IT ADVISORY
Password cracking
Marc Smeets
10 December, 2012
AUDIT & ADVISORY / INFORMATION PROTECTION SERVICES
Introduction
Why I am standing here
KPMG is one of the ‘big four’ audit and advisory firms
IT Security & Control team (45 fte in NL, large global network)
Security testing/ethical hacking, IT auditing (we crack passwords, we hack websites and we report to the client how to improve)
Why you are here
Learn about password cracking
Ask hard questions
Potential research projects
© 2010 KPMG NL, the Dutch member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.
Agenda
The horror called passwords
Recap of password hashing and cracking
Advanced techniques
What we do
Demo
Research projects
The horror called passwords – Why passwords?
Why passwords?
How to store passwords?
How to remember passwords?
How to make passwords stronger?
The horror called passwords – Passwords and IT audit requirements
ISO 27001, HIPAA, PCI DSS, SOx
“The usage of strong passwords should be enforced”
“Do not use vendor default passwords”
“Require a minimum password length of at least seven characters.”
“Passwords should contain lower and upper case numbers and letters”
Passwords should contain at least lower and upper case letters, a number and a special character, have a minimum length of 8 characters, not be the same as the 5 previous passwords and be changed every 90 days
Recap of password hashing and cracking – What is a hash?
Hash: one-way representation of data, no (mathematical) way back from hash to data
It solves the issue of verifying a password without actually knowing it
Clear text password (+ salt) goes into the hashing function
Result is the hash, which may get stored in a database
(Diagram: clear text + salt -> crypto hash function -> hashed password -> storage on system)
Many implementations: MD5, SHA, LM, NTLM, MYSQL, Oracle, BSD crypt, many others
Storage on system: username:salt:hash
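The hashing and storage flow above, as an added example that is not part of the original slides: it builds the username:salt:hash record with PBKDF2-HMAC-SHA256 standing in for the crypto hash function, verifies a login without ever knowing the stored password, and shows that the salt keeps two users with the same password from sharing a hash. User names, passwords and the iteration count are constructed choices for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the slides): producing and checking the
# "username:salt:hash" storage line. PBKDF2-HMAC-SHA256 plays the role of the
# "crypto hash function"; the slides list many others (MD5, SHA, BSD crypt, ...)
# and the salt/verify principle is the same for all of them.

ITERATIONS = 100_000  # work factor (constructed value); slows down every guess


def hash_password(password: str, salt: bytes) -> str:
    """Clear text password + salt go into the hashing function; the hash comes out."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return digest.hex()


def make_record(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build the storage line shown on the slide: username:salt:hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user; never reuse one
    return f"{username}:{salt.hex()}:{hash_password(password, salt)}"


def verify(record: str, candidate: str) -> bool:
    """Verify a login attempt without knowing the stored password:
    re-hash the candidate with the stored salt and compare to the stored hash."""
    _username, salt_hex, stored_hash = record.split(":")
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(recomputed, stored_hash)


def same_password_same_hash(records: list) -> bool:
    """True when two stored records carry an identical hash. With per-user
    salts this stays False even for users sharing a password, so a leaked
    database cannot be attacked with one precomputed table for all users."""
    hashes = [r.split(":")[2] for r in records]
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    # Constructed sample users; both pick the same password.
    db = [make_record("alice", "Winter2012!"), make_record("bob", "Winter2012!")]
    for line in db:
        print(line)
    print("alice login ok:", verify(db[0], "Winter2012!"))
    print("alice wrong pw:", verify(db[0], "winter2012!"))
    print("identical hashes for identical passwords:", same_password_same_hash(db))
```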
Recap of password hashing and cracking – What can possibly go wrong?
Hashing is a secure principle. What can possibly go wrong?
Images of bad password implementation removed
Recap of password hashing and cracking – Cracking the hash
A hash is supposed to be one way. So how do we find the password?
Offline brute force on the hash
Dictionary with common words/passwords
Educated dictionary with info from the environment
Pre-computation tables -> Rainbow tables
Look for crypto errors and errors in the hashing implementation
Online brute force login
Overwrite the hash table with known hashes
Recap of password hashing and cracking – Cracking the hash – brute force and dict.
Simple operations that can be automated. Many implementations.
Tools: John the Ripper, Cain & Abel
Recap of password hashing and cracking – Cracking the hash – crypto and impl. errors
Weak hash algorithms are easier to crack
Example: Windows LAN Manager hashing
What is wrong with LM hashing?
NTLM is used if the password has more than 14 characters
Windows stored* LM next to NTLM on the system. What do you prefer to crack? ;-)
* Default until Windows Vista/2008
Recap of password hashing and cracking – Cracking the hash – crypto and impl. errors
Other known weak password hashing mechanisms (but found many times in corporations):
Oracle (<11g)
Cisco routers/switches with ‘password 7’
Single unsalted MD5
Recap of password hashing and cracking – Cracking the hash – crypto and impl. errors
Weak implementations don’t even need hash cracking
Example: pass-the-hash (diagram: password -> computation and storage of hash -> communication with hash -> steal hash)
Recap of password hashing and cracking – Cracking the hash – rainbow tables
Pre-computation tables: pre-compute all possible passwords, store them in tables, perform a lookup on the hash and find the accompanying password.
Rainbow tables: optimised pre-computation
Time-memory trade-off
http://kestas.kuliukas.com/RainbowTables/
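The time-memory trade-off described above, as an added toy example that is not part of the original slides or of the linked page: a rainbow table for single unsalted MD5 (the weak scheme the slides name) over a constructed keyspace of three lowercase letters, with chain generation, endpoint-only storage, a different reduction function per column and a lookup that handles false alarms. The chain length, chain count and the H/R/index_to_password names are choices made for this example.

```python
import hashlib
import random
import string

# Added example (not from the slides): a toy rainbow table. Only chain endpoints
# are stored (memory side); a lookup pays with hash computations (time side).
# Keyspace and chain parameters are deliberately tiny so it runs in seconds.

ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords
CHAIN_LEN = 50                       # hashes per chain
NUM_CHAINS = 800                     # endpoints kept in memory


def H(password: str) -> str:
    """The hash under attack: single unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def index_to_password(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a password of PW_LEN letters."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def R(step: int, digest: str) -> str:
    """Reduction function: maps a hash back into the password space. Mixing in
    the column index gives each column its own reduction, which is what makes
    this a rainbow table (fewer merging chains than one fixed reduction)."""
    return index_to_password((int(digest[:16], 16) + step) % KEYSPACE)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precomputation: walk p0 -H-> h0 -R0-> p1 -H-> h1 -R1-> ... -> p_t for each
    chain and keep only endpoint -> start point."""
    table = {}
    for i in range(num_chains):
        start = index_to_password((i * 7919) % KEYSPACE)  # spread start points
        p = start
        for step in range(chain_len):
            p = R(step, H(p))
        table.setdefault(p, start)  # a merged chain keeps the first start point
    return table


def lookup(table: dict, target: str, chain_len: int = CHAIN_LEN):
    """Invert a hash: for every column i, assume the target sat there, replay
    the rest of the chain and check whether the endpoint is stored. A stored
    endpoint can be a false alarm, so the chain is regenerated from its start
    and the hash is checked explicitly before anything is returned."""
    for i in range(chain_len - 1, -1, -1):
        p = R(i, target)
        for step in range(i + 1, chain_len):
            p = R(step, H(p))
        if p in table:
            q = table[p]
            for step in range(chain_len):
                if H(q) == target:
                    return q
                q = R(step, H(q))
    return None


def coverage_estimate(table: dict, samples: int = 100, seed: int = 1) -> float:
    """Fraction of random passwords the table recovers: the trade-off buys
    probabilistic coverage, and more chains cost more memory."""
    rng = random.Random(seed)
    found = 0
    for _ in range(samples):
        pw = index_to_password(rng.randrange(KEYSPACE))
        found += lookup(table, H(pw)) == pw
    return found / samples


if __name__ == "__main__":
    table = build_table()
    print(f"stored {len(table)} endpoints for a keyspace of {KEYSPACE}")
    print("recovered 'aaa' ->", lookup(table, H("aaa")))
    print("estimated coverage:", coverage_estimate(table))
    # A salt puts the hashed value outside the precomputed space: nothing found.
    print("salted lookup ->", lookup(table, H("s4lt" + "aaa")))
```

The last line is the defender's point: a per-user salt means no table built in advance covers the stored hash, which is why the salted record from the hashing recap resists this whole class of attack.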
Recap of password hashing and cracking – Cracking the hash (cont.)
Hashing algorithms are getting better and better
Password cracking tools and techniques are getting better
We go from CPUs to more powerful architectures: the new kids on the block
The new kids on the block – Who are the new kids?
Cell architecture
FPGA / ASIC
Cloud computing
Graphics cards
Welcome to: Computer Architecture 101 :-)
The new kids on the block – Cell architecture
Cell Broadband Engine Architecture
Goal: bridge between a regular CPU and the high performance computers needed for future video demands
The new kids on the block – Cell architecture
New CPU consists of a RISC (PowerPC) architecture + coprocessors
1x main processor: Power Processing Element (PPE)
8x fully-functional co-processors called the Synergistic Processing Elements (SPEs); 1 not used when using a custom OS
High speed bus in between
The new kids on the block – Cell architecture – password cracking
PS3 has Cell and used to run Linux
7 cores you can use
Compilers exist for your code to run (ppu-gcc and spu-gcc)
Different way of programming:
10 + 1 = 11: Single Instruction, Single Data
{10,11,12,13} + 1 = {11,12,13,14}: Single Instruction, Single Data set
{10,11,12,13} + {1,2,3,4} = {11,13,15,17}: Single Instruction, Multiple Data set
If you reprogram your routine, this rocks!
The new kids on the block – Cell architecture – supercomputer
US Air Force’s implementation
The new kids on the block – Cell architecture – disadvantages
Cell architecture is limited to 7 extra cores
Cell architecture is not dead, but also not lively developed
Cost of current implementations is therefore not dropping hard
Programming interface is somewhat hard
Amount of implementations of password cracking tools is limited*
* MD5 implementation by Nick Breese: http://www.blackhat.com/presentations/bh-europe/08/Breese/Presentation/bh-eu-08-breese.pdf
The new kids on the block – FPGA / ASIC
The new kids on the block – FPGA / ASIC
Field Programmable Gate Array
A bunch of reprogrammable components on a board that perform logical operations
Mid 80’s: invented to easily create prototypes of new hardware
Consists of:
Logical blocks that can be programmed for a task
Ways for I/O
Programmable interconnections -> create sets of logical blocks for a greater task
The new kids on the block – FPGA / ASIC
ASIC = Application Specific Integrated Circuit.
Basically a function on a chip (MP3, GSM, switch port)
ASICs are becoming overly complicated
ASIC ~= FPGA but faster, more expensive and less reprogrammable
The new kids on the block – FPGA / ASIC – password cracking
Create your hash algorithm in Hardware Abstraction Language
Push to the board along with creation of the interconnections
Setup I/O
Blast at enormous speed (this is hardware!)
DES cracking is the famous example
The new kids on the block – FPGA / ASIC – disadvantages
Expensive
This is hardware; most software programmers are scared of hardware and wires
Need to reprogram for each algorithm, or have more sets of FPGAs
The new kids on the block – Cloud computing
The new kids on the block – Cloud computing
Co-location -> Managed hosting -> ‘IT resources’ as a service
“A style of computing where massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies”
In essence the next step of outsourcing of IT
In essence mainframe computing all over again, over the Internet
Software as a service (Salesforce.com)
Platform as a service (Google & Amazon)
Infrastructure as a service (Terremark)
The new kids on the block – Cloud computing – password cracking
So, just buy ‘resources’ as you need. We want to crack passwords:
1. prepare infrastructure and enable at Amazon
2. upload hashes
3. start cracking
4. add more systems if needed
5. finish and close
6. Pay Amazon $50,000 for an 11 character password [a-z] (CPU), or $2.00 for a common WPA PSK (with Tesla Fermi)
Other solution is cloudcracker.com (LM/NTLM, MD5, MSCHAPv2, SHA512, WPA/WPA2)
Use EC2 Spot Prices: Bitweasil’s presentation, Blackhat Las Vegas 2012
The new kids on the block – Cloud computing – disadvantages
Not so good:
Do you / the client really want to upload password hashes to a cloud?
Cheap resources become expensive for cracking*
Cloud resources are a bit different, may need minor reprogramming
To counter this, cloud services are becoming ‘upload and wait’ services
* Cryptohaze Cloud Cracking
The new kids on the block – GPU
The new kids on the block – GPU – history of graphics
In the old days:
Text mode -> mixing text and bitmaps
For each refresh draw the complete bitmap. When moving (game), all data from the bitmap (framebuffer) needs to move within memory: CPU intervention, big penalty for the CPU
BLITTER (Block Image Transfer) = coprocessor that handles the movement of the bitmap in memory (Atari 8-bit)
The new kids on the block – GPU – history of graphics (cont.)
In the 90’s:
API for 2D acceleration: WinG and DirectDraw (Windows 95)
Define a graphics object and its movement -> ‘draw it’
Rasterization of polygons (collection of triangles) to 2D (bitmap)
3D = 2D with an extra dimension
API for 3D: OpenGL & DirectX
The new kids on the block – GPU – history of graphics (cont.)
Post 2000:
We want realistic colouring (pixel shading)
We want realistic surfaces (bump mapping and anti-aliasing)
We want it fast (acceleration)
We make the entire graphics pipeline programmable for pixels and vertices
Single Instruction, Multiple Data
Highly parallel
The new kids on the block – GPU – hardware layout
ALU / core: Arithmetic Logic Unit, the digital circuit doing the logic
Control: dispatcher, keeping track of operations and memory locations. On a GPU a thread dispatcher also exists for thread creation and finishing
DRAM and cache: fast and extra fast memory
The new kids on the block – GPU – hardware layout
Multiprocessor
All cores/threads
Thread dispatcher
SIMD -> Single Instruction on Multiple Threads
One instruction on all(!) threads, just don’t branch
Multithread programming is hard; the thread dispatcher takes care of a lot
The new kids on the block – GPU – hardware comparison
CPU: 4-16 cores at 3GHz
Cell: 7 cores at 3.2GHz
Nvidia GTX295: 240 cores per GPU (2 GPUs) at 576MHz
ATI Radeon HD 7970: 2048 cores at 1GHz
Nvidia Fermi: 512 cores at 700MHz
Nvidia Tesla C2050 (high performance computing, no display capability): 448 cores at 1.15GHz
The new kids on the block – GPU – password cracking
API is via CUDA or FireStream
Reprogramming your code is relatively easy
Parallelising your functions/threads is also made easy
OpenCL: GPU + CPU
CUDA and OpenCL are heavily(!!) developed, getting stable
Hardware is heavily(!!) developed, prices drop
Many tools already exist
The new kids on the block – GPU – disadvantages
Support of hashes is very limited
Yes, a lot of tools, but they mostly do MD5, SHA1 and NTLM
Hard to scale your hardware
Power, motherboard, casing, etc.
No/limited support for distributed cracking
Existing tools not stable and hard to automate
Recent changes
Ways for distributing cracking power
Cryptohaze (proper network distribution built-in)
oclHashcat-plus
Virtual Open Cluster + oclHashcat-plus
Advances in cracking
21% reduction in SHA1 calculations
Putting the theory together
Wrap-up
What we do
What we really want
Putting the theory together – Wrap-up
Some new architectures with awesome power and limitations
But, we do password cracking:
Brute force is only part of the game
Cracking strategy: dictionary, rainbow tables and then brute force
It needs to be stable
Useless if we still can’t crack the 9 character NTLM
Putting the theory together – What we do
Local cracking on the pen tester’s laptop
Central lab facilities
GPU cracking server
CPU cracking cluster
Putting the theory together – What we do – cracking cluster
John the Ripper
Allows for brute force and dictionaries
Patched with tons of hash algorithms
Patched with Multi Process Instruction
~70 CPU cores over 1 server and 30 desktops
Putting the theory together – What we do – what we really want
Research projects
Distributed Password Cracking Platform – the final step
Feasibility of attacks on weak SSL ciphers
Building a more resilient TOR
We encourage different ideas and topics
To give you an idea, in the past we have supervised: Security of software update mechanisms, RFID in garbage disposal systems, Smart Metering systems, Security of browsers, Security of car alarms, GPU password cracking, Synergy of Social Networks, Passive LAN information gathering, DMA in Metasploit, etc.
Questions?
Marc Smeets MSc CISSP CISA, KPMG IT, [email protected]