
Talk from CodeMash on Passwords, cracking them, and intelligent approaches to getting past them. Presented at CodeMash, January 8, 2014


Page 1: So whats in a password

So, What’s in a Password?

This work is licensed under a Creative Commons Attribution 3.0 License.

Rob Gillen

@argodev

Page 2: So whats in a password

Don’t Be Stupid

The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.

Please remember this basic guideline: With knowledge comes responsibility.

Page 3: So whats in a password

Disclaimer

The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.

Page 4: So whats in a password

Password Attacks: A Year in Review

Page 5: So whats in a password

Pixel Federation

In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.

http://haveibeenpwned.com/

Page 6: So whats in a password

Vodafone

In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was subsequently publicly exposed and included user names, email addresses, social security numbers, SMS messages, server logs and passwords from a variety of different internal sources.

http://haveibeenpwned.com/

Page 7: So whats in a password

Adobe

The big one. In October 2013, 153 million accounts were breached, each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password "cryptography" was poorly done: the passwords were encrypted (3DES in ECB mode under a single key) rather than hashed with a per-user salt, so identical passwords produced identical ciphertext and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords, adding further to the risk that hundreds of millions of Adobe customers already faced.

http://haveibeenpwned.com/

Page 8: So whats in a password

Twitter

February 2013 - This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

https://blog.twitter.com/2013/keeping-our-users-secure

Page 9: So whats in a password

More…

• cvideo.co.il – 10/15/2013 – 3,339 • http://hackread.com/iranian-hackers-hack-israeli-job-site/

• penangmarathon.gov.my – 10/8/2013 – 1,387 • http://www.cyberwarnews.info/2013/10/07/45000-penang-marathon-participants-personal-details-leaked/

• tomsawyer.com – 10/6/2013 – 57,462 • http://www.cyberwarnews.info/2013/10/07/software-company-tom-sawyer-hacked-61000-vendors-accounts-leaked/

• ahashare.com – 10/3/2013 – 169,874 • http://www.cyberwarnews.info/2013/10/04/ahashare-com-hacked-complete-database-with-190-000-user-credentials-leaked/

• Unknown Israeli website – 7/30/2013 – 26,064 • http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leak-login-details-of-33895-israelis/

• UK emails – 7/17/2013 – 8,002 • http://www.techworm.in/2013/07/more-than-15000-emails-username-and.html

https://shouldichangemypassword.com/all-sources.php

Page 10: So whats in a password

More…

• UK emails (part 2) – 7/17/2013 – 7,514 • http://www.techworm.in/2013/07/more-than-15000-emails-username-and.html

• http://www.pakistanintelligence.com – 5/27/2013 – 75,942 • http://www.ehackingnews.com/2013/05/pakistan-intelligence-job-board-website.html

• McDonalds Taiwan – 3/27/2013 – 185,620 • http://www.cyberwarnews.info/2013/03/28/official-mcdonalds-austria-taiwan-korea-hacked-over-200k-credentials-leaked/

• karjera.ktu.lt – 3/14/2013 – 14,133 • http://www.cyberwarnews.info/2013/03/14/14000-student-credentials-leaked-from-ktu-career-center-lithuania/

• avadas.de – 3/9/2013 – 3,344 • http://hackread.com/avast-germany-website-hacked-defaced-20000-user-accounts-leaked-by-maxney/

• angloplatinum.co.za – 3/5/2013 – 7,967 • http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_

https://shouldichangemypassword.com/all-sources.php

Page 11: So whats in a password

More…

• angloplatinum.com – 3/5/2013 – 723 • http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_

• Walla.co.il – 2/19/2013 – 531,526 • http://www.haaretz.com/news/national/anonymous-activists-hack-into-600-000-israeli-email-accounts.premium-1.504093

• Bank Executives – 2/4/2013 – 4,596 • http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/

• bee-network.co.za – 1/29/2013 – 81 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

• omni-id.com – 1/29/2013 – 1,151 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

• moolmans.com – 1/29/2013 – 117 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

https://shouldichangemypassword.com/all-sources.php

Page 12: So whats in a password

More…

• servicedesk.ufs.ac.za – 1/29/2013 – 3,952 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

• servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

• westcol.co.za – 1/29/2013 – 99 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

• digital.postnet.co.za – 1/29/2013 – 45,245 • http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

• French Chamber of Commerce – 1/29/2013 – 515 • http://news.softpedia.com/news/French-Chamber-of-Commerce-and-Industry-Portal-Hacked-by-Tunisian-Cyber-Army-324716.shtml

https://shouldichangemypassword.com/all-sources.php

Page 13: So whats in a password

Types of Attacks

• Algorithm Weaknesses
• Implementation Weaknesses
• Dictionary Attacks
• Brute-Force Attacks
• Mask Attacks

Page 14: So whats in a password

Algorithmic Weaknesses

• Attack classes: Collision, Second Pre-Image, Pre-Image
• Confirmed (a practical attack of at least one class has been published): GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatun, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2)-192/160/128, WHIRLPOOL
• Theoretical only: SHA-256/224, SHA-512/384

Caveat: nearly all of the published results are collision attacks, and a collision does not recover a password from its hash. What makes MD4, MD5 and SHA-1 weak for password storage is not these attacks but the fact that they are fast and have no built-in salt or work factor, so a GPU can test billions of candidates per second. A hash function can be perfectly sound cryptographically and still be the wrong tool for storing passwords.

http://en.wikipedia.org/wiki/Cryptographic_hash_function

Page 15: So whats in a password

Account Hashes

• Windows hash (NT hash: MD4 over the UTF-16LE encoding of the password, no salt, no iterations, so every account with the same password has the same hash)
  EAD0CC57DDAAE50D876B7DD6386FA9C7

• Linux hash ($6$ marks glibc SHA-512-crypt; the field after $6$ is the per-user salt, the last field is the digest; 5,000 rounds unless a rounds= field is present)
  $6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.

Page 16: So whats in a password

File Encryption

• MS Office
• PDFs
• Zip/7z/rar
• TrueCrypt

Page 17: So whats in a password

http://www.truecrypt.org/docs/volume-format-specification

Page 18: So whats in a password

How do they work?

• Known file-format / implementation weakness
• Header data indicates encryption: type, key length, etc.
• Often only a small portion (the header) has to be decrypted to validate a candidate password, so the attacker never touches the bulk of the file

• How is it that changing the encryption key is fast?
• Your password-derived key encrypts the "real" (master) key; a password change only re-wraps that key in the header, while the data stays encrypted under the same master key
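Added example (not from the talk, and not TrueCrypt's real on-disk format): a toy container header that shows the two points above, that only the header is needed to test a password guess, and that a password change re-wraps the master key without touching the data. The header layout, the PBKDF2 parameters and the one-time-pad style wrap are constructed for this example; the wrap is safe only because a fresh salt makes each wrapping key single-use, and a real product would use an authenticated cipher.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Iterable, Optional, Tuple

# Constructed header layout for this example:
#   salt (16) | iterations (4, big-endian) | wrapped master key (32) | verifier (32)
HEADER_LEN = 84
DEFAULT_ITERATIONS = 20_000   # deliberately low so the demo runs quickly


def derive_kek(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> 64 bytes: the first 32 wrap the master key, the last 32 key the verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=64)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_header(password: str, master_key: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Wrap a new (or existing) 32-byte master key under a password-derived key."""
    if master_key is None:
        master_key = secrets.token_bytes(32)    # the key the bulk data is really encrypted with
    salt = secrets.token_bytes(16)              # fresh salt: this KEK is used exactly once
    kek = derive_kek(password, salt, iterations)
    wrapped = _xor(master_key, kek[:32])        # toy wrap; single use makes it a one-time pad
    verifier = hmac.new(kek[32:], wrapped, "sha256").digest()
    return salt + struct.pack(">I", iterations) + wrapped + verifier, master_key


def unwrap_header(password: str, header: bytes) -> Optional[bytes]:
    """Return the master key, or None if the password is wrong. Reads only the header."""
    salt = header[:16]
    iterations = struct.unpack(">I", header[16:20])[0]
    wrapped, verifier = header[20:52], header[52:84]
    kek = derive_kek(password, salt, iterations)
    expected = hmac.new(kek[32:], wrapped, "sha256").digest()
    if not hmac.compare_digest(expected, verifier):
        return None
    return _xor(wrapped, kek[:32])


def change_password(old_password: str, new_password: str, header: bytes) -> bytes:
    """Re-key: only the 84-byte header is rewritten; the data stays under the same master key."""
    master_key = unwrap_header(old_password, header)
    if master_key is None:
        raise ValueError("old password does not open this header")
    new_header, _ = create_header(new_password, master_key=master_key)
    return new_header


def crack_header(header: bytes, candidates: Iterable[str]) -> Optional[str]:
    """The attacker's loop: each guess costs one KDF run and needs nothing but the header."""
    for candidate in candidates:
        if unwrap_header(candidate, header) is not None:
            return candidate
    return None


if __name__ == "__main__":
    header, master = create_header("correct horse battery staple")
    new_header = change_password("correct horse battery staple", "Tr0ub4dor&3", header)
    print("same master key after re-key:", unwrap_header("Tr0ub4dor&3", new_header) == master)
    wordlist = ["123456", "password", "monkey", "Tr0ub4dor&3"]   # constructed candidate list
    print("recovered password:", crack_header(new_header, wordlist))
```

The only thing standing between the attacker and the master key is the cost of `derive_kek` per guess, which is why the iteration count (and, better, a memory-hard KDF) matters far more than the choice of bulk cipher.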

Page 19: So whats in a password

Is it really cracking?

Page 20: So whats in a password

Password Guessing

```c
#define maxPassLength 4

char string1[maxPassLength + 1];
char alphanum[63] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                    "abcdefghijklmnopqrstuvwxyz"
                    "0123456789";

/* for each length 0..maxLength, for each position, for each char in alphanum:
   fill string1 one position at a time; once pos reaches len the candidate is
   complete and ready to be tested */
static void guess(int pos, int len) {
    if (pos == len) { string1[len] = '\0'; /* test string1 against the target here */ return; }
    for (int i = 0; i < 62; i++) { string1[pos] = alphanum[i]; guess(pos + 1, len); }
}

int main(void) {
    for (int len = 1; len <= maxPassLength; len++) guess(0, len);
    return 0;
}
```

Page 21: So whats in a password

Slightly Better…

```
int min = 8;
int max = 12;
char[] valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "abcdefghijklmnopqrstuvwxyz"
               "0123456789";

# known rules
# first & last must be a letter
# no consecutive-ordered chars/nums
# no repeated chars/nums
```
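Added example (not from the talk) covering both the naive loop and the rule-aware version above: a plain brute-force generator, a generator that prunes the search tree with the listed policy rules at each position, and a hashcat-style mask expander, so the keyspace reduction can be measured rather than guessed at. The exact meaning of "repeated" (same character twice in a row) and "consecutive-ordered" (adjacent code points in either direction, e.g. ab, ba, 12, 21) is an assumption made here; the tiny alphabet in the test is constructed so the result can be checked by hand.

```python
import itertools
import string
from typing import Dict, Iterator, List

ALPHANUM = string.ascii_uppercase + string.ascii_lowercase + string.digits   # the slide's 62 chars


def brute_force(alphabet: str, min_len: int, max_len: int) -> Iterator[str]:
    """Exhaustive search: every string of every length, no knowledge applied."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def keyspace(alphabet: str, min_len: int, max_len: int) -> int:
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


def _pair_allowed(prev: str, cur: str) -> bool:
    # Assumed reading of the policy: no immediate repeat, no adjacent code points either way
    return cur != prev and abs(ord(cur) - ord(prev)) != 1


def rule_pruned(alphabet: str, min_len: int, max_len: int) -> Iterator[str]:
    """Only candidates the policy would accept; whole subtrees are cut as soon as a pair fails."""
    letters = [c for c in alphabet if c.isalpha()]

    def extend(prefix: str, length: int) -> Iterator[str]:
        pos = len(prefix)
        if pos == length:
            yield prefix
            return
        choices = letters if pos in (0, length - 1) else alphabet   # first & last must be a letter
        for c in choices:
            if prefix and not _pair_allowed(prefix[-1], c):
                continue                                            # prune this branch
            yield from extend(prefix + c, length)

    for length in range(min_len, max_len + 1):
        yield from extend("", length)


MASK_SETS: Dict[str, str] = {"?u": string.ascii_uppercase, "?l": string.ascii_lowercase,
                             "?d": string.digits, "?s": string.punctuation + " "}


def expand_mask(mask: str) -> Iterator[str]:
    """hashcat-style mask (e.g. ?u?l?l?l?d?d, or pass?d?d with literals) -> candidates."""
    slots: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            slots.append(MASK_SETS[mask[i:i + 2]])
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    for combo in itertools.product(*slots):
        yield "".join(combo)


def count(gen: Iterator[str]) -> int:
    return sum(1 for _ in gen)


if __name__ == "__main__":
    print("naive keyspace for 8-12 alphanumerics:", keyspace(ALPHANUM, 8, 12))
    # Small alphabet so the pruning effect is visible in seconds
    print("naive 'abc1' 2-3 chars:", count(brute_force("abc1", 2, 3)))
    print("policy-compliant only: ", count(rule_pruned("abc1", 2, 3)))
    print("mask ?u?l?l?l?d?d:      ", count(expand_mask("?u?l?l?l?d?d")))
```

Every rule a policy adds removes candidates the attacker no longer has to try; pruning at each position rather than filtering finished strings is what makes that reduction usable at 8 to 12 characters.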

Page 22: So whats in a password

DEMO: Cracking a Windows HashWith oclHashCat

Page 23: So whats in a password

Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)

Page 24: So whats in a password

(more) Intelligent Password Guessing
• What do people usually use?
• What can we do to reduce the set of possibilities?
• Cull terms/domain knowledge from relevant data
• Dating sites, religious sites, others

Best: Already used/real-world passwords

Page 25: So whats in a password

Determine your goals

• Cracking a single, specific password?
• Cracking a large % of an "acquired set"?

Page 26: So whats in a password

• Mark Burnett, author of Perfect Passwords
• List of 6,000,000 passwords, culled down to the 10,000 most frequently used
• The top 10,000 passwords are used by 98.8% of all users
• 2,342,603 unique passwords remain (99.6% of the unique passwords), in use by only 0.18% of users!

https://xato.net/passwords/more-top-worst-passwords/

Page 27: So whats in a password

• Lots of lists…

Page 28: So whats in a password

https://www.grc.com/haystack.htm

Page 29: So whats in a password

PACK

• Password Analysis and Cracking Toolkit• Peter Kacherginsky, PasswordCon, 7/30-7/31

• Intelligent cycle of cracking, analysis, rule generation

http://thesprawl.org/projects/pack/

Page 30: So whats in a password

Statistical Analysis

• Password Length Analysis
• Character Set Analysis
• Word Mangling Analysis

Page 31: So whats in a password

Example: Length

https://thesprawl.org/media/research/passwords13-smarter-password-cracking-with-pack.pdf
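Added example (not from the talk, and not PACK's own code): the three analyses from the previous slide, length distribution, character-set class and mask extraction, run over a small constructed list standing in for a real cracked set, plus the ranking PACK's maskgen performs (cheapest masks first, measured as keyspace per password the mask would recover). The class names mimic PACK's, and the mask character-set sizes assume hashcat's ?l/?u/?d/?s.

```python
import string
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample "cracked" list standing in for a real leak
SAMPLE = ["password", "123456", "Summer2013", "monkey", "P@ssw0rd", "letmein1",
          "qwerty", "Dragon!", "abc123", "iloveyou", "Trustno1", "football"]

MASK_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": len(string.punctuation) + 1}


def length_stats(pws: Iterable[str]) -> List[Tuple[int, int]]:
    """(length, count) pairs, shortest first."""
    return sorted(Counter(len(p) for p in pws).items())


def charset_class(pw: str) -> str:
    """PACK-style label: loweralpha, mixedalphanum, numeric, mixedalphanumspecial, ..."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    parts: List[str] = []
    if lower and upper:
        parts.append("mixedalpha")
    elif lower:
        parts.append("loweralpha")
    elif upper:
        parts.append("upperalpha")
    if digit:
        parts.append("num" if parts else "numeric")
    if special:
        parts.append("special")
    return "".join(parts) or "empty"


def password_mask(pw: str) -> str:
    """Summer2013 -> ?u?l?l?l?l?l?d?d?d?d (the structure, not the content)."""
    out = []
    for c in pw:
        if c.islower():
            out.append("?l")
        elif c.isupper():
            out.append("?u")
        elif c.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def mask_keyspace(mask: str) -> int:
    n = 1
    for i in range(0, len(mask), 2):
        n *= MASK_SIZE[mask[i:i + 2]]
    return n


def mask_stats(pws: Iterable[str]) -> List[Tuple[str, int]]:
    return Counter(password_mask(p) for p in pws).most_common()


def rank_masks(pws: Iterable[str]) -> List[Tuple[str, int, int]]:
    """(mask, occurrences, keyspace), cheapest keyspace-per-hit first: what to run first."""
    rows = [(m, c, mask_keyspace(m)) for m, c in mask_stats(pws)]
    return sorted(rows, key=lambda r: r[2] / r[1])


if __name__ == "__main__":
    print("lengths:", length_stats(SAMPLE))
    print("classes:", Counter(charset_class(p) for p in SAMPLE).most_common())
    for mask, hits, space in rank_masks(SAMPLE):
        print(f"{mask:24} hits={hits:2} keyspace={space:>15,}")
```

Running the masks in this order gives the most recovered passwords per unit of GPU time; the same ranking over a real leak is what turns "we cracked 40%" into a targeted campaign instead of a blind brute force.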

Page 32: So whats in a password

DEMO: Statistics on Real PWs

Page 33: So whats in a password

Advanced Analytics

• Levenshtein Edit Distance

http://en.wikipedia.org/wiki/Levenshtein_distance

Page 34: So whats in a password

Levenshtein Edit Distance
• Minimum number of single-character edits (insert, delete, substitute) required to change one string into another
• Measure the distance between dictionary words and the cracked list to optimize the word-mangling rules
• e.g. XX% of cracked words can be reached from a dictionary word with an edit distance of <= 2

• Only generate rules that match

• Only gen rules that match

http://www.let.rug.nl/~kleiweg/lev/
http://www.kurzhals.info/static/samples/levenshtein_distance/
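Added example (not from the talk, and not PACK's rulegen): the Levenshtein computation, followed by the step the two slides above describe, turning the edit path between a dictionary word and a cracked password into hashcat-style position rules (oNX overwrite, iNX insert, DN delete), and measuring what fraction of a cracked list lies within a given distance of a dictionary word. The word lists are constructed; the rules are emitted rightmost-first so earlier positions are not shifted, and positions use hashcat's single-character encoding (0-9, A-Z), which caps words at 36 characters as hashcat does.

```python
from typing import List, Sequence, Tuple

# Constructed lists standing in for a real dictionary and a real cracked set
DICTIONARY = ["password", "monkey", "dragon", "letmein"]
CRACKED = ["password1", "P@ssword", "monkey123", "dragon", "letmein!!", "qwerty123", "Summer2013"]

POS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # hashcat position characters


def _table(a: str, b: str) -> List[List[int]]:
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
    return d


def levenshtein(a: str, b: str) -> int:
    return _table(a, b)[len(a)][len(b)]


def levenshtein_rules(base: str, target: str) -> Tuple[int, List[str]]:
    """Distance plus a hashcat rule sequence that turns base into target."""
    d = _table(base, target)
    i, j = len(base), len(target)
    rules: List[str] = []
    while i > 0 or j > 0:   # walk back from the end, so emitted positions stay valid
        if i > 0 and j > 0 and d[i][j] == d[i - 1][j - 1] + (0 if base[i - 1] == target[j - 1] else 1):
            if base[i - 1] != target[j - 1]:
                rules.append(f"o{POS[i - 1]}{target[j - 1]}")   # overwrite position i-1
            i, j = i - 1, j - 1
        elif j > 0 and d[i][j] == d[i][j - 1] + 1:
            rules.append(f"i{POS[i]}{target[j - 1]}")            # insert after base[:i]
            j -= 1
        else:
            rules.append(f"D{POS[i - 1]}")                        # delete position i-1
            i -= 1
    return d[len(base)][len(target)], rules


def apply_rules(word: str, rules: Sequence[str]) -> str:
    """Minimal interpreter for the three rule functions emitted above, to check them."""
    w = list(word)
    for r in rules:
        op, pos = r[0], POS.index(r[1])
        if op == "o":
            w[pos] = r[2]
        elif op == "i":
            w.insert(pos, r[2])
        elif op == "D":
            del w[pos]
        else:
            raise ValueError(f"unsupported rule {r}")
    return "".join(w)


def fraction_within(cracked: Sequence[str], dictionary: Sequence[str], max_dist: int) -> Tuple[int, int]:
    """How many cracked passwords are within max_dist edits of some dictionary word."""
    hits = sum(1 for pw in cracked if min(levenshtein(base, pw) for base in dictionary) <= max_dist)
    return hits, len(cracked)


if __name__ == "__main__":
    for pw in CRACKED:
        base = min(DICTIONARY, key=lambda b: levenshtein(b, pw))
        dist, rules = levenshtein_rules(base, pw)
        print(f"{base:10} -> {pw:12} distance={dist} rules={' '.join(rules) or '(none)'}")
    print("within 2 edits of the dictionary:", fraction_within(CRACKED, DICTIONARY, 2))
```

Only the rules that actually appear in the edit paths, weighted by how often they recur, go into the rule file; rules that never occur in the cracked set are skipped, which is the "only generate rules that match" point.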

Page 35: So whats in a password

What if I don't have your Password?
• Pass the Hash
• Demo

• But we use smart cards!?
• NTLM authentication only requires proof that you hold the NT hash, not the password, so the hash is a password equivalent; an account that logs on with a smart card still has an NT hash stored for it, and that hash can be passed like any other

Page 36: So whats in a password

Avoidance Techniques

• Don't use "monkey" (or anything else on the top-10,000 lists)
• Don't reuse "monkey" across sites
• If you must use monkey, require something else as well (a second factor)
• Salt is good
• A unique, random salt per password is better
• Use memory-hard algorithms
• Use many iterations (a lot)
• Your username is half of the equation
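Added example (not from the talk): the storage side of the advice above, with the unsalted-MD5 approach from the Pixel Federation breach beside a version that rejects common passwords, salts each password with fresh random bytes, and uses a memory-hard KDF. It uses Python's `hashlib.scrypt` (needs an OpenSSL 1.1+ build) with a pbkdf2 fallback for builds that lack it; the common-password list, the encoded-string layout and the scrypt parameters are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the "top 10,000" list
COMMON = {"123456", "password", "monkey", "qwerty", "letmein", "12345678"}


def weak_store(password: str) -> str:
    """What the Pixel Federation leak contained: unsalted MD5, identical for every user sharing a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _kdf(password: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    if hasattr(hashlib, "scrypt"):   # memory-hard: each guess costs n*r*128 bytes of RAM, hostile to GPUs
        return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32)
    # Fallback (assumption for builds without scrypt): still iterated, no longer memory-hard
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)


def store(password: str, username: str, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Reject known-bad choices, then hash with a per-user random salt and a memory-hard KDF."""
    if password.lower() in COMMON:
        raise ValueError("password is on the common-password list")
    if username.lower() in password.lower():
        raise ValueError("password contains the username")
    salt = secrets.token_bytes(16)                       # unique per password, never reused
    digest = _kdf(password.encode("utf-8"), salt, n, r, p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unknown hash format")
    candidate = _kdf(password.encode("utf-8"), bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("unsalted MD5, two users, same password:", weak_store("monkey"), weak_store("monkey"))
    a = store("correct horse battery staple", "alice")
    b = store("correct horse battery staple", "bob")
    print("salted scrypt, two users, same password differ:", a != b)
    print("verify:", verify("correct horse battery staple", a))
```

Because the salt differs per user, an attacker has to run the full scrypt cost once per guess per account rather than once per guess for the whole table, and the parameters are stored alongside the hash so they can be raised as hardware gets faster.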

Page 37: So whats in a password

References

• http://haveibeenpwned.com/
• https://lastpass.com/adobe/
• https://lastpass.com/linkedin/
• https://lastpass.com/lastfm/
• https://shouldichangemypassword.com/all-sources.php

Page 38: So whats in a password

Questions/Contact

Rob Gillen
[email protected]
http://rob.gillenfamily.net
@argodev