Writing your own password cracker


  • 8/10/2019 Writing your own password cracker.


    PASSWORD HASHING


    STORING PASSWORDS

    Password: user input text
    Salt: generated random bytes
    User database: DB table or file
    Generate hash from Format(Password, salt)
    Store(hash, salt)


    CHECKING PASSWORD

    Password: user input text
    Salt: Lookup(salt, hash) in the user database (DB table or file)
    Generate hash from Format(Password, salt)
    Compare(Generated hash, Stored hash)
    Identical? Yes: user logged in. No: kicked out.


    Apache Derby

    Password hashing algorithm before CVE-2009-4269

    SOURCE CODE ANALYSIS


    WHAT IS APACHE DERBY?

    Open source Java DB

    Small footprint (


    PASSWORD HASH


    ALGORITHM IMPLEMENTATION

    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    protected String encryptPassword(String plainTxtUserPassword)
    {
        if (plainTxtUserPassword == null)
            return null;

        MessageDigest algorithm = null;
        try
        {
            algorithm = MessageDigest.getInstance("SHA-1");
        }
        catch (NoSuchAlgorithmException nsae)
        {
            // Ignore as we checked already during service boot-up
        }
        algorithm.reset();

        // the password text is turned into nibble bytes before hashing
        byte[] bytePasswd = null;
        bytePasswd = StringUtil.toHexByte(plainTxtUserPassword, 0, plainTxtUserPassword.length());
        algorithm.update(bytePasswd);
        byte[] encryptVal = algorithm.digest();

        // scheme identifier followed by the hex-encoded SHA-1 digest
        String hexString = ID_PATTERN_NEW_SCHEME +
            StringUtil.toHexString(encryptVal, 0, encryptVal.length);
        return (hexString);
    }

    // StringUtil.toHexByte as shipped before the fix
    public static byte[] toHexByte(String str, int offset, int length)
    {
        byte[] data = new byte[(length - offset) * 2];
        int end = offset + length;

        for (int i = offset; i < end; i++)
        {
            char ch = str.charAt(i);
            int high_nibble = (ch & 0xf0) >>> 4;
            int low_nibble = (ch & 0x0f);
            data[i] = (byte) high_nibble;    // ??? the index advances by one, not two, per character:
            data[i+1] = (byte) low_nibble;   // the next iteration overwrites this low nibble
        }
        return data;
    }


    ALGORITHM IMPLEMENTATION/2.

    Example: password text "Test12"

    ASCII hex of the text:  54 65 73 74 31 32
    i:                       0  1  2  3  4  5

    toHexByte writes (data[i], data[i+1]) in each iteration:
        i = 0: 05 04
        i = 1: 06 05
        i = 2: 07 03
        i = 3: 07 04
        i = 4: 03 01
        i = 5: 03 02

    bytePasswd: 05 06 07 07 03 03 02 (the remaining bytes stay 0)

    hash = concat( 0x3b60, toHexString( SHA1(bytePasswd) ) )


    CRACKING: BRUTE FORCE

    Character set: 26 upper + 26 lower + 10 digits
    8-character passwords
    62^8 ≈ 2 * 10^14
    Nvidia GF 8800 GT: 21 days

    After toHexByte():
    6^8 * 16 ≈ 2 * 10^7
    Nvidia GF 8800 GT: 0.23 sec

    Ratio = 1/8124628
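As an added example (not code from the slides or from Derby), the pre-fix toHexByte() ported to Python beside an assumed corrected indexing, with the Derby hash built on top: it reproduces the "Test12" walkthrough, shows a second password that hashes identically, and counts how many distinct inputs SHA-1 actually receives over the 62-character set. The names to_hex_byte_corrected and distinct_digest_inputs are this example's own.

```python
import hashlib
import string
from itertools import product

ID_PATTERN_NEW_SCHEME = "3b60"                  # prefix of the pre-fix Derby scheme (from the slides)
CHARSET = string.ascii_letters + string.digits  # the 62-character set of the brute-force slide


def to_hex_byte_buggy(pw: str) -> bytes:
    """Port of Derby's pre-CVE-2009-4269 StringUtil.toHexByte with offset 0.
    data[i] and data[i+1] never advance by two, so iteration i overwrites the
    low nibble that iteration i-1 wrote into data[i]."""
    data = bytearray(2 * len(pw))
    for i, ch in enumerate(pw):
        data[i] = (ord(ch) & 0xF0) >> 4
        data[i + 1] = ord(ch) & 0x0F
    return bytes(data)


def to_hex_byte_corrected(pw: str) -> bytes:
    """Assumed corrected indexing (two output bytes per character); this is an
    illustration, not the text of Derby's actual patch."""
    data = bytearray(2 * len(pw))
    for i, ch in enumerate(pw):
        data[2 * i] = (ord(ch) & 0xF0) >> 4
        data[2 * i + 1] = ord(ch) & 0x0F
    return bytes(data)


def derby_hash(pw: str, to_hex_byte=to_hex_byte_buggy) -> str:
    """encryptPassword(): ID_PATTERN_NEW_SCHEME + hex(SHA-1(toHexByte(password)))."""
    return ID_PATTERN_NEW_SCHEME + hashlib.sha1(to_hex_byte(pw)).hexdigest()


def distinct_digest_inputs(length: int, to_hex_byte=to_hex_byte_buggy) -> int:
    """Number of distinct byte strings SHA-1 sees for all passwords of the given
    length over CHARSET. The buggy version keeps only the high nibble of every
    character plus the low nibble of the last one, so the count collapses."""
    return len({to_hex_byte("".join(p)) for p in product(CHARSET, repeat=length)})


if __name__ == "__main__":
    print(to_hex_byte_buggy("Test12").hex())       # 05060707030302 followed by zeros
    print(derby_hash("Test12") == derby_hash("Papp02"))   # True: same nibble pattern
    print(distinct_digest_inputs(2), "of", 62 ** 2, "two-character inputs survive")
```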


    FIX

    Apache.org notified in December 2009
    Vulnerability CVE-2009-4269
    Fix released in May 2010
    Derby 10.6.1.0
    http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
    Bug fixed
    BUILTIN authentication: not recommended in production DBs


    Sybase ASE (Adaptive Server Enterprise) RDBMS

    BINARY ANALYSIS


    REVERSE ENGINEERING

    Live analysis (Debugger, Monitoring Tools)
    Off-line analysis (Disassembler)

    Concept:
    Get the big picture
    Create a theory/model
    Test


    SYBASE ASE

    Sybase "Adaptive Server Enterprise" runs on Linux, UNIX, Windows and Mac OS X
    Market share: 4.
    Cousin of Microsoft SQL Server:
    1994: Microsoft bought the source
    Main releases: 12.5.x (2001) still in use at some companies
    15.0.5 latest version, evaluation downloadable
    Password encryption: SYB-PROP, SHA-256


    Live CODE Analysis

    SYBASE SHA-256 HASH


    LOGIN INFORMATION


    WHERE TO START?

    Information gathering

    Search for an entry point

    User input

    Program output

    System call

    Known constants


    AVAILABLE INFORMATION

    http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc31654.1502/html/sag1/BCFDGIFC.htm


    MEMORY BREAKPOINT

    Search for the constant (a debugger helps). Byte order is reversed:
    search for 0x67E6096A (h0 in the source)
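Added example, not from the slides: the "known constants" entry point done offline in Python. It scans a byte blob for the initial hash values of SHA-256, SHA-1 and MD5 in both byte orders, one word at a time because a compiler emits them as separate immediates rather than one table; the sample blob is constructed here to look like x86 mov instructions initialising a SHA-256 state, and the function names are this example's own.

```python
import struct

# Initial hash values of common digests. A little-endian x86 binary stores each word
# byte-reversed, which is why the slides search for 0x67E6096A instead of 0x6A09E667.
KNOWN_IVS = {
    "SHA-256": (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19),
    "SHA-1":   (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0),
    "MD5":     (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
}


def find_all(blob: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in blob."""
    hits, pos = [], blob.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(needle, pos + 1)
    return hits


def scan_iv_words(blob: bytes) -> dict:
    """Map (algorithm, byte order) -> list of offset lists, one per IV word."""
    report = {}
    for algo, words in KNOWN_IVS.items():
        for order, fmt in (("little", "<I"), ("big", ">I")):
            hits = [find_all(blob, struct.pack(fmt, w)) for w in words]
            if any(hits):
                report[(algo, order)] = hits
    return report


def identify(blob: bytes) -> list:
    """(algorithm, byte order) pairs whose IV words are all present. SHA-1 shares
    MD5's four words, so MD5 is dropped when SHA-1 matches in the same order."""
    found = [key for key, hits in scan_iv_words(blob).items() if all(hits)]
    for order in ("little", "big"):
        if ("SHA-1", order) in found and ("MD5", order) in found:
            found.remove(("MD5", order))
    return sorted(found)


# Constructed sample: push ebp / mov ebp,esp, then one "mov dword [eax+disp8], imm32"
# (C7 40 disp imm32) per SHA-256 IV word, as a compiler might fill a state struct, then ret.
SAMPLE_CODE = b"\x55\x89\xe5" + b"".join(
    b"\xc7\x40" + bytes([4 * i]) + struct.pack("<I", w)
    for i, w in enumerate(KNOWN_IVS["SHA-256"])) + b"\xc3"
```

Running identify(SAMPLE_CODE) reports SHA-256 in little-endian form, and scan_iv_words() gives the offset of each word, which is where a memory or hardware breakpoint would go.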


    FINAL INSTRUCTIONS OF HASHING FOUND


    CALL STACK


    THE CALL OF HASHING FUNCTION FOUND


    PYTHON CODE - TEST


    OFF-LINE Analysis

    SYB-PROP HASH


    SYB-PROP: HOW?

    Old Sybase versions not available

    Current version is 15.0.5

    using SYB-PROP is not allowed

    old password hashes only in 15.0.0 or 15.0.1

    I have no access to an old Sybase DB

    Some companies still use Sybase ASE 12.x !


    DOWNGRADE VERSION 15.0.5 TO 15.0.[01]


    AFTER DOWNGRADE


    OFFLINE ANALYSIS

    IDA Free 4.9

    Symbols included -> function names


    OUTLINE OF FUNCTION CALLS (MINDMAP)

    Diagram: password -> meta_keysch() -> meta_encrypt() (64 bytes in, 64 bytes out)


    META_ENCRYPT()

    Input: 64 bytes

    Output: 64 bytes

    Last 28 bytes -> hash

    assembly instructions: ~ 80

    function calls: 5

    (conditional) jumps: 7


    CRYPTO IDENTIFIED

    string constant

    FEAL


    FEAL

    Fast data Encipherment Algorithm, NTT, 1987: intended as a replacement for DES
    Feistel networks
    key scheduling, encryption/decryption
    FEAL-4, FEAL-8, FEAL-N, FEAL-NX, FEAL-32X
    number of rounds: different
    key size: different
    Known vulnerabilities -> not recommended


    FEAL VERSION IN SYBASE?

    Number of rounds

    Key schedule size

    FEAL in Sybase:

    Key: 8 bytes

    Key schedule: 32 bytes

    Output: 8 bytes

    Conclusion: FEAL-8


    STRING CONSTANT


    FUNCTION META-ENCRYPT

    Diagram (string constant, meta_keysch() result blocks, encryption rounds, round results):
    the string constant is split into 8-byte blocks blck1, blck2, blck3, ...; the result
    blocks of meta_keysch() are res_blck1, res_blck2, res_blck3, ... res_blck8; each
    encryption round is a FEAL-8 call with a key and an input taken from these blocks,
    and the round results are collected.


    META_KEYSCH ROUND SALT

    salt byte


    MIXING BYTES

    input bytes 1. 2. 3. 4. 5. 6. 7. 8. (expanded password)
    salt byte: ( rand() >> 8 ) % 0xFF
    output bytes 1. 2. 3. 4. 5. 6. 7. 8.


    FUNCTION META_KEYSCH OPERATION

    Rounds: 8
    Initialization: XP -> expand password with 0x1D bytes to 57 bytes
    seed number = system time -> 1 byte
    PRNG init: stdlib.h / srand(seed);
    Rounds: round salt byte = rand() -> 1 byte

    ROUND KEY:
    first round: MIX( salt byte, XP[first block] )
    other rounds: buffer = XP[ (round - 1) * 8 + 1 ] result[ (round - 1) * 8 ]; MIX( salt byte, buffer )

    RESULT:
    first 2 rounds - FEAL( round key, const_str[ seed % 0x30 + 1 ] )
    other rounds - round key itself


    META_KEYSCH() ROUNDS

    Diagram: the round input blocks are taken from the eXpanded Password XP (8 bytes each:
    XP[ 0 ], XP[ 0*8 + 1 ], XP[ 1*8 + 1 ], XP[ 2*8 + 1 ]) and, from the second round on,
    from the previous round result; each is combined with the 1-byte round salt by MIX.
    In the first two rounds the MIX output is the FEAL-8 key and const_str[ seed % 0x30 ]
    the FEAL-8 input; the 8-byte round results form the RESULT BLOCKS RES_BLCK 1 ...
    RES_BLCK 4.


    RECONSTRUCTION

    FEAL-8 specification:
    Applied Cryptography by Bruce Schneier
    C source code: http://tirnanog.ls.fi.upm.es/NoSeguro/Servicios/Software/ap_crypt/indice.html

    Reconstruction not accurate

    Sybase FEAL-8 implementation:
    fixed key + fixed input -> output?
    results(Sybase) vs. results(official specification):
    key schedule: only the first 4 bytes identical


    WHY NOT WORKING?

    Sybase FEAL-8 omitted a step in the key processing part
    Source: Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone

    U(-2) is not updated, U(i-3) remains 0
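Added example, not Sybase's or the slides' code: the FEAL-8 key schedule as given in the Handbook of Applied Cryptography (Algorithms 7.102 and 7.103), with a switch that leaves the U(i-3) term at zero as the slide describes, so a reconstruction can be checked against the reference the way the slides do. The key value is a constructed test key and the function names are this example's own.

```python
def _rol2(x: int) -> int:
    """Rotate an 8-bit value left by two positions."""
    return ((x << 2) | (x >> 6)) & 0xFF


def s_box(x: int, y: int, d: int) -> int:
    """FEAL S-function: S_d(x, y) = ROL2((x + y + d) mod 256), d in {0, 1}."""
    return _rol2((x + y + d) & 0xFF)


def fk(a: bytes, b: bytes) -> bytes:
    """FEAL key-schedule function fK(A, B) (HAC Algorithm 7.103)."""
    t1, t2 = a[0] ^ a[1], a[2] ^ a[3]
    u1 = s_box(t1, t2 ^ b[0], 1)
    u2 = s_box(t2, u1 ^ b[1], 0)
    u0 = s_box(a[0], u1 ^ b[2], 0)
    u3 = s_box(a[3], u2 ^ b[3], 1)
    return bytes([u0, u1, u2, u3])


def key_schedule(key: bytes, keep_u_minus_3: bool = True) -> list:
    """FEAL-8 key schedule (HAC Algorithm 7.102): 16 two-byte subkeys K0..K15.
    U(-2) = 0, U(-1) = left key half, U(0) = right key half; for i = 1..8:
    U(i) = fK(U(i-2), U(i-1) XOR U(i-3)), K(2i-2) = U(i)[0:2], K(2i-1) = U(i)[2:4].
    keep_u_minus_3=False never updates the U(i-3) slot, so it stays zero: the
    omitted step the slides attribute to Sybase's implementation."""
    if len(key) != 8:
        raise ValueError("FEAL-8 needs an 8-byte key")
    u = [bytes(4), key[:4], key[4:]]          # U(-2), U(-1), U(0)
    subkeys = []
    for _ in range(8):
        u_im3 = u[-3] if keep_u_minus_3 else bytes(4)
        b = bytes(x ^ y for x, y in zip(u[-1], u_im3))
        u_i = fk(u[-2], b)
        subkeys += [u_i[:2], u_i[2:]]
        u.append(u_i)
    return subkeys


def first_divergence(key: bytes) -> int:
    """Index of the first subkey where the spec schedule and the deviant one differ (-1 if none)."""
    spec, dev = key_schedule(key), key_schedule(key, keep_u_minus_3=False)
    return next((i for i, (a, b) in enumerate(zip(spec, dev)) if a != b), -1)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")   # constructed test key
    print("spec   :", b"".join(key_schedule(key)).hex())
    print("deviant:", b"".join(key_schedule(key, False)).hex())
    print("first differing subkey:", first_divergence(key))   # 2: only K0, K1 (4 bytes) agree
```

With a non-zero left key half the two schedules agree only in U(1), that is K0 and K1, and differ from K2 on, which matches the "only the first 4 bytes identical" observation.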


    STRUCTURE OF A SYB-PROP HASH

    0xd405c8a83114cf59fe510d92c7e90c37f2741e0a04f70af14d9bd8a21f46

    seed for srand()

    hash type indicator

    hash: last 28 bytes from meta_encrypt() result


    OWN PASSWORD CRACKER


    HOW DOES A PASSWORD CRACKER OPERATE?

    1. generate passwords for testing
       wordlist: transformation, permutation
       SMART: local, personal, company related
       brute-force: full search in the password space
       Markov chain
    2. format the passwords and salt
    3. generate hashes
    4. compare the result hash with the original one


    FUNCTIONALITY

    Multiple passwords simultaneously

    audit practice: n*100 passwords

    Session handling

    Customized character set

    Customized permutation rules


    CPU

    Diagram: data pool -> processing units PU_1, PU_2, PU_3, PU_4 ... PU_N -> result pool

    Single Instruction Multiple Data (SIMD)
    Intel x86/x64:
    - 8/16 * 128-bit XMM registers
    - SSE (Streaming SIMD Extensions) instruction set


    CPU VS. GPU

    Raw estimate for computing speed:
    raw GPU performance / raw CPU performance ~ 3-10
    May vary depending on the specific application and the number of cores


    SAMPLE GPU CRACKER

    CUDADBCRACKER

    NVIDIA CUDA

    MSSQL, Oracle11g hashes

    simultaneously cracks passwords

    session handling

    Source code/Executable:

    http://marcellmajor.com


    PROPRIETARY HARDWARE

    ASIC (Application Specific Integrated Circuit) Expensive setup (>1,000,000 USD)

    Up to 6-10 times faster than FPGAs

    FPGA (Field Programmable Gate Array) ASIC prototyping

    Computing


    PROPRIETARY HARDWARE/2.

    ASIC/FPGA = faster brute-forcing than CPU/GPU, BUT:
    Custom crypto algorithms?
    Features? Wordlist, permutations?
    Session handling?
    Simultaneous passwords?


    CONCLUSION

    Reverse engineering is feasible

    Security by obscurity: useless

    Sample source code helps in development

    Every technology has some:

    advantages

    disadvantages
