Secret stuff really appeals to me. Movies like National Treasure and Indy Jones, coupled with books like The Da Vinci Code and By Way of Deception, really hook me. Who out there today doesn't daydream about having privileged access to some big secret that folks are chasing you down to get? Can I get a witness? If you really want to get someone's attention, start your statement with "Let me tell you a secret." I would stop eating Popeye's chicken to tune in to that. OK, maybe not that drastic.
Cracking passwords is typically what most folks think of when they think about hacking. Password cracking is really a lot of fun and is something we as IT folks should do often as part of a security audit. When security folks today conduct pen testing, they are looking to piggyback on someone else's access level to get into a system. I feel like Jimmy Ray Bond when I do have to crack a password and actually pull it off. It is euphoric!
Brute forcing passwords takes too long. Rainbow tables are a very cool method, sometimes referred to as a time-memory trade-off: a cross between a dictionary attack and a brute-force attack. What if I could tell you that you could crack every single possible combination of letters, numbers, and characters up to 18 characters long in less than 13 seconds? In walks the rainbow table. These tables are every possible password hash, precomputed. As you can imagine, these tables are huge and not easily downloadable. The current size for all hashes is around 78 GB, and this changes monthly. Normally you either pay a monthly fee to use the tables online or just order the DVD sets. The price averages between $30 and $150.
If you balk at the price and would like to build your own tables, this can be easily accomplished with the program rtgen for Linux or Winrtgen for Windows. Use a powerful server (PIII or better), add some time and disk space, and there you go. Using the tables is a real piece of cake. When doing tables I always use Cain. I just load the hash file I captured with pwdump3, select rainbow tables instead of dictionary or brute force, and it is done super fast. The longest I have ever seen this process take was 12 minutes. If you do demos to "wow" folks, this is a super-impressive demo to show the power of tables. Just invite anyone to enter any password they want and crack it before they sit down. Bond, Jimmy Ray Bond.
Jimmy Ray Purser
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University, is currently pursuing a master of science degree in electrical engineering, and is a licensed professional engineer in Wisconsin.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
Is this really helpful?
OK, so hacking and password cracking is nothing new, but advertising it is sort of irresponsible. Perhaps you're motivated by self-interest? You want more tampering so you'll be kept busy rebuilding the network and buying more Cisco equipment to try and defend against it.
Really, I think it's annoying when scribes share secrets.
Reply to Schratboy
Good comment. I believe the face of hacking targets has really changed, and it is important for us to share what knowledge we have to bring things in the dark into the light. Time-memory trade-off has big time changed the philosophy of password crackers in both attack patterns and software coding.
Your argument is certainly one that goes back and forth in the security community. Is sharing info just training folks to be hackers that normally may not be? I have always been of the opinion that any knowledge is good knowledge. I honestly have no self-interest here other than trying to change the entire world of network security...in the network admin's favor!!
Jimmy Ray Purser
Cisco Password Cracker
Hi Jimmy,
First, glad to have you onboard blogging for the Cisco Subnet, as we are very lucky indeed!
Am quite a fan of yours:
Cisco TechWiseTV discovers new TV networking superstar, Jimmy Ray Purser
Jimmy, do you have any comment regarding the Cisco Password Cracker?
Sincerely,
Brad Reese
http://www.BradReese.Com
Reply to Brad Reese
Thank you Brad! I am a fan of yours as well!! This is a nice little online type 7 Cisco password cracker coded up in Java, which gives it portability and truthfully shows just how far we have come in cracking these passwords...with a Java scriptlet. Type 7 Cisco passwords have been cracked since '95 and truthfully should be avoided like a warm beer and tofu party.
However, I still see a whooooole bunch of them. A Google search with the string:
intext:"enable password 7
will give folks many results. Not on the device, but where a config was posted to get help. If you ever need to post a config or send one in email, make sure you use the "show tech-support" command. That scrubs the passwords from the config file. In the end, a big time practice would be:
- use the "enable secret" command to set passwords. These are encrypted using a one-way MD5 hash.
- if you must use "enable 7" to set a password, treat these as clear-text passwords.
Jimmy Ray
Taste the Rainbow Tables
Hi. From what I understand, a rainbow table has every password digest (one-way encrypted value) in it, so all you need to do is take the captured digest and use it to look up the corresponding value.
What happens if we change the way we store one-way encrypted passwords? Say you take the user ID, encrypt it using AES with the password as the key, and then create a digest of the resultant cryptogram. How big would a rainbow table have to be to ensure you get the right combination of user and password? Is there such a thing as a keyed one-way hashing routine (even using a key you still cannot reverse engineer it)?
Just a thought.
Jeff
Reply to Jeff Davis
Hey Jeff,
A whole lotta truth going on in what you are saying there. I have coded up a few crypto packages and without a doubt the biggest issues are:
- Randomness
- CPU power
- Storage on the device
The more entropy we can get into a crypto package the better. The issue is storing the data and having a CPU big enough to chew on the crypto and its normal functions. We are really coming to a point in password management where we, as hardware designers, need to build an ASIC only for security functions to offload the CPU processes. Kinda like a TOE engine does for a high-end NIC. This will certainly drive up cost and time to market across the board.
or
Roll out a full PKI infrastructure at the device level.
Jimmy Ray Purser
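The time-memory trade-off the post describes, and the keyed-hash question Jeff raises above, worked through as an added example that is not the author's code, any commenter's code, or part of Cain or rtgen: a toy rainbow table over a three-letter lowercase space (chains, a per-column reduction function, endpoint-only storage), followed by an HMAC-keyed digest that the same table cannot look up. The alphabet, chain sizes, start points and the site key are all constructed for the demo.

```python
import hashlib
import hmac
# Toy password space: exactly three lowercase letters (26**3 = 17,576 candidates).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40     # hashes walked per chain: the "time" side of the trade-off
NUM_CHAINS = 300   # chain endpoints stored: the "memory" side

def H(pw):
    """Unsalted MD5 digest, the kind of hash a precomputed table targets."""
    return hashlib.md5(pw.encode()).hexdigest()

def R(digest, step):
    """Reduction digest -> password; adding the column index makes each
    column a different function, which is the rainbow-table refinement."""
    n, out = (int(digest, 16) + step) % SPACE, []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def build_table():
    """Precompute chains once; keep only endpoint -> list of start points."""
    table = {}
    for k in range(NUM_CHAINS):
        start = R("%x" % k, 0)      # constructed start points; k=0 gives "aaa"
        x = start
        for i in range(CHAIN_LEN):
            x = R(H(x), i)
        table.setdefault(x, []).append(start)
    return table

def lookup(table, target):
    """Recover a password for digest `target` from stored endpoints only."""
    for j in range(CHAIN_LEN - 1, -1, -1):   # assume target sat in column j
        y = R(target, j)
        for i in range(j + 1, CHAIN_LEN):
            y = R(H(y), i)
        for start in table.get(y, []):       # candidate chain: walk it again
            x = start
            for i in range(CHAIN_LEN):
                if H(x) == target:
                    return x
                x = R(H(x), i)
    return None

def keyed_H(pw, key):
    """HMAC-MD5: a key or per-user salt changes the function, so tables built for H() don't apply."""
    return hmac.new(key, pw.encode(), hashlib.md5).hexdigest()
```

Only endpoints are stored, so memory is NUM_CHAINS entries while a lookup costs up to about CHAIN_LEN**2/2 hashes; that is the trade-off. Keying or salting each stored digest forces the whole precomputation to be redone per key or per user, which is what answers Jeff's question.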