All your old-tech passwords belong to us, for just $17

How a $17 online tool can crack passwords to your cloud data.

CloudCracker $17 tool steals passwords
Credit: Psyomjesu, CC BY-SA 4.0, via Wikimedia Commons

Today's lesson on how the cloud can work against you, as well as for you, is about your passwords and keys, and how they're becoming useless. I've stolen a link from Mark Gibbs to help.

Let's say you've been letting older security encryption methods live out their life in the pastures of your data center. CloudCracker, using massively-induced dictionary attacks, can make mincemeat from a frightening number of password key-exchange seeds.

For just $17 per, CloudCracker can conveniently crack the following password seeds: WPA/WPA2, NTLM, SHA-512, MD5s, and/or MS-CHAPv2. No tears, please. And yes, cracked like an egg, a $17 egg. Certainly no one would abuse such a service, would they?

It works like this: grab a network traffic sample, upload it to CloudCracker after choosing what you're trying to crack. Pay the money. An aggregation of cloud computing power comes together to render massive dictionary attacks until, Bingo!, your desired password hash is rendered.

Let's try and understand what the CloudCracker computing aggregation can break:

  • Several million Wi-Fi access points in North America. In fact, most of residential and small business APs across the entire planet.
  • Any password on a peer-based Windows network, including most NAS devices, and multitudes of SAMBA3-compatible passwords. PPTP VPNs are affected, as well as scandalous numbers of point-of-sale systems, and NTLM-linked peer networks.
  • Add in to this mix many MS-CHAPv2 connected links, which can include older VPN circuits , Network Access Servers—and many of these are still in use today.
  • MD5, “Flame”-like code signing certificates. Look up “flame cracks” for details.
  • MD5-generated x.509 certificates, the self-signed kind.

Maybe these protect something important, how can I know?

Your partners might have the same problem, too. Many Apple VPNs use PPTP with MS-CHAP-v2 password authentication. $17. That library Wi-Fi system: WEP2. $17. Your data archive and not-upgradable, firmware-based NAS appliance: $17.

CloudCracker uses dictionary attacks based on samples you provide of traffic. How to get traffic? Ask any competent teenager to download a WireSharking network traffic analyzer. You could do it yourself, too. Get a decent sample of the traffic and it doesn't take much to capture the sample. Feed it to CloudCracker. Let a gang of cloud-based IaaS systems digest the samples, and it's likely your sample will render the password used to encrypt/hash the traffic sample. Then you have it — the key. Beware of your next steps; some of them may or may not be the crux of criminal or civil action.

Is it legal to crack sample traffic as CloudCracker does it? I'm not a lawyer. It doesn't matter what I think anyway, because I don't have the legal war chest necessary to fund a garrison of legal helpers. You don't either. But your public relations, legal, analyst community, and customers will want to hear about your continued use of the above vulnerable passwords once they're cracked.

Yes, your next week should be spent looking for any implementations of these, so that you can summarily implement updated methods of key/passphrase/hash exchange. Piece of cake, right?

Because for $17, any aforementioned door can be forced open. Your lunch can be eaten. Listen for the burp. Enjoy that meal.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.