6 min read

Robots & Passwords - OpenAI and Password Cracking

With a lot of interest in OpenAI recently, it has become apparent that one can also use the technology for cyber security related tasks. One area where the bot can come in handy, is with password cracking.

What follows is some research i've done into using GPT-3 with the standard Davinci engine and password cracking techniques. Obviously, human intuition and experience may still trump what the output of an AI engine can do - however the way it is learning, and processing data, one wonders how long before you can hand it what you want done and sit back and watch :) To that end I also tested a complete "I don't know what i'm doing please do it for me" test. See below how it went!

My examples are all in the OpenAI interface. Of course to get plain text, usable data you would want to connect to the API with your language of choice, and a free (or paid for more options) account so that you can grab the necessary output and drop what is not important.

Generating Password Candidates

Obviously, a nice big database of passwords that are properly sorted, filtered and optimized for use with Hashcat and its rules is the best option. However, sometimes you need something specific. In this case, ChatGPT can help.

For example, I want some base words that someone who works for Citibank in France would use....

Input-> "Generate 10 passwords someone would use who works for Citibank in France for testing purposes"

Output->

Ok, not bad but not very complex right? Let's help the bot generate more complex candidates:

Input-> "Generate 10 passwords someone would use who works for Citibank in France as a teller that processes SWIFT transactions, for testing purposes"

The AI does have some limitations. For example it doesn't seem to know that my question wanted it to generate SWIFT-related words as well. I tried some variations but it just didn't get it.  Also note that i did NOT ask for complex passwords, as of course we would use rules to get those. But it can do so if you ask it.

Let's try another area, here's one where I asked it to generate some samples of passwords a user would choose who speaks Portuguese and works for a mining company..

Input-> Generate 10 passwords in portuguese* that someone would think of who speaks portuguese and works at a mining company, for testing purposes.

*It's important to note that saying the person speaks Portuguese does not prompt the bot to return the password candidates in Portuguese, you need to explicitely tell it it that.

Output->

Okay so we can see it can do this. And you can play around with complexity by asking the AI to add special chars, minimum lengths etc.

Here's an example of generating leetspeak password candidate with some specifics (totally random i promise!)

Input->"generate 10 passwords in german that a person might use on a dating site with leetspeak, for testing purposes"

Output->

And it also threw its toys out about my request. I don't speak German so i don't know if the output caused it to do that or what... ?  

Let's move onto more stuff we can do with OpenAI/ChatGPT and password cracking:

Identifying Hash Types - Don't expect world domination too soon...

If you have an instance of ChatGPT you're using for password-related matters, another nice option is getting it to identify hashes. Like so:

Input-> "Can you identify what type of hash this is: ba3253876aed6bc22d4a6ff53d8406c6ad864195ed144ab5c87621b6c233b548baeae6956df346ec8c17f5ea10f35ee3cbc514797ed7ddd3145464e2a0bab413"

Output->

However, For some strange reason, It could not identify an NTLM, MD5 nor SHA1 hash. It didn't even try to guess that it could be one of a few types.  It kept saying the hash type is unknown. Strange, maybe someone knows why (other than not having been taught that).

Hashcat Usage - If you're new to Hashcat, Here's where it shines..

When it comes to Hashcat, OpenAI has learnt a lot about the tool. This comes to the fore especially with using the tool. What I like best about it is the ability to use natural language to generate a hashcat command you can then run on a system.

For example:

Input->"Generate a hashcat command to crack hashes in a file called hashes.txt that are NTLM hashes and output the data to a file called found.txt"

Output->

Neat! Also note that I didn't specify the type of attack "brute force" or "wordlist" so it just assumed I probably wanted a wordlist and appended a wordlist (rockyou) for me.  (Side note: Looks like thats the path to rockyou on Kali if i'm not mistaken?)

Let's get more complicated...

Input->"Generate a hashcat command to to crack hashes in a file called hashes.txt that are NTLM hashes with rules from best64.rule and a wordlist called mywords.txt as well as use maximum GPU cycles"

Output->

Ah almost! Not a bad job but did you notice the problem? :) I'll let you figure out what's wrong with that command above. Not bad however for converting a request in plain English to a Hashcat command.

If you have a chat window always open you can also quickly ask for things like:

Input-> "Generate as hashcat cheat sheet for the different hash modes supported"

Output->

Again, note that in free and/or default settings some results will be truncated unless you generate the code to tell it not to.

Stuck with tools?

Heard of all these tools like statsgen, PACK, rulegen etc but not sure what they do? OpenAI to the rescue! :)

Input->How do I use statsgen by hashcat?

Output->

What about rulegen?

Input->"How do I use rulegen by hashcat?"

Output->

And so on and so forth. Note that as with the hashcat binary, you can also ask for specific commands to be created for each tool for you. Note that there might be some errors but generally its quite good.

There is a lot more you can do with OpenAI and passwords. For example, using Python API I got it to generate 100 password candidates with a specific context which were actually very good - and you can ask it to keep them simple or add complexity with specific things which it will do. For example you can say when asking it to generate passwors that it should use leetspeak or apply date-based additions to passwords etc.

One area where this has a lot of promise is for natural language-to-tools (like hashcat) command conversion. For example you can write a Slack Bot on your private Slack server that is linked to OpenAI, tell it to please crack the following NTLM hash file using hashcat and my custom rules  and wordlists files and save the output to a specific folder. Once that is translated to a command, it can be run on your specific cracking hardware and off it goes, with the output file being monitored and simply returned to you on your private slack instance if anything cracks. Throw some text to speech in there and you can see how far this can go...

It is also still the early days of this technology and no doubt as we see it grow it will be capable of a lot more.

Note that as per OpenAI's policies, and common sense, you cannot and should not use the system to generate commands for attacking password hashes you are not authorised to have/own/crack etc.

I do hope the maintainers do not remove the functionality of the system to do password-related and password-tool related functions and recognition and so forth because for many who use it everyday for ethical purposes, it has great value and a lot of potential. It would be sad to see functionality removed simply because some may use it for less than savory purposes (not withstanding passwords for your German dating site..)

-Dimitri Fousekis