Password cracking - correlation of words in various languages to build wordlists [hashrunner 2013 writeup]

I initially wanted to fully involve in hashrunner, but being in the last week of a job, finishing migrations and the preparation of a local CTF, I got overwhelmed and only put like 2-3 hours on it.

I did put at first a Radeon 7970, and an i7-920 at work for uncracked md4 hashes when I could, on many rulesets and wordlists, regular, huge, compilations and that did crack some hashes.

However, I’ve mostly been involved in wordlist pattern research, translation of cracked words and wordlist creation based on these. Not the first time I did that, as demonstrated in a previous local hackerspace talk seen here.

First, I’ve been tasked to find something similar to Umlungu that is a slang word borrowed from Zulu language to racially refer to white people. However, as I learnt from a recent african travel, there are so many bantu languages and they’re very similar...could be swahili, swati, xhosa or others.. Did a small search on the word and derivated words, apartheid-related in various southern african languages, based on Google searches, Wikipedia, some african contacts and my recent african learnings. I came with a 40-50 words list, and gave it to someone to process it with mangling rules, case toggling, masks, generic combination and hybrid attacks without luck.

Later, someone cracked 2 more passwords based on the words Andriamanitra & Makaako; I wondered what language these words could be. I could see right on spot that one was in malagasy language and the other one was more obscure but after some googling, narrowed it to tagalog/cebuano (both filipino languages) and both were god-related. Did a Google search with both terms and got only...3 results and one of them had a complete list of god-related names and words in so many exotic languages. sftp came to the conclusion that keccak was mostly based on exotic words; not surprising, knowing keccak is kinda exotic by itself. More cracks came, like “Tabaldak”-based passwords, which is an Abenaki deity, Ulunguve, …

That contest taught me how to think better in order to discover more cracks in contests. However, that doesn’t necessarily apply to real passwords lists, unless they are huge and you need more contexts to crack into.

Also, weeks later, I learnt we could use Google Docs to “script” translation of various words in formulas such as stated in this link. Very interesting, yet approximate to grow exponentially your wordlists in other languages. Something even better could be to also grab the alternatives a manual translation would yield on gTranslate.