Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 Aug 2010 01:32:42 -1000
From: Charles Weir <cweir@...edu>
To: john-users@...ts.openwall.com
Subject: Crack Me If You Can Challenge Writeup

I had the pleasure recently in competing alongside the john_user's
group in KoreLogic's Crack Me If You Can Challenge. I'd like to start
off by first thanking KoreLogic who not only devoted their time to set
up the contest, but also staffed the contest booth throughout the
challenge, (and put up with our crazy submissions). I'd also like to
thank Solar for organizing all of us, and from what I can tell from
the timestamps on the e-mails he sent out, devoting a sleepless
weekend to this contest.

Overview:
Since I was attending Defcon at the time, I along with Fyord
represented the john_users group. The downside of this was that it was
very hard for me to keep up with what the rest of the team was doing
since I was hesitant to check my webmail on the secure wireless setup,
and my AT&T data coverage was spotty at best, (since several thousand
other people were checking their I-Phones at the same time). That
being said, I had a great time hanging around the Kore booth and
finding out what techniques other people were using. I really valued
everyones' inputs since, as was pointed out several times to me,
(rightfully so), all of my past work on password cracking has been
conducted on web-passwords. Getting a chance to talk to people who
have audited corporate passwords was an amazing opportunity for me.

Hardware:
Primary Computer:
2.2 GHz Intel Core 2 Duo Mac Laptop with 1 GB of Ram.
This is the computer I did most of my cracking on, and I left it
running in my hotel room throughout most of the contest. Unfortunately
I was not staying at the Riviera so with a few exceptions I was only
able to check  it when I came back at night and in the morning before
I left. This meant I was limited in my ability to tweak my attacks to
to take into account the patterns that appeared in the cracked
passwords.

Secondary Computer:
Asus EEE Netbook, 1 GB of Ram.
This was the computer I carried around with me at the conference. I
ran short cracking sessions on it when I had some free time, but power
(electrical) was an issue. I also frequently stopped my cracking
session when I needed to do something else, (like demo  tools with
other people, or try to help some friends out in the OpenCTF
competition).

BTW, if you are bored at Defcon, you are doing something wrong ;)

Password Cracking Overview:
I managed to download the password hashes sometime around 1:00am
Thursday night. I started by focusing on standard pw cracking attacks
using common dictionaries, such as password.lst. I also mostly focused
on the NTLM password hashes. In short, I was pretty much duplicating
everyone else's work... Sometime around 2:30am Friday according to my
notes I switched to the Crypt-MD5 hashes and ran JtR's password.lst
using the single mode ruleset, (the reason for this is I desperately
wanted to get some sleep and figured it was a worthwhile attack to run
through the night) . I stopped that attack at 9:20am after completing
only 1.15% of the cracking session. At that point I had cracked 603 of
4716 (12.78%) of the Crypt-MD5 hashes. On a side note, I was only
making around 6000 guesses a second against the Crypt-MD5 hashes. I'm
not sure if that was 6000 g/s against all of the hashes, or if I was
only making about unique 2 g/s. Needless to say, I wasn't making much
progress...

Before I left to attend the conference Friday morning, I launched
another attack using the single mode ruleset and the various InsidePro
"From Queue" dictionaries. I also created a wordlist containing all of
the extracted lower-alpha characters from the passwords the
john_user's team had cracked, and uploaded it to the team's server.
Aka I created an input dictionary by extracting the words, (in a
fairly naive manner), from the cracked passwords.I also created an
input dictionary of all of the usernames, but this turned out to be
not very useful. The Kore folks admitted later that they didn't think
about matching passwords up with usernames until after they had
created all of the hashes.

I arrived back at my room that evening around 7:00PM ish, and while
getting ready to head out to the EFF charity benefit party, (did I
mention there's a few things to do at Defcon), I finally got around to
using my probabilistic password cracker against the NTLM password
hashes. For the training list, I used the MySpace passwords, and for
input dictionaries I selected dic-0294, and a list of 500 common
passwords. I let this attack run for the next couple of hours while I
attended a couple of the nightly Defcon events.

After I got back around 1:30am Saturday morning I decided to retrain
my probabilistic cracker on the passwords our team had already
cracked. Normally I don't like doing this, (training on a set I'm
attempting to crack), since it's like drinking your own bathwater. The
cracker gets better at cracking passwords you've already cracked, but
worse at cracking passwords you haven't seen. That being said, I
almost immediately started cracking a lot more NTLM password hashes.
It was actually pretty cool to witness.  At around 3:00 am I received
an invitation to join the HashCat group on their IRC server and spent
a while talking to them. They were very classy, and even offered me
some of their rulesets. I declined to use them though during the
contest since I didn't want to take unfair advantage of their
generosity... I also didn't have a Windows computer to run Hashcat off
of, but I prefer the first explanation ;)

I got off to a slow start Saturday morning, but I ended up running my
probabilistic cracker against NTLM passwords using the re-trained
ruleset, and using the input dictionary I had previously created from
cracked passwords. Throughout the day I also ran attacks on my EEE PC
using custom JtR rules such as adding 2010 inside words, (aka
pa2010ssword). I created these rules based on patterns I saw in the
cracked passwords. It was also at this point when I realized I should
have used SRaveau's Wikipedia dictionary sooner. It cracked quite a
few NTLM passwords I hadn't managed to crack before. I should also
mention that I ran shorter cracking sessions against some of the other
password hashes, such as DES, using my EEE PC.

Saturday afternoon I went back to my hotel room and switched to
Crypt-Sha passwords, since I realized I was pretty much duplicating
the work everyone else had done with the NTLM password hashes.Once
again, I was using my probabilistic cracker. I returned shortly before
11:00 pm but I pretty much just let my attacks keep running. I was
still cracking around 1 Crypt-Sha hash a minute, and I was uploading
my results until the the contest ended. And that was that.

Lessons Learned and Mistakes Made:

1) I believe the key to this contest was analyzing the cracked
passwords and creating custom rulesets based on them. The HashCat and
CrackHeads groups did this amazingly well, (I have no idea what
InsidePro's strategy was).

2) While JtR has the most powerful built-in rule creation system,
based on the listserv posts, it looks like our team had a hard time
taking advantage of it.

3) From my conversations with other people at the conference, JtR's
config files/rules are pretty much universally
hated/feared/misunderstood. It's almost comical since many of the
people I talked to are fluent in several programming/scripting
languages.

4) I discovered numerous improvements I need to make to my
probabilistic cracker, (which is one of the many reasons why I
competed in this challenge). Right now my probabilistic cracker is
designed to be trained on a list of plaintext passwords that resemble
the target. This limits its effectiveness when retraining it on a set
of passwords it currently is attacking. I need to modify the training
program to include an option where it will be more effective when
trained on a partially cracked set of passwords. One example of this
is to ignore password length, (aka we were much more likely to crack
shorter passwords earlier on which meant the probabilistic cracker
focused on shorter passwords when it was retrained).

5) There's a lot of work left to be done weaponizing my probabilistic
cracker, such as reducing the memory usage, and adding support for
insertion rules, (aka pa2010ssword).

6) I'm really envious of team CrackHeads's use of Amazon EC2 clusters.
I wish I had thought of that!

7) Rather than starting my probabilistic cracker from the most
probable password first, I should have started from a less probable
starting point to avoid duplicating everyone else's work. That's one
serous downside with using it since it doesn't play well with other
types of password cracking attacks, (aka avoid duplicating work).

I'm almost certainly going to expand on this writeup later, but I
wanted to get something out in a somewhat reasonable time. Thanks once
again to everyone, and hopefully we'll get a chance to do better next
year!

Matt Weir
http://reusablesec.blogspot.com

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ