Friday, June 13, 2008

MS Cache and John the Ripper

Chalk this one up to knowledge remembered, forgotten, and then remembered again!

Lately I have been playing with using our MPI John the Ripper cluster to increase the crack rate of MS Cache passwords. With a very long list of passwords, some of which I knew would be easy to crack, I set out and started the process on 20 nodes. After a few days and ZERO cracks I started to wonder what the hell was going on.

The answer is one I knew many years ago when cachedump first came on the scene: the MS Cache hashing routine uses the lowercased username as its salt! Because some of the cachedump tools take the username out of the registry as-is and don't convert the case, you'll run JTR for days with an invalid salt. No cracks for you!

So we can do a couple of things here:
  • Remember this next time and manually lowercase the usernames

  • Tell the authors to modify the tools we use to grab the cache hashes

  • Patch the tools ourselves (if we have the sources) and give them to the author

  • Modify the cracking program to always lowercase the usernames

John the Ripper's source code is really easy to fix and is the quickest option, so here is a simple diff against mscash_fmt.c:

--- mscash_fmt.c 2008-06-13 15:56:07.000000000 -0700
+++ mscash_fmt-lower.c 2008-06-13 15:55:49.000000000 -0700
@@ -16,6 +16,7 @@
*/

#include
+#include

#include "arch.h"
#include "misc.h"
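Review bot: the header name on the added `#include` line is missing (the existing `#include` directly above it has lost its name as well, so this looks like the angle-bracketed file names being stripped in rendering rather than a typo in the patch); the `tolower()` call introduced in the next hunk needs `<ctype.h>`, so make sure that is the header named here.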
@@ -158,6 +159,9 @@

l = strlen(ciphertext);
strncpy(out, ciphertext + 2, l - PLAINTEXT_LENGTH + 1);
+ for(l=0; l < strlen(out); l++) {
+ out[l] = tolower(out[l]);
+ }
return out;
}
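Review bot: in the added loop, `tolower(out[l])` is passed a plain `char`; on platforms where `char` is signed, a non-ASCII byte becomes a negative argument, which is undefined behaviour for the ctype functions. Cast it: `out[l] = tolower((unsigned char)out[l]);`. Also, `strlen(out)` is re-evaluated on every iteration and `l`, which held `strlen(ciphertext)` one line earlier, is silently reused as the loop counter; a separate index and one length computation before the loop would read more clearly. Note that the loop lowercases everything copied into `out`, not just the username, so a comment stating that the hash portion is lowercased on purpose would help the next reader.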


And now I don't have to remember this every time! JTR will remember for me and with a cluster of 20 nodes all running around 600,000 cracks a second maybe SOMETHING will crack. :)

Friday, June 06, 2008

NTLM, DefCon and Java!

John Heasman just posted a rocking method of obtaining NTLM hashes out of an enterprise by turning a Java applet into a web server! Check it out!

This year I'll be presenting at DefCon on the history of NTLM attacks, how they work and why we need to get rid of it. I'll release a tool that will combine as many hacks as I can get working to use captured users and their authentication tokens. There's been a lot of talk in the past few years about browser security and it's mostly hinged around using Javascript as a port scanner, sending attacks through the browser, attacking the platforms, etc. Few have been talking about an Enterprise-class risk and since that's what I get paid to think about I'm gonna blow it open. :) Come to DefCon and have a great time!

SyScan was great, a little small, but helpful for building confidence speaking to people who have no clue who I am! I learned quite a bit about my speaking style, which helped firm up ideas for the DefCon presentation. I presented a combination of Web Security Mistakes, including how to get a free MacWorld pass, and spoke more about the future of PokeHashBall.

We stayed a few extra days to soak up the culture and soak the sweat into our clothes some more since this was our first trip to Hong Kong. The MongKok Computer Center was interesting but didn't seem to really have the deals I was expecting. I didn't get to any of the other computer centers however. Maybe next trip!

We went through Narita airport on the way back so I stopped at Duty Free and bought a bottle of Suntory Whiskey, the kind Bill Murray is hawking in the movie "Lost In Translation". For relaxing times, make it Santory time. . .
They have some of the greatest commercials.