
Entries in hashes (2)

Tuesday, Jun 12 2012

Lessons in LinkedIn Password Cracking

So this past week the password cracking community had some excitement.  Several dumps of hashes were leaked.  One of those was LinkedIn.  This caught my eye since most professionals use this social media service.  I have been a fan of passwords ever since I met Matt Weir when he presented on the science of password cracking.  One of his talking points was that people can pick anything as a password but generally follow a pattern.  How many of us have a capital first letter and end with the number 1?  Password1 is technically a strong password in the eyes of Active Directory.

A few months ago, digininja created Pipal, a tool for analyzing password lists.  This gave the community a common metric and analysis tool to run over the various password dumps.  Using the data from previous dumps, I was able to fine-tune my hashcat rules to crack over half the LinkedIn hashes.

Lessons Learned

  1. Start with a good dictionary.  KoreLogic has a group of amazing word lists here.  In addition, SkullSecurity has a list of previously cracked passwords and various wordlists which I also added to my master_wordlist.dic.  To build my master_wordlist.dic I would run "cat infile >> master_wordlist.dic" for each list.  Make sure to use the double >> (append), or else a single > overwrites the words already in master_wordlist.dic.
  2. After adding everything to your list, you need to sort it and remove the duplicates.  In Windows it is a pain since your list is too big for Excel and Access just plain stinks to use.  Score 1 for Bash! The command "sort master_wordlist.dic | uniq > master_sorted_wordlist.dic" worked perfectly.
  3. Fire up hashcat and crack!  Don't forget to use some rules and masks!  You don't need a GPU but it helps.  One thing I learned was that my Dell laptop has an nVidia card, so check your gear.
  4. Now that I have a cracked list in hash:plaintext format, we need to remove the hash part.  Score 2 for Bash! The command "grep -o '[^:]*$' infile > outfile" strips everything up to the last colon on each line, leaving you a file with only plaintext passwords.
  5. At this point you can perform a Pipal analysis or you can run your list through hashcat again using the cracked passwords as your new dictionary and apply the rules and masks.
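Putting steps 4 and 5 together, as an added example (not the post's own code): a Python script that strips the hash part of hashcat's hash:plaintext output and runs a small Pipal-style pattern check over the result. The sample lines are constructed, and splitting on the first colon (rather than the last, as grep -o '[^:]*$' does) keeps any password that itself contains a colon intact.

```python
"""Added example (not from the original post): parse hashcat's hash:plaintext
output and run a small Pipal-style pattern analysis over the recovered
passwords. Sample lines below are constructed, not real LinkedIn data."""
import re
from collections import Counter

# Constructed sample of cracked output in hash:plaintext form. The "hashes"
# are placeholder hex strings, not real SHA-1 values.
CRACKED = """\
0000000000000000000000000000000000000001:Password1
0000000000000000000000000000000000000002:linkedin
0000000000000000000000000000000000000003:Summer2012!
0000000000000000000000000000000000000004:abc:123
0000000000000000000000000000000000000005:p@ssw0rd
"""

def plaintexts(cracked_output):
    """Strip the hash part of each hash:plaintext line.

    Splitting on the FIRST colon is safer than grep -o '[^:]*$': a hex
    digest never contains ':', but a password may (see 'abc:123').
    """
    out = []
    for line in cracked_output.splitlines():
        if not line.strip():
            continue
        _digest, _, plain = line.partition(":")
        out.append(plain)
    return out

def analyze(passwords):
    """Pattern counts in the spirit of Pipal: length, first-letter capital,
    trailing digit, the specific 'Word1' habit and special characters."""
    stats = Counter()
    for p in passwords:
        stats["first_upper"] += p[:1].isupper()
        stats["last_digit"] += p[-1:].isdigit()
        stats["ends_with_1"] += p.endswith("1")
        stats["capital_word_one_digit"] += bool(re.fullmatch(r"[A-Z][a-z]+\d", p))
        stats["has_special"] += bool(re.search(r"[^A-Za-z0-9]", p))
    lengths = Counter(len(p) for p in passwords)
    return {"total": len(passwords), "lengths": dict(lengths), **stats}

if __name__ == "__main__":
    for key, value in analyze(plaintexts(CRACKED)).items():
        print(f"{key}: {value}")
```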


You can find the Pipal analysis of the LinkedIn dump here.  Happy Cracking!


Tuesday, May 24 2011

%27 + sqlmap = a newspaper

By newspaper, I mean the entire newspaper, not just a free issue!

NOTE: I disclosed to the owner of the site.  Within 1 hour, he had a developer working with me to close the hole.  Even though I called them at the end of a long day, they worked into the night to have this closed within 12 hours of me reporting it.  There was none of the all too common vendor downplaying of the issue or telling you that you are wrong and how dare you report this.  The Sun-Sentinel was very respectful and showed a real willingness to understand the full issue and resolve it ASAP.


So I was reading my local newspaper, http://www.sun-sentinel.com/ and I saw an article about the recent mugshots.

One of the mugshots looked like a girl I went to High School with.  It wasn't her but I did see something interesting.

A URL that ends in .php?id=####. Those who received a hackmiami.org sticker will notice a large %27 on it.  That is the URL encoding of a single quote (').

Placing one in front of the equal sign resulted in an error page that will make even the n00b of n00bs smile.

Wow... not only is there a SQL error message, it shows the full SQL statement, the kind you usually only see in a demo of how to SQL inject.  With this information, even a novice attacker could craft SQL statements to pass to the underlying database backend.
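An added example, not code from the post or from the newspaper's site, that reproduces the .php?id= bug class against an in-memory SQLite table and shows the parameterised fix beside it. The table and its rows are constructed.

```python
"""Added example (not from the original post): the .php?id=#### bug class
reproduced against an in-memory SQLite table, then the parameterised fix.
Table contents are constructed; no real site or data is involved."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE mugshots (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO mugshots VALUES (?, ?)",
                 [(1, "sample one"), (2, "sample two")])

def lookup_vulnerable(id_param):
    """Builds the query by string concatenation, like the PHP page in the
    post. A single quote (%27 on the wire) lands inside the SQL, and the
    database error, with the full statement, is what the page echoed."""
    sql = "SELECT name FROM mugshots WHERE id = '" + id_param + "'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as err:
        # A production page must never send this text to the client.
        return ("error", f"{err} in: {sql}")

def lookup_fixed(id_param):
    """Parameterised query: the driver sends the value separately, so a
    quote is just data and can never change the statement's structure.
    Because ids are numeric, anything non-numeric is rejected up front."""
    if not id_param.isdigit():
        return ("rejected", [])
    rows = conn.execute("SELECT name FROM mugshots WHERE id = ?",
                        (int(id_param),)).fetchall()
    return ("ok", rows)

if __name__ == "__main__":
    print(lookup_vulnerable("1"))
    print(lookup_vulnerable("1'"))   # syntax error leaks the statement
    print(lookup_fixed("1'"))        # rejected, nothing leaks
    print(lookup_fixed("2"))
```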

I will never forget the day Alex showed me sqlmap.  I remember saying, "Wow sqlmap makes the biggest n00b into 1337."  Alex responded, "You are still a n00b but now you are a n00b with the database."

sqlmap is an awesome tool that will automate extracting information from a backend database.  Just point it to the injection point and it can dump table names, password hashes, or even full tables.

You can find it at http://sqlmap.sourceforge.net or in your local security distro (BackTrack 5).

Firing up BackTrack 5, I launch sqlmap.

Looks like we are using Apache, PHP 5.2.8 running a MySQL 5.0 backend.

Pulling the banner gave us additional information.

The current user is root and that account is a DBA!

sqlmap has some great features including the ability to upload a payload such as Metasploit's meterpreter or a web shell.  sqlmap supports all the usual flavors including asp, aspx, php or jsp.

Yes, I aborted.  I am NOT uploading a backdoor shell to this site.  I may be crazy, but I am not INSANE!

@d1sc0rd1an has an awesome GPU setup.  Like most hackers who love password cracking, he doesn't care where the password came from, or even what it unlocks.

He only loves to feed his beast delicious hashes.  I dumped the hashes from the database to feed his system.

I sent him the list (knowing they were simple unsalted hashes) and he sent back a screenshot and a note.  The note said, "I am not going to use my rainbow table for this.  I am going to brute force this for fun."


When I called the newspaper to report the findings, I provided the "proof of life" that I had the root password.  Jokingly he replied, at least it wasn't "password" or as weak as the guy from Gawker!

So lessons learned:

%27 everywhere

sqlmap is a tool that everyone should look at.  You may not be a SQL injection master, but a n00b with unsalted hashes is just as dangerous.

Do the right thing when you find a vulnerability and let the business owner know.  You wouldn't like it if your site was hacked.  Karma... it is more than just a wifi tool! (but that is another post!)