Forensic Image Analysis for Password Recovery David C. Smith, CISSP, CISM Georgetown University HCP...

Forensic Image Analysis for Password Recovery
David C. Smith, CISSP, CISM
Georgetown University / HCP Forensic Services

A little bit about me...
Information Security Officer, Georgetown University
Co-Owner, HCP Forensic Services, http://www.hcp-fs.com
Computer Science background, working towards a master's in IA.

The Idea…
Last year at DC15, I overheard a conversation about the NSA using image analysis to recover passwords.
Your passwords are “buried” in the machines you use.
You just need to pull out strings and use them as a dictionary, right?

Idea… Feasible?
Core dumps, swap space, memory dumps, logs, deleted temp files, file slack space, Internet history files, and the like.
Ever type your password into the username field?
User password1 failed login at …
In this day of absolutely horrible application programming, all the better for this attack vector!

What exists out there now?
Once I recovered from my DC15 flight home cold…
Dicop-Workerframe from CPAN: good, not complete, but it has addressed most of the issues that I foresaw, like duplicates and indexing. Has not seen progress in a while.
But I did not find anything else relevant, or at least what I was thinking of (strings, regex).

A little elaboration on the idea
Ability to pull all strings from an image, by length.
“Score” strings based on: entropy; complexity and readability; password profiles.
Ignore specific OS “trappings”: system_call, Generic volume, SymbolicLink.

Extract strings
Different ways to extract strings; I went with the GNU strings concept.
Length: user-defined string lengths [8 to 20]. Brute force / rainbow table first!
Multiple combinations of a string: 1234567890 produces four 7-letter strings: 1234567, 2345678, 3456789, 4567890.
(Total_string_size - Target_size) + 1; for the example, (10 - 7) + 1 = 4.
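The extraction step above, as an added example that is not part of the original gen_strings.pl / gen_passwords.pl tool: a GNU-strings style scan of a constructed byte buffer, followed by the sliding-window expansion that yields (Total_string_size - Target_size) + 1 candidates per target length. The sample bytes and the choice to split runs on spaces are assumptions.

```python
import string

# Printable run alphabet. Space is treated as a separator here (assumption:
# GNU strings keeps it, but passwords rarely contain one).
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """GNU-strings style scan: every run of printable bytes at least min_len long."""
    out, run = [], bytearray()
    for b in data:
        if chr(b) in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:                      # run that ends at end of image
        out.append(run.decode("ascii"))
    return out

def windows(s: str, target: int) -> list:
    """All substrings of exactly target chars: (len(s) - target) + 1 of them."""
    return [s[i:i + target] for i in range(len(s) - target + 1)]

def candidates(strings, min_len: int = 8, max_len: int = 20) -> list:
    """Sliding windows of every length in [min_len, max_len], de-duplicated."""
    seen, out = set(), []
    for s in strings:
        for n in range(min_len, min(max_len, len(s)) + 1):
            for w in windows(s, n):
                if w not in seen:
                    seen.add(w)
                    out.append(w)
    return out

# Constructed stand-in for a memory image: some header bytes, a log line where
# the user typed the password into the username field, and a few loose strings.
SAMPLE_IMAGE = (b"\x00\x00MZ\x90\x00User password1 failed login at 10:42\x00\xff"
                b"sys21tem88\x00\x801234567890\x00ab\x00")

if __name__ == "__main__":
    found = extract_strings(SAMPLE_IMAGE)
    print(found)                          # 7 strings, 'password1' among them
    print(windows("1234567890", 7))       # the four 7-character windows from the slide
    print(len(candidates(found)))         # 15 candidates from those 7 strings
```

Running it on the sample shows the size effect discussed on the next slide: 7 extracted strings become 15 candidate passwords before any scoring is applied.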

Extract Strings (2)
This could lead to a large amount of string data to process on a per-image basis. Some size analysis:
Memory images: stripping out strings from a forensic image gives ~10.3% of the original size; creating passwords from strings is a ~394% increase. Example: 204MB forensic image of memory, 24MB of strings, 107MB of passwords.
Disk images: stripping out strings from a forensic image gives ~55% to ~80% of the original size; creating passwords from strings is a ~400% increase. Example: 75GB forensic image, 62GB of strings, 238GB of passwords.

Score Strings
Entropy: a measure of the disorder or randomness in a closed system. Shannon entropy or information entropy is a measure of the uncertainty associated with a random variable.
I just want to avoid “aaaaaaaa3” as a dictionary word. But I want “ShmooconRocks!” as a dictionary word.

Entropy
```perl
# Shannon entropy of a character-frequency table: $hashref maps each
# character to its count, $total is the string length. With the default
# base (log 2) the result is in bits per character.
sub entropy {
    my ($hashref, $total, $baselog) = @_;
    $baselog = 0.693147180559945 unless $baselog;    # log(2)
    return undef unless ( ref $hashref and $total > 0 );
    my $sum = 0;
    $sum += $_ * (log($_)/$baselog) for ( map { $_/$total } values %$hashref );
    return -$sum;
}
```
ShmooconRocks! entropy = 3.09306920777189200
ShmooconRocks entropy = 2.9312089489103244
shmooconrocks entropy = 2.77736279506417020
aaaaaaaaa3 entropy = 0.46899559358928139

Complexity and readability
Readability
Basic password strategies:
Dictionary word or sports teams, sports, colors, music groups (1)
Dictionary word with a # at the end (1)
Two words combined with a #, like sun2shine or blue9sky (2)
Quotes: “My Half Dead Monkey Died OF WigginG” = MHFMDOFWG or better, MhDMdofwG! (2)
License plate & l33t (leetspeak): QTGRL and /\/\4D5|<1LL$ (2)
Point is – most of the time users have a readable password. Which leads to frequency analysis and base word matching!
(1) Researched password analysis – myspace 20k, Schneier, Fredstie report.
(2) My analysis from various systems and projects, 400k+ over 10 years.

Complexity and readability (2)
Complexity:
English uppercase characters [A-Z]
English lowercase characters [a-z]
Numerals [0-9]
Non-alphabetic characters, such as !,$.#%^
Special symbols, such as β∞£€θ♦ - I like the idea of having ® in my password!
My thoughts are that complexity is going to be a key driver in what I developed as password profiles.

Password profiles
Idea of password profiles: based on the user and suspected computer ability or paranoia. Standard, Informed, Effort, and AllOut (forced complexity?).
Standard (the masses): average 7 to 8 characters; rising percentage adding a digit, 1 or 2, to the end; small amounts of two-word combos; good amounts of English frequency hits; entropy less than 4, more than 1.4; [a-z] [0-9] [!#$].
Informed (computer professionals, individuals that somehow connect to computer crime as “real”): average 9 to 10 characters; two-word combos, l33t passwords; still good amounts of English frequency; entropy less than 4, more than 2; [a-z] [0-9] [A-Z] [!@#$%^&*()_+=-].
Don’t forget to check and see if a password policy or forced strong passwords exist!
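The profile rules above turned into a scoring filter, as an added example rather than the author's Perl: entropy is computed the same way as the slide's entropy() sub, the Standard and Informed limits are taken from this slide, and AllOut follows the next slide (everything rated, trash included). The +10 profile weight, the keep fraction, and leaving the undetailed Effort profile out are my assumptions.

```python
import math
from collections import Counter

LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGIT = set("0123456789")

def entropy(s: str) -> float:
    """Shannon entropy in bits per character over the string's own
    character frequencies (the same sum the slide's Perl entropy() computes)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def char_classes(s: str) -> set:
    """Complexity buckets a candidate draws from: lower, upper, digit,
    punct (other ASCII) and special (anything beyond ASCII, e.g. ®)."""
    return {"lower" if ch in LOWER else "upper" if ch in UPPER else "digit" if ch in DIGIT
            else "punct" if ch.isascii() else "special" for ch in s}

# Length, entropy and alphabet limits as given on the profile slide; the
# Effort profile is not detailed there, so it is not modelled (assumption).
PROFILES = {
    "Standard": {"length": (7, 8), "entropy": (1.4, 4.0),
                 "alphabet": LOWER | DIGIT | set("!#$")},
    "Informed": {"length": (9, 10), "entropy": (2.0, 4.0),
                 "alphabet": LOWER | DIGIT | UPPER | set("!@#$%^&*()_+=-")},
}

def fits_profile(cand: str, profile: str) -> bool:
    """Length, entropy and alphabet checks for one profile; AllOut accepts all."""
    if profile == "AllOut":          # rates everything, trash included
        return True
    p = PROFILES[profile]
    lo, hi = p["length"]
    elo, ehi = p["entropy"]
    return lo <= len(cand) <= hi and elo < entropy(cand) < ehi and set(cand) <= p["alphabet"]

def rank(cands, profile: str, keep: float = 1.0) -> list:
    """Dictionary order: profile matches weighted above everything else
    (assumed +10), then by entropy; keep only the top fraction."""
    def score(c):
        return entropy(c) + (10.0 if fits_profile(c, profile) else 0.0)
    ordered = sorted(set(cands), key=score, reverse=True)
    return ordered[:max(1, math.ceil(len(ordered) * keep))]
```

With the Standard profile and keep=0.5, a low-entropy string like aaaaaaaa3 drops out of the top half while blue9sky (all eight characters distinct, entropy 3.0) is kept.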

Scoring Passwords
Password profiles weight the potential password scoring. By identifying a profile, you score those passwords higher for the dictionary sort. Why? Because due to space or size requirements you may only want the top 20% or 30% of potential passwords.
You can still have 100% of passwords, with or without the “trash” [low complexity, low entropy, known system strings].
Yes, the AllOut profile rates all passwords high, trash included.

Turning Scored Passwords into a Dictionary
The primary purpose of scoring passwords is to reduce the dictionary size to a manageable level. This can be done by choosing to only keep the top X% of passwords, or by splitting the password output into multiple files: 1st round output: top 15%; 2nd round output: 15% to 30%.

Dictionary formed, now what?
My #1 choice, John the Ripper: http://www.openwall.com/john/ Has LM, Kerberos, Unix crypt(s). Contributed resources include NTLM, SHA/SHA1, MySQL, Apache + more.
Any other password cracker that takes a dictionary (Cain & Abel, ElcomSoft + more).
Build your own, if you need it! Either John or programming choice.

John the Ripper
[root@CB1 Test]# uname -a
Linux CBlack1 2.6.9-55.0.12.plus.c4smp #1 SMP Fri Nov 2 09:10:15 EDT 2007 i686 i686 i386 GNU/Linux
[root@CB1 test]# cat crack.txt
testman:$1$UEq1obkF$atd1uwHWDrNdTVqvgUPKF/
[root@CB1 test]# /usr/local/bin/john -wordlist=PassScan-image-dcsmith8-password-out.txt crack.txt
Loaded 1 password hash (FreeBSD MD5 [32/32])
sys21tem88 (testman)
guesses: 1 time: 0:00:15:29 100% c/s: 4234 trying: sys21tem88
3.9 Million passwords checked before found

Cisco Pix – Cain and Abel

Your Scripts too!
```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA1;
use MIME::Base64;

# Target is an htpasswd/LDAP-style {SHA} hash: "{SHA}" . base64(sha1(password)).
my $targethash = "{SHA}Dyw5fW2lhFlQNepIjVHwvdRfwFA=";                  # 1
my $passfile   = "/work/sha1/PassScan-image-dcsmith9-password-out";

open (SOURCE, $passfile) || die "\nCan't open file $passfile: $!";
foreach my $line (<SOURCE>) {
    chomp $line;            # hash the candidate without its trailing newline
    checkhash($line);                                                  # 2
}
close(SOURCE);

sub checkhash {
    my ($secret) = @_;
    my $ctx = Digest::SHA1->new;
    $ctx->add($secret);
    my $hashedPasswd = '{SHA}' . encode_base64($ctx->digest, '');     # 3
    # Exact string compare: base64 output can contain regex metacharacters.
    if ($targethash eq $hashedPasswd) {                                # 4
        print "MATCH! Password is $secret\n";
        exit();
    }
}
```
[root@CB1 Test]# perl SHA1-Dict.pl
MATCH! Password is why88askwhy

That’s pretty much it…
Version 1 is available at http://www.hcp-fs.com (HCP Forensics). Still fragmented in Perl: gen_strings.pl and gen_passwords.pl. Lots of HD space needed for strings, passwords, and duplicate removals.
Next version is needed! Port for speed! Combine functionality to allow for one-pass processing. Still not sure about on-the-fly dup removal.

Questions?
Questions? Shmooballs!
Shout outs: my Georgetown security team; Trent Beckett; my wife, who is nice enough to let me follow these pursuits.

Ideas
Does anyone else brute-force passwords like this:
[a-z] to 10 characters
[a-z][0-9] to 8 characters
[a-z][0-9][A-Z] to 7 or 8 characters
[a-z][0-9][A-Z][SYMBOLS] to 7 characters
Sometimes I start them all at the same time.
Can they be segmented? Like [a-z][0-9] minus the [a-z] matches:
[a-z] for 8 characters = 208,827,064,576 (208 billion)
[a-z][0-9] for 8 characters = 2,821,109,907,456 (2.8 trillion)
Sure, it is still 2.6 trillion, but I won’t have to check 208 billion of them!