Showing posts from 2008

More Language Issues

But this time it's with English. I've been working on several conference papers, (hence the scarcity of posts here), and one problem I keep running into time after time is the lack of standard terminology when it comes to password cracking. Here are some examples of that: 1) What exactly is a passphrase? Would 'manbearpig' count as a passphrase? How about 'superdude'? What about passwords created by the first letters of a phrase. For example, "To be or not to be" = '2bo!2b' Should the above example be called a password or a passphrase? Can the term password and passphrase be used interchangeably?  2) What exactly is covered by the term 'Brute Force Attack'? If you try all combinations where the first four characters are lowercase letters, and the last two characters are numbers, is it a brute force attack? Side note, I'm a fan of the term 'targeted brute force attack' for the above option. I've seen 'indexed attack&#

How do you say "Excuse Me" in Canadian?

As a follow up to my earlier post on secure coding, I just wanted to talk about another thing that has been giving me fits: Coding foreign language support. Normally this isn't something most people have to deal with, but a lot of the password lists I'm parsing and cracking are non-English. First some background. The standard default scheme to hold character information, (such as an 'a') is ASCII otherwise known as the "American Standard Code for Information Interchange" (might show up in a game of Trivial Pursuit). As you can tell from its name, ASCII wasn't designed to be able to represent non-English characters. In fact, it can only represent 128 different characters, including control characters (such as return, space, etc). To add support for multiple languages, (while being backward compatible with ASCII), another standard was developed. It's called UTF-8, otherwise known as Unicode Transformation Format, (You'll never need to know the full n

The Limits of Rainbow Tables

In a standard offline password cracking attack you have a hash that you are trying to crack, (for example 7c6a180b36896a0a8c02787 eeafb 0e4c), and you need to guess the password that generated it, (in the above case it would be 'password1'). To do this you make a lot of guesses, hash them and then compare the guess's hash to the hash you are trying to crack. If they match, you have "cracked" the password. What this means is that you often spend a majority of your time generating hashes. Since the MD5 hash of 'password1' will always hash to 7c6a180b36896a0a8c02787 eeafb 0e4c though, some smart people thought it would be a great idea to make all our guesses, hash them, and then save the results. That way when we want to crack a password, we just do a lookup on our table of precomputed hashes. A defense against this is to use a password "salt" which is a random value added to the password before it is hashed. For example if you salted the password

Quantum Snake Oil

Seeing things like this happen makes me sad about the security industry: Massive Quantum Network Unveiled I could devote an entire blog just to debunking Quantum Cryptography. Back in 2005 I worked with a team to evaluate if Quantum Cryptography was a technology that was worth investing in. My recommendation was a resounding no. Since then I have to say that my answer hasn't changed. First some background. To get a general understanding of Quantum crypto, you need to know that it works on the idea of probability. If Bob sends a message to Alice she will only be able to receive 50% of that message. If Mallory is sitting in the middle and intercepts the message, he also only gets 50% of the message, but due to the fact that Bob is sending photons instead of 1's and 0's Mallory can not resend the entire message to Alice. So the best Mallory can do is send 50% of the message on, and then fill in the other 50% with random gibberish. This means that Alice will only be able to get

Password Cracking Geekiness

Since I'm stuck in the terminal on my way to Boston I figure I might as well be contrarian and post about something besides the stupidity of Airport security.  On that note though, why we as a society haven't risen up and revolted against having to take our shoes off I will never know... There are really two approaches to dictionary attacks in password cracking.  It's kind of appropriate that John the Ripper (JtR) and Cain and Able (C&A) take different sides in that divide considering their user-bases get along about as well as Mac and Windows users.   As you probably know, in a standard dictionary attack you take dictionary words and mangle them in a predefined way.  For example you take the dictionary word "password" and turn it into "P@ssWord99".  Where the two approaches differ though is in what order they apply the mangling rules to dictionary words. The first approach, which JtR takes, runs through the rules in order.  It applies each individua

Secure Programming

I write most of my code in C and occasionally C++. I know Perl, (or Java), would be better in many cases but all my programming classes, (the school kind), require C so that's what I'm banging out most of the time. Add to that the fact that most password cracking programs are written in C/C++, ( JtR written in C), (L0 phCrack written in C), ( rcrack written in C++), (Access Data's PRTK's cracking engine is written in C), so C tends to be my language of choice. Well, today I came smack up against the fact that the strnstr () function isn't widely supported across platforms. Yes, I know the "n" functions aren't much better than the other string functions. Heck, I've had more than enough segfaults even when I thought I was using them correctly. At the same time though, they are "easy" to use and supported everywhere, (with the exception of strnstr ). I know about the "l" functions, but once again they are mainly used on OpenBS

Don't say I didn't warn you...

Statement of Goals For a long time I've kept an e-mail list of friends where we would discuss security issues, both computer related and not. With my password cracking webpage starting to see some traffic , I figure I might as well move some of my ramblings from bar napkins to the internet . Not that's an improvement mind you, but I'm always worried about finding myself in an echo chamber and I would really like some feedback. That, and the remote-exploit forums aren't always the best place to post random ideas. What You Can Expect Infrequent posts first of all... But most of my posts will also probably center around my current research in password cracking. I'm interested in network security and debunking bad crypto as well, though I know enough to realize I personally can't do good crypto . On that same note, I'm willing to admit that there's a lot about computer security I don't know so please take everything I write with a grain of salt.