Scribd
Upload
8 views51 pages

Cyb25 Password en

The document reviews advancements in code breaking and password recovery technologies, covering basic cryptography concepts, types of encryption, and various password states and types. It discusses tools such as the Password Recovery Tool Kit (PRTK) and techniques like dictionary attacks and rainbow tables for password recovery. Additionally, it highlights the challenges posed by increasing keyspace values and the limitations of lookup tables for stronger cryptosystems.

Uploaded by

Eduardo Manolo López López
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
8 views51 pages

Cyb25 Password en

The document reviews advancements in code breaking and password recovery technologies, covering basic cryptography concepts, types of encryption, and various password states and types. It discusses tools such as the Password Recovery Tool Kit (PRTK) and techniques like dictionary attacks and rainbow tables for password recovery. Additionally, it highlights the challenges posed by increasing keyspace values and the limitations of lookup tables for stronger cryptosystems.

Uploaded by

Eduardo Manolo López López
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 51

A Review of Advancements

in Code Breaking and


Password Recovery
Technology
Code Breaking and Digital Forensics

FBI Supervisory Special Agent


Chris Beeson
Laboratory Director
Silicon Valley Regional Computer Forensic Laboratory
Menlo Park, CA
cbeeson@fbi.gov
www.rcfl.gov
Course Content
• Basic concepts in Cryptography
• Keyspace Dilemma
• PRTK
• Rainbow Tables
• Other Code breaking tools
What is Cryptography
• Cryptography: The art and science of
keeping messages/information secure

• Encryption: Transformation of data


into unreadable form

• Decryption: Reverse of encryption

Applied Cryptography 2nd Addition – Bruce Schneier / RSA Laboratories FAQs about Cryptography Version 3 - 1996
Types of Encryption
• Access Protection
– Not encrypted, just locked
• Data obfuscation
– Encryption by way of scrambling (ROT13)
– Trillian
– XOR
• Data encryption
– Crypto systems
Password States
• Not stored
– Application uses authentication sequence to
verify (ie Word/Excel)
• Stored by User
– Application offers to store, then obfuscate or
encrypt (IE, Yahoo, Netscape)
• Stored by Application
– EFS
Password Types
• Open/Modify Passwords (Word/Excel)
• Unlock
– No encrypt, needed to open file (early Quicken)
• User/Master (PDF)
• Administrator
• Password archives
– PasswordSafe, PasswordsPlus, etc
Terminology
Function
Salt

FEK
Keyspace

Array
Plain Text
Cipher Text
Hash
• Hash Function
– Variable length data stream = fixed length
number
– Must be reproducible with same data
– Cannot be reversed (number back to original
data)
– Also called Message Digests (ie md5)
What is a Hash Function?

WINDOWS LOGON

CAT

MD4 / SHA

= A2D3C1AE4FD2EAC213DE45FA2DEC2AE2
Terminology
Function
Salt

FEK
Keyspace

Array
Plain Text
Cipher Text
Salt
• Salt is used to make a passkey unique for
each user/machine
• Salt is normally published and is not
secret
• Salt is rarely more than a couple of bytes
in size
Two
TwoUsers
Users– –
Same
SamePassword
Password- Without
- With Salt:
Salt:
User 1 cat = f3fca383b05f665ff43244ecdecfe959
User
User 22 cat
cat == ccd15a3c85d28019fb3ef173f7ff344a
f3fca383b05f665ff43244ecdecfe959
Terminology
Function
Salt

FEK
Keyspace

Array
Plain Text
Cipher Text
File Encryption Key
+ SALT
+

=
9o2GrDE398fD7ipR3
You get the idea !
Terminology
Function
Salt

FEK
Keyspace

Array
Plain Text
Cipher Text
Keyspace Values
Key: Any One of a Larger Number of Values
Keyspace: Range of Possible Values
(this can get big!)

20 1,048,576
30 1,073,741,824
32 4,294,967,296
33 8,589,934,592
40 1,099,511,627,776
50 1,125,899,906,842,620
56 72,057,594,037,927,900
60 1,152,921,504,606,850,000
70 1,180,591,620,717,410,000,000
80 1,208,925,819,614,630,000,000,000
90 1,237,940,039,285,380,000,000,000,000
100 1,267,650,600,228,230,000,000,000,000,000
110 1,298,074,214,633,710,000,000,000,000,000,000
120 1,329,227,995,784,920,000,000,000,000,000,000,000
128 340,282,366,920,938,000,000,000,000,000,000,000,000
160 1,461,501,637,330,900,000,000,000,000,000,000,000,000,000,000,000
Keyspace

Key Space Calculation Spreadsheet


Key Space (# of bits) 40
Size of Key Space 1,099,511,627,776

Keys Tested Per Second 500,000

# of Machines 1

Time (in seconds) 2,199,023


Time (in hours) 610.840
Time (in days) 25.45
Time (in years) 0.070
Terminology
Function
Salt

FEK
Keyspace

Array
Plain Text
Cipher Text
Array

An Array is used by cryptographic systems to


generate bit streams used to encrypt and decrypt
data.

A random bit is used with a “Exclusive Or” (XOR)


algorithm that switches the bits that comprise the
data.
Terminology
Function
Salt

FEK
Keyspace

Array
Plain Text
Cipher Text
Plain Text  Cipher Text

10100100001010011
(array value)

PT ^ array value = CT
Crypto System
40 bit

Password
MD5 Hash, SHA Hash ??

40 bit

FEK

MD5 Hash, SHA Hash ??

RC4 1

6
2

7
3

8
4

9
5

1
0

1 1 1 1 1
1 2 3 4 5

1 1 1 1 2
010101010101011
6 7 8 9 0
^ PT
The Key Space and Password
Space Dilemma
Code Breaking Tools
Password Cracking

Ability to recover passwords from well-known


applications
– Decrypt files, folders, and hard drives
– Gain access to files protected by the Microsoft Encrypted
File System (EFS)
Distributed Code Breaking

Ability to recover passwords and/or keys using:


• Brute-Force attacks - Key-Space attacks - Pass-phrase attacks
– One system manages many Clients
– Distributed code breaking to many clients
• Apple Macintosh
• Linux
• UNIX
• Windows
– Uses 'Idle Process' time
Attacking the RC4
Implementation in MS Office
Microsoft Office 40-bit
Encryption

• Due to U.S. Export laws, MS Office 97 and


later versions use 40-bit FEK to initialize RC4
symmetric encryption algorithm.

• An exhaustive key space attack of a 40-bit key


using a 25 computer distributed network
attack (DNA) takes 24+ hours
MS Word – 40 bit Encryption
MS Word Advanced
Encryption Option
Code Breaking Tools
• AccessData
– Password Recovery Tool Kit (PRTK)
– Distributed Network Attack (DNA)
PRTK Overview
Recovery Modules

Some up front
knowledge
might make a
difference !!
• Working Smarter rather than Harder!
Dictionary Attacks

• User Created – Inside/Outside PRTK


• Dictionaries
– Common – Common English words
– Passwords – Password lists (golden dictionary)
– Crime – Sex and drugs
– Misc – Keyboard combinations
– Names – Common names
– General – Webster like
– Unicode
Dictionary Creation
• Select
Dictionary
to Import
• Import
Dictionaries
Utility
What is a Level?
• Level Technology – PRTK/DNA
• Primary Dictionary Search
– rabbit Prefixes
– RABBIT
Postfixes
– Rabbit
– rABBIT Word in a Word
• 1abduct Concatenation
• Toabduct Markov
• abduct123
Reverse
Starting a Job

OR
FIX.DOC
D
R
DRAG
O
P
PRTK
Starting a Job – PRTK
• Drop file into PRTK
Decryption Steps
Properties – Information
Basic File
and Status
Information

o File Name / Path


o Application Type
o Version
o Size
o Dates
o Hashes
o Attack Type
o Profile in use
o Status
o Time Begin / End
Documenting Results – PRTK
• Written Reports
• Electronic Reports
Documenting Results – PRTK
Rainbow Tables
Code Breaking Lookup
Tables and Rainbow Table
Technology

– Use pre-generated cipher text – file encryption key


lookup tables to derive the key that will open 40-bit
encrypted MS-Excel and MS-Word files.
– Recovery time is on the order of 1-5 minutes per file
regardless of the password
– Able to provide the users login LAN and Windows NT
passwords (i.e. attacking the hashes in the SAM file)
Attacking 128-bit
Cryptosystems

– BestCrypt, WinZip (AES), WinRAR, PGP, DriveCrypt, etc.


– Keyspace is to large for lookup tables to be an option
– Only option is to “guess” the user’s password
– Biographical Profiling Options
• NTUSER.DAT File
• Web Crawling
• FTK Export Word List
– The sweet spot for password lengths are 7-10 characters.
– The more resources that can be dedicated to the problem
the higher probably of success
Other Tools
• John the Ripper
– Primarily a user authentication password
cracker (logon)
• Unix, Windows LAN hash

• LC5 L0phtcrack - @stake = Symantec


– NLA
Questions?
Code Breaking and Digital Forensics

FBI Supervisory Special Agent


Chris Beeson
Laboratory Director
Silicon Valley Regional Computer Forensic Laboratory
Menlo Park, CA
cbeeson@fbi.gov
www.rcfl.gov

You might also like