Forensic Image Analysis for Password Recovery David C. Smith, CISSP, CISM Georgetown University HCP Forensic Services

Page 1

Forensic Image Analysis for Password Recovery

David C. Smith, CISSP, CISM
Georgetown University, HCP Forensic Services

Page 2

A little bit about me...

Information Security Officer, Georgetown University

Co-Owner, HCP Forensic Services (http://www.hcp-fs.com)

Computer Science background, working towards a master's in IA.

Page 3

The Idea…

Last year at DC15, I overheard a conversation about the NSA using image analysis to recover passwords.

Your passwords are “buried” in the machines you use.

You just need to pull out strings and use them as a dictionary, right?

Page 4

Idea… Feasible?

Core dumps, swap space, memory dumps, logs, deleted temp files, file slack space, Internet history files, and the like.

Ever type your password into the username field? “User password1 failed login at …”

In this day of absolutely horrible application programming, all the better for this attack vector!

Page 5

What exists out there now?

Once I recovered from my DC15 flight home cold…

Dicop-Workerframe from CPAN: good, not complete, but it has addressed most of the issues that I foresaw, like duplicates and indexing. Has not seen progress in a while.

But I did not find anything else relevant, or at least not what I was thinking of (strings, regex).

Page 6

A little elaboration on the idea

Ability to pull all strings from an image, by length.

“Score” strings based on: entropy; complexity and readability; password profiles.

Ignore specific OS “trappings” (system_call, Generic volume, SymbolicLink).

Page 7

Extract strings

Different ways to extract strings. I went with the GNU strings concept.

Length: user-defined string lengths [8 to 20]. Brute force / rainbow table first!

Multiple combinations of a string: 1234567890 produces four 7-letter strings, 1234567, 2345678, 3456789, 4567890. Count = (Total_string_size – Target_size) + 1, so (10 – 7) + 1 = 4.

Page 8

Extract Strings (2)

This could lead to a large amount of string data to process on a per-image basis. Some size analysis:

Memory images: stripping out strings from a forensic image gives ~10.3% of the original size; creating passwords from the strings is a ~394% increase. Example: a 204MB forensic image of memory gives 24MB of strings and 107MB of passwords.

Disk images: stripping out strings from a forensic image gives ~55% to ~80%; creating passwords from the strings is a ~400% increase. Example: a 75GB forensic image gives 62 GB of strings and 238 GB of passwords.

Page 9

Score Strings

Entropy: a measure of the disorder or randomness in a closed system. Shannon entropy or information entropy is a measure of the uncertainty associated with a random variable.

I just want to avoid “aaaaaaaa3” as a dictionary word. But I want “ShmooconRocks!” as a dictionary word.

Page 10

Entropy

sub entropy {
    # $hashref maps each character to its count, $total is the string length;
    # $baselog defaults to log(2) so the result is in bits
    my ($hashref, $total, $baselog) = @_;
    $baselog = 0.693147180559945 unless $baselog;   # log(2)
    return undef unless ( ref $hashref and $total > 0 );
    my $sum = 0;
    $sum += $_ * (log($_)/$baselog) for ( map { $_/$total } values %$hashref );
    return -$sum;
}

ShmooconRocks! entropy = 3.09306920777189200
ShmooconRocks entropy = 2.9312089489103244
shmooconrocks entropy = 2.77736279506417020
aaaaaaaaa3 entropy = 0.46899559358928139
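An added Python example, not the deck's gen_strings.pl or gen_passwords.pl, that combines the window expansion from the Extract strings slide with the entropy score above: every substring between the user-defined lengths is generated, the OS trappings named earlier are skipped, and windows under an entropy floor (the Standard profile's 1.4) are dropped. The sample strings are constructed stand-ins for a strings dump.

```python
import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s's character distribution in bits: -sum(p * log2 p).
    Same quantity as the deck's Perl entropy() with baselog = log(2)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((k / n) * math.log2(k / n) for k in Counter(s).values())

def windows(s: str, target: int) -> list:
    """Every substring of length target; there are (len(s) - target) + 1 of them."""
    return [s[i:i + target] for i in range(len(s) - target + 1)]

# OS "trappings" to ignore, from the elaboration slide.
OS_TRAPPINGS = {"system_call", "Generic volume", "SymbolicLink"}

def candidates(extracted, min_len: int, max_len: int, min_entropy: float) -> list:
    """Expand each extracted string into all windows of min_len..max_len characters,
    skip known OS strings, drop windows under the entropy floor, de-duplicate in order."""
    seen, out = set(), []
    for s in extracted:
        if s in OS_TRAPPINGS:
            continue
        for n in range(min_len, max_len + 1):
            for w in windows(s, n):
                if w not in seen and shannon_entropy(w) >= min_entropy:
                    seen.add(w)
                    out.append(w)
    return out

# Constructed stand-in for a strings(1)-style dump of a memory image.
SAMPLE_STRINGS = ["1234567890", "ShmooconRocks!", "aaaaaaaaa3", "SymbolicLink"]

if __name__ == "__main__":
    for s in ("ShmooconRocks!", "ShmooconRocks", "shmooconrocks", "aaaaaaaaa3"):
        print(f"{s:16} entropy = {shannon_entropy(s):.4f}")
    print(windows("1234567890", 7))                       # the four 7-character windows
    print(len(candidates(SAMPLE_STRINGS, 8, 20, 1.4)), "candidates kept")
```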

Page 11

Complexity and readability

Readability

Basic password strategies: dictionary word or sports teams, sports, colors, music groups (1)
Dictionary word with a # at the end (1)
Two words combined with a #, like sun2shine or blue9sky (2)
Quotes: “My Half Dead Monkey Died OF WigginG” = MHFMDOFWG or, better, MhDMdofwG! (2)
License plate & l33t (leetspeak): QTGRL and /\/\4D5|<1LL$ (2)

Point is – most of the time users have a readable password. Which leads to frequency analysis and base word matching!

(1) Researched password analysis – myspace 20k, Schneier, Fredstie report.
(2) My analysis from various systems and projects, 400k+ over 10 years.

Page 12

Complexity and readability (2)

Complexity: English uppercase characters [A-Z]; English lowercase characters [a-z]; numerals [0-9]; non-alphabetic characters, such as !,$.#%^; special symbols, such as β∞£€θ♦ – I like the idea of having ® in my password!

My thoughts are that complexity is going to be a key driver in what I developed as password profiles.

Page 13

Password profiles

Idea of password profiles: based on the user and suspected computer ability or paranoia. Standard, Informed, Effort, and AllOut (forced complexity?).

Standard (the masses): average 7 to 8 characters; rising percentage adding a digit, 1 or 2, to the end; small amounts of two-word combos; good amounts of English frequency hits; entropy less than 4, more than 1.4; [a-z] [0-9] [!#$].

Informed (computer professionals, individuals that somehow connect to computer crime as “real”): average 9 to 10 characters; two-word combos, l33t passwords; still good amounts of English frequency; entropy less than 4, more than 2; [a-z] [0-9] [A-Z] [!@#$%^&*()_+=-].

Don’t forget to check and see if a password policy or forced strong passwords exist!

Page 14

Scoring Passwords

Password profiles weight the potential password scoring. By identifying a profile you score those passwords higher for the dictionary sort. Why? Because due to space or size requirements you may only want the top 20% or 30% of potential passwords.

You can still have 100% of passwords with or without the “trash” [low complexity, low entropy, known system strings]

Yes, the AllOut profile rates all passwords high, trash included.

Page 15

Turning Scored Passwords into a Dictionary

The primary purpose of scoring passwords is to reduce the dictionary size to a manageable level. This can be done by choosing to only keep the top X% of passwords, or by splitting the password output into multiple files:

1st round output: Top 15%
2nd round output: 15% to 30%
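An added Python example, not the deck's gen_passwords.pl, that ties the Complexity, Password profiles, Scoring Passwords and dictionary slides together: character-class detection, the Standard and Informed profiles with the deck's length, entropy and class bounds, a score that treats low-entropy or single-class strings as trash, and the split into top-15% and 15%-to-30% round files. The point weights in score() and the candidate list are assumptions constructed for illustration.

```python
import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    """Character-frequency entropy in bits, the quantity from the Entropy slide."""
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in Counter(s).values()) if n else 0.0

def classes_of(s: str) -> set:
    """Character classes used, following the Complexity slide's five groups."""
    used = set()
    for c in s:
        if not c.isascii():   used.add("special")   # e.g. ® β ∞
        elif c.islower():     used.add("lower")
        elif c.isupper():     used.add("upper")
        elif c.isdigit():     used.add("digit")
        elif not c.isspace(): used.add("punct")     # !,$.#%^ and friends
    return used

# Standard and Informed profiles with the deck's length / entropy / class bounds.
# The point weights in score() are an assumption for illustration, not the deck's own.
PROFILES = {
    "Standard": {"length": (7, 8),  "entropy": (1.4, 4.0), "classes": {"lower", "digit", "punct"}},
    "Informed": {"length": (9, 10), "entropy": (2.0, 4.0), "classes": {"lower", "digit", "upper", "punct"}},
}

def score(candidate: str, profile: str) -> int:
    """Higher = more like a password of this profile's users; 'trash' scores 0."""
    p = PROFILES[profile]
    used, h = classes_of(candidate), shannon_entropy(candidate)
    if h <= p["entropy"][0] or len(used) < 2:   # low entropy / low complexity = trash
        return 0                                # (known system strings assumed dropped at extraction)
    pts = 1
    if p["length"][0] <= len(candidate) <= p["length"][1]: pts += 2
    if h < p["entropy"][1]:                                 pts += 1
    if used <= p["classes"]:                                pts += 1  # only classes this profile reaches for
    if profile == "Standard" and candidate[-1].isdigit():   pts += 1  # trailing 1 or 2 trend
    return pts

def split_rounds(candidates, profile: str, cuts=(0.15, 0.30)) -> list:
    """Rank by score, then cut into round files: top 15%, then 15% to 30%; the rest is dropped."""
    ranked = sorted(candidates, key=lambda c: score(c, profile), reverse=True)
    bounds = [0] + [math.ceil(len(ranked) * cut) for cut in cuts]
    return [ranked[a:b] for a, b in zip(bounds, bounds[1:])]

# Constructed candidate list standing in for gen_passwords.pl output.
SAMPLE = ["sun2shine", "blue9sky", "aaaaaaaaa3", "password1", "ShmooconRocks!",
          "letmein2", "zzzzzzzz", "qtgrl88", "MhDMdofwG!", "11111111"]
```

Calling split_rounds(SAMPLE, "Standard") yields the first-round and second-round lists for the Standard profile.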

Page 16

Dictionary formed, now what?

My #1 choice, John the Ripper (http://www.openwall.com/john/). Has LM, Kerberos, Unix crypt(s); contributed resources include NTLM, SHA/SHA1, MySQL, Apache + more.

Any other password cracker that takes a dictionary (Cain & Abel, ElcomSoft + more). Build your own, if you need it!

Either John or programming choice.

Page 17

John the Ripper

[root@CB1 Test]# uname -a
Linux CBlack1 2.6.9-55.0.12.plus.c4smp #1 SMP Fri Nov 2 09:10:15 EDT 2007 i686 i686 i386 GNU/Linux
[root@CB1 test]# cat crack.txt
testman:$1$UEq1obkF$atd1uwHWDrNdTVqvgUPKF/
[root@CB1 test]# /usr/local/bin/john -wordlist=PassScan-image-dcsmith8-password-out.txt crack.txt
Loaded 1 password hash (FreeBSD MD5 [32/32])
sys21tem88 (testman)
guesses: 1 time: 0:00:15:29 100% c/s: 4234 trying: sys21tem88

3.9 million passwords checked before it was found.

Page 18

Cisco Pix – Cain and Abel

Page 19

Your Scripts too!

#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA1;
use MIME::Base64;

my $targethash = "{SHA}Dyw5fW2lhFlQNepIjVHwvdRfwFA=";   # 1: target, an LDAP-style {SHA} base64 SHA-1
my $passfile   = "/work/sha1/PassScan-image-dcsmith9-password-out";

open (SOURCE, $passfile) || die "\nCan't open file $passfile: $!";
foreach my $line (<SOURCE>) {
    chomp $line;            # drop the newline so it is not hashed with the candidate
    checkhash($line);       # 2
}

sub checkhash {
    my ($secret) = @_;
    my $ctx = Digest::SHA1->new;
    $ctx->add($secret);
    my $hashedPasswd = '{SHA}' . encode_base64($ctx->digest, '');   # 3
    if ($targethash eq $hashedPasswd) {                            # 4: exact compare, not a regex
        print "MATCH! Password is $secret\n";
        exit();
    }
}

[root@CB1 Test]# perl SHA1-Dict.pl
MATCH! Password is why88askwhy

Page 20

That’s pretty much it…

Version 1 is available at http://www.hcp-fs.com (HCP Forensics). Still fragmented in Perl: gen_strings.pl and gen_passwords.pl. Lots of HD space needed for strings, passwords, and duplicate removals.

Next version is needed! Port for speed! Combine functionality to allow for one-pass processing. Still not sure about on-the-fly dup removal.

Page 21

Questions?

Shmooballs!

Shout outs: my Georgetown security team; Trent Beckett; my wife, who is nice enough to let me follow these pursuits.

Page 22

Ideas

Does anyone else brute-force passwords like this:

[a-z] to 10 characters
[a-z][0-9] to 8 characters
[a-z][0-9][A-Z] to 7 or 8 characters
[a-z][0-9][A-Z][SYMBOLS] to 7 characters

Sometimes I start them all at the same time.

Can they be segmented? Like [a-z][0-9] minus the [a-z] matches:

[a-z] for 8 characters = 208,827,064,576 (208 billion)
[a-z][0-9] for 8 characters = 2,821,109,907,456 (2.8 trillion)

Sure, it is still 2.6 trillion, but I won’t have to check 208 billion of them!