 🥼Choosing a model. We make use of the PassGAN model and its implementation on GitHub. In their paper the authors show that this GAN consistently outperforms HashCat Best64, HashCat gen2, JTR Spiderlab rules, Markov Model, PCFG, and FLA in guessing real passwords.

If you wish: try a conditional GAN that is conditioned on some words you know are more important than others, based on social engineering toolkit or intelligence conclusions. You can also evaluate the GAN against some RNN- and Markov-based approaches, like Melicher et al. (2016).
Ref: https://arxiv.org/pdf/1709.00440.pdf
Ref: https://github.com/brannondorsey/PassGAN

5- 🚴Training the GAN. During the training procedure, the discriminator D processes passwords from the training dataset, as well as password samples produced by the generator G. Based on the feedback from D, G fine-tunes its parameters to produce password samples that are distributed similarly to the samples in the training set. (Hitaj et al., 2018)

!python PassGAN/train.py --output-dir PassGAN/output --training-data PassGAN/data/rockyou-train.txt

Figure: General GAN model diagram (Melicher et al., 2016)
Figure: PassGAN's architecture.

If you wish: hyperparameter-tune the batch size, number of iterations, ratio of discriminator iterations to generator iterations, model dimensionality, gradient penalty coefficient, output sequence length, size of the input noise vector, and the optimizer hyperparameters (Adam's learning rate and its coefficients b1 and b2).

6- 🔬Evaluating Results. Once the training procedure is complete, we use generator G to generate password guesses. We can do a qualitative analysis by eyeballing the output and judging its quality, or we can compare it head to head against other password guessing techniques numerically.

Figure: Sample of passwords generated by PassGAN that are not in the testing dataset.

After eyeballing, even the results that are not "correct" guesses (i.e. not in the test set) are of high quality and make plausible password guesses, suggesting that the GAN generalizes better than simple rules.
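Steps 2, 3 and 6 above (length filtering, shuffle and 80/20 split, then scoring guesses against the held-out split) are simple enough to write out in full. The following is an added example, not code from the post or from the PassGAN repository; it uses a constructed toy corpus in place of rockyou.txt and a constructed list in place of the generator's output, so it runs offline with no GPU. The deduplication and the separate "memorised" count are design choices of this example. The same set-membership test is what a breached-password check does on the defensive side, which the reminder in the intro points at, so that use is included too.

```python
import random
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for rockyou.txt (toy values, not real leaked data).
SAMPLE_CORPUS = [
    "123456", "password", "iloveyou", "princess", "rockyou",
    "abc123", "nicole", "daniel", "babygirl", "monkey",
    "lovely", "jessica", "654321", "michael", "ashley",
    "qwerty", "111111", "iloveu", "000000", "michelle",
    "password",                 # duplicate line, dropped by deduplication
    "thisisaverylongpassword",  # 23 chars: dropped in step 2
    "superlongpassphrase2022",  # 23 chars: dropped in step 2
]

MAX_LEN = 10  # step 2 threshold used in the post


def select_passwords(lines: Iterable[str], max_len: int = MAX_LEN) -> List[str]:
    """Step 2: keep passwords of max_len characters or fewer.

    Blank lines and exact duplicates are also dropped (first occurrence kept),
    so that one password cannot land in both the train and the test split.
    """
    seen = set()
    kept = []
    for line in lines:
        pw = line.rstrip("\r\n")
        if not pw or len(pw) > max_len or pw in seen:
            continue
        seen.add(pw)
        kept.append(pw)
    return kept


def split_train_test(passwords: List[str], train_frac: float = 0.8,
                     seed: int = 0) -> Tuple[List[str], List[str]]:
    """Step 3: shuffle with a fixed seed (reproducible), then split 80/20."""
    shuffled = list(passwords)
    random.Random(seed).shuffle(shuffled)
    cut = int(len(shuffled) * train_frac)
    return shuffled[:cut], shuffled[cut:]


def evaluate_guesses(guesses: Iterable[str], train: Iterable[str],
                     test: Iterable[str]) -> Dict[str, float]:
    """Step 6: score a batch of generated guesses against the held-out split.

    A guess counts as "correct" when it appears in the test set. Guesses that
    already sit in the training data are reported separately as memorised,
    because they show no generalisation beyond the input.
    """
    train_set, test_set = set(train), set(test)
    unique = set(guesses)
    memorised = unique & train_set
    novel = unique - train_set
    matched = novel & test_set
    return {
        "unique_guesses": len(unique),
        "memorised": len(memorised),
        "novel": len(novel),
        "matched": len(matched),
        "test_coverage": len(matched) / len(test_set) if test_set else 0.0,
    }


def is_known_leaked(candidate: str, corpus: Iterable[str]) -> bool:
    """Defensive use of the same data: flag a candidate password that appears
    verbatim in a leaked list, as a breached-password check does."""
    return candidate in set(corpus)


def run_pipeline(corpus: List[str] = SAMPLE_CORPUS) -> Dict[str, float]:
    """Run steps 2, 3 and 6 end to end on the toy corpus."""
    selected = select_passwords(corpus)
    train, test = split_train_test(selected)
    # Constructed stand-in for generator output; a real run would read the
    # sample file written by the trained model instead.
    fake_generator_output = selected[:5] + ["pa55word", "iloveyou2", "monkey"]
    return evaluate_guesses(fake_generator_output, train, test)


if __name__ == "__main__":
    print(run_pipeline())
```

Because the split is seeded, the numbers are reproducible from run to run; on a real corpus the interesting figure is `test_coverage` as a function of how many guesses the generator was asked for, which is the curve the PassGAN paper reports against the rule-based tools.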

I hope you enjoyed this short exercise and were able to get your hands dirty with some straightforward cyber data science. Don't hesitate to ask any questions, and let me know what the next DIY exercise should be.

Until next time👋

Ezzeldin Tahoun
cyberdatascience.org

“From error to error one discovers the entire truth.” -Sigmund Freud