password cracking research at fsu
TRANSCRIPT
Password Cracking Research at FSUSudhir Aggarwal, Matt Weir, Breno de MedeirosFlorida State UniversityDepartment of Computer ScienceE-Crimes Investigative Technologies LabTallahassee, Florida 32306October 21, 2010
Our Research
Assist Law Enforcement
Develop better ways to model how people actually create passwords
Investigate how we can make passwords more secure
FORENSICS
CRACKING PASSWORDS
I’M CRACKING PASSWORDS
The Plan
1.Obtaining the Data-sets
2.Probabilistic Password Cracking Improvements
3.Pass-Phrase Cracking
Two Types of Password Cracking
Online
- The system is still operational
- You may only be allowed a few guesses
Offline
- You grabbed the password hash
- Computer forensics setting
Cracking Passwords
Generate a password guess
- password123
Hash the guess
- A5732067234F23B21
Compare the hash to the password hash you are trying to crack
5
Dictionary based attacks
Password-cracking dictionaries may contain entries that are not natural language words, e.g., ‘qwerty’Dictionary based attacks derive multiple password guesses from a single dictionary entry by application of fixed rules, such as ‘replace a with @’ or ‘add any two digits to the end’Novel approach: Infer a probabilistic grammar for ‘mangling rules’ from a password dataset
6
Existing Password Crackers
John the RipperCain & AbleL0phtcrackAccess Data’s PRTKetc...
7
Focus of ResearchMost of our research focuses on how to make better password guesses
- Hash neutral. Aka you would create the same guesses regardless if you are attacking a Truecrypt or a WinRAR encrypted file
We are also exploring implementing faster hashing algorithms using GPUs.
- Target program specific. Aka the hashing that Truecrypt and WinRAR uses is different
Obtaining the Datasets
Obtaining Real PasswordsOriginally we were concerned that one of the main problems with our research would be collecting valid data-sets to train/test against
In reality, that hasn’t been much of a problem for web-based passwords
Hackers Like to Brag
The Most Recent List
RockYou.com was recently hacked
Over 32 Million, (yes million), plaintext passwords were publicly released.
The Soap Opera Around the Rockyou Hack
The vulnerability originally was publicly posted on the website www.darkc0de.com
It appears that multiple hackers used it to break into the site.
According to the security firm Imperva, many of the webmail accounts associated with those passwords have been taken over by spammers
The Soap Opera (Continued)
One Slovakian hacker named Igigi claimed credit for the attack, and set up a blog detailing other website hacks
He also started giving interviews to various news publications
He now has a facebook fan page with over 600 members...
Probabilistic Password Cracking
Rule Centric View of Password Cracking
Rules
Dictionaries
Ad-hocIdeas
YearsZip Codes
User Behavior
Ad-hocIdeas
Rule Based Optimizations
1.Append 4 Digits
Rules
User Behavior
Rule Based Optimizations
1.Append 1234
2.Append 4 Digits
Rules
1234
User Behavior
Rule Based Optimizations
1.Append 1234
2.Append 0000-1233
3.Append 1235-9999Rules
1234
User Behavior
Optimize
Exclude
Rule Based Optimizations
1.Append 1234
2.Append 1950-2010
3.Append 0000-1233
4.Append 1235-9999Rules
1234
User Behavior
Optimize
Exclude
Dates
Rule Based Optimizations1.Append 1234
2.Append 1950-2010
3.Append 0000-1233
4.Append 1235-1949
5.Append 2011-9999 Rules
1234
User Behavior
Optimize
Exclude
Dates
Exclude
Rule Based Optimizations
1. Append 1234
2. Append 1950-2010
3. Append 0000-1233
4. Append 1235-1949
5. Append 2011-9999
6. Capitalize the first letter, Append 1234
7. Capitalize the first letter, Append 1950-2010
8. Capitalize the first letter, Append 0000-1233
9. Capitalize the first letter, Append 1235-1949
10. Capitalize the first letter, Append 2011-999
11. Replace ‘a’ with an ‘@’, Append 1234
12. Replace ‘a’ with an ‘@’, Append 1950-2010
13. Replace ‘a’ with an ‘@’, Append 0000-1233
14. Replace ‘a’ with an ‘@’, Append 1235-1949
15. Replace ‘a’ with an ‘@’, Append 2011-9999
16. Uppercase the last letter, Append 1234
17. Uppercase the last letter, Append 1950-2010
18. Uppercase the last letter, Append 0000-1233
19. Uppercase the last letter, Uppercase the last letter, Append 1235-1949
20. Uppercase the last letter, Uppercase the last letter, Append 2011-9999
Finding the Correct Order
Which should we try first?
p@ssword1234
password8732
Probabilistic CrackingSome words are more likely than others
- password, monkey, football
Some mangling rules are more likely than others
- 123, 007, $$$, Capitalize the first letter
New Idea: Probabilities should be the focus Create a context-free grammar representing word mangling rules
Derive this grammar from a training set of passwords
Define probabilities for rewrite rules
Generate passwords in highest probability order
Two Stages
Training
- Construct the grammar
Cracking
- Use the grammar to create password guesses
Training our CrackerOur password cracker is trained on known password lists
This way we can quickly create attacks based on a target’s profile
28
Password StructuresPossibly, the most naive structure that can be inferred from passwords is the sequence of the character classes used
- Letters = L
- Digits = D
- Symbols = S
password12! --> LDS “simple structure”
29
The Context-Free Assumption
Context-free grammars lead to efficient algorithms, but simple structures are “too lossy” to allow for capturing sufficiently fine-grained human behavior in password choice in a context-free way
“97” as a password element (a date) is more likely than would be expected by the independent probabilities of ‘9’ and ‘7’
Some password lengths are preferred
30
Learning the Base structures
Extend the character class symbols to include length information
- password$12$ = L8S1D2S1
Base structures, while still very simple, empirically capture sufficient information to derive useful context-free grammar models from password datasets
31
Learning the Grammar (continued)
The next step is to learn the probabilities of digits and special characters
We record the probabilities of different length strings independently
Picks up rules such as 007, 1234, !!, $$, !@#$
32
Assigning Probability to Dictionary Words
By default we just assign a probability to each dictionary word of 1/nL
nL is the number of dictionary words of length L
Probabilistic Context-free Grammars
Derive the production rules from the training set
Derive the probabilities from the training set
S → L4D2 .50S → D1L3D1 .25S → L4D1S1 .25D2 → 99 .50D2 → 98 .30D2 → 11 .20L4 → pass .10S →* pass11 .5 x .1 x .2 = .01
Training our Cracker
35
Now to the CrackingAfter training, grammar can be distributed for purposes of password cracking (e.g., base structures can be distributed and the replacement tokens also)
Size of grammar when trained on the MySpace set
1,589 base structures (with probabilities)
4,410 digit components (with probabilities)
144 symbol components (with probabilities)
36
Requirements For the Next Function
Generate all possible guesses with no duplicates
Generates the guesses in probability order
Reasonable memory requirements
Comparable time requirements to existing methods
Able to support distributed password cracking
Pre-Terminal StructuresEssentially the base structure with all the productions except for the dictionary words replaced with terminals
S1 D2L3
%L399
D2D2
Prob. S1S1
Prob.
99 50% $ 60%
12 30% % 40%
33 20%
38
Size of Potential Search Space
Structure Number of Structure in the MySpace Training Set
Base 1,589
Pre-Terminal 34 trillion
Generating GuessesPop the top value and check the guesses: $dog99, $cat99, etc.
Create children of the popped value: $L333 (9.5%) and !L399 (6.5%) and push them into the p-queue
Pop the next top value
Continue until queue is empty
$L399 11%1
$L31 9% 1
L399$ 8% 1
L4 7% 1
L4$L4 7% 1
Targeted AttacksAssign higher probabilities to certain replacements
- Kids names
- Birth Years
- Zip Codes
Creating an Efficient AlgorithmAny password cracker algorithm must be:
- Fast
- Parallelizable
This is where we have spent a lot of our time
The MySpace List
Split it into a training list and a test list
-Training List: 33,561-Test List: 33,481
Results
Results
Cracked as Many Passwords as John the Ripper
Real World Results -MySpace List
Passwords Cracked Over Time
The Finnish List
Hackers broke into several sites via SQL injection15,699 Plain Text29,853 MD5 Hashes
Finnish List
Cracking Pass-PhrasesOne approach
1.Use an input dictionary of phrases
- It’s fun to try the impossible!
- ifttti
- itsfun2trytheimpossible
Cracking Pass-Phrases
2.Use a Mad Libs Approach
- Proper-Noun verbs a Noun
- Proper-Noun loves Proper-Noun
Cracking Pass-Phrases3.Use a full probabilistic approach
- Probabilistic Context Free Grammars originally were used for speech recognition
- Essentially this would be a smart brute-force options
Questions/Comments?Matt’s Research Blog
- http://www.reusablesec.blogspot.com
E-Mail Address
Dictionary Based Rainbow Tables
Original ResearchPrevious Rainbow Tables only supported brute force attacks
Developed a new indexing function for dictionary based attacks:
- Generic- Fast
Wrote and released the tool drcrack along with custom tables
Keyboard Combo TableNTLM 1-3 Keyboard Combos, NTLM 4 Keyboard Combo
Custom dictionary has 658 keyboard combos
Combines them to attack strong +15 character passwords
If you want the user to create a 15 character password some of them are going to use qwertyuiopasdf
Problems with collisions
Double Basic Rule
Supports NTLM
Creates a password and then doubles it
Password12Password12
Once again, attacking the users
Some users just type eight character passwords in twice
PassphrasesStill working on this one
Just use a passphrase input dictionary
Example passphrase
- !!It’s fun to do the impossible!
Eventually plan to add support for grammar generation
- Proper-noun + Verbs + a + Noun
Not Better, Just DifferentDoes not replace existing rainbow tables
Bruteforce attacks are still wonderful, don’t let anyone tell you differently
With rcracki’s hybrid tables you can use targeted brute force against fairly long passwords
Still for longer passwords, dictionary attacks may be the only feasible option