You are on page 1of 64

Major Marcell

(marcell.major@gmail.com)

Hacktivity 2010

WRITING YOUR OWN PASSWORD CRACKER

INTRODUCTION + AGENDA
Anatomy of password hashing Source code analysis example (Apache Derby) Binary analysis examples (Sybase) Writing your own cracker Speedup

Knowledge: programming, cryptography

PASSWORD HASHING

STORING PASSWORDS
User input text Password Format(Password, salt) Generate hash Store(hash, salt) Generate random bytes Salt

User database in DB table or file

CHECKING PASSWORD
User input text User database in DB table or file Lookup(salt, hash) Format(Password, salt) Generate hash Salt Generated hash Stored hash

Password

Compare(Generated hash, Stored hash) Yes Identical?

No

User logged in

Kicked out

HOW/WHY CRACKING PASSWORDS?


Security audit Pen-test Privilege escalation Get a cracker tool

What if there is no cracker available?

Apache Derby Password hashing algorithm before CVE-2009-4269

SOURCE CODE ANALYSIS

WHAT IS APACHE DERBY?


Open source Java DB Small footprint (<3MB) Version 10.5.3.0 (released August 21, 2009) Modes of operation:

Client-server Embedded

Password encryption options:


Cleartext in file Hashed in DB

derby.authentication.provider=BUILTIN

PASSWORD HASH

ALGORITHM IMPLEMENTATION
protected String encryptPassword(String plainTxtUserPassword) { if (plainTxtUserPassword == null) return null; MessageDigest algorithm = null; try { algorithm = MessageDigest.getInstance("SHA-1"); } catch (NoSuchAlgorithmException nsae) { // Ignore as we checked already during service boot-up } algorithm.reset(); byte[] bytePasswd = null; bytePasswd = StringUtil.toHexByte( plainTxtUserPassword,0,plainTxtUserPassword.length()); algorithm.update(bytePasswd); byte[] encryptVal = algorithm.digest(); String hexString = ID_PATTERN_NEW_SCHEME + StringUtil.toHexString(encryptVal,0,encryptVal.length); return (hexString); } public static byte[] toHexByte(String str, int offset, int length) { byte[] data = new byte[(length - offset) * 2]; int end = offset+length; for (int i = offset; i < end; i++) { char ch = str.charAt(i); int high_nibble = (ch & 0xf0) >>> 4; int low_nibble = (ch & 0x0f); data[i] = (byte)high_nibble; data[i+1] = (byte)low_nibble; } return data; }

???

ALGORITHM IMPLEMENTATION/2.
text T e s t 1 2
i 0 05 1

ASCII HEX
toHexByte

54 65 73
05 04 06

74

31 32

07

03
07 04 03 01 03 02

2
3 4 5

bytePasswd
hash

05

06

07

07

03

03

02

concat( 0x3b60, toHexString( SHA1(bytePasswd) ) )

CONSEQUENCES

ASCII table (source: http://ascii-table.com/)

ASCII(A) = 0x41
Sample hashes:
APASS: BPASS: CPASS: DPASS: EPASS: FPASS: GPASS: HPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587

Only the higher 4 bits used from password characters, except last one

CRACKING: BRUTE FORCE


Character-set: 26 upper+ 26 lower + 10 digit 8 character passwords

62^8 2 * 10 ^ 14 Nvidia GF 8800 GT 21 days

After toHexByte()
6^8*16 2 * 10 ^ 7 Nvidia GF 8800 GT 0.23 sec

Ratio = 1/8124628

FIX
Apache.org notified in December 2009 Vulnerability CVE-2009-4269 Fix released in May 2010 Derby 10.6.1.0

http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269

Bug fixed BUILTIN authentication: not recommended in production DBs

Sybase ASE (Adaptive Server Enterprise) RDBMS

BINARY ANALYSIS

REVERSE ENGINEERING
Live analysis (Debugger, Monitoring Tools) Off-line analysis (Disassembler) Concept:

Get

the big picture Create a theory/model Test

SYBASE ASE

Sybase "Adaptive Server Enterprise


Runs on Linux, UNIX, Windows and MacOS X

Market share: 4. Cousin of Microsoft SQL Server: 1994: Microsoft bought the source Main releases:

12.5.x (2001) still in use at some companies 15.0.5 latest version, evaluation downloadable SYB-PROP SHA-256

Password Encryption:

Live CODE Analysis

SYBASE SHA-256 HASH

LOGIN INFORMATION

SAMPLE

WHERE TO START?
Information gathering Search for an entry point

User

input Program output System call Known constants

AVAILABLE INFORMATION

http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infoce nter.dc31654.1502/html/sag1/BCFDGIFC.htm

POSSIBLE ENTRY POINT

MEMORY BREAKPOINT
Search for the constant (debugger helps) Byte order is reversed: search for 0x67E6096A (h0 in the source)

FINAL INSTRUCTIONS OF HASHING FOUND

CALL STACK

THE CALL OF HASHING FUNCTION FOUND

PYTHON CODE - TEST

RECONSTRUCTION

Steps:
1. 2. 3. 4.

5.

UTF-16 conversion (Big Endian) Append 0x00 bytes to the length of 510 Append the salt (8 bytes) Generate SHA-256 hash (32 bytes) Result = 0xc007 + hex(salt) + hex(hash)

Cracker: sybcrack
http://marcellmajor.com OpenSSL SHA256 implementation worauthbf source code (http://soonerorlater.hu)

OFF-LINE Analysis

SYB-PROP HASH

SYB-PROP: HOW?
Old Sybase versions not available Current version is 15.0.5

using

SYB-PROP is not allowed old password hashes only in 15.0.0 or 15.0.1

I have no access to old an Sybase DB Some companies still use Sybase ASE 12.x !

DOWNGRADE VERSION 15.0.5 TO 15.0.[01]

AFTER DOWNGRADE

INFORMATION?

ENTRY POINT
Debug near the code computing SHA256 After some debugging another call found

Output:

64 bytes last 28 bytes -> Old hash

Block cipher Not DES Not AES No specific constants found

OFFLINE ANALYSIS
IDA Free 4.9 Symbols included -> function names

OUTLINE OF FUNCTION CALLS (MINDMAP)

password

meta_keysch()

64 bytes

meta_encrypt()

64 bytes

META_ENCRYPT()
Input: 64 bytes Output: 64 bytes

Last

28 bytes -> hash

assembly instructions: ~ 80 function calls: 5 (conditional) jumps: 7

CRYPTO IDENTIFIED

FEAL

string constant

FEAL

Fast data Encipherment Algorithm


NTT

in 1987 replacement for DES Feistel networks key scheduling encryption/decryption


number

FEAL-4, FEAL-8, FEAL-N, FEAL-NX, FEAL-32X


of rounds: different key size: different

Known vulnerabilities -> not recommend

FEAL VERSION IN SYBASE?


Number of rounds Key schedule size FEAL in Sybase:

Key:

Key

schedule: Output:

8 bytes 32 bytes 8 bytes

Conclusion: FEAL-8

STRING CONSTANT

FUNCTION META-ENCRYPT
STRING CONSTANT

Q:Whydid
input

theflyda

nceonthe

jar?A:Be

key

FEAL-8
input input

ENC. ROUNDS

key

FEAL-8

key

FEAL-8

blck1

blck2

blck3

res_blck3

meta_keysch() result blocks

ROUND RESULTS

res_blck1

res_blck2

res_blck8

META_KEYSCH()
Input: password Output: 64 bytes

assembly instructions: ~450 function calls: 15 (conditional) jumps: 29

META KESCH ROUND SALT

salt byte

MIXING BYTES
salt byte
( rand() >> 8 ) % 0xFF

input bytes
(expanded password)

1.

2.

3.

4.

5.

6.

7.

8.

output bytes

1.

2.

3.

4.

5.

6.

7.

8.

FUNCTION META_KEYSCH OPERATION


ROUNDS: 8 Initialization:

XP -> expand password with 0x1D bytes to 57 bytes seed number = system time -> 1 byte PRNG init: stdlib.h / srand(seed); round salt byte = rand() -> 1 byte ROUND KEY:

Rounds:

first round

MIX( salt byte, XP[first block] )

other rounds

buffer = XP[ (round 1) * 8 + 1 ] MIX(salt byte, buffer)

result[ (round -1) * 8 ]

RESULT

first 2 rounds - FEAL(round key, const_str[seed % 0x30 + 1]) other rounds - round key itself

META_KEYSCH() ROUNDS
eXpanded Password
XP[ 0 ] XP[ 0*8 + 1 ]
round input block

XP[ 1*8 + 1 ]
round input block

XP[ 2*8 + 1 ]

round salt

round input block

round input block

round salt
8 bytes 1 byte

8 bytes 1 byte

round salt
8 bytes 1 byte

round salt
8 bytes 1 byte

MIX

MIX

MIX

MIX

const_str [ seed % 0x30 ]


input
key

const_str [ seed % 0x30 ]


input key

FEAL-8

FEAL-8

round result

round result

round result

round result

RES_BLCK #1

RES_BLCK #2

RES_BLCK #3

RES_BLCK #4

RESULT BLOCKS

RECONSTRUCTION
FEAL-8 specification: Applied cryptography by Bruce Schneier C source code

http://tirnanog.ls.fi.upm.es/NoSeguro/Servicios/Software/ap_crypt/indice.html

Reconstruction not accurate Sybase FEAL-8 implementation:

FIX

key + FIX input -> output? results(Sybase) results(official specification) key schedule: only the first 4 bytes identical

WHY NOT WORKING?


Sybase FEAL-8 omitted a step in the key processing part

U(-2) is not updated, U(i-3) remains 0

Source: Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone

SOURCE CODE

STRUCTURE OF A SYB-PROP HASH

0xd405c8a83114cf59fe510d92c7e90c37f2741e0a04f70af14d9bd8a21f46

hash: last 28 bytes from meta_encrypt() result

hash type indicator

seed for srand()

OWN PASSWORD CRACKER

HOW A PASSWORD CRACKER OPERATES?


wordlist
SMART local, personal , company related

transformation, permutation

format the passwords and salt

generate passwords for testing Markovchain brute-force: full search in the password space

generate hashes

compare the result hash with the original one

FUNCTIONALITY

Multiple passwords simultaneously


audit

practice: n*100 passwords

Session handling Customized character set Customized permutation rules

CPU GPU FPGA Hardware implementation

COMPARISON OF TECHNOLOGIES

CPU
Single Instruction Multiple Data (SIMD)
Intel x86/x64: -8/16 * 128 bit XMM registers -SSE (Streaming SIMD Extensions) instruction set

Data pool

processing units

PU_1

PU_2

PU_3

PU_4

PU_N

Result pool

GPU
SIMT (Single Instruction Multiple Threads)
Host PC mainboard
VGA card mainboard GPU on-chip memory

CPU accessible RAM ~ n * 1GB

GPU accessible Video RAM ~ n * 256MB 16/32kB shared MEM 8/16/32kB register MEM

shader cores = stream cores = CUDA cores

C_1

C_2

C_3

C_4

C_N

Each one executes the same kernel (code uploaded to the GPU)

CPU VS. GPU


Raw estimate for computing speed : raw GPU performance/raw CPU performance ~ 3-10 May vary depending on the specific application

# of cores

SAMPLE GPU CRACKER

CUDADBCRACKER
NVIDIA

CUDA MSSQL, Oracle11g hashes simultaneously cracks passwords session handling

Source code/Executable:
http://marcellmajor.com

PROPRIETARY HARDWARE

ASIC (Application Specific Integrated Circuit)


Expensive

setup (>1,000,000 USD) Up to 6-10 times faster than FPGAs

FPGA (Field Programmable Gate Array)


ASIC

prototyping Computing

PROPRIETARY HARDWARE/2.

ASIC/FPGA = faster bruteforcing than CPU/GPU

BUT Custom crypto algorithms? Features?


Wordlist,

permutations? Session handling? Simultaneous passwords?

CONCLUSION
Reverse engineering is feasible Security by obscurity: useless Sample source code helps in development Every technology has some:

advantages
disadvantages

THANK YOU!