Sunday, September 16, 2007

HCP Case Work / Rainbow Tables

It's been a busy, busy week working a couple of HCP cases that look like they may go to trial. Mickey and I have been compiling a ton of analysis to support our technical argument. It is fairly interesting, developing metrics post-mortem to demonstrate that a service was delivered as promised.

I had planned on getting into a fairly technical post on risk assessment, and specifically how to plan and implement one. I mean, anyone can find NIST 800-53 and a checklist, but is that really a risk assessment? So, there will be more on that.

Lastly, rainbow tables. I have been developing a huge secret stash and am willing to trade / swap information, ideas and knowledge for table lookups. I currently have LM-all, md5 1-7 az09+symbols14, Cisco PIX 1-7 az09+symbols14, ntlm 1-7 az09+symbols14, and about 10GB of WPA and WPA2 hashes. Plus 5GB+ of targeted dictionaries.

-Dave

Monday, September 10, 2007

Out of cycle post - Books

Normally, I just post on the weekends, but I was pretty excited about a book I just finished. I FINALLY got around to finishing Reversing: Secrets of Reverse Engineering by Eldad Eilam and was blown away by the content. I had been wanting to get deeper into reverse engineering and the ability to dissect malware, so this was great.

Additionally, I have been wanting to write a book on digital forensic investigation, but focused on the whole range of investigation: basic forensics, media reconstruction, password cracking, interview skills, and investigation techniques. Maybe some of the reporting and chain of custody stuff.

I really liked Real Digital Forensics, but my book would be more about building a security service, whether it is in higher ed like Georgetown's Information Security Office or a small digital forensics company like HCP Forensics.

Sunday, September 9, 2007

Locating passwords

I have been thinking about passwords - your passwords. I have your drive image, but cannot break your password with conventional methods.

At Defcon 15, I heard about this attack that is used by your favorite government agencies. The idea is this: you type your passwords in all the time, and there is the possibility that they get written to swap, temp files, Dr. Watson logs, or the like. So, why not scan your entire drive to look for "password like" strings to build a dictionary?

It has been done on a smaller scale - it's an old trick to find good stuff in the memory dump logs, but I have also found passwords in logs, such as: Wrong password for user "secretStrongP@ssw0rd".

So, I started writing some Perl and C++ to process strings in images and deal with the encoding. Pretty interesting initial results when looking for passwords with a strong-password filter and basic entropy filters on. I also did some searching and found a current project that has made some progress - Dicop-workerframe.
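The same "strong password plus entropy" filter, turned around to the defender's side: an added example (not the Perl/C++ from the post) that scans log lines for tokens that look like typed secrets, the way the "Wrong password for user" leak above does, so they can be flagged and redacted before they land on disk. The log lines are constructed for the example; the class and entropy thresholds are assumptions you would tune.

```python
import math
import re

# Constructed sample log lines (not from any real system). Line 2 is the kind of
# leak the post describes: a failure message that echoes the secret itself.
SAMPLE_LOG = [
    'Sep 09 10:01:02 host sshd[4112]: Failed password for alice from 10.0.0.5',
    'Sep 09 10:01:09 host app[77]: Wrong password for user "secretStrongP@ssw0rd"',
    'Sep 09 10:02:00 host app[77]: session id 3f9a1c7e2b8d4e6f started',
    'Sep 09 10:03:15 host app[77]: user bob logged in from 10.0.0.7',
]

# A "token" is a run of 8-64 characters containing no whitespace and none of
# the quoting/delimiter characters log formats wrap values in.
TOKEN_RE = re.compile(r'[^\s"\'=:,;()\[\]<>]{8,64}')
CLASSES = (r'[a-z]', r'[A-Z]', r'[0-9]', r'[^A-Za-z0-9]')

def shannon_entropy(s):
    """Bits per character: plain words score low, mixed random text higher."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_like_password(token):
    """Strong-password filter: 3 of 4 character classes plus an entropy floor
    (assumed thresholds). Hex ids and plain words fail on classes."""
    classes = sum(1 for p in CLASSES if re.search(p, token))
    return classes >= 3 and shannon_entropy(token) >= 3.0

def scan_line(line):
    return [t for t in TOKEN_RE.findall(line) if looks_like_password(t)]

def scan_log(lines):
    """Map 0-based line index -> suspicious tokens, for lines that have any."""
    hits = {}
    for i, line in enumerate(lines):
        found = scan_line(line)
        if found:
            hits[i] = found
    return hits

def redact(line):
    """What a log shipper should do before the line reaches disk or a SIEM."""
    for t in scan_line(line):
        line = line.replace(t, "[REDACTED]")
    return line
```

On the sample, only the second line is flagged; the hex session id and the IP addresses are rejected by the character-class rule, which is also why a filter like this misses secrets made of a single class.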

Good stuff, and definitely food for thought, dude. I'll post some of my work and results shortly.

-Dave

PS - Visit my forensic company, HCP Forensic Services. We are really starting to grow and have been very successful in getting the job right in the minimal amount of time. Are all contracts like that, though?

Monday, September 3, 2007

SHA1 Password Cracking

I looked online for a bit, but could not find any real reference to cracking SHA1 passwords. Well, there are some like John the Ripper with the SHA1 patch.

I found a few posts asking how to pen test LDAP SHA1 databases, but other than JTR not much.

So - here you go:

Netscape LDAP SHA1 passwords are stored as the base64 of the raw 20-byte digest with {SHA} prepended, e.g.
{SHA}v83z5sps70VUO/u1dQnJKuyaOfs=, which is my personal super secret password. With a little Perl, it is easy to decode them to the SHA1 hex values we know and love, like bfcdf3e6ca6cef45543bfbb57509c92aec9a39fb.

Key Perl statements from ASCII to SHA1 hex and base64:
#!/usr/bin/perl
# Takes the cleartext on the command line and prints it as the hex SHA1
# digest cracking tools use and as the base64 {SHA} form LDAP stores.
use strict;
use warnings;
use Digest::SHA1;
use MIME::Base64;

my $secret = $ARGV[0];
die "usage: $0 <password>\n" unless defined $secret;

# Hex digest
my $ctx = Digest::SHA1->new;
$ctx->add($secret);
print 'sha1 hex: ' . $ctx->hexdigest . "\n";

# LDAP userPassword form: {SHA} plus the base64 of the raw digest
# (the '' second argument stops encode_base64 appending a newline)
$ctx = Digest::SHA1->new;
$ctx->add($secret);
my $hashedPasswd = '{SHA}' . encode_base64($ctx->digest, '');
print 'userPassword: ' . $hashedPasswd . "\n";
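The other direction, as an added example rather than the post's Perl: a parser for LDAP userPassword values that pulls the {SHA} value above back out to the hex form, verifies a candidate against it, and flags which entries are stored unsalted at all. The {SSHA} handling (base64 of sha1(password + salt) followed by the salt) is the OpenLDAP-style convention, not something the post covers, and the sample entries are constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the {SHA} value quoted in the post, not from any real directory.
SAMPLE_USERPASSWORD = "{SHA}v83z5sps70VUO/u1dQnJKuyaOfs="

def parse_userpassword(value):
    """Split an LDAP userPassword value into (scheme, digest, salt).
    {SHA}  = base64(sha1(pw))               unsalted, 20-byte digest
    {SSHA} = base64(sha1(pw + salt) + salt)   OpenLDAP-style salted form (assumed)
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {scheme} prefix")
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    raw = base64.b64decode(b64, validate=True)
    if scheme == "SHA" and len(raw) == 20:
        return scheme, raw, b""
    if scheme == "SSHA" and len(raw) > 20:
        return scheme, raw[:20], raw[20:]
    raise ValueError("unsupported or malformed scheme: " + scheme)

def to_hex(value):
    """The bare hex digest that rcrack / JTR style tools take as input."""
    return parse_userpassword(value)[1].hex()

def make_sha(password):
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def make_ssha(password, salt=None):
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(value, candidate):
    """Constant-time check of one candidate against either scheme."""
    _, digest, salt = parse_userpassword(value)
    calc = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)

def unsalted_entries(entries):
    """Audit helper: uids stored as plain {SHA}, which precomputed tables hit directly."""
    return [uid for uid, value in entries if parse_userpassword(value)[0] == "SHA"]
```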

Now you can use JTR or, my choice, rainbow tables. Splitting the load over 4 or 5 machines, I built the SHA1 1-8 lowercase [a-z][0-9] plus 14 symbols tables in about a week.

It's about 26GB and will cover most bad user passwords.
rtgen sha1 loweralpha-numeric-symbol14 1 8 x39x 2400 40000000 x00
(Replace x39x with your table number. I used 0-39 for my tables.)

For a nice 6GB, you can get lowercase [a-z][0-9] for 1 to 7 characters, which will cover a lot.
rtgen sha1 loweralpha-numeric 1 8 x10x 2400 40000000 x00
(Replace x10x with your table number, 1-10.)

I stripped out the username and userPassword attributes from LDAP and stored them in a protected file, converting the base64 password into hex:

davesmith:bfcdf3e6ca6cef45543bfbb57509c92aec9a39fb

Next, I stripped out just the SHA1 hashes into my working file, hashs.txt.

Crack away!
rcrack sha1*.rt -l hashs.txt

So now I see all of the weak passwords created by users, which is always tragic fun. Match the cracked hashes back to the usernames in the original file, and you have pen tested your LDAP access.