Escolar Documentos
Profissional Documentos
Cultura Documentos
(marcell.major@gmail.com)
Hacktivity 2010
INTRODUCTION + AGENDA
Anatomy of password hashing
Source code analysis example (Apache Derby)
Binary analysis examples (Sybase)
Writing your own cracker
Speedup
Knowledge:
programming, cryptography
PASSWORD HASHING
STORING PASSWORDS
User input text
Generate random
bytes
Password
Salt
Format(Password, salt)
Generate hash
Store(hash, salt)
User database in
DB table or file
CHECKING PASSWORD
User database in
DB table or file
Password
Lookup(salt, hash)
Format(Password, salt)
Salt
Generate hash
Generated hash
Stored hash
User logged in
Identical?
No
Kicked out
Apache Derby
Password hashing algorithm before CVE-2009-4269
Client-server
Embedded
derby.authentication.provider=BUILTIN
PASSWORD HASH
ALGORITHM IMPLEMENTATION
protected String encryptPassword(String plainTxtUserPassword)
{
if (plainTxtUserPassword == null)
return null;
MessageDigest algorithm = null;
try
{
algorithm = MessageDigest.getInstance("SHA-1");
} catch (NoSuchAlgorithmException nsae)
{
// Ignore as we checked already during service boot-up
}
algorithm.reset();
byte[] bytePasswd = null;
bytePasswd = StringUtil.toHexByte( plainTxtUserPassword,0,plainTxtUserPassword.length());
algorithm.update(bytePasswd);
byte[] encryptVal = algorithm.digest();
String hexString = ID_PATTERN_NEW_SCHEME +
StringUtil.toHexString(encryptVal,0,encryptVal.length);
return (hexString);
}
public static byte[] toHexByte(String str, int offset, int length)
{
byte[] data = new byte[(length - offset) * 2];
int end = offset+length;
for (int i = offset; i < end; i++)
{
char ch = str.charAt(i);
int high_nibble = (ch & 0xf0) >>> 4;
int low_nibble = (ch & 0x0f);
data[i] = (byte)high_nibble;
data[i+1] = (byte)low_nibble;
}
return data;
}
???
ALGORITHM IMPLEMENTATION/2.
text
ASCII HEX
54 65 73
toHexByte
05
74
31 32
0
05
07
03
07
2
04
03
hash
05
04
06
bytePasswd
06
07
07
03
3
4
01
03
02
03
02
CONSEQUENCES
ASCII(A) = 0x41
Sample hashes:
APASS:
BPASS:
CPASS:
DPASS:
EPASS:
FPASS:
GPASS:
HPASS:
3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
Only the higher 4 bits used from password characters, except last one
62^8 2 * 10 ^ 14
Nvidia GF 8800 GT 21 days
After toHexByte()
6^8*16 2 * 10 ^ 7
Nvidia GF 8800 GT 0.23 sec
Ratio = 1/8124628
FIX
Apache.org notified in December 2009
Vulnerability CVE-2009-4269
Fix released in May 2010
Derby 10.6.1.0
http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
Bug fixed
BUILTIN authentication:
not recommended in production DBs
BINARY ANALYSIS
REVERSE ENGINEERING
Live analysis (Debugger, Monitoring Tools)
Off-line analysis (Disassembler)
Concept:
Get
SYBASE ASE
Market share: 4.
Cousin of Microsoft SQL Server:
1994: Microsoft bought the source
Main releases:
Password Encryption:
SYB-PROP
SHA-256
LOGIN INFORMATION
SAMPLE
WHERE TO START?
Information gathering
Search for an entry point
User
input
Program output
System call
Known constants
AVAILABLE INFORMATION
http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infoce
nter.dc31654.1502/html/sag1/BCFDGIFC.htm
MEMORY BREAKPOINT
Search for the constant (debugger helps)
Byte order is reversed:
search for 0x67E6096A (h0 in the source)
CALL STACK
RECONSTRUCTION
Steps:
1.
2.
3.
4.
5.
Cracker: sybcrack
http://marcellmajor.com
OpenSSL SHA256 implementation
worauthbf source code (http://soonerorlater.hu)
OFF-LINE Analysis
SYB-PROP HASH
SYB-PROP: HOW?
Old Sybase versions not available
Current version is 15.0.5
using
AFTER DOWNGRADE
INFORMATION?
ENTRY POINT
Debug near the code computing SHA256
After some debugging another call found
Output:
64 bytes
last 28 bytes -> Old hash
Block cipher
Not DES
Not AES
No specific constants found
OFFLINE ANALYSIS
IDA Free 4.9
Symbols included -> function names
password
meta_keysch()
64 bytes
meta_encrypt()
64 bytes
META_ENCRYPT()
Input: 64 bytes
Output: 64 bytes
Last
assembly instructions: ~ 80
function calls:
5
(conditional) jumps:
7
CRYPTO IDENTIFIED
FEAL
string constant
FEAL
in 1987
replacement for DES
Feistel networks
key scheduling
encryption/decryption
of rounds: different
key size: different
Key:
Key
schedule:
Output:
Conclusion: FEAL-8
8 bytes
32 bytes
8 bytes
STRING CONSTANT
FUNCTION META-ENCRYPT
STRING CONSTANT
key
Q:Whydid
nceonthe
jar?A:Be
input
FEAL-8
ENC. ROUNDS
key
blck1
ROUND RESULTS
theflyda
input
FEAL-8
blck2
res_blck1
key
blck3
res_blck2
input
FEAL-8
res_blck3
meta_keysch()
result blocks
res_blck8
META_KEYSCH()
Input: password
Output: 64 bytes
salt byte
MIXING BYTES
input bytes
(expanded password)
salt byte
1.
output bytes
1.
2.
3.
2.
4.
3.
5.
4.
6.
5.
7.
6.
8.
7.
8.
ROUNDS: 8
Initialization:
Rounds:
first round
other rounds
RESULT
META_KEYSCH() ROUNDS
eXpanded Password
XP[ 0 ]
round input block
round salt
XP[ 1*8 + 1 ]
round salt
8 bytes
MIX
1 byte
round salt
MIX
const_str
[ seed % 0x30 ]
round result
RES_BLCK #1
8 bytes
MIX
1 byte
MIX
const_str
[ seed % 0x30 ]
input
FEAL-8
round salt
8 bytes
1 byte
key
XP[ 2*8 + 1 ]
8 bytes
1 byte
XP[ 0*8 + 1 ]
input
key
FEAL-8
round result
round result
RES_BLCK #2
RES_BLCK #3
RESULT BLOCKS
round result
RES_BLCK #4
RECONSTRUCTION
FEAL-8 specification:
Applied cryptography by Bruce Schneier
C source code
http://tirnanog.ls.fi.upm.es/NoSeguro/Servicios/Software/ap_crypt/indice.html
FIX
SOURCE CODE
0xd405c8a83114cf59fe510d92c7e90c37f2741e0a04f70af14d9bd8a21f46
transformation,
permutation
format the
passwords and salt
generate passwords
for testing
generate hashes
Markovchain
brute-force:
full search in the
password space
FUNCTIONALITY
Session handling
Customized character set
Customized permutation rules
CPU
GPU
FPGA
Hardware implementation
COMPARISON OF TECHNOLOGIES
CPU
Single Instruction Multiple Data (SIMD)
Intel x86/x64:
-8/16 * 128 bit XMM registers
-SSE (Streaming SIMD Extensions) instruction set
Data pool
processing
units
PU_1
PU_2
PU_3
PU_4
Result pool
PU_N
GPU
SIMT (Single Instruction Multiple Threads)
Host PC
mainboard
VGA card
mainboard
GPU on-chip
memory
shader cores =
stream cores =
CUDA cores
C_1
C_4
C_2
C_3
C_N
Each one executes the same kernel (code uploaded to the GPU)
# of cores
CUDADBCRACKER
NVIDIA
CUDA
MSSQL, Oracle11g hashes
simultaneously cracks passwords
session handling
Source code/Executable:
http://marcellmajor.com
PROPRIETARY HARDWARE
prototyping
Computing
PROPRIETARY HARDWARE/2.
BUT
Custom crypto algorithms?
Features?
Wordlist,
permutations?
Session handling?
Simultaneous passwords?
CONCLUSION
Reverse engineering is feasible
Security by obscurity: useless
Sample source code helps in development
Every technology has some:
advantages
disadvantages
THANK YOU!