
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by Steve Werby at ISACA San Antonio]

By aggregating and creating new dictionaries and manipulating them to guess plaintext and hashed passwords in high profile password exposures, I'll demonstrate which dictionary attacks and password cracking strategies are the most effective. I will also discuss the building of passphrase dictionaries. The password and passphrase cracking will be performed primarily using Amazon EC2 and the time, cost, and resource constraints of EC2 and other options will be analyzed.

Versions of this talk were also presented at Hack3rCon, DerbyCon, and SOURCE Seattle.


  1. Steve Werby (@stevewerby) | ISACA San Antonio: Building Dictionaries and Cracking Hashes with Amazon EC2 | October 23, 2012
     Building Dictionaries and Destroying Hashes using Amazon EC2
     Steve Werby [President | Security Researcher | Security Consultant], Befriend
  2. 1. Infosec since 1999
     2. Former (CISO)³
     3. BS Industrial Engineering, MBA, certs
     4. Presented at Hack3rCon, SecTor, DerbyCon, ShmooCon, ConSec, SOURCE Conference, LASCON, BSidesDFW, VA SCAN, EDUCAUSE, InfraGard, OWASP, ISSA, AITP, IEEE, …
  3. Presentation goals
     1. Value of password resiliency assessments
     2. Freely available assessment tools
     3. Assessment methodologies
     4. Buy or rent
     5. Utilizing EC2
     6. Hashing algorithm
     7. Passphrases vs. passwords
  4. • Have a question? Ask!
     • Have a comment? Share!
     • I’ll ask some questions too.
  5. Hashes
     • One-way functions (non-reversible)
     • Outputs a fixed-length string (unique…usually)
     • Such as MD5, SHA1, NTLM, and WPA
     • 781ab37e7553fef1809efdf8cff656dc
     • 54e18a5ad5152bd439efe9f1ae53506416bf7cf7
     1. Username: steve, Password: 2012Election
     2. Transmitted to server
     3. md5(“2012Election”)
     4. Output compared to value stored on server
     5. If match, successful login
  6. Salts
     • String concatenated with password pre-hashing
     • Salt is rand(a-z) – can be from a larger key space
     • md5(“w2012Election”)
     • Stored in password DB as w:2012Election
     • 781ab37e7553fef1809efdf8cff656dc
     • 54e18a5ad5152bd439efe9f1ae53506416bf7cf7
     1. Key space increased by factor of 26
     2. Identical password != identical hash
     3. Precomputation data storage increased
  7. Cracking strategies: Precomputation
     1. Precompute hashes for a set of strings
     2. Enumerate password hash file
     3. Search for match in precomputation file
     • Password hash file: 781ab37e75, fdaa4719ed, ffe81a52d2
     • Precomputation file: fc93d481c1:hunger, fdaa3b7c0d:earring, fdaa4719ed:ISACA
  8. Cracking strategies: String enumeration
     1. Enumerate a set of strings
     2. Hash the strings
     3. Search for match in password hash file
     • Password hash file: fc93d481c1, fdaa4719ed, ffe81a52d2
     • Enumerated strings: ISABY:e715b3aca, ISABZ:9c74be0d1a, ISACA:fdaa4719ed, ISACB:0b27cca621
  9. • Number of tests needed
     • Time per test
  10. [Chart comparing NTLM, MD5, SHA1, LM and SHA512 on a scale of x, 10x, 20x, 40x, 60x]
  11. Password policies
      • Length
      • Composition
      • Complexity
      • Aging
      • Construction prohibitions
      • Reuse
      • Memorization and storage
      Your password policy?
  12. Password aging was intended to reduce the time a bad actor had to guess a password. With modern computing power, this control isn’t logical and results in undesirable user behavior and reduces IT/infosec trust.
  13. But why do it?
      1. Gain intelligence about user behavior
      2. Assess password policies and user education
      3. Strengthen argument for…
         • technical controls
         • policy changes
         • algorithm changes
         • 2FA
  14. • John the Ripper
      • hashcat[-plus|-lite]
      • Cryptohaze Multiforcer
  15. Key space / brute force attack (example: Password1)
      • Key space = set of strings to enumerate
      • A-Z = 26, a-z = 26, 0-9 = 10
      • [A-Z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][0-9]
      • (26)^1 * (26)^8 * (10)^1
      • 13,537,086,546,263,600 ≈ 13.5 thousand trillion
  16. Dictionary attack (example: alamo)
      • Average adult vocabulary?
      • Key space = dictionary size
  17. RockYou exposure analysis
      • Average adult vocabulary?
      • Key space = dictionary size
  18. Rule attack (examples: Alamo!, omal, aallaammoo)
      • Transformations like using config file to set rules: Duplication, Reversal, Appending, Repeating
      • Key space of dictionary attack * transformations
  19. Combinator attack (example: alamocity)
      • Combines strings from one dictionary with strings from another
      • Dictionary 1 = 10,000 strings
      • Dictionary 2 = 50,000 strings
      • Combinations = 500 million
      • Vs. ~5.4 trillion for [a-z]^9 key space
      • Reduces key space by 99.99%
      • 1 day => 8 seconds
  20. Mask attack (example: Password1)
      • It’s Str0ng!
      • -1 ?u -2 ?l -3 ?d
      • ?1?2?2?2?2?2?2?2?3
      • Reduces key space by 99.98%
      • 1 day => 13 seconds
  21. Hybrid attack (example: Password1)
      • It’s Str0ng!
      • Dictionary + mask
      • Mask + dictionary
      • Dictionary
      • ?1?2?2?2?2?2?2?2?3
      • Reduces key space by 99.98%
      • 1 day => 13 seconds
  22. Work smart, not hard (TASHWIO)
      • 27% of alphabet
      • But 62% of first letters of English word usage!
      • -1 TASHWIOtashwio -2 ?u?l
      • ?1?2?2?2?2?2?2?2
      • Reduces key space by 73%
      • 1 day => 6.5 hours
  23. Large password leaks
      • RockYou – 32.6M plaintext
      • eHarmony – 1.5M unsalted MD5
      • LinkedIn – 6.5M unsalted SHA1
      • Gawker – 1.3M unsalted DES
  24. Analyzing eHarmony’s hashes
      • First 1 million of 1.5 million eHarmony passwords posted online in June 2012
      • Unsalted MD5s
  25. A CPU isn’t bad, but…
  27. My options
      1. Use existing hardware
      2. Build a cracking box (GPU-based)
      3. Look at cloud service providers
  28. Build your own
      • Beefy PSU
      • Adequate cooling and electrical
      • CPU and RAM relatively unimportant
      • Multiple GPUs
  29. Amazon EC2
      • Had utilized Amazon EC2 service
      • No capital investment to test it
      • On-demand
      • Scalable
      • Had an option that included GPUs
  37. • Type of system
      • Data transfer
      • Data storage
      • Purchase options
  38. The systems
      • Zelda ($0-ish/hour)
        • Pathetic Dell Latitude
      • Yoda ($0.32/hour)
        • 64-bit Ubuntu Server 12.04 LTS
        • m1.large (7.5GB RAM, 4 EC2 Compute Units)
      • Xzibit ($2.10/hour)
        • 64-bit Cluster GPU Amazon Linux AMI
        • cg1.4xlarge (22GB RAM, 33.5 EC2 Compute Units)
      • Wiggum (TBD)
        • Yoda (Grand Master) + 5 Jedi Knights
  39. The tests
      • 51 tests
      • Group 3 – masking
      • Group 4 – rules
      • Group 5 – combinations
      • Group 6 – hybrid (common prefixes + mask)
      • Group 7 – hybrid (new dictionary + mask)
      • Group 8 – hybrid (mask + common suffix)
      • Group 9 – TASHWIO + mask
  40. Process
      • Define sequence of jobs to run
      • Analyze results (during and after job)
      • Eliminate or adjust jobs based on results
      • Create new dictionaries
      • Create new rules
      • Re-run jobs using new dictionaries and rules
  41. Analyzing eHarmony’s hashes
      • No lowercase letters!?
      • Whoops!
  42. Do not truncate the password. Do not transform it to uppercase or lowercase. Do not limit the number of characters that can be utilized. Do not limit the user to a weak password.
  43. Results on Xzibit
  44. Use long, unpredictable, random salts. Better still use bcrypt or PBKDF2.
  45. Presentation goals recapped
      1. Value of password resiliency assessments – insight
      2. Freely available assessment tools – hashcat, Cryptohaze
      3. Assessment methodologies – iterative, intelligent
      4. Buy or rent – depends on use case and constraints
      5. Utilizing EC2 – fast, easy, flexible
      6. Hashing algorithm – bcrypt or PBKDF2
      7. Passphrases vs. passwords – passphrases…for now
  46. Cost
      • $2.10/hour
      • 54% cracked in 1 hour => $2.10
      • 69% cracked in 3 hours => $6.30
      • 77% cracked in 9 hours => $18.90
  47. Do not tell your colleagues the cloud is evil because you lack visibility. Or control. Or because you can do security better. They will not care. You will lose credibility. You will be excluded. And you will lose.
  48. Peak speeds
      • Xzibit – 1.6B/s
      • Yoda – 6.2M/s
      • Zelda – 14k/s
  49. Is EC2 worth it?
      • Xzibit = 258 * Yoda
      • Xzibit = $2.10 / hour
      • Yoda = $0.32 / hour
      • 1 hour on Xzibit = 258 hours on Yoda
      • 258 * $0.32 = $82.56
      • Yoda is 3,831% more expensive
  50. Workload distribution strategy
      • Use fast algorithm (say what!?)
      • No salt
      • [Reused|short|non-random] salt
      • Roll your own algorithm
      Split the hash file? Split the password candidates?
  51. Workload distribution strategy
      • Use fast algorithm (say what!?)
      • No salt
      • [Reused|short|non-random] salt
      • Roll your own algorithm
      1M hashes: 833s; 100k hashes: 742s; 10% of key space, 89% of duration
      Split the password candidates
  53. What’s next
      1. Value of password resiliency assessments – insight
      2. Freely available assessment tools – hashcat, Cryptohaze
      3. Assessment methodologies – iterative, intelligent
      4. Buy or rent – depends on use case and constraints
      5. Utilizing EC2 – fast, easy, flexible
      6. Hashing algorithm – bcrypt or PBKDF2
      7. Passphrases vs. passwords – passphrases…for now
  55. Passphrases
      • Sentences
      • Strings of words (careful!)
      • Mnemonics (acronyms)
      • Transformations similar to password construction
  56. Acquiring passphrase candidates
      • Crowdsource
      • Beg for orgs to share them
      • Wait until they’re leaked
      • Build our own
  57. Acquiring passphrase candidates
      • E-books
      • Movie scripts
      • Song lyrics
      • Tweets
      • Any file that contains phrases or sentences
  58. Passphrase builder
      • E-books
      • Movie scripts
      • Song lyrics
      • Tweets
      • Any file that contains phrases or sentences
      • Dictator – instructs on what files to get
      • Miner – acquires files
      • Hasher – hashes for uniqueness
      • Hoarder – adds to queue
      • Grabber – pulls file from queue
      • Converter – converts to plaintext
      • Massager – converts to lower
  59. Passphrase builder
      • E-books
      • Movie scripts
      • Song lyrics
      • Tweets
      • Any file that contains phrases or sentences
      • Splitter 1 – splits by sentence
      • Splitter 2 – splits by word
      • Parser – generates strings and acronyms
      • Recorder – adds to DB
      • Generator – sort, create acronyms, create output
  60. Passphrase builder
      • E-books
      • Movie scripts
      • Song lyrics
      • Tweets
      • Any file that contains phrases or sentences
      • A person who never made a mistake never tried anything new.
      • apwnmamntan
      • a person who never
      • person who never
      • person who never made
      • Ranking
        • Search engine results
        • Frequency in DB
        • Matches against leaks
  61. Q&A
      Steve Werby
      steve@befriend.com
      Twitter: @stevewerby
      http://www.linkedin.com/in/werby
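
Added example (not from the talk): slides 41 to 44 advise against case-folding and unsalted fast hashes and recommend random salts with bcrypt or PBKDF2. The Python sketch below stores the same constructed passwords both ways and shows what an auditor sees in each table; the function names, record format and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune for your own hardware


def weak_store(password: str) -> str:
    """Anti-pattern from slides 5 and 41: case-folded, unsalted MD5."""
    return hashlib.md5(password.upper().encode("utf-8")).hexdigest()


def strong_store(password: str, iterations: int = ITERATIONS) -> str:
    """Slide 44: random per-user salt plus PBKDF2; password used unmodified."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def duplicate_groups(table: dict) -> list:
    """Audit check: groups of users whose stored values are identical."""
    by_value = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


# Constructed sample accounts: three different passwords differing only in case.
SAMPLE = {"alice": "2012Election", "bob": "2012election", "carol": "2012ELECTION"}

if __name__ == "__main__":
    weak = {u: weak_store(p) for u, p in SAMPLE.items()}
    strong = {u: strong_store(p) for u, p in SAMPLE.items()}
    print("weak duplicates:  ", duplicate_groups(weak))
    print("strong duplicates:", duplicate_groups(strong))
    print("bob's password on alice's record:",
          strong_verify(SAMPLE["bob"], strong["alice"]))
```

In the weak table all three accounts collapse to one stored value, so a single recovered password exposes all of them; in the salted table no two records match and a case variant fails verification.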

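Added example (not from the talk): a key-space calculator for the mask notation on slides 20 and 22 and the combinator sizes on slide 19, for judging how little search a permitted password pattern actually demands. The comparison baselines (62^9, 26^9 and 52^8) are assumptions chosen because they reproduce the slides' percentages; function names are illustrative.

```python
BUILTIN = {"l": 26, "u": 26, "d": 10}  # ?l, ?u, ?d sizes, as listed on slide 15


def charset_size(definition: str, custom: dict) -> int:
    """Size of a charset like '?u?l' or 'TASHWIOtashwio' (no overlap assumed)."""
    size, i = 0, 0
    while i < len(definition):
        if definition[i] == "?":
            key = definition[i + 1]
            size += custom[key] if key in custom else BUILTIN[key]
            i += 2
        else:
            size, i = size + 1, i + 1  # literal character in the set
    return size


def mask_keyspace(mask: str, custom_defs: dict = None) -> int:
    """Number of candidates a mask covers, e.g. '?1?2?2?2?2?2?2?2?3'."""
    custom = {}
    for key, definition in (custom_defs or {}).items():
        custom[key] = charset_size(definition, custom)
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            total *= charset_size(mask[i:i + 2], custom)
            i += 2
        else:
            i += 1  # a literal position contributes a factor of 1
    return total


def reduction_pct(restricted: int, full: int) -> float:
    """Percentage of the full key space that the restricted search skips."""
    return 100 * (1 - restricted / full)


def scaled_seconds(restricted: int, full: int, baseline: float = 86400) -> float:
    """Search time if exhausting `full` takes `baseline` seconds (one day)."""
    return baseline * restricted / full


def slide_checks() -> dict:
    """Recompute the figures on slides 19, 20 and 22 (baselines are assumed)."""
    mask20 = mask_keyspace("?1?2?2?2?2?2?2?2?3", {"1": "?u", "2": "?l", "3": "?d"})
    mask22 = mask_keyspace("?1?2?2?2?2?2?2?2", {"1": "TASHWIOtashwio", "2": "?u?l"})
    combo19 = 10_000 * 50_000  # dictionary 1 x dictionary 2
    return {
        "combinator": (reduction_pct(combo19, 26 ** 9), scaled_seconds(combo19, 26 ** 9)),
        "mask": (reduction_pct(mask20, 62 ** 9), scaled_seconds(mask20, 62 ** 9)),
        "tashwio": (reduction_pct(mask22, 52 ** 8), scaled_seconds(mask22, 52 ** 8)),
    }
```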