(marcell.major@gmail.com)
Hacktivity 2010
INTRODUCTION + AGENDA
Anatomy of password hashing
Source code analysis example (Apache Derby)
Binary analysis examples (Sybase)
Writing your own cracker
Speedup
PASSWORD HASHING
STORING PASSWORDS
User input text -> Password
Generate random bytes -> Salt
Format(Password, salt) -> Generate hash -> Store(hash, salt)
CHECKING PASSWORD
User input text -> Password
User database in DB table or file -> Lookup(salt, hash) -> Salt, Stored hash
Format(Password, salt) -> Generate hash -> Generated hash
Generated hash compared with Stored hash: match -> User logged in; No -> Kicked out
Client-server Embedded
derby.authentication.provider=BUILTIN
PASSWORD HASH
ALGORITHM IMPLEMENTATION
protected String encryptPassword(String plainTxtUserPassword)
{
    if (plainTxtUserPassword == null)
        return null;

    MessageDigest algorithm = null;
    try
    {
        algorithm = MessageDigest.getInstance("SHA-1");
    } catch (NoSuchAlgorithmException nsae)
    {
        // Ignore as we checked already during service boot-up
    }

    algorithm.reset();
    byte[] bytePasswd = null;
    bytePasswd = StringUtil.toHexByte(
        plainTxtUserPassword, 0, plainTxtUserPassword.length());
    algorithm.update(bytePasswd);
    byte[] encryptVal = algorithm.digest();
    String hexString = ID_PATTERN_NEW_SCHEME +
        StringUtil.toHexString(encryptVal, 0, encryptVal.length);
    return (hexString);
}

public static byte[] toHexByte(String str, int offset, int length)
{
    byte[] data = new byte[(length - offset) * 2];
    int end = offset + length;

    for (int i = offset; i < end; i++)
    {
        char ch = str.charAt(i);
        int high_nibble = (ch & 0xf0) >>> 4;
        int low_nibble = (ch & 0x0f);
        // The flaw analysed on the following slides: the output index is i,
        // not 2*i, so data[i+1] is overwritten by the next iteration.
        data[i] = (byte)high_nibble;
        data[i+1] = (byte)low_nibble;
    }
    return data;
}
???
ALGORITHM IMPLEMENTATION/2.
text        T      e      s      t      1      2
i           0      1      2      3      4      5
ASCII HEX   54     65     73     74     31     32
toHexByte   05 04  06 05  07 03  07 04  03 01  03 02
bytePasswd  05 06 07 07 03 03 02  -> hash
CONSEQUENCES
ASCII(A) = 0x41
Sample hashes:
APASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
BPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
CPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
DPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
EPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
FPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
GPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
HPASS: 3b60cb484c002b5f9ee655da908c7dc2871fb76f9587
Only the upper 4 bits of each password character are used, except for the last one
After toHexByte()
6^8*16 ≈ 2 * 10^7
Nvidia GF 8800 GT: 0.23 sec
Ratio = 1/8124628
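The collision shown on the slides, reproduced as an added Python example (not code from the talk or from Derby). The "3b60" prefix is taken from the sample hashes above and assumed to be ID_PATTERN_NEW_SCHEME; to_hex_byte_intended is a presumed intent, not the Derby fix.

```python
import hashlib
from itertools import product

# Prefix shared by the slide's sample hashes; assumed value of ID_PATTERN_NEW_SCHEME.
ID_PATTERN_NEW_SCHEME = "3b60"
PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]  # 95 printable ASCII characters


def to_hex_byte_buggy(password: str) -> bytes:
    """Python port of the slide's toHexByte() with offset 0, bug included."""
    data = bytearray(len(password) * 2)
    for i, ch in enumerate(password):
        data[i] = (ord(ch) & 0xF0) >> 4   # high nibble survives
        data[i + 1] = ord(ch) & 0x0F      # overwritten by the next iteration
    return bytes(data)


def to_hex_byte_intended(password: str) -> bytes:
    """Presumed intent (assumption): two output bytes per character."""
    data = bytearray(len(password) * 2)
    for i, ch in enumerate(password):
        data[2 * i] = (ord(ch) & 0xF0) >> 4
        data[2 * i + 1] = ord(ch) & 0x0F
    return bytes(data)


def derby_hash(password: str, expand=to_hex_byte_buggy) -> str:
    """SHA-1 over the expanded password, as in encryptPassword()."""
    return ID_PATTERN_NEW_SCHEME + hashlib.sha1(expand(password)).hexdigest()


def distinct_hash_inputs(length: int, expand, charset=PRINTABLE) -> int:
    """Count the different SHA-1 inputs produced by all passwords of `length`."""
    return len({expand("".join(p)) for p in product(charset, repeat=length)})


if __name__ == "__main__":
    for pw in ("APASS", "BPASS", "HPASS"):  # passwords from the slide
        print(pw, derby_hash(pw))
    print("Test12 ->", to_hex_byte_buggy("Test12").hex(" "))
    print("2-char printable passwords:", len(PRINTABLE) ** 2,
          "| hash inputs, buggy:", distinct_hash_inputs(2, to_hex_byte_buggy),
          "| hash inputs, intended:", distinct_hash_inputs(2, to_hex_byte_intended))
```

For two printable characters the enumeration gives 570 distinct hash inputs out of 9025 passwords; the slide's 6^n*16 figure is the upper bound obtained by allowing all 16 low nibbles for the last character.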
FIX
Apache.org notified in December 2009
Vulnerability CVE-2009-4269
Fix released in May 2010
Derby 10.6.1.0
http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
BINARY ANALYSIS
REVERSE ENGINEERING
Live analysis (Debugger, Monitoring Tools)
Off-line analysis (Disassembler)
Concept:
Get
SYBASE ASE
Market share: 4.
Cousin of Microsoft SQL Server: 1994: Microsoft bought the source
Main releases:
12.5.x (2001) still in use at some companies
15.0.5 latest version, evaluation downloadable
Password Encryption: SYB-PROP SHA-256
LOGIN INFORMATION
SAMPLE
WHERE TO START?
Information gathering Search for an entry point
User
AVAILABLE INFORMATION
http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc31654.1502/html/sag1/BCFDGIFC.htm
MEMORY BREAKPOINT
Search for the constant (debugger helps)
Byte order is reversed: search for 0x67E6096A (h0 in the source)
CALL STACK
RECONSTRUCTION
Steps:
1. UTF-16 conversion (Big Endian)
2. Append 0x00 bytes to the length of 510
3. Append the salt (8 bytes)
4. Generate SHA-256 hash (32 bytes)
5. Result = 0xc007 + hex(salt) + hex(hash)
Cracker: sybcrack
http://marcellmajor.com OpenSSL SHA256 implementation worauthbf source code (http://soonerorlater.hu)
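The five reconstruction steps above, written out as an added Python example for checking a known password against a stored value (not the talk's sybcrack code). Function names and the sample salt are constructed here, and the output has not been compared with a real ASE server.

```python
import hashlib
import hmac

PREFIX = "c007"   # from the slide: Result = 0xc007 + hex(salt) + hex(hash)
PAD_LEN = 510     # password buffer length before the salt is appended
SALT_LEN = 8
SAMPLE_SALT = bytes.fromhex("0102030405060708")  # constructed sample value


def sybase_sha256(password: str, salt: bytes) -> str:
    """Build the stored value from a password and an 8-byte salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 8 bytes")
    buf = password.encode("utf-16-be")                  # step 1
    if len(buf) > PAD_LEN:
        raise ValueError("password does not fit into 510 bytes")
    buf = buf.ljust(PAD_LEN, b"\x00") + salt            # steps 2 and 3
    digest = hashlib.sha256(buf).hexdigest()            # step 4
    return "0x" + PREFIX + salt.hex() + digest          # step 5


def split_stored(stored: str):
    """Return (salt, digest) from a stored value, rejecting other formats."""
    body = stored.lower()
    if body.startswith("0x"):
        body = body[2:]
    if not body.startswith(PREFIX) or len(body) != 4 + 2 * SALT_LEN + 64:
        raise ValueError("not a c007 / SHA-256 hash")
    raw = bytes.fromhex(body[4:])
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = split_stored(stored)
    candidate = bytes.fromhex(sybase_sha256(password, salt)[-64:])
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = sybase_sha256("S3cret!", SAMPLE_SALT)
    print(stored)
    print(verify("S3cret!", stored), verify("s3cret!", stored))
```

The scheme is one unkeyed SHA-256 call per candidate with no iteration count, so the salt separates accounts from each other but does not slow down guessing against a single hash.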
OFF-LINE Analysis
SYB-PROP HASH
SYB-PROP: HOW?
Old Sybase versions not available
Current version is 15.0.5
using
I have no access to an old Sybase DB
Some companies still use Sybase ASE 12.x!
AFTER DOWNGRADE
INFORMATION?
ENTRY POINT
Debug near the code computing SHA256
After some debugging another call found
Output:
OFFLINE ANALYSIS
IDA Free 4.9
Symbols included -> function names
password -> meta_keysch() -> 64 bytes -> meta_encrypt() -> 64 bytes
META_ENCRYPT()
Input: 64 bytes Output: 64 bytes
Last
CRYPTO IDENTIFIED
FEAL
string constant
FEAL
Key:
Key schedule:
Output:
Conclusion: FEAL-8
STRING CONSTANT
FUNCTION META-ENCRYPT
[Diagram: STRING CONSTANT in 8-byte blocks "Q:Whydid", "theflyda", "nceonthe", "jar?A:Be"; labels: input, key, FEAL-8 (ENC. ROUNDS); blocks blck1, blck2, blck3; ROUND RESULTS res_blck1, res_blck2, res_blck3, ... res_blck8]
META_KEYSCH()
Input: password
Output: 64 bytes
MIXING BYTES
[Diagram: salt byte: ( rand() >> 8 ) % 0xFF; input bytes 1. to 8. (expanded password); output bytes 1. to 8.]
ROUNDS: 8
Initialization:
XP -> expand password with 0x1D bytes to 57 bytes
seed number = system time -> 1 byte
PRNG init: stdlib.h / srand(seed);
round salt byte = rand() -> 1 byte
ROUND KEY:
Rounds:
first round
other rounds
RESULT
first 2 rounds - FEAL(round key, const_str[seed % 0x30 + 1])
other rounds - round key itself
META_KEYSCH() ROUNDS
[Diagram: eXpanded Password bytes XP[ 0 ], XP[ 0*8 + 1 ], XP[ 1*8 + 1 ], XP[ 2*8 + 1 ]; per round: round input block (8 bytes), round salt (1 byte), MIX, FEAL-8, round result; results RES_BLCK #1, RES_BLCK #2, RES_BLCK #3, RES_BLCK #4]
RESULT BLOCKS
RECONSTRUCTION
FEAL-8 specification: Applied Cryptography by Bruce Schneier
C source code
http://tirnanog.ls.fi.upm.es/NoSeguro/Servicios/Software/ap_crypt/indice.html
FIX
key + FIX input -> output?
results(Sybase) results(official specification)
key schedule: only the first 4 bytes identical
SOURCE CODE
0xd405c8a83114cf59fe510d92c7e90c37f2741e0a04f70af14d9bd8a21f46
transformation, permutation
generate passwords for testing
Markov chain
brute-force: full search in the password space
generate hashes
FUNCTIONALITY
COMPARISON OF TECHNOLOGIES
CPU
Single Instruction Multiple Data (SIMD)
Intel x86/x64:
- 8/16 * 128 bit XMM registers
- SSE (Streaming SIMD Extensions) instruction set
[Diagram: Data pool; processing units PU_1, PU_2, PU_3, PU_4, ... PU_N; Result pool]
GPU
SIMT (Single Instruction Multiple Threads)
[Diagram: Host PC mainboard; VGA card mainboard; GPU accessible Video RAM ~ n * 256MB; GPU on-chip memory: 16/32kB shared MEM, 8/16/32kB register MEM; cores C_1, C_2, C_3, C_4, ... C_N]
Each one executes the same kernel (code uploaded to the GPU)
Raw estimate for computing speed: raw GPU performance / raw CPU performance ~ 3-10
May vary depending on the specific application
# of cores
CUDADBCRACKER
NVIDIA
Source code/Executable:
http://marcellmajor.com
PROPRIETARY HARDWARE
prototyping Computing
PROPRIETARY HARDWARE/2.
CONCLUSION
Reverse engineering is feasible
Security by obscurity: useless
Sample source code helps in development
Every technology has some:
advantages
disadvantages
THANK YOU!