Major Marcell ([email protected]) Hacktivity 2010 WRITING YOUR OWN PASSWORD CRACKER INTRODUCTION + AGENDA Anatomy of password hashing  Source code analysis example (Apache Derby)  Binary analysis examples (Sybase)  Writing your own cracker  Speedup  Knowledge: programming, cryptography PASSWORD HASHING STORING PASSWORDS User input text Generate random bytes Password Salt Format(Password, salt) Generate hash Store(hash, salt) User database in DB table or file CHECKING PASSWORD User database in DB table or file User input text Password Lookup(salt, hash) Format(Password, salt) Salt Generate hash Generated hash Stored hash Compare(Generated hash, Stored hash) Yes User logged in Identical? No Kicked out HOW/WHY CRACKING PASSWORDS? Security audit  Pen-test  Privilege escalation  Get a cracker tool…  What if there is no cracker available? Apache Derby Password hashing algorithm before CVE-2009-4269 SOURCE CODE ANALYSIS WHAT IS APACHE DERBY? Open source Java DB  Small footprint (<3MB)  Version 10.5.3.0 (released August 21, 2009)  Modes of operation:  Client-server  Embedded   Password encryption options: Cleartext in file  Hashed in DB  derby.authentication.provider=BUILTIN PASSWORD HASH ALGORITHM IMPLEMENTATION protected String encryptPassword(String plainTxtUserPassword) { if (plainTxtUserPassword == null) return null; MessageDigest algorithm = null; try { algorithm = MessageDigest.getInstance("SHA-1"); } catch (NoSuchAlgorithmException nsae) { // Ignore as we checked already during service boot-up } algorithm.reset(); byte[] bytePasswd = null; bytePasswd = StringUtil.toHexByte( plainTxtUserPassword,0,plainTxtUserPassword.length()); algorithm.update(bytePasswd); byte[] encryptVal = algorithm.digest(); String hexString = ID_PATTERN_NEW_SCHEME + StringUtil.toHexString(encryptVal,0,encryptVal.length); return (hexString); } public static byte[] toHexByte(String str, int offset, int length) { byte[] data = new byte[(length - offset) * 2]; int end = offset+length; for (int i = offset; i < end; i++) { char ch = str.charAt(i); int high_nibble = (ch & 0xf0) >>> 4; int low_nibble = (ch & 0x0f); data[i] = (byte)high_nibble; data[i+1] = (byte)low_nibble; } return data; } ??? ALGORITHM IMPLEMENTATION/2. text T ASCII HEX 54 65 73 toHexByte 05 e s t 1 74 31 32 0 05 07 1 03 07 2 04 03 hash 05 i 04 06 bytePasswd 2 06 07 07 03 3 4 01 03 02 03 02 5 concat( 0x3b60, toHexString( SHA1(bytePasswd) ) ) … CONSEQUENCES  ASCII table (source: http://ascii-table.com/) ASCII(A) = 0x41 Sample hashes: APASS: BPASS: CPASS: DPASS: EPASS: FPASS: GPASS: HPASS: …  3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587 Only the higher 4 bits used from password characters, except last one CRACKING: BRUTE FORCE Character-set: 26 upper+ 26 lower + 10 digit  8 character passwords  62^8 ≈ 2 * 10 ^ 14 Nvidia GF 8800 GT – 21 days  After toHexByte() 6^8*16 ≈ 2 * 10 ^ 7 Nvidia GF 8800 GT – 0.23 sec  Ratio = 1/8124628 FIX Apache.org notified in December 2009 Vulnerability CVE-2009-4269  Fix released in May 2010 Derby 10.6.1.0  http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269 Bug fixed  BUILTIN authentication: not recommended in production DBs  Sybase ASE (Adaptive Server Enterprise) RDBMS BINARY ANALYSIS REVERSE ENGINEERING Live analysis (Debugger, Monitoring Tools)  Off-line analysis (Disassembler)  Concept:   Get the big picture  Create a theory/model  Test SYBASE ASE  Sybase "Adaptive Server Enterprise“ Runs on Linux, UNIX, Windows and MacOS X Market share: 4.  Cousin of Microsoft SQL Server: 1994: Microsoft bought the source  Main releases:     12.5.x (2001) – still in use at some companies 15.0.5 – latest version, evaluation downloadable Password Encryption:   “SYB-PROP” “SHA-256” Live CODE Analysis SYBASE “SHA-256” HASH LOGIN INFORMATION SAMPLE WHERE TO START? Information gathering  Search for an entry point   User input  Program output  System call  Known constants AVAILABLE INFORMATION  http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infoce nter.dc31654.1502/html/sag1/BCFDGIFC.htm POSSIBLE ENTRY POINT MEMORY BREAKPOINT Search for the constant (debugger helps)  Byte order is reversed: search for 0x67E6096A (h0 in the source)  FINAL INSTRUCTIONS OF HASHING FOUND CALL STACK THE CALL OF HASHING FUNCTION FOUND PYTHON CODE - TEST RECONSTRUCTION  Steps: 1. 2. 3. 4. 5.  UTF-16 conversion (Big Endian) Append 0x00 bytes to the length of 510 Append the salt (8 bytes) Generate SHA-256 hash (32 bytes) Result = 0xc007 + hex(salt) + hex(hash) Cracker: “sybcrack” http://marcellmajor.com  OpenSSL SHA256 implementation  worauthbf source code (http://soonerorlater.hu)  OFF-LINE Analysis “SYB-PROP” HASH SYB-PROP: HOW? Old Sybase versions not available  Current version is 15.0.5   using “SYB-PROP” is not allowed  old password hashes only in 15.0.0 or 15.0.1 I have no access to old an Sybase DB  Some companies still use Sybase ASE 12.x !  DOWNGRADE VERSION 15.0.5 TO 15.0.[01] AFTER DOWNGRADE INFORMATION? ENTRY POINT Debug near the code computing SHA256  After some debugging another call found   Output: 64 bytes  last 28 bytes -> Old hash Block cipher  Not DES  Not AES  No specific constants found  OFFLINE ANALYSIS IDA Free 4.9  Symbols included -> function names  OUTLINE OF FUNCTION CALLS (MINDMAP) password meta_keysch() 64 bytes meta_encrypt() 64 bytes META_ENCRYPT() Input: 64 bytes  Output: 64 bytes   Last    28 bytes -> hash assembly instructions: ~ 80 function calls: 5 (conditional) jumps: 7 CRYPTO IDENTIFIED FEAL string constant FEAL  Fast data Encipherment Algorithm  NTT in 1987  replacement for DES  Feistel networks  key scheduling  encryption/decryption  FEAL-4, FEAL-8, FEAL-N, FEAL-NX, FEAL-32X  number of rounds: different  key size: different  Known vulnerabilities -> not recommend FEAL VERSION IN SYBASE? Number of rounds  Key schedule size  FEAL in Sybase:   Key:  Key schedule:  Output:  Conclusion: FEAL-8 8 bytes 32 bytes 8 bytes STRING CONSTANT FUNCTION META-ENCRYPT STRING CONSTANT key “Q:Whydid” “nceonthe” “jar?A:Be” … input FEAL-8 ENC. ROUNDS key blck1 ROUND RESULTS “theflyda” input FEAL-8 blck2 res_blck1 key blck3 res_blck2 … input FEAL-8 … res_blck3 meta_keysch() result blocks … res_blck8 META_KEYSCH() Input: password  Output: 64 bytes     assembly instructions: ~450 function calls: 15 (conditional) jumps: 29 META KESCH – ROUND SALT salt byte MIXING BYTES input bytes (expanded password) salt byte 1. ( rand() >> 8 ) % 0xFF output bytes 1. 2. 3. 2. 4. 3. 5. 4. 6. 5. 7. 6. 8. 7. 8. FUNCTION META_KEYSCH OPERATION   ROUNDS: 8 Initialization:     XP -> expand password with 0x1D bytes to 57 bytes seed number = system time -> 1 byte PRNG init: “stdlib.h” / srand(seed); Rounds:    round salt byte = rand() -> 1 byte ROUND KEY:  first round  other rounds MIX( salt byte, XP[first block] ) buffer = XP[ (round – 1) * 8 + 1 ] MIX(salt byte, buffer) result[ (round -1) * 8 ] RESULT   first 2 rounds - FEAL(round key, const_str[seed % 0x30 + 1]) other rounds - round key itself META_KEYSCH() ROUNDS eXpanded Password XP[ 0 ] round input block round salt XP[ 1*8 + 1 ] round input block round salt 8 bytes MIX round input block 1 byte round salt MIX round input block const_str [ seed % 0x30 ] round result RES_BLCK #1 8 bytes MIX 1 byte MIX const_str [ seed % 0x30 ] input FEAL-8 round salt 8 bytes 1 byte key … XP[ 2*8 + 1 ] … 8 bytes 1 byte XP[ 0*8 + 1 ] input key FEAL-8 round result round result RES_BLCK #2 RES_BLCK #3 RESULT BLOCKS round result RES_BLCK #4 … RECONSTRUCTION FEAL-8 specification: “Applied cryptography” by Bruce Schneier  C source code  http://tirnanog.ls.fi.upm.es/NoSeguro/Servicios/Software/ap_crypt/indice.html Reconstruction not accurate  Sybase FEAL-8 implementation:   FIX key + FIX input -> output?  results(“Sybase”) ≠ results(“official specification”)  key schedule: only the first 4 bytes identical WHY NOT WORKING? Sybase FEAL-8 omitted a step  in the key processing part  U(-2) is not updated, U(i-3) remains 0 Source: “Handbook of Applied Cryptography” by Menezes, van Oorschot and Vanstone SOURCE CODE STRUCTURE OF A SYB-PROP HASH 0xd405c8a83114cf59fe510d92c7e90c37f2741e0a04f70af14d9bd8a21f46 hash: last 28 bytes from meta_encrypt() result hash type indicator seed for srand() OWN PASSWORD CRACKER HOW A PASSWORD CRACKER OPERATES? wordlist SMART local, personal , company related transformation, permutation format the passwords and salt generate passwords for testing generate hashes Markovchain brute-force: full search in the password space compare the result hash with the original one FUNCTIONALITY  Multiple passwords simultaneously  audit practice: n*100 passwords Session handling  Customized character set  Customized permutation rules  CPU GPU FPGA Hardware implementation COMPARISON OF TECHNOLOGIES CPU Single Instruction Multiple Data (SIMD) Intel x86/x64: -8/16 * 128 bit XMM registers -SSE (Streaming SIMD Extensions) instruction set Data pool processing units PU_1 PU_2 PU_3 PU_4 Result pool … PU_N GPU SIMT (Single Instruction Multiple Threads) Host PC mainboard CPU accessible RAM ~ n * 1GB VGA card mainboard GPU accessible Video RAM ~ n * 256MB GPU on-chip memory 16/32kB shared MEM 8/16/32kB register MEM shader cores = stream cores = CUDA cores C_1 C_4 C_2 C_3 … C_N Each one executes the same kernel (code uploaded to the GPU) CPU VS. GPU   Raw estimate for computing speed : raw GPU performance/raw CPU performance ~ 3-10 May vary depending on the specific application # of cores SAMPLE GPU CRACKER  CUDADBCRACKER  NVIDIA CUDA  MSSQL, Oracle11g hashes  simultaneously cracks passwords  session handling  Source code/Executable: http://marcellmajor.com PROPRIETARY HARDWARE  ASIC (Application Specific Integrated Circuit)  Expensive setup (>1,000,000 USD)  Up to 6-10 times faster than FPGAs  FPGA (Field Programmable Gate Array)  ASIC prototyping  Computing PROPRIETARY HARDWARE/2.  ASIC/FPGA = faster bruteforcing than CPU/GPU BUT  Custom crypto algorithms?  Features?  Wordlist, permutations?  Session handling?  Simultaneous passwords? CONCLUSION Reverse engineering is feasible  Security by obscurity: useless  Sample source code helps in development  Every technology has some:   advantages  disadvantages THANK YOU!