Brains Over Brawn: Intelligent Password Recovery

CyberMaryland October 11-12 2017 Baltimore, MD

Brains over Brawn: Intelligent Password Recovery

Sean Segreti Security Consultant – KoreLogic whoami

● Security consultant – penetration tester

● Fortune 500 and government clients

● Spoken at USENIX and BSides conferences

● Graduate of UMD & CMU in ECE

2 whoami DEFCON - Crack Me If You Can Password Cracking Contest

DARPA Cyber Fast Track: PathWell

KoreLogic Password Recovery Service

3 Why Talk about Passwords?

4 How we compromise systems

● 0-day, new unpublished exploits. < 2 %

● Web Application flaws ~ 10%

● Malware/Phishing ~ 13%

● Guessing/cracking credentials ~ 75%

5 How Useful is Intelligent Cracking?

● We performed a pro bono project ~1 year ago for a law firm ● Needed help cracking a password-protected PDF file

● The law firm used a commercial cracking tool for 81 days unsuccessfully

● We cracked it in 30 minutes on one machine

Effective guessing strategies are crucial

6 Agenda

● A brief history of password cracking

● Cracking in 2017

● What blue teams can do

7 A Brief History

8 A Brief History

● The first computer password – 1961

9 A Brief History

● The first computer password – 1961

● MIT’s Compatible Time-Sharing System (CTSS)

10 A Brief History

● The first computer password – 1961

● MIT’s Compatible Time-Sharing System (CTSS)

● First password breach – 1962

11 A Brief History

● The first computer password – 1961

● MIT’s Compatible Time-Sharing System (CTSS)

● First password breach – 1962

● Software bug in CTSS reveals password store

Alan Scherr

12 A Brief History

● The first computer password – 1961

● MIT’s Compatible Time-Sharing System (CTSS)

● First password breach – 1962

● Software bug in CTSS reveals password store

● First accidental password breach – 1966

13 A Brief History

● The first computer password – 1961

● MIT’s Compatible Time-Sharing System (CTSS)

● First password breach – 1962

● Software bug in CTSS reveals password store

● First accidental password breach – 1966

● CTSS “quote of the day”

14 A Brief History

● The first computer password – 1961

● MIT’s Compatible Time-Sharing System (CTSS)

● First password breach – 1962

● Software bug in CTSS reveals password store

● First accidental password breach – 1966

● CTSS “quote of the day”

● Password hashing introduced

15 Terminology Hash: A one-way function which is considered impossible to invert

16 Simple Hash Examples

17 More Hash Examples

MD4 HMAC-SHA512 (key = $pass) PostgreSQL Windows 8+ phone PIN/Password MD5 HMAC-SHA512 (key = $salt) MSSQL(2000) Citrix Netscaler Half MD5 phpass MSSQL(2005) RACF SHA1 scrypt MSSQL(2012) GRUB 2 SHA-384 PBKDF2-HMAC-MD5 MSSQL(2014) Radmin2 SHA-256 PBKDF2-HMAC-SHA1 MySQL323 ArubaOS SHA-512 PBKDF2-HMAC-SHA256 MySQL4.1/MySQL5 SAP CODVN B (BCODE) SHA-3(Keccak) PBKDF2-HMAC-SHA512 Oracle H: Type (Oracle 7+) SAP CODVN F/G (PASSCODE) SipHash Skype Oracle S: Type (Oracle 11+) SAP CODVN H (PWDSALTEDHASH) iSSHA-1 RipeMD160 WPA/WPA2 Oracle T: Type (Oracle 12+) Lotus Notes/Domino 5 Whirlpool iSCSI CHAP authentication, MD5(Chap) Sybase ASE Lotus Notes/Domino 6 GOST R 34.11-94 IKE-PSK MD5 EPiServer 6.x < v4 Lotus Notes/Domino 8 GOST R 34.11-2012 (Streebog) 256-bit IKE-PSK SHA1 EPiServer 6.x > v4 PeopleSoft GOST R 34.11-2012 (Streebog) 512-bit NetNTLMv1 Apache $apr1$ PeopleSoft Token md5($pass.$salt) NetNTLMv1 + ESS ColdFusion 10+ 7-Zip md5($salt.$pass) NetNTLMv2 hMailServer RAR3-hp md5(unicode($pass).$salt) IPMI2 RAKP HMAC-SHA1 nsldap, SHA-1(Base64), Netscape LDAP SHA RAR5 md5($salt.unicode($pass)) Kerberos 5 AS-REQ Pre-Auth etype 23 nsldaps, SSHA-1(Base64), Netscape LDAP SSHA AxCrypt md5($salt.$pass.$salt) DNSSEC (NSEC3) SSHA-512(Base64), LDAP {SSHA512} AxCrypt in memory SHA1 md5($salt.md5($pass)) Cram MD5 CRC32 WinZip md5(md5($pass)) PostgreSQL CRAM (MD5) LM TrueCrypt md5(strtoupper(md5($pass))) MySQL CRAM (SHA1) NTLM Android FDE < v4.3 md5(sha1($pass)) SIP digest authentication (MD5) Domain Cached Credentials (DCC), MS Cache Android FDE (Samsung DEK) sha1($pass.$salt) Kerberos 5 TGS-REP etype 23 Domain Cached Credentials 2 (DCC2), MS Cache 2 eCryptfs sha1($salt.$pass) SMF (Simple Machines Forum) MS-AzureSync PBKDF2-HMAC-SHA256 VeraCrypt sha1(unicode($pass).$salt) phpBB3 descrypt, DES(Unix), Traditional DES MS Office <= 2003 sha1($salt.unicode($pass)) vBulletin < v3.8.5 BSDiCrypt, Extended DES MS Office 2007 sha1(sha1($pass)) vBulletin > v3.8.5 md5crypt $1$, MD5(Unix) MS Office 2010 sha1(md5($pass)) MyBB bcrypt $2*$, Blowfish(Unix) MS Office 2013 sha1($salt.$pass.$salt) IPB (Invison Power Board) sha256crypt $5$, SHA256(Unix) PDF 1.1 - 1.3 (Acrobat 2 - 4) sha256($pass.$salt) WBB3 (Woltlab Burning Board) sha512crypt $6$, SHA512(Unix) PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 sha256($salt.$pass) Joomla < 2.5.18 OSX v10.4, OSX v10.5, OSX v10.6 PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 sha256(unicode($pass).$salt) Joomla > 2.5.18 OSX v10.7 PDF 1.4 - 1.6 (Acrobat 5 - 8) sha256($salt.unicode($pass)) Wordpress OSX v10.8, OSX v10.9, OSX v10.10 PDF 1.7 Level 3 (Acrobat 9) sha512($pass.$salt) PHPS AIX {smd5} PDF 1.7 Level 8 (Acrobat 10 - 11) sha512($salt.$pass) Drupal7 AIX {ssha1} Password Safe v2 sha512(unicode($pass).$salt) osCommerce AIX {ssha256} Password Safe v3 sha512($salt.unicode($pass)) xt:Commerce AIX {ssha512} Lastpass + Lastpass sniffed HMAC-MD5 (key = $pass) PrestaShop Cisco-PIX 1Password, agilekeychain HMAC-MD5 (key = $salt) Django (SHA-1) Cisco-ASA 1Password, cloudkeychain HMAC-SHA1 (key = $pass) Django (PBKDF2-SHA256) Cisco-IOS Bitcoin/Litecoin wallet.dat HMAC-SHA1 (key = $salt) Mediawiki B type Juniper Netscreen/SSG (ScreenOS) Blockchain, My Wallet HMAC-SHA256 (key = $pass) Redmine Juniper IVE Keepass 1 (AES/Twofish) and Keepass 2 (AES) HMAC-SHA256 (key = $salt) OpenCart Android PIN 18 Hashing assumptions

19 Hashing assumptions

● Preimage resistance

● It should be hard to find a given hash’s preimage

20 Hashing assumptions

● Preimage resistance

● It should be hard to find a given hash’s preimage

● Second preimage resistance

● Given a preimage, it should be hard to find another with the same hash

21 Hashing assumptions

● Preimage resistance

● It should be hard to find a given hash’s preimage

● Second preimage resistance

● Given a preimage, it should be hard to find another with the same hash

● Collision resistant

● It should be hard to find any two preimages with the same hash

● “Birthday attack”

22 A Brief History

● Password hashing introduced

● Multics: “scramble_” – 1972

● UNIX Crypt(1) – 1974

● Data Encryption Standard (DES) – 1979

23 Hashing Mishaps

● Early VAX systems running VMS – 1978

● CRC32 based hashes relatively easy to find collisions for two different words

● “penetration” and “prepituitary” both have the same hash “BF6A229E”

● UNIX DES – 1979

● EFF shows that the 56-bit key can be brute-forced – 1999

● Microsoft LANMAN – Early 1990s

● Split into two case-insensitive 7+ character DES hashes 24 A Brief History (Continued)

● Early mainstream cracking tools – 1980-2000

● Rainbow tables – 1980

● Computer Oracle & Password System (COPS) – 1989

● UNIX Crack – 1990

● Cracker Jack – 1993

25 Simple Dictionary Cracking

26 Simple Dictionary Cracking