I’m running through the LinkedIn password hashes right now, so I thought I’d do a live blog of the steps I’m doing. As I do each step, I’ll update this blog live. When you reach the end, chances are good I’ll be updating it again in a few hours.
I left a bunch of stuff running overnight, and have about 50% of all the passwords cracked. To summarize what I did:
First, I did a dictionary crack of some very large dictionaries. This took seconds, and got a large number of passwords. I’ll rerun the numbers later, but it’s like a third of all the passwords.
Second, I did a brute-force up to 6 characters. It appears LinkedIn has a minimum length of 6, so you won’t find shorter passwords. This took 18 minutes. Going to 7 characters will take 3 days to complete, so I’m letting that run on a separate machine while I do shorter jobs on the main machine.
Third, I did “mutated dictionary” attacks. I used several basic dictionaries, such as the RockYou list, as well as the dictionaries that come with such tools as Cain & Abel, John-the-Ripper (JtR), and a list of Facebook names. I ran through all the mutations in the “rules” directory that comes with Hashcat. This found quite a few new passwords not found by the other techniques.
Fourth, I’m doing what Hashcat calls a “hybrid” attack that combines a dictionary either prefixed or followed by a brute-force. For example, right now, I’m running a job that does all the words in the RockYou dictionary followed by six lower-case letters/digits.
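The four stages above, as an added example that is not part of the original post and not Hashcat's own code: a miniature Python re-creation of straight dictionary, incremental brute-force mask, rule-mutated dictionary and hybrid word+mask attacks, run in that order against a constructed set of unsalted SHA-1 hashes. It assumes the hashes are unsalted SHA-1 (Hashcat mode 100); the plaintexts, wordlist and rule list are small stand-ins constructed here, not RockYou or Hashcat's rules directory, and the brute-force stage stops at four characters purely so it runs in seconds (the real six-character run over lower-case+digits is 36^6 candidates).

```python
"""Added example: the four cracking stages from the post, in miniature.
Assumptions: unsalted SHA-1 hashes (hashcat -m 100); constructed wordlist,
rules and plaintexts standing in for RockYou, the hashcat rules directory and
the real dump."""
import hashlib
import itertools
import string

# hashcat mask charsets: the built-ins plus one custom charset (-1 ?l?d).
CHARSETS = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": "!@#$%^&*",
    "?1": string.ascii_lowercase + string.digits,  # custom charset: -1 ?l?d
}


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed stand-in for the leak: nine plaintexts hashed with unsalted SHA-1.
SAMPLE_PLAINTEXTS = ["password", "linkedin", "abc123", "zz9p", "Password1",
                     "drowssap", "qwerty!", "sunshine99", "Tr0ub4dor&3"]
LEAKED = {sha1_hex(p) for p in SAMPLE_PLAINTEXTS}

WORDLIST = ["password", "linkedin", "abc123", "sunshine", "qwerty", "letmein"]
RULES = [":", "l", "u", "c", "r", "$1", "$!", "c$1", "$1$2$3"]  # hashcat rule syntax subset


def mask_candidates(mask: str):
    """Expand a hashcat mask such as '?l?d?d' or 'pa?d': '?x' is a charset, anything else a literal."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            sets.append(CHARSETS[mask[i:i + 2]])
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    for combo in itertools.product(*sets):
        yield "".join(combo)


def apply_rule(word: str, rule: str) -> str:
    """Subset of hashcat rule functions: ':' no-op, l/u/c case, r reverse, $X append, ^X prepend."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            pass
        elif op == "l":
            out = out.lower()
        elif op == "u":
            out = out.upper()
        elif op == "c":
            out = out[:1].upper() + out[1:].lower()
        elif op == "r":
            out = out[::-1]
        elif op in "$^":
            i += 1  # the next rule character is the literal to add
            out = out + rule[i] if op == "$" else rule[i] + out
        else:
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return out


# Each stage is a candidate generator; the hashcat attack mode it mirrors is in the comment.
def dictionary_attack(wordlist):                     # -a 0
    yield from wordlist


def brute_force(charset_key, min_len, max_len):      # -a 3 with --increment
    for n in range(min_len, max_len + 1):
        yield from mask_candidates(charset_key * n)


def rule_attack(wordlist, rules):                    # -a 0 -r <rules file>
    for word in wordlist:
        for rule in rules:
            yield apply_rule(word, rule)


def hybrid_attack(wordlist, mask):                   # -a 6 (word then mask); -a 7 would prepend the mask
    for word in wordlist:
        for tail in mask_candidates(mask):
            yield word + tail


def crack(candidates, targets, cracked):
    """Hash every candidate and record hits not already cracked; return the number of new hits."""
    new = 0
    for cand in candidates:
        h = sha1_hex(cand)
        if h in targets and h not in cracked:
            cracked[h] = cand
            new += 1
    return new


def run_all(targets, brute_max_len=4):
    """Run the stages in the order of the post. brute_max_len defaults to 4 only for runtime;
    the real job used 6 (36**6 candidates for ?1 repeated six times)."""
    cracked, stats = {}, {}
    stats["dictionary"] = crack(dictionary_attack(WORDLIST), targets, cracked)
    stats["brute_force"] = crack(brute_force("?1", 1, brute_max_len), targets, cracked)
    stats["rules"] = crack(rule_attack(WORDLIST, RULES), targets, cracked)
    stats["hybrid"] = crack(hybrid_attack(WORDLIST, "?d?d"), targets, cracked)
    return stats, cracked


if __name__ == "__main__":
    stats, cracked = run_all(LEAKED)
    print(stats, f"{len(cracked)}/{len(LEAKED)} cracked")
```

The per-stage counts show why the order matters: each stage only gets credit for hashes the cheaper stages missed, which is how the post's "new passwords not found by the other techniques" is measured. The one plaintext left uncracked here illustrates the limit of all four stages: a long mixed-class string that is neither in the wordlist, a short rule mutation of a wordlist entry, nor a word with a short numeric tail.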
The first jobs took little time, so I rapidly updated this blog post as I did every little thing. Since then, updates have been coming slower as the two computers spend more time crunching numbers.