Didier Stevens

Friday 15 July 2016

Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force

Filed under: Encryption — Didier Stevens @ 0:00

After cracking LM hashes we extracted from our Active Directory database file with a wordlist, we will perform a brute-force attack on the LM hashes.

This is the command:

hashcat-3.00\hashcat64.exe -a 3 -m 3000 --potfile-path hashcat-mask-lm.pot --username -1 ?u?d?s --increment lm.ocl.out ?1?1?1?1?1?1?1

Some of the options and arguments are the same as for the wordlist attack, I will explain what is different:

Option -a 3 instructs hashcat to perform a brute-force attack (a mask attack). A mask attack is a brute-force attack where you have to specify a mask for the candidate passwords. The characters used in candidate passwords for LM hashes can be anything, except lowercase letters (the LM hash algorithm uses uppercase letters). So the mask we specify needs to instruct hashcat to try uppercase letters, digits and special characters.

We do this by specifying a user-defined character set:

-1 ?u?d?s

This specifies that user-defined character set 1 is composed of uppercase letters (?u), digits (?d) and special characters (?s).

A LM hash is composed of 2 individual parts, one part represents a password up to 7 characters long. This is what hashcat will crack. So our mask is ?1?1?1?1?1?1?1. This instructs hashcat to use user-defined character set 1 for the first character in the candidate password (?1), the second character (?1), … until the seventh character (?1).

This mask will only generate candidate passwords of 7 characters. But we also need to test passwords of 1 character, 2 characters, … and 6 characters. Therefor we use option –increment.

Cracking LM hash is very fast because it is based on DES and because we only need to test passwords up to 7 characters. On a dedicated machine with GPUs, it can take less than an hour. Even on an old desktop with just an Intel HD Graphics 4500 it will take a bit less than 3 days.

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
- Device #1: GeForce GTX 650, 256/1024 MB allocatable, 2MCU
- Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
See the wiki on how to disable it: https://hashcat.net/wiki/doku.php?id=timeout_patch

Hashes: 62 hashes; 48 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

c2265b23734e0dac:1
aad3b435b51404ee:
944e2df489a880e4:R
1104594f8c2ef12b:F
fdcfc2afb2d1be34:V

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1) [1]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...:        0 H/s (0.48ms)
Recovered......: 5/48 (10.42%) Digests, 0/1 (0.00%) Salts
Progress.......: 69/69 (100.00%)
Rejected.......: 0/69 (0.00%)

ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

9fdfa4280126e140:AS
27bcbf149915a329:T1
158759f68c114883:92
8358f3d2c80c1dc5:ON

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1) [2]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...:    23935 H/s (0.75ms)
Recovered......: 9/48 (18.75%) Digests, 0/1 (0.00%) Salts
Progress.......: 4761/4761 (100.00%)
Rejected.......: 0/4761 (0.00%)

7a01665eb2eb6c14:007
036d85e885962cfa:O@M
c3f5ba53c6ea977d:87L
b273d8f0d4cb5bbc:Y6G
INFO: approaching final keyspace, workload adjusted


Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1) [3]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...:  1321.8 kH/s (9.05ms)
Recovered......: 13/48 (27.08%) Digests, 0/1 (0.00%) Salts
Progress.......: 328509/328509 (100.00%)
Rejected.......: 0/328509 (0.00%)

19d76dfe3931be22:2020
6d91129363e71245:*QFT
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

After hashcat finishes running, you can display the recovered passwords with this command:

hashcat-3.00\hashcat64.exe -m 3000 --show --username --potfile-path hashcat-mask-lm.pot lm.ocl.out

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

Administrator:111f37ed915c5716aad3b435b51404ee:ROOT1$
user01:44efce164ab921caaad3b435b51404ee:123456
user03:56c94ea187dbb8d6d4b8a9676de6053e:RACHELLEANNE
user04:58ee1ecfcb1952c1aad3b435b51404ee:ZORDIC7
user05:22d8afdd59cc02d1aad3b435b51404ee:KURT!!!
user06:843201b3eec511e619d76dfe3931be22:GIRLISH2020
user07:d0d0b0a89785fea7dacc48edf1058ae1:AMOROSAOVEJA
user08:eb9fdbf6dde9d8a3c3f5ba53c6ea977d:453758487L
user09:ee3c975e9312263ac2265b23734e0dac:THURLOW1
user10:e69e57fcbfc3742627bcbf149915a329:BEAUFORT1
user12:3c152122664981d07a01665eb2eb6c14:MAISIE2007
user14:6595863b3f65214eaad3b435b51404ee:YELIZ6
user15:8dfa87789573aa6caad3b435b51404ee:TADOB
user16:bfa8b0f05b2ce944158759f68c114883:LM1181992
user17:63aa06ca844a0123aad3b435b51404ee:CUNINGO
user19:078198d4eefc6c55aad3b435b51404ee:LZAC08@
user20:44f388db34bb96628358f3d2c80c1dc5:FEPARAGON
user21:fdcfc2afb2d1be34aad3b435b51404ee:V
user22:9fdfa4280126e140aad3b435b51404ee:AS
user23:b273d8f0d4cb5bbcaad3b435b51404ee:Y6G
user24:6d91129363e71245aad3b435b51404ee:*QFT
user25:9ad12257392cdacaaad3b435b51404ee:*VQC(
user26:12bd073e0404ed39aad3b435b51404ee:976B0
user27:d12e81eacd737b89aad3b435b51404ee:XJW*WL
user28:adfc3aa0a57f3d1e944e2df489a880e4:A9LT5J$R
user29:5971713f415d2ff41104594f8c2ef12b:CRX3#W+F
user30:9ede745407ca42b2036d85e885962cfa:F-62RQTO@M
user31:3ceb8cc097f4b3bc274d6a66ff41a32b:8N)IMRGQ57_
user32:863a6a296d3d379888d84c068ac05e0a:43PDLBR8TS#V
user33:e7c148e3c455aa1f8138c5e16c20cfc5:B#F1HVU@QZ7NK
user34:c8e4acdacab3b81243b673bc86137536:WBJ_PVTZ6I42AV

As you can see we cracked all LM hashes.

Remark: if your output is slightly different (e.g. some of the passwords have an extra character appended), then that’s because of a bug in hashcat 3.00.

Cracking NTLM hashes with a mask-attack is almost the same as cracking LM hashes. Here is the command:

hashcat-3.00\hashcat64.exe -a 3 -m 1000 --potfile-path hashcat-mask-nt.pot --username -1 ?u?l?d?s --increment nt.ocl.out ?1?1?1?1?1?1?1?1

The differences are the hash type (-m 1000), the character set includes lowercase letters (?l) and we use a mask for 8 characters (?1?1?1?1?1?1?1?1). I’m not using candidate passwords longer than 8 characters, because it would take too long to test the complete keyspace.

Character set ?u?l?d?s is also defined as ?a. So we can omit the use of a user-defined character set, like this:

hashcat-3.00\hashcat64.exe -a 3 -m 1000 --potfile-path hashcat-mask-nt.pot --increment nt.ocl.out ?a?a?a?a?a?a?a?a

 

Thursday 14 July 2016

Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist

Filed under: Encryption — Didier Stevens @ 0:00

Now we will use hashcat and the rockyou wordlist to crack the passwords for the hashes we extracted in part 2.

With this command we let hashcat work on the LM hashes we extracted:

hashcat-3.00\hashcat64.exe -a 0 -m 3000 --potfile-path hashcat-rockyou-lm.pot --username lm.ocl.out rockyou.txt

Option -a 0 instructs hashcat to perform a straight attack.

Option -m 3000 informs hashcat that we provide LM hashes.

Option –username informs hashcat that the hash file lm.ocl.out includes usernames.

Argument lm.ocl.out is the hash file.

Argument rockyou.txt is the wordlist.

I also use option –potfile-path to instruct hashcat to use a specific pot file (a file containing the cracked hashes with corresponding passwords).

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped

Hashes: 62 hashes; 48 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Salt
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

aad3b435b51404ee:
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => Cache-hit dictionary stats rockyou.txt: 154179996 bytes, 14343328 words, 14343328 keyspace

c2265b23734e0dac:1
944e2df489a880e4:R
1104594f8c2ef12b:F
9fdfa4280126e140:AS
56c94ea187dbb8d6:RACHELL
8358f3d2c80c1dc5:ON
27bcbf149915a329:T1
d0d0b0a89785fea7:AMOROSA
fdcfc2afb2d1be34:V
7a01665eb2eb6c14:007
e69e57fcbfc37426:BEAUFOR
158759f68c114883:92
843201b3eec511e6:GIRLISH
19d76dfe3931be22:2020
ee3c975e9312263a:THURLOW
dacc48edf1058ae1:OVEJA
d4b8a9676de6053e:EANNE
3c152122664981d0:MAISIE2
58ee1ecfcb1952c1:ZORDIC7
8dfa87789573aa6c:TADOB
bfa8b0f05b2ce944:LM11819
22d8afdd59cc02d1:KURT!!!
INFO: approaching final keyspace, workload adjusted


Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: File (rockyou.txt)
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: Mon Jul 11 22:54:46 2016 (2 secs)
Speed.Dev.#1...:  5193.2 kH/s (13.32ms)
Recovered......: 23/48 (47.92%) Digests, 0/1 (0.00%) Salts
Progress.......: 14343328/14343328 (100.00%)
Rejected.......: 0/14343328 (0.00%)

Started: Mon Jul 11 22:54:46 2016
Stopped: Mon Jul 11 22:54:52 2016

To display the cracked passwords, we use option –show:

hashcat-3.00\hashcat64.exe --show -m 3000 --outfile-format 2 --potfile-path hashcat-rockyou-lm.pot --username lm.ocl.out

Option –show instructs hashcat to display the cracked passwords.

Option -m 3000 informs hashcat that we provide LM hashes. This is necessary for –show.

Option –username informs hashcat that the hash file lm.ocl.out includes usernames.

Option –outfile-format 2 instructs hashcat to output the password without the hash.

Argument lm.ocl.out is the hash file.

I also use option –potfile-path to instruct hashcat to use a specific pot file (a file containing the cracked hashes with corresponding passwords).

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

Administrator:[notfound]
user01:[notfound]
user03:RACHELLEANNE
user04:ZORDIC7
user05:KURT!!!
user06:GIRLISH2020
user07:AMOROSAOVEJA
user09:THURLOW1
user10:BEAUFORT1
user12:MAISIE2007
user14:[notfound]
user15:TADOB
user16:LM1181992
user17:[notfound]
user19:[notfound]
user20:[notfound]ON
user21:V
user22:AS
user23:[notfound]
user24:[notfound]
user25:[notfound]
user26:[notfound]
user27:[notfound]
user28:[notfound]R
user29:[notfound]F

As you can see we cracked most of the passwords for users 1 through 20, except when the password is longer than 14 characters. Also remark that all passwords are uppercase.

With this command we let hashcat work on the NTLM hashes we extracted:

hashcat-3.00\hashcat64.exe -a 0 -m 1000 --potfile-path hashcat-rockyou-nt.pot --username nt.ocl.out rockyou.txt

The options and arguments are almost the same as for the LM command, except:

Option -m 1000 informs hashcat that we provide NTLM hashes.

Argument nt.ocl.out is the hash file.

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped

Hashes: 43 hashes; 43 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

Cache-hit dictionary stats rockyou.txt: 154179996 bytes, 14343328 words, 14343328 keyspace

32ed87bdb5fdc5e9cba88547376818d4:123456
e550853afc9a68106d73fd6680b25604:mychemicalromance
125fee170ce858738fc08d61291174ed:beautifulprincess
c1d5ff9561074a64e8164745f7e057a3:beaufort1
0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
3081116936973f2a1019178a085e77cd:maisie2007
3f77a049f85d9ecb089313d68dc64796:maiseythorne2007
2a54f9c00701830e44923a19eea7df62:zordic7
7f5ab070d31e61251ab4ef78b6601941:yeliz6
0794f987708fd36dc158c3435d1e9d65:tadob
f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
336413710df33e5d6ef4ba82ba762543:kurt!!!
8810b6cff094d7bbfa9254a47e460e8c:girlish2020
5bd6fddd235507a2baf82843b6174b4e:cuningo
d10107259670c218d8389bb05a6ca9a5:amorosaoveja
c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
8d15a7e3fe3271b73180de20f9532111:Horselover1493@hotmail.com
9180c11efd4cb6149557f59b0cf80573:FEPARAGON
INFO: approaching final keyspace, workload adjusted

81ed9d39c208fb710f16fd01df2c5ea3:453758487l

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: File (rockyou.txt)
Hash.Target....: File (nt.ocl.out)
Hash.Type......: NTLM
Time.Started...: Mon Jul 11 23:26:10 2016 (2 secs)
Speed.Dev.#1...:  6402.3 kH/s (12.17ms)
Recovered......: 20/43 (46.51%) Digests, 0/1 (0.00%) Salts
Progress.......: 14343328/14343328 (100.00%)
Rejected.......: 1150/14343328 (0.01%)

Started: Mon Jul 11 23:26:10 2016
Stopped: Mon Jul 11 23:26:17 2016

Remark that this time we cracked all passwords for users 1 through 20 (also the ones longer than 14 characters), and with the proper case.

Wednesday 13 July 2016

Practice ntds.dit File Part 2: Extracting Hashes

Filed under: Encryption — Didier Stevens @ 0:00

There are several how-tos on the Internet explaining you how to extract hashes from the Active Directory database file. I used this how-to for Kali Linux: https://blog.joelj.org/windows-password-audit-with-kali-linux/

The tools libesedb and ntdsxtract are used in this how-to.

I encountered an error when making libesedb:

libcfile_support.c:742:2: error: #error Missing file remove function

Make sure to read the comment from May 6, 2016 for this how-to: it offers a solution for this error. Edit libcfile/libcfile_support.c and add this line at the top:

#define HAVE_UNLINK 1

First we get the Active Directory database file I published and unzip it:

20160710-210725

Next we use libesedb (command esedbexport) to export the tables from ntds.dit:

20160710-210856

This may take some time, depending on the size of the database.

20160710-210938

The exported tables are in folder ntds.dit.export:

20160710-211024

Then we use ntdsxtract (command dsusers.py) to export the hashes (LM and NTLM) from the exported tables. First we export the hashes in a format suitable for John the Ripper. We store the files in folder dump. This command also takes the SYSTEM registry hive (file system) to extract the system key to decrypt the hashes.

20160710-211607

We let the command create the folder dump:

20160710-211642

Next the tool detects 2 schemas in the exported tables (objects 5 and 1480). First we try schema object 5:

20160710-211702

This fails:

20160710-211723

So we start again with schema object 1480, but first we need to remove the dump folder:

20160710-211757

20160710-211816

20160710-211831

Now you can find the extracted hashes (lm.john.out and nt.john.out) in folder dump:

20160710-211852

20160710-212259

Next we repeat the same command but export hashes in a format suitable for hashcat:

20160710-211921

20160710-211932

Now you can find the extracted hashes (lm.ocl.out and nt.ocl.out) in folder dump:

20160710-211954

20160710-212049

If you want these hash files to crack the passwords without having to run through this how-to, you can download them here:

ntds-hashes.zip (https)
MD5: B0A84D756C211A97087BA307F0CE5739
SHA256: 009520798DD34831C47ADAC47D6DEB3C153FC44BD9D400A0BB813EBA46728D86

Tuesday 12 July 2016

Practice ntds.dit File Part 1

Filed under: Encryption — Didier Stevens @ 0:00

I’m publishing a sample Active Directory database file (ntds.dit) together with the corresponding SYSTEM registry hive so that you can practise hash extraction and password cracking.

This ntds.dit and system file come from a virtual machine I installed just for this purpose: Windows Server 2003 Standard Edition with SP1 (English). The reason I selected an old Windows version, is that 2003 still supports LM hashes by default.

I changed the password policy to allow very weak passwords:

20160710-125218

I added 40 users: 20 users with passwords taken from the rockyou database leak and 20 users with random passwords (varying in length from 1 to 20 characters). Some of the passwords I randomly selected from rockyou are longer than 14 characters: when a password is longer than 14 characters, Windows does not store a LM hash for that password.

You can find many how-tos on the Internet showing you how to extract the LM and NTLM hashes from the Active Directory database file. I too will posts examples of hash extraction and password cracking.

Happy cracking!

ntds.zip (https)
MD5: F20E477D9784E009777F286ABF718FA3
SHA256: F5EBBF57B3C646FC339ECEEE03063BEDE9E0E7FC8254B0E57A77CC4036134B04

Monday 11 July 2016

hashcat 3.00 “fatal error: ‘inc_vendor.cl’ file not found”

Filed under: Encryption — Didier Stevens @ 0:00

When I tested hashcat 3.00 I got an error: “fatal error: ‘inc_vendor.cl’ file not found”. The fix for such errors is to update your (GPU) drivers. Unfortunately, I could not update at the moment but I still wanted to play with this new toy🙂

Here is the output with the errors (the warnings are another indication that a driver update is necessary):

1

The error is a build error. hashcat was not able to compile the code for a brute-force LM hash attack for my GPU (m03000_a3.2ad8800f.kernel). Older versions of hashcat included compiled code for different attacks, hashes and devices. But since version 2.0 (when hashcat became open source) hashcat compiles this code when necessary: Just In Time (JIT). You can see this in the kernels folder. In older versions (< 2.0) of hashcat, this folder is populated with code. In the newer versions, it is empty.

The build log indicates why this error occurs: file inc_vendor.cl was not found (this file is present in the OpenCL folder) when compiling m03000_a3.cl.

My workaround is to temporarily make the OpenCL folder the working directory, and then run hashcat so that it can compile the kernels:

2

Now you can find the compiled kernels in the kernels folder:

4

The mask I specify with this hashcat command is also much smaller: ?1 This way, hashcat terminates quickly and I can move back to the directory I want and use the full mask ?1?1?1?1?1?1?1:

3

This time there is no build error, because the necessary kernels are already build and taken from the cache (folder kernels).

Remember, this is a workaround, not a fix. The fix is to update the drivers. I updated the drivers later (not without issues), deleted the content of the kernels folder, and started again. This time, without build errors.

FYI: I generated the LM hashes for this example with this website: https://www.tobtu.com/lmntlm.php

5

Saturday 30 January 2016

Update: xor-kpa.py Version 0.0.2

Filed under: Encryption,My Software,Update — Didier Stevens @ 8:48

I added support for ZIP files to xor-kpa.py.

If you pass a ZIP file to xor-kpa, it will analyze the contained file. The ZIP file can be password protected (password infected).

xor-kpa_V0_0_2.zip (https)
MD5: CA4DB797A7C12E3E81F55D9634EE77BF
SHA256: 76344E06A2C1F121D4CDD1B063DC109E59B9D2351BA5CFDDEE8613DCD220283B

Friday 1 January 2016

XOR Known-Plaintext Attack

Filed under: Encryption,My Software — Didier Stevens @ 16:00

To celebrate my Microsoft MVP award 2016, I’m releasing a new XOR-tool. Because you can never have enough XOR-tools in your toolbox🙂.

When data is XOR-encrypted with a repeating key and you known some of the plaintext, you can perform a simple known-plaintext attack. Because when you XOR the ciphertext with the plaintext, you recover the key-stream.

With “repeating key” I mean the following: let’s assume that the encryption key is “Secret”. Then the first byte of the plaintext is XORed with “S”, the second byte with “e”, the third byte with “c”, …, the sixth byte with “t”. And for the seventh byte, we start again with “S”, then for the eighth byte again with “e”, …

When we know some of the plaintext, for example the beginning of the file, and we XOR this with the ciphertext, we obtain the key-stream: SecretSecretSecretSec It’s simple to extract the repeating key (Secret).

I’ve written a small Python program that automates this process: xor-kpa.py.

As an example, I’ve XORed the notepad.exe program with a key. We know that PE files contain the string “This program cannot be run in DOS mode”, this string is store in text file plaintext.txt. This is how you use xor-kpa:

C:\Demo>xor-kpa.py -e 3 plaintext.txt notepad-ciphertext.exe
Key:       Password
Extra:     30
Keystream: rdPasswordPasswordPasswordPasswordPass

This result shows that the recovered keystream is “rdPasswordPasswordPasswordPasswordPass”, and that the repeating key is “Password”. Extra (30) is the difference between the keystream length (38) and the key length (8). The higher the value of extra is, the higher the confidence is we recovered the correct key. When Extra is only 1, the confidence is low. To properly recover the key, the known-plaintext must be longer than the key.

With option -e you can filter for the minimum value of Extra.

Since the known-plaintext can often be a a short ASCII string, you can provide it directly as an argument in stead of writing it in a text file. To achieve this, just precede the argument with character #, like in this example (the double quotes are necessary because of the space characters):

C:\Demo>xor-kpa.py -e 3 "#This program cannot be run in DOS mode" notepad-ciphertext.exe
Key:       Password
Extra:     30
Keystream: rdPasswordPasswordPasswordPasswordPass

xor-kpa_V0_0_1.zip (https)
MD5: 4265BB1AFCD470A98070FFBDFCB1B52A
SHA256: CF41CEDE7281459FA47061B366AA9B4A5F579CC9BA46E73098B52EA8CAB6E816

Tuesday 29 December 2015

SHA256 Code Signing and Microsoft

Filed under: Encryption — Didier Stevens @ 10:28

In a couple of days Windows will no longer trust sha-1 code-signing. It happened in the past that Microsoft announced changes to AuthentiCode, and then did not follow though, but it looks like this one is going to happen.

First of all, the loss of trust will not happen for all executables with a sha-1 signature. It will only happen with executables with a “Mark of the Web” attribute and without a timestamp or a timestamp after 1/1/2016.

A “Mark of the Web” attribute means that the executable is flagged as downloaded from an untrusted source (the Internet), like this one:

20151229-111600

This is done with an Alternate Data Stream (ADS) named Zone.Identifier and with content like this:

[ZoneTransfer]
ZoneId=3

If you develop executables that will be downloaded and you sign with a sha-1 certificate, check that you also include a timestamp. As I explained in my blogpost, you can add a missing timestamp after signing. You don’t even need a code signing certificate to add a timestamp.

Tuesday 24 November 2015

Authenticode And Timestamping And sha256

Filed under: Encryption — Didier Stevens @ 0:00

I have a couple of how-to posts on digital signatures, like this code signing post. Let me revisit this topic now that Microsoft announced some upcoming changes to code signing.

I use signtool.exe that came with Visual Studio 2013 in my examples. Here is how to use signtool.exe from the command-line to sign an executable:

20151123-204917

FYI: in my case, I use option /a because I have more than one code signing certificate and I let signtool decide which one to use (option /a). But if you have only one code signing cert, you don’t need to use option /a.

As you can see, the version of signtool.exe I use (6.3.9600.16384) still uses sha1 by default.

20151123-204945

To use sha256 as digest algorithm (since Microsoft will deprecate sha1), use option /fd sha256, like this:

20151123-205150

20151123-205230

When we look at the details of the signature, we see that there is no Signing time or Countersignatures:

20151123-205310

The signature is valid, because we are still in the certificate validity period:

20151123-205524

But once we are outside the certificate validity period, the signature is no longer valid:

20151123-205921

And this is because a countersignature from a timestamping service is missing. A countersignature can be added with option /tr and the URL of a timestamping service, like this one:

20151123-210005

Option /tr URL specifies a timestamping service that supports the RFC 3161 protocol.

And now the signature remains valid, even after the code signing certificate has expired:

20151123-210052

To be sure that the timestamping service uses sha256, we can request this with option /td sha256:

20151123-210426

Conclusion: always use a timestamping service when signing code, this way your signature will not expire.

Remark: code signing and timestamping are 2 different operations. There is no requirement to execute these operation with a single command. You can also timestamp a signed executable like this:

20151123-211435

First command: sign

Second command: timestamp

And you don’t need a code signing certificate to timestamp a signed executable. You can take any executable with an embedded signature, and add a new timestamping signature with this signtool.exe timestamp command. Why do I mention this? This will become clear in a next post, where we take a closer look at Microsoft’s sha256 code signing announcement.

A last remark: as mentioned, option /a lets signtool.exe decide which certificate (from the certificate store) to use for the code signing (in case you have more than one code signing certificate). But if you want to explicitly select the code signing certificate to use, you can use option /sha1 with the sha1 fingerprint of the certificate you want to use. Important: /sha1 is a method to select a certificate, it does NOT instruct signtool to use the sha1 algorithm for the signature.

Wednesday 15 April 2015

PDF Password Cracking With John The Ripper

Filed under: Encryption,PDF — Didier Stevens @ 0:00

I have a video showing how to use oclHashcat to crack PDF passwords, but I was also asked how to do this with John The Ripper on Windows.

It’s not difficult.

Download the latest jumbo edition john-the-ripper-v1.8.0-jumbo-1-win-32.7z from the custom builds page.

Decompress this version.

Download the previous jumbo edition John the Ripper 1.7.9-jumbo-5 (Windows binaries, ZIP, 3845 KB).

Extract file cyggcc_s-1.dll from the previous jumbo edition, and copy it to folder John-the-Ripper-v1.8.0-jumbo-1-Win-32\run.

Generate the hash for the password protected PDF file (I’m using my ex020.pdf exercise file) and store it in a file (pdf2john.py is a Python program, so you need to have Python installed):

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\pdf2john.py ex020.pdf > ex020.hash

Start John The Ripper:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe ex020.hash

Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/32])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret           (ex020.pdf)
1g 0:00:00:00 DONE 2/3 (2015-03-29 22:39) 10.20g/s 125071p/s 125071c/s 125071C/s
123456..crawford
Use the "--show" option to display all of the cracked passwords reliably
Session completed

By starting John The Ripper without any options, it will first run in single crack mode and then in wordlist mode until it finds the password (secret).

But you can also provide your own wordlists (with option –wordlist) and use rules (option –rules) or work in incremental mode (–incremental).

« Previous PageNext Page »

Blog at WordPress.com.