New leak : rootkit.com

EDIT: this is all wrong, I fucked up everything while trying to check the short MD5s. I’m not at 99% at all!

 

The rootkit.com database has just leaked. I found out this morning on xorl's blog. I thought this was Christmas, as there was finally a large password leak of security-minded people, which would be useful to hone cracking techniques.
The leak itself is quite nice, with around 81500 accounts, most of them being raw MD5s. There are also around 10k short hashes, 4 bytes each. The two most common are b3a39596 and 5f4dcc3b. As the MD5 of “password” is 5f4dcc3b5aa765d61d8327deb882cf99, I believe they are truncated raw MD5 hashes. They are uncrackable because of the false positive rate. For example, “hiswife5” is a good cleartext for b3a39596, but doesn’t look like a password many people will use.
The password base in itself is terrible. In just 3 hours, on a single computer and while working, I found 99% of the passwords. This either means that the password selection is horrible on this site, or that it is average and that my wordlists and rules have gotten better. All in all, I am really disappointed with this.
By the way, it seems genuine, as there are people I know in the list whose password is correct.

I will not publish any classic analysis of this. If correlating with the other details in the database proves interesting I will make a new post. The only funny thing I found is the password sobrecarguemos7, which seems to have been used by a bot to create 51 accounts.
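A match on a 4-byte prefix proves far less than a match on a full MD5, and applying prefix matching to full hashes inflates the result, which is the mistake the EDIT at the top describes. The sketch below is an added example, not code from the original post: it re-checks each hit at the stored hash's real length and estimates how many prefix matches chance alone produces. The function names, the UTF-8 encoding and the constructed sample hash are assumptions.

```python
import hashlib

PREFIX_HEX = 8  # the short hashes in the leak are 4 bytes = 8 hex characters


def md5_hex(candidate: str) -> str:
    # UTF-8 is an assumption; the page does not say which encoding the site hashed.
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def classify(stored: str, candidate: str) -> str:
    """Say how much a (stored hash, candidate cleartext) hit actually proves."""
    stored = stored.strip().lower()
    digest = md5_hex(candidate)
    if len(stored) == 32:
        if digest == stored:
            return "verified"
        # Agreement on the first 4 bytes of a full hash is only a collision
        # on the prefix, not a recovered password.
        if digest[:PREFIX_HEX] == stored[:PREFIX_HEX]:
            return "false-positive"
        return "mismatch"
    if len(stored) == PREFIX_HEX:
        # Consistent with the truncated hash, but many cleartexts share it.
        return "prefix-only" if digest.startswith(stored) else "mismatch"
    raise ValueError(f"unexpected hash length: {len(stored)}")


def expected_chance_hits(candidates: int, targets: int, bits: int = 32) -> float:
    """Expected accidental prefix matches, assuming uniform MD5 output
    and distinct target prefixes."""
    return candidates * targets / 2 ** bits


if __name__ == "__main__":
    samples = [
        ("5f4dcc3b5aa765d61d8327deb882cf99", "password"),         # full hash from the post
        ("5f4dcc3b", "password"),                                 # short hash from the post
        ("26d3477311c5c172208dfc46b832d4a5", "sobrecarguemos7"),  # pair from the comments
        ("5f4dcc3b" + "0" * 24, "password"),                      # constructed full hash
    ]
    for stored, candidate in samples:
        print(f"{stored:<32}  {candidate:<16}  {classify(stored, candidate)}")
    # 2**32 candidates tried against 10,000 distinct 4-byte prefixes
    print(expected_chance_hits(2 ** 32, 10_000))
```

Only hits classified as "verified" belong in a cracked-password percentage; "prefix-only" hits are candidates at best.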


5 thoughts on “New leak : rootkit.com”

  1. The correct password for the 51 accounts is “москва” (Moscow written in Russian letters), however the truncated hash for “sobrecarguemos7” begins the same way:

    26d3477368f809b3de1c3bfeda5ac40f:sobrecarguemos7
    26d3477311c5c172208dfc46b832d4a5:москва

    • Yes, I just realized that I ran the code that attacked the short md5s against all md5s, resulting in tons of false positives …

      • Who needs the actual password if the comparison is made with this truncated string and `москва` will go instead of `sobrecarguemos7` or `hiswife5` instead of anything else?
        Yes, it may not be the one a user initially entered when registering/changing password, but the system will take it as a valid one.

        pof – do you have many Russian words in your dictionary? 😉
