Exercise: Cryptographic Failures
Solutions for this exercise
Read your passwords
In this exercise, we see why encrypting data without secure storage of the key is not sufficient.
- Install Firefox (or create a new profile for these tests).
- Configure it to save passwords.
- Visit one or more web sites with passwords (for instance the ones we have seen last week).
- Download LaZagne (github repository).
- Read the passwords of Firefox (and some others also).
List of passwords
Unsalted
We have hacked a web site and received the following file containing the usernames and passwords of its users:
The usernames (as you already know) are always the three letters and one digit at the start of each string. Then comes a hash that is not salted; it has been generated with the function SHA1.
For unsalted passwords, you can use rainbow tables such as crackstation.net to recover most of the passwords.
Some hackers also have their own rainbow tables, but most of them don't, since the most interesting passwords are salted.
| Username | Hashed Pwd | Password |
|---|---|---|
| bie1 | 8da4d36229d9b0eb24a9e7c875151a66e5a9eb19 | toto72 |
| doj1 | 1f71e0f4ac9b47cd93bf269e4017abaab9d3bd63 | bonjour |
| due1 | 59d9a6df06b9f610f7db8e036896ed03662d168f | Hallo |
| arb1 | 8cb2237d0679ca88db6464eac60da96345513964 | 12345 |
| frc1 | e8dd41e392fc88d355adc5ce95805975c7baffd6 | Kj56I-0 |
| hnr1 | ba1630afffe80fe0e5fcf353cc9dc245ef2683a9 | gju98 |
| knr1 | 8be3c943b1609fffbfc51aad666d0a04adf83c9d | Password |
| ert1 | db8ac1c259eb89d4a131b253bacfca5f319d54f2 | HelloWorld |
| sdf2 | 7e6dfeb48afce444b8be7b274b7e0869bd7c9c86 | MorgenZäme |
| yxc3 | 5a7f6ec9cdb4dc7035dc03c36e8d48f463cf339c | GoodMorning |
| ztr1 | fb4d8deebe0cd2ae130336c889897f72234586eb | Thisismypassword |
| lkj1 | 06da63dbb1896fb91bfac21d3ede356aa69e0db6 | Bonjourlemonde |
| opi2 | 1f71e0f4ac9b47cd93bf269e4017abaab9d3bd63 | bonjour |
| mnb3 | 048302433b4d42b6fc68f92ffca414a9a976dd46 | MotDePasse |
| rut1 | 1bba086040e9071efd98e303ea4758b1d91f05b5 | Password2015 |
| edc2 | 789ba01887bc4bf6495465a2e007c641259d013f | bonjour2015 |
| rfv3 | b518312d4755b54f8155e0f7c26b12eca1474287 | MotDePasse2015 |
| tgb1 | daa1f31819ed4928fd00e986e6bda6dab6b177dc | MyPassword |
Salted
We have hacked another web site and received the following file containing the usernames and passwords of its users:
In this example, the hashes have been salted with the username followed by a semicolon.
You can brute force passwords of length 4 or 5 with a small Python script. It will not work for passwords of length 7; for those you will need something like C (or install a precompiled tool).
| Username | Hashed Pwd | Password |
|---|---|---|
| bie1 | f952bf8a0c5a4c3c630c2f11b7cd2f1ce6d31ac1 | toto |
| doj1 | c8215163f78d5ca3f53d31cf9eecc2a94b692c0c | Hello18 |
| due1 | b3b6fec7270d61c5233e94584a44c05072a16582 | Hallo |
| arb1 | 5ebdf7b8a05bd7c8d29fab38a24107e67038c7bf | qwertz |
| frc1 | 8f45d408209a0fd5114d589db35e6e11b8d6436c | asdfgh |
| hnr1 | 7f661d99c5334f889468f3d3c3e675eea5510fac | gju98 |
| knr1 | cef984bc0c44d1bf3f6d1bf0e34eb0d3457ce189 | Pass |
| opi2 | 771eede0589a442dc47b94fec18f7871dac1fd56 | bonjour |
| mnb3 | ce3d1bdd4462743e1e3c1098d92d41ab103484e3 | Passe |
| rut1 | 1a05afa03a80e7667e8dcbbac6c1654b2624c5af | 2015 |
| edg2 | f88dd27d89cded768dd53637c6d03b6dbb1ea86c | abrkdj |
| rfg3 | 2ebca136044a4bb0d0a20a59784b65d43e4a2ff4 | eirud13 |
| tgg1 | ec9076e7f4e1248719557c35473014f6862586a1 | fjfj09 |
The hashes were produced by the following PHP function (username, a semicolon, then the password, all fed to SHA1):

    function hashPassword($username, $password) {
        return sha1($username . ';' . $password);
    }

Modify the program written for the exercise Authentication to brute-force the first password.
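The two schemes of this exercise side by side, as an added Python example that is not part of the exercise page: a dictionary lookup against the unsalted SHA1 hashes, the per-user brute force that the `username;` salt forces on an attacker (the "small Python script" the text mentions), and, for contrast, a slow salted KDF that the page does not cover. The wordlist is constructed, and `hash_password_slow` with its PBKDF2 parameters is my own addition.

```python
import hashlib
import itertools
import os
import string
from typing import Optional

# Constructed sample wordlist, standing in for the crackstation.net list the page points to.
WORDLIST = ["123456", "12345", "Password", "password", "bonjour", "toto72", "Hallo"]

def sha1_unsalted(password: str) -> str:
    """Scheme of the first table: plain SHA1, so one password gives the same hash for every user."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(username: str, password: str) -> str:
    """Python port of the page's PHP hashPassword(): sha1($username.';'.$password)."""
    return hashlib.sha1(f"{username};{password}".encode()).hexdigest()

def lookup_unsalted(target_hash: str, wordlist) -> Optional[str]:
    """Unsalted: one precomputed hash->password table (a rainbow table in miniature)
    serves every user of every site that stores bare SHA1."""
    table = {sha1_unsalted(word): word for word in wordlist}
    return table.get(target_hash.lower())

def brute_force_salted(username: str, target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Salted with the username: the table above no longer transfers, but SHA1 is so fast
    that every candidate up to max_len characters can still be tried per user in seconds."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(username, candidate) == target_hash:
                return candidate
    return None

def hash_password_slow(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened alternative, not from the page: random 16-byte salt plus PBKDF2-HMAC-SHA256
    with 600,000 iterations, roughly a million times more work per guess than one SHA1."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()

if __name__ == "__main__":
    # doj1 and opi2 both use "bonjour": equal hashes in the unsalted table, distinct once salted.
    print(hash_password("doj1", "bonjour") == hash_password("opi2", "bonjour"))  # False
    print(lookup_unsalted("8cb2237d0679ca88db6464eac60da96345513964", WORDLIST))  # 12345
    # First row of the salted table: user bie1, lowercase letters, up to 4 characters.
    print(brute_force_salted("bie1", "f952bf8a0c5a4c3c630c2f11b7cd2f1ce6d31ac1",
                             string.ascii_lowercase, 4))
```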
Installation of HashCat
Download and install the tool HashCat, for advanced password "recovery".
Use hashcat to discover the passwords of the users we hacked. There are also GPU-optimized versions of this software, so if you have a strong graphics card, you should download one of them.
You may need a list of passwords (acquired from many attacks); you will find one at the bottom of this page: crackstation.net.
Remark: if you use one of those passwords, you should change it soon ;-).
Contact
Prof. Dr. Emmanuel Benoist
Berner Fachhochschule - TI
Quellgasse 21
CH-2501 Biel/Bienne
Switzerland
Mail: emmanuel.benoist (at) bfh.ch