Research Assignment: notes on Password Discovery Tools

Posted on September 23rd, 2014

Password Discovery Hardware

Now that we’ve thought about a password improvement program it’s time to start gathering the tools and skills necessary to perform the work. We'll need a system on which to perform our analysis. Our goal is to provide insight into some real-world attacks on our own password infrastructure, so as much as I'd love to build a $20,000 rig for working on this, the reality is that is neither required nor does it add much for our stated objectives. One of the best (IMHO) analyses I have performed was to point out how many passwords could be discovered using a single core on an Intel i7 processor. However, I would recommend at least a decent desktop-class workstation with a modern processor sporting four cores, 16GB of RAM, and a few terabytes of storage. You can absolutely perform some decent analysis without a GPU, but it is more fun with one, so grab a good video card in the $180 range at minimum. If you are building, make sure to have a free PCIe slot or two so you can add video cards later, should you desire more power.

Okay, you’re not going to use an old 3dFX card, but damn, weren’t they great?



Password Discovery Tools
There are a number of password discovery tools out there, and you've probably heard of them. The ones I used are the following (in order of preference and value)

Hashcat
Hashcat (and oclHashcat) is possibly the most well-known and arguably the best performing password discovery tool available. Once, this was split into a number of different tools, but the authors have (thankfully) merged everything back into a few packages. The primary ones are hashcat, which is CPU-based, and oclHashcat, which has support for AMD and Nvidia GPUs. Hashcat supports a huge number of hash algorithms and is adding to this list all the time.
This power and flexibility comes at the cost of it being pretty complex to work with the first couple times. There are a number of attack modes, from masked (brute force++), combinator, rule-based character replacement and substitution, dictionary, and mixtures of the foregoing. Read the documentation, review the supplied examples, play with some commands, read the documentation again, and then go through the sample rule files.

0phcrack
0phcrack is a cracker for Windows passwords based on rainbow tables. It is compiled for Windows NTLM and LANMAN hashes, has source for Linux and many distributions (such as Ubuntu) have a package for it. They offer some tables for free download, and other, more complete tables are available for purchase. If you are only performing discovery against Windows systems, this is probably the easiest and fastest way to get up and running. Since it relies on pre-generated tables, this tool relies on fast CPU for lookups and a lot of RAM for storing the tables.

John the Ripper (JtR)
I wish that I had copious amounts of time to devote to research projects like this, so I could really delve into all the nuanced rulesets and masks for oclHashcat and JtR. Unfortunately, whenever I start to really delve into arcania such as that, I am invariably pulled away by another responsibility and by the time I get back to the research, I have forgotten what little progress I made. Such is my experience with the more advanced features of JtR. Fortunately, your research and review of the Hashcat documentation will not go unrewarded here. The rule syntax is the same, with the exception that Hashcat has implemented some features that John does not support.
I use JtR for two primary purposes:
  1. The obvious: JtR is a very solid password discovery tool supporting a larger number of algorithms and a rich ruleset language.
  2. More and more often, however, I find myself using John as a way to quickly generate a good word list from a shorter dictionary. I am probably doing something stupid here, but I like to run John with rules against a a short wordlist consisting of lower-case words, generating a list of those words with various permutations, depending on the rule(s) I chose. Then, I drop that into Hashcat in a hybrid-style attack.

Project Rainbow Crack
I am listing the Rainbow Crack Project last because I have not really had a chance to use it. This is a set of tools for creating and using rainbow tables to attack passwords. Rainbow tables essentially trade up-front time and storage space for a quicker attack time at a later date. Generating your own tables, can take a long time, especially if your system is regularly used for other tasks. This technique makes for some fascinating reading and I highly recommend it. As the math becomes pretty complex, I recommend going to the site, reading enough to get the table generation started, and then sitting back with some strong coffee and reading all you can about the technique and process.

Cryptohaze
Cryptohaze is a cross-platform password discovery tool with support for GPU and OpenCL acceleration, as well as support for rainbow tables. The have focused on Nvidia cards, and since all my current systems are ATI, I have not had a chance to demo this tool. However, they do have links to some very large rainbow tables via torrent, which -if available- could be a nice addition to our toolkit. (note to self to add a good system with Nvidia cards to next year’s lab budget).

Wordlists
We could just load the system up with a lot of expensive GPUs and set it loose against encrypted passwords and see what happens. There is no doubt we’d discover some passwords, and -depending on the company’s existing password complexity policies- maybe even a decent percentage of them. However, using only brute force is going to test a lot of passwords that nobody would ever use, and by the time we are forcing complex 10-character passwords the effort is too costly. However, people want to create passwords they can actually remember, that means passwords based on real words, and passwords based on real words means we have a starting point: dictionaries and wordlists. Therefore, we want to use a wordlist based on common words, such as a language dictionary, proper nouns, and common slang or abbreviations.


Password Hashsets
Now that we have tools, we need some practice material! Adeptus-mechanicus has a great archive of hashsets from previous public password dumps, as well as analysis performed upon some of their own auditing of those leaked passwords. Another source of test material: the Password Project maintains a number of leaked password sets.
Grabbing a few of these is a great way to hone our skills with the above tools, play around to gain experience with the various tools, and discover what works best for us.

Put the above together and start learning how to use the various tools I’ve listed. Working through a couple hashsets will give you a good feel for the time and effort involved in preparing and executing your password discovery run. If you come up with some good techniques or a workflow that works very well, please post in the comments!


References
A roundup of references and materials I either used to write this post, came across while researching this topic, or will use in subsequent postings:




Reading and thoughts on creating a program to increase Password Strength

Posted on September 12th, 2014

I still don't like passwords. However, the simple username/password authentication method continues to be a reality for most information security professionals, so I can't just ignore them, even though that's exactly what I want to do. Since the previous post linked above, I have continued to work toward some password (in)security understanding for myself, and for my fellow employees. With many different responsibilities, as well as working in this area having something of an uneasiness factor to it, progress has been slow. In the meantime, this post is basically a dump of some thoughts and research I've been doing:

Communication and Process
As I mentioned above, performing research and analysis in this area tends to make some people really uneasy. This is because, believe it or not, most people think their passwords are secure. I know, mind blown, right? Non-security professionals just do not understand how easy it is to discover in-use passwords. When they hear about breaches, such as Home Depot or the LinkedIn password leak, there simply isn't an understanding of how the cleartext data is actually obtained. And, as with all things, with ignorance comes distrust and fear. What this means for the researcher/analyst, is that, as with all things security-related, communication with the organization is key. Good communication with management, the legal team, and co-workers should be priority #1 as one begins this process. After all, the goal is stronger passwords and that will only happen as more people have some understanding of the inherent risks.

Words Matter
I'm not a fan of the "A" word, however, in this context, it makes a lot of sense. Auditors and the audit process are familiar business terms. Employees may not know exactly what goes on in an audit (be it financial-related, ISO testing, reviewing inventory levels, etc.) but the term is familiar and not (too) scary. In fact, the one aspect of auditing that is scary to most people is that it means more work for them. If you say that you are performing the audit, that creates an immediate "phew, no burden on me" feeling in the listener, making them much more pre-disposed to the whole process.

Have a written plan
This is something I will go into in one or more followup posts. Having a written plan at which you can point and say, "here are the parameters of my testing" will go a long way to provide the impression that you are a professional performing a job. Remember, the perception most people have of password cracking auditing is that of either bored teenagers causing mayhem or Russian cyber-criminals stealing money from bank accounts. The more your efforts look like the work by a firm such as Deloitte, the more comfortable others will be concerning your work.


Scope your work
Experimenting with password analysis can be fun, intellectually challenging, impart new skills,and reinforce old ones. I’d be surprised if anyone first working with these techniques didn’t spend an inordinate amount of time chasing a particular ruleset, going down a rathole in optimization, or just sit there reviewing the discovered passwords. This will happen, and far from being a problem, this is what you should do! However, the end goal is to build out a documented and repeatable process for this activity.
The purpose of scoping the work is to
  • Identify the passwords that will be analyzed,
  • anticipate any questions and concerns that may be raised by others,
  • describe the tools and procedures used to perform the analysis,
  • specify the amount of time that will be used for analyzing the passwords, and
  • craft the analysis in such a way that it highlights the risks posed by weak passwords and indicates a way toward stronger passwords


That is the end of this post. This series will be a progression from thinking out loud to actually performing password analysis with the intent to improve the strength of a set group of passwords; with the result (hopefully) of increasing both the actual security and the awareness of security within the enterprise, organization, or service. Next up will be a roundup of tools and peripherals for performing password analysis.





Resizing the Guest OS drive in a VirtualBox Machine

Posted on August 19th, 2014

Pre-made Linux distributions are great, especially when they come pre-packaged with a certain configuration or application so you do not have to waste an inordinate amount of time installing all the things. However, when they prove really useful, they are often pre-provisioned with too little resources. Most of these are easy to change, such as CPU and memory. However, if everything lives on the system partition and it was only created to be 20GB, then you are likely to run into an issue.

Resizing the guest OS system drive under VirtualBox is not a trivial task, especially if the source system used a VMDK-formatted virtual disk. In this post, I will show how to convert the guest system drive from VMDK to VDI and then expand that VDI so that it can accommodate your storage needs.
Note: This guide assumes a Linux guest in a Linux Host with VirtualBox. If you have a different configuration, adjust accordingly.)

Warning: Following this guide will create a copy that completely replaces the original version.

Creating a copy of your VM
  1. Create a copy of the VMDK disk using the VirtualBox VirtualMedia Manager tool.
    VBoxManage clonehd /tmp/NewVM-HD.vdi --format VDI --variant Standard
    (The output file, NewVM-HD.vdi above, can be named anything, but it's best to name the new virtual drive to something meaningful)
  2. Copy the new file to /tmp
  3. Remove the original VM and all its files from VirtualBox by right-clicking on the original VM and choosing 'Remove'.


  4. Modify the size to something large. I chose approximately a terabyte, since I will be using a dynamic disk
    VBoxManage modifyhd /tmp/FreeEed-01.vdi --resize 1260480
  5. Open the VirtualBox manager and create a new VM with the same OS type and architecture as the old one.
  6. When asked about creating a hard drive, choose the option "Do not create a virtual hard drive".


  7. This will create a new folder in your ~/VirtualBox VMs/ directory based on what you named the new VM. Copy the resized virtual disk sitting in /tmp into the new directory.
  8. Open the settings for the new VM in VirtualBox Manager.
  9. Under Storage, look at the Controller:SATA. Click the little icon for adding a new hard disk.


Resizing the system partition in the guest OS
You now have a working copy of the original, but running on a VDI-formatted virtual drive that can expand up to a terabyte in size. However, the guest OS will not see the additional space until the partition has been resized.

To modify the size of the original, system partition, you will need to boot a different operation system because you cannot extend the partition of a currently running operating system. Not really a big deal, just choose a Linux LiveCD from among the plethora available, and you should be fine. Make note of your guest's archiecture, 32-bit or 64-bit, and choose the same for the LiveCD. I chose a Kali Linux distribution, but anything should work.

  1. Go back into the Storage settings for the VM in VirtualBox Manager.
  2. “Insert" the LiveCD into the virtual CD drive. If you do not have a CD drive, add one.


  3. Make sure the CD is set above the virtual hard drive in the boot order


  4. Start the system to the Live distribution
  5. Start Gparted, the disk partitioning program in your LiveCD (you can see the Kali background in the screenshot below. Your current partition scheme may look a bit different than this one, but it is likely similar.

    Note that there is the default 28GB ext4 partition at /dev/sda1, then there is an extended partition for the swap space.

  6. The swap space is “blocking" our ability to extend the system partition. In order to extend /dev/sda1, we need to first remove the extended and swap partitions, resize /dev/sda1 to most of the disk, and then re-add the swap space at the end.

    In this screenshot, I have performed 4 separate operations that are waiting for me to click apply (the green check mark at the top)
    1. Delete the logical swap partition,
    2. Delete the extended /dev/sda2 partition,
    3. Extend (“Grow") the system partition, /dev/sda1, and
    4. Create a new swap partition, which I made a primary, since I saw no reason to make it extended
  7. Now, you apply the changes and everything should complete after a few seconds:
  8. Shutdown the VM
  9. Edit the VM settings and remove the LiveCD you inserted earlier.
  10. Restart the VM.
You should now have a working VM with a LOT more storage. This may not be the most elegant solution, but it seems pretty foolproof, even if you need to jump through a number of steps.

Automater, the incident Responder's Swiss Army Knife

Posted on August 15th, 2014

When you begin looking into a new case or researching some suspicious activity, what are the first three or five things you do? I'd be willing to bet that, depending on your specific role and what you know, those first few things are the same for every single investigation.
I recently came across a new(ish) tool called Automater. This tool received a massive rewrite from a monolithic script to a collection of multiple files, allowing for end-user extensibility without having to understand and modify the code.
step 1: Grab the code and give it a test run
Automater handles multiple IOC (Indicator of Compromise) types: IP addresses, domain names, and MD5 hash sums. Automater is smart enough to identify which type you want (well, they’re not particularly similar!) so you can simply specify the IoC on the command line and hit enter. To test it, go pull up some information from an old investigation and execute:
./Automater.py
and/or
./Automater.py
and take a look at the results. Magic, right? So, how does Automater do this?
step 2: Sites.xml
The real power of the rewrite comes from the newly introduced sites.xml file. This is essentially an xml-formatted config file which informs Automater all about the intelligence resources available for the IOC type that was specified in the command line. Inside the sites.xml file is a listing of all the available sites with information we may want to collect. These sites are then broken down by the query types they accept, since one site may contain a wealth of information regarding domain names, but have absolutely nothing regarding md5 sums of files, it only makes sense to look there if the information may be relevant.
Out of the box, Automater provides the following sources in its sites.xml:
  • robtex
  • Fortinet URL classifications
  • VirusTotal
  • IPvoid
  • Threatexpert
  • VXvault
  • unshort.me
  • URLvoid
  • malc0de
Maybe there is an external or even internal source of information you rely upon that is not included. Adding functionality is not difficult at all. In fact, the authors provide a good mini-tutorial on adding a new site to your configuration file.
step 3: Adding a new information source
Looking at their site, Network Solutions doesn’t only offer IP lookups, they -being a registrar- have a wealth of whois information relating to domain names. In determining whether or not a particular domain is interesting, I find it helpful to know characteristics, such as the registrar, when the domain was originally registered, and last updated. These can be helpful for that gut-check analysis
     
          hostname
     
     
          [+] WHOIS from Network Solutions
          [+] WHOIS from Network Solutions
          [+] WHOIS from Network Solutions
     
     
          netsol_whois
          netsol_whois
          netsol_whois
     
     
          Registrar\:\s+.{0,40}
          Creation Date\:\s+.{0,30}
          Updated Date\:\s+.{1,30}
     
     
http://www.networksolutions.com/whois/results.jsp?domain=%TARGET%
     
          Results
          Results
          Results
     
step 4: Add something new
Now that you’ve got your feet wet with Automater, I’d love to hear about ways Obviously, I am a big fan of this tool, even though I’ve only been using it for a few weeks.. It quickly provides a good bit of information that used to require multiple queries via command line or page loads. Now, if I want to make a gut-check of something, I have Automater perform some quick lookups for me and can make a snap decision on whether I can ignore, save for later, or drop everything else I happen to be doing.
Edit: I don’t know why I call this thing ‘Automator’. The authors named it Automater, and I have edited this to reflect that.

Lab: Hardening a Windows 7 system

Posted on October 13th, 2013

For this lab, prepare a Windows 7 image for your incident responders to log into, review, and make modifications. Get as creative as you like; I performed the following changes to my test system listed below and provided the following instructions.

  • Installed Software:
    • Cain & Abel
    • 7-zip
    • IIS: FTP & Web
    • Telnet server
    • TightVNC 1.3
    • open office
    • adobe reader
  • User accounts
    • added Argus, Joker, and Helper, all with Administrator access and weak passwords
    • added 'LocalUser' with a description that it should only have the ability to log on locally
  • Settings and Features
    • Disabled the local firewall
    • Turned off all Action Center notifications
    • Turned off automatic updates
    • Removed VNC icon notifications from the taskbar
    • Enabled LocalUser to be able to access the system
    • Created a network share for wwwroot with Everyone: Read/Write
  • Other Actions
    • Visited a few websites requiring passwords & told IE to remember so Cain can find them
    • Removed Cain from the start menu
    • Removed VNC from the start menu
    • Added a number of documents and PDFs as "working docs" in the primary user's Documents folder, one of which is weaponized using Metasploit.
    • Added some copyright-free pdf files in the ftproot directory as something to find on the system
    • Setup WinVNC to start via Scheduled Task 5min after boot.

Instructions

Pursuant to an intrusion investigation into your book publishing company, you identified a system on the network exhibiting a large amount of network traffic with external hosts. The system has been quarantined and your tier 1 responders have created a forensic image of the system and virtualized it so you can perform some analysis.

Basic information concerning expected system configuration, corporate network environment, and known incidents:

  1. Argus is the approved local user and his password is currently ________ (provide them with the password)
  2. This is a standard employee's system meant to perform regular user functions such as web browsing, reviewing PDFs, and editing documents.
  3. The company makes heavy use of open source programs to create content.
  4. The company publishes eBooks in the form of DRM-free PDF files.
  5. The company uses an account 'LocalUser' that should only be able to logon locally. This is for 'kiosk' and troubleshooting mode.
  6. Desktop users are allowed to logon to the system remotely so they can work from home.
  7. Remote logins must use Windows credentials.
  8. The adversary is known to harvest user credentials using readily-available tools.
  9. The adversary is interested in obtaining early copies of finished eBook products.
Your job is to identify potential issues with the system, identify any potential loss of corporate information and product, find evidence of adversarial behavior, and mitigate or remediate these issues, and then record them for discussion with the team during your upcoming meeting.


Using F-prot for Linux

Posted on September 19th, 2013

I'm not going to debate the threat of viruses on Linux, however, if you are like me and often use Linux to perform forensic and malware analysis on drives and data from Windows and MacOSX systems, then you probably want to run that data through an A/V scanner or two for some quick, automated analysis.

  1. Download the F-prot for Linux Workstation tarball
  2. extract it to /opt or wherever you like to store programs
  3. run the install script install-f-prot.pl
  4. answer no to the wrapper script (we only need to do command-line scanning, so this is unnecessary)
  5. allow the links and man pages to be created
  6. allow the cron update to enable hourly definition updates

and that's it! The script will find a trial license key and finish by downloading the current definitions.

To use your new f-prot scanner, mount a Windows image and run something like

$ fpscan --report --adware --applications /path/to/windows_image

This will report (--report) on malicious files, scan errors, installed adware (--adware) and suspicious applications (--applications) in image mounted at /path/to/windows_image. Check out the extensive help file to tweak the command line options you use.


Research One: Foundational Internet Technologies

Posted on September 16th, 2013

Research One: Foundational Internet Technologies

Understanding the foundations of the Intnernet

TCP/IP

Understand and be able to describe the "layers" of networking in terms of the OSI model. Which layers are pertinent to TCP/IP?

Know how the difference between a network prefix and host identifier

Know what subnet masks are and how they are used.

Know what network ports are and their purpose.

Know commonly used network ports and the applications associated with them.

DNS

Know the primary DNS record types.

Know the functions of DNS server types (e.g. forwarding, caching, resolver)

Be able to describe how an endpoint translates a name into an IP address.

List three ways DNS can be leveraged by an attacker.

Lab: Configure a BIND DNS server to act as a caching forwarder and use the resolvers at OpenDNS to perform name resolution.

DHCP

Describe how an endpoint obtains an IP address via DHCP.

List three ways DHCP can be leveraged by an attacker.

Putting it together

Explain what has to happen from the time you plug your computer into the corporate network to viewing a webpage like cnn.com.

SSH

Is SSH a secure protocol? Why or why not?

Now what SSH forwarding is used for.

Describe how SSH key authentication works.

List three ways SSH can be leveraged by an attacker.


Training Incident Responders Overview

Posted on September 12th, 2013

If your results from conducting exercise zero were anything like mine, it is likely that you have a group of people with a disparate knowledge base and wide-ranging skillsets. That is great, and exactly what you want! However, I believe that there are cerrain foundational technologies that everone wneeds to know. I dont't care if every single person on your team has an MCSE, JNE, CCIP, CEH, CISSP, and JD. In my career, I have come across more people with a combination of these certifications and still cannot tell me the fundamental difference between a hub and a switch or how a computer translates a hostname into an IP address.

Because of this, it is important that everyone is speaking the same language when it comes to those foundational Internet technologies, such as DNS and TCP/IP.

After my initial analysis and thoughts on the matter, I came up with a high-level syllabus for training the new incident responder. It looks like this:

High-level Incident Response training

  1. Networking Fundamentals

    • TCP/IP
    • DNS
    • DHCP
    • HTTP
    • SSH
  2. Operating System Fundamentals

    • Windows
    • Mac
    • UNIX
  3. Email
  4. Threats and Vulnerabilities
  5. The Incident Response Process
  6. Network monitoring and analysis
  7. Compromised host analysis
  8. Common attack techniques
  9. Anomaly identification
  10. Threat modeling

This will result in a set of training, self-guided research, modules, exercises, and labs to teach and provide some experience in each of the sections.



Kevin Neely

Interests changing daily. Work includes Risk, Security Analysis, Intelligence Legoification, Threat Landscaping, Response Ninjutsu, and other buzzzzwordy adjectival phrases.