By Sukhpreet Singh

Abstract: This blog post addresses the process of cracking cryptographic hashes using various tools, Python scripts and Amazon Web Services (AWS) instance. Passwords play a crucial role in user authentication and this blog post demonstrates how this approach is vulnerable to various attacks such as Rainbow table attack, Dictionary based attack etc. This project will also address how the computation speed of breaking the hashes can be increased significantly using Dictionary based attacks.

Keywords: passwords, hashes, MD5, LM, Rainbow Tables, John the Ripper, Python, script, AWS.

Implementation: Figure-1 depicts the setup, which was used for implementation. The main tasks involved in this set up are as follows:

Setting up Kali Linux on a local machine and AWS instance; Assigning Controller and Server role to the local machine and AWS instance respectively; Passing a cryptographic hash from the Controller to the Server using Secure Shell (SSH); Breaking the hash on the Server and returning the recovered password to the Controller; Automating the whole process using Python.

Figure 1: Topology used for this experiment

The configuration used for Server at AWS was as follows:

Type: t2.micro vCPUs: 1 Memory: 1GB

The configuration used for local machine working as Controller was as follows:

Memory: 2 GB Processors: 4 Hard Disk (SCSI): 40 GB

“ec2-user” on the Server was used to allow remote access using SSH. This experiment addressed two kinds of hashes: Lan Manager (LM) hash and MD5 hash. The following attacks were used to break the hashes:

Dictionary attack using John the Ripper for LM hashes. Rainbow Tables for MD5 hashes

Ten Rainbow tables were generated to address MD5 hashes, which were based on up to seven character-length lowercase alphanumeric passwords. Following parameters were used to generate Rainbow tables:

Hash algorithm: MD5 Charset: loweralphanumeric Plaintext Minimum Length: 1 Plaintext Maximum Length: 7 Table index: 0-8 Chain length: 2100 Number of chains: 8000000 Part Index: 0

The tools used for Rainbow table attack were as follows:

Rtgen: to generate the Rainbow tables Rtsort: to sort the Rainbow tables Rcrack: to recover the password from a hash using Rainbow tables

Screenshot 1: Ten Rainbow tables generated on the Server

A new dictionary named as 7chars.txt was created from the “rockyou.txt.” It contained all the entries which were exactly seven characters long and alphanumeric in characteristic.

Screenshot 2: sample entries from 7chars.txt

A script named as “server.py” was used at Server to automate the process of hash identification and breaking the hash. The basic syntax of a LM hash is as follows:

Username: UserID: LM hash: NTLM hash

The steps that were used to identify an LM hash are as follows:

The hash, which is to be passed to the script, must follow the above mentioned syntax. The script performs the following functions: It assigns the hash to a variable and searches for a colon (:) in it. If a colon is present in the hash, it compiles a regular expression to match any username followed by a colon in the hash. It matches the subsequent three colons as well using split function (split()) of Python. The split function treats colon (:) as a field seperator and splits the hash into four different entities. In this way, LM hash and NTLM hash are treated and accessed as two differenet entities. It then uses the generated regular expression and the length of both LM and NTLM hashes to effectively identify the LM hash. If the hash is passed in the correct syntax, the value of “result” variable used in server.py will not be equal to “None” and length of LM hash and NTLM hash, i.e. 32, will be equal.

Once the hash was identified as an LM hash, then John the Ripper was used to launch a Dictionary attack to crack it. John generated a corresponding LM hash for each entry in 7chars.txt. Once the generated hash was equal to the input hash, the corresponding entry in 7chars.txt was displayed as the recovered password.

The following step was used for the MD5 hash identification:

Either the hash has to be 32 characters long or start with “1$1”

If the hash was identified as an MD5 hash, Rainbow tables were used to recover the password. The following is the screenshot of server.py:

Screenshot 3: server.py

The following script, named as controller.py was used to pass the hash from Controller to Server on AWS:

Screenshot 4: controller.py

The above set up was successful in identifying and breaking LM and MD5 hashes as shown in the following screenshots:

Screenshot 5: Successful LM hash break using John the Ripper

Screenshot 6: Successful MD5 hash crack using Rainbow tables

Analysis of Rainbow Table attack: To calculate the average time taken to recover the password using Rainbow tables, 30 random lowercase alphanumeric passwords were selected from 7chars.txt. A subsequent MD5 hash was generated for each entry and saved in “input.txt.” Each subsequent hash was fed to the ‘Rcrack” using another script named as­ “initiate.py.”

Screenshot 7: initiate.py

Screenshot 8: Thirty MD5 hashes

Time was recorded for each hash break and mean time was calculated to be 56.39 seconds.

S. No. Passwords Time taken to recover the password using Rainbow Tables (ss:ms) 1 d051977 56.9 2 heeter1 61.01 3 163625s 57.65 4 tocha10 57.81 5 panooza 56.83 6 1968oct 58.54 7 2310853 57.14 8 acjsc09 54.23 9 4656789 55.03 10 02r6s14 56.34 11 sarbach 60.4 12 sabfjas 54.79 13 8189pin 56.08 14 8830669 55.49 15 2640090 52.33 16 reetx13 56.19 17 wanblee 53.85 18 suck666 56.14 19 kai1992 54.12 20 7785863 53.72 21 2703787 56.55 22 juljay2 59.51 23 mefosho 53.5 24 ma02740 53.9 25 myrenes 52.95 26 keeleuy 52.66 27 edryl24 56.92 28 wincott 75.3 29 7909899 52.34 30 lag2008 53.41 Mean Time = 56.39 seconds

Analysis for Dictionary based attack using John the Ripper: Test was performed on two different kinds of dictionaries:

txt txt (syntax: secret!secret)

Screenshot 9: customRockyou.txt

John broke every hash (regardless of the complexity and length of the password, and configuration of the OS) in milliseconds. Analysis was performed on AWS t2.micro instance and a local machine. The latter had following configuration:

Memory = 512 MB Processors = 2 Hard disk = 40 GB

Attempts were also made to analyze performance of Rainbow tables and John the Ripper on GPU instances (p2.xlarge and p2.8xlarge) on AWS but instance could not be launched successfully.

Screenshot 10: Unsuccessful attempt to launch GPU instances

Mitigation Techniques: Cryptographic hashes are stored in Windows and Linux based operating systems to provide confidentiality. However, this method is susceptible to Rainbow Table attack and dictionary based attacks. The mitigation of above attacks lies in the following techniques:

Using Salts: A salt is a random value, which is added to the password before the hash is calculated. It does not have to be unique. This technique makes the hashes resistant to Rainbow table attack.

Using Two factor authentication: This technique acts as an impediment for a malicious actor to gain access of a system, even if they have successfully cracked the hash.

Conclusion: Passwords play a significant role in user authentication and/or authorization. Windows and Linux based operating systems store the hashes of these passwords. This experiment proves that hashes are vulnerable to Rainbow Table attack and Dictionary based attacks. It also addresses the trivial amount of time it takes to recover passwords with these phenomenal tools such as John the Ripper and Rcrack. To mitigate these attacks, Two-factor-authentication and salts should be used wherever possible.

References: