Forensic Image Analysis for Password Recovery
David C. Smith, CISSP, CISM
Georgetown University / HCP Forensic Services
A little bit about me...
Information Security Officer, Georgetown University
Co-Owner, HCP Forensic Services, http://www.hcp-fs.com
Computer Science background, working towards a master's in IA.
The Idea…
Last year at DC15, I overheard a conversation about the NSA using image analysis to recover passwords.
Your passwords are “buried” in the machines you use.
You just need to pull out strings and use them as a dictionary, right?
Idea… Feasible?
Core dumps, swap space, memory dumps, logs, deleted temp files, file slack space, Internet history files, and the like.
Ever type your password into the username field? Then the log reads: User password1 failed login at …
In this day of absolutely horrible application programming, all the better for this attack vector!
What exists out there now?
Once I recovered from my DC15 flight-home cold…
Dicop-Workerframe from CPAN: good, not complete, but it has addressed most of the issues that I foresaw, like duplicates and indexing. Has not seen progress in a while.
But I did not find anything else relevant, or at least not what I was thinking of (strings, regex).
A little elaboration on the idea
Ability to pull all strings from an image, selected by length.
“Score” strings based on: entropy; complexity and readability; password profiles.
Ignore specific OS “trappings”: system_call, Generic volume, SymbolicLink.
Extract strings
Different ways to extract strings; I went with the GNU strings concept.
Length: user-defined string lengths [8 to 20]. Anything shorter is for brute force / rainbow tables first!
Multiple combinations of a string: 1234567890 produces four 7-letter strings, 1234567, 2345678, 3456789, 4567890. The count is (Total_string_size – Target_size) + 1 = (10 – 7) + 1 = 4.
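The extraction step described above, as an added example written here in Python rather than the author's Perl; it is not code from the talk or from the hcp-fs.com release. It pulls printable-ASCII runs out of a byte buffer the way GNU strings does, then cuts every run into all windows of each length in the [8, 20] range using the (Total_string_size – Target_size) + 1 formula. The image bytes are a constructed stand-in, and the printable-character range is assumed to match the default of GNU strings.

```python
import re
from typing import Iterator, List

# Printable ASCII (0x20..0x7e), assumed to match the default character set of GNU strings
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")

# Constructed stand-in for a few bytes of a memory image: a login-failure log line,
# a password that was typed somewhere, an OS "trapping", and the page's digit example.
SAMPLE_IMAGE = (
    b"\x00\x00\x00User password1 failed login at 22:14\x00"
    b"\x7f\x01ShmooconRocks!\x00\x00"
    b"Generic volume\x00\x00"
    b"1234567890\x00\xff"
)


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Every run of printable ASCII at least min_len bytes long, like `strings -n min_len`."""
    return [m.group().decode("ascii")
            for m in _PRINTABLE_RUN.finditer(blob)
            if len(m.group()) >= min_len]


def windows(s: str, target: int) -> List[str]:
    """All substrings of s with exactly `target` characters.
    There are (len(s) - target) + 1 of them, e.g. (10 - 7) + 1 = 4 for 1234567890."""
    if target > len(s):
        return []
    return [s[i:i + target] for i in range(len(s) - target + 1)]


def candidates(blob: bytes, lo: int = 8, hi: int = 20) -> Iterator[str]:
    """Password candidates of every length in [lo, hi] cut from every extracted string.
    Duplicates are dropped on the fly with an in-memory set; that set is what grows
    without bound on a 62 GB string file, so a real run wants a disk-backed sort/uniq."""
    seen = set()
    for s in extract_strings(blob, lo):
        for k in range(lo, min(hi, len(s)) + 1):
            for w in windows(s, k):
                if w not in seen:
                    seen.add(w)
                    yield w


if __name__ == "__main__":
    for c in candidates(SAMPLE_IMAGE):
        print(c)
```

Note that the windowing is what produces the ~400% blow-up quoted on the next slide: a 14-character string yields 7 + 6 + ... + 1 = 28 candidates of length 8 to 14, so the candidate file is several times larger than the string file before any scoring removes anything.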
Extract Strings (2)
This could lead to a large amount of string data to process on a per-image basis. Some size analysis:
Memory images: stripping out strings from a forensic image leaves ~10.3% of the original size; creating passwords from the strings is a ~394% increase. Example: a 204MB forensic image of memory gives 24MB of strings and 107MB of passwords.
Disk images: stripping out strings from a forensic image leaves ~55% to ~80%; creating passwords from the strings is a ~400% increase. Example: a 75GB forensic image gives 62GB of strings and 238GB of passwords.
Score Strings
Entropy: a measure of the disorder or randomness in a closed system. Shannon entropy or information entropy is a measure of the uncertainty associated with a random variable.
I just want to avoid “aaaaaaaa3” as a dictionary word. But I want “ShmooconRocks!” as a dictionary word.
Entropy
sub entropy {
    # $hashref maps each character to its count in the string, $total is the string length
    my ($hashref, $total, $baselog) = @_;
    $baselog = 0.693147180559945 unless $baselog;   # log(2): report the result in bits
    return undef unless ( ref $hashref and $total > 0 );
    my $sum;
    # -sum( p * log2(p) ) over the character frequencies p = count / total
    $sum += $_ * (log($_)/$baselog) for ( map { $_/$total } values %$hashref );
    return -$sum;
}
ShmooconRocks! entropy = 3.09306920777189200
ShmooconRocks entropy = 2.9312089489103244
shmooconrocks entropy = 2.77736279506417020
aaaaaaaaa3 entropy = 0.46899559358928139
Complexity and readability
Readability
Basic password strategies:
Dictionary word, or sports teams, sports, colors, music groups (1)
Dictionary word with a # at the end (1)
Two words combined with a #, like sun2shine or blue9sky (2)
Quotes: “My Half Dead Monkey Died OF WigginG” = MHFMDOFWG, or better, MhDMdofwG! (2)
License plate & l33t (leetspeak): QTGRL and /\/\4D5|<1LL$ (2)
Point is – most of the time users have a readable password. Which leads to frequency analysis and base-word matching!
(1) Researched password analysis – myspace 20k, Schneier, Fredstie report.
(2) My analysis from various systems and projects, 400k+ over 10 years.
Complexity and readability (2)
Complexity
English uppercase characters [A-Z]
English lowercase characters [a-z]
Numerals [0-9]
Non-alphabetic characters, such as !,$.#%^
Special symbols, such as β∞£€θ♦ – I like the idea of having ® in my password!
My thoughts are that complexity is going to be a key driver in what I developed as password profiles.
Password profiles
Idea of password profiles: based on the user and suspected computer ability or paranoia. Standard, Informed, Effort, and AllOut (forced complexity?).
Standard (the masses): average 7 to 8 characters; rising percentage adding a digit, 1 or 2, to the end; small amounts of two-word combos; good amounts of English frequency hits; entropy less than 4, more than 1.4; [a-z] [0-9] [!#$].
Informed (computer professionals, individuals that somehow connect to computer crime as “real”): average 9 to 10 characters; two-word combos, l33t passwords; still good amounts of English frequency; entropy less than 4, more than 2; [a-z] [0-9] [A-Z] [!@#$%^&*()_+=-].
Don’t forget to check and see if a password policy or forced strong passwords exist!
Scoring Passwords
Password profiles weight the potential password scoring. By identifying a profile you score those passwords higher for the dictionary sort. Why? Because due to space or size requirements you may only want the top 20% or 30% of potential passwords.
You can still have 100% of passwords with or without the “trash” [low complexity, low entropy, known system strings].
Yes, the AllOut profile rates all passwords high, trash included.
Turning Scored Passwords into a Dictionary
The primary purpose of scoring passwords is to reduce the dictionary size to a manageable level. This can be done by choosing to only keep the top X% of passwords, or by splitting the password output into multiple files:
1st round output: Top 15%
2nd round output: 15% to 30%
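The scoring pipeline from the Entropy, Password profiles and Scoring slides, joined up as one added example in Python; this is not the author's gen_passwords.pl and makes no claim about how that script weights things. Only the entropy formula, the Standard/Informed length, entropy and character-set figures, the three OS trappings and the 15%/30% round cuts come from the talk; the complexity weighting, the length penalty, the Effort profile being left out and the candidate list are assumptions made here for illustration.

```python
import math
import string
from typing import Dict, Iterable, List, Sequence, Tuple

# OS "trappings" that appear in every image and are never anybody's password.
# Only the page's three examples; a real deployment carries a long list.
TRASH = {"system_call", "Generic volume", "SymbolicLink"}

# profile -> (typical min length, typical max length, entropy floor, entropy ceiling, allowed chars)
# Standard and Informed figures come from the page; AllOut is defined there as "rate everything".
PROFILES: Dict[str, Tuple[int, int, float, float, set]] = {
    "Standard": (7, 8, 1.4, 4.0, set(string.ascii_lowercase + string.digits + "!#$")),
    "Informed": (9, 10, 2.0, 4.0, set(string.ascii_letters + string.digits + "!@#$%^&*()_+=-")),
    "AllOut": (1, 64, 0.0, math.inf, None),
}


def shannon_entropy(s: str) -> float:
    """-sum(p * log2 p) over the character histogram: 'aaaaaaaaa3' ~0.47, 'ShmooconRocks!' ~3.09."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def complexity(s: str) -> int:
    """Number of character classes present: lowercase, uppercase, digits, everything else."""
    return sum([
        any(c.islower() for c in s),
        any(c.isupper() for c in s),
        any(c.isdigit() for c in s),
        any(not c.isalnum() for c in s),
    ])


def score(candidate: str, profile: str) -> float:
    """Rank a candidate for one profile. 0.0 means 'trash for this profile': drop it."""
    lo, hi, ent_lo, ent_hi, charset = PROFILES[profile]
    ent = shannon_entropy(candidate)
    if profile == "AllOut":
        return 1.0 + ent                      # keeps everything, trash included, ordered by entropy
    if candidate in TRASH:
        return 0.0
    if not (ent_lo < ent < ent_hi):
        return 0.0
    if not set(candidate) <= charset:
        return 0.0
    # Inside the profile: more character classes score higher, lengths far from the
    # profile's typical range score lower. The weights are arbitrary choices for this example.
    mid = (lo + hi) / 2
    length_penalty = 0.0 if lo <= len(candidate) <= hi else 0.25 * abs(len(candidate) - mid)
    return complexity(candidate) + ent - length_penalty


def rank(candidates: Iterable[str], profile: str) -> List[str]:
    """Unique candidates scored for `profile`, best first, zero-scored ones removed."""
    scored = sorted(((score(c, profile), c) for c in set(candidates)), reverse=True)
    return [c for s, c in scored if s > 0]


def split_rounds(ranked: Sequence[str], cuts: Sequence[float] = (0.15, 0.30)) -> List[List[str]]:
    """Cut a ranked list into round files: with the default cuts, round 1 is the top 15%
    and round 2 is 15% to 30%; whatever lies past the last cut is not written at all."""
    out, prev = [], 0
    for frac in cuts:
        end = round(len(ranked) * frac)
        out.append(list(ranked[prev:end]))
        prev = end
    return out


# Constructed candidate set: the page's example strings plus two of its OS trappings.
SAMPLE_CANDIDATES = [
    "aaaaaaaaa3", "ShmooconRocks!", "sun2shine", "blue9sky", "password1",
    "sys21tem88", "why88askwhy", "QTGRL", "Generic volume", "SymbolicLink",
]

if __name__ == "__main__":
    for profile in PROFILES:
        print(profile, rank(SAMPLE_CANDIDATES, profile))
```

The point the profiles make is visible in the output: "ShmooconRocks!" is dropped entirely under Standard because of the uppercase letters, and a Standard-only first round would never try it, so picking the wrong profile costs recall, not just time. Scoring is also where a known password policy pays off: if the target enforces three character classes, every candidate with a lower complexity can be discarded before it is ever hashed.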
Dictionary formed, now what?
My #1 choice, John the Ripper, http://www.openwall.com/john/ – has LM, Kerberos, Unix crypt(s); contributed resources include NTLM, SHA/SHA1, MySQL, Apache + more.
Any other password cracker that takes a dictionary (Cain & Abel, ElcomSoft + more).
Build your own, if you need it! Either John or your programming choice.
John the Ripper
[root@CB1 Test]# uname -a
Linux CBlack1 2.6.9-55.0.12.plus.c4smp #1 SMP Fri Nov 2 09:10:15 EDT 2007 i686 i686 i386 GNU/Linux
[root@CB1 test]# cat crack.txt
testman:$1$UEq1obkF$atd1uwHWDrNdTVqvgUPKF/
[root@CB1 test]# /usr/local/bin/john -wordlist=PassScan-image-dcsmith8-password-out.txt crack.txt
Loaded 1 password hash (FreeBSD MD5 [32/32])
sys21tem88 (testman)
guesses: 1 time: 0:00:15:29 100% c/s: 4234 trying: sys21tem88
3.9 Million passwords checked before found
Cisco Pix – Cain and Abel
Your Scripts too!
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA1;
use MIME::Base64;

my $targethash = "{SHA}Dyw5fW2lhFlQNepIjVHwvdRfwFA=";   # 1: target hash in LDAP {SHA} form
my $passfile   = "/work/sha1/PassScan-image-dcsmith9-password-out";

open(my $source, '<', $passfile) || die "\nCan't open file $passfile: $!";
while (my $line = <$source>) {      # read line by line; a foreach over <FH> slurps the whole dictionary
    chomp $line;                    # drop the newline, or it gets hashed along with the candidate
    checkhash($line);               # 2
}
close($source);

sub checkhash {
    my ($secret) = @_;
    my $ctx = Digest::SHA1->new;
    $ctx->add($secret);
    my $hashedPasswd = '{SHA}' . encode_base64($ctx->digest, '');   # 3: same encoding as the target
    if ($hashedPasswd eq $targethash) {                              # 4: exact compare, not a regex match
        print "MATCH! Password is $secret\n";
        exit();
    }
}
[root@CB1 Test]# perl SHA1-Dict.pl
MATCH! Password is why88askwhy
That’s pretty much it…
Version 1 is available at http://www.hcp-fs.com (HCP Forensics). Still fragmented in Perl: gen_strings.pl and gen_passwords.pl. Lots of HD space needed for strings, passwords, and duplicate removals.
Next version is needed! Port for speed! Combine functionality to allow for one-pass processing. Still not sure about on-the-fly dup removal.
Questions? Shmooballs!
Shout outs: my Georgetown security team, Trent Beckett, and my wife, who is nice enough to let me follow these pursuits.
Ideas
Does anyone else brute-force passwords like this:
[a-z] to 10 characters
[a-z][0-9] to 8 characters
[a-z][0-9][A-Z] to 7 or 8 characters
[a-z][0-9][A-Z][SYMBOLS] to 7 characters
Sometimes I start them all at the same time.
Can they be segmented? Like [a-z][0-9] minus the [a-z] matches:
[a-z] for 8 characters = 208,827,064,576 (208 billion)
[a-z][0-9] for 8 characters = 2,821,109,907,456 (2.8 trillion)
Sure it is still 2.6 trillion, but I won’t have to check 208 billion of them!
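The segmentation asked about above, as an added Python example that is not part of the talk. The answer to "can they be segmented?" is yes, and without generating and then discarding the 208 billion already-tried candidates: split the [a-z][0-9] keyspace on the position of the first digit, so every string before that position is lowercase-only, that position is a digit, and everything after it is unrestricted. The counts telescope to |B|^n - |A|^n exactly, with no duplicates. The page's numbers for length 8 are reproduced; the small alphabets used to exercise the generator are constructed.

```python
import itertools
import string
from typing import Iterator


def keyspace(alphabet: str, length: int) -> int:
    """Number of strings of exactly `length` over `alphabet`: |alphabet|^length."""
    return len(alphabet) ** length


def segment_size(base: str, added: str, length: int) -> int:
    """Strings of `length` over base+added that use at least one `added` character,
    i.e. the [base+added] run minus the [base] run already done: |B|^n - |A|^n."""
    return keyspace(base + added, length) - keyspace(base, length)


def segmented(base: str, added: str, length: int) -> Iterator[str]:
    """Enumerate exactly the strings counted by segment_size, never emitting a
    base-only string. Split on the index of the first `added` character: the
    prefix is base-only, that index is an `added` char, the suffix is unrestricted.
    Summing |A|^i * |D| * |B|^(n-i-1) over i gives |B|^n - |A|^n."""
    full = base + added
    for first in range(length):
        for head in itertools.product(base, repeat=first):
            for mid in added:
                for tail in itertools.product(full, repeat=length - first - 1):
                    yield "".join(head) + mid + "".join(tail)


LOWER, DIGITS, UPPER = string.ascii_lowercase, string.digits, string.ascii_uppercase

if __name__ == "__main__":
    n = 8
    print(f"[a-z]       for {n}: {keyspace(LOWER, n):,}")
    print(f"[a-z][0-9]  for {n}: {keyspace(LOWER + DIGITS, n):,}")
    print(f"segmented   for {n}: {segment_size(LOWER, DIGITS, n):,}")
    # Next stage in the page's schedule at length 7: add [A-Z], skipping the [a-z][0-9] run
    print(f"+[A-Z]      for 7: {segment_size(LOWER + DIGITS, UPPER, 7):,}")
```

The same split applies to each later stage of the schedule: the [a-z][0-9][A-Z] run at length 7 only needs 62^7 - 36^7 candidates, because the 36^7 strings without an uppercase letter were covered when the [a-z][0-9] run went to 8 characters. Running the stages "all at the same time" without this split re-hashes every earlier keyspace inside every later one.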