Friday, June 12, 2009

Cracking Web Hosting Talk

I'm working on completely redoing my tools page so hopefully I'll be able to start posting some new dictionaries, password cracking programs and scripts sometime this weekend. Enough site news, on to the post!

I've talked previously about cracking password lists from and the finnish78k list. Now I would like to discuss another list that I've been working on. Back in March, a site called "Web Hosting Talk" was compromised via a flaw in their backup server. The attacker then distributed a list containing user information, (usernames, e-mail addresses, and password hashes), to several file sharing sites.

I wasn't able to obtain a copy of this list, (and trust me, I tried), but I'm actually pretty happy about that as it means WHT was able to yank most copies of it offline quickly. What I wasn't happy about was the "advice" WHT gave their users regarding changing their passwords...

"Passwords are hashed with salt. It would be an unprecedented event to reverse engineer our passwords. I change my password periodically though, so maybe today is a good day for that."

That's like saying, "The building is on fire, but I can't imagine it burning down. Occasionally when there is a fire burning out of control I go outside. This might be a good time for you to grab some lunch, or whatever..."

Now there are a couple of things they could have done.
A) Force users to change their passwords when they logged on again
B) If the user logs on to the site from a different IP address then they normally do, prompt them with a "secret" question, or send them an e-mail with a new password. <--More secure, but a pain in the butt from a system admin side of things
C) Warn users they need to not only change their password, but change it on other sites they may have used it on <-Yah it's bad PR, but it's necessary

Honestly for a site like WHT, they probably should have gone with both options A and C, as B might have been overkill for the value of the site, (aka someone could log on a make a couple of posts or read private messages, but it's not like they store financial or medical data ... at least for a user to see).

So if I wasn't able to find that list, what have I been cracking? Well, when WHT reopened they apparently missed a backdoor the attacker had left in their system. About a week or two after the initial attack the hacker released another list containing all the user data. This time though the attacker also included Credit Card numbers, expiration dates, and the CCV number on the back, (which online retailers are not supposed to store). That's the list I actually stumbled upon. Full disclosure: when I found out I had downloaded stolen CC info I deleted those files as quickly as possible and had visions of FBI agents kicking down my door for the next week. Luckily the user info was stored in a different file.

The list contained 202111 unique user/password combos. The attacker also included a file talking about the attack which contained one very interesting fact, (among all the swearing and racist comments). In the time between the initial attack and the most recent one, only 1348 users, (counting system administrators), changed their password. That's less than 1% or the userbase (0.6% to be precise). To put this in perspective, according to the link above the list also included 2,218 credit cards, (the site was storing 9,561 credit cards but the hacker kept the rest of them to him or herself).

Assuming that this password hash was "impossible to reverse engineer" this wouldn't be a problem. The question of course was, how true is that statement? The first step was to find out what forum software WHT uses. A quick Google search revealed they use vBulletin. The next step was to figure out the function that was used to hash the passwords. Once again Google provided me with the answer:
  • MD5(MD5(Password).Salt)
Modifying the password cracker that I had used previously to attack's passwords, (I'll try to post it this weekend), I was ready to go. Of course, how should I test it? I mean WHT could have changed the hashing function to make it almost impossible to figure out. I could spend days/weeks trying to crack those passwords only to find out I was hashing it wrong... So I loaded up the password list and entered the guess "password" since I guarantee that a site with 200k+ users and no password creation policy at least one of the users is going to pick "password".

And .... nothing.

I didn't crack a single one. Feeling slightly less smug, I tried "Password123!", "password123", "monkey", "football", well you get the idea. Still nothing. At this point I was feeling really sheepish and had all sorts of scenarios going through my head. A couple of days later though I realized that the problem was I wasn't converting the first hash of the guess to its ASCII representation before rehashing it. Once I made that change, I reloaded all the password hashes, crossed my fingers and tried "password" again.

Yup, that did it. Watching several hundred cracked hashes flash across the screen was a sight to see. I had accomplished the "unimaginable" and reverse engineered their password hash using only Google and my horrible programming skills. Of course since then I've found out that I wasn't the only one. There already exists a 3rd party patch for John the Ripper. Also, over at, there is an entire forum devoted to cracking vbulletin and other forum hashes.

All I can think of is the image to the right. "Unimaginable! I do not think that word means what you think it means..."

Of course, once I started to launch my actual attack reality set in. But this post grows long and it's a Friday night so that will be left for another day ;)

No comments: