Advances in Open Source Password Cracking

Post on 21-Jan-2018


ADVANCES IN OPEN-SOURCE PASSWORD CRACKING

dhiru@openwall.com

Agenda

John the Ripper

Ettercap

Attacks on M$ AD / Kerberos infrastructure

Misc. Stuff

Current and future work

John the Ripper

John the Ripper is a free open-source password cracking software tool (http://www.openwall.com/)

Traditionally supports cracking hashes (LM, FreeBSD, DES crypt etc.)

$ cat lm-hash

user:fda95fbeca288d44aad3b435b51404ee

$ john -format:lm lm-hash

Loaded 1 password hash (LM ...)

HELLO (user)

Jumbo patch

community-enhanced version of JtR, available in almost all Linux distributions

Adds tons of formats for cracking hashes as well as “non-hashes”

Hashes: e.g. MD5, LM

“non-hashes”: e.g. PDF or other types of files

Can use GPU to accelerate cracking (Speedups > 150X possible)

Jumbo patch supports cracking

1Password, Clipperz, Apple DMG images, EncFS, EPiServer, GPG private keys, IKE PSK, Apple Keychain, GNOME Keyring, KDE KWallet, KeePass, LastPass, Mozilla Master Passwords, MongoDB, MS-CHAP, MySQL authentication protocol, M$ Office, OpenOffice, PDF, O5LOGON, Password Safe, ZIP, RAR, Apple 10.8 hashes, GRUB 2, PFX, SSH keys, PuTTY keys, PostgreSQL, M$ PST, RACF, etc.

Above list *only* includes formats I have worked on

A lot of these formats are faster than commercial products.

Many formats are not even supported by commercial products

Example: cracking password-protected SSH keys

Two-step process

Use one of the many *2john utilities

$ sshng2john.py key-catch22 > ssh-hash

$ john ssh-hash

Loaded 1 password hash (ssh-ng ...)

catch22 (key-catch22)

Example: using GPU

Build GPU-enabled JtR (e.g. make linux-x86-64-opencl)

$ john -fo:keychain -t

Benchmarking: Mac OS X Keychain ...

Raw: 1331 c/s real, 1331 c/s virtual

$ john -fo:keychain-opencl -t # ATI 7970 GPU

OpenCL platform 1: AMD Accelerated Parallel Processing ...

Benchmarking: Mac OS X Keychain ...

Raw: 208537 c/s real, 92758 c/s virtual

Greater than 150X speedup

JtR community

http://www.openwall.com/lists/john-users/

Join “john-users” mailing list for general discussion and help

Join “john-dev” if you are interested in JtR development

#openwall channel on Freenode IRC network

Writing a plug-in (called format) is easy enough (start contributing!)

https://github.com/magnumripper/JohnTheRipper

Ettercap

Ettercap is a free, open source network security tool for doing MiTM attacks.

Allows interception and modification of packets on the fly.

Can be extended by writing plug-ins

Example: Facebook password sniffing

Facebook loads the login form over HTTP, which POSTs credentials to an HTTPS link.

Modified HTTP dissector (ec_http.c) to replace “https” with “http”.

Login form is now posted over HTTP

Ettercap filter functionality can be used to do the same.

Example: Facebook password sniffing

Only 12 lines of code added to ec_http.c

6 lines to avoid gzip encoding and 6 lines to avoid SSL

Example: works for Flipkart and Rediffmail too

Ettercap automatically prints credentials sent over HTTP

Don’t expose / load resources over HTTP
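
The slide's point, that a login form fetched over HTTP is exposed even when its action is HTTPS, can be checked for from the defender's side. The following is an added example, not code from the talk or from Ettercap; the host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a login form whose action is HTTPS (hypothetical host).
SAMPLE_HTML = ('<form action="https://login.example.test/auth" method="post">'
               '<input name="email"><input type="password" name="pass"></form>')


class FormCollector(HTMLParser):
    """Records each form's action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, headers):
    """Return findings for one fetched page; an empty list means none."""
    findings = []
    over_https = urlparse(page_url).scheme == "https"
    collector = FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        if not over_https:
            # An HTTPS action does not help: the markup can be rewritten in transit.
            findings.append("login form delivered over HTTP (action " + target + ")")
        if urlparse(target).scheme != "https":
            findings.append("credentials posted in cleartext to " + target)
    names = {name.lower() for name in headers}
    if over_https and "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header")
    return findings
```

Run it against the HTML and response headers of every page that renders a password field, fetched through the plain-HTTP URL as well as the HTTPS one.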

Ettercap: My contributions

MySQL v5 challenge-response

PostgreSQL challenge-response

VNC challenge-response

O5LOGON protocol (used by Oracle DB)

MongoDB challenge-response

Kerberos MiTM etype downgrade attack

MongoDB MiTM fixed salt attack

Ettercap community

https://github.com/Ettercap/

#ettercap-project channel on Freenode IRC network

Writing a plug-in (called dissector) is easy once the protocol is understood (use Wireshark)

Attacks on Kerberos and M$ AD infrastructure

Popular network authentication protocol used to implement SSO

Uses shared secret/symmetric keys (which don’t travel over the network)

Uses timestamp pre-authentication, in which a timestamp is encrypted with a key (derived from the user password)

We capture the encrypted timestamp and mount an offline brute-force attack

Kerberos: Key Derivation

The “string-to-key” function used to convert a user password to a secret key in Kerberos is dependent upon the encryption type (called etype) being used.

etype functions differ in cost

etype negotiation process can be attacked to downgrade etype (and make offline attacks faster)

Kerberos: etype downgrade attacks

Downgrade etype 18 (aes256-cts-hmac-sha1-96, very expensive) to etype 23 (rc4-hmac, very fast)

etype 18 brute-force attack, 380 tries per second on CPU, 125K on ATI 7970 GPU

etype 23 brute-force attack, 728K tries per second on CPU

Speedup > 1900X

Kerberos: etype downgrade attacks

These attacks have been talked about previously but tools were not published (maybe not even made).

My Ettercap plug-in is the first public tool to make these attacks practical.

Only 16 lines of code.
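
Because the downgrade shows up as a principal suddenly pre-authenticating with a cheaper etype, it can be detected from pre-auth records. The following is an added example, not part of the talk or of the Ettercap plug-in; the record schema (time, principal, src, pa_etype) and the sample records are assumptions standing in for whatever your KDC logs or network sensor extract, and the rates are the CPU figures from the slides.

```python
# Tries per second on CPU, as quoted on the slides above.
CPU_RATE = {18: 380, 23: 728_000}
ETYPE_NAME = {18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Constructed pre-auth records (hypothetical schema), oldest first.
SAMPLE_RECORDS = [
    {"time": "09:00:02", "principal": "alice@EXAMPLE.TEST", "src": "10.0.0.21", "pa_etype": 18},
    {"time": "09:00:07", "principal": "bob@EXAMPLE.TEST", "src": "10.0.0.22", "pa_etype": 23},
    {"time": "09:14:40", "principal": "alice@EXAMPLE.TEST", "src": "10.0.0.21", "pa_etype": 23},
    {"time": "09:15:10", "principal": "bob@EXAMPLE.TEST", "src": "10.0.0.22", "pa_etype": 23},
]


def find_downgrades(records):
    """Flag pre-auth that uses a cheaper etype than the principal used before."""
    strongest = {}   # principal -> most expensive etype seen so far
    alerts = []
    for rec in records:
        etype = rec["pa_etype"]
        if etype not in CPU_RATE:
            continue                      # only the two etypes from the slides
        best = strongest.get(rec["principal"])
        if best is None or CPU_RATE[etype] < CPU_RATE[best]:
            strongest[rec["principal"]] = etype      # new baseline
        elif CPU_RATE[etype] > CPU_RATE[best]:
            alerts.append({
                "time": rec["time"], "principal": rec["principal"],
                "src": rec["src"],
                "was": ETYPE_NAME[best], "now": ETYPE_NAME[etype],
                "guess_rate_factor": round(CPU_RATE[etype] / CPU_RATE[best]),
            })
    return alerts


def days_to_exhaust(candidates, etype):
    """CPU days needed to try every candidate password at the slide's rate."""
    return candidates / CPU_RATE[etype] / 86_400
```

In the sample, bob is a client that has only ever used rc4-hmac and is not flagged; alice is flagged at 09:14:40 because she had a baseline of etype 18.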

Misc: Guaranteed cracking of PDF files using RC4 40-bit encryption

RC4 40-bit is still popular among banks and the income tax department.

https://github.com/kholia/RC4-40-brute-pdf

https://github.com/kholia/qpdf

Should take less than 2 days on AMD FX-8120 (8-core Bulldozer)

Misc: Guaranteed cracking of PDF files using RC4 40-bit encryption

Three-step process

$ npdf2john test.pdf

test.pdf:$npdf$1*2*40*4*1*16*c56b…

$ RC4-40-brute 'test.pdf:$npdf$1*2*40*4…'

Key is : 9296c944ee

$ qpdf --key=9296c944ee --decrypt test.pdf output.pdf
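
The result is guaranteed because a 40-bit key leaves only 2^40 possibilities whatever the password is, so the useful defensive check is to find documents that still declare 40-bit RC4. The following is an added example, not code from the talk or from the tools above; it assumes the /Encrypt dictionary is stored as an uncompressed indirect object, and the sample fragments are constructed.

```python
import re

# Constructed /Encrypt objects (fragments, not complete PDF files).
RC4_40_PDF = b"9 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -44 >>\nendobj\n"
RC4_128_PDF = b"9 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -44 >>\nendobj\n"
AES_256_PDF = b"9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 >>\nendobj\n"


def int_after(key, body, default=None):
    """Return the integer that follows a PDF name such as /V or /Length."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default


def classify_pdf_encryption(data):
    """Report cipher and key size declared by the standard security handler."""
    hit = re.search(rb"/Filter\s*/Standard", data)
    if hit is None:
        return {"encrypted": False}
    # Assumption: the dictionary sits between "N G obj" and "endobj".
    start = data.rfind(b" obj", 0, hit.start())
    end = data.find(b"endobj", hit.end())
    body = data[max(start, 0): end if end != -1 else len(data)]
    v = int_after(b"V", body, 0)
    if v == 1:
        cipher, bits = "RC4", 40                  # /V 1 is always 40-bit RC4
    elif v == 2:
        cipher, bits = "RC4", int_after(b"Length", body, 40)   # default is 40
    elif v == 4:
        # Crypt filters: /AESV2 is AES-128; an RC4 filter's key length
        # lives inside the filter dictionary and is not parsed here.
        aes = b"/AESV2" in body
        cipher, bits = ("AES", 128) if aes else ("RC4", None)
    elif v == 5:
        cipher, bits = "AES", 256
    else:
        cipher, bits = "unknown", None
    return {"encrypted": True, "V": v, "R": int_after(b"R", body),
            "cipher": cipher, "key_bits": bits,
            "rc4_40": cipher == "RC4" and bits == 40}
```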

Current and future work

Dropbox account “hijacker”

Metasploit post script for doing the same

Offline attacks on LastPass password manager

Fake VMware vCenter (and ESX) server for Metasploit project

Fake LDAP server for Metasploit project

Questions