Passerby A · 2015/09/01 11:21

0x01 Event Review


Impact Team published the data of the adultery website Ashley Madison on August 18, and multiple users have confirmed that the data is authentic. The leaked data has been widely distributed via BitTorrent, and someone has set up the website ashley.cynic.al, which lets Ashley Madison users check whether their accounts are in it. The hackers leaked 9.7 GB of data, including email addresses, hashed passwords, profile descriptions, weight, height, partial credit card transaction data and more. Two Ashley Madison users have committed suicide as a result of the leak, and Avid Life Media, the parent company of the cheating website, is offering a 500,000 reward to track down the hackers. Two clues have been published so far: one is Thadeus Zu (@deuszu), the Twitter user who was the first to publish the address of the Ashley Madison server source code; the other is that the Ashley Madison hackers may have accidentally left footprints when releasing the second batch of data.

0x02 Main file description of the leak


  • CreditCardTransactions.7z holds all credit card transactions of the past seven years, including name, address and email address; the archive contains 2,600 Excel files with more than 9,600,000 transaction records.

  • am_am.dump.gz is a MySQL dump containing about 32 million user records, including first name, last name, address, phone number, relationship status, smoking habits, date of birth, alias, etc.

  • aminno_member_email.dump.gz contains 32 million email addresses.

  • member_details.dump.gz contains detailed personal descriptions: eye color, weight, height, hair color and similar attributes.

  • member_login.dump.gz contains 30 million user names and password hashes, hashed with the bcrypt algorithm.

  • swappernet_User_Table.7z is a dump of the QA database server; it is in CSV format rather than standard mysqldump format, and its userPassword field is not bcrypt-hashed.

  • Ashleymadison.tgz contains all of the GitLab repositories of the related sites.

The leaked data also contains about 13 GB of the Ashley Madison CEO's email, but the file appears to be damaged and needs further confirmation.

0x03 Database Import


First check whether the dump files are mysqldump exports:

    $ grep 'MySQL dump' *.dump
    am_am.dump:-- MySQL dump 10.13  Distrib 5.5.33, for Linux (x86_64)
    aminno_member.dump:-- MySQL dump 10.13  Distrib 5.5.40-36.1, for Linux (x86_64)
    aminno_member_email.dump:-- MySQL dump 10.13  Distrib 5.5.40-36.1, for Linux (x86_64)
    member_details.dump:-- MySQL dump 10.13  Distrib 5.5.40-36.1, for Linux (x86_64)
    member_login.dump:-- MySQL dump 10.13  Distrib 5.5.40-36.1, for Linux (x86_64)

Then create the databases and the user, and try the import.

    -- As the root MySQL user
    CREATE DATABASE aminno;
    CREATE DATABASE am;
    CREATE USER 'am'@'localhost' IDENTIFIED BY 'loyaltyandfidelity';
    GRANT ALL PRIVILEGES ON aminno.* TO 'am'@'localhost';
    GRANT ALL PRIVILEGES ON am.* TO 'am'@'localhost';

Following the foreign write-up, execute in sequence:

    $ mysql -D aminno -uam -ployaltyandfidelity < aminno_member.dump
    $ mysql -D aminno -uam -ployaltyandfidelity < aminno_member_email.dump
    $ mysql -D aminno -uam -ployaltyandfidelity < member_details.dump
    $ mysql -D aminno -uam -ployaltyandfidelity < member_login.dump
    $ mysql -D am -uam -ployaltyandfidelity < am_am.dump

The run is shown in the figure above, and here comes the pitfall: the dumps use InnoDB as the default storage engine, and the import is very slow. I don't know how the foreign author got through it, but following his method it would not finish in days. I spent the night asking the expert A, who told me to switch to MyISAM for a faster import. Following the documentation, I disabled InnoDB, created a new database and table, and imported again; still slow, because the data is indexed while it is being inserted. Take member_details.dump.gz as an example:

    $ wc -l member_details.dump
    2425 member_details.dump
    $ head -n 48 member_details.dump
    # ... the header ends with the CREATE TABLE statement:
    CREATE TABLE `member_details` (
      `pnum` int(11) unsigned NOT NULL,
      `eye_color` int(11) unsigned NOT NULL DEFAULT '0',
      `hair_color` int(11) unsigned NOT NULL DEFAULT '0',
      `dob` date DEFAULT NULL,
      `profile_caption` varchar(64) DEFAULT NULL,
      `profile_ethnicity` int(11) unsigned DEFAULT NULL,
      `profile_weight` int(11) unsigned DEFAULT NULL,
      `profile_height` int(11) unsigned DEFAULT NULL,
      `profile_bodytype` int(11) unsigned DEFAULT NULL,
      `profile_smoke` int(11) unsigned DEFAULT NULL,
      `profile_drink` int(11) unsigned DEFAULT NULL,
      `profile_initially_seeking` int(11) unsigned DEFAULT NULL,
      PRIMARY KEY (`pnum`),
      KEY `dob` (`dob`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Change ENGINE=InnoDB to ENGINE=MYISAM in this statement and create the table with it by hand.

Then compute 2425 - 48 = 2377 and run:

    $ tail -n 2377 member_details.dump > member_details.new.dump

Finally, go back to MySQL and import the data with source:

    source member_details.new.dump

As shown below:
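The header-and-data split done by hand above (wc -l, head, ENGINE swap, tail), generalised as an added example that is not code from the original post: it locates the end of the CREATE TABLE statement itself, rewrites ENGINE=InnoDB to MyISAM and separates the INSERT section. The dump it works on is a constructed miniature in mysqldump's layout, not real data.

```python
import re

# Constructed miniature mysqldump (not real data), in mysqldump's layout:
# comment header, CREATE TABLE, then LOCK/INSERT/UNLOCK.
SAMPLE_DUMP = """-- MySQL dump 10.13  Distrib 5.5.40-36.1, for Linux (x86_64)
-- Host: localhost    Database: aminno
DROP TABLE IF EXISTS `member_details`;
CREATE TABLE `member_details` (
  `pnum` int(11) unsigned NOT NULL,
  `dob` date DEFAULT NULL,
  PRIMARY KEY (`pnum`),
  KEY `dob` (`dob`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

LOCK TABLES `member_details` WRITE;
INSERT INTO `member_details` VALUES (1,'1970-01-01'),(2,NULL);
INSERT INTO `member_details` VALUES (3,'1980-05-05');
UNLOCK TABLES;
"""


def split_dump(text, engine="MyISAM"):
    """Split a single-table mysqldump into (schema, data, header_lines).

    schema: lines up to and including CREATE TABLE, with ENGINE=InnoDB
            rewritten to the requested engine; data: the remaining INSERT
            lines to `source` once the table exists; header_lines: the
            count the post derived by hand for head -n / tail -n.
    """
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        # mysqldump closes CREATE TABLE with a line like ") ENGINE=... ;"
        if line.startswith(")") and "ENGINE=" in line:
            header = i + 1
            break
    else:
        raise ValueError("no CREATE TABLE statement found")
    schema = re.sub(r"ENGINE=InnoDB\b", "ENGINE=" + engine, "".join(lines[:header]))
    return schema, "".join(lines[header:]), header


def count_rows(data):
    """Count VALUES tuples in the data part, i.e. rows the import will add.
    Naive: assumes no ';' or ')' inside quoted values (true for the sample)."""
    tuples = 0
    for stmt in re.findall(r"INSERT INTO .*? VALUES (.*?);", data, re.S):
        tuples += len(re.findall(r"\((?:[^()']|'[^']*')*\)", stmt))
    return tuples
```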

0x04 Simple Data analysis


Start with swappernet_user_table.7z (extracted to swappernet_QA_User_Table.txt). The analysis commands are as follows:

    $ cut -d, -f4 < swappernet_QA_User_Table.txt | wc -l
    765607
    $ cut -d, -f4 < swappernet_QA_User_Table.txt | sed '/^\s*$/d' | wc -l
    765603
    $ cut -d, -f4 < swappernet_QA_User_Table.txt | sed '/^\s*$/d' | sort -u | wc -l
    387974

As shown above, the passwords in this database are valuable because they are stored in clear text. Let's compute the 50 most commonly used passwords:

    # cut -d, -f4 < swappernet_QA_User_Table.txt | sort | uniq -c | sort -rn | head -50
       5882 123456
       2406 password
        950 pussy
        948 12345
        943 696969
        917 12345678
        902 fuckme
        896 123456789
        818 qwerty
        746 1234
        734 baseball
        710 harley
        699 swapper
        688 swinger
        647 football
        645 fuckyou
        641 111111
        538 swingers
        482 mustang
        482 abc123
        445 asshole
        431 soccer
        421 654321
        414 1111
        408 hunter
        400 sexy
        388 michael
        381 lovers
        379 threesome
        375 sunshine
        375 monkey
        367 hello
        339 jennifer
        338 master
        336 biteme
        335 sexsex
        334 fucker
        332 shadow
        331 shithead
        330 123123
        327 swappernet
        327 fuck
        326 6969
        325 tigger
        325 iloveyou
        314 robert
        312 george
        305 buster
        302 statueofliberty
        300 1234567

I have limited resources here, so I did not use the passwords counted above to run against the bcrypt hashes in member_login.dump, but a foreign researcher brute-forced them with the rockyou dictionary and recovered more than 4,000 plaintext passwords; the download address is Link.

Next, use the last-activity fields (reply_mail_last_time, bc_chat_last_time, bc_mail_last_time), whether the profile has uploaded photos (the photos_public field) and whether the email address was verified (aminno_member_email.isvalid) to estimate how many real users there are. The SQL statement is as follows:

    SELECT COUNT(*)
    FROM aminno_member
    LEFT JOIN aminno_member_email ON aminno_member.pnum = aminno_member_email.pnum
    WHERE (aminno_member.bc_mail_last_time != '0000-00-00 00:00:00'
        OR aminno_member.bc_chat_last_time != '0000-00-00 00:00:00'
        OR aminno_member.reply_mail_last_time != '0000-00-00 00:00:00')
      AND photos_public != 0
      AND aminno_member_email.isvalid = 1;

It returns 2,528,767, roughly 2.5 million real users, which is a huge user base.

0x05 Reference Documents


  • Analysis shows that women on Ashley Madison are extremely rare
  • What can we learn from the 4000 Ashley Madison passwords
  • Who hacked Ashley Madison? (Via Twitter and Facebook)
  • Aug 21 2015: New torrent from Impact Team!