Vlatko Kosturjak discusses weaknesses found in a Cisco SHA256 password hash implementation. He describes how he was able to determine the hash was using an insecure custom charset and no salt or iterations. This allowed him to crack the hash using rainbow tables. He created tools to convert Cisco configuration files to the John the Ripper format and cracked multiple passwords. His recommendations include implementing stronger cryptography, avoiding password reuse, and working with security researchers to improve implementations.
2. Agenda
● True story – my perspective
● I got this hash...
– What it is?
– Is it vulnerable?
– How I can crack it?
● Recommendations
● Summary
● Questions
4. Let's start with the hashes! :)
http://www.openwall.com/lists/john-dev/2013/03/15/10
5. Somewhere in the galaxy...
http://www.openwall.com/lists/john-dev/2013/03/06/5
6. Let's look closer!
Same hash for same password different user?
● Password reuse identification
● Password frequency
● Memory-time trade off vulnerability
● Rainbow tables
● Lookup
● Pot file
● Database
● On-line
8. Finding what it is..
● “...My only advise is to just pretend you found this hash and
have no clue where it came from. Now try the first two things
that you should do when you find a 43 character hash with
uppercase and lowercase letters, numbers, dot, and
forward slash. Hmm that might be too much info...”
Sc00bz64 on john-dev
● Formats
– Crypt
– Hex
– Base64
– ...
9. So, what it is?
In short, please!
● BASE64 with custom charset
– ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXY
Zabcdefghijklmnopqrstuvwxyz
● SHA256
● No salt
● No iteration
● Length
– 1-25 characters
10. Cisco SHA256 implementation
● First implementation in PHP
– http://pastebin.com/1yCLwyVY
● First implementation in Perl
– http://www.openwall.com/lists/john-dev/2013/03/16/12
– https://gist.github.com/kost/5177541
● Time to crack! :)
https://twitter.com/k0st/status/312988851138355201
11. First C implementation as new
format type in john
http://www.openwall.com/lists/john-dev/2013/03/16/7
https://github.com/kholia/JohnTheRipper/tree/cisco-type-4
12. Wait a minute?
● It is Base64 with custom iteration
– Decode it!
– And encode it correctly
● How john likes it ;)
● What that means?
– No need for new john format
– SHA256 exists already
● CPU
● GPU
17. Password types
sorted by recommendations
Password type Method
5 MD5
4 SHA256 (no salt)
7 Decode
0 Plaintext
18. Recommendations
● Implementators
– Think about implementation of your crypto
● Even big guys missed it
– Implement basic checks
● Users
– Don't use type 4, use 5
– Don't use 7/0/4 in short ;)
– Password reuse is problem
– Don't mix same passwords with different password types
19. Summary
● Crypto implementations can be bad
– Nothing new
● “Improving” crypto is two way direction
● Working together
– Less time – more rock
– There are smart people out there
● John-dev
● Nmap-dev
● Metasploit
● ...
20. Thanks for your time
Questions?
https://twitter.com/k0st
BM-2D972vHJXV8nwaFG6vUfEmy5tFjrE97edN