
bwall


So recently my buddy and I started poking holes in some password safe systems (like KeePass). I made a blog post about how most of these could easily be defeated by adding a WndProc listener to the clipboard and watching for passwords as they get copied and pasted. That post is here: http://ballastsec.blogspot.com/2012/07/insecurity-in-password-management.html

Not all of the password safe systems use this method, or they have alternative methods as well. So the best way to attack these safes is to crack the safe.

Currently, I have only implemented a safe cracker for Password Safe (http://passwordsafe.sourceforge.net/) after doing a light analysis and then spending a lot of fun time making a dictionary cracker for it. Blog post about it here: http://ballastsec.blogspot.com/2012/07/auditing-of-password-safe-continues.html

You can also find the source code that I've released so far here: https://github.com/bwall/SafeCracker/

And finally, the tarball of the latest version with a nice little Makefile is here: https://github.com/downloads/bwall/SafeCracker/safe-cracker.tar.gz

safe-cracker has currently only been tested in a Linux environment. If you really wanted to compile it on Windows, you would need the pthread library. If I were you, though, I would wait until I finish implementing OpenCL in the cracker, as I will supply a compiled copy for Windows.

What I would like to know is: what other password safe systems would you want audited? I want to add a few to this project and hopefully start pushing development towards cracking more state-of-the-art hashes.


I would say look at things like oclHashCat, check all the hashes and encryption schemes it goes after, and, like the Chinese, build a better car... lol. I mean, they are the de facto programs out there for this sort of stuff when it comes to cracking hashes, but personally I find the GUI for oclHashCat confusing, let alone the CLI end of it, and I don't think it has any functionality to crack password safes like you are doing.

More than anything, though, I think people just want simplicity, and I think if that is the key ingredient of the program, you have a winner, hands down. Especially if GPU-based cracking comes into play, because right now there aren't a whole lot of crackers that both use the GPU and are easy to learn/use. Don't get me wrong, oclHashCat is a great program, but it's also friggin' HUGE once unzipped, and it's not like you are going to be carrying it with you on your thumb drive to every job (although thumb drives are fairly cheap these days).

So if you can 1 - keep it simple, 2 - implement GPU+CPU cracking on the go, and 3 - keep the file size down while being cross-platform, you've got yourself a good starting point for a long-term project that could grow beyond simple password safe cracking.

I know we only met back in June, but from what I have seen from working with you so far, you've got some killer skills and knowledge for such a young guy, especially your encryption ideas. I think if you find that niche, like FireBwall but with a cross-platform product, you could end up seeing your tool incorporated in things like Back|Track, maybe get yourself a job as one of their devs and be handed projects to work on. Most of the people who are devs for Back|Track have regular day jobs, but I know it's been an avenue for them to get those full-time jobs at some of the bigger infosec companies too.

I personally don't use password safes, mainly because of projects like what you are working on, and I'm a complete tinfoil-hat type. But I am always forgetting passwords and having to rely on systems for resetting them when that happens. One tool I use that I love is MailPassView from NirSoft. It's not just for my own use; I can help recover passwords for people on other computers, like friends and family who can't remember their passwords. So things like that have legitimate uses and needs; implement something like that as well.


Well said, and if the OP's tool can do a better job, why not? I personally have used many different password cracking tools, one of them being the Cuda Multiforcer, due to its simplicity and support for CUDA. I know oclHashCat supports both CUDA and ATI graphics cards, and it's one of the fastest password cracking tools out there; however, it can be very confusing and sometimes frustrating to use. Not that I can't use it, but as digip pointed out, being easy to use and to learn is very important for the end users: if they can't get something to work because of its complexity or lack of instructions, they're going to look elsewhere.

oclHashCat has many different features, which makes it the Swiss army knife for security professionals and pen-testers. Even though they do have an online wiki detailing what each feature does and how to use it, I believe they could've done a better job in terms of keeping it simpler and less confusing with the commands. Furthermore, I believe Bitweasil has done an amazing job with his Cuda Multiforcer; he has kept it as simple as possible, the commands are very easy to use and remember, and the tool works without many hiccups.


Thank you both for the advice. As digip knows, I was recently sidetracked from the OpenCL/CUDA integration, as I may have stumbled onto a weakness in SHA-256 when used with the algorithm described in section 4.1 of this Bruce Schneier paper: http://www.schneier.com/paper-low-entropy.pdf

I'm trying to get in contact with him so I can see if he agrees it's a weakness, and hopefully publish the weakness along with him.

I did have an idea which would make this useful for a Back|Track or similar forensic tool. It would search for different password databases on the current system (like for KeePass, Password Safe, Mozilla, Chrome, etc.), then recover passwords for the databases as well as the passwords stored inside them.

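Editor's added example, not code from bwall's safe-cracker or from the Password Safe project: it ties together the two technical points in this thread, the dictionary attack on a Password Safe database (first post) and the SHA-256 key stretching from section 4.1 of the Schneier paper that Password Safe's V3 format uses (last post). The header layout below (tag "PWS3", 32-byte salt, little-endian iteration count, then SHA-256 of the stretched key) is my reading of the project's formatV3 description and should be checked against it before use; the 100-iteration header built in the block is constructed for the demo, and a real database uses a far larger count, which is exactly what makes each guess expensive.

```python
"""
Password Safe V3 ("PWS3") header check and dictionary attack.

Assumed header layout (verify against Password Safe's formatV3.txt):

  offset  0  TAG    4 bytes  b"PWS3"
  offset  4  SALT  32 bytes  random per database
  offset 36  ITER   4 bytes  little-endian iteration count
  offset 40  HP    32 bytes  SHA-256 of the stretched key P'

Key stretching as in section 4.1 of the Schneier et al. low-entropy-key paper:
    P' = SHA-256(passphrase || SALT), then ITER further SHA-256 applications.
Only HP = SHA-256(P') is stored, so a guess costs ITER + 2 SHA-256 calls and
needs nothing beyond these 72 header bytes.
"""
import hashlib
import os
import struct

TAG = b"PWS3"
HEADER_LEN = 4 + 32 + 4 + 32


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Return the stretched key P' (section 4.1 construction)."""
    h = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha256(h).digest()
    return h


def is_pwsafe3(data: bytes) -> bool:
    """Cheap magic check, usable when scanning a disk for safes."""
    return len(data) >= HEADER_LEN and data[:4] == TAG


def parse_header(data: bytes):
    """Return (salt, iterations, stored_hash) from the first 72 bytes."""
    if not is_pwsafe3(data):
        raise ValueError("not a Password Safe V3 database")
    salt = data[4:36]
    (iterations,) = struct.unpack("<I", data[36:40])
    stored = data[40:72]
    return salt, iterations, stored


def check_passphrase(header, passphrase: bytes) -> bool:
    """True if SHA-256(P') for this guess matches the stored HP."""
    salt, iterations, stored = header
    candidate = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    return candidate == stored


def dictionary_attack(data: bytes, wordlist):
    """Return the first word in wordlist that opens the safe, else None."""
    header = parse_header(data)
    for word in wordlist:
        if check_passphrase(header, word):
            return word
    return None


def make_test_header(passphrase: bytes, iterations: int, salt: bytes = None) -> bytes:
    """Constructed header for offline testing (assumption: same layout as above).
    A real .psafe3 file continues with the encrypted keys, IV, records and HMAC."""
    if salt is None:
        salt = os.urandom(32)
    p_prime = stretch_key(passphrase, salt, iterations)
    return TAG + salt + struct.pack("<I", iterations) + hashlib.sha256(p_prime).digest()


if __name__ == "__main__":
    # Constructed demo: a low iteration count so it finishes instantly.
    header = make_test_header(b"correct horse", iterations=100)
    words = [b"password", b"letmein", b"correct horse", b"123456"]
    print("found:", dictionary_attack(header, words))
```

The only part of the file the attacker needs is the 72-byte header, so a forensic "find every safe on this box" pass can be a walk over files whose first four bytes are the tag, followed by this loop over a wordlist; the iteration count is read from the file rather than assumed, since the owner may have raised it.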
