Cracking Zynga

Working on a personal project collecting breach DBs, I had come across the Zynga dump. On September 12th, 2019, Zynga publicly acknowledged the data breach had happened. The company developed games including Farmville, Zynga Poker, Words With Friends, Mafia Wars, CafĂ© World, and Empires & Allies etc… The breach contains 206,267,210 records including duplicates and 150,363,954 records without duplicates.
The following information was leaked:

  • Username
  • Email
  • Hash
  • Salt
  • First Name
  • Last Name
  • Phone Number

Looking at the entries it was said that passwords were hashed with SHA1 and a salt, these would be in the [SALT] &[CRYPTED_CUSTOM_PASSWORD] columns . Trying to test some of the passwords with hashcat it seemed none of them would crack, even ones I had known passwords for. Digging a little deeper, I found that it was a variation of SHA1 called ‘SHA1DASH’. In order to crack SHA1DASH with hashcat , you would need to take the [CRYPTED_CUSTOM_PASSWORD] + [SALT] values and combine them in a file and add 2 dashes to either sides of the salt with a colon delimiter.
Example:
if your password was e9a77fa0bae1829afd957d2f85fc9f205b42025a and salt was afe18967b17fa732b2b4879aa77a326fbc16eaf7 it would look like this:
e9a77fa0bae1829afd957d2f85fc9f205b42025a:--afe18967b17fa732b2b4879aa77a326fbc16eaf7--

Essentially it’s:
e9a77fa0bae1829afd957d2f85fc9f205b42025a = sha1(–afe18967b17fa732b2b4879aa77a326fbc16eaf7–plaintextpassword–)
Using the hashcat examples wiki we’re going to use ‘120sha1($salt.$pass) for our mode. The other thing you will need to do is create a rule file. In this rule file simply put: $-$- inside the file and save it as zynga.rule , this appends — to the end of the passwords candidates. You will also need a good wordlist/dictionary to crack with. If you are combining other cracking rules make sure the zynga.rule is last.
You can either put these hashes in a file or crack them inline if you’re only doing a couple.

.\hashcat64.exe -m 120 -a0 -w4 'e9a77fa0bae1829afd957d2f85fc9f205b42025a:--afe18967b17fa732b2b4879aa77a326fbc16eaf7--' .\zynga.dic -r .\zynga.rule

You’ll notice that the cracked password will have appended to it, make sure you remove the extra dashes from the password in your potfile or use something like this in powershell:

foreach($line in [System.IO.File]::ReadLines(".\hashcat.potfile"))
{
$line = $line -replace '[--]',''
Set-Content .\new-hashcat.potfile -Value $line
}

Happy cracking.