Salt Cryptography & Cracking Salted Hashes by fb1h2s
Salt Cryptography & Cracking Salted Hashes by fb1h2s @ null Pune Meet, August, 2010

  • Transcript

    • 1. Cracking Salted Hashes. Web Application Security: The Dos and Don'ts of Cryptography. FB1H2S aka Rahul Sasi, www.fb1h2s.com, Garage 4 Hackers, http://www.garage4hackers.com
    • 2. An Introduction
        • Cryptography
        • Advantages
        • Drawbacks
        • Hash Functions
        • Advantages
        • Salted Hash Functions
        • Difficulties in cracking
    • 3. This paper is an advisory on the strong ways of using cryptographic functions, and on the various possible ways of cracking them from a hacker's perspective.
    • 4. An application that doesn't use cryptographic hashes:
        • Consider this piece of code from a login form:
            onclick="javascript:document.frm.id.value='user';
                document.frm.passwd.value='value';
                this.form.passwd.value=(hex_md5('CC6AB28BA9FAD121184B09E00F1DD6E7'+this.form.passwd.value));
                this.form.submit();"
        • How this JavaScript application works:
        • The salt value "CC6AB28BA9FAD121184B09E00F1DD6E7" was the current session ID.
        • Because that salt changes with every session, there would be no way for the program to verify the submitted password value unless the passwords are stored unencrypted in the back-end database.
        • Point No. 1: Always encrypt your sensitive data before saving it in the database.
    • 5. So now, what if the data is encrypted: is it secure?
    • 6. Hash Functions: Cracking the Salted Hashes:
        • "I recently came across this huge database of an email service provider, and I will take this paper the way I went about cracking those hashes."
        • The few possible ways to crack hashed passwords are:
            • The algorithm used for hashing has some flaws and the hashes are reversible.
            • Or you will have to brute-force the hashes with a dictionary wordlist or rainbow tables.
            • Or simply, if you have UPDATE privileges on that database, update it with a known password's hash value.
        • "All this is possible only if you know what algorithm the hashes are built on."
    • 7. So what can you do to figure out the hashing algorithm used?
        • Answer: all algorithms generate a fixed-length hash value.
        • So, based on the output, you can estimate which algorithm was used.
        • I am putting in a few cheat sheets for figuring out the hash algorithm based on the hashes.
    • 8. [Hash algorithm cheat sheet: image not in transcript]
    • 9. [Hash algorithm cheat sheet: image not in transcript]
    • 10. My hashes were 13 characters long and nowhere in the cheat sheet, but I was able to figure it out using a few programming tutorial websites.
        • The hashes I had were PHP crypt() function hashes.
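The length-based identification from slides 7 to 10, written as an audit helper for reviewing a credential column. This is an added example, not code from the original slides; the digest lengths are those of the standard algorithms, the sample rows are the values quoted in this deck, and `classify` and `audit` are hypothetical names.

```python
import re
from collections import Counter

# Hex digest lengths of common unsalted hash functions (characters, not bytes).
HEX_LENGTHS = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}
HEX = re.compile(r"[0-9a-fA-F]+")
# Traditional DES crypt(): 2 salt characters followed by 11 hash characters.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Stored values quoted on slides 11, 14 and 16, plus one constructed bad row.
SAMPLE = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "laAsfestWEiq1",
    "6f04f0d75f6870858bae14ac0b6d9f73:14357",
    "not-a-hash",
]


def classify(stored):
    """Return (candidate algorithms, visible salt or None) for one stored value."""
    stored = stored.strip()
    if ":" in stored:  # "hash:salt" layout as shown on slide 16
        digest, salt = stored.split(":", 1)
        return classify(digest)[0], salt
    if HEX.fullmatch(stored) and len(stored) in HEX_LENGTHS:
        return HEX_LENGTHS[len(stored)], None
    if DES_CRYPT.fullmatch(stored):
        return ["DES crypt"], stored[:2]  # the salt travels inside the hash
    return [], None


def audit(rows):
    """Count rows per detected format so legacy schemes stand out in a review."""
    counts = Counter()
    for value in rows:
        names, salt = classify(value)
        label = "/".join(names) if names else "unknown"
        counts[label + (" +salt" if salt else "")] += 1
    return counts


if __name__ == "__main__":
    for label, n in audit(SAMPLE).items():
        print(f"{n:3d}  {label}")
```

Length only narrows the candidates: a 32-character hex value may be a plain MD5 or a salted or nested construction, which is the problem slides 13 to 20 go on to discuss.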
    • 11. A simple walk-through of the PHP crypt function:
        • It is a hash algorithm which takes in a "string" and a "salt" and produces the hash.
        • By default it uses "DES" to produce the hashes.
        • Consider this example:
            <?php
            $password = crypt('password');
            ?>
            Hashes: laAsfestWEiq1
        • Here the password hash is generated on the basis of a random 2-digit salt. Or we could provide our own salt:
            <?php
            $password = crypt('password', 'salt');
            ?>
            Hashes: sih2hDu1acVcA
        • And the password verification code would be as follows:
            <?php
            // Re-hash the submitted password using the stored hash as the salt
            // argument, then compare in constant time (hash_equals, PHP 5.6+).
            if (hash_equals($password, crypt($user_password, $password))) {
                echo "Correct Password";
            }
            ?>
    • 12.
        • In either case the salt is included with the hash, a property of DES.
        • As I mentioned above, the security of salt cryptography rests on the fact that the salt is unknown to the cracker.
        • With this basic piece of information, all the hashes were cracked easily.
        • All I had to do was load a common-passwords dictionary, combine it with the constant salt, and get my work done.
    • 13. Salted Hashes.
        • Salt/hash algorithm with constant salt:
        • Example:
            $password = "password";            // user input
            $salt = "salted";                  // the same salt for every user
            $password = md5($salt.$password);  // saved in db: md5(saltedpassword)
            Hashes: 1423de37c0c1b63c3687f8f1651ce1bf
            Salt: salted
        • In this program a constant salt is used, therefore the salt is not saved in the database.
        • So our dumped hashes won't contain the salt value.
    • 14. To verify such algorithms we need to try the following things:
        • Try to create a new user using the target application.
        • Dump the data again and verify which algorithm is used, using the above-mentioned methods.
        • Suppose the new password added was "password": md5('password') == "5f4dcc3b5aa765d61d8327deb882cf99". If instead the stored value was "1423de37c0c1b63c3687f8f1651ce1bf", that says a salt is used, and that it is a constant one, as it doesn't seem to be added to the final hashes.
    • 15. Cracking the salt:
        • Now, for breaking this, the only thing you can do is brute-force the hashes to figure out what the salt is.
        • For example, we know:
            md5('password') == "5f4dcc3b5aa765d61d8327deb882cf99"
          Now the question is:
            md5('password' + "????WHAT????") === "1423de37c0c1b63c3687f8f1651ce1bf"
        • Conclusion:
        • Never use a constant salt for all hashes.
        • If your PHP application stores sensitive values and you want to store them as salted hashes, then the crypt() function is not the right option, nor is depending on any constant-salt function the right choice.
    • 16. Salt/hash algorithm with random salt:
        • If a random salt is used for each hash, which is necessary for an application whose source is publicly available, then it is necessary to store the salt along with the hashes.
        • The negative point is that it's possible to extract the salt from the hashes.
        • But the positive point is that the cracker needs to build hash tables with each salt for cracking each hash.
        • We can extract the salt, but as each hash has a different salt, it's impossible to crack all hashes at a stretch.
            $password = user_input();          // user input
            $salt = random_int(10000, 99999);  // fresh 5-digit salt for each user
            $password = md5($salt.$password);  // saved in db: md5(saltedpassword)
            Hashes: 6f04f0d75f6870858bae14ac0b6d9f73:14357 (Hash:Salt)
            Salt: 14357
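Slides 13 to 16 contrast a constant salt with a per-user random salt. The following added example (not from the original slides) shows the difference from the defender's side: with a constant salt, users who share a password share a stored digest, while a random salt stored beside the hash removes that signal. PBKDF2-HMAC-SHA256 is swapped in for md5 in the random-salt record as an assumption of this example, and the user table and function names are constructed.

```python
import hashlib
import hmac
import secrets

CONSTANT_SALT = "salted"  # the constant salt value from slide 13
# Constructed sample accounts; alice and bob picked the same password.
USERS = {"alice": "password", "bob": "password", "carol": "hunter2"}


def constant_salt_md5(password):
    """Slide 13's scheme: md5(salt . password) with one salt for everyone."""
    return hashlib.md5((CONSTANT_SALT + password).encode()).hexdigest()


def make_record(password, iterations=100_000):
    """Per-user random salt, stored beside the hash as digest:salt:iterations."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{dk.hex()}:{salt.hex()}:{iterations}"


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest_hex, salt_hex, iterations = record.split(":")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), digest_hex)


def shared_digest_groups(table):
    """Users whose stored digests are identical, i.e. visibly equal passwords."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored.split(":")[0], []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    constant = {u: constant_salt_md5(p) for u, p in USERS.items()}
    random_salt = {u: make_record(p) for u, p in USERS.items()}
    print("constant salt, shared digests:", shared_digest_groups(constant))
    print("random salt, shared digests:  ", shared_digest_groups(random_salt))
    print("alice verifies:", verify("password", random_salt["alice"]))
```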
    • 17. A scenario for the requirement of a new tool.
        • Tool: the documentation of one such tool would be as follows.
        • The whole idea of such a system comes from the concept of torrents, where if you want something you have to share something.
        • Here, if you want to crack something, you have to share your processing speed.
    • 18. How it should work
        • You download the cracker tool client.
        • You have an admin hash to crack, say that of WordPress; you add the hash along with the salt to the cracker client.
        • The cracker client sends the hash to the crack server.
        • The crack server accepts you as part of the distributed cracking network.
        • The crack server updates you with the new set of hashes, algorithm, and permutations you have to carry out.
        • The logic is that when someone is doing work for you, you have to work for them too.
        • Thereby your work is carried out by many different computers.
        • More on this tool is mentioned in the paper.
    • 19. Finding an unknown hash algorithm:
        • Consider a situation where the hashes are encrypted multiple times with different hash algorithms, for example:
            <?php
            $password = sha1('password'); // de4he6la fe4oe6late4he6lade4he6lade4he6la
            $final_password = md5($password); // md5 of the sha1 hex string
            ?>
            Final Password Hashes: 1423de37c0c1b63c3687f8f1651ce1bf
        • In this kind of situation, where multiple hashing algorithms are used and the algorithm is unknown, it is really hard to find out what the hashes are.
        • Now you need an algorithm brute forcer.
    • 20. Algorithm_Bruter
        • So I came up with this script, which takes in a known "password" and its "hashes", moves it through many different commonly used hash algorithms and tries to find a match, predicting which algorithm was used in the back end.
        • You can check out the script here: http://www.fb1h2s.com/algorithmbruter.php
        • It can be used in the above-mentioned situations.
    • 21. Algorithm_Bruter.php
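The idea on slides 19 and 20, as an added example: given a password you set yourself on a test account and the value the application stored for it, try single and two-level combinations of common hash functions to learn which scheme a legacy system uses. This is not the author's Algorithm_Bruter.php; the algorithm list, the labels and the `identify` function are assumptions of this sketch, and a salt is only tried when it is already known.

```python
import hashlib
from itertools import product

ALGOS = ("md5", "sha1", "sha256", "sha512")


def hexhash(name, text):
    """Lowercase hex digest, as PHP's md5() and sha1() return it."""
    return hashlib.new(name, text.encode()).hexdigest()


def identify(password, observed, salt=""):
    """Return labels of every tested construction that reproduces `observed`.

    password: the known plaintext of the test account
    observed: the value the application stored for that account
    salt:     an already known salt, tried as prefix and as suffix
    """
    observed = observed.strip().lower()
    inputs = {"p": password}
    if salt:
        inputs["salt.p"] = salt + password
        inputs["p.salt"] = password + salt

    matches = []
    for label, text in inputs.items():
        # Single pass, e.g. md5(p)
        for algo in ALGOS:
            if hexhash(algo, text) == observed:
                matches.append(f"{algo}({label})")
        # Nested, e.g. md5(sha1(p)): the outer hash runs over the inner hex string
        for outer, inner in product(ALGOS, repeat=2):
            if hexhash(outer, hexhash(inner, text)) == observed:
                matches.append(f"{outer}({inner}({label}))")
    return matches


if __name__ == "__main__":
    # Constructed input: the nested scheme from slide 19, recomputed locally.
    stored = hexhash("md5", hexhash("sha1", "password"))
    print(identify("password", stored))
    print(identify("password", "5f4dcc3b5aa765d61d8327deb882cf99"))
```

An empty result means the scheme is outside the tested set, for example a different salt position or raw-byte chaining instead of hex strings.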
    • 22. Thank You
        • Greetz to all NULL, Andhra Hackers, Garage4H hackers members.
