Call it what you want – hacking, cracking, a dump, a data breach, whatever. The fact is that these events are becoming more and more common, and as IT professionals we need to know how to deal with the fallout. There is a great visualization that illustrates this recent trend on informationisbeautiful.net.
Often, one of the results of these breaches are that the public gets some insight into the security protections that a company uses (or lack thereof). In the case of the recent 000Webhost breach, we discovered that passwords for over 13 million of their customers were stored in plaintext; that is to say, with no protection whatsoever.
Also in recent news, users of the Ashley Madison service had a large amount of their information disclosed, including account details and password hashes. The primary protection mechanism for password storage that was in use here is a technology called bcrypt (a very strong password protection mechanism – you can find more details here and here), however due to a legacy function that had numerous flaws (for all of the details, check out this blog post) some user passwords were also simplified and stored as MD5. Due to how MD5 functions, hardware like GPUs and ASICs are able to be used to quickly and efficiently crack the passwords, and in this case they were then able to use information gathered from cracking the MD5 hashes to significantly speed up the attacks on bcrypt-stored passwords.
One of the major problems with password hashes getting dumped is that password reuse is a real problem, and without the use of a password safe (like LastPass, KeePass, 1Password, or more enterprise products such as CyberArk or ERPM) it’s not realistic to think that end users will ever fix this on their own.
There are numerous websites and password managers available where you can check if your password has been a part of a breach, where the companies behind those websites seek out and collect password dumps to perform password cracking on them. Simulating the attacks that malicious individuals use in this way allows them to provide a security monitoring and alerting service to their customers. Many companies with a significant web presence, including Facebook, Twitter, and LinkedIn, will also scour the Internet for dumps and attempt to crack the passwords, then compare the cracked passwords to the information they have stored for your account. If they get a match, they can take steps to protect your account by doing things like expiring your sessions, forcing a password reset on your account, etc.
I recently developed a lab focused on how to perform these password cracking attacks for a local security group called Steel City InfoSec. The lab is available here on my GitHub, and if you aren’t familiar with password cracking, I suggest trying out the Beginner lab. That difficulty level includes additional details about how to complete the lab, including a hints area that contains explanations and commands to run for each the steps of password cracking. There is also a recording of my presentation and my slides available (along with additional information on the Steel City InfoSec message boards) if you are interested in a bit more background.
If you’ve done this sort of thing before and want to experiment with different tools or just download a bunch of word lists, feel free to try out the Intermediate lab. Specifically, take a look at the downloads readme file to get a clean listing of everything that I’ve provided as a part of the lab.
If you have a GPU cracking rig or a cluster of machines at your disposal, and you’ve done this sort of things a few times in the past, take a crack at the competition. It’s important to note that with the competition you will need to be a bit more creative about how you create a word list than just using the dumps that I’ve provided, and GPUs/ASICs will not help you as much as if you were cracking something stored with MD5 or even SHA-256. Also, please note that the competition prizes were for the Steel City InfoSec event is are no longer available.
While working on the lab, if you find anything that isn’t clear or may be incorrect, please feel free to reach out to me directly (via a GitHub issue or pull request) and I can either lend a hand or fix any bugs as appropriate. In addition, I will be available on RMU campus on November 10th in the evening in Hale 304, presenting this material to Dr. Paullet’s class.