KoreLogic Blog
PathWell Topologies 2014-04-04 20:55

As previously discussed at multiple conferences and in this blog, KoreLogic worked on the PathWell project for the DARPA Cyber Fast Track program. PathWell identifies and blocks common passwords based on common password topologies and learned user behavior.

Watch a presentation on PathWell, or download the slides here.

The PathWell software is not yet public, but people have frequently asked us to publish the list of the most popular topologies within enterprises that we compiled during that research, so that is what we are doing today. The topologies listed below are not based on public password leaks, but on sanitized, merged real data from environments that are known to enforce password complexity. If you build your own topologies from the common "RockYou" word list, yours will look different. In an enterprise environment, users are forced to follow a password policy with regard to length, character makeup, etc., and password expiration is almost always enforced as well. But, as KoreLogic has previously pointed out, these policies actually introduce vulnerabilities: by using password topologies in your cracking program, you can exploit the predictable human patterns of password creation.

These topologies can easily be plugged into a password cracking program such as HashCat or oclHashcat.

As a test, take the first 100 topologies listed below and run them against password hashes from a corporate environment. Without ever supplying a wordlist or ruleset, you might be able to crack anywhere from 60% to 90% of all user passwords, depending on your users and your specific policies, of course.

This data is based on a decade of collecting and cracking password hashes in corporate environments, on top of years of research into word selection, rule generation, etc. We also use these topologies as part of our PRS (Password Recovery Service).

Enough talk. Here are the first 100 topologies, in order of likelihood of success across a variety of different enterprise networks. This is obviously just a sample of all the topologies we have discovered over time, but it's a great start.
?u?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d?d
?u?l?l?l?d?d?d?d
?l?l?l?l?l?l?l?d
?u?l?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d
?u?l?l?l?l?l?d?d?d?d
?u?l?l?l?l?d?d?d?d
?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?d
?u?l?l?l?l?d?d?d
?u?l?l?d?d?d?d?s
?l?l?l?l?l?l?l?l
?u?l?l?l?l?l?d?d?d
?l?l?l?l?l?l?l?d?d
?l?l?s?d?d?l?d?d?l
?l?l?l?l?l?l?l?l?d
?u?l?l?l?l?l?d?d?s
?u?l?l?l?l?l?l?d?d?d?d
?u?l?l?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?d?s
?u?l?l?l?l?l?l?l?l?d
?u?l?l?l?l?l?d?d?d?d?s
?l?l?l?l?l?l?l?l?l
?l?l?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d?d?d
?l?l?l?l?l?d?d?d
?u?l?l?l?d?d?d?d?s
?u?l?l?l?l?l?l?l?d?d?d?d
?u?l?l?l?l?l?s?d?d
?u?u?u?u?u?u?d?l
?l?l?l?l?d?d?d?d
?d?d?u?l?l?l?l?l?l?l
?u?l?l?s?d?d?d?d
?u?l?l?l?l?d?d?s
?u?l?l?l?l?l?l?d?s
?d?d?u?l?l?l?l?l?l
?l?l?l?l?s?d?d?d
?l?l?l?l?l?l?l?l?l?d
?l?l?l?l?l?d?d?d?d
?l?l?l?l?l?l?l?l?l?l
?l?l?l?l?l?l?d?d?d
?u?l?l?l?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?l?l?d
?d?d?d?d?d?d?u?l
?u?l?l?l?l?l?l?l?d?d?d
?u?l?l?l?l?l?l?d?d?s
?u?u?u?u?u?u?d?s
?u?u?d?l?l?l?d?d?d?u
?u?l?l?l?l?s?d?d
?u?l?l?l?l?l?s?d
?l?l?l?s?d?d?d?d
?l?l?l?l?l?l?d?d?d?d
?u?l?l?l?l?l?l?l?d?d?s
?d?d?u?l?l?l?l?l
?u?l?l?l?l?l?l?l?d?s
?u?l?l?l?l?d?d?d?s
?u?l?l?l?l?d?d?d?d?s
?u?l?l?l?s?d?d?d?d
?u?l?l?l?l?s?d?d?d
?u?l?l?l?l?l?l?d?d?d?d?s
?u?l?l?l?d?d?d?s
?l?l?l?l?s?d?d?d?d
?l?l?l?l?l?l?s?d?d
?l?l?l?l?l?l?d?d?s
?d?d?d?d?u?l?l?l
?d?d?d?d?d?d?d?d
?u?l?l?l?l?l?l?s?d
?u?l?d?d?d?d?d?d
?l?l?l?l?l?l?s?d
?u?d?l?l?l?l?l?l?l?d
?l?l?l?l?l?l?l?l?l?l?l
?l?l?l?l?l?l?l?l?l?l?d
?l?l?l?l?l?d?d?s
?l?l?l?l?d?d?d?s
?u?l?l?l?l?l?l?l?l?d?d?d?d
?u?u?u?u?u?u?u?u
?u?l?l?l?s?d?d?d
?u?l?l?l?l?l?l?s?d?d
?u?l?l?l?l?l?d?d?d?s
?l?l?l?l?l?s?d?d
?u?l?l?l?l?s?d?d?d?d
?u?l?l?l?d?d?d?d?d
?u?l?l?d?d?d?d?d?d
?u?l?l?d?d?d?d?d
?l?l?l?l?l?l?l?l?l?d?d
?l?l?l?l?l?l?l?d?d?s
?l?l?l?l?l?l?l?d?d?d
?l?l?l?l?l?l?d?s
?l?l?l?d?d?d?d?s
?u?u?u?l?l?l?d?d?d?d
?u?l?l?l?l?l?s?d?d?d
?u?l?l?l?l?l?l?l?s?d
?l?l?l?l?l?l?l?l?s?d
?l?l?l?l?l?l?l?d?d?d?d
?u?l?l?l?l?l?s?d?d?d?d
?l?l?l?l?l?l?l?d?s
?l?l?l?l?d?d?d?d?s
?d?d?d?d?u?l?l?l?l
?u?u?d?l?l?l?d?d?d?d
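The notation above is hashcat mask syntax: ?u, ?l, ?d and ?s stand for one uppercase letter, lowercase letter, digit or special character respectively. The following Python is an added example, not PathWell's code and not KoreLogic's; it shows the two things a defender wants from this list: how to compute the topology of a candidate password so a policy check can reject the common ones (the PathWell idea), and how small each mask's keyspace is compared with blind brute force of the same length. The ?s set is assumed to match hashcat's built-in special charset (32 ASCII punctuation characters plus space); the block list, sample passwords and function names are constructed for the example.

```python
import string
from math import prod

# Character classes in hashcat mask notation. The ?s set is assumed to match
# hashcat's built-in special charset: 32 ASCII punctuation characters plus space.
CHARSETS = {
    "?u": string.ascii_uppercase,
    "?l": string.ascii_lowercase,
    "?d": string.digits,
    "?s": string.punctuation + " ",
}

# Constructed sample block list: a handful of the topologies from the list above.
# A real deployment would load the full published list or its own learned set.
COMMON_TOPOLOGIES = {
    "?u?l?l?l?l?l?d?d",        # e.g. Summer14
    "?u?l?l?l?l?l?l?d?d",
    "?u?l?l?l?d?d?d?d",
    "?l?l?l?l?l?l?l?d",
    "?u?l?l?l?l?l?d?d?d?d",    # e.g. Monday2014
    "?d?d?d?d?d?d?d?d",
}


def topology(password: str) -> str:
    """Map each character to its hashcat class and return the mask,
    e.g. 'Summer14' -> '?u?l?l?l?l?l?d?d'."""
    tokens = []
    for ch in password:
        for token, charset in CHARSETS.items():
            if ch in charset:
                tokens.append(token)
                break
        else:
            # Anything outside the four ASCII classes (accented letters, control
            # characters) has no hashcat class; refuse rather than mis-classify.
            raise ValueError(f"character {ch!r} has no ?u/?l/?d/?s class")
    return "".join(tokens)


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask expands to: the product of its charset sizes."""
    if len(mask) % 2:
        raise ValueError(f"malformed mask {mask!r}")
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    if any(t not in CHARSETS for t in tokens):
        raise ValueError(f"malformed mask {mask!r}")
    return prod(len(CHARSETS[t]) for t in tokens)


def full_keyspace(length: int) -> int:
    """Candidates needed with no topology knowledge: all 95 printable ASCII
    characters at every position."""
    return sum(len(c) for c in CHARSETS.values()) ** length


def is_blocked(password: str, blocklist=COMMON_TOPOLOGIES) -> bool:
    """PathWell-style policy check: reject a password whose topology is on the common list."""
    return topology(password) in blocklist


if __name__ == "__main__":
    for pw in ["Summer14", "Monday2014", "Ab3$x9Qz"]:   # constructed sample passwords
        t = topology(pw)
        shrink = full_keyspace(len(pw)) / mask_keyspace(t)
        print(f"{pw:12} {t:24} blocked={is_blocked(pw)!s:5} "
              f"mask keyspace is {shrink:,.0f}x smaller than brute force")
```

The keyspace comparison is the whole point of the list: the first topology, ?u?l?l?l?l?l?d?d, expands to about 3.1e10 candidates, roughly 200,000 times fewer than the 95^8 an attacker would face without knowing the pattern, which is why a mask run with no wordlist at all cracks such a large share of enterprise passwords. Blocking the common topologies at password-change time, as PathWell does, removes exactly that shortcut.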

1 comment. Posted by Rick at 20:55.

Hank wrote at 2014-07-07 12:23:

Note: updated the YouTube link above to a newer version of the presentation, and added the slides.
