Password cracking guest lecture

Marc Smeets, KPMG IT Advisory (Audit & Advisory / Information Protection Services), 10 December 2012

Uploaded by smeetsm1, posted 16 July 2015

Page 1: Password cracking guest lecture

IT Advisory

Password cracking

Marc Smeets

10 December, 2012

Audit & Advisory / Information Protection Services

Page 2: Password cracking guest lecture

Introduction

Why I am standing here

KPMG is one of the ‘big four’ audit and advisory firms

IT Security & Control team (45 fte in NL, large global network)

Security testing/ethical hacking, IT auditing (we crack passwords, we hack websites and we report to the client how to improve)

Why you are here

Learn about password cracking

Ask hard questions

Potential research projects

© 2010 KPMG NL, the Dutch member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Page 3: Password cracking guest lecture

Agenda

The horror called passwords

Recap of password hashing and cracking

Advanced techniques

What we do

Demo

Research projects

Page 4: Password cracking guest lecture

The horror called passwords: Why passwords?

Why passwords?

How to store passwords?

How to remember passwords?

How to make passwords stronger?

Page 5: Password cracking guest lecture

The horror called passwords: Passwords and IT audit requirements

ISO 27001, HIPAA, PCI DSS, SOx

“The usage of strong passwords should be enforced”

“Do not use vendor default passwords”

“Require a minimum password length of at least seven characters.”

“Passwords should contain lower and upper case numbers and letters”

Passwords should contain at least lower and upper case letters, a number and a special character, have a minimum length of 8 characters, not be the same as the 5 previous passwords and be changed every 90 days

Page 6: Password cracking guest lecture

Recap of password hashing and cracking: What is a hash?

Hash: one-way representation of data, no (mathematical) way back from hash to data

It solves the issue of verifying a password without actually knowing it

Clear text password (+ salt) goes into the hashing function

Result is the hash, which may get stored in a database

Many implementations: MD5, SHA, LM, NTLM, MySQL, Oracle, BSD crypt, many others

[Diagram: clear text password (+ salt) -> crypto hash function -> hashed password -> storage on system as username:salt:hash]
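The storage layout on this slide (username:salt:hash) together with the audit rules quoted on the previous slide (8+ characters, four character classes, not the same as the 5 previous passwords), as an added Python example that is not part of the lecture: it stores a fresh random salt per record, verifies a candidate by recomputing the hash from the stored salt, and checks a new password against the last five records. The slide's diagram shows a generic crypto hash; the example uses PBKDF2-HMAC-SHA256 with an iteration count, which is a hardening choice made here rather than something the deck prescribes. The record format, constants and function names are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Added example, not code from the lecture. The constants are assumptions.
ITERATIONS = 100_000      # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16           # per-record random salt length
HISTORY_DEPTH = 5         # "not the same as the 5 previous passwords"


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The 'crypto hash function' box on the slide: clear text + salt -> digest.
    PBKDF2-HMAC-SHA256 makes every guess cost `iterations` SHA-256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str) -> str:
    """Build one 'username:salt:hash' line with a fresh random salt, so two
    records for the same password still carry different hashes."""
    salt = os.urandom(SALT_BYTES)
    return f"{username}:{salt.hex()}:{hash_password(password, salt).hex()}"


def parse_record(record: str) -> tuple[str, bytes, bytes]:
    username, salt_hex, hash_hex = record.split(":")
    return username, bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify(record: str, candidate: str) -> bool:
    """Verify without knowing the clear text: rehash the candidate with the
    stored salt and compare in constant time."""
    _, salt, stored = parse_record(record)
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def reused_recently(history: list[str], candidate: str) -> bool:
    """Password-history rule. Each old record has its own salt, so the candidate
    is rehashed once per old record; old hashes cannot be compared directly."""
    return any(verify(old, candidate) for old in history[-HISTORY_DEPTH:])


def meets_complexity(candidate: str) -> bool:
    """Minimal form of the quoted audit rule: at least 8 characters with lower
    case, upper case, a digit and a special character."""
    return (
        len(candidate) >= 8
        and any(c.islower() for c in candidate)
        and any(c.isupper() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(not c.isalnum() for c in candidate)
    )


def accept_new_password(history: list[str], candidate: str) -> bool:
    """Policy gate a password-change handler would apply before storing."""
    return meets_complexity(candidate) and not reused_recently(history, candidate)


if __name__ == "__main__":
    store = [make_record("alice", "Correct-Horse1")]
    print(store[0])                                      # username:salt:hash
    print(verify(store[0], "Correct-Horse1"))            # True
    print(verify(store[0], "correct-horse1"))            # False
    print(accept_new_password(store, "Correct-Horse1"))  # False: reused
```

The history check is where the salt shows its cost as well as its benefit: with unsalted hashes the last five digests could be compared in one lookup, while salted records force one PBKDF2 computation per old record, which is exactly the per-guess cost that makes offline cracking expensive.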

Page 7: Password cracking guest lecture

Recap of password hashing and cracking: What can possibly go wrong?

Hashing is a secure principle. What can possibly go wrong?

[Images of bad password implementations removed]

Page 8: Password cracking guest lecture

Recap of password hashing and cracking: Cracking the hash

A hash is supposed to be one way. So how do we find the password?

Offline brute force on the hash

Dictionary with common words/passwords

Educated dictionary with info from the environment

Pre-computation tables -> Rainbow tables

Look for crypto errors and errors in the hashing implementation

Online brute force login

Overwrite the hash table with known hashes

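The defender's side of the “online brute force login” item in the list above, as an added Python example that is not part of the lecture: it parses constructed sshd-style auth log lines and raises one alert per source address that accumulates a threshold of failed logins inside a sliding time window. The log lines, the threshold, the window and the assumed year for the syslog timestamps are all constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines for the example (not real logs).
SAMPLE_LOG = """\
Dec 10 09:00:01 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Dec 10 09:00:03 bastion sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 50123 ssh2
Dec 10 09:00:04 bastion sshd[2103]: Failed password for root from 198.51.100.7 port 50124 ssh2
Dec 10 09:00:06 bastion sshd[2104]: Failed password for invalid user oracle from 198.51.100.7 port 50125 ssh2
Dec 10 09:00:09 bastion sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 50126 ssh2
Dec 10 09:00:15 bastion sshd[2106]: Failed password for marc from 203.0.113.5 port 40001 ssh2
Dec 10 09:00:40 bastion sshd[2107]: Accepted password for marc from 203.0.113.5 port 40001 ssh2
Dec 10 09:05:11 bastion sshd[2108]: Failed password for invalid user admin from 198.51.100.7 port 50127 ssh2
"""

# Shape of the classic syslog + sshd "Failed/Accepted password" line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str, year: int = 2012):
    """Return (timestamp, result, user, ip), or None for lines we do not care about.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window rule: alert the first time one source IP accumulates
    `threshold` failed logins inside `window`. Returns a list of alert dicts."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result != "Failed":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "first": q[0][0],
                "last": ts,
                "attempts": len(q),
                "users": sorted({u for _, u in q}),  # many names from one source is itself a signal
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single counter per source is the simplest form of this rule; a second counter keyed on the target account catches the slow, distributed variant where each source stays under the per-IP threshold.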

Page 10: Password cracking guest lecture

Recap of password hashing and cracking: Cracking the hash – brute force and dict.

Simple operations that can be automated. Many implementations.

John the Ripper, Cain & Abel

Page 11: Password cracking guest lecture

Recap of password hashing and cracking: Cracking the hash – crypto and impl. errors

Weak hash algorithms are easier to crack

Example: Windows LAN Manager hashing

What is wrong with LM hashing?

NTLM is used if the password has more than 14 characters

Windows stored(*) LM next to NTLM on the system. What do you prefer to crack? ;-)

* Default until Windows Vista/2008

Page 12: Password cracking guest lecture

Recap of password hashing and cracking: Cracking the hash – crypto and impl. errors

Other known weak password hashing mechanisms (but found many times in corporations):

Oracle (<11g)

Cisco routers/switches with ‘password 7’

Single unsalted MD5

Page 13: Password cracking guest lecture

Recap of password hashing and cracking: Cracking the hash – crypto and impl. errors

Weak implementations don’t even need hash cracking

Example: pass-the-hash

[Diagram: password -> computation and storage of hash -> communication with hash -> steal hash]

Page 14: Password cracking guest lecture

Recap of password hashing and cracking: Cracking the hash – rainbow tables

Pre-computation tables: pre-compute all possible passwords, store them in tables, perform a lookup on the hash and find the accompanying password.

Rainbow tables: optimised pre-computation

Time-memory trade-off

http://kestas.kuliukas.com/RainbowTables/
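The time-memory trade-off behind rainbow tables, as an added toy-scale Python example (not the lecture's code and not the linked article's): it builds a chain table over a 4-digit PIN key space using a position-dependent reduction function, stores only the start and end point of each chain, recovers a PIN from its unsalted hash by recomputing part of one chain, and shows that the same table finds nothing once a salt is mixed into the hash. The key space, chain length, stride, hash choice and reduction function are all constructed for illustration.

```python
import hashlib

# Added example, not the lecture's code. All parameters below are constructed.
KEYSPACE = 10_000        # PINs "0000".."9999": the space the table must cover
CHAIN_LEN = 8            # hashes per chain: the "time" side of the trade-off
CHAIN_STRIDE = 20        # one chain per 20 start points: the "memory" side


def H(password: str) -> str:
    """The unsalted hash the table is built for (SHA-256 hex digest)."""
    return hashlib.sha256(password.encode()).hexdigest()


def R(digest: str, position: int) -> str:
    """Reduction function: maps a digest back into the key space. Rainbow
    tables vary the reduction per chain position so chains merge less often."""
    return f"{(int(digest[:8], 16) + position) % KEYSPACE:04d}"


def chain_points(start: str):
    """The CHAIN_LEN passwords p0..p(n-1) of one chain; p(n) is the stored endpoint."""
    points, p = [], start
    for i in range(CHAIN_LEN):
        points.append(p)
        p = R(H(p), i)
    return points


def build_table():
    """Precompute: keep only endpoint -> [start points], not every password."""
    table = {}
    for s in range(0, KEYSPACE, CHAIN_STRIDE):
        start = f"{s:04d}"
        p = start
        for i in range(CHAIN_LEN):
            p = R(H(p), i)
        table.setdefault(p, []).append(start)
    return table


def lookup(table, target: str):
    """Recover a password with H(password) == target, spending at most about
    CHAIN_LEN**2 / 2 hashes instead of scanning the whole key space."""
    for i in range(CHAIN_LEN):
        # Hypothesis: target sits at position i of some chain; walk to its end.
        x = R(target, i)
        for k in range(i + 1, CHAIN_LEN):
            x = R(H(x), k)
        for start in table.get(x, []):       # endpoint matched: rebuild that chain
            p = start
            for j in range(CHAIN_LEN):
                if H(p) == target:
                    return p
                p = R(H(p), j)
    return None                              # false alarm or not covered


def coverage(table) -> float:
    """Fraction of the key space actually recoverable (merges lose the rest)."""
    covered = set()
    for starts in table.values():
        for s in starts:
            covered.update(chain_points(s))
    return len(covered) / KEYSPACE


def salted_hash(salt: str, password: str) -> str:
    """Same hash, but a per-record salt is prepended: the table no longer applies."""
    return H(salt + password)


if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} endpoints stored, coverage {coverage(table):.0%}")
    pin = chain_points("0000")[3]
    print(pin, "->", lookup(table, H(pin)))               # found from the unsalted hash
    print(lookup(table, salted_hash("k9", pin)))          # None: salt defeats the table
```

The table holds about KEYSPACE / CHAIN_STRIDE entries and a lookup costs on the order of CHAIN_LEN squared hashes, which is the trade-off the slide names; coverage stays below 100% because chains merge. A salt multiplies the space the table would have to cover by the number of possible salts, so the precomputation stops paying for itself.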

Page 15: Password cracking guest lecture

Recap of password hashing and cracking: Cracking the hash (cont.)

Hashing algorithms are getting better and better

Password cracking tools and techniques are getting better

We go from CPUs to more powerful architectures: new kids on the block

Page 16: Password cracking guest lecture

The new kids on the block: Who are the new kids?

Cell architecture

FPGA / ASIC

Cloud computing

Graphics cards

Welcome to: Computer Architecture 101 :-)

Page 17: Password cracking guest lecture

The new kids on the block: Cell architecture

Cell Broadband Engine Architecture

Goal: bridge between regular CPU and high performance computers used for future video demands

Page 18: Password cracking guest lecture

The new kids on the block: Cell architecture

New CPU consists of RISC (PowerPC) architecture + coprocessors

1x main processor: Power Processing Element (PPE)

8x fully-functional co-processors called the Synergistic Processing Elements (SPEs). 1 not used when using custom OS

High speed bus in between

Page 19: Password cracking guest lecture

The new kids on the block: Cell architecture – password cracking

PS3 has Cell and runs Linux

7 cores you can use

Compilers exist for your code to run (ppu-gcc and spu-gcc)

Page 20: Password cracking guest lecture

The new kids on the block: Cell architecture – password cracking

PS3 has Cell and used to run Linux

7 cores you can use

Compilers exist for your code to run (ppu-gcc and spu-gcc)

Different way of programming

10 + 1 = 11: Single Instruction, Single Data

{10,11,12,13} + 1 = {11,12,13,14}: Single Instr., Single Data set

{10,11,12,13} + {1,2,3,4} = {11,13,15,17}: Sing. Instr., Multiple Data set

If you reprogram your routine, this rocks!

Page 21: Password cracking guest lecture

The new kids on the block: Cell architecture – supercomputer

US Air Force’s implementation

Page 22: Password cracking guest lecture

The new kids on the block: Cell architecture - disadvantages

Cell architecture is limited to 7 extra cores

Cell architecture is not dead, but also not lively developed

Cost of current implementations is therefore not dropping hard

Programming interface is somewhat hard

Amount of implementations of password cracking tools is limited*

* MD5 implementation by Nick Breese http://www.blackhat.com/presentations/bh-europe/08/Breese/Presentation/bh-eu-08-breese.pdf

Page 23: Password cracking guest lecture

The new kids on the block: FPGA / ASIC

Cell architecture

FPGA / ASIC

Cloud computing

Graphics cards

Page 24: Password cracking guest lecture

The new kids on the block: FPGA / ASIC

Field Programmable Gate Array

A bunch of reprogrammable components on a board that perform logical operations

Mid 80’s: invented to easily create prototypes of new hardware

Page 25: Password cracking guest lecture

The new kids on the block: FPGA / ASIC

Field Programmable Gate Array

A bunch of reprogrammable components on a board that perform logical operations

Mid 80’s: invented to easily create prototypes of new hardware

Consists of:

Logical blocks that can be programmed for a task

Ways for I/O

Programmable interconnections -> create sets of logical blocks for a greater task

Page 26: Password cracking guest lecture

The new kids on the block: FPGA / ASIC

[Image removed]

Page 27: Password cracking guest lecture

The new kids on the block: FPGA / ASIC

ASIC = Application Specific Integrated Circuit.

Basically a function on a chip (MP3, GSM, switch port)

ASICs are becoming overly complicated

ASIC ~= FPGA but faster, more expensive and less reprogrammable

Page 28: Password cracking guest lecture

The new kids on the block: FPGA / ASIC – password cracking

Create your hash algorithm in Hardware Abstraction Language

Push to board along with creation of interconnections

Setup I/O

Blast at enormous speed (this is hardware!)

DES cracking famous example

Page 29: Password cracking guest lecture

The new kids on the block: FPGA / ASIC - disadvantages

Expensive

This is hardware, most software programmers are scared of hardware and wires

Need to reprogram for each algorithm, or have more sets of FPGA

Page 30: Password cracking guest lecture

The new kids on the block: Cloud computing

Cell architecture

FPGA / ASIC

Cloud computing

Graphics cards

Page 31: Password cracking guest lecture

The new kids on the block: Cloud computing

Co-location -> Managed hosting -> ‘IT resources’ as a service

“A style of computing where massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies”

In essence the next step of outsourcing of IT

In essence mainframe computing all over again, over Internet

Page 32: Password cracking guest lecture

The new kids on the block: Cloud computing

Co-location -> Managed hosting -> ‘IT resources’ as a service

“A style of computing where massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies”

In essence the next step of outsourcing of IT

In essence mainframe computing all over again, over Internet

Software as a service (Salesforce.com)

Platform as a service (Google & Amazon)

Infrastructure as a service (Terremark)

Page 33: Password cracking guest lecture

The new kids on the block: Cloud computing – password cracking

So, just buy ‘resources’ as you need. We want to crack passwords:

Page 34: Password cracking guest lecture

The new kids on the block: Cloud computing – password cracking

So, just buy ‘resources’ as you need. We want to crack passwords:

1. prepare infrastructure and enable at Amazon

2. upload hashes

3. start cracking

4. add more systems if needed

5. finish and close

Page 35: Password cracking guest lecture

The new kids on the block: Cloud computing – password cracking

So, just buy ‘resources’ as you need. We want to crack passwords:

1. prepare infrastructure and enable at Amazon

2. upload hashes

3. start cracking

4. add more systems if needed

5. finish and close

6. Pay Amazon $50,000 for a 11 character password [a-z] (CPU)

6. Pay Amazon $2.00 for a common WPA PSK (with Tesla Fermi)

Other solution is cloudcracker.com (LM/NTLM, MD5, MSCHAPv2, SHA512, WPA/WPA2)

Use EC2 Spot Prices: Bitweasil’s presentation, Blackhat Las Vegas 2012

Page 36: Password cracking guest lecture

The new kids on the block: Cloud computing – disadvantages

Not so good:

Do you / the client really want to upload password hashes to a cloud?

Cryptohaze Cloud Cracking

Cheap resources become expensive for cracking *

Cloud resources are a bit different, may need minor reprogramming

To counter this, cloud services are becoming ‘upload and wait’-services

Page 37: Password cracking guest lecture

The new kids on the block: GPU

Cell architecture

FPGA / ASIC

Cloud computing

Graphics cards

Page 38: Password cracking guest lecture

The new kids on the block: GPU – history of graphics

In the old days:

Text mode -> mixing text and bitmaps

For each refresh draw the complete bitmap. When moving (game), all data from the bitmap (framebuffer) needs to move within the memory. CPU intervention, big penalty for CPU

BLITTER (Block Image Transfer) = coprocessor that handles the movement of the bitmap in memory (Atari 8-bit)

Page 39: Password cracking guest lecture

The new kids on the block: GPU – history of graphics (cont.)

In the 90’s:

API for 2D acceleration: WinG and DirectDraw (Windows 95)

Define graphics object and its movement -> ‘draw it’

Rasterization of polygons (collection of triangles) to 2D (bitmap)

3D = 2D with extra dimension

API for 3D: OpenGL & DirectX

Page 40: Password cracking guest lecture

The new kids on the block: GPU – history of graphics (cont.)

Post 2000:

We want realistic colouring (pixel shading)

We want realistic surface (bump mapping and anti aliasing)

We want it fast (acceleration)

We make the entire graphics pipeline programmable for pixels and vertices


Page 42: Password cracking guest lecture

The new kids on the block: GPU – history of graphics (cont.)

Post 2000:

We want realistic colouring (pixel shading)

We want realistic surface (bump mapping and anti aliasing)

We want it fast (acceleration)

We make the entire graphics pipeline programmable for pixels and vertices

Single Instruction, Multiple Data

Highly parallel

Page 43: Password cracking guest lecture

The new kids on the block: GPU – Hardware layout

ALU / CORE: Arithmetic Logic Unit: digital circuit doing the logic

Control: dispatcher, keeping track of operations and memory locations. On GPU a thread dispatcher also exists for thread creation and finishing

DRAM and cache: fast and extra fast memory

Page 44: Password cracking guest lecture

The new kids on the block: GPU – Hardware layout

Multiprocessor

All cores/threads

Thread dispatcher

SIMD -> Single Instruction on Multiple Threads

One instruction on all(!) threads, just don’t branch

Multithread programming is hard, thread dispatcher takes care of a lot

Page 45: Password cracking guest lecture

The new kids on the block: GPU – Hardware comparison

CPU: 4-16 cores at 3GHz

Cell: 7 cores at 3.2GHz

Nvidia GTX295: 240 cores per GPU (2 GPU’s) at 576MHz

ATI Radeon HD 7970: 2048 cores at 1GHz

Nvidia Fermi: 512 cores at 700MHz

Nvidia Tesla C2050 (high performance computing, no display capability): 448 cores at 1.15GHz

Page 46: Password cracking guest lecture

The new kids on the block: GPU – Password cracking

API is via CUDA or FireStream

Reprogramming your code is relatively easy

Parallelising your functions/threads is also made easy

OpenCL: GPU + CPU

CUDA and OpenCL are heavily(!!) developed, getting stable

Hardware is heavily(!!) developed, prices drop

Many tools already exist

Page 47: Password cracking guest lecture

The new kids on the block: GPU - Disadvantages

Support of hashes is very limited

Yes a lot of tools, but they mostly do MD5, SHA1 and NTLM

Hard to scale your hardware

Power, motherboard, casing, etc

No/limited support for distributed cracking

Existing tools not stable and hard to automate

Page 48: Password cracking guest lecture

Recent changes

Page 49: Password cracking guest lecture

Recent changes

Ways of distributing cracking power

Cryptohaze (proper network distribution built-in)

oclHashcat-plus

Virtual Open Cluster + oclHashcat-plus

Advances in cracking

21% reduction in SHA1 calculations

Page 50: Password cracking guest lecture

Putting the theory together

Wrap-up

What we do

What we really want

Page 51: Password cracking guest lecture

Putting the theory together: Wrap-up

Some new architectures with awesome power and limitations

But, we do password cracking:

Brute force is only part of the game

cracking strategy, dictionary, rainbow tables and then brute force

It needs to be stable

Useless if we still can’t crack the 9 character NTLM

Page 52: Password cracking guest lecture

Putting the theory together: What we do

Local cracking on pen testers’ laptops

Central lab facilities

GPU cracking server

CPU cracking cluster

Page 53: Password cracking guest lecture

Putting the theory together: What we do – cracking cluster

John the Ripper

Allows for brute force and dictionaries

Patched with tons of hash algorithms

Patched with Multi Process Instruction

~70 CPU cores over 1 server and 30 desktops

Page 54: Password cracking guest lecture

Putting the theory together: What we do – cracking cluster

[Image removed]

Page 55: Password cracking guest lecture

Putting the theory together: What we do – what we really want

[Image removed]

Page 56: Password cracking guest lecture

Research projects

Distributed Password Cracking Platform – the final step

Feasibility of attacks on weak SSL ciphers

Building a more resilient TOR

We encourage different ideas and topics

To give you an idea, in the past we have supervised: Security of software update mechanisms, RFID in garbage disposal systems, Smart Metering systems, Security of browsers, Security of car alarms, GPU password cracking, Synergy of Social Networks, Passive LAN information gathering, DMA in Metasploit, etc.

Page 57: Password cracking guest lecture

Questions?

Page 58: Password cracking guest lecture

Marc Smeets MSc CISSP CISA, KPMG IT Advisory, [email protected]