Wednesday, July 29, 2009

EliteHackers Data-set

If you haven't already heard, ZF0 just released their 5th installment of hacking the hackers, and boy is it a doozy. I was almost expecting to see my username/password show up there since it looks like the Cain&Able forum was hacked about a month ago. Still Mitnick, Kaminsky, and several other high profile hackers were completely 0wned.

I downloaded the data dump and have been perusing through it. Coming in at whopping 400+ pages long, it will make good reading on the airplane. Of course the part that really interested me was their coverage of cracking user passwords from the website. Apparently they grabbed around 24 thousand password hashes from the site and managed to crack 43% of them, (of course they assigned it a N00b score of 87% since they multiplied it by x2 to make it look better. I guess it's like assigning a "proof" to describe the alcohol content of liqueur). That being said, since they were salted hashes, that's pretty good. Unfortunately ZF0 only posted 1,000 of the cracked passwords and almost no un-cracked hashes which will make analysis of the set tricky; Kind of like reading a mystery novel told from the point of view of an untrustworthy narrator. That being said there should be enough data to be able to make some educated guesses about their actual attack pattern and input dictionaries they were using.

It should be an interesting Defcon. I'll post more on this when I have a chance.

Tuesday, July 28, 2009

Defcon 17

Just packing everything up and getting ready to head to Vegas. I'll be closing out the conference 4PM Sunday with my talk:

Cracking 400,000 Passwords, or How to Explain to Your Roommate Why the Power Bill is a Little High
Remember when was hacked in January and over 300,000 usernames and passwords were disclosed? Don't worry though, the hacker only tried to crack a third of them, (dealing with big password lists is a pain), and of those he/she only broke 24%. Of course the cracked password weren't very surprising. Yes, we already know people use "password123". What's interesting though is figuring out what the other 76% of the users were doing. In this talk I'll discuss some of my experiences cracking passwords, from dealing with large password lists, (95% of the list cracked so far), salted lists, (Web Hosting Talk), and individual passwords, (TrueCrypt is a pain). I'll also be releasing the tools and scripts I've developed along the way.
The talk itself is going to mostly focus on what these attacks mean to the defender and some of the different optimizations an attacker can use to increase their chances of cracking passwords given limited resources. Hopefully it should be a fairly fun talk. A preview copy of my slide deck can be found here.

Sunday, July 19, 2009

Pass-Phrase Input Dictionary

I could write some elaborate five thousand word post about this, but the following is fairly self explanatory. I created an input dictionary of all the phrases in wikiquotes for use in cracking pass-phrases. You can download it off my tools site here. The final wordlist has around 187k phrases in it. I limited the phrases to a maximum size of 140 characters since anything longer than a twitter quote probably won't be used in real life. On that note, anyone have any good ideas how to spider all the twitter postings?

A couple of things: First of all I only used the primary quotes, not the derivations, since it's fairly hard to automatically parse them out without bringing in a ton of garbage as well. Second, talking about garbage, I'm parsing user generated data so there are still some "artifacts" in the wordlist. Third, I left capitalization and punctuation in the actual quotes. If anyone wants a list with those removed please let me know. Also if you want a list that only contains the first letter of every word, I can do that as well.  Enjoy.

Friday, July 17, 2009

Keyboard Dictionaries

By far the most popular download from my dictionary based rainbow tables has been the input dictionary I created based on keyboard combos. It's been downloaded close to 2000 times which means about 1995 more people have downloaded it than read this blog ;) So of course I'm looking to improve on it. The original dictionary was created thanks to an abundance of free time and my own personal lack of carpal tunnel syndrom as I typed each entry into it. The problem of course was that I've since found out that there were many keyboard combos that I missed.

So that's why God, (or at least Solar Designer), created external moduals for John the Ripper. One of them simulates a keyboard layout so if you type

./john -stdout -external=keyboard

It will start to output different strings based on how close the keys are on your actual keyboard. Me being the lazy person I am of course decided to pipe the output of that into a file to create a new and improved "keyboard dictionary". The problem is I left it running and after a while started to wonder why it hadn't stopped. Checking on it, I found that the file it had been creating filled up over 18 gigs of disk space. That's not acceptable.

I really don't have anything else to offer right now, but I just wanted to give you a status update and let you know it's a problem I'm working on ;)