
How I cracked 30 staff accounts during my lunchbreak

The incident

A few weeks back at work we had an isolated incident in which a password was inadvertently exposed by a staff member. Luckily it was only exposed internally, and to a limited number of staff, so there was no real harm done apart from some slight embarrassment for the person whose password we saw. A password reset fixed the issue at hand. However, it got me wondering about password security.

At $dayjob we keep user accounts in an LDAP directory. It serves as the database for all user accounts, groups and a variety of other directory-related things: when staff join the organisation we add them to the directory, and the newbies can then log into our various systems. When a user changes their password, something we ask them to do when they first log on, the password is immediately hashed and only the hash is stored in the LDAP database. What this means is that the plaintext password is never exposed to HR, IT or any other staff. If we did look into the LDAP database all we can see is a string of seemingly random characters (the hash, which in OpenLDAP for example is prefixed with the name of the scheme that produced it, such as {SSHA} or {CRYPT}), something like: aHR0cDovL2JpdC5seS8ydk0wVWIyIGZvciBtb3JlIGluZm8K

The reason I'm explaining this is that when the password was exposed by the unwitting staff member I actually got to see a plaintext password, and I noticed that it was a dictionary word with two digits on the end, something like: Jacket01. Although this technically is an alphanumeric password with capitalisation, it doesn't take much computing power (or guessing) to crack the hash if it were ever exposed; in fact, a dictionary word with 3 random characters appended takes 9 seconds to crack on my Mac with no GPU processing.

The idea

I then became a little curious and decided to set up a test of our password security (well, our staff passwords). I took all of the password hashes we have in LDAP, found a dictionary wordlist I had lying around and ran a password cracking tool called hashcat over all of the hashes. I wanted to see how good (or bad) we were at choosing secure passwords. Out of about 440 hashes that I pulled from our LDAP tree I was able to recover 30 or so passwords which are too weak to consider safe and needed changing. (That happened a few weeks ago.)

The test I ran used a dictionary wordlist with some variation rules applied. The rules do things like capitalise letters, add numbers to the start and/or end of the word, and replace letters with look-alike numbers, for example: the letter o is replaced with a numeric 0 so the word 'password' becomes 'passw0rd'. This means that for each word in the wordlist I'm able to test a number of variations, each as a separate password attempt, so a wordlist of about 16,000 words gives me 480,000 individual candidate passwords. If I were to use a larger wordlist (easily done) or a longer list of variations (probably not necessary), I could likely guess more passwords. Note that none of this is brute force in the sense of trying every possible string: each candidate costs one hash computation, so anything built from a common word plus a predictable tweak falls in seconds no matter how 'complex' it looks on a password-policy checklist.
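To make the "word times rules" arithmetic concrete, here is an added example (my code, not part of the original post and not hashcat's own source) of a miniature hashcat-style rule engine: it implements the subset of hashcat's rule functions the post describes (capitalise, append/prepend a character, substitute a character), expands a wordlist through a rule list exactly the way hashcat's -a 0 -r mode does, and checks every candidate against OpenLDAP-style {SSHA} hashes. The wordlist, the rule list and the four "staff" hashes are constructed in the block from invented passwords; the salts are random, so the hashes differ on every run but the results do not.

```python
"""
Added example (not from the original post): a miniature hashcat-style
rule engine, showing how a wordlist is mangled into many more candidates
and how each candidate is verified against a salted LDAP {SSHA} hash.
All sample data below is constructed for illustration.
"""
import base64
import hashlib
import os

# Subset of hashcat rule functions (one rule per line, functions separated by spaces):
#   :       passthrough          c       capitalise first letter, lower the rest
#   u / l   upper / lower        r       reverse
#   $X      append character X   ^X      prepend character X
#   sXY     replace every X with Y
RULES = [
    ":",
    "c",
    "u",
    "c $1",
    "c $1 $2",
    "c $0 $1",
    "c $!",
    "so0",
    "c so0",
    "c sa@ so0",
    "c $2 $0 $1 $7",
]


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (space-separated functions) to a word, left to right."""
    for fn in rule.split():
        op = fn[0]
        if op == ":":
            pass
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "u":
            word = word.upper()
        elif op == "l":
            word = word.lower()
        elif op == "r":
            word = word[::-1]
        elif op == "$":
            word = word + fn[1]
        elif op == "^":
            word = fn[1] + word
        elif op == "s":
            word = word.replace(fn[1], fn[2])
        else:
            raise ValueError(f"unsupported rule function: {fn}")
    return word


def candidates(wordlist, rules=RULES):
    """Yield (word, rule, candidate) for every word x rule combination."""
    for word in wordlist:
        for rule in rules:
            yield word, rule, apply_rule(word, rule)


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} format: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, guess: str) -> bool:
    """Split the salt off a stored {SSHA} value and re-hash the guess with it."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(guess.encode() + salt).digest() == digest


def crack(hashes, wordlist, rules=RULES):
    """Return {hash: plaintext} for every hash that a rule-mangled word matches."""
    found, remaining = {}, set(hashes)
    for _, _, guess in candidates(wordlist, rules):
        for h in list(remaining):
            if check_ssha(h, guess):
                found[h] = guess
                remaining.discard(h)
        if not remaining:
            break
    return found


# Constructed sample: four hashes made from invented passwords. Three are
# reachable from the wordlist + rules; the four-word passphrase is not.
SAMPLE_PLAINTEXTS = ["Jacket01", "Passw0rd", "SUMMER", "correcthorsebatterystaple"]
SAMPLE_HASHES = [ssha(p, os.urandom(8)) for p in SAMPLE_PLAINTEXTS]
SAMPLE_WORDLIST = ["jacket", "password", "summer", "winter", "correct"]

if __name__ == "__main__":
    print(f"{len(SAMPLE_WORDLIST)} words x {len(RULES)} rules = "
          f"{len(SAMPLE_WORDLIST) * len(RULES)} candidates")
    for h, pw in crack(SAMPLE_HASHES, SAMPLE_WORDLIST).items():
        print(f"{h}  ->  {pw}")
```

The point to take from it is the cost model: every extra rule multiplies the candidate count, but each candidate still costs only one hash, so "Jacket01" is reached from "jacket" by a single rule (`c $0 $1`) while the passphrase never appears because no rule concatenates words.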

This is why having strong password entropy is important.

What makes a good password?

Having good password entropy (password strength) makes a good password. It doesn't just mean having an alphanumeric password; it means having a password that is difficult to predict and would require a lot of computing power to brute-force. In practice that means making it long enough, and unpredictable enough, that it cannot be guessed from a basic wordlist with a handful of mangling rules.

Unless you use a password manager you also have to remember it, and even then the master password you use to unlock the password manager needs to be memorable enough for you to recall. A useful tip when trying to create a password that is memorable for you, yet difficult to crack, is to take multiple words that you can remember, string them together and then add some capitalisation and replace some characters with numbers and special characters. The extra words add far more entropy than the substitutions do. Check out the graphic below, courtesy of xkcd.

Image from xkcd #936 (Password Strength): correct horse battery staple

There’s a neat website which can generate passwords for you using the method above: https://www.xkpasswd.net
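As an added example (my code, not the post's and not what xkpasswd.net runs), here is a passphrase generator in the same style together with the arithmetic behind the entropy argument. It puts the post's attack (about 16,000 words times roughly 30 variations) next to a four-word passphrase so the gap is visible in bits. The twelve-word list is constructed; the entropy figure depends only on the list size, so the numbers printed for a 7,776-word list are the ones that matter. The guesses-per-second rate used for the time estimate is an assumption, not a measurement.

```python
"""
Added example (not part of the original post): an xkcd-style passphrase
generator plus the entropy maths that explains why "word + two digits"
falls to a dictionary attack while several random words do not.
"""
import math
import secrets

# Constructed mini word list. A real list (e.g. the EFF large list) has 7,776 entries.
WORDS = ["correct", "horse", "battery", "staple", "jacket", "summer",
         "river", "candle", "orbit", "pencil", "wolf", "meadow"]


def passphrase(words, count: int = 4, separator: str = "-", digits: int = 2) -> str:
    """Pick `count` words with a CSPRNG, capitalise each, join them, append `digits` digits."""
    picked = [secrets.choice(words).capitalize() for _ in range(count)]
    result = separator.join(picked)
    if digits:
        result += separator + "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return result


def passphrase_bits(wordlist_size: int, count: int, digits: int = 0) -> float:
    """Entropy of `count` independent picks from `wordlist_size` words plus `digits` random digits."""
    return count * math.log2(wordlist_size) + digits * math.log2(10)


def dictionary_attack_bits(wordlist_size: int, rule_count: int) -> float:
    """Size, in bits, of a rules-based dictionary search: every word x every rule."""
    return math.log2(wordlist_size * rule_count)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a space of 2**bits at a given rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("example passphrase:", passphrase(WORDS))
    attack = dictionary_attack_bits(16_000, 30)        # the post's 480,000 candidates
    weak = passphrase_bits(16_000, 1, digits=2)        # one dictionary word + two digits
    strong = passphrase_bits(7_776, 4, digits=2)       # four words + two digits
    rate = 1e9                                          # assumed guesses/s, fast unsalted hash
    print(f"dictionary + rules search space : {attack:5.1f} bits")
    print(f"one word + two digits           : {weak:5.1f} bits")
    print(f"four words + two digits         : {strong:5.1f} bits")
    print(f"exhausting the four-word space  : "
          f"{seconds_to_exhaust(strong, rate) / 86400 / 365:,.0f} years at {rate:.0e}/s")
```

Note what the comparison does not say: the four-word figure only holds if the words are chosen at random from the list. Four words you picked because they mean something to you are a much smaller space, which is why the generator uses `secrets` rather than letting a human choose.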


Setting up the test

So, how did I actually crack 30 passwords? Well, you probably don't need to go to the lengths I did; however, I wanted results in minutes/hours rather than days/weeks, so I rushed it and took advantage of AWS's EC2, in particular the GPU instances.

Note: everything in this section assumes you kind of know what you're doing and that, if you get stuck, you're capable of searching Stack Overflow 🙂 It also assumes you have a list of hashes you want to crack and a dictionary wordlist to seed hashcat with. Two things worth saying explicitly: get written authorisation from whoever owns those accounts before you pull the hashes, and treat hashes.txt and hashcat's potfile (hashcat.potfile in the hashcat directory, where every cracked plaintext ends up) as sensitive data. Copy them over SSH only, don't leave them lying on the instance, and terminate the instance when you're done.

1 – Spin up the VM

Log in to your AWS console and spin up a g2.8xlarge GPU instance, making sure you specify Ubuntu 16.04 LTS (HVM). You don't need much disk space, so just accept the defaults. Make sure that your security group allows you access to the VM via SSH (ideally only from your own IP address) and that the instance gets a public or Elastic IP.

Grab the public IP address of your VM and ssh into it as the ubuntu user:

$ ssh ubuntu@<public-ip>

2 – Setup drivers to get maximum performance

You could totally skip this, but if you're paying around $3/hour for a VM then it makes sense to spend a minute getting the maximum performance out of the GPUs.

$ sudo add-apt-repository ppa:graphics-drivers
$ sudo apt-get update && sudo apt-get install nvidia-opencl-dev nvidia-cuda-dev p7zip-full linux-image-extra-virtual nvidia-370
$ sudo apt-mark hold nvidia-370
$ echo options nouveau modeset=0 | sudo tee -a /etc/modprobe.d/nouveau-kms.conf

Now open /etc/modprobe.d/blacklist-nouveau.conf with your favourite text editor (as root) and make sure it looks like:

blacklist nouveau
blacklist lbm-nouveau
options nouveau modeset=0
alias nouveau off
alias lbm-nouveau off

Update initramfs and reboot:

$ sudo update-initramfs -u
$ sudo reboot

Check that the nvidia kernel modules have loaded; this should return something:

$ lsmod | grep nvidia

Fine tune the GPUs:

$ sudo nvidia-smi -pm 1
$ sudo nvidia-smi -acp 0
$ sudo nvidia-smi --auto-boost-permission=0
$ sudo nvidia-smi -ac 2505,875

3 – Install hashcat

Go to: https://hashcat.net/hashcat and download the latest binaries (link at time of writing: https://hashcat.net/files/hashcat-3.6.0.7z)

$ wget https://hashcat.net/files/hashcat-3.6.0.7z
$ 7z x hashcat-3.6.0.7z

Now prepare your wordlist and your hashes: two separate plain text files, one word or hash per line. Upload them to the server (scp is fine), let's say into your home directory as wordlist.txt and hashes.txt. If your hashes come out of LDAP with a scheme prefix such as {CRYPT}, strip it so that hashcat sees the bare $1$... string; {SSHA} values are accepted as-is.

If you don't have a wordlist, it should be pretty easy to find one on any of the torrent websites out there. If you're desperate, post a comment below and I'll share one with you privately.

So now you've got your server, your wordlist and your hashes, along with hashcat ready to go. I'd recommend opening a screen or tmux session before kicking off the cracking process, so the job survives your SSH connection dropping:

$ tmux
$ cd hashcat-3.6.0/
$ ./hashcat64.bin -a 0 ~/hashes.txt -r rules/best64.rule ~/wordlist.txt -w 4

Just a word of warning: you will probably need to adjust the flags. hashcat assumes raw MD5 (-m 0) unless told otherwise, so tell it your hash type with the -m flag (eg: -m 500 for md5crypt, -m 111 for LDAP {SSHA}), and because it only handles one hash type per run, split mixed hashes into one file per type. When it finishes, ./hashcat64.bin --show -m 500 ~/hashes.txt prints the cracked hash:plaintext pairs from the potfile.
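Getting from an LDAP export to the files hashcat wants is the fiddly part of the procedure above, so here is an added example (my code, not the post's) that does it: it parses an LDIF dump, decodes the base64 attribute values LDIF marks with "::", strips the {CRYPT} scheme prefix, works out the hashcat -m mode from the hash format, and buckets the hashes into one file per mode. The LDIF is constructed; the hash values in it are placeholders with the right shape, not real credentials. The mode numbers are hashcat's documented ones for these formats.

```python
"""
Added example (not from the original post): turn an LDIF export of
userPassword values into hashcat-ready files, one per hash mode, since
hashcat cracks only one algorithm per run. All data below is constructed.
"""
import base64
import re
from collections import defaultdict

# hashcat hash-mode numbers for the userPassword schemes OpenLDAP commonly stores.
# {SSHA}/{SHA} values are given to hashcat unchanged; {CRYPT} values lose the prefix.
MODES = {
    "{SSHA}": 111,   # nsldaps: salted SHA-1, base64
    "{SHA}": 101,    # nsldap: SHA-1, base64
    "$1$": 500,      # md5crypt
    "$5$": 7400,     # sha256crypt
    "$6$": 1800,     # sha512crypt
}


def classify(value: str):
    """Return (hashcat_mode, hash_in_the_form_hashcat_expects) or None if unsupported."""
    if value.startswith("{SSHA}") or value.startswith("{SHA}"):
        scheme = value[: value.index("}") + 1]
        return MODES[scheme], value
    if value.startswith("{CRYPT}"):
        value = value[len("{CRYPT}"):]
    for prefix in ("$1$", "$5$", "$6$"):
        if value.startswith(prefix):
            return MODES[prefix], value
    return None  # {CLEARTEXT}, an unknown scheme, or a format this example does not handle


def parse_ldif(text: str):
    """Yield (dn, userPassword) pairs; LDIF base64-encodes values marked with '::'."""
    dn, pw = None, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if dn and pw:
                yield dn, pw
            dn, pw = None, None
            continue
        attr, sep, val = re.match(r"^([^:]+)(::?) ?(.*)$", line).groups()
        if sep == "::":
            val = base64.b64decode(val).decode()
        if attr == "dn":
            dn = val
        elif attr.lower() == "userpassword":
            pw = val
    if dn and pw:
        yield dn, pw


def bucket_by_mode(ldif_text: str):
    """Map hashcat mode -> hash lines; also return the DNs hashcat cannot take."""
    buckets, skipped = defaultdict(list), []
    for dn, pw in parse_ldif(ldif_text):
        result = classify(pw)
        if result is None:
            skipped.append(dn)
        else:
            mode, h = result
            buckets[mode].append(h)
    return dict(buckets), skipped


# Constructed {SSHA} placeholder: 20 zero bytes standing in for the digest, then the salt.
SSHA_PLACEHOLDER = "{SSHA}" + base64.b64encode(b"\x00" * 20 + b"salt1234").decode()

# Constructed LDIF. slapcat/ldapsearch emit userPassword base64-encoded ('::').
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "uid: alice\n"
    "userPassword:: " + base64.b64encode(SSHA_PLACEHOLDER.encode()).decode() + "\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=org\n"
    "uid: bob\n"
    "userPassword: {CRYPT}$1$saltsalt$placeholderplaceholder\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=org\n"
    "uid: carol\n"
    "userPassword: {CRYPT}$6$saltsalt$placeholderplaceholderplaceholder\n"
    "\n"
    "dn: uid=dave,ou=people,dc=example,dc=org\n"
    "uid: dave\n"
    "userPassword: {CLEARTEXT}notahash\n"
)

if __name__ == "__main__":
    buckets, skipped = bucket_by_mode(SAMPLE_LDIF)
    for mode, hashes in sorted(buckets.items()):
        path = f"hashes-m{mode}.txt"
        with open(path, "w") as fh:
            fh.write("\n".join(hashes) + "\n")
        print(f"{path}: {len(hashes)} hash(es)  ->  "
              f"./hashcat64.bin -m {mode} -a 0 {path} -r rules/best64.rule wordlist.txt")
    for dn in skipped:
        print("skipped (no crackable hash):", dn)
```

Entries that are skipped deserve a look of their own: a {CLEARTEXT} value, or a scheme you don't recognise, is a finding in itself, not just something hashcat can't consume.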

Disberse Saves Charities Money By Using Blockchain To Verify Donations

The Start Network, an amalgam of 42 national and international aid agencies, reported on July 11, 2017, that it is researching blockchain-based models for delivering humanitarian aid with fund management and distribution platform Disberse.

Among the project’s goals are to increase the rapidity of aid distribution and to infallibly trace transactions from donor to recipient. Ultimately, the blockchain technology would act as a monitoring system to ensure those in need receive the funds in question while simultaneously mitigating exchange rate-based losses.

In the current banking systems, high fees and transaction longevity present inefficiencies that can be costly to both the organizations providing aid and the individuals who need it. These issues are complicated by volatile exchange rates in countries wherein economic infrastructure is severely lacking, which is often the case in places marred by humanitarian crises.

Disberse combats the loss in exchange rates and intermediary fees. It completed a pilot program with UK-based charity Positive Women by which it reduced losses at delivery points for a Swaziland aid project to nil. Funds were tracked as they traveled from the UK to four Swazi schools by way of a non-governmental organization; the project's savings were enough to pay the annual fees for an additional three students.

Source: Disberse Saves Charities Money By Using Blockchain To Verify Donations – ETHNews.com

Golf Clap – 6 Hours & 45 Minutes Of Deep – March 2014

Props to Texas for the heads up on this one. A perfect one for my at work playlist.

Tracklisting:

Casino Times – Heart Strings
Vincenzo – Where You Are
Session Victim – Cow Palace
Johnny Fiasco – Aurora Borealis
Climbers – Equal Responsibility
John Mood – A Basement Romance
Shakes Milano – Awake (Vincenzo Remix)
Chaos In The CBD – Mariana Trench
Burnin Tears – Heartcore
Tom Flynn – With Flowers
NY House Authority – Apt1A (Nicholas Witness Remix)
Ian Pooley & Spencer Parker – Feel The Same
Pepe Bradock – Path Of Most Resistance
Iron Kurtis – Goma (Sansoda Remix)
Jimpster – Dangly Panther
Demarkus Lewis – Wipe Ur Mouth
HNNY – Kela
Cloud 9 – Do You Want Me Baby (Dusky Remix)
Washerman – It Ain’t Right Baby
Powel – Cloud City
Kyodai – Do You Wanna (Nacho Marco Remix)
Chris Malinchak – Leaving Tomorrow
Kink – Fish Feeling
Jimpster – Porchlight
Disco Kid ft. Malisha Bleau – Never Ever (Studioheist Remix)
Robert Babicz – What A Day
Ananda Project – Secret Sky
Franc Spangler – Forever & A Day
Les Macons De La Musique – No Time To Lose (Johnny Fiasco Remix)
Kerri Chandler – Climax 4
Desos – Girl You Look Good Tonight (Alex Agore Remix)
DJ Steaw – Sky Hunt
Fred Everything & Olivier Desmet – Tonight
Alex Agore – Take Me
Roland Nights – Breezin
Lovebirds – The Night
Atjazz & Julian Gomes – Overshadowed
The System – You Are In My System (Kerri Chandler Remix)
Omar S. – Thank You For Letting Me Be Myself
Mountal – Don’t Look Back
Chris Malinchak – These Dreams
Kenny Carvajal – Motor City
Copy Paste Soul – Blink
Acid Andee & Manjane – Untitled
Johnny Fiasco – Let’s Call This
Fred Everything & Giom – A Better World
Willie Graff & Tuccillo – Sunday Morning
Terrence Parker – Love’s Got Me High (Jimpster Remix)
Son.Sine – Upekah
Frederico Y Alvaro – Blue Fish
Tboy – No Cure
Quarion – Turn Off The Light
Garrett David – The Pressure
Sai – Blue Lingerie
Sek – Hide & Seek
Dirtytwo – Trapped
Dirtytwo – The Remedy
Skeleton Army – Can’t U C
Maindy – Time 2 Think
Danny J Lewis – Smash The Ceiling
Darko Kustura – Tricks On Memory
Joey Negro – Let Your Body Rock (Kyodai Dub)
Nick Nikolov – Come Down
Deetron – Can’t Love You More
Lovebirds – Keep Coming – (Axel Bowman Remix)
Andres – New For U
Robert Babicz – Astor (Shur-I-Kan Remix)
Yousef ft. Alexander East – Think Twice (Fred Everything Remix)
Shyam – Motion In My Mind (Darko Kustura Remix)
Stuffa – Keep On
Romanthony – Ministry of Love (Andres Remix)
Be – All The Thrills
Miguel Campbell – In Motion
Deep Future – Limping Fox
Darko Kustura – Times Ahead

www.facebook.com/golfclapdet
www.twitter.com/golfclapdet