OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
RE: Craking Serv-u passwords stored in .ini file.

From: M. D. (nekromancerlycos.com)
Date: Fri Sep 03 2004 - 02:40:10 CDT


Hi Michael,

I'm not referring to any high-tech about MD5 collisions. Simply to good old password "cracking" by hashing and comparing.
In the specific case of Serv-u, and according to the link I provided, the password is salted with a nicely shown salt of 2 characters (the 2 first characters in the string stored in the .ini file), so using any cracker that allows you to specify the first 2 characters of the passwords to try will really help a lot.
If you use Lepton's Crack you have the functionality to prepend these 2 characters to all the words in a dictionary (or to anything generated by the bruteforce mode), hash that and compare. LCrack also support the "cracking" of pure MD5 hashes, not the MD5 implementation of Linux passwords (use John for that until we decide to add support for it to LCrack).

I just look at the fact that people DO use stupid passwords if they are not enforced to use good ones. My experience is that with a good dictionary, some permutations and tricks, and bruteforcing of the short ones, more than 30% of passwords in use by normal users are cracked (and I'm being very conservative with my figures...), THE ALGORITHM USED DOESN'T MATTER ;-)

I never said anything about MD5 being a weak algorithm, or anything about the relative security of Serv-u. Now I'll say something ;-)
In the link I provided in the first post you can read:

========================================================
1) A random salt of (2) letters is created using the characters a..z
(lowercase)

2) The salt of (2) letters (i.e. "ab") are appended to the beginning of
the password entered by the user (i.e. "jlmess" becomes "abjlmess")

3) The "new" password of "abjlmess" is now encrypted using MD5
encryption (i.e. "751C9D206E2C118C9B597A4640AFA8A1")

4) Now the salt of (2) letters (i.e. "ab") is appended to the front of
the MD5 hash created above (i.e. "ab751C9D206E2C118C9B597A4640AFA8A1")
========================================================

This is vulnerable to a dictionary or bruteforce attack in which you prepend the salt. You get the salt from the first 2 characters of the string in the .ini file (for example "ab"), then your attack will hash the following words:

     abacapulco
     ...many words...
     abzero

And the hash obtained from these words will be directly compared to the hash in the .ini file minus the first 2 characters.
This is not much stronger than not using salt at all. It's not a very clever implementation of a salt (in fact I think it sucks, but I'm too polite to say that ;-)

Of course you need a password cracker that allows you to specify the first 2 characters as FIXED, and this is exactly what you can do with LCrack, either by the use of the REGEX functionality or by using the prepending functionality in the latest revision (both can't be used at the same time).

It would have been much stronger, for example, the following:

1) hash the password, with or without prepending the salt, doesn't matter. I'm not using it in this example:
     password: test
     MD5 hash: 098F6BCD4621D373CADE4E832627B4F6

2) append the salt to the hash:
     new "password": ab098F6BCD4621D373CADE4E832627B4F6

3) hash the resulting string:
     new MD5 hash: BDF3BAAC3C947956A57CFA97310B5DE0

4) append the salt to the last hash if you like, but I don't see any particular reason to do so

OK, that's it for now.
Enjoy.

Nekromancer

Michael V Scovetta wrote:
>
> Nekro--
>
> Maybe I'm just ignorant here, but if you are referring to the recent
> collision attacks on MD5, how does such an attack compromise serv-u
> security? Being able to create two strings that hash to the same value
> is orders of magnitude easier than finding a string that hashes to some
> particular hash value.
>
> From what I see, the serv-u hash security is weak not because of the
> weakness of MD5 or any other hashing algorithm, but rather because a
> simple dictionary attack (performaed 26^2 times) would be more effective
> than attempting a preimage attack on the final hashed value.
>
> If there's something here that I'm not getting, please let me know.
>
> Regards,
>
> Michael Scovetta
>
>
>> Dear colleagues,
>>
>> Googling around shows THIS:
>>
>> http://www.cat-soft.com/serv-u-list/08%2014-Apr-99%20To%2005-Aug-02/msg0
>> 9499.html
>>
>> With that information and any good MD5 hash cracker (Lepton's Crack
>> comes to mind, but feel free to chose any other, I'm a bit biased being
>> one of the authors ;-) I think that you can try to bruteforce these
>> passwords.
>> Hope this info helps.
>> Cheers,
>>
>> Nekromancer
>>

--
_______________________________________________
Find what you are looking for with the Lycos Yellow Pages
http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------