SlideShare a Scribd company logo

Cryptography implementation weaknesses: based on true story

Download as ODP, PDF
V
Vlatko Kosturjak

Vlatko Kosturjak discusses weaknesses found in a Cisco SHA256 password hash implementation. He describes how he was able to determine the hash was using an insecure custom charset and no salt or iterations. This allowed him to crack the hash using rainbow tables. He created tools to convert Cisco configuration files to the John the Ripper format and cracked multiple passwords. His recommendations include implementing stronger cryptography, avoiding password reuse, and working with security researchers to improve implementations.

Technology
1 of 20
#fsec Cryptography implementation weaknesses based on true story Vlatko Kosturjak https://twitter.com/k0st BM-2D972vHJXV8nwaFG6vUfEmy5tFjrE97edN
Agenda ● True story – my perspective ● I got this hash... – What it is? – Is it vulnerable? – How I can crack it? ● Recommendations ● Summary ● Questions
Elephant in the room...
Let's start with the hashes! :) http://www.openwall.com/lists/john-dev/2013/03/15/10
Somewhere in the galaxy... http://www.openwall.com/lists/john-dev/2013/03/06/5
Let's look closer! Same hash for same password different user? ● Password reuse identification ● Password frequency ● Memory-time trade off vulnerability ● Rainbow tables ● Lookup ● Pot file ● Database ● On-line
Story goes on... http://www.openwall.com/lists/john-dev/2013/03/12/5
Finding what it is.. ● “...My only advise is to just pretend you found this hash and have no clue where it came from. Now try the first two things that you should do when you find a 43 character hash with uppercase and lowercase letters, numbers, dot, and forward slash. Hmm that might be too much info...” Sc00bz64 on john-dev ● Formats – Crypt – Hex – Base64 – ...
So, what it is? In short, please! ● BASE64 with custom charset – ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXY Zabcdefghijklmnopqrstuvwxyz ● SHA256 ● No salt ● No iteration ● Length – 1-25 characters
Cisco SHA256 implementation ● First implementation in PHP – http://pastebin.com/1yCLwyVY ● First implementation in Perl – http://www.openwall.com/lists/john-dev/2013/03/16/12 – https://gist.github.com/kost/5177541 ● Time to crack! :) https://twitter.com/k0st/status/312988851138355201
First C implementation as new format type in john http://www.openwall.com/lists/john-dev/2013/03/16/7 https://github.com/kholia/JohnTheRipper/tree/cisco-type-4
Wait a minute? ● It is Base64 with custom iteration – Decode it! – And encode it correctly ● How john likes it ;) ● What that means? – No need for new john format – SHA256 exists already ● CPU ● GPU
Over? Not yet!
cisco2john.pl $ ./cisco2john.pl cisco.conf >cisco.in 2>cisco.seed $ cat cisco.in enable_secret_level_2:5e884898da28047151d0e56f8dc62 92773603d0d6aabbdd62a11ef721d1542d8 enable_secret:$1$4C5N$JCdhRhHmlH4kdmLz.vsyq0 $ ./john -wo:cisco.seed -rules cisco.in https://github.com/magnumripper/JohnTheRipper/blob/unstable-jumbo/run/cisco2john.pl
cisco2john.pl multiple configurations $ ls *conf 127.0.0.1-startup-config 127.0.0.1-running-config [..] 192.168.1.1-startup-config 192.168.1.1-running-config $ cat *.conf | ./cisco2john.pl >cisco.in 2>cisco.seed $ ./john -wo:cisco.seed -rules cisco.in https://github.com/magnumripper/JohnTheRipper/blob/unstable-jumbo/run/cisco2john.pl
Public advisory http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
Password types sorted by recommendations Password type Method 5 MD5 4 SHA256 (no salt) 7 Decode 0 Plaintext
Recommendations ● Implementators – Think about implementation of your crypto ● Even big guys missed it – Implement basic checks ● Users – Don't use type 4, use 5 – Don't use 7/0/4 in short ;) – Password reuse is problem – Don't mix same passwords with different password types
Summary ● Crypto implementations can be bad – Nothing new ● “Improving” crypto is two way direction ● Working together – Less time – more rock – There are smart people out there ● John-dev ● Nmap-dev ● Metasploit ● ...
Thanks for your time Questions? https://twitter.com/k0st BM-2D972vHJXV8nwaFG6vUfEmy5tFjrE97edN

Recommended

my portfoliopresentation
my portfoliopresentationmy portfoliopresentation
my portfoliopresentationJoseReyes
 
Perfiles
PerfilesPerfiles
PerfilesDianaPaolaFrancoGavi
 
New text document
New text documentNew text document
New text documentsskchaitu
 
Roll your own web crawler. RubyDay 2013
Roll your own web crawler. RubyDay 2013Roll your own web crawler. RubyDay 2013
Roll your own web crawler. RubyDay 2013Francesco Laurita
 
Linux Privilege Escalation with Lin Security.
Linux Privilege Escalation with Lin Security.Linux Privilege Escalation with Lin Security.
Linux Privilege Escalation with Lin Security.Deepanshu Gajbhiye
 
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE
 
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇACODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇACODE BLUE
 
JS in Space
JS in SpaceJS in Space
JS in SpaceRyan Kotzen
 

Recommended

my portfoliopresentation
my portfoliopresentationmy portfoliopresentation
my portfoliopresentationJoseReyes
 
Perfiles
PerfilesPerfiles
PerfilesDianaPaolaFrancoGavi
 
New text document
New text documentNew text document
New text documentsskchaitu
 
Roll your own web crawler. RubyDay 2013
Roll your own web crawler. RubyDay 2013Roll your own web crawler. RubyDay 2013
Roll your own web crawler. RubyDay 2013Francesco Laurita
 
Linux Privilege Escalation with Lin Security.
Linux Privilege Escalation with Lin Security.Linux Privilege Escalation with Lin Security.
Linux Privilege Escalation with Lin Security.Deepanshu Gajbhiye
 
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE
 
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇACODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇACODE BLUE
 
JS in Space
JS in SpaceJS in Space
JS in SpaceRyan Kotzen
 
iOS Zagreb Meetup #02 -
iOS Zagreb Meetup #02 - iOS Zagreb Meetup #02 -
iOS Zagreb Meetup #02 - Infinum
 
Stephen Ridley - Greyhat Ruby
Stephen Ridley - Greyhat RubyStephen Ridley - Greyhat Ruby
Stephen Ridley - Greyhat RubySource Conference
 
Cocina conxamarin
Cocina conxamarinCocina conxamarin
Cocina conxamarinJosé Manuel Montero Ortega
 
Office doc (10)
Office doc (10)Office doc (10)
Office doc (10)ly2wf
 
File hosting search engines
File hosting search enginesFile hosting search engines
File hosting search enginesUmar Ali
 
Link download
Link downloadLink download
Link downloadNadzirah Md Rashid
 
Palestra "Do PHP ao Rails"
Palestra "Do PHP ao Rails"Palestra "Do PHP ao Rails"
Palestra "Do PHP ao Rails"Almir Mendes
 
Wonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSWonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSVlatko Kosturjak
 
<?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! <?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! Sean Prunka
 
<?php>m doing! (shh, yes you do.)
<?php>m doing! (shh, yes you do.)<?php>m doing! (shh, yes you do.)
<?php>m doing! (shh, yes you do.)Sean Prunka
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2ice799
 
ASA Trial Workshop Slides for Archives NZ [2016-09-28]
ASA Trial Workshop Slides for Archives NZ [2016-09-28]ASA Trial Workshop Slides for Archives NZ [2016-09-28]
ASA Trial Workshop Slides for Archives NZ [2016-09-28]Ross Spencer
 
Node js javascript no lado do servidor
Node js javascript no lado do servidorNode js javascript no lado do servidor
Node js javascript no lado do servidorMauricio Vieira
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Webbisauna - ClojureScript for Javascript Developers
Webbisauna - ClojureScript for Javascript DevelopersWebbisauna - ClojureScript for Javascript Developers
Webbisauna - ClojureScript for Javascript DevelopersJuho Teperi
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
DIY Applied Machine Learning
DIY Applied Machine LearningDIY Applied Machine Learning
DIY Applied Machine LearningTarek Hoteit
 
Using FXML on Clojure
Using FXML on ClojureUsing FXML on Clojure
Using FXML on ClojureEunPyoung Kim
 
Fosdem managing my sql with percona toolkit
Fosdem managing my sql with percona toolkitFosdem managing my sql with percona toolkit
Fosdem managing my sql with percona toolkitFrederic Descamps
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 

More Related Content

What's hot

iOS Zagreb Meetup #02 -
iOS Zagreb Meetup #02 - iOS Zagreb Meetup #02 -
iOS Zagreb Meetup #02 - Infinum
 
Stephen Ridley - Greyhat Ruby
Stephen Ridley - Greyhat RubyStephen Ridley - Greyhat Ruby
Stephen Ridley - Greyhat RubySource Conference
 
Office doc (10)
Office doc (10)Office doc (10)
Office doc (10)ly2wf
 
File hosting search engines
File hosting search enginesFile hosting search engines
File hosting search enginesUmar Ali
 
Palestra "Do PHP ao Rails"
Palestra "Do PHP ao Rails"Palestra "Do PHP ao Rails"
Palestra "Do PHP ao Rails"Almir Mendes
 

What's hot (7)

iOS Zagreb Meetup #02 -
iOS Zagreb Meetup #02 - iOS Zagreb Meetup #02 -
iOS Zagreb Meetup #02 -
 
Stephen Ridley - Greyhat Ruby
Stephen Ridley - Greyhat RubyStephen Ridley - Greyhat Ruby
Stephen Ridley - Greyhat Ruby
 
Cocina conxamarin
Cocina conxamarinCocina conxamarin
Cocina conxamarin
 
Office doc (10)
Office doc (10)Office doc (10)
Office doc (10)
 
File hosting search engines
File hosting search enginesFile hosting search engines
File hosting search engines
 
Link download
Link downloadLink download
Link download
 
Palestra "Do PHP ao Rails"
Palestra "Do PHP ao Rails"Palestra "Do PHP ao Rails"
Palestra "Do PHP ao Rails"
 

Similar to Cryptography implementation weaknesses: based on true story

Wonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSWonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSVlatko Kosturjak
 
<?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! <?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! Sean Prunka
 
<?php>m doing! (shh, yes you do.)
<?php>m doing! (shh, yes you do.)<?php>m doing! (shh, yes you do.)
<?php>m doing! (shh, yes you do.)Sean Prunka
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2ice799
 
ASA Trial Workshop Slides for Archives NZ [2016-09-28]
ASA Trial Workshop Slides for Archives NZ [2016-09-28]ASA Trial Workshop Slides for Archives NZ [2016-09-28]
ASA Trial Workshop Slides for Archives NZ [2016-09-28]Ross Spencer
 
Node js javascript no lado do servidor
Node js javascript no lado do servidorNode js javascript no lado do servidor
Node js javascript no lado do servidorMauricio Vieira
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Webbisauna - ClojureScript for Javascript Developers
Webbisauna - ClojureScript for Javascript DevelopersWebbisauna - ClojureScript for Javascript Developers
Webbisauna - ClojureScript for Javascript DevelopersJuho Teperi
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
DIY Applied Machine Learning
DIY Applied Machine LearningDIY Applied Machine Learning
DIY Applied Machine LearningTarek Hoteit
 
Using FXML on Clojure
Using FXML on ClojureUsing FXML on Clojure
Using FXML on ClojureEunPyoung Kim
 
Fosdem managing my sql with percona toolkit
Fosdem managing my sql with percona toolkitFosdem managing my sql with percona toolkit
Fosdem managing my sql with percona toolkitFrederic Descamps
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Ripping web accessible .git files
Ripping web accessible .git filesRipping web accessible .git files
Ripping web accessible .git filesVlatko Kosturjak
 
Don't Think Websites, think data
Don't Think Websites, think dataDon't Think Websites, think data
Don't Think Websites, think dataMike Ellis
 
Dontthinkwebsitesthinkdatafinal 090713100859 Phpapp02
Dontthinkwebsitesthinkdatafinal 090713100859 Phpapp02Dontthinkwebsitesthinkdatafinal 090713100859 Phpapp02
Dontthinkwebsitesthinkdatafinal 090713100859 Phpapp02World Sports Boats
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 

Similar to Cryptography implementation weaknesses: based on true story (20)

Wonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSWonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCS
 
<?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! <?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny!
 
<?php>m doing! (shh, yes you do.)
<?php>m doing! (shh, yes you do.)<?php>m doing! (shh, yes you do.)
<?php>m doing! (shh, yes you do.)
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2
 
ASA Trial Workshop Slides for Archives NZ [2016-09-28]
ASA Trial Workshop Slides for Archives NZ [2016-09-28]ASA Trial Workshop Slides for Archives NZ [2016-09-28]
ASA Trial Workshop Slides for Archives NZ [2016-09-28]
 
Node js javascript no lado do servidor
Node js javascript no lado do servidorNode js javascript no lado do servidor
Node js javascript no lado do servidor
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
Webbisauna - ClojureScript for Javascript Developers
Webbisauna - ClojureScript for Javascript DevelopersWebbisauna - ClojureScript for Javascript Developers
Webbisauna - ClojureScript for Javascript Developers
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
 
DIY Applied Machine Learning
DIY Applied Machine LearningDIY Applied Machine Learning
DIY Applied Machine Learning
 
Using FXML on Clojure
Using FXML on ClojureUsing FXML on Clojure
Using FXML on Clojure
 
Fosdem managing my sql with percona toolkit
Fosdem managing my sql with percona toolkitFosdem managing my sql with percona toolkit
Fosdem managing my sql with percona toolkit
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
Ripping web accessible .git files
Ripping web accessible .git filesRipping web accessible .git files
Ripping web accessible .git files
 
Don't Think Websites, think data
Don't Think Websites, think dataDon't Think Websites, think data
Don't Think Websites, think data
 
Dontthinkwebsitesthinkdatafinal 090713100859 Phpapp02
Dontthinkwebsitesthinkdatafinal 090713100859 Phpapp02Dontthinkwebsitesthinkdatafinal 090713100859 Phpapp02
Dontthinkwebsitesthinkdatafinal 090713100859 Phpapp02
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 

Recently uploaded

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Cryptography implementation weaknesses: based on true story

  • 1. #fsec Cryptography implementation weaknesses based on true story Vlatko Kosturjak https://twitter.com/k0st BM-2D972vHJXV8nwaFG6vUfEmy5tFjrE97edN
  • 2. Agenda ● True story – my perspective ● I got this hash... – What it is? – Is it vulnerable? – How I can crack it? ● Recommendations ● Summary ● Questions
  • 3. Elephant in the room...
  • 4. Let's start with the hashes! :) http://www.openwall.com/lists/john-dev/2013/03/15/10
  • 5. Somewhere in the galaxy... http://www.openwall.com/lists/john-dev/2013/03/06/5
  • 6. Let's look closer! Same hash for same password different user? ● Password reuse identification ● Password frequency ● Memory-time trade off vulnerability ● Rainbow tables ● Lookup ● Pot file ● Database ● On-line
  • 8. Finding what it is.. ● “...My only advise is to just pretend you found this hash and have no clue where it came from. Now try the first two things that you should do when you find a 43 character hash with uppercase and lowercase letters, numbers, dot, and forward slash. Hmm that might be too much info...” Sc00bz64 on john-dev ● Formats – Crypt – Hex – Base64 – ...
  • 9. So, what it is? In short, please! ● BASE64 with custom charset – ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXY Zabcdefghijklmnopqrstuvwxyz ● SHA256 ● No salt ● No iteration ● Length – 1-25 characters
  • 10. Cisco SHA256 implementation ● First implementation in PHP – http://pastebin.com/1yCLwyVY ● First implementation in Perl – http://www.openwall.com/lists/john-dev/2013/03/16/12 – https://gist.github.com/kost/5177541 ● Time to crack! :) https://twitter.com/k0st/status/312988851138355201
  • 11. First C implementation as new format type in john http://www.openwall.com/lists/john-dev/2013/03/16/7 https://github.com/kholia/JohnTheRipper/tree/cisco-type-4
  • 12. Wait a minute? ● It is Base64 with custom iteration – Decode it! – And encode it correctly ● How john likes it ;) ● What that means? – No need for new john format – SHA256 exists already ● CPU ● GPU
  • 14. cisco2john.pl $ ./cisco2john.pl cisco.conf >cisco.in 2>cisco.seed $ cat cisco.in enable_secret_level_2:5e884898da28047151d0e56f8dc62 92773603d0d6aabbdd62a11ef721d1542d8 enable_secret:$1$4C5N$JCdhRhHmlH4kdmLz.vsyq0 $ ./john -wo:cisco.seed -rules cisco.in https://github.com/magnumripper/JohnTheRipper/blob/unstable-jumbo/run/cisco2john.pl
  • 15. cisco2john.pl multiple configurations $ ls *conf 127.0.0.1-startup-config 127.0.0.1-running-config [..] 192.168.1.1-startup-config 192.168.1.1-running-config $ cat *.conf | ./cisco2john.pl >cisco.in 2>cisco.seed $ ./john -wo:cisco.seed -rules cisco.in https://github.com/magnumripper/JohnTheRipper/blob/unstable-jumbo/run/cisco2john.pl
  • 17. Password types sorted by recommendations Password type Method 5 MD5 4 SHA256 (no salt) 7 Decode 0 Plaintext
  • 18. Recommendations ● Implementators – Think about implementation of your crypto ● Even big guys missed it – Implement basic checks ● Users – Don't use type 4, use 5 – Don't use 7/0/4 in short ;) – Password reuse is problem – Don't mix same passwords with different password types
  • 19. Summary ● Crypto implementations can be bad – Nothing new ● “Improving” crypto is two way direction ● Working together – Less time – more rock – There are smart people out there ● John-dev ● Nmap-dev ● Metasploit ● ...
  • 20. Thanks for your time Questions? https://twitter.com/k0st BM-2D972vHJXV8nwaFG6vUfEmy5tFjrE97edN