Bigger isn’t always better, but sometimes it is. If you need a huge word list before you hit those mask attacks, we’ve got you covered. We call it Rocktastic. When you absolutely, positively, got to crack every hash in the room; accept no substitutes.
People and passwords
It’s 2016 and passwords are still a fundamental tenet of a systems security posture. An attacker’s ability to gain credentials is often a key factor to their success.
We humans are basic creatures; creatures of habit and simplicity. For the uninitiated, password selection often follows a psychologically predictable format: familiar base words, upper case characters at the start and digits based on years at the end are all traits that we see often and get interested in. A little too interested, sometimes… enter Neil Lines (@myexploit2600), a man who took things just a little bit too far. Today, we’d like to share some of his insanity with you.
A word list was born
In December 2009, the social game developer RockYou was breached via a simple SQL injection attack. Far worse, all of their user’s 14 million passwords were stored in plain text format. The data hit the wider internet and the rest is history (including RockYou being fined $250,000 by the FTC – ouch). Attackers and security workers the world over have been using that word list ever since.
In keeping with a poor security posture, RockYou didn’t enforce any password complexity, and so unsurprisingly most of the passwords were very basic. Therefore, many of the passwords – while interesting to study – were not particularly useful for cracking password hashes belonging to stronger systems.
Introducing Rocktastic
Neil Lines took the original RockYou word list and went to work. At first, he just removed duplicates but before long, he was adding multiple passwords and permutations based on real world patterns.
Over time, the word list grew. He shared it with a select few individuals and improved the quality of the list, based on their feedback. We all noticed a significant improvement in the success rate of offline dictionary attacks versus other word lists. It’s fair to say that it became a bit of an obsession; a borderline madness.
As with all madness, you can only keep it contained for so long. That’s why we’ve decided to cut a final version of this word list, which we’ve lovingly dubbed ‘Rocktastic‘. It’s a bit of a beast (which, as it goes, is the hostname of our GPU cracking rig… but I digress):
That’s right. There are over a billion words in this well curated word list. We think that if you need much more than that, it’s probably time to start thinking about a mask attack. Plus, someone had to stop Mr Lines from taking the madness any further!
Grab it while it’s hot
Rocktastic is quite weighty, at 2.5 GB compressed and 13 GB uncompressed. Therefore, we’ve decided to distribute it via BitTorrent. Please feel free to download and share. We’d also really appreciate you helping us to keep it seeded for a while!
BitTorrent: https://labs.nettitude.com/torrents/Rocktastic12a.rar.torrent
sha1sum: 38807f82763c78b4e5da7b5d2279ee91781e189d Rocktastic12a.rar