So, What’s in a Password?
This work is licensed under a Creative Commons Attribution 3.0 License.
Rob Gillen
@argodev
Don’t Be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.
Please remember this basic guideline: With knowledge comes responsibility.
Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
Password Attacks
A Year in Review
Pixel Federation
In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.
http://haveibeenpwned.com/
Vodafone
In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS messages, server logs and passwords from a variety of different internal sources.
http://haveibeenpwned.com/
Adobe
The big one. In October 2013, 153 million accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.
http://haveibeenpwned.com/
February 2013 - This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
https://blog.twitter.com/2013/keeping-our-users-secure
More…
• cvideo.co.il – 10/15/2013 – 3,339 • http://hackread.com/iranian-hackers-hack-israeli-job-site/
• penangmarathon.gov.my – 10/8/2013 – 1,387 • http://www.cyberwarnews.info/2013/10/07/45000-penang-marathon-participants-personal-details-leaked/
• tomsawyer.com – 10/6/2013 – 57,462 • http://www.cyberwarnews.info/2013/10/07/software-company-tom-sawyer-hacked-61000-vendors-accounts-leaked/
• ahashare.com – 10/3/2013 – 169,874 • http://www.cyberwarnews.info/2013/10/04/ahashare-com-hacked-complete-database-with-190-000-user-credentials-leaked/
• Unknown Israeli website – 7/30/2013 – 26,064 • http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leak-login-details-of-33895-israelis/
• UK emails – 7/17/2013 – 8,002 • http://www.techworm.in/2013/07/more-than-15000-emails-username-and.html
https://shouldichangemypassword.com/all-sources.php
More…
• UK emails (part 2) – 7/17/2013 – 7,514 • http://www.techworm.in/2013/07/more-than-15000-emails-username-and.html
• http://www.pakistanintelligence.com – 5/27/2013 – 75,942 • http://www.ehackingnews.com/2013/05/pakistan-intelligence-job-board-website.html
• McDonalds Taiwan – 3/27/2013 – 185,620 • http://www.cyberwarnews.info/2013/03/28/official-mcdonalds-austria-taiwan-korea-hacked-over-200k-credentials-leaked/
• karjera.ktu.lt – 3/14/2013 – 14,133 • http://www.cyberwarnews.info/2013/03/14/14000-student-credentials-leaked-from-ktu-career-center-lithuania/
• avadas.de – 3/9/2013 – 3,344 • http://hackread.com/avast-germany-website-hacked-defaced-20000-user-accounts-leaked-by-maxney/
• angloplatinum.co.za – 3/5/2013 – 7,967 • http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_
https://shouldichangemypassword.com/all-sources.php
More…
• angloplatinum.com – 3/5/2013 – 723 • http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_
• Walla.co.il – 2/19/2013 – 531,526 • http://www.haaretz.com/news/national/anonymous-activists-hack-into-600-000-israeli-email-accounts.premium-1.504093
• Bank Executives – 2/4/2013 – 4,596 • http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/
• bee-network.co.za – 1/29/2013 – 81 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
• omni-id.com – 1/29/2013 – 1,151 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
• moolmans.com – 1/29/2013 – 117 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
https://shouldichangemypassword.com/all-sources.php
More…
• servicedesk.ufs.ac.za – 1/29/2013 – 3,952 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
• servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
• westcol.co.za – 1/29/2013 – 99 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
• digital.postnet.co.za – 1/29/2013 – 45,245 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
• French Chamber of Commerce – 1/29/2013 – 515 • http://news.softpedia.com/news/French-Chamber-of-Commerce-and-Industry-Portal-Hacked-by-Tunisian-Cyber-Army-324716.shtml
https://shouldichangemypassword.com/all-sources.php
Types of Attacks
• Algorithm Weaknesses
• Implementation Weaknesses
• Dictionary Attacks
• Brute-Force Attacks
• Mask Attacks
Algorithmic Weaknesses
• Collision, Second Pre-Image, Pre-Image
• Confirmed: GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatun, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2) – 192/160/128, WHIRLPOOL
• Theoretical: SHA-256/224, SHA-512/384
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Account Hashes
• Windows Hash
EAD0CC57DDAAE50D876B7DD6386FA9C7
• Linux Hash
$6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.
File Encryption
• MS Office
• PDFs
• Zip/7z/rar
• TrueCrypt
http://www.truecrypt.org/docs/volume-format-specification
How do they work?
• Known file-format/implementation weakness
• Header data to indicate encryption
  • Type, key length, etc.
  • Often some small portion to decrypt/validate
• How is it that changing encryption keys is fast?
  • Your key encrypts the “real” key
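As an added example (not code from the presentation), here is a minimal Python model of the container-header design the slide describes: the password derives a key that wraps the real random data key, a small verifier lets a reader check a candidate password without touching the payload, and a password change only re-wraps the key. The header layout, the KDF cost and the XOR-based wrap (a stand-in for a real key wrap such as AES-KW) are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the presentation. The password never encrypts the
# payload; it derives a key-encryption key (KEK) that wraps a random "real"
# data key. A short verifier of the data key sits in the header so a reader
# can tell a wrong password apart from a corrupt payload. Wrapping is XOR with
# KDF output, with a fresh salt for every wrap (stand-in for AES-KW).

KEY_LEN = 32
ITERATIONS = 100_000  # cost of one password check; an attacker pays it per guess too


def _kek(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _verifier(data_key: bytes) -> bytes:
    return hmac.new(data_key, b"header-check", "sha256").digest()[:8]


def new_header(password: str, data_key: Optional[bytes] = None) -> dict:
    """Build the header: salt, KDF cost, wrapped data key, verifier."""
    data_key = data_key or os.urandom(KEY_LEN)
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "wrapped_key": _xor(data_key, _kek(password, salt)),
            "verifier": _verifier(data_key)}


def unlock(header: dict, password: str) -> Optional[bytes]:
    """Return the data key if the password is right, else None."""
    kek = _kek(password, header["salt"], header["iterations"])
    data_key = _xor(header["wrapped_key"], kek)
    return data_key if hmac.compare_digest(_verifier(data_key), header["verifier"]) else None


def change_password(header: dict, old: str, new: str) -> dict:
    """Re-wrap the same data key under a new password; the payload is untouched."""
    data_key = unlock(header, old)
    if data_key is None:
        raise ValueError("wrong password")
    return new_header(new, data_key)
```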
Is it really cracking?
Password Guessing
char string1[maxPassLength + 1];
char alphanum[63] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                    "abcdefghijklmnopqrstuvwxyz"
                    "0123456789";
for length 0 to maxLength
    for each char in alphanum
        …
Slightly Better…
int min = 8;
int max = 12;
char[] valid =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789";
# known rules
# first & last must be char
# no consecutive-ordered chars/nums
# no repeated chars/nums
DEMO: Cracking a Windows Hash With oclHashCat
Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)
(more) Intelligent Password Guessing
• What do people usually use?
• What can we do to reduce the set of possibilities?
• Cull terms/domain knowledge from relevant data
  • Dating sites, religious sites, others
Best: Already used/real-world passwords
Determine your goals
• Cracking a single, specific pwd?• Cracking a large % of an “acquired set”?
• Mark Burnett, author of Perfect Passwords
• List of 6,000,000, culled down to 10,000 most frequently used
• Top 10,000 passwords are used by 98.8% of all users
• 2,342,603 (that’s 99.6%) unique passwords remaining that are in use by only .18% of users!
https://xato.net/passwords/more-top-worst-passwords/
• Lots of lists…
https://www.grc.com/haystack.htm
PACK
• Password Analysis and Cracking Toolkit• Peter Kacherginsky, PasswordCon, 7/30-7/31
• Intelligent cycle of cracking, analysis, rule generation
http://thesprawl.org/projects/pack/
Statistical Analysis
• Password Length Analysis• Character Set Analysis• Word Mangling Analysis
Example: Length
https://thesprawl.org/media/research/passwords13-smarter-password-cracking-with-pack.pdf
DEMO: Statistics on Real PWs
Advanced Analytics
• Levenshtein Edit Distance
http://en.wikipedia.org/wiki/Levenshtein_distance
Levenshtein Edit Distance
• Minimum number of changes required to change one string into another
• Measure distance b/t actual words and cracked list to optimize the word mangling rules
• i.e. XX% of words can be achieved with Levenshtein edit distance of <=2
• Only gen rules that match
http://www.let.rug.nl/~kleiweg/lev/
http://www.kurzhals.info/static/samples/levenshtein_distance/
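Added example, not from the talk or from PACK: the Levenshtein distance as described above, applied to the audit use the slide suggests, measuring what share of a password set is a dictionary word within two edits (and so reachable by a trivial mangling rule). The sample password list and the dictionary are constructed.

```python
# Added example (not from the presentation or PACK): edit distance between a
# password and the nearest dictionary word, and the share of an audit set
# within a given distance, which tells a defender how many passwords are just
# a dictionary word plus a couple of edits, whatever their length.

def levenshtein(a: str, b: str) -> int:
    """Minimum insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))  # distances from "" to each prefix of b
    for i, ca in enumerate(a, 1):
        cur = [i]  # distance from a[:i] to ""
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def nearest_word(password: str, dictionary) -> tuple:
    """Closest dictionary word (case-insensitive) and its edit distance."""
    return min(((w, levenshtein(password.lower(), w)) for w in dictionary),
               key=lambda pair: pair[1])


def share_within(passwords, dictionary, max_dist: int = 2) -> float:
    """Fraction of passwords that are a dictionary word within max_dist edits."""
    hits = sum(1 for p in passwords if nearest_word(p, dictionary)[1] <= max_dist)
    return hits / len(passwords)


# Constructed audit set and tiny dictionary (not real leaked data).
DICTIONARY = ["monkey", "password", "dragon", "sunshine", "welcome"]
SAMPLE = ["Monkey1", "passw0rd!", "dragon", "Tr0ub4dor&3", "sunsh1ne9", "welc0me2013"]
```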
What if I don’t have your Password?
• Pass the Hash
• Demo
• But We use Smart Cards!?
Avoidance Techniques
• Don’t use “monkey”
• Don’t reuse “monkey”
• If you must use monkey, require something else as well
• Salt is good
• Your own salt is better
• Utilize memory-hard algorithms
• Utilize multiple iterations (a lot)
• Your username is half of the equation
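Added example (not from the presentation) putting the salt, memory-hard and iteration advice side by side with the unsalted-MD5 pattern from the breaches reviewed earlier; the scrypt parameters, the stored record format and the user table are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not part of the presentation. Unsalted MD5 (the Pixel
# Federation pattern) maps equal passwords to equal hashes, so one cracked
# value unlocks every account sharing it. A per-user random salt plus a
# memory-hard, iterated KDF (scrypt here) gives each account a distinct,
# slow-to-check value. Cost parameters and record format are assumptions.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # memory-hard cost: ~16 MiB per check


def weak_store(password: str) -> str:
    """Unsalted MD5: the 2013 breach pattern the slides warn about."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user salt + scrypt, stored as one self-describing record."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def strong_verify(password: str, stored: str) -> bool:
    """Re-derive with the parameters in the record; compare in constant time."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_values(stored_values) -> int:
    """Stored values shared by more than one account: crack once, unlock many."""
    counts = {}
    for value in stored_values:
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


# Constructed user table (not real data): three users picked "monkey".
USERS = {"alice": "monkey", "bob": "monkey", "carol": "dragon", "dave": "monkey"}
```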
References
• http://haveibeenpwned.com/
• https://lastpass.com/adobe/
• https://lastpass.com/linkedin/
• https://lastpass.com/lastfm/
• https://shouldichangemypassword.com/all-sources.php
Questions/Contact
Rob Gillen
[email protected]
http://rob.gillenfamily.net
@argodev