Gathering and Cracking MD5 Hashes

As I mentioned in my post over at TekDefense, the number of data dumps put out has increased heavily, mostly because of the Anonymous #OpIsrael stuff. With that in mind I figured this would be a great time to talk about my process for finding, gathering, and cracking hashes. I should note that I am a hobbyist in this arena, so don’t take my word as gospel here. Test my methods and develop a solution that fits your needs.

Finding Hashes

There are many methods for finding database dumps. Here are a few:

  • PasteLert: Created by Andrew Mohawk, PasteLert will index Pastebin and alert you to items that match whatever query you have. I have it alert for anything matching the MD5 for 123456 as this is the most common password.
  • DumpMon: DumpMon monitors for data dumps and reports them via Twitter.
  • PastebinDorks: PastebinDorks is another great Twitter account to follow for interesting pastes.

All of these sources are great. Just monitor them and watch for the links to the data breaches.

Collecting the Hashes

Usually the files or URLs that have hashes in them also contain other data. The following screenshot is an example of the typical format:


The way this is formatted, we could pull out the MD5s with the cut command in Linux. For others though, the format is so inconsistent that we would not be able to grab the MD5s easily. A tool I created (tekCollect) can grab them with ease. Download tekCollect here. tekCollect can grab specified data types from a file or URL. In this case I will use the URL option:

~/workspace/Automater# ./tekCollect.py -u http://pastebin.com/raw.php?i=S6wCigZ5 -t MD5

With the -o option on the command, you can have tekCollect write the results to a file.
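The two ideas above (alerting on the MD5 of 123456, and pulling MD5-shaped strings out of inconsistently formatted text) can be combined into a triage check for anyone monitoring paste sites for exposure of their own users. This is an added example, not tekCollect's or PasteLert's code; the function names, the canary list and the sample text are constructed for illustration.

```python
import hashlib
import re

# 32 hex chars that are not part of a longer hex run, so a SHA-1 or
# SHA-256 digest is never reported as an MD5.
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")

# Assumption: a short list of very common passwords used as canaries.
CANARY_PASSWORDS = ["123456", "password", "12345678", "qwerty"]
CANARIES = {hashlib.md5(p.encode()).hexdigest(): p for p in CANARY_PASSWORDS}


def extract_md5s(text):
    """Return unique MD5-shaped tokens, lowercased, in order of appearance."""
    seen = {}
    for match in MD5_RE.finditer(text):
        seen.setdefault(match.group(0).lower(), None)
    return list(seen)


def triage(text, min_hashes=3):
    """Flag text that looks like a dump of unsalted MD5 password hashes."""
    hashes = extract_md5s(text)
    hits = sorted(CANARIES[h] for h in hashes if h in CANARIES)
    return {
        "md5_count": len(hashes),
        "canary_hits": hits,
        "likely_dump": len(hashes) >= min_hashes and bool(hits),
    }


# Constructed sample: mixed delimiters and case, plus one SHA-1 digest
# that must not be picked up.
SAMPLE = """\
id|email|pass
1|alice@example.com|E10ADC3949BA59ABBE56E057F20F883E
2;bob@example.com;5f4dcc3b5aa765d61d8327deb882cf99
3 carol@example.com  d41d8cd98f00b204e9800998ecf8427e
file checksum (sha1): da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A canary hit is a strong hint that the hashes are unsalted MD5, since a salted or slow hash of 123456 would not match a precomputed value.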

Cracking Hashes

My usual process for cracking hashes is to check the hashes against a wordlist, and for those that can’t be found with the wordlist, I attempt to bruteforce them using hashcat masks.

Wordlist option

BackTrack (Kali) comes with a bunch of wordlists. If you need another, though, I have some available here.

As I am doing my cracking within a VM, and not on a physical machine with hardcore GPUs, I use traditional hashcat instead of oclHashcat.

When you run hashcat it will hash your wordlist and then compare those hashes to the hashes you want to crack:

hashcat -o crackedhashes.out demohashes.out 1aN0rmusWL.txt


Using this option, in less than 5 seconds we were able to crack 33 of the 413 passwords.


Now you may be wondering why only 33. The main reason is that this dump was part of #OpIsrael, and my dictionary, being primarily English, will not match passwords in other languages. Notice how all the hashes that were found translated to passwords consisting of only numbers.

Bruteforce

No matter how good your wordlists are, you are never going to catch all of the passwords. There may come a time when you will want to bruteforce your way in, which means trying every possible combination in an attempt to determine the password. Luckily, by running tools like Pipal we can see that most passwords follow certain formats. For instance, we understand that most passwords consist solely of lowercase letters. Using hashcat masks, we can tell hashcat the format we want it to look at.

For this run I am going to bruteforce all combinations of 8 digits:

hashcat -a 3 -o crackedhashes2.out demohashes.out ?d?d?d?d?d?d?d?d


Now, we have captured 46 more hashes. By experimenting with the hashcat masks, you will be able to bruteforce your way into a good number of these.
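To see why the 8-digit mask finishes quickly, and to check which of your own policy-compliant passwords a given mask would cover, the mask can be turned into a keyspace size. This is an added example, not part of hashcat; it handles only the built-in ?l ?u ?d ?s ?a charsets, and the hash rate in the demo is an assumed illustrative figure.

```python
import string

# hashcat built-in charsets; ?s is space plus the 32 ASCII punctuation chars.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Return one string of allowed characters per password position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])  # literal character in the mask
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")  # '??' is a literal question mark
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unsupported charset ?{key}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates the mask generates."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total


def covers(mask, password):
    """True if the mask would eventually generate this password."""
    positions = parse_mask(mask)
    return len(positions) == len(password) and all(
        ch in charset for ch, charset in zip(password, positions))


def worst_case_seconds(mask, hashes_per_second):
    """Time to exhaust the mask against one unsalted fast hash."""
    return keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # hashes/second, illustrative only
    for m in ("?d" * 8, "?l" * 8, "?a" * 8):
        print(m, keyspace(m), worst_case_seconds(m, ASSUMED_RATE))
```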

Conclusion

Like I said in the beginning of the post, I am not an expert in password cracking, but more of a hobbyist. Using my wordlists and hashcat masks, I am usually able to get 60% to 80% of the passwords from a dump. What is your method and how successful is it?

BsidesROC(ked)!

I had the pleasure of attending BsidesROC this past Saturday in Rochester, NY while visiting family.  The only previous experience I’d had with Bsides was in Las Vegas last summer, and I must say out of the many small conferences I have been to over the last couple of years, these guys did a very impressive job!  The conference consisted of two tracks with a total of 15 talks.

Here’s a rundown of the events:

  • The Rochester chapter of TOOOL was kept very busy with a constant flow of lock pickers, both new and veteran, and managed to sell out of the kits they had available.
  • Interlock, the local hackerspace was also there and had a number of great projects to show off.  I always love seeing hackerspaces at conferences!
  • Hacker Battleship, a unique play on the CTF which was really fun for the 24 who participated.  Someone SQL injected the scoreboard too 😉

There were just over 200 attendees and everything flowed very smoothly.  The event had the feeling of something that just happened there every weekend, and there were flying SHARKS! Albeit without laser beams for the safety of all present of course. 😉

Some other misc stats:

  • The 3D badges took approximately 50 hours to print and were awesome!
  • 3129 DHCP leases were handed out throughout the day.
  • 6 flying sharks and fish, including one flying red angry bird.

Looking forward to next year!

Wireshark Export HTTP objects

In the first episode of SecuraTip, I showed viewers how to extract files from pcaps using a very manual method, and using an automated method with NetworkMiner. The purpose of this was to show the drastic difference between the two methods.

As Doug Burks and CIDSecurity mentioned on Twitter and YouTube, there is an easier method for pulling files out of pcaps with Wireshark than the manual process I showed, though it has a major limitation that I will say more about at the end.


Wireshark HTTP object export options

1. Open the pcap with Wireshark.

2. Choose File –> Export Objects –> HTTP


*While I chose HTTP for this, you may need to choose a different option like SMB to correspond with the type of traffic you are dealing with.

3. You will now be presented a list of files that you can save out directly from the HTTP sessions.


4. Simply press Save As and you now have the file.

Now, as you can tell if you have watched the SecuraTip episode, there are some limitations here. For instance, we do not see the files 1.txt and 2.txt that we saw when looking at the pcap with NetworkMiner. The reason is that Wireshark is only pulling files from HTTP sessions; 1.txt and 2.txt were in the same pcap but were transferred via FTP instead of HTTP. As far as I know there is no automated way to pull FTP-transferred files directly in Wireshark. Please correct me if I am wrong there. NetworkMiner doesn’t care what protocol or service was used: if the file was transferred in the clear, it will try to extract it.

As we all know, there are many ways to attack any problem in IT. Do you have a different technique other than what is described here or in the video? Let us know.

Black Hat USA 2012 Google Calendar

You asked, and we delivered. We’ve created a Google Calendar for the events at Black Hat USA 2012 – The Briefings, Arsenal, and Executive Briefings.

Each calendar entry contains the full talk description if available.

Here are the links:

HTML Calendar (Opens in Browser)

iCal Version (For importing to devices/iCal/GCal)

XML Version (If That’s Your Thing)

Source document:

Black Hat USA 2012 Schedules

And don’t forget to check out the BSidesLV and DEFCON calendar.

-ChrisAM / @TheChrisAM

ChrisAM’s Picks for BSidesLV and DEFCON Talks 2012

On tonight’s show we will be talking about our choices for talks this year at BSidesLV and DEFCON.

It was very difficult to pick only one talk per time slot. My picks below are of interest to me personally. I do not mean to imply that one topic or speaker is better than any other, but we all have to make a decision for each hour of the conferences. You’ll notice that I am more interested in security policy, incident response, and network defense rather than reverse engineering, and exploitation.

(I will update this post later for continuity and with direct links to each talk description)

BSidesLV:

Wednesday
1100: Ambush – Catching Intruders at Any Point – Matt Weeks
1200: When Devices Rat Us Out – Ken Westin
1400: Big Data’s Fourth V: Or Why We’ll Never Find The Loch Ness Monster – Davi Ottenheimer
1500: Why have we not fixed the ID problem – Dallas
1600: Shot with your own gun – how appliances are used against you – Christopher Campbell
1700: Mirror Mirror – Reflected PDF Attacks using SQL injection – Shawn Asmus
1800: Sexy Defense – Ian Amit

Thursday
1000: Mainframed – The forgotten Fortress – Phil Young
1100: Metrics that suck even less – Walt Williams
1200: The leverage of language, or, How I realized Information Theory could save information security – Conrad Constantine
1400: The Magic of Symbiotic Security – Creating an ecosystem of security systems – Josh Sokol & Dan Cornell
1500: Lightning Talks
1600: Lightning Talks
1700: Lightning Talks
1800: IPv6 Panel / Drinking Game

Defcon:
Friday
1000: The Christopher Columbus Rule and DHS – Mark Weatherford
1100: Socialized Data: Using social media as a cyber mule – Thor
1200: Not so super notes: How well does US dollar prevent counterfeiting? AND The open cyber challenge platform project
1300: How to Channel Your Inner Henry Rollins – Jayson E. Street AND Bad (and sometimes Good) Tech Policy: It’s not just a DC thing
1400: Changing the security paradigm: taking back your network and bringing pain to the adversary – Shawn Henry
1500: An Inside Look into Defense Industrial Base (DIB) technical security controls: How Private Industry protects our Country’s Secrets – James Kirk
1600: Bypassing Endpoint Security for $20 or Less – Phil Polstra
1700: Anti-Forensics and Anti-Anti-Forensics: Mitigating Techniques for Digital-Forensic Investigations – Michael Perklin

Saturday:
1000: World War 3.0: Chaos, Control & the Battle for the Net – Corman, Kaminsky, Moss, Beckstrom, Gross
1100: Hacking Humanity: Human Augmentation and You – Christian Dameff, Jeff Tully
1200: Botnets Die Hard – Owned and Operated – Aditya Sood, Richard Enbody
1300: The End of the PSTN As You Know It – Jason Ostrom, Karl Feinauer, William Borskey
1400: <ghz or bust: DEF CON – ATLAS
1500: Exchanging Demands – Peter Hannay
1600: Connected Chaos: Evolving the DCG/Hackspace Communication Landscape – Blackdayz, Anarchy Angel, Anch, Dave Marcus, Nick Farr
1700: The DCWG Debriefing – How the FBI Grabbed a Bot and Saved the Internet – Paul Vixie, Andrew Fried

Sunday:
1000: OPFOR 4Ever – Tim Maletic, Christopher Pogue
1100: KinectasploitV2: Kinect Meets 20 Security Tools – Jeff Bryner
1200: Looking Into The Eye Of The Meter – Cutaway
1300: DC RECOGNIZE Awards – Jeff Moss, Jericho, Russ Rogers
1400: Can Twitter Really Help Expose Psychopath Killers’ Traits? – Chris Sumner, Randal Wald
1500: Sploitego – Maltego’s (Local) Partner in Crime – Nadeem Douba
1600: How to Hack All the Transport Networks of a Country – Alberto Garcia Illera

DEFCON 20 and BSidesLV Google Calendar

I made a Google Calendar with the DEFCON Talks, BSides Talks, as well as the entertainment lineup for DEFCON. I hope you find it useful. I wanted to get the calendar easily on my phone and set reminders for talks I want to see. Please let me know of any corrections that are needed.

Each calendar entry includes the full talk description if available.

Here are the links:

HTML Calendar (Opens in browser)

iCal Version (For importing to devices/iCal/GCal)

XML Version (If that’s your thing)

And the source documents:

DEFCON Schedule

DEFCON Speakers

BSidesLV Schedule

UPDATE (7/19): We’ve created a Google Calendar for the Black Hat USA 2012 schedule.

-ChrisAM / @TheChrisAM

Remove your Google Web History before it’s no longer yours!

SecuraBit highly recommends that all of you who have a Google account visit EFF’s website, which walks through how to remove your Google Web History before it vanishes into a black hole no longer belonging to the account owner. It takes literally 10 seconds to do this, and we suggest you do the same!

DEFT 7 – A linux distro for forensics and more!

We stumbled across this distribution the other day while building a forensic workstation for the lab. SIFT just didn’t perform the way we wanted and DEFT seems to be rock solid out of the box with version 7 of their distro.

Check them out at http://www.deftlinux.net/2012/01/31/deft-7-ready-for-download/

They have a draft version of their English manual as well. This distro is based on the 3.0 kernel and is snappy as heck even on somewhat older hardware. Outstanding work guys!

Looking for interns!

Are you interested in getting some hands-on experience in the IT Security realm? We’re looking for folks with interest in the following areas:

Exploit Development
Malware Analysis
Log Analysis
Forensics
Incident Response
Penetration Testing
And more!

I don’t really know what the proper formal internship thing is all about, but we can offer the following:
-Tax-free income! (Zero income, zero taxes, yay!)
-Hands-on experience in our lab
-Networking
-A hell of a good time if you run into any of us at a security conference

If you’re interested leave a comment here, or email us at feedback at securabit dot com

Ok, maybe not THE last password

Well, after the tightly locked lips of Sony, RSA, and others, it’s nice to see a company being up front and honest with the users they store data for.

LastPass is a password manager which integrates with many different browsers and OSes (I haven’t really found many places it won’t run). It allows users to store passwords in a vault, which is then unlocked with a master password. The advantage to this, compared to other solutions, is that the data is then synced to their servers so that the passwords are available in all of those different places you use passwords.

Of course, the downside is that it makes them a big target. According to LastPass, all of the data in the vault is encrypted on the local machine, and then sent to their servers, so the data is encrypted even before it is sent.

But there is that master password, which of course would give an attacker the keys to the kingdom. According to a post on the LastPass blog they aren’t sure that something has actually happened, but they saw something they didn’t like (it sounds like perhaps in netflow data) and as such are now having all users reset their password to protect against the threat of someone brute forcing passwords against any stolen data.

Kudos to LastPass, as they seem to be very up front and honest about it, which is nice, given the recent history of data breaches. So, if you’re a LastPass user, looks like you will have to remember at least one new password.

More coverage:

LastPass blog: LastPass Security Notification

Krebs on Security: LastPass Forces Users to Pick Another Password

The H Security: Potential intrusion suspected in LastPass password service

Ghacks: LastPass Security Breach