State of The Blog: 2010

By -
I know most people normally do this at the beginning of January, but like so much else I'm running behind ;) What I really wanted to do was give you readers, (all 10 or so of you now), an update on where I'm at, my goals for the following 6 months, and why my update schedule might be kind of wacky.

Goal 1: Graduate
Yes, I have been researching password cracking since August 2007, and as much as I love college, it's time to move on to the real world. Or I hope it's time, as I still have that pesky dissertation to write. Getting that done is my #1 priority right now, and to be honest I don't know how that will impact this blog. The dissertation itself will mostly cover my work developing a probabilistic password cracker, though I'll also be covering some of my other tools such as my dictionary based rainbow tables. I'm a little ashamed I haven't posted more about my probabilistic password cracker here since I've become a true believer in it. It's just that I've kind of enjoyed using this blog as an excuse to research other things, (there's only so much time I can spend talking about parsing grammars). With every addition I make to it, it gets meaner and nastier, and quite honestly I need to take the time to clean up the latest version and post it online. Here is a quick rundown of using a probabilistic approach:
  • This is a way to create password guesses. Aka, it works against salted hashes and full hard-drive encryption. It's not a rainbow table, and instead is designed to work with traditional password cracking tools.
  • Instead of using standard word mangling rules, it assigns probabilities to the various ways people create passwords. These range from dictionary words, ('password' is more common than 'zebra'), word mangling rules, (people tend to uppercase the first letter), specific replacements/additions, (aka dates are very common), etc. It even takes into account the password length, (aka people generally make passwords between 6 and 8 characters long).
  • It then uses these probabilities to create very fine grained word mangling rules on the fly based on probability order. By fine grained, I mean it will literally create millions of rules if you give it the chance.
  • The algorithm it uses is very fast, and extremely parallelizable, which is necessary for a password cracker.
  • Because of this, it becomes conceptually easy to create a customized attack profile for an individual target, (or group). You can create a custom dictionary for them based on kids names, important dates, files found on their computer, and then just give those values a higher probability. If there's a password creation policy for the site? No problem, just exclude rules that don't meet it, and/or only train the password cracker on similar passwords that meet those rules. The main problem going forward with all of this has been developing the GUI believe it or not.
  • I'm currently adding support for brute force as well, (hence my focus on brute force techniques over the last couple of posts). This way it will automatically switch between limited brute force and dictionary based attacks depending on the current probability of the guess it is working on.
I've been running it in head to head comparisons against existing password crackers, and it has been beating the socks off of them. In short, it generally will crack more passwords with less guesses than existing methods.

Goal 2: Get Some Work Done with Pass-Phrases
This actually was the original goal of my research. The main problem up till now is I haven't had many examples of pass-phrases, (beyond the 'AliceLovesJoe' variety). With the RockYou list though, that has changed, and I look forward to adding support for pass-phrases to my probabilistic cracker. There's a couple of attack methods I plan to test, ranging from a mad-libs approach to using pass-phrase input dictionaries.

Goal 3: Finish Up Some of These Dangling Posts
Going through my archives, there's a horrible amount of posts where I started talking about something, such as the ZFO dataset gathered from people in the security community, and never got around to posting any follow-ups. I realize that's something I need to change.

Goal 4: Work on a GPU Assisted Password Cracker
Most of the work is being done by another graduate student, which means this actually might get done and be relatively bug free. I'm very excited about this, as it will help move a lot of my research from the theoretical to actual implementation where it will help law enforcement officials. We're using OpenCL right now, (I know CUDA currently is faster, but OpenCL is much more portable), and we're initially targeting TrueCrypt, (though hopefully once we get the basic framework finished we can add additional encryption types).

Goal 5: No More Public Speaking for the Next Six Months
I really need to focus on actually doing stuff vs. talking about it. I'm also cutting down on the conferences I'm attending, though I'm making an exception for Shmoocon since I love that one. BTW, anyone interested in doing the Ghost in the Shellcode competition? My hacking skills are really lame, but I still love hacking competitions.

Goal 6: Finish up my Paper on NIST's use of Password Entropy
An academic publication on the investigation of the effectiveness of using entropy to justify password creation policies. While I have a lot of preliminary data already, I don't want to spoil my objectivity by posting my initial conclusions quite yet. The hardest part is the fact that password entropy is used as an average value across the entire password set, so finding the best way to fairly map the effectiveness of a real attack against it is tricky. Aka if following NIST's calculations it would take an attacker two years to crack a password via an online attack, but I find that an attacker could crack 5% of the passwords in an hour, what does that mean exactly?

Conclusion:
It should be an interesting year ;)

Comments

Post a Comment

Popular posts from this blog

Tool Deep Dive: PRINCE

By -
Image
Tool Name: PRINCE (PRobability INfinite Chained Elements) Version Reviewed: 0.12 Author: Jens Steube, (Atom from Hashcat) OS Supported: Linux, Mac, and Windows Password Crackers Supported:  It is a command line tool so it will work with any cracker that accepts input from stdin Blog Change History: 1/4/2015: Fixed some terminology after talking to Atom 1/4/2015: Removed a part in the Algorithm Design section that talked about a bug that has since been fixed in version 0.13 1/4/2015: Added an additional test with PRINCE and JtR Incremental after a dictionary attack 1/4/2015: Added a section for using PRINCE with oclHashcat Brief Description:   PRINCE is a password guess generator and can be thought of as an advanced Combinator attack . Rather than taking as input two different dictionaries and then outputting all the possible two word combinations though, PRINCE only has one input dictionary and builds "chains" of combined words. These chains can have 1 to N wo
Read more

The RockYou 32 Million Password List Top 100

By -
But first, a quick responses to one of the previous comments, (since it really did merit a front-page post). Tfcx posted: The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082 Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now. Now on to the main topic: Per Thorsheim wrote: I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twi
Read more

Cracking the MySpace List - First Impressions

By -
Image
Alt Title: An Embarrassment of Riches Backstory: Sometime around 2008, a hacker or disgruntled employee managed to break into MySpace and steal all the usernames, e-mails, and passwords from the social networking site. This included information covering more than 360 million accounts. Who knows what else they stole or did, but for the purposes of this post I'll be focusing only on the account info. For excellent coverage of why the dataset appears to be from 2008 let me refer you to the always superb Troy Hunt's blog post on the subject . Side note, most of my information about this leak also comes from Troy's coverage. This dataset has been floating around the underground crime markets since then, but didn't gain widespread notoriety until May 2016 when an advertisement offering it for sale was posted to the "Real Deal" dark market website. Then on July 1st, 2016, another researcher managed to obtain a copy and then posted a public torrent of then entir
Read more