
Major Marcell

(marcell.major@gmail.com)

Hacktivity 2010

WRITING YOUR OWN PASSWORD CRACKER

INTRODUCTION + AGENDA
Anatomy of password hashing
Source code analysis example (Apache Derby)
Binary analysis examples (Sybase)
Writing your own cracker
Speedup

Knowledge: programming, cryptography

PASSWORD HASHING

STORING PASSWORDS
User input text -> Password
Generate random bytes -> Salt
Format(Password, salt)
Generate hash
Store(hash, salt) -> User database in DB table or file

CHECKING PASSWORD
User input text -> Password
User database in DB table or file -> Lookup(salt, hash) -> Salt, Stored hash
Format(Password, salt)
Generate hash -> Generated hash
Compare(Generated hash, Stored hash)
Identical? Yes -> User logged in
Identical? No -> Kicked out

HOW/WHY CRACKING PASSWORDS?


Security audit
Pen-test
Privilege escalation
Get a cracker tool

What if there is no cracker available?

Apache Derby
Password hashing algorithm before CVE-2009-4269

SOURCE CODE ANALYSIS

WHAT IS APACHE DERBY?


Open source Java DB
Small footprint (<3MB)
Version 10.5.3.0 (released August 21, 2009)
Modes of operation:

Client-server
Embedded

Password encryption options:


Cleartext in file
Hashed in DB

derby.authentication.provider=BUILTIN

PASSWORD HASH

ALGORITHM IMPLEMENTATION
// Excerpt: password hashing before the fix
protected String encryptPassword(String plainTxtUserPassword)
{
    if (plainTxtUserPassword == null)
        return null;

    MessageDigest algorithm = null;
    try
    {
        algorithm = MessageDigest.getInstance("SHA-1");
    } catch (NoSuchAlgorithmException nsae)
    {
        // Ignore as we checked already during service boot-up
    }

    algorithm.reset();
    byte[] bytePasswd = null;
    // Expand the password into one byte per nibble before hashing
    bytePasswd = StringUtil.toHexByte(plainTxtUserPassword, 0, plainTxtUserPassword.length());
    algorithm.update(bytePasswd);
    byte[] encryptVal = algorithm.digest();
    // Stored value = scheme identifier + hex-encoded SHA-1 digest
    String hexString = ID_PATTERN_NEW_SCHEME +
        StringUtil.toHexString(encryptVal, 0, encryptVal.length);
    return (hexString);
}

// Excerpt: StringUtil.toHexByte()
public static byte[] toHexByte(String str, int offset, int length)
{
    byte[] data = new byte[(length - offset) * 2];
    int end = offset+length;
    for (int i = offset; i < end; i++)
    {
        char ch = str.charAt(i);
        int high_nibble = (ch & 0xf0) >>> 4;
        int low_nibble = (ch & 0x0f);
        // The write index advances by 1 per character, not 2, so data[i+1]
        // is overwritten by the next character's high nibble
        data[i] = (byte)high_nibble;
        data[i+1] = (byte)low_nibble;
    }
    return data;
}

???

ALGORITHM IMPLEMENTATION/2.
[Diagram: text -> ASCII HEX -> toHexByte -> bytePasswd -> hash]

concat( 0x3b60, toHexString( SHA1(bytePasswd) ) )

CONSEQUENCES

ASCII table (source: http://ascii-table.com/)

ASCII(A) = 0x41
Sample hashes:
APASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
BPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
CPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
DPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
EPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
FPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
GPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
HPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587

Only the higher 4 bits used from password characters, except last one
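
The collision described above, reproduced as an added Python example (a port written for this page, not Derby's code). `to_hex_byte_corrected` is an assumed corrected indexing shown for comparison, not the project's actual fix, and `distinct_encodings` is a hypothetical helper that counts how many different SHA-1 inputs a keyspace collapses to.

```python
import hashlib
from itertools import product
from string import ascii_letters, digits

ID_PATTERN_NEW_SCHEME = "3b60"  # prefix shown on the slide


def to_hex_byte_buggy(password: str) -> bytes:
    """Port of the pre-fix toHexByte(): the write index advances by 1, not 2."""
    data = bytearray(len(password) * 2)
    for i, ch in enumerate(password):
        data[i] = (ord(ch) & 0xF0) >> 4
        data[i + 1] = ord(ch) & 0x0F  # overwritten by the next character
    return bytes(data)


def to_hex_byte_corrected(password: str) -> bytes:
    """Assumed corrected indexing: two output bytes per input character."""
    data = bytearray(len(password) * 2)
    for i, ch in enumerate(password):
        data[2 * i] = (ord(ch) & 0xF0) >> 4
        data[2 * i + 1] = ord(ch) & 0x0F
    return bytes(data)


def derby_hash(password: str, encoder=to_hex_byte_buggy) -> str:
    """Scheme identifier followed by the hex SHA-1 of the encoded password."""
    return ID_PATTERN_NEW_SCHEME + hashlib.sha1(encoder(password)).hexdigest()


def distinct_encodings(charset: str, length: int, encoder) -> int:
    """Count the different SHA-1 inputs produced by a whole keyspace."""
    return len({encoder("".join(p)) for p in product(charset, repeat=length)})


if __name__ == "__main__":
    for pw in ("APASS", "BPASS", "HPASS"):
        print(pw, to_hex_byte_buggy(pw).hex(), derby_hash(pw))
    alnum = ascii_letters + digits
    # Two-character keyspace: how many passwords stay distinguishable
    print(distinct_encodings(alnum, 2, to_hex_byte_buggy), "of", len(alnum) ** 2)
    print(distinct_encodings(alnum, 2, to_hex_byte_corrected), "of", len(alnum) ** 2)
```
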

CRACKING: BRUTE FORCE


Character-set: 26 upper + 26 lower + 10 digit
8 character passwords

62^8 ≈ 2 * 10^14
Nvidia GF 8800 GT: 21 days

After toHexByte()
6^8*16 ≈ 2 * 10^7
Nvidia GF 8800 GT: 0.23 sec

Ratio = 1/8124628

FIX
Apache.org notified in December 2009
Vulnerability CVE-2009-4269
Fix released in May 2010
Derby 10.6.1.0

http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269

Bug fixed
BUILTIN authentication:
not recommended in production DBs

Sybase ASE (Adaptive Server Enterprise) RDBMS

BINARY ANALYSIS

REVERSE ENGINEERING
Live analysis (Debugger, Monitoring Tools)
Off-line analysis (Disassembler)
Concept:
Get the big picture
Create a theory/model
Test

SYBASE ASE

Sybase "Adaptive Server Enterprise"


Runs on Linux, UNIX, Windows and MacOS X

Market share: 4.
Cousin of Microsoft SQL Server:
1994: Microsoft bought the source
Main releases:

12.5.x (2001) still in use at some companies


15.0.5 latest version, evaluation downloadable

Password Encryption:

SYB-PROP
SHA-256

Live CODE Analysis

SYBASE SHA-256 HASH

LOGIN INFORMATION

SAMPLE

WHERE TO START?
Information gathering
Search for an entry point

User input
Program output
System call
Known constants

AVAILABLE INFORMATION

http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc31654.1502/html/sag1/BCFDGIFC.htm

POSSIBLE ENTRY POINT

MEMORY BREAKPOINT
Search for the constant (debugger helps)
Byte order is reversed:
search for 0x67E6096A (h0 in the source)

FINAL INSTRUCTIONS OF HASHING FOUND

CALL STACK

THE CALL OF HASHING FUNCTION FOUND

PYTHON CODE - TEST

RECONSTRUCTION

Steps:
1. UTF-16 conversion (Big Endian)
2. Append 0x00 bytes to the length of 510
3. Append the salt (8 bytes)
4. Generate SHA-256 hash (32 bytes)
5. Result = 0xc007 + hex(salt) + hex(hash)
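
The five steps above as an added Python example (not the author's test script and not sybcrack code): it builds the stored value for one password and salt, parses a stored value back into its fields, and checks a single known password against it. The salt in the demo is constructed, and rejecting passwords longer than the 510-byte buffer is an assumption.

```python
import hashlib
import hmac

PREFIX = bytes.fromhex("c007")  # hash type indicator from step 5
SALT_LEN, DIGEST_LEN, PAD_LEN = 8, 32, 510


def sybase_sha256(password: str, salt: bytes) -> str:
    """Build the stored value from the five reconstruction steps."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 8 bytes")
    buf = password.encode("utf-16-be")             # step 1
    if len(buf) > PAD_LEN:                         # assumption: reject, do not truncate
        raise ValueError("password longer than the 510-byte buffer")
    buf = buf.ljust(PAD_LEN, b"\x00") + salt       # steps 2 and 3
    digest = hashlib.sha256(buf).digest()          # step 4
    return "0x" + (PREFIX + salt + digest).hex()   # step 5


def parse_stored(value: str) -> tuple:
    """Split a stored value into (salt, digest); reject other formats."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if len(raw) != len(PREFIX) + SALT_LEN + DIGEST_LEN or raw[:2] != PREFIX:
        raise ValueError("not a 0xc007 SHA-256 login hash")
    return raw[2:2 + SALT_LEN], raw[2 + SALT_LEN:]


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = parse_stored(stored)
    _, expected = parse_stored(sybase_sha256(password, salt))
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    demo_salt = bytes(range(8))                    # constructed sample salt
    stored = sybase_sha256("Secret1", demo_salt)
    print(stored)
    print(verify("Secret1", stored), verify("secret1", stored))
```
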

Cracker: sybcrack
http://marcellmajor.com
OpenSSL SHA256 implementation
worauthbf source code (http://soonerorlater.hu)

OFF-LINE Analysis

SYB-PROP HASH

SYB-PROP: HOW?
Old Sybase versions not available
Current version is 15.0.5
using SYB-PROP is not allowed
old password hashes only in 15.0.0 or 15.0.1
I have no access to an old Sybase DB
Some companies still use Sybase ASE 12.x !

DOWNGRADE VERSION 15.0.5 TO 15.0.[01]

AFTER DOWNGRADE

INFORMATION?

ENTRY POINT
Debug near the code computing SHA256
After some debugging another call found

Output:

64 bytes
last 28 bytes -> Old hash

Block cipher
Not DES
Not AES
No specific constants found

OFFLINE ANALYSIS
IDA Free 4.9
Symbols included -> function names

OUTLINE OF FUNCTION CALLS (MINDMAP)

password -> meta_keysch() -> 64 bytes -> meta_encrypt() -> 64 bytes

META_ENCRYPT()
Input: 64 bytes
Output: 64 bytes
Last 28 bytes -> hash

assembly instructions: ~ 80
function calls: 5
(conditional) jumps: 7

CRYPTO IDENTIFIED

FEAL

string constant

FEAL
Fast data Encipherment Algorithm
NTT in 1987
replacement for DES
Feistel networks
key scheduling
encryption/decryption

FEAL-4, FEAL-8, FEAL-N, FEAL-NX, FEAL-32X
number of rounds: different
key size: different

Known vulnerabilities -> not recommended

FEAL VERSION IN SYBASE?


Number of rounds
Key schedule size
FEAL in Sybase:
Key: 8 bytes
Key schedule: 32 bytes
Output: 8 bytes

Conclusion: FEAL-8

STRING CONSTANT

FUNCTION META-ENCRYPT
[Diagram: ENC. ROUNDS and ROUND RESULTS. Blocks of the STRING CONSTANT legible in the diagram: "Q:Whydid", "nceonthe", "jar?A:Be", "theflyda". Labels: key, input, FEAL-8, blck1, blck2, blck3, and the meta_keysch() result blocks res_blck1, res_blck2, res_blck3, ... res_blck8.]

META_KEYSCH()
Input: password
Output: 64 bytes

assembly instructions: ~450
function calls: 15
(conditional) jumps: 29

META KEYSCH ROUND SALT
salt byte: ( rand() >> 8 ) % 0xFF

MIXING BYTES
[Diagram: the salt byte and input bytes 1.-8. (expanded password) are mixed into output bytes 1.-8.]

FUNCTION META_KEYSCH OPERATION

ROUNDS: 8
Initialization:
  XP -> expand password with 0x1D bytes to 57 bytes
  seed number = system time -> 1 byte
  PRNG init: stdlib.h / srand(seed);

Rounds:
  round salt byte = rand() -> 1 byte
  ROUND KEY:
    first round: MIX( salt byte, XP[first block] )
    other rounds: buffer = XP[ (round - 1) * 8 + 1 ]
                  MIX(salt byte, buffer)
  RESULT -> result[ (round - 1) * 8 ]:
    first 2 rounds - FEAL(round key, const_str[seed % 0x30 + 1])
    other rounds - round key itself

META_KEYSCH() ROUNDS
[Diagram: per-round data flow. Labels: eXpanded Password blocks XP[ 0 ], XP[ 0*8 + 1 ], XP[ 1*8 + 1 ], XP[ 2*8 + 1 ]; round input block (8 bytes); round salt (1 byte); MIX; const_str[ seed % 0x30 ]; FEAL-8 (key, input); round result; RESULT BLOCKS RES_BLCK #1, RES_BLCK #2, RES_BLCK #3, RES_BLCK #4.]

RECONSTRUCTION
FEAL-8 specification:
Applied cryptography by Bruce Schneier
C source code

http://tirnanog.ls.fi.upm.es/NoSeguro/Servicios/Software/ap_crypt/indice.html

Reconstruction not accurate

Sybase FEAL-8 implementation:
FIX key + FIX input -> output?
results(Sybase) ≠ results(official specification)
key schedule: only the first 4 bytes identical

WHY NOT WORKING?


Sybase FEAL-8 omitted a step in the key processing part
U(-2) is not updated, U(i-3) remains 0

Source: Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone

SOURCE CODE

STRUCTURE OF A SYB-PROP HASH

0xd405c8a83114cf59fe510d92c7e90c37f2741e0a04f70af14d9bd8a21f46

hash: last 28 bytes from meta_encrypt() result

hash type indicator

seed for srand()

OWN PASSWORD CRACKER

HOW A PASSWORD CRACKER OPERATES?


wordlist (SMART: local, personal, company related) -> transformation, permutation
Markov chain
brute-force: full search in the password space
-> generate passwords for testing
-> format the passwords and salt
-> generate hashes
-> compare the result hash with the original one

FUNCTIONALITY

Multiple passwords simultaneously
audit practice: n*100 passwords

Session handling
Customized character set
Customized permutation rules

CPU
GPU
FPGA
Hardware implementation

COMPARISON OF TECHNOLOGIES

CPU
Single Instruction Multiple Data (SIMD)
Intel x86/x64:
-8/16 * 128 bit XMM registers
-SSE (Streaming SIMD Extensions) instruction set

[Diagram: Data pool -> processing units PU_1, PU_2, PU_3, PU_4, ... PU_N -> Result pool]

GPU
SIMT (Single Instruction Multiple Threads)
Host PC mainboard: CPU accessible RAM ~ n * 1GB
VGA card mainboard: GPU accessible Video RAM ~ n * 256MB
GPU on-chip memory: 16/32kB shared MEM, 8/16/32kB register MEM
shader cores = stream cores = CUDA cores (C_1, C_2, C_3, C_4, ... C_N)
Each one executes the same kernel (code uploaded to the GPU)

CPU VS. GPU

Raw estimate for computing speed:
raw GPU performance/raw CPU performance ~ 3-10
May vary depending on the specific application

# of cores

SAMPLE GPU CRACKER

CUDADBCRACKER
NVIDIA CUDA
MSSQL, Oracle11g hashes
simultaneously cracks passwords
session handling

Source code/Executable:
http://marcellmajor.com

PROPRIETARY HARDWARE

ASIC (Application Specific Integrated Circuit)
Expensive setup (>1,000,000 USD)
Up to 6-10 times faster than FPGAs

FPGA (Field Programmable Gate Array)
ASIC prototyping
Computing

PROPRIETARY HARDWARE/2.

ASIC/FPGA = faster bruteforcing than CPU/GPU

BUT
Custom crypto algorithms?
Features?
Wordlist, permutations?
Session handling?
Simultaneous passwords?

CONCLUSION
Reverse engineering is feasible
Security by obscurity: useless
Sample source code helps in development
Every technology has some:

advantages
disadvantages

THANK YOU!
