salt cryptography & cracking salted hashes by fb1h2s
DESCRIPTION
Salt Cryptography & Cracking Salted Hashes by fb1h2s @ null Pune Meet, August, 2010
TRANSCRIPT
FB1H2S aka Rahul Sasi
www.fb1h2s.com
www.garage4hackers.com
Garage 4 Hackers http://www.garage4hackers.com
Cracking Salted Hashes
Web Application Security: The Do and Don'ts of Cryptography.
An Introduction
• Cryptography: advantages, drawbacks
• Hash functions: advantages
• Salted hash functions: difficulties in cracking
• This paper is an advisory on the strong ways of using cryptography functions.
• And on the various possible ways of cracking them, from a hacker's perspective.
Application that doesn't use cryptography hashes:
• Consider this piece of code from a login form.
    onclick="javascript:document.frm.id.value='user';document.frm.passwd.value='value';this.form.passwd.value=(hex_md5('CC6AB28BA9FAD121184B09E00F1DD6E7'+this.form.passwd.value));this.form.submit();"
• How this JavaScript application works:
• The salt value "CC6AB28BA9FAD121184B09E00F1DD6E7" was the current session ID.
• There would be no way for the program to verify the password value unless, in the back-end database, the passwords are stored unencrypted.
Point No. 1: Always encrypt and save your sensitive data in the database.
So now, what if the data is encrypted: is it secure?
Hash Functions: Cracking The Salted Hashes:
"I recently came across this huge database of an email service provider, and I will take this paper the way I went about cracking those hashes."
The few possible ways to crack hashed passwords are:
• The algorithm used for hashing has some flaws and the hashes are reversible.
• Or you will have to brute-force the hashes with a dictionary wordlist or rainbow tables.
• Or simply, if you have UPDATE privileges on that database, update it with a known password's hash value.
"All this is possible only if you know what algorithm the hashes are built on."
So what could you do to figure out the hashing algorithm used?
• Answer: All algorithms generate a fixed-length hash value.
• So based on the output you could estimate what algorithm was used.
I am putting in a few cheat sheets for figuring out the hash algorithm based on the hashes.
My hashes were 13 characters long and nowhere in the cheat sheet, but I was able to figure it out using a few programming tutorial websites.
The hashes I had were PHP crypt() function hashes.
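The fixed-length observation above is equally useful to a defender auditing a credential table for legacy formats that need migration. The following is an added example, not code from the original slides; the function name `classify_stored_hash()` and the sample rows are constructed for illustration (the first three values are the hashes quoted on the slides).

```php
<?php
// Added example, not from the original slides: inventory stored password
// values by shape so legacy formats can be scheduled for migration.
// classify_stored_hash() and the sample rows are constructed.

function classify_stored_hash(string $value): array
{
    // Self-describing formats carry an algorithm prefix.
    if (preg_match('/^\$2[abxy]\$\d{2}\$/', $value)) {
        return ['format' => 'bcrypt', 'action' => 'ok'];
    }
    if (preg_match('/^\$argon2(id|i)\$/', $value)) {
        return ['format' => 'argon2', 'action' => 'ok'];
    }
    // "hash:salt" layout used on the random-salt slide.
    if (preg_match('/^[0-9a-f]{32}:.+$/i', $value)) {
        return ['format' => 'md5-length hex with stored salt', 'action' => 'migrate'];
    }
    // Traditional DES crypt(): 2 salt characters followed by 11 hash characters.
    if (preg_match('/^[.\/A-Za-z0-9]{13}$/', $value)) {
        return ['format' => 'DES crypt', 'action' => 'migrate'];
    }
    // Bare hex digests: only the length hints at the algorithm family.
    $hexLengths = [32 => 'md5-length hex', 40 => 'sha1-length hex', 64 => 'sha256-length hex'];
    if (ctype_xdigit($value) && isset($hexLengths[strlen($value)])) {
        return ['format' => $hexLengths[strlen($value)], 'action' => 'migrate'];
    }
    return ['format' => 'unknown', 'action' => 'review'];
}

// Constructed sample rows; the first three values are the ones quoted on the slides.
$rows = [
    'alice' => 'laAsfestWEiq1',
    'bob'   => '1423de37c0c1b63c3687f8f1651ce1bf',
    'carol' => '6f04f0d75f6870858bae14ac0b6d9f73:14357',
    'dave'  => password_hash('example-only', PASSWORD_BCRYPT),
];

$summary = [];
foreach ($rows as $user => $stored) {
    $result = classify_stored_hash($stored);
    $summary[$result['action']][] = $user;
    printf("%-6s %-32s %s\n", $user, $result['format'], $result['action']);
}
foreach ($summary as $action => $users) {
    printf("%s: %d account(s)\n", $action, count($users));
}
```

A bare hex length only narrows the algorithm family; it cannot tell a plain digest from a constant-salt or nested one, so rows marked `migrate` still need the application code checked.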
A simple walkthrough of the PHP crypt() function:
• It is a one-way hashing function which takes in a "string" and a "salt" and returns the hash.
• By default it uses "DES" to produce the hashes.
• Consider, for example:
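    <?php
    // Salt omitted: crypt() picks a random one (PHP < 8.0; the salt argument is mandatory since PHP 8.0)
    $password = crypt('password');
    ?>
    Hashes: laAsfestWEiq1
Here the password hash generated is based on a random 2-digit salt.
Or we could provide our own salt.
    <?php
    $password = crypt('password', 'salt');
    ?>
    Hashes: sih2hDu1acVcA
And the password verification code would be as follows:
    <?php
    // The stored hash doubles as the salt argument; hash_equals() compares in constant time
    if (hash_equals($password, crypt($user_password, $password))) {
        echo "Correct Password";
    }
    ?>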
• In either case the salt is stored together with the hash, a property of DES.
• As I mentioned above, the security of salt cryptography rests on the fact that the salt is unknown to the cracker.
• With this basic piece of information, all the hashes were cracked easily.
• All I had to do was load a common-passwords dictionary, combine it with the constant salt, and get my work done.
Salted Hashes.
Salt/Hash algorithm with Constant Salt:
Example:
    $password = "password"; // user input
    $salt = "salted";
    $password = md5($salt.$password); // saved in db: md5(saltedpassword)
    Hashes: 1423de37c0c1b63c3687f8f1651ce1bf
    Salt: salted
• In this program a constant salt is used, therefore the salt is not saved in the database.
• So our dumped hashes won't contain the salt value.
For verifying such algorithms we need to try the following things.
• Try to create a new user using the target application.
• Dump the data again and verify what algorithm is used, using the above-mentioned methods.
• Consider the new password added was "password": md5('password') == "5f4dcc3b5aa765d61d8327deb882cf99". If instead the updated value was "1423de37c0c1b63c3687f8f1651ce1bf", that says a salt is used, and that it is a constant one, as it doesn't seem to be stored with the final hashes.
Cracking the salt:
• Now for breaking this, the only thing you could do is brute-force the hashes to figure out what the salt is.
For example:
We know: Md5('password') == "5f4dcc3b5aa765d61d8327deb882cf99"
Now the question is: Md5('password' + "????WHAT????") === "1423de37c0c1b63c3687f8f1651ce1bf"
Conclusion:
• Never use a constant salt for all hashes: if your PHP application is storing sensitive values and you want to store their salted hashes, then the crypt() function is not the right option, nor is depending on any constant-salt function the right choice.
Salt/Hash algorithm with Random Salt:
• If a random salt is used for each hash, which is necessary for applications whose source is publicly available, then it is necessary to store the salt along with the hashes.
• The negative point is that it is possible to extract the salt from the hashes.
• But the positive point is that the cracker needs to build hash tables with each salt for cracking each hash.
• We could extract the salt, but as each hash has a different salt, it is impossible to crack all hashes at a stretch.
    $password = user_input(); // user input
    $salt = rand(10000, 99999); // random 5-digit salt
    $password = md5($salt.$password); // saved in db together with the salt: md5(salt . password)
    Hashes: 6f04f0d75f6870858bae14ac0b6d9f73:14357 (Hash:Salt)
    Salt: 14357
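The conclusion above (no constant salt) and the per-hash random salt described here, shown as an added example that is not code from the original slides: the slide's constant-salt MD5 scheme beside PHP's built-in `password_hash()`, with legacy rows upgraded at the next successful login. The function names and the migration flow are assumptions made for illustration.

```php
<?php
// Added example, not from the original slides. legacy_hash(), store_password()
// and verify_and_upgrade() are hypothetical names; 'salted' is the slide's constant salt.

const LEGACY_SALT = 'salted';

function legacy_hash(string $password): string
{
    // Weak scheme from the slide: fast hash, one salt shared by every row.
    return md5(LEGACY_SALT . $password);
}

function store_password(string $password): string
{
    // password_hash() draws a fresh random salt on every call and embeds
    // algorithm, cost and salt in the returned string.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Checks a login; returns [bool $ok, ?string $replacementValue].
// A replacement is produced when the row is legacy or uses outdated parameters.
function verify_and_upgrade(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) { // legacy md5 row
        $ok = hash_equals($stored, legacy_hash($password));
        return [$ok, $ok ? store_password($password) : null];
    }
    $ok = password_verify($password, $stored);
    $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $needsRehash ? store_password($password) : null];
}

// Constructed demo: two accounts choose the same password.
$legacyA = legacy_hash('password');
$legacyB = legacy_hash('password');
echo 'constant salt, rows identical: ', var_export($legacyA === $legacyB, true), "\n";

$modernA = store_password('password');
$modernB = store_password('password');
echo 'password_hash, rows identical: ', var_export($modernA === $modernB, true), "\n";

// A legacy row is verified once with the old scheme, then replaced.
[$ok, $replacement] = verify_and_upgrade('password', $legacyA);
echo 'legacy login accepted: ', var_export($ok, true), "\n";
echo 'replacement verifies: ', var_export(password_verify('password', (string) $replacement), true), "\n";
```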
A scenario for the requirement for a new tool.
Tool: One such tool's documentation would be:
• The whole idea of such a system comes from the concept of torrents, where if you want something you have to share something.
• Here, if you want to crack something you will have to share your processing speed.
How it should work
• You download the cracker tool client.
• You have a WordPress admin hash to crack; you add the hash along with the salt to the cracker client.
• The cracker client sends the hash to the crack server.
• The crack server accepts you as part of the distributed cracking network.
• The crack server updates you with the new set of hashes, algorithm, and permutations you have to carry out.
• The logic is that when someone is doing work for you, you will have to work for them too.
• Thereby your work will be carried out by many different computers.
More on this tool is mentioned in the paper.
Finding an unknown Hash Algorithm:
• Consider a situation where the hashes are encrypted multiple times with different hash algorithms, for example:
    <?php
    $password = sha1('password'); // SHA-1 digest of the password
    $final_password = md5($password); // MD5 of the SHA-1 digest
    ?>
    Final Password Hashes: 1423de37c0c1b63c3687f8f1651ce1bf
• In such a situation, where multiple hashing algorithms are used and the algorithm is unknown, it would be really hard to find what the hashes are.
Now you need an algorithm brute forcer.
Algorithm_Bruter
• So I came up with this script, which takes in a known "password" and its "hashes", runs the password through many different commonly used hash algorithms, and tries to find a match, predicting what algorithm was used in the back end.
• You could check out the script here.
• http://www.fb1h2s.com/algorithmbruter.php
• This could be used in the above-mentioned situations.
Algorithm_Bruter.php
Thank You
• Greetz to all NULL, Andhra Hackers, Garage4H hackers members.