Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


Whats to see in BlackStar?

On November 2nd 2012, the Ghostshell hacker group released a rather large dump of records from various Russian companies. The original link is http://pastebin.com/yXN7uc6r, but in case it disappears, here is the gist of it:
blackstar

So being the inquisitive sort, I figured let me take a look at this dump and see what I could see. First off I had to get the data, a combination of wget and links helped with that. Then I started looking around. Now please bear in mind, this is what I found. In all probablity I missed some items just due to the sheer amount of data to work through. With that out of the way..

Email addresses
I wondered about the email addresses in use according to these dumps. I found a total of 234498 email addresses, there are of course a lot of .ru domains (duh) and the normal contenders:
Top 20 email domains:
    374 pochta.ru
    376 yandex.com
    385 ukr.net
    593 gawab.com
    636 mawpinkow.konin.pl
    654 o2.pl
    892 yahoo.co.uk
    893 yahoo.com
    900 hotmail.com
   1021 ourstorereviews.org
   1550 ya.ru
   3717 inbox.ru
   4502 list.ru
   5426 aol.com
   5692 bk.ru
   5917 gold-standard.ru
  11233 rambler.ru
  28006 yandex.ru
  39156 gmail.com
  73466 mail.ru


Then I thought, what about the always interesting .edu / .gov / .mil addresses?
      1 astillero.gba.gov
      1 az4871.spb.edu
      1 cc.tpu.edu
      1 crimea.edu
      1 dhe.tpu.edu
      1 fnsm.tpu.edu
      1 gatech.edu
      1 indiana.edu
      1 nowy.lorenz.edu
      1 nw.ksaa.edu
      1 ruvkmooeki.edu
      1 supersada.edu
      1 us.army.mil
      1 yrbkmooehf.edu
      2 seo.lorenz.edu
      2 sjsu.edu
      6 istu.edu
     10 phystech.edu


What about funny stuff? Things like:
      1 ringl68b02-platinum-gmail.com
      1 ringwlanhccvmmuxc-platinum-gmail.com
      1 ringwljy2399-platinum-gmail.com
      1 ringwxmhwadhvih-platinum-gmail.com
      7 googlemails.net

      1 mazila-firefox.org.ua
      1 mozilla-firefox-ru.ru

      1 freeemailyahoo.com
      1 yyahoo.es

      1 adobe-acrobat-reader.ru
      1 adobe-reader-acrobat.ru

      1 findpharmasolutions2010.co.cc
      1 makizpharma.ru
      1 mdpharmacy.net
      1 pharmaceuticalprocesssystems.co.cc
      1 pharmacy-city.com
      1 pharmacy-ed.info
      1 pharmagarant.ru
      1 pharmateca.ru
      1 polpharma.ru
      1 resopharma.fr
      1 xenopharmacophilia.com
      2 canonpharma.ru
      3 conventpharma.ru
      3 friendpharmacy.com
      4 pharmalin.com

As a case in point, lets look at yyahoo.es:
Yyahoo.es Server Details
IP address: 46.105.140.156
Server Location: France
ISP: Ovh Systems

IP address :    46.105.140.156
IP country code:    FR
IP address country:     France
IP address state:     n/a
IP address city:     n/a
IP address latitude:     46.0000
IP address longitude:     2.0000
ISP of this IP :     Ovh Systems
Organization:     Servidores vps
Host of this IP:      parking1.cathedralsoft.com


..so not looking as if yahoo has anything to do with that domain. Here is the sorted and counted list of email domains (here) if you want to take a look.

Unencrypted passwords
The next step was to see if there were any passwords in the dumps. But here i mean plaintext passwords, you know, when the company or site did not even do hashing but just wrote it straight to a database field. Well I found 52393 unique passwords, needless to say there were many repeats before I did the sort. The list is here, but I also ran a dictionary analyzer (pipal) against it:
Top 10 base words
qwerty = 35 (0.07%)
password = 25 (0.05%)
alex = 21 (0.04%)
melto = 17 (0.03%)
skills = 13 (0.02%)
pass = 13 (0.02%)
mama = 12 (0.02%)
olga = 12 (0.02%)
qwert = 11 (0.02%)
qwer = 10 (0.02%)

Password length (length ordered)
1 = 9 (0.02%)
2 = 19 (0.04%)
3 = 137 (0.26%)
4 = 573 (1.09%)
5 = 627 (1.2%)
6 = 3217 (6.14%)
7 = 2874 (5.49%)
8 = 4245 (8.1%)
9 = 4833 (9.22%)
10 = 32520 (62.07%)
11 = 1174 (2.24%)
12 = 839 (1.6%)
13 = 499 (0.95%)
14 = 295 (0.56%)
15 = 162 (0.31%)
16 = 150 (0.29%)
17 = 54 (0.1%)
18 = 54 (0.1%)
19 = 15 (0.03%)
20 = 40 (0.08%)
21 = 6 (0.01%)
22 = 14 (0.03%)
23 = 2 (0.0%)
24 = 5 (0.01%)
26 = 4 (0.01%)
27 = 2 (0.0%)
28 = 2 (0.0%)
30 = 1 (0.0%)
32 = 3 (0.01%)
33 = 1 (0.0%)
34 = 5 (0.01%)
35 = 1 (0.0%)
36 = 1 (0.0%)
37 = 2 (0.0%)
38 = 2 (0.0%)
40 = 2 (0.0%)
53 = 1 (0.0%)
57 = 1 (0.0%)
58 = 1 (0.0%)
67 = 1 (0.0%)

Password length (count ordered)
10 = 32520 (62.07%)
9 = 4833 (9.22%)
8 = 4245 (8.1%)
6 = 3217 (6.14%)
7 = 2874 (5.49%)
11 = 1174 (2.24%)
12 = 839 (1.6%)
5 = 627 (1.2%)
4 = 573 (1.09%)
13 = 499 (0.95%)
14 = 295 (0.56%)
15 = 162 (0.31%)
16 = 150 (0.29%)
3 = 137 (0.26%)
17 = 54 (0.1%)
18 = 54 (0.1%)
20 = 40 (0.08%)
2 = 19 (0.04%)
19 = 15 (0.03%)
22 = 14 (0.03%)
1 = 9 (0.02%)
21 = 6 (0.01%)
34 = 5 (0.01%)
24 = 5 (0.01%)
26 = 4 (0.01%)
32 = 3 (0.01%)
27 = 2 (0.0%)
38 = 2 (0.0%)
28 = 2 (0.0%)
37 = 2 (0.0%)
23 = 2 (0.0%)
40 = 2 (0.0%)
30 = 1 (0.0%)
33 = 1 (0.0%)
53 = 1 (0.0%)
35 = 1 (0.0%)
36 = 1 (0.0%)
58 = 1 (0.0%)
67 = 1 (0.0%)
57 = 1 (0.0%)

          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
          |                                                            
        |||                                                            
      |||||                                                            
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||  
000000000011111111112222222222333333333344444444445555555555666666666
012345678901234567890123456789012345678901234567890123456789012345678

One to six characters = 4582 (8.75%)
One to eight characters = 11701 (22.33%)
More than eight characters = 40692 (77.67%)

Only lowercase alpha = 5949 (11.35%)
Only uppercase alpha = 324 (0.62%)
Only alpha = 6273 (11.97%)
Only numeric = 2055 (3.92%)

First capital last symbol = 16 (0.03%)
First capital last number = 8376 (15.99%)

Months
march = 4 (0.01%)
april = 2 (0.0%)
may = 16 (0.03%)
july = 3 (0.01%)
august = 1 (0.0%)
september = 1 (0.0%)
october = 1 (0.0%)

Days
None found

Months (Abreviated)
jan = 23 (0.04%)
feb = 5 (0.01%)
mar = 142 (0.27%)
apr = 31 (0.06%)
may = 16 (0.03%)
jun = 19 (0.04%)
jul = 28 (0.05%)
aug = 7 (0.01%)
sept = 2 (0.0%)
oct = 9 (0.02%)
nov = 55 (0.1%)
dec = 10 (0.02%)

Days (Abreviated)
mon = 48 (0.09%)
wed = 9 (0.02%)
fri = 15 (0.03%)
sat = 22 (0.04%)
sun = 19 (0.04%)

Includes years
1975 = 11 (0.02%)
1976 = 19 (0.04%)
1977 = 24 (0.05%)
1978 = 20 (0.04%)
1979 = 28 (0.05%)
1980 = 36 (0.07%)
1981 = 21 (0.04%)
1982 = 27 (0.05%)
1983 = 23 (0.04%)
1984 = 42 (0.08%)
1985 = 25 (0.05%)
1986 = 25 (0.05%)
1987 = 34 (0.06%)
1988 = 24 (0.05%)
1989 = 18 (0.03%)
1990 = 11 (0.02%)
1991 = 18 (0.03%)
1992 = 8 (0.02%)
1993 = 4 (0.01%)
1994 = 11 (0.02%)
1995 = 3 (0.01%)
1996 = 2 (0.0%)
1997 = 8 (0.02%)
1998 = 4 (0.01%)
1999 = 2 (0.0%)
2000 = 14 (0.03%)
2001 = 16 (0.03%)
2002 = 7 (0.01%)
2003 = 7 (0.01%)
2004 = 13 (0.02%)
2005 = 24 (0.05%)
2006 = 20 (0.04%)
2007 = 23 (0.04%)
2008 = 20 (0.04%)
2009 = 29 (0.06%)
2010 = 52 (0.1%)
2011 = 61 (0.12%)
2012 = 29 (0.06%)
2013 = 2 (0.0%)
2014 = 2 (0.0%)
2015 = 4 (0.01%)
2017 = 2 (0.0%)
2018 = 2 (0.0%)
2019 = 2 (0.0%)
2020 = 5 (0.01%)

Years (Top 10)
2011 = 61 (0.12%)
2010 = 52 (0.1%)
1984 = 42 (0.08%)
1980 = 36 (0.07%)
1987 = 34 (0.06%)
2012 = 29 (0.06%)
2009 = 29 (0.06%)
1979 = 28 (0.05%)
1982 = 27 (0.05%)
1985 = 25 (0.05%)

Colours
black = 10 (0.02%)
blue = 3 (0.01%)
green = 11 (0.02%)
orange = 1 (0.0%)
pink = 3 (0.01%)
red = 46 (0.09%)
white = 4 (0.01%)
violet = 1 (0.0%)
indigo = 1 (0.0%)

Single digit on the end = 1493 (2.85%)
Two digits on the end = 1607 (3.07%)
Three digits on the end = 16176 (30.87%)

Last number
0 = 619 (1.18%)
1 = 3021 (5.77%)
2 = 2774 (5.29%)
3 = 2932 (5.6%)
4 = 2791 (5.33%)
5 = 2819 (5.38%)
6 = 2651 (5.06%)
7 = 2738 (5.23%)
8 = 2825 (5.39%)
9 = 2691 (5.14%)

 | |                                                                   
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
 |||||||||                                                             
||||||||||                                                             
||||||||||                                                             
||||||||||                                                             
||||||||||                                                             
0123456789

Last digit
1 = 3021 (5.77%)
3 = 2932 (5.6%)
8 = 2825 (5.39%)
5 = 2819 (5.38%)
4 = 2791 (5.33%)
2 = 2774 (5.29%)
7 = 2738 (5.23%)
9 = 2691 (5.14%)
6 = 2651 (5.06%)
0 = 619 (1.18%)

Last 2 digits (Top 10)
88 = 573 (1.09%)
23 = 545 (1.04%)
11 = 489 (0.93%)
12 = 436 (0.83%)
77 = 402 (0.77%)
45 = 370 (0.71%)
56 = 356 (0.68%)
89 = 353 (0.67%)
21 = 334 (0.64%)
55 = 328 (0.63%)

Last 3 digits (Top 10)
123 = 296 (0.56%)
111 = 114 (0.22%)
777 = 103 (0.2%)
234 = 96 (0.18%)
345 = 86 (0.16%)
321 = 86 (0.16%)
456 = 83 (0.16%)
789 = 71 (0.14%)
984 = 62 (0.12%)
011 = 59 (0.11%)

Last 4 digits (Top 10)
1234 = 64 (0.12%)
2011 = 47 (0.09%)
2345 = 46 (0.09%)
3456 = 45 (0.09%)
2010 = 43 (0.08%)
1984 = 36 (0.07%)
1980 = 30 (0.06%)
1987 = 27 (0.05%)
2009 = 26 (0.05%)
1979 = 24 (0.05%)

Last 5 digits (Top 10)
23456 = 41 (0.08%)
12345 = 35 (0.07%)
54321 = 12 (0.02%)
56789 = 12 (0.02%)
23123 = 10 (0.02%)
34567 = 10 (0.02%)
11111 = 9 (0.02%)
45678 = 7 (0.01%)
77777 = 7 (0.01%)
55555 = 6 (0.01%)

US Area Codes
234 = NE Ohio: Canton, Akron (OH)
345 = Cayman Islands (--)
321 = Florida: Brevard County, Cape Canaveral area; Metro Orlando (FL)
456 = Inbound International (--)
984 = E North Carolina: Raleigh (NC)

Character sets
mixedalphanum: 33894 (64.69%)
loweralphanum: 7361 (14.05%)
loweralpha: 5949 (11.35%)
numeric: 2055 (3.92%)
mixedalpha: 1455 (2.78%)
upperalphanum: 535 (1.02%)
upperalpha: 324 (0.62%)
loweralphaspecial: 129 (0.25%)
loweralphaspecialnum: 91 (0.17%)
mixedalphaspecialnum: 66 (0.13%)
specialnum: 46 (0.09%)
upperalphaspecial: 20 (0.04%)
mixedalphaspecial: 17 (0.03%)
upperalphaspecialnum: 11 (0.02%)
special: 1 (0.0%)

Character set ordering
othermask: 25614 (48.89%)
stringdigit: 10588 (20.21%)
allstring: 7728 (14.75%)
stringdigitstring: 3357 (6.41%)
alldigit: 2055 (3.92%)
digitstringdigit: 1910 (3.65%)
digitstring: 944 (1.8%)
stringspecialstring: 118 (0.23%)
stringspecialdigit: 44 (0.08%)
stringspecial: 24 (0.05%)
specialstring: 8 (0.02%)
specialstringspecial: 2 (0.0%)
allspecial: 1 (0.0%)

Hashcat masks (Top 10)
?l?l?l?l?l?l: 1252 (2.39%)
?l?l?l?l?l?l?l?l?l: 1058 (2.02%)
?l?l?l?l?l?l?l?l: 1037 (1.98%)
?l?l?l?l?l?l?l: 972 (1.86%)
?d?d?d?d?d?d: 788 (1.5%)
?d?d?d?d?d?d?d?d: 500 (0.95%)
?l?l?l?l?l: 401 (0.77%)
?l?l?l?l?l?l?l?l?l?l: 354 (0.68%)
?l?l?l?l: 266 (0.51%)
?d?d?d?d?d?d?d: 225 (0.43%)

Encrypted passwords
Lastly, I looked for passwords hashes. I found three types MD5 / SHA1 / MYSQL, more specifically:
MD5
3555 blackstar-encode-1.hash (get it here)
SHA1
2389 blackstar-encode-2.hash (get it here)
MYSQL
4262 blackstar-encode-3.hash (get it here)
  10206 total

I had a quick run through the hashes to see what I could quickly crack:
MD5
1261 left of 3555
SHA1
1131 left of 2389
MYSQL
486 left of 4262
7328 out 10206 done, 71% done

I will do the dictionary analysis when I get to more then 80% on them. But if you want the dictionary file of progress so far, get it here.

More coming as I get through more of the hashes.

Update - 12-Dec-2012:
I have moved all new progress to a page specifically for hashdumps and cracking them. Please go there for the latest progress and dictionary.