8/10/2019 Writing your own password cracker.
1/64
PASSWORD HASHING
STORING PASSWORDS (diagram)
  User input text -> Password
  Generate random bytes -> Salt
  Generate hash: Format(Password, salt)
  Store(hash, salt) -> User database in DB table or file
CHECKING PASSWORD (diagram)
  User input text -> Password
  Lookup(salt, hash) in the user database (DB table or file) -> Salt, Stored hash
  Generate hash: Format(Password, salt)
  Compare(Generated hash, Stored hash): Identical?
    Yes -> User logged in
    No  -> Kicked out
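The store/check flow of the two diagrams above, as an added Python example (not code from the slides). The slides do not name the hash, so Format(Password, salt) is assumed here to be PBKDF2-HMAC-SHA256 with a fixed iteration count; the user database is a plain dict and the comparison is constant-time.

```python
import hashlib
import hmac
import os

# Added example, not from the slides. Format(Password, salt) is assumed to be
# PBKDF2-HMAC-SHA256; the slides leave the hash function unspecified.
ITERATIONS = 100_000
SALT_LEN = 16


def format_password(password: str, salt: bytes) -> bytes:
    """Format(Password, salt): derive the stored hash from password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_password(user_db: dict, user: str, password: str) -> None:
    """Generate random bytes (salt), hash, then Store(hash, salt)."""
    salt = os.urandom(SALT_LEN)
    user_db[user] = (salt, format_password(password, salt))


def check_password(user_db: dict, user: str, password: str) -> bool:
    """Lookup(salt, hash), regenerate the hash, Compare(Generated hash, Stored hash)."""
    record = user_db.get(user)
    if record is None:
        # Unknown user: still run one derivation so the response time does not
        # differ from the known-user path.
        format_password(password, bytes(SALT_LEN))
        return False
    salt, stored_hash = record
    generated_hash = format_password(password, salt)
    # Constant-time comparison: a plain == would stop at the first mismatching byte.
    return hmac.compare_digest(generated_hash, stored_hash)


if __name__ == "__main__":
    db = {}
    store_password(db, "alice", "correct horse battery staple")
    print("login ok:", check_password(db, "alice", "correct horse battery staple"))
    print("wrong pw:", check_password(db, "alice", "Tr0ub4dor&3"))
```

Because every user gets fresh salt bytes, two users with the same password end up with different stored hashes, which is what prevents one precomputed table from serving the whole user database.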
Apache Derby
Password hashing algorithm before CVE-2009-4269
SOURCE CODE ANALYSIS
WHAT IS APACHE DERBY?
Open source Java DB
Small footprint (
PASSWORD HASH
ALGORITHM IMPLEMENTATION

  import java.security.MessageDigest;
  import java.security.NoSuchAlgorithmException;

  // Derby's password hashing before the fix for CVE-2009-4269.
  // StringUtil and ID_PATTERN_NEW_SCHEME are Derby's own helpers;
  // ID_PATTERN_NEW_SCHEME is the "3b60" prefix shown on the next slide.
  protected String encryptPassword(String plainTxtUserPassword)
  {
      if (plainTxtUserPassword == null)
          return null;

      MessageDigest algorithm = null;
      try
      {
          algorithm = MessageDigest.getInstance("SHA-1");
      }
      catch (NoSuchAlgorithmException nsae)
      {
          // Ignore as we checked already during service boot-up
      }
      algorithm.reset();

      byte[] bytePasswd = null;
      bytePasswd = StringUtil.toHexByte(plainTxtUserPassword, 0, plainTxtUserPassword.length());
      algorithm.update(bytePasswd);
      byte[] encryptVal = algorithm.digest();

      String hexString = ID_PATTERN_NEW_SCHEME +
          StringUtil.toHexString(encryptVal, 0, encryptVal.length);
      return (hexString);
  }

  public static byte[] toHexByte(String str, int offset, int length)
  {
      byte[] data = new byte[(length - offset) * 2];
      int end = offset + length;

      for (int i = offset; i < end; i++)
      {
          char ch = str.charAt(i);
          int high_nibble = (ch & 0xf0) >>> 4;
          int low_nibble = (ch & 0x0f);
          data[i] = (byte)high_nibble;     // ??? written at index i, not 2*i ...
          data[i+1] = (byte)low_nibble;    // ... so the next iteration overwrites this low nibble
      }
      return data;
  }
ALGORITHM IMPLEMENTATION/2.

  Trace of toHexByte() for the password "Test12":

  i   char   ASCII hex   high nibble   low nibble   written to data[i], data[i+1]
  0   T      54          05            04           data[0]=05  data[1]=04
  1   e      65          06            05           data[1]=06  data[2]=05
  2   s      73          07            03           data[2]=07  data[3]=03
  3   t      74          07            04           data[3]=07  data[4]=04
  4   1      31          03            01           data[4]=03  data[5]=01
  5   2      32          03            02           data[5]=03  data[6]=02

  bytePasswd = 05 06 07 07 03 03 02
  (every low nibble except the last one is overwritten by the next character's high nibble;
   the rest of the 12-byte array stays 0)

  hash = concat( 0x3b60, toHexString( SHA1(bytePasswd) ) )
CRACKING: BRUTE FORCE
  Character set: 26 upper + 26 lower + 10 digits = 62
  8-character passwords
  Full space: 62^8 ~ 2 * 10^14
    Nvidia GF 8800 GT: 21 days
  After toHexByte(): 6^8 * 16 ~ 2 * 10^7
    Nvidia GF 8800 GT: 0.23 sec
  Ratio = 1/8124628
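To make the effect of the toHexByte() bug on the slides above concrete, here is an added Python port of the pre-fix Derby code (this is not Derby's code and not from the slides), kept bug-for-bug compatible, together with a function that counts exactly how many distinct bytePasswd arrays an 8-character password over the 62-character set can produce. The slide's 6^8 * 16 is an estimate; the function computes the exact class count for the stated character set, which comes out smaller still. The "3b60" prefix is the one shown on the trace slide.

```python
import hashlib
import string

# Added example, not from the slides or from Derby: a Python port of the
# pre-CVE-2009-4269 code, reproducing its toHexByte() index bug on purpose.
ID_PATTERN_NEW_SCHEME = "3b60"   # prefix shown on slide "ALGORITHM IMPLEMENTATION/2."
ALNUM = string.ascii_uppercase + string.ascii_lowercase + string.digits  # 62 characters


def to_hex_byte(s: str) -> bytes:
    """Port of StringUtil.toHexByte(str, 0, len(str)) with its index bug:
    data[i] and data[i+1] are written for character i, so the next
    character's high nibble overwrites this character's low nibble."""
    data = bytearray(len(s) * 2)          # (length - offset) * 2, zero-filled like Java
    for i, ch in enumerate(s):
        code = ord(ch)
        data[i] = (code & 0xF0) >> 4       # high nibble
        data[i + 1] = code & 0x0F          # low nibble (overwritten next iteration)
    return bytes(data)


def encrypt_password(password: str) -> str:
    """Port of encryptPassword(): "3b60" + hex(SHA-1(bytePasswd))."""
    return ID_PATTERN_NEW_SCHEME + hashlib.sha1(to_hex_byte(password)).hexdigest()


def equivalence_classes(charset: str, length: int) -> int:
    """Exact number of distinct bytePasswd arrays for passwords of `length`
    characters over `charset`: positions 0..length-2 contribute only their
    high nibble, the last position contributes the whole character."""
    high_nibbles = {ord(c) >> 4 for c in charset}
    return len(high_nibbles) ** (length - 1) * len(charset)


if __name__ == "__main__":
    print("bytePasswd for Test12:", to_hex_byte("Test12").hex(" "))
    # 'T' (0x54) and 'U' (0x55) share a high nibble, so the digests collide.
    print("Test12 == Uest12:", encrypt_password("Test12") == encrypt_password("Uest12"))
    full = len(ALNUM) ** 8
    classes = equivalence_classes(ALNUM, 8)
    print(f"62^8 = {full:.1e}, distinct digests = {classes:.1e}, ratio 1/{full // classes}")
```

The collision between "Test12" and "Uest12" is the defender-relevant point: the stored digest no longer distinguishes passwords that differ only in low nibbles, so any password in the same class authenticates, which is why the fix had to change the hash format rather than just the comparison.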
FIX
  Apache.org notified in December 2009
  Vulnerability CVE-2009-4269
  Fix released in May 2010: Derby 10.6.1.0
  http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
  Bug fixed
  BUILTIN authentication: not recommended in production DBs
Sybase ASE (Adaptive Server Enterprise) RDBMS
BINARY ANALYSIS
REVERSE ENGINEERING
Live analysis (Debugger, Monitoring Tools)
Off-line analysis (Disassembler)
Concept:
Get the big picture
Create a theory/model
Test
SYBASE ASE
  Sybase "Adaptive Server Enterprise"
  Runs on Linux, UNIX, Windows and MacOS X
  Market share: 4.
  Cousin of Microsoft SQL Server: in 1994 Microsoft bought the source
  Main releases: 12.5.x (2001), still in use at some companies
  15.0.5 latest version, evaluation downloadable
  Password encryption: SYB-PROP, SHA-256
Live CODE Analysis
SYBASE SHA-256 HASH
LOGIN INFORMATION
WHERE TO START?
Information gathering
Search for an entry point
User input
Program output
System call
Known constants
AVAILABLE INFORMATION
  http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc31654.1502/html/sag1/BCFDGIFC.htm
MEMORY BREAKPOINT
  Search for the constant (debugger helps).
  Byte order is reversed: search for 0x67E6096A (h0 in the source)
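Searching for a known initialisation constant is the same technique used when identifying crypto routines in any unknown binary, so here is an added Python example (not from the slides) that finds the SHA-256 and SHA-1 initial hash values in a byte blob in either byte order, and shows why the search value on the slide is 0x67E6096A rather than 0x6A09E667. The blob is constructed for the example.

```python
import struct

# Added example, not from the slides: locate the SHA-256 and SHA-1 initial
# hash values in a byte blob, in both byte orders. SAMPLE_BLOB is constructed.
SHA256_H = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
            0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19)
SHA1_H = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def reversed_word(value: int) -> str:
    """Hex string of a 32-bit word as it sits in memory on a little-endian CPU."""
    return struct.pack("<I", value).hex()


def find_hash_constants(blob: bytes) -> list:
    """Return (algorithm, word index, byte order, offset) for every match, by offset."""
    hits = []
    for name, words in (("SHA-256", SHA256_H), ("SHA-1", SHA1_H)):
        for idx, word in enumerate(words):
            for fmt, order in (("<I", "little-endian"), (">I", "big-endian")):
                needle = struct.pack(fmt, word)
                off = blob.find(needle)
                while off != -1:
                    hits.append((name, idx, order, off))
                    off = blob.find(needle, off + 1)
    return sorted(hits, key=lambda h: h[3])


# Constructed sample: filler, then the eight SHA-256 words as an x86 build
# stores them (little-endian), then more filler.
SAMPLE_BLOB = b"\x90" * 16 + struct.pack("<8I", *SHA256_H) + b"\xcc" * 8

if __name__ == "__main__":
    print("h0 as stored in memory:", reversed_word(SHA256_H[0]))
    for hit in find_hash_constants(SAMPLE_BLOB):
        print(hit)
```

A run of all eight words at consecutive 4-byte offsets is a strong indicator of a SHA-256 initialisation routine; a single isolated match is weak evidence and needs the call-stack confirmation the following slides describe.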
FINAL INSTRUCTIONS OF HASHING FOUND
CALL STACK
THE CALL OF HASHING FUNCTION FOUND
PYTHON CODE - TEST
OFF-LINE Analysis
SYB-PROP HASH
SYB-PROP: HOW?
  Old Sybase versions not available
  Current version is 15.0.5: using SYB-PROP is not allowed
  Old password hashes only in 15.0.0 or 15.0.1
  I have no access to an old Sybase DB
  Some companies still use Sybase ASE 12.x !
DOWNGRADE VERSION 15.0.5 TO 15.0.[01]
AFTER DOWNGRADE
OFFLINE ANALYSIS
IDA Free 4.9
Symbols included -> function names
OUTLINE OF FUNCTION CALLS (MINDMAP)
  password -> meta_keysch() -> meta_encrypt()
  (both arrows are labelled 64 bytes)
META_ENCRYPT()
Input: 64 bytes
Output: 64 bytes
Last 28 bytes -> hash
assembly instructions: ~ 80
function calls: 5
(conditional) jumps: 7
CRYPTO IDENTIFIED
string constant
FEAL
FEAL
  Fast data Encipherment Algorithm
  NTT, 1987: replacement for DES
  Feistel network
  key scheduling, encryption/decryption
  FEAL-4, FEAL-8, FEAL-N, FEAL-NX, FEAL-32X
  number of rounds: different
  key size: different
  Known vulnerabilities -> not recommended
FEAL VERSION IN SYBASE?
Number of rounds
Key schedule size
FEAL in Sybase:
Key: 8 bytes
Key schedule: 32 bytes
Output: 8 bytes
Conclusion: FEAL-8
STRING CONSTANT
FUNCTION META-ENCRYPT (diagram)
  STRING CONSTANT, split into 8-byte blocks blck1, blck2, blck3, ... (fragments visible on the slide: "Q Whydid", "theflyda", "nceonthe", "jar A Be")
  meta_keysch() -> result blocks
  ENC. ROUNDS: FEAL-8 per block, key = result block from meta_keysch(), input = blckN
  ROUND RESULTS: res_blck1, res_blck2, res_blck3, ... res_blck8
META_KEYSCH ROUND SALT
  salt byte
MIXING BYTES (diagram)
  input bytes 1. 2. 3. 4. 5. 6. 7. 8. (expanded password)
  salt byte: ( rand() >> 8 ) % 0xFF
  output bytes 1. 2. 3. 4. 5. 6. 7. 8.
FUNCTION META_KEYSCH OPERATION, ROUNDS: 8
  Initialization: XP -> expand password with 0x1D bytes to 57 bytes
  seed number = system time -> 1 byte
  PRNG init: stdlib.h / srand(seed);
  Rounds: round salt byte = rand() -> 1 byte
  ROUND KEY:
    first round: MIX( salt byte, XP[first block] )
    other rounds: buffer = XP[ (round - 1) * 8 + 1 ] combined with result[ (round - 1) * 8 ] (the combining operator is not legible on the slide); MIX( salt byte, buffer )
  RESULT:
    first 2 rounds: FEAL( round key, const_str[ seed % 0x30 + 1 ] )
    other rounds: round key itself
META_KEYSCH() ROUNDS (diagram)
  eXpanded Password XP -> round input blocks (8 bytes each): XP[ 0 ], XP[ 0*8 + 1 ], XP[ 1*8 + 1 ], XP[ 2*8 + 1 ]
  each round: MIX( round salt (1 byte), round input block, previous round result ) -> round result (8 bytes)
  rounds 1 and 2: round result is the FEAL-8 key, input = const_str[ seed % 0x30 ] -> RES_BLCK 1, RES_BLCK 2
  rounds 3 and 4: round result taken directly -> RES_BLCK 3, RES_BLCK 4
  RESULT BLOCKS: RES_BLCK 1, RES_BLCK 2, RES_BLCK 3, RES_BLCK 4
RECONSTRUCTION
  FEAL-8 specification: Applied Cryptography by Bruce Schneier
  C source code: http://tirnanog.ls.fi.upm.es/NoSeguro/Servicios/Software/ap_crypt/indice.html
  Reconstruction not accurate
  Sybase FEAL-8 implementation: FIX key + FIX input -> output?
  results(Sybase) differ from results(official specification)
  key schedule: only the first 4 bytes identical
WHY NOT WORKING?
  Sybase FEAL-8 omitted a step in the key processing part
  Source: Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone
  U^(-2) is not updated, so U^(i-3) remains 0
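The observation on the two slides above (a key schedule that agrees with the specification only in its first 4 bytes) can be reproduced directly. Below is an added Python example, not Sybase's code and not from the slides: the FEAL-8 key schedule written in the U^(i) notation of the Handbook of Applied Cryptography, with f_K and the S-function as described there and in Schneier, plus a switch that models the described deviation (the U^(i-3) slot is never refreshed and stays 0). The key value is constructed; the hex values in the test are worked by hand from these definitions.

```python
# Added example, not from the slides and not Sybase's code: the FEAL-8 key
# schedule in the U^(i) notation of the Handbook of Applied Cryptography, with
# a switch reproducing the deviation described on the slide above
# (U^(-2) never updated, so the U^(i-3) term stays 0).


def rol2(x: int) -> int:
    """Rotate an 8-bit value left by two positions."""
    return ((x << 2) | (x >> 6)) & 0xFF


def s_d(x: int, y: int, d: int) -> int:
    """FEAL S-function: S_d(x, y) = ROL2((x + y + d) mod 256), d in {0, 1}."""
    return rol2((x + y + d) & 0xFF)


def f_k(alpha: bytes, beta: bytes) -> bytes:
    """Key-schedule function f_K on two 4-byte words (HAC / Schneier description)."""
    fk1 = alpha[1] ^ alpha[0]
    fk2 = alpha[2] ^ alpha[3]
    fk1 = s_d(fk1, fk2 ^ beta[0], 1)
    fk2 = s_d(fk2, fk1 ^ beta[1], 0)
    fk0 = s_d(alpha[0], fk1 ^ beta[2], 0)
    fk3 = s_d(alpha[3], fk2 ^ beta[3], 1)
    return bytes((fk0, fk1, fk2, fk3))


def xor4(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def feal8_key_schedule(key: bytes, omit_u3: bool = False) -> bytes:
    """32-byte extended key K0..K15 (two bytes each) from a 64-bit key.

    U^(-2) = 0, U^(-1) = K_R, U^(0) = K_L
    U^(i)  = f_K( U^(i-2), U^(i-1) XOR U^(i-3) )   for i = 1..8
    K_{2i-2} = (U^(i)_0, U^(i)_1), K_{2i-1} = (U^(i)_2, U^(i)_3)
    With omit_u3=True the U^(i-3) slot is never refreshed and stays 0.
    """
    if len(key) != 8:
        raise ValueError("FEAL-8 key must be 8 bytes")
    u3, u2, u1 = bytes(4), key[4:], key[:4]      # U^(i-3), U^(i-2), U^(i-1)
    schedule = bytearray()
    for _ in range(8):
        u = f_k(u2, xor4(u1, u3))
        schedule += u
        if omit_u3:
            u2, u1 = u1, u                         # u3 deliberately left at 0
        else:
            u3, u2, u1 = u2, u1, u
    return bytes(schedule)


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes on which two schedules agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")       # constructed sample key
    spec = feal8_key_schedule(key)
    deviant = feal8_key_schedule(key, omit_u3=True)
    print("specification  :", spec.hex())
    print("U^(i-3) omitted:", deviant.hex())
    print("identical leading bytes:", common_prefix_len(spec, deviant))
```

In round 1 the omitted term is 0 in the specification as well (U^(-2) = 0), so the first 4 bytes of the schedule, K0 and K1, are identical; from round 2 on the XOR with U^(i-3) is missing and every later subkey diverges, which is exactly the symptom the reconstruction slide reports.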
STRUCTURE OF A SYB-PROP HASH
0xd405c8a83114cf59fe510d92c7e90c37f2741e0a04f70af14d9bd8a21f46
seed for srand()
hash type indicator
hash: last 28 bytes from meta_encrypt() result
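A small parser for the layout on this slide, as an added Python example (not from the slides). It assumes the two leading bytes appear in the order the slide lists the fields (seed first, then the hash type indicator); the slide does not state which of the two bytes is which, so treat that ordering as an assumption to confirm against a live system. The const_str index follows the seed % 0x30 expression from the META_KEYSCH slide.

```python
# Added example, not from the slides: split a SYB-PROP hash string into the
# fields the slide lists. ASSUMPTION: byte 0 is the srand() seed and byte 1 the
# hash type indicator, i.e. the order in which the slide lists them.
SYBPROP_LEN = 30   # 2 leading bytes + 28 hash bytes


def parse_sybprop(hash_hex: str) -> dict:
    """Parse a 0x-prefixed or bare hex SYB-PROP value into its fields."""
    text = hash_hex[2:] if hash_hex.lower().startswith("0x") else hash_hex
    raw = bytes.fromhex(text)
    if len(raw) != SYBPROP_LEN:
        raise ValueError(f"expected {SYBPROP_LEN} bytes, got {len(raw)}")
    seed, hash_type = raw[0], raw[1]           # order assumed from the slide
    return {
        "seed": seed,                          # value handed to srand()
        "hash_type": hash_type,
        "const_str_index": seed % 0x30,        # const_str[ seed % 0x30 ] (META_KEYSCH slide)
        "hash": raw[2:],                       # last 28 bytes of the meta_encrypt() result
    }


if __name__ == "__main__":
    # The value is the one printed on the slide.
    fields = parse_sybprop("0xd405c8a83114cf59fe510d92c7e90c37f2741e0a04f70af14d9bd8a21f46")
    for name, value in fields.items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```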
OWN PASSWORD CRACKER
HOW A PASSWORD CRACKER OPERATES? (diagram)
  1. generate passwords for testing:
     - wordlist: transformation, permutation
     - SMART: local, personal, company related
     - brute-force: full search in the password space
     - Markov-chain
  2. format the passwords and salt
  3. generate hashes
  4. compare the result hash with the original one
FUNCTIONALITY
Multiple passwords simultaneously
audit practice: n*100 passwords
Session handling
Customized character set
Customized permutation rules
CPU (diagram)
  Data pool -> processing units PU_1, PU_2, PU_3, PU_4, ... PU_N -> Result pool
  Single Instruction Multiple Data (SIMD)
  Intel x86/x64:
  - 8/16 * 128 bit XMM registers
  - SSE (Streaming SIMD Extensions) instruction set
CPU VS. GPU
  Raw estimate for computing speed: raw GPU performance / raw CPU performance ~ 3-10
  May vary depending on the specific application and the number of cores
SAMPLE GPU CRACKER
CUDADBCRACKER
NVIDIA CUDA
MSSQL, Oracle11g hashes
simultaneously cracks passwords
session handling
Source code/Executable:
http://marcellmajor.com
PROPRIETARY HARDWARE
  ASIC (Application Specific Integrated Circuit)
    Expensive setup (>1,000,000 USD)
    Up to 6-10 times faster than FPGAs
  FPGA (Field Programmable Gate Array)
    ASIC prototyping
    Computing
PROPRIETARY HARDWARE/2.
  ASIC/FPGA = faster bruteforcing than CPU/GPU, BUT:
  Custom crypto algorithms?
  Features? Wordlist, permutations?
  Session handling?
  Simultaneous passwords?
CONCLUSION
Reverse engineering is feasible
Security by obscurity: useless
Sample source code helps in development
Every technology has some:
advantages
disadvantages