RE: Whitespace in passwords

From: Craig Wright (cwright@bdosyd.com.au)
Date: Mon Sep 19 2005 - 20:47:38 EDT


Hi

I assume you have not checked the latest stats (www.rainbowcrack.com) -
"take more time then I have on this planet" - I am sorry - what cancer?
I had cancer years ago - it is a bugger.

Have a look at the progress tables
http://www.rainbowcrack.com/rainbowtables.php?PHPSESSID=96d8bbd546409f98a6ec9f648da70372

There is NTLM and not just LanMan - even on the areas not completely
cracked, expect this to be a matter of weeks or months to complete, and
even with an incomplete table there is, even with "alpha numeric symbol
14" sets, an 80+% crack rate.

Further, "alpha numeric symbol 5" does not mean the length is 5 chars -
it is still 14 chars in length. It refers to the symbol set, not the
length, just as "alpha numeric symbol 14" again refers to the symbol set
used. (PS: the complete LanMan "alpha numeric symbol 14" is available for
purchase from the researcher on a set of DVDs now and 100% complete -
just wait for the post.) Crack one table and get 1 week's access (or
thereabouts).

My last review of a large US corporate netted me 90% of passphrases (up
to 14 chars) in 30 minutes for 1800 of the 2000 captured users. This
included several domain and enterprise admins. This was using NTLMv2.

IPsec tunnels and Kerberos give about zero (apart from some ignorantly
blank ones on a group policy with 8 char min) and just over zero
respectively.

90 days - if I have 90 days and a 256 char "pass phrase" policy, I will
have your complete list of pass phrases if I can get the hash. The issue
should be protecting access to getting the hash.

The Rainbow crack default tables are up to 14 chars. Any password of up
to 14 chars (with the correct tables)

In the old days we tried to protect the /etc/shadow files etc. The same
applies today - stop access to the source and you will stop anyone
cracking them.

"Any password that is under 10 characters is EASILY recoverable" - make
that: Any password that is under 15 characters is EASILY recoverable (in
seconds); Any password that is under 32 characters is moderately
recoverable; Any password that is under 128 characters is difficult but
still recoverable in 90 days.

Any password that is between 129 and 256 chars (on systems which support
this) is very difficult - but wait....
http://www.ietf.org/rfc/rfc2104.txt

We can still try to negotiate NTLMv2 to force short, i.e. "data_len = 8
bytes", i.e. (cut and pasted from the NTLMv2 negotiations):
"The 16-byte NTLM hash is null-padded to 21 bytes.
This value is split into three 7-byte thirds."

Can we look at 3 separate MD5 "thirds"? Well yes, the MD5 tables just
happen to be available as well. Yes, this makes life a little harder -
like trying to crack 3 pass phrases - but doable.

Craig

PS
Even NTLMv2 does not salt - this makes life very easy for an attacker.

-----Original Message-----
From: Tim [mailto:pand0ra.usa@gmail.com]
Sent: 20 September 2005 5:10
To: pen-test@securityfocus.com
Subject: Re: Whitespace in passwords

Ok, we are now onto Rainbow tables. Sure, they can recover passwords
very quickly BUT they too have a limitation. Currently the Shmoo tables
are focused on LanMan challenge/responses which we all know are WEAK (in
soo many meanings of the word). Rainbow tables take quite a bit of time
to generate, and to go through all of the possible combinations for a
table that is ALL LOWERCASE and 14 characters long regardless of the
algo would take more time than I have on this planet (possibly more time
than all of us combined).

I am soo sorry for using LanMan as an example in my earlier post.
LanMan only goes to 7 characters as that is the foundation of one of
its biggest flaws. Also, keep in mind that there are not too many
programs that accept Alt-ASCII characters so that may not be acceptable.
Bryan Allott posted earlier the biggest point --> passPHRASES <-- Go
back to my earlier post with the math (ignore that I used LanMan as an
example).

The longer the passPHRASE, the exponentially more difficult it becomes to
recover the passPHRASE. Any password that is under 10 characters is
EASILY recoverable within the typical 90 day expiration time. That is
why pushing the users to create easily remembered passPHRASES is much
more effective than some sort of gobbledygook that they will have a hard
time remembering and end up writing down on a Post-it note stuck to
their monitor. One stupid character (regardless of what it is) will NOT
make a significant difference. Do not assume that by throwing in an
Alt-182 character you will make your password 'unbreakable'.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
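As an added illustration of two points raised in this thread, Craig's PS that unsalted hashes make precomputed (rainbow) tables reusable against every user, and Tim's point that the search space grows exponentially with passphrase length, the following Python script is an example written for this page and is not code from either poster. It uses MD5 only as a stand-in for any unsalted digest (the NT hash, MD4 over UTF-16LE, has the same property) and PBKDF2-HMAC-SHA256 from hashlib for the salted case; the wordlist, user names and the 10^9 guesses/second rate are constructed assumptions.

```python
import hashlib
import os

# Constructed sample wordlist; stands in for the input domain of a
# precomputed table (real tables cover a whole symbol set to a given length).
WORDLIST = ["letmein", "Summer2005", "p@ssw0rd", "correct horse battery staple"]


def unsalted_hash(password: str) -> str:
    """Deterministic digest with no salt. MD5 is a stand-in for any unsalted
    scheme: the same password always yields the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from hashlib).
    The salt is stored beside the digest; it need not be secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_lookup_table(words):
    """Precompute digest -> plaintext once. Against unsalted storage this one
    table applies to every user on every system using the same algorithm,
    which is exactly why rainbow tables are worth the up-front cost."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_digests):
    """Match stored digests against the precomputed table (None = no hit)."""
    return {user: table.get(digest) for user, digest in stored_digests.items()}


def keyspace_size(alphabet_size: int, max_length: int) -> int:
    """Number of distinct passwords of length 1..max_length over an alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at the assumed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def demo():
    """Returns (unsalted lookup result, salted lookup result, salts differ?)."""
    table = build_lookup_table(WORDLIST)

    # Unsalted store: alice and carol chose the same password and therefore
    # hold identical digests; one table lookup recovers both. dave's password
    # is not in the wordlist, so the table has nothing for him.
    unsalted_store = {
        "alice": unsalted_hash("letmein"),
        "carol": unsalted_hash("letmein"),
        "dave": unsalted_hash("not-in-any-list-7Qx!"),
    }
    unsalted_result = lookup(table, unsalted_store)

    # Salted store: same password for both users, but each record has its own
    # 16-byte salt, so the digests differ and the precomputed table matches
    # nothing. An attacker would have to recompute the slow KDF per salt.
    salts = {u: os.urandom(16) for u in ("alice", "carol")}
    salted_store = {u: salted_hash("letmein", salts[u]) for u in salts}
    salted_result = lookup(table, salted_store)

    return unsalted_result, salted_result, salted_store["alice"] != salted_store["carol"]


if __name__ == "__main__":
    print(demo())
    # Assumed rate of 1e9 guesses/s; lowercase-only, up to 14 chars.
    print(f"{years_to_exhaust(keyspace_size(26, 14), 1e9):.0f} years for a-z x 1..14")
```

The keyspace figures are the defender's side of Tim's argument: each extra character multiplies the work by the alphabet size, which is why length beats a single odd character. The salt demonstration is the defender's side of Craig's PS: salting does not make any one hash harder to guess, it removes the ability to reuse one precomputation across users, and the slow KDF multiplies the per-guess cost on top of that.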


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:56 EDT