Purple Rain Attack

There comes a time in every pentest that you just simply run out of password cracking attacks to try, and you find yourself completely stumped. You've consulted your notes, performed analysis of the password policy and current cracked results, and have read your Hash Crack manual cover to cover with still no results. It's time to begin the experimentation phase and there is no better place to start than "random" password generation. One of the biggest problems is your own internal bias and constrained thinking based on past successes, but having a routine in your back pocket to break that mold might just save you face on your next engagement. This is where the Purple Rain attack comes to the rescue to assist you in breaking that mold. An additional benefit of this attack is it can run essentially autonomous for a near infinite amount of time, really only limited by the dictionary you supply. This is a perfect go-to attack if you have no time to run through the gauntlet of cracking techniques and would appreciate a "fire-and-forget" solution for the set of hashes pulled from your next pentest engagement.

What's the Purple Rain attack going to do for you? It's gonna give you password patterns and rule sets that you'd NEVER come up with on your own. It is very useful at chaining together usable patterns and passwords, and when left on it's own, supplied with a simple dictionary, could easily crack 75% of the LinkedIn dataset in 24hrs. Are ALL the patterns and passwords going to be useful? No. Are you going to run this attack many times and NOT crack the critical hashes you need? Yes. BUT one day, at some point, this attack will run and these magical cracked hashes will start slowly trickling down from the password gods filling your terminal. Then you will look back at this article and appreciate this attack's genius and the people behind the tools that allow this cracking method to happen.

Why call it Purple Rain? It's a play on words since we will be using the PRINCEprocessor Hashcat utility and the artist Prince's number #1 hit track. This write up will assume you are attacking fast hashes like NTLM and that you have tried everything up to 7 characters (so we tell PRINCE only generate 8 char candidates --pw-min=8). Lastly, you will need a cracking rig setup worthy of music royalty, so go check out the Budget Cracking Rig or the recently released Portable Cracking Rig instructions to build your own. Also follow us on Twitter @netmux.

Want to have passwords that can survive the Purple Rain attack? Go take a look at the One-Time Grid: Random Password Book for random password generation, creation, and storage. You can't hack my password manager if they are stored offline.

Hashcat

PRINCEprocessor Hashcat Utility

List of Possible Dictionaries

Purple Rain Attack Command:

shuf dict.txt | pp64.bin --pw-min=8 | hashcat -a 0 -m #type -w 4 -O hashes.txt -g 300000

There are two excellent writeups when it comes to the PRINCE (PRobability INfinite Chained Elements) attack and random rules generation that were the inspiration for Purple Rain. I highly recommend you check out Matt Weir's post about the PRINCE processor and its function <HERE>. I also highly recommend you check out @evilmog's writeup on "raking" (random password candidate generation) techniques and setting up your own environment to harvest results using random rule generation in hashcat <HERE>. The quick synopsis is PRINCE, based on an input wordlist, will generate chains of the input words by combining them randomly (read more <HERE>). Coupled with Hashcat's random rules generation option "-g" you can enhance PRINCE's password candidate generation output.

So there are two ways you can go about selecting an input dictionary for your Purple Rain attack: Targeted wordlist or General Purpose wordlist. If you've created a custom dictionary based on your target then you can start with a "Targeted" dictionary. If you havent, you can move on to using a good "General Purpose" dictionary like rockyou.txt dataset. I would just discourage using a very large dictionary when using PRINCE, i.e. +500 MB in size. You could also go as short as the top 10 million passwords list. For your dictionary needs check out weakpass.com's excellent resources. Lastly, throw a shuffle command "shuf" to your dictionary before piping it into the PRINCEprocessor. This shuffle will ensure each time you start a Purple Rain attack the PRINCEprocessor will not run the same chained word creations. To see what I am talking about just try the following commands multiple times and compare the output:

pp64.bin --pw-min=8 < dict.txt | head -20

shuf dict.txt | pp64.bin --pw-min=8 | head -20

When selecting rule's I suggest first starting with Hashcat's included dive.rule. This will at least combine known password variations and mutations with PRINCEprocessor's randomly generated password candidates, and since the dive.rule is sorted in probability order you might get lucky early. Next I would move onto Hashcat's random rule generation option using a minimum of 50,000 random rules working your way up to as much as 1,000,000 rules. If you don't want to mess with incrementing the number of random rules I would suggest using 300,000 each time, which would look like '-g 300000' on the command line. Be aware, the larger the random ruleset you attempt to generate, the longer it will take Hashcat to startup since Hashcat is on-the-fly generating these rules each time. As a side note, the PRINCEprocessor also comes with it's own ruleset prince_generated and prince_optimized so it wouldn't hurt to give them a go as well.

Let's talk through the complete Purple Rain attack command structure:

shuf dict.txt | pp64.bin --pw-min=8 | hashcat -a 0 -m #type -w 4 -O hashes.txt -g 300000

shuf : shuffle our dictionary before piping into PRINCEprocessor

dict.txt : Targeted or General Purpose dictionary of your choosing

pp64.bin : PRINCEprocessor utility from Hashcat

--pw-min=8 : tells PRINCE to generate minimum length of 8+ character passwords

hashcat -a 0 : starts Hashcat in Straight mode in order to take stdin input

-m #type : specify hash mode number, for instance -m 1000 is NTLM

-w 4 : tells Hashcat to use highest workload setting

hashes.txt : your file containing hashes to crack

-g 300000 : tells Hashcat to generate 300,000 random rules

*I suggest limiting runtimes to 1hr - 24hrs before restarting the same attack.

**Collect successful random rules --debug-mode=1 --debug-file=success_purplerain.rules

ADVANCED COMMAND SYNTAX

Do you also want to pick your dictionary at random? Then point at your dict/ directory:

ls dict/ | sort -R | shuf 'dict/' `tail -1` | pp64.bin --pw-min=8 | hashcat -a 0 -m #type -w 4 -O hashes.txt -g 300000

*FYI those are backticks around tail -1 command

How about wanting to shuffle in multiple dictionaries to add diversity?

cat dict1.txt dict2.txt | shuf | pp64.bin --pw-min=8 | hashcat -a 0 -m #type -w 4 -O hashes.txt -g 300000

ADVANCED TWEAKING OPTIONS

PRINCEprocessor:

--elem-cnt-min & --elem-cnt-max : allows for increasing the number of chained words/elements from the input dictionary.

Hashcat Random Rules Generation:

--generate-rules-func-min & --generate-rules-func-max : allows for increasing or decreasing the number of rule functions per generated rule.

Here are some easy steps to get a simple Purple Rain attack test up and running.

First let's shuffle and take the first 30,000 passwords from the rockyou dictionary:

shuf rockyou.txt | head -30000 > test_rockyou.txt

Then we will md5 the test_rockyou.txt into file (this will take time):

while read line; do echo -n $line | md5sum; done < test_rockyou.txt | awk -F " " '{print$1}' > hashes.txt

Next we will create a small dictionary to run against our new test hashes:

hashcat -a 3 -i ?a?a?a --stdout >> test_dict.txt

Also we will grab the google top 20,000 english words dictionary from <HERE> and add it:

cat google-20k.txt >> test_dict.txt

Ok now let the Purple Rain attack run for 1hr with the dive.rule first:

shuf test_dict.txt | pp64.bin | hashcat -a 0 -m 0 -w 4 -O hashes.txt -r dive.rule

Pretty impressive as you watch it run you can see the candidates its generating in Hashcat.

Now we will let a Purple Rain attack run with 200,000 randomly generated rules for 8hrs:

shuf test_dict.txt | pp64.bin | hashcat -a 0 -m 0 -w 4 -O hashes.txt -g 200000

Hopefully after this 8hr run you will get a true appreciation for how much this attack is self-feeding and continues to churn along. You will begin to see in this run how wild some of the password candidates this attack generates. Remember, non-deterministic output is your friend!

Hopefully you have found this useful and store this nifty attack away in your notes. This attack also works really well for novice password crackers in that you can fire it up and let it run unattended and still achieve great results. Also you can find more attacks like this and useful resources inside the Hash Crack: Password Cracking Manual v3. Remember, that when in a cracking rut, random experimentation can open your eyes to new possibilities and unforeseen patterns. Also stay tuned for an upcoming release of a new Portable Cracking Rig build which packs a punch for your next pentest engagement for just a $1,000. Cause how many people actually have money for a $15,000 8 GPU rig? Also follow us on Twitter @netmux for continued updates and posts.

Lastly, remember that all of these tools took someone's hard work to create and distribute, so when you see a DONATE button give what you can. Without the community none of this would be possible and we ALL would not benefit.