Friday, November 1, 2013

Can someone be targeted using the Adobe breach?

Note: As a professional courtesy to those at Adobe who are doing their absolute best to mitigate this breach, I have partially redacted all full hashes and email addresses from this blogpost, besides those found in the image published by arstechnica.com.

We all know about the recent 153 Million account dump from Adobe. As arstechnica showed, the format looks something like this:

Image source: http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/

As you can see, there's some sort of ID number, the email address, the encrypted password (which from the arstechnica article we now know is 3des) and the password hint.

Password hints are great and all, but they can be unreliable, unclear, or flat out wrong.
HOWEVER, when you have thousands of people using the same password (same encrypted string) looking at all of those password hints together can make the cleartext password painfully obvious.
For example. Let's get the most common encrypted password strings from the dump (with numbers on the left showing how many times they were used):

1911867 EQ7fIp*****=
 446144 j9p+********************==
 345833 L8qbAD**********CatHBw==
 211659 BB4e6X+b*************w==
 201569 j9p*****2ws=
 124248 dQ*****PYvQ=
 113880 7*****Veq8I=
  83409 PMDTbP**********FUvYGA==


Now let's take that first, most common password string, and go get all the users' hints who used that same password. Let's also uniq those and sort them by how popular that actual hint is:


One can reasonable guess what password corrisponds with EQ7fIp******=

Now let's see what else we can do with this. Let's use this same method to see if we can target an individual account in the Adobe dump. Funny enough, there's an entry for an account edwardsnowden@******mail.com.
6**58***-|--|-edwardsnowden@******mail.com-|-B***************CatHBw==-|-|--


Now let's see if any other people in the dump have the exact same password hash as this account, and if so then how many.
[jdustin@localhost passwords]$ grep B***************CatHBw==  cred | wc -l


Okay, let's grab those 207 the lines containing all accounts who used that same password, cut out just their password hints, and then sort them by how often that hint is in the list:
[jdustin@localhost passwords]$ grep B***************CatHBw==  cred | cut -d"|" -f5 | sort | uniq -c | sort -nr | head -n50


So, Metal? 74W on the table of elements? The usual Tung?
"tungsten" perhaps? Your guess is as good as mine. :)




Tuesday, April 23, 2013

Being a good internet citizen

A large percentage of breaches are discovered by having a third party mention to you that you're insecure. I would estimate it to be well over 50%.
Because of that, when I come across things that are vulnerable I typically try to let the company know so they can fix it. Most of these are simple things that are indexed by google that were not meant to be public (see this post on google hacking).

I sometimes get responses, but typically do not. The most common response is a simple thank you email. I've had less nice responses as well, such as people angrily demanding to know what my intentions were. No good deed goes unpunished.


Recently I sent an email to a company to let them know they had a misconfiguration that makes every file on their box viewable (with the permissions of the httpd user) by the entire world. Looked kind of like this:



Plus, everything on their box had been indexed by google. Imagine your backups and config files being freely down-loadable and searchable on google!


Even worse, there wasn't just one domain hosted on this vulnerable box...a reverse lookup of the IP showed that the server was hosting 576 domains!


So I sent them a simple email:

Attention Information Security,
I saw this site on google, and happened to notice that you appear to have a sym link in your document root that points back to / allowing access to your entire system through the webserver.
For example, your passwd file SHOULD NOT be publicly viewable.
http://XXXXXXXXX.com/x.txt/etc/passwd

Please let me know if you have any questions.
Thank you,

I received a response from them, which included this:
It's worth noting that /etc/passwd does not contain any sensitive information, and that although we do not widely publish our configuration, we do not generally consider it to be sensitive as it is relatively trivial to reverse-engineer by experimentation and observation. We conduct regular reviews of our platform's security and take extensive measures to ensure that our servers stay secure.

Huh. Okay.


Note: Names have been redacted to protect the ignorant.

Friday, April 19, 2013

All, I noticed a tweet by HD Moore today giving a shout out to this post written last week by Ed Skoudis. Very good read. Here's a link and an excerpt:

http://pen-testing.sans.org/blog/pen-testing/2013/04/08/when-offense-and-defense-become-one

"at sufficiently advanced technical levels, offense and defense sometimes merge and become one. Offensive techniques can be used to achieve defensive ends; defensive means can be used to achieve offensive ends; and, sometimes, the inherent technical skills of offense and defense are actually identical."


"Consider these examples:
  • Endpoint security suites: Have you ever pondered what these tools really are? With their integrated anti-virus, personal firewall, and host-based Intrusion Prevention Systems, they operate at a fairly low-level of most operating systems, hooking all kinds of system calls so that administrators can maintain control of the machine. Wait... that's a rootkit! The only difference between an endpoint security suite and most rootkits is the level of functionality and who controls it: good guy administrators or bad guys. So, we've got a multi-billion dollar segment of the infosec industry that is actually built on selling commercial rootkits, also known as endpoint security suites."
Ed Skoudis is a very dynamic teacher there at SANS, and I recommend his courses to everyone.

Thursday, January 31, 2013

Habit 1

I gave a presentation at a conference last year, and someone commented that if I have a blog called "the 7 habits of highly effective hackers", I should probably have a list of 7 actual habits on said blog. I guess that's fair.

So here we go starting with habit 1, which I promise will be the only non-technical habit of the 7.

Habit 1: Effective hackers know that the game they play IS the real world.
In a sentence; Effective Hackers understand the repercussions of their actions.
There's something about computer systems that causes many people to act in a way that they never would in real life. Some of us would never read a stranger's physical mail, yet would feel no guilt whatsoever about reading their email. We make silly excuses to justify why our online world is different than our real world. That person should have changed the default password on their router; they're stupid and deserve it. That company knows their environment/product is insecure, if they wanted to keep me out they'd have fixed it.

Think this one over. Although there's no CVE number for it yet, it is now being reported that human beings are vulnerable to having bricks thrown at their heads. All versions are affected, and easy methods for exploiting this weakness have reportedly been in the wild for some time now....Would anyone think that the public disclosure of this knowledge, would in any way justify them throwing bricks, and hurting others? Are we more justified because they should have known better?

This probably all sounds really preachy. I'm actually not trying to tell you that you should feel guilt for hurting others (that's between you and your own conscience). I AM trying to say you should understand the repercussions of your actions. If you post someone's PII on pastebin, someone, A REAL PERSON, will experience real grief over it. When you gain access to someone's network, it could mean real impact for that organization. Real people could lose their jobs over it. I'm not telling you to care, I'm telling you that you MUST understand.
You must do whatever you do with your eyes wide open. Know and accept all possible impacts of every scan, every exploit, every move.

Okay, gotta go. My shirt just got out of the dryer. I'm sure we're all familiar with MITM (Mythbuster In The Middle).




Wednesday, August 22, 2012

Thanks, and UtahSAINT Conference 2012


First off, I'd like to thank all those who have build on my proof of concept, Using twitter to build password cracking wordlist. Some of you have seriously taken it to the next level, and I applaud your efforts.

Including, but not limited to:
http://www.digininja.org/projects/twofi.php
http://blog.hacktalk.net/twitscrape/
http://www.damnsecure.org/?p=833
http://www.nathanv.com/2012/07/18/shell-script-use-twiter-and-bing-to-generate-wordlists/
Nicely done, effective hackers.

Now on to the main reason for this post.
I'll be presenting at the UtahSAINT Conference 2012, this upcoming Oct 9-12 in Saint George UT.
My topic will be "The 7 Habits of Highly Effective Hackers: Effective hacking techniques and countermeasures."

Other speakers include:
Kevin Young- whose unique passphrase cracking techniques helped his team take 2nd place at this year's "crack me if you can" contest at Defcon
Miles Johnson- Security Analyst at Utah State University (and my old mentor)
Special Agent Cheny Engtow- of the FBI
And many more...

If you're attending the conference or just in the area, swing by and say hello.
Until next time...

Wednesday, August 15, 2012

Passively Cable Tapping Cat5



When someone shows off a novel idea/solution they came up with, there are typically about a thousand people who rush in to say "You should have done it this way instead."  Then others who attempt to build on the idea, and make it easier and even cooler. In this post I will attempt the latter.

In the most recent edition of 2600, The Hacker Quarterly, there was a story entitled "BUILDING A CAT-5 CABLE  TAP" that details how to create a passive hardware cable tap using alligator clips. I love seeing stuff like this. The author came up with this idea, made it work, and posted it for all to share.

This past spring while in a server room with a friend/co-worker, we noticed a cable that ran through our cage that belonged to a different group within our company. We joked about cutting it, attaching a RJ45 end to each side, and sticking a hub on it. The conversation progressed to methods for doing this passively, without having to cut the wire. Soon we came to the same idea as the author, and decided we could use alligator clips.

Later on that week I was online reading about wall jacks and decided to give this a try. I picked up a cat5 end for 1.40 at home depot. I stripped a small length of the cat5 outer shielding, and punched the wires down into the wall jack. Make sure you use a tool bit that doesn't cut the wire on one side.







This worked great. The target machine didn't even drop a packet. Basically the exact same thing as using alligator clips, but much less stripping.

My hat is off to the author of the article. I hope you don't mind me expanding a little on your idea.

Wednesday, June 6, 2012

Cracking the 3.5 Million Password Hashes That Were Redacted

The release of millions of SHA1 hashes from linkedin.com has the internet all buzzing today... but then comes the news that 3.5 million of them have the first 5 characters redacted and replaced with 00000.
Well, if we don't have the entire hash we can't crack them... Oh wait, we still have the remaining 36 characters to do a comparison against.
So let's try this:
First, let's get just the hashes that start with the 00000. Looks like there are 3,521,180.


Now, for each line in our word list (WORDS.txt) lets calculate the SHA1 hash, chop off the first 5 characters, and compare that to our hashes list. If the partial hash is there, echo the password to the screen.
For those that can't see that, the command is:
for i in `cat WORDS.txt` ; do grep -q `echo -n $i | sha1sum |  cut -b6-41` SHA1-0s.txt  && echo $i  ; done



And boom, there are thousands of passwords scrolling down the screen.
Enjoy.