Password Hash Crack
In continuation of the previous blog post.
From the database procured through the SQL injection attack, Anonymous was able to lay their hands on the usernames and passwords stored in it. How passwords are stored is an important aspect of any system. The passwords in this database were hashed with plain MD5, with neither a salt nor key stretching, which is the recommended way of using MD5 for password storage. This is an excellent article on salting hashes, aimed at developers.
Using rainbow tables to recover the plaintext behind an MD5 hash (what is loosely called finding a collision) becomes difficult only when the passwords are COMPLICATED, and that is exactly what was revealed: top execs of HBGary Federal used simple passwords, and those passwords were re-used for their Twitter and other online accounts.
Sounds simple? It does require some patience and some understanding of MD5 and passwords. Firstly, MD5 cannot be reversed, but a hash can be compared against pre-computed hashes, popularly known as rainbow tables. A better starting point would be this, this or this.
A simple 6-character string hashed with MD5, without stretching or salt, takes on average 8 mins 14.987 secs to find the collision or the matching ASCII text, and a 5-character string takes 5 to 6 secs. So the longer and more complicated the string, the longer it takes to find the collision; coupled with regular password changes, this will give you some respite. Different systems will give different averages; these figures are just for the sake of statistics.
Many online sites host pre-computed rainbow tables and provide a Google-style search engine to look up a hash; some are free and some charge a small amount for finding the collision.
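The two storage schemes contrasted above, as an added example that is not code from the original post: bare MD5 as used in the HBGary database, beside a salted and stretched scheme (PBKDF2-HMAC-SHA256, a standard-library stand-in for the salt-plus-stretching the post recommends). The constructed word list plays the part of a pre-computed rainbow table: an unsalted MD5 hash of a simple password is found by a single dictionary lookup, the same password gives the same hash for every user who picks it, and a salted, stretched hash of that same password is not in the table at all. The iteration count and the constructed word list are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a pre-computed rainbow table.
CONSTRUCTED_WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome"]

# Assumed iteration count; tune upward as hardware allows.
ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """The weak scheme found in the breached database: bare MD5, no salt, no stretching."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Pre-compute digest -> plaintext once; this is what a rainbow-table site sells."""
    return {unsalted_md5(w): w for w in words}


def lookup(table, digest: str):
    """One dictionary lookup recovers the plaintext of any hash in the table."""
    return table.get(digest)


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Hardened scheme: random per-user salt plus key stretching via PBKDF2-HMAC-SHA256.

    The stored string carries the algorithm, iteration count and salt so that
    verification needs nothing but this record.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def table_recovers(table, stored_value: str) -> bool:
    """True if a stored value can be turned back into a plaintext by table lookup."""
    return lookup(table, stored_value) is not None


if __name__ == "__main__":
    table = build_lookup_table(CONSTRUCTED_WORDLIST)

    # Two users who chose the same simple password under the weak scheme.
    weak_a = unsalted_md5("letmein")
    weak_b = unsalted_md5("letmein")
    print("same hash for same password:", weak_a == weak_b)
    print("recovered by lookup:", lookup(table, weak_a))

    # The same two users under the salted, stretched scheme.
    strong_a = hash_password("letmein")
    strong_b = hash_password("letmein")
    print("same stored value:", strong_a == strong_b)
    print("recovered by lookup:", table_recovers(table, strong_a))
    print("verifies:", verify_password("letmein", strong_a))
```

Salting defeats the shared table because every user's hash is computed over a different input, so a table would have to be rebuilt per salt; stretching makes each such rebuild thousands of times more expensive. The constant-time comparison in `verify_password` is a separate habit worth keeping, so that the comparison itself does not leak how many leading bytes matched.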
This blog is not a primer on password cracking. Its sole intention is to give a brief insight into how hackers operate, the tools they use and the resources available to them, vis-à-vis the technology developers use to protect their wares, and to expose the false sense of security everyone feels when a developer says 'We have encrypted the passwords'.
Next time you place an order for software that provides a login interface, make sure you know a little about the security standards that have been incorporated.
And a piece of advice for developers: open up a channel, get your software hacked in an open competition and patch every flaw that is found. This method would prove more economical and rewarding than any other.
Some hackers do it for the thrill, some for the money a "0 day exploit" can bring and some for garnering respect within the community. It reminds me of the story of "The boy who stole Half Life 2".
Next – Social Engineering Attack on HBGary Federal.