Password Cracking with Rainbow Tables

Korhan Bircan
April 23rd, 2008

Introduction to Computer System Security


Password Cracking with Rainbow Tables 2

Outline
• Introduction
• Secure passwords
• Demo
• Hellman’s original method
• Rainbow tables
• Cracking Windows Passwords
• Password crackers
• Protection mechanisms
• Conclusion

Password Cracking with Rainbow Tables 3

Introduction

• How passwords are stored
• Where passwords are stored
  • Windows: C:\WINDOWS\system32\config\SAM
  • Linux: /etc/passwd
  • MacOS: /var/db/shadow/hash/
• Shadow passwords
  • /etc/shadow only readable by root
  • /etc/passwd file shows a character such as '*' or 'x' instead of the hashed password

Password Cracking with Rainbow Tables 4

Introduction

Password Cracking with Rainbow Tables 5

Introduction

LanManager Hash
• password converted to uppercase, null-padded or truncated to 14B
• password split into two 7B halves, a zero bit is inserted after every 7th bit, the resulting 8B halves are used to create two DES keys
• each of these keys is used to DES-encrypt “KGS!@#$%”, resulting in two 8B ciphertext values
• concatenate the two to get the 16B LM hash

supported by all versions of Windows for backwards compatibility

Password Cracking with Rainbow Tables 6

Introduction

NTLM Hash: challenge-response sequence

• Client sends supported or requested features (eg. encryption key size, mutual authentication etc.)
• Server replies with similar flags plus a random challenge
• Client uses challenge and its credentials to calculate the response

Password Cracking with Rainbow Tables 7

Introduction

Salted hashes: For each password, generate a random number (a nonce). Hash the password with the nonce, and store both the hash and the nonce.

usual approach: hash = md5(“deliciously salty” + password)
• MD5 is broken
• Its modern competitors, like SHA1 and SHA256, are fast, which is a problem.

With 16b hash, there are 2^16 = 65,536 variations to the same password

Speed is exactly what you don’t want in a password hash function. Using raw hash functions to authenticate passwords is as naive as using unsalted hash functions. Don’t.
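The contrast drawn on this slide, as an added example that is not part of the original slides: the fixed-salt MD5 "usual approach" next to a per-password random nonce fed to a deliberately slow function. PBKDF2 from Python's standard library stands in for an adaptive hash; the iteration count, function names and sample password are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster

def fixed_salt_md5(password: str) -> str:
    """The 'usual approach' from the slide: one global salt, one fast hash."""
    return hashlib.md5(b"deliciously salty" + password.encode()).hexdigest()

def new_record(password: str) -> dict:
    """Per-password random nonce plus a slow hash; nonce and hash are both stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored nonce and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    alice, bob = new_record("Summer2008"), new_record("Summer2008")
    # Fixed salt: both rows are identical, so one precomputed table serves all users.
    print(fixed_salt_md5("Summer2008") == fixed_salt_md5("Summer2008"))
    # Random nonce: the rows differ, so nothing can be precomputed per password.
    print(alice["hash"] == bob["hash"])
    print(verify("Summer2008", alice), verify("summer2008", alice))
```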

Password Cracking with Rainbow Tables 8

Introduction

How passwords are cracked
• brute force: online vs offline attack. Given enough time and CPU power password eventually gets cracked
• dictionary: list of words, encrypt them one at a time and check if hashes are equal
• hybrid: dictionary with mutation filters

Password Cracking with Rainbow Tables 9

Secure Passwords

Password Strength
• bit-strength
  • [a-z][A-Z][0-9] and symbols = 95 variations per character = log2(95) ~ 6.6b
  • 8 character password x 6.6b = 53b
• cracking 72b key using current equipment is estimated to take about 1,453 years
• no digital computer is capable of breaking 128b or 256b encryption
• NIST recommends 80b for most secure passwords ~ 12 character random password from 95 character domain

Password Cracking with Rainbow Tables 10

Secure Passwords

A strong Windows password includes characters from at least three of the following groups:

Use pass phrases eg. "I re@lly want to buy 11 Dogs!"

Password Cracking with Rainbow Tables 11

Secure Passwords

• Use >14 characters
  • it is the limit that DOS network boot disks, Microsoft Remote Installation Services (RIS) Pre eXecutable Environment (PXE) boot disks, and older LAN Manager clients (Win9x) utilize
• Use Alt characters eg. Alt+0709 = Å
• Change passwords often

Password Cracking with Rainbow Tables 12

Secure Passwords

Intel Pentium M 1.60GHz, 512MB RAM

algorithm: hash/sec
• LM: 1,300,728
• NTLM: 2,623,294
• SHA1: 924,898
• MD5: 3,401,360

Password Cracking with Rainbow Tables 13

Secure Passwords

key space, N, plain dictionary attack

• 26 chars, passwd length <= 7: $N = \sum_{i=1}^{7} 26^i = 835.3\,\mathrm{M}$
  SHA1 15.1 min, MD5 4.1 min, NTLM 5.3 min, LM 10.7 min

• 36 chars, passwd length <= 7: $N = \sum_{i=1}^{7} 36^i = 80.6\,\mathrm{G}$
  SHA1 1.0 day, MD5 6.6 hr, NTLM 8.5 hr, LM 17.2 hr

• 256 chars, passwd length <= 7: $N = \sum_{i=1}^{7} 256^i = 7.2 \times 10^{7}\,\mathrm{G} = 72\,\mathrm{P}$
  SHA1 2468.5 years, MD5 671.2 years, NTLM 870.3 years, LM 1755.3 years

• 26 chars, passwd length <= 14: $N = \sum_{i=1}^{14} 26^i = 6.7 \times 10^{10}\,\mathrm{G} = 67\,\mathrm{E}$
  SHA1 2,297,070.7 years, MD5 624,619.6 years, NTLM 809,881.0 years, LM 1,633,359.2 years

Password Cracking with Rainbow Tables 14

Secure Passwords

secpol.msc

Password Cracking with Rainbow Tables 15

Secure Passwords

Don’t:
• use personal information
• use any word in any language spelled forward or backward
• tie passwords to the month
• create new passwords that are substantially similar to ones you've previously used
• use the same password for different systems

Password Cracking with Rainbow Tables 16

Secure Passwords

Disable LM Hash

Password Cracking with Rainbow Tables 17

Demo Setup

• Create guest account for each student
• Passwords need to be alphanumeric and <15 characters long
• Crack them!

Password Cracking with Rainbow Tables 18

Classical Tables

1980 Martin Hellman: N keys, $N^{2/3}$ operations & memory
• ciphertexts are organised in chains, only first and last element stored
• k: key, S: cipher, C: ciphertext, P: plaintext, R: reduction function

= and generates a key from another key to form a chain:

m chains of length t are created, first and last elements are stored in a table.

Password Cracking with Rainbow Tables 19

Classical Tables

• To find a key, generate a chain of keys starting with R(C) and up to length t
• If C was indeed obtained with a key used while creating the table then we will eventually generate the key that matches the last key of the corresponding chain
• Using the first key of the chain, whole chain is regenerated
• The key right before R(C) is the key we are looking for

Password Cracking with Rainbow Tables 20

Classical Tables

There is a chance that chains starting at different keys collide and merge

Probability of finding a key, m rows and t keys:

Probability of finding a key, l tables with different reduction functions:

Password Cracking with Rainbow Tables 21

Classical Tables

False alarms:
• key may be a part of a chain which has the same endpoint but is not in the table
• key is in a chain that is part of the table but which merges with other chains of the table

Merges correspond to same endpoint, detected during sort. They are replaced with new chains

Password Cracking with Rainbow Tables 22

Bounds and Parameters

Memory: $M = m \times l \times m_0$

Time: $T = t \times l \times t_0$

• M: bounds on memory
• T: cryptanalysis time
• m: number of chains per table
• l: number of tables
• $m_0$: starting point + end point = 8B
• t: average chain length
• $t_0$: time to encrypt a plaintext

Password Cracking with Rainbow Tables 23

Bounds and Parameters

Winrtgen Benchmarks:

Password Cracking with Rainbow Tables 24

Rainbow Tables

A rainbow table is a compact representation of related plaintext password chains

Password Cracking with Rainbow Tables 25

Rainbow Tables

Recovering a password

Password Cracking with Rainbow Tables 26

Rainbow Tables

Probability of success in an m x t size table:
• start with m1 = m distinct keys in the first column
• in the second column the m1 keys are randomly distributed over the key space of size N, generating m2 keys:

each column i has mi distinct keys. Success rate of table:

Password Cracking with Rainbow Tables 27

Rainbow Tables

Advantages over classical tables:
• t(t-1)/2 look-ups as opposed to t^2
• merges result in identical endpoints and are thus detectable
• no loops since each reduction function appears once
• constant length rainbow chains

Password Cracking with Rainbow Tables 28

Rainbow Tables

Advantages over classical tables:
• When two chains collide in a single table they merge
• Instead use successive reduction functions 1 to t
• If two chains can collide they merge iff collision appears at the same position in both chains (probability is 1/t)
• If key is found early, gain can be up to a factor of t because while the rainbow table is searched, the amount of calculation increases quadratically to (t^2-1)/2 whereas in classical tables it increases linearly to t^2.
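The chain construction and look-up from the classical-table slides, combined with the successive reduction functions 1 to t described above, as an added toy example (not code from the slides or from any of the tools they name). The 3-letter lowercase key space, MD5, the chain length and the names H, R, walk, build_table and lookup are assumptions; the last check shows why a salt makes the stored table useless.

```python
import hashlib
from itertools import product

CHARSET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3                      # assumed toy key space: N = 26**3 = 17,576
N = len(CHARSET) ** LENGTH
T = 50                          # chain length t (assumed)

def H(plain: str) -> bytes:
    """Hash being inverted; unsalted MD5 stands in for any fast hash."""
    return hashlib.md5(plain.encode()).digest()

def R(digest: bytes, column: int) -> str:
    """Reduction function for one column: maps a hash back into the key space."""
    n = (int.from_bytes(digest[:8], "big") + column) % N
    out = ""
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        out += CHARSET[r]
    return out

def walk(key: str, first: int, last: int) -> str:
    """Advance a chain: apply R_c(H(key)) for columns first .. last-1."""
    for c in range(first, last):
        key = R(H(key), c)
    return key

def build_table(starts):
    """Store only endpoint -> start; a chain that merges (same endpoint) is dropped."""
    table = {}
    for s in starts:
        table.setdefault(walk(s, 0, T), s)
    return table

def lookup(table, target: bytes):
    """Guess the column the key sits in, rebuild the endpoint, then verify."""
    for col in range(T - 1, -1, -1):
        end = walk(R(target, col), col + 1, T)
        if end in table:
            cand = walk(table[end], 0, col)   # regenerate the chain from its start
            if H(cand) == target:             # anything else is a false alarm
                return cand
    return None

STARTS = ["".join(p) for p in product(CHARSET, repeat=LENGTH)][::16]
TABLE = build_table(STARTS)

if __name__ == "__main__":
    victim = walk(STARTS[0], 0, 10)           # a key covered by the first chain
    print(len(TABLE), "stored chains for a key space of", N)
    print(lookup(TABLE, H(victim)) == victim, lookup(TABLE, H("x9" + victim)))
```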

Password Cracking with Rainbow Tables 29

Rainbow Tables: Parameter Optimization

• charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ]: keyspace 8353082582, table size 610 MB, success probability 0.9990

• charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]: keyspace 80603140212, table size 3 GB, success probability 0.9904

• charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= ]: keyspace 915358891407 (2^39.7), table size 24 GB, success probability 0.99909

• charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]: keyspace 7555858447479 (2^42.8), table size 64 GB, success probability 0.999

Last table would take 41.3 years to generate on my laptop.

Password Cracking with Rainbow Tables 30

Rainbow Tables: Parameter Optimization

• hash: lm
• charset: alpha[numeric]
• len_min: 1
• len_max: 7
• table index: 0:4
• len_chain: 2100
• num_chains: 8000000,40000000

Password Cracking with Rainbow Tables 31

Password Crackers: RainbowCrack

extract password hashes using pwdump or fgdump

Password Cracking with Rainbow Tables 32

Password Crackers: RainbowCrack

create rainbow tables

sort the tables

Password Cracking with Rainbow Tables 33

Password Crackers: RainbowCrack

Run the cracker

Password Cracking with Rainbow Tables 34

Password Crackers: Cain&Abel

Go to “Cracker”, right click to import hashes from pwdump file

Password Cracking with Rainbow Tables 35

Password Crackers: Ophcrack

Password Cracking with Rainbow Tables 36

Password Crackers: Ophcrack

Live CD: dumps the hashes from the SAM and SYSTEM files and you don’t need to be admin

Password Cracking with Rainbow Tables 37

Limitations of Rainbow Tables

• table generation takes a long time
• false alarms occur often
• simple salting algorithm nullifies rainbow tables

Password Cracking with Rainbow Tables 38

Protection Mechanisms

• Limiting physical access
• Continue to force the use of special characters
• Keep up with updates
• Use Multi-factor authentication
• salted hashes
• Use NTLM
• Use secure passwords

Password Cracking with Rainbow Tables 39

Protection Mechanisms

Use state of the art password schemes
• Use what your operating system gives you (eg. PHK’s FreeBSD MD5)
• Stanford Secure Remote Password
• Adaptive hashing: bcrypt
  • uses pessimized Blowfish

Password Cracking with Rainbow Tables 40

Conclusion

• Rainbow tables reduce the number of table look-ups by length of chains
• Computations reduced by 2, average case performance even greater
• Some cryptographic systems believed to be secure when implemented can be cracked by anyone today
• Be smart about choosing passwords and storing them

Password Cracking with Rainbow Tables 41

References
• “Making a Faster Cryptanalytic Time-Memory Trade-Off”, Philippe Oechslin, CRYPTO 2003: pp617–630
• “Top 10 Password Crackers”, http://sectools.org/crackers.html
• “Cain&Abel”, http://www.oxid.it/cain.html
• “PWDump”, http://www.foofus.net/fizzgig/pwdump/
• “RainbowCrack”, http://www.antsight.com/zsl/rainbowcrack/
• “Ophcrack”, http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
• “Winrtgen”, http://www.oxid.it/projects.html
• “Hacking dei Sistemi: Password”, Cardinale, Giacchetti, Giovannetti
• “Mac OS X password hashes”, http://www.macshadows.com/kb/index.php?title=Mac_OS_X_password_hashes
• “Shadow Password”, http://en.wikipedia.org/wiki/Shadow_password
• “Password Cracking”, http://en.wikipedia.org/wiki/Password_cracking
• “Selecting Secure Passwords”, http://www.microsoft.com/smallbusiness/support/articles/select_sec_passwords.mspx