CyberMaryland October 11-12 2017 Baltimore, MD Brains over Brawn: Intelligent Password Recovery Sean Segreti Security Consultant – KoreLogic whoami ● Security consultant – penetration tester ● Fortune 500 and government clients ● Spoken at USENIX and BSides conferences ● Graduate of UMD & CMU in ECE 2 whoami DEFCON - Crack Me If You Can Password Cracking Contest DARPA Cyber Fast Track: PathWell KoreLogic Password Recovery Service 3 Why Talk about Passwords? 4 How we compromise systems ● 0-day, new unpublished exploits. < 2 % ● Web Application flaws ~ 10% ● Malware/Phishing ~ 13% ● Guessing/cracking credentials ~ 75% 5 How Useful is Intelligent Cracking? ● We performed a pro bono project ~1 year ago for a law firm ● Needed help cracking a password-protected PDF file ● The law firm used a commercial cracking tool for 81 days unsuccessfully ● We cracked it in 30 minutes on one machine Effective guessing strategies are crucial 6 Agenda ● A brief history of password cracking ● Cracking in 2017 ● What blue teams can do 7 A Brief History 8 A Brief History ● The first computer password – 1961 9 A Brief History ● The first computer password – 1961 ● MIT’s Compatible Time-Sharing System (CTSS) 10 A Brief History ● The first computer password – 1961 ● MIT’s Compatible Time-Sharing System (CTSS) ● First password breach – 1962 11 A Brief History ● The first computer password – 1961 ● MIT’s Compatible Time-Sharing System (CTSS) ● First password breach – 1962 ● Software bug in CTSS reveals password store Alan Scherr 12 A Brief History ● The first computer password – 1961 ● MIT’s Compatible Time-Sharing System (CTSS) ● First password breach – 1962 ● Software bug in CTSS reveals password store ● First accidental password breach – 1966 13 A Brief History ● The first computer password – 1961 ● MIT’s Compatible Time-Sharing System (CTSS) ● First password breach – 1962 ● Software bug in CTSS reveals password store ● First accidental password breach – 1966 ● CTSS “quote of the day” 14 A Brief History ● The first computer password – 1961 ● MIT’s Compatible Time-Sharing System (CTSS) ● First password breach – 1962 ● Software bug in CTSS reveals password store ● First accidental password breach – 1966 ● CTSS “quote of the day” ● Password hashing introduced 15 Terminology Hash: A one-way function which is considered impossible to invert 16 Simple Hash Examples 17 More Hash Examples MD4 HMAC-SHA512 (key = $pass) PostgreSQL Windows 8+ phone PIN/Password MD5 HMAC-SHA512 (key = $salt) MSSQL(2000) Citrix Netscaler Half MD5 phpass MSSQL(2005) RACF SHA1 scrypt MSSQL(2012) GRUB 2 SHA-384 PBKDF2-HMAC-MD5 MSSQL(2014) Radmin2 SHA-256 PBKDF2-HMAC-SHA1 MySQL323 ArubaOS SHA-512 PBKDF2-HMAC-SHA256 MySQL4.1/MySQL5 SAP CODVN B (BCODE) SHA-3(Keccak) PBKDF2-HMAC-SHA512 Oracle H: Type (Oracle 7+) SAP CODVN F/G (PASSCODE) SipHash Skype Oracle S: Type (Oracle 11+) SAP CODVN H (PWDSALTEDHASH) iSSHA-1 RipeMD160 WPA/WPA2 Oracle T: Type (Oracle 12+) Lotus Notes/Domino 5 Whirlpool iSCSI CHAP authentication, MD5(Chap) Sybase ASE Lotus Notes/Domino 6 GOST R 34.11-94 IKE-PSK MD5 EPiServer 6.x < v4 Lotus Notes/Domino 8 GOST R 34.11-2012 (Streebog) 256-bit IKE-PSK SHA1 EPiServer 6.x > v4 PeopleSoft GOST R 34.11-2012 (Streebog) 512-bit NetNTLMv1 Apache $apr1$ PeopleSoft Token md5($pass.$salt) NetNTLMv1 + ESS ColdFusion 10+ 7-Zip md5($salt.$pass) NetNTLMv2 hMailServer RAR3-hp md5(unicode($pass).$salt) IPMI2 RAKP HMAC-SHA1 nsldap, SHA-1(Base64), Netscape LDAP SHA RAR5 md5($salt.unicode($pass)) Kerberos 5 AS-REQ Pre-Auth etype 23 nsldaps, SSHA-1(Base64), Netscape LDAP SSHA AxCrypt md5($salt.$pass.$salt) DNSSEC (NSEC3) SSHA-512(Base64), LDAP {SSHA512} AxCrypt in memory SHA1 md5($salt.md5($pass)) Cram MD5 CRC32 WinZip md5(md5($pass)) PostgreSQL CRAM (MD5) LM TrueCrypt md5(strtoupper(md5($pass))) MySQL CRAM (SHA1) NTLM Android FDE < v4.3 md5(sha1($pass)) SIP digest authentication (MD5) Domain Cached Credentials (DCC), MS Cache Android FDE (Samsung DEK) sha1($pass.$salt) Kerberos 5 TGS-REP etype 23 Domain Cached Credentials 2 (DCC2), MS Cache 2 eCryptfs sha1($salt.$pass) SMF (Simple Machines Forum) MS-AzureSync PBKDF2-HMAC-SHA256 VeraCrypt sha1(unicode($pass).$salt) phpBB3 descrypt, DES(Unix), Traditional DES MS Office <= 2003 sha1($salt.unicode($pass)) vBulletin < v3.8.5 BSDiCrypt, Extended DES MS Office 2007 sha1(sha1($pass)) vBulletin > v3.8.5 md5crypt $1$, MD5(Unix) MS Office 2010 sha1(md5($pass)) MyBB bcrypt $2*$, Blowfish(Unix) MS Office 2013 sha1($salt.$pass.$salt) IPB (Invison Power Board) sha256crypt $5$, SHA256(Unix) PDF 1.1 - 1.3 (Acrobat 2 - 4) sha256($pass.$salt) WBB3 (Woltlab Burning Board) sha512crypt $6$, SHA512(Unix) PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 sha256($salt.$pass) Joomla < 2.5.18 OSX v10.4, OSX v10.5, OSX v10.6 PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 sha256(unicode($pass).$salt) Joomla > 2.5.18 OSX v10.7 PDF 1.4 - 1.6 (Acrobat 5 - 8) sha256($salt.unicode($pass)) Wordpress OSX v10.8, OSX v10.9, OSX v10.10 PDF 1.7 Level 3 (Acrobat 9) sha512($pass.$salt) PHPS AIX {smd5} PDF 1.7 Level 8 (Acrobat 10 - 11) sha512($salt.$pass) Drupal7 AIX {ssha1} Password Safe v2 sha512(unicode($pass).$salt) osCommerce AIX {ssha256} Password Safe v3 sha512($salt.unicode($pass)) xt:Commerce AIX {ssha512} Lastpass + Lastpass sniffed HMAC-MD5 (key = $pass) PrestaShop Cisco-PIX 1Password, agilekeychain HMAC-MD5 (key = $salt) Django (SHA-1) Cisco-ASA 1Password, cloudkeychain HMAC-SHA1 (key = $pass) Django (PBKDF2-SHA256) Cisco-IOS Bitcoin/Litecoin wallet.dat HMAC-SHA1 (key = $salt) Mediawiki B type Juniper Netscreen/SSG (ScreenOS) Blockchain, My Wallet HMAC-SHA256 (key = $pass) Redmine Juniper IVE Keepass 1 (AES/Twofish) and Keepass 2 (AES) HMAC-SHA256 (key = $salt) OpenCart Android PIN 18 Hashing assumptions 19 Hashing assumptions ● Preimage resistance ● It should be hard to find a given hash’s preimage 20 Hashing assumptions ● Preimage resistance ● It should be hard to find a given hash’s preimage ● Second preimage resistance ● Given a preimage, it should be hard to find another with the same hash 21 Hashing assumptions ● Preimage resistance ● It should be hard to find a given hash’s preimage ● Second preimage resistance ● Given a preimage, it should be hard to find another with the same hash ● Collision resistant ● It should be hard to find any two preimages with the same hash ● “Birthday attack” 22 A Brief History ● Password hashing introduced ● Multics: “scramble_” – 1972 ● UNIX Crypt(1) – 1974 ● Data Encryption Standard (DES) – 1979 23 Hashing Mishaps ● Early VAX systems running VMS – 1978 ● CRC32 based hashes relatively easy to find collisions for two different words ● “penetration” and “prepituitary” both have the same hash “BF6A229E” ● UNIX DES – 1979 ● EFF shows that the 56-bit key can be brute-forced – 1999 ● Microsoft LANMAN – Early 1990s ● Split into two case-insensitive 7+ character DES hashes 24 A Brief History (Continued) ● Early mainstream cracking tools – 1980-2000 ● Rainbow tables – 1980 ● Computer Oracle & Password System (COPS) – 1989 ● UNIX Crack – 1990 ● Cracker Jack – 1993 25 Simple Dictionary Cracking 26 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac 27 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace abacus amen apple avert ... 28 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace abacus amen apple avert ... 29 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace Hash Function abacus amen apple avert ... 30 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace Hash Function abacus amen apple avert 360e2ece07507675dced80ba867d6dcd ... 31 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace Hash Function abacus amen apple avert 360e2ece07507675dced80ba867d6dcd ... Matches 297ee0aabc73ab6fc23bb819c8e42fac ? 32 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace Hash Function abacus amen apple avert 360e2ece07507675dced80ba867d6dcd ... Matches 297ee0aabc73ab6fc23bb819c8e42fac Yes ? 33 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace Hash Function abacus amen apple avert 360e2ece07507675dced80ba867d6dcd ... Matches 297ee0aabc73ab6fc23bb819c8e42fac Yes Cracked! ? 34 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace Hash Function abacus amen apple avert 360e2ece07507675dced80ba867d6dcd ... Matches No 297ee0aabc73ab6fc23bb819c8e42fac Yes Cracked! ? 35 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace Hash Function abacus amen apple avert 360e2ece07507675dced80ba867d6dcd ... Fetch a new Matches guess and No 297ee0aabc73ab6fc23bb819c8e42fac Yes Cracked! try again ? 36 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace ace Hash Function abacus amen apple avert 360e2ece07507675dced80ba867d6dcd ... Fetch a new Matches guess and No 297ee0aabc73ab6fc23bb819c8e42fac Yes Cracked! try again ? 37 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace abacus Hash Function abacus amen apple avert 13f27b1072bbf7719d0d267b083ff91c ... Fetch a new Matches guess and No 297ee0aabc73ab6fc23bb819c8e42fac Yes Cracked! try again ? 38 Simple Dictionary Cracking hash: 297ee0aabc73ab6fc23bb819c8e42fac Dictionary ace amen Hash Function abacus amen apple avert 8bd5b67121d84eecff7a0f2130509521 ... Fetch a new Matches guess and No 297ee0aabc73ab6fc23bb819c8e42fac Yes Cracked! try again ? 39 Simple Dictionary Cracking hash: