Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Craking Serv-u passwords stored in .ini file.

From: "M. D." <nekromancer () lycos com>
Date: Fri, 03 Sep 2004 07:40:10 +0000
Hi Michael,

I'm not referring to any high-tech about MD5 collisions. Simply to good old password "cracking" by hashing and 
comparing.
In the specific case of Serv-u, and according to the link I provided, the password is salted with a nicely shown salt 
of 2 characters (the 2 first characters in the string stored in the .ini file), so using any cracker that allows you to 
specify the first 2 characters of the passwords to try will really help a lot.
If you use Lepton's Crack you have the functionality to prepend these 2 characters to all the words in a dictionary (or 
to anything generated by the bruteforce mode), hash that and compare. LCrack also support the "cracking" of pure MD5 
hashes, not the MD5 implementation of Linux passwords (use John for that until we decide to add support for it to 
LCrack).

I just look at the fact that people DO use stupid passwords if they are not enforced to use good ones. My experience is 
that with a good dictionary, some permutations and tricks, and bruteforcing of the short ones, more than 30% of 
passwords in use by normal users are cracked (and I'm being very conservative with my figures...), THE ALGORITHM USED 
DOESN'T MATTER ;-)

I never said anything about MD5 being a weak algorithm, or anything about the relative security of Serv-u. Now I'll say 
something ;-)
In the link I provided in the first post you can read:

========================================================
1) A random salt of (2) letters is created using the characters a..z
(lowercase)

2) The salt of (2) letters (i.e. "ab") are appended to the beginning of
the password entered by the user (i.e. "jlmess" becomes "abjlmess")

3) The "new" password of "abjlmess" is now encrypted using MD5
encryption (i.e. "751C9D206E2C118C9B597A4640AFA8A1")

4) Now the salt of (2) letters (i.e. "ab") is appended to the front of
the MD5 hash created above (i.e. "ab751C9D206E2C118C9B597A4640AFA8A1")
========================================================

This is vulnerable to a dictionary or bruteforce attack in which you prepend the salt. You get the salt from the first 
2 characters of the string in the .ini file (for example "ab"), then your attack will hash the following words:

     abacapulco
     ...many words...
     abzero

And the hash obtained from these words will be directly compared to the hash in the .ini file minus the first 2 
characters.
This is not much stronger than not using salt at all. It's not a very clever implementation of a salt (in fact I think 
it sucks, but I'm too polite to say that ;-)

Of course you need a password cracker that allows you to specify the first 2 characters as FIXED, and this is exactly 
what you can do with LCrack, either by the use of the REGEX functionality or by using the prepending functionality in 
the latest revision (both can't be used at the same time).

It would have been much stronger, for example, the following:

1) hash the password, with or without prepending the salt, doesn't matter. I'm not using it in this example:
     password: test
     MD5 hash: 098F6BCD4621D373CADE4E832627B4F6

2) append the salt to the hash:
     new "password": ab098F6BCD4621D373CADE4E832627B4F6

3) hash the resulting string:
     new MD5 hash: BDF3BAAC3C947956A57CFA97310B5DE0

4) append the salt to the last hash if you like, but I don't see any particular reason to do so

OK, that's it for now.
Enjoy.

Nekromancer


Michael V Scovetta wrote:


Nekro--

Maybe I'm just ignorant here, but if you are referring to the recent
collision attacks on MD5, how does such an attack compromise serv-u
security? Being able to create two strings that hash to the same value
is orders of magnitude easier than finding a string that hashes to some
particular hash value. 

From what I see, the serv-u hash security is weak not because of the
weakness of MD5 or any other hashing algorithm, but rather because a
simple dictionary attack (performaed 26^2 times) would be more effective
than attempting a preimage attack on the final hashed value.

If there's something here that I'm not getting, please let me know.

Regards,

Michael Scovetta



Dear colleagues,

Googling around shows THIS:

http://www.cat-soft.com/serv-u-list/08%2014-Apr-99%20To%2005-Aug-02/msg0
9499.html

With that information and any good MD5 hash cracker (Lepton's Crack
comes to mind, but feel free to chose any other, I'm a bit biased being
one of the authors ;-) I think that you can try to bruteforce these
passwords.
Hope this info helps.
Cheers,

Nekromancer



-- 
_______________________________________________
Find what you are looking for with the Lycos Yellow Pages
http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: