Whatever works, works!

SEC-T 2012

I recently had the privilege of attending SEC-T 2012, one of the few really technical Swedish security conferences. [http://www.sec-t.org]

All in all a really great conference. I got to talk to some cool people, and I really think that everyone left with a vast amount of new knowledge and ideas.

But that is not really what this post is about. This post is a lesson in practicality.

The problem

SEC-T had an on-site competition running during the entire conference. Hashes (MD5/SHA1/whatever) had been scattered all over.
The task was to find them, work out which plaintext had been fed to which hashing algorithm, and then post the original plaintext and algorithm to a web server to get points. A pretty fun competition, but as always a bit distracting from the talks.

All in all, over 70 hashes were created, and we were told that they were placed … well … everywhere …

Some of them were just printouts, some were QR codes, some barcodes, etc.


Some creative positions where the hashes were located:

* On a paper taped to the bar
* In the ceiling
* On organizers' webpages
* On sponsors' webpages
* Hidden inside the presentations
* Displayed intermittently on the walls
* Taped to the back of one of the few girls around(!)

All I had the first day of the conference was my phone, not much fun to be had there … So I outsourced some of the hashes to a friend (thanks @se_fla!) and had six cracked hashes waiting for me late at night when I got back from the bar at Patricia.

The solution

Sometimes it does not matter what you do, as long as you get the results you want.

I’m not really that into writing down hashes from paper or transcribing text that was scrolling behind one of the speakers, but I did notice a pattern in the hashes I had the plaintext for: they were all speakers at the conference.

During the lunch break I hacked together a small Python script that took words from a wordlist and hashed each word with every algorithm I could think of (and quickly find support for in Python). A somewhat brute-force approach to the problem at hand.

Into the wordlist I threw any kind of word or name that I suspected and then just let it do its magic, over a somewhat shaky [3G→Android→WLAN→Windows7→NAT→VirtualBox Backtrack] connection.
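The author's own script is not reproduced on this page, so the following is an added example of the approach described above, written for this post rather than taken from it: every word in a wordlist is run through every digest the local Python build supports (plus plain base16 and NTLM, which the post mentions), the results go into a lookup table, and the hashes found around the venue are simply looked up. It also shows why the salted case the post mentions later defeats the approach: with a salt the lookup comes back empty. The wordlist, the "found" hashes and the salt are all constructed for the demonstration.

```python
import hashlib

# Constructed wordlist standing in for the speaker names and suspected words the post mentions.
WORDLIST = ["alice", "bob", "sec-t", "stockholm", "mallory"]

# Digests hashlib guarantees on every platform, plus base16 (plain hex of the bytes),
# which the post says turned up among the "hashes".
CORE_ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")
# Legacy digests whose availability depends on the OpenSSL build; tried and skipped if missing.
OPTIONAL_ALGORITHMS = ("md4", "md2", "ripemd160")

# Constructed salt for the demonstration only; a real scheme uses a random salt per hash.
DEMO_SALT = b"constructed-salt-0123"


def digests_for(word):
    """Yield (algorithm, hex digest) of one candidate plaintext under every algorithm tried."""
    data = word.encode("utf-8")
    yield "base16", data.hex()
    for name in CORE_ALGORITHMS:
        yield name, hashlib.new(name, data).hexdigest()
    for name in OPTIONAL_ALGORITHMS:
        try:
            yield name, hashlib.new(name, data).hexdigest()
        except ValueError:  # this OpenSSL build does not ship the algorithm
            continue
    try:  # NTLM is MD4 over the UTF-16LE password, so it carries the same caveat
        yield "ntlm", hashlib.new("md4", word.encode("utf-16-le")).hexdigest()
    except ValueError:
        pass


def build_table(words):
    """Precompute hex digest -> (plaintext, algorithm) for the whole wordlist."""
    table = {}
    for word in words:
        for algo, digest in digests_for(word):
            table.setdefault(digest, (word, algo))
    return table


def identify(unknown_hashes, words):
    """Map each found hex string to (plaintext, algorithm), or None when nothing in the wordlist matches."""
    table = build_table(words)
    return {h: table.get(h.strip().lower()) for h in unknown_hashes}


def salted_sha256(word, salt):
    """A salted digest: the guesser would need the salt too, so the wordlist alone gets nowhere."""
    return hashlib.sha256(salt + word.encode("utf-8")).hexdigest()


def demo():
    """Run the lookup over four constructed 'found' hashes; the salted one stays unidentified."""
    found = [
        hashlib.md5(b"alice").hexdigest(),
        hashlib.sha1(b"bob").hexdigest().upper(),   # case as it might appear on a printout
        b"sec-t".hex(),                             # base16, not a hash at all
        salted_sha256("mallory", DEMO_SALT),
    ]
    return identify(found, WORDLIST)


if __name__ == "__main__":
    for found_hash, hit in demo().items():
        print(found_hash, "->", hit if hit else "no match")
```

The table is built once and each found hash costs a single dictionary lookup, which is why the approach is cheap even over a shaky connection; the cost the author mentions is entirely in the wordlist and the algorithm list, not in the matching. Whether MD2, MD4 and therefore NTLM are available depends on the OpenSSL build behind hashlib, which is why those are tried and skipped rather than assumed.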

The result

The result was, surprisingly, that I got 27 points, landing me in second place, losing by only one tiny point! Not bad considering the small amount of effort.

My choice of algorithms paid off: there actually were some base16, MD2 and MD4 hashes around. A bit disappointed that I did not land a single NTLM hash, but then again, I don’t know if there were any! Also: this method of attack naturally does not work against any kind of hash/cipher that requires a salt.

Kudos to the guys from Cybercom who performed the HTML attack on the scoreboard that we had been talking about over beers the evening before. That trick gave them (temporarily) 1337 points!

What have we learned?

“Some systems limit the number of times a user can enter an incorrect password before some delay is imposed or the account is frozen.” This “attack” would have been impossible if there had been any kind of penalty for trying invalid combinations, or if any kind of rate limiting had been active.

This particular piece of software might very well have been designed with “hackability” in mind. It was, after all, part of a security conference full of hackers who are very likely to do all kinds of interesting things when the organizers say “Feel free to do anything to the challenge server!”.

But the moral of the story is the same: you always need to analyze the risks to any piece of networked software. This particular problem will not apply to every piece of software, but if you don’t think about it, you could find yourself unpleasantly surprised some day.

Passwords are bad. PERIOD.
…but if you have to use them, give the following points a bit of thought:

  • How much and how often is enough?
  • Should one user be able to try 40k passwords at all?
  • Should one IP-address be allowed to try 10 passwords/second?
  • How do you differentiate users coming from one IP-address? Cookies? Think again…
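The questions above are easiest to reason about with something concrete in front of you, so here is an added example of what the challenge server could have done: a sliding-window failure counter with a lockout, applied twice to every submission, once keyed on the account and once on the source address. This is illustrative code written for this post, not the SEC-T scoreboard's software; the limits (20 failures per account in ten minutes, 10 per address per second), the answer key and the client address are all assumptions chosen to match the post's own numbers.

```python
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window failure counter with a lockout, so each bad guess costs the guesser time."""

    def __init__(self, max_failures, window, lockout):
        self.max_failures = max_failures   # failures tolerated inside one window
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds a key stays blocked once the limit is hit
        self._failures = defaultdict(deque)
        self._blocked_until = {}

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                   # lockout expired: start the count afresh
            del self._blocked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[key] = now + self.lockout

    def record_success(self, key):
        self._failures.pop(key, None)


class ChallengeServer:
    """Stand-in for the scoreboard's submit endpoint: one limiter per account, one per source address."""

    def __init__(self, answers, clock=time.monotonic):
        self._answers = answers            # hex digest -> (plaintext, algorithm): the organizers' key
        self._clock = clock                # injectable so the behaviour can be replayed offline
        # Per account: far fewer than the 40k guesses the post asks about, with a long lockout.
        self.per_user = AttemptLimiter(max_failures=20, window=600.0, lockout=900.0)
        # Per address: the post's "10 passwords/second" bound, keyed on the address rather than on
        # a cookie, because the client controls its cookies and can simply drop them.
        self.per_ip = AttemptLimiter(max_failures=10, window=1.0, lockout=60.0)
        self.scores = defaultdict(int)

    def submit(self, user, addr, hash_hex, plaintext, algorithm):
        now = self._clock()
        if self.per_user.is_blocked(user, now) or self.per_ip.is_blocked(addr, now):
            return "locked"
        if self._answers.get(hash_hex.lower()) == (plaintext, algorithm):
            self.per_user.record_success(user)
            self.scores[user] += 1
            return "correct"
        self.per_user.record_failure(user, now)
        self.per_ip.record_failure(addr, now)
        return "wrong"


class FakeClock:
    """Manually advanced clock so the replay below does not have to sleep."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Replay a burst of guesses from one address: 10 wrong answers in one second, then a lockout."""
    clock = FakeClock()
    answers = {"7365632d74": ("sec-t", "base16")}   # constructed answer key: base16 of "sec-t"
    server = ChallengeServer(answers, clock=clock)
    results = [
        server.submit("guest", "203.0.113.7", "7365632d74", f"guess{i}", "md5")
        for i in range(12)
    ]
    clock.now = 61.0                                   # lockout over; a correct answer now scores
    results.append(server.submit("guest", "203.0.113.7", "7365632d74", "sec-t", "base16"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two limiters rather than one matter here: the per-account limit answers "should one user be able to try 40k passwords at all?", while the per-address limit catches a guesser who registers fresh accounts, and neither depends on anything the client can discard. The trade-off the post hints at remains: a shared NAT address (like the author's own chain) means one noisy guesser can lock out everyone behind it, so the per-address lockout is kept short.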

The code

No fun without the code, right? I don’t really know if someone will ever need this in the future, but here it is for reference; keep in mind that it was authored under serious time constraints!

The winning numbers

Some of the plaintexts; one was found after the competition had ended. (As it was too late, it does not count.)