Home page logo
/

basics logo Security Basics mailing list archives

RE: ADS Password Storage Protection-4 Books for 4 Characters
From: "dave kleiman" <dave () davekleiman com>
Date: Wed, 19 Jul 2006 12:19:35 -0400


Well Roger I cannot resist, and I cannot let you have all the fun.

So here is my challenge 4 Books for 4 characters.
No hints except the password is exactly 4 characters long.

Here is the NT hash:

17481E722654CBDA2A6779A805CDD098

Someone should get this really quick!

All four are excellent books from Syngress:

http://www.syngress.com/catalog/?pid=3110

http://www.syngress.com/catalog/?pid=3420

http://www.syngress.com/catalog/?pid=3440

http://www.syngress.com/catalog/?pid=3820


Dave






    -----Original Message-----
    From: Roger A. Grimes [mailto:roger () banneretcs com] 
    Sent: Monday, July 17, 2006 20:51
    To: Gregory Rubin; security-basics () securityfocus com
    Cc: eric.baechle () dhs gov
    Subject: RE: ADS Password Storage Protection-$100 reward to 
    crack my password hashes
    Importance: High
    
    $100 Contest Challenge Below (so keep reading):
    --------------------------
    I password crack for a living. If you can find a fast 
    15-character password hash cracker, please let me know the 
    tool and technique. I know the theoretical 
    technique...dictionary attack tool that uses words as 
    characters and do character substitution using words 
    instead of letters when doing a dictionary attack.
    
    At 15-characters, 99.999% of users won't use a complete 
    dictionary word, so direct dictionary attacking is out. 
    Most users will use one or more dictionary words. Most 
    words will be small (e.g. I, the, me, free, etc.), so 
    entropy will be small. 
    
    (Dr. J of Microsoft has done an excellent paper on this 
    idea-although his conclusion is that moderately long 
    passphrases are no better than short complex 
    passwords-something I disagree with.)
    
    But there aren't any publicly available tools (John the 
    Ripper can be configured to do it though) for 
    word-for-character substitution at the moment. Plus at 15 
    characters, users may will throw in non-words or complexity 
    in their passphrase. As long as the attacker does know that 
    you use full words only and zero complexity, they would 
    have to guess all characters, and at 15 characters it 
    becomes non-trivial to crack.
    
    CHALLENGES:
    Tell you what, let's do a test, with three challenges:
    
    Challenge #1 (Complexity at 10 characters) for the first 
    person to email me the plaintext equivalent to the 
    following NT hashes:
    
    Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04
    
    Clues Normal Password Cracker Would Not Have:
    1. It's 10 characters long exactly
    2. Contains no words contained in the English dictionary, 
    but is based upon two words that have been "license-plated" 
    (i.e. hybrid attack is
    needed)
    3. Moderate complexity, but nothing beyond alpha letters 
    and numbers.
    
    Prize for Challenge #1: 
    1. Your name in my InfoWorld column
    2. A free copy of my book, Honeypots for Windows (Apress, 2005)
    ---
    
    Challenge #2 (15 characters long, no complexity) for the 
    first person to email me the plaintext equivalent to:
    
    Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F
    
    Clues Normal Password Cracker Would Not Have:
    1. It's exactly fifteen characters long
    2. Contains one or more words contained in the English 
    dictionary 3. Absolutely no complexity.
    
    Prize for Challenge #2 for the first person to email me the 
    plaintext equivalent 1. Your name in my InfoWorld column 2. 
    A free copy of my latest book, Professional Windows Desktop 
    and Server Hardening (WROX, 2006)
    ---
    
    Challenge #3 (15 characters or longer, some complexity) for 
    the first person to email me the plaintext equivalent to:
    Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81
    
    Clues Normal Password Cracker Would Not Have:
    1. It's fifteen characters or longer
    2. Contains one or more words contained in the English 
    dictionary 3. Some minor complexity.
    
    Prize for Challenge #3 for the first person to email me the 
    plaintext equivalent 1. Your name in my InfoWorld column 2. 
    $100 out of my pocket (my wife is going to love me) 3. A 
    free copy of my latest book, Professional Windows Desktop 
    and Server Hardening (WROX, 2006) 4. A free copy of my next 
    sole author book, Windows Vista Security:
    Preventing Malicious Attacks (Wiley, 2007), when it comes out.
    (or you can substitute any of these books for my latest 
    co-author book, MCSE Core Electives in a Nutshell 
    (O'Reilly, late 2006) when it comes out.
    
    ------
    Rules:
    1. I solely determine winners and all rules 2. You can only 
    claim one challenge prize. Send me the passwords if you 
    break them, but if you win both challenges #1 and #2, I'll 
    give you all the prizes listed in #2, but I'll give prizes 
    in #1 to the next closest winner.
    
    All password hashes can easily be cracked with the right 
    tool and dictionary. I expect the first challenge to be 
    cracked first. I suspect all three can be cracked. In the 
    real world, the attacker would not be given the clues I 
    have given. But I want readers to understand how hard this 
    would be to do even if you had all the clues a real cracker 
    would need to begin the attack. 
    
    This is proof of concept of password length over 
    complexity. If someone breaks Challenges #2 or #3 before 
    #1, I'll know I'm wrong.
    
    Have fun and enjoy.
    
    -----Original Message-----
    From: Gregory Rubin [mailto:grrubin () gmail com]
    Sent: Monday, July 17, 2006 5:43 PM
    To: Roger A. Grimes
    Cc: eric.baechle () dhs gov; security-basics () securityfocus com
    Subject: Re: ADS Password Storage Protection
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    While I agree that length is far superior to complexity, I 
    must disagree that 15 char is sufficient.
    
    (Pure theory to follow)
    Each additional letter in English provides approximately 
    1.1 bits of entropy.  Even grossly overestimating this at 2 
    bits, the total entropy of a 15 char passphrase is only 30 
    bits or the equivelent of a complex password of length 3 to 
    4.  Thus, the passphrase remains vulnerable to dictionary attacks.
    
    For secure systems, the user should type a sentance.  That 
    will easily provide around 20 or more characters.  At that 
    length, the entropy at the word level (as opposed to just 
    the letter) starts to really come into play and the pass 
    phrase becomes secure.  For administrators, it doesn't even 
    need to be much longer, but they could throw in a little 
    complexity as they are likely to be more competant.
    
    For low security systems, the users are going to pick weak 
    stuff no matter what, so is it worth the added inconvience?
    
    Greg
    
    P.S. Signed with a 40+ char pass-phrase.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (MingW32) - WinPT 0.11.9
    
    iD8DBQFEvAR15KDU23nQpRcRAo8NAKC6zl2Y0IhsInZmaH0wec6nGZuzQwCg5jWq
    UzR9jOPNsVbLXPjA2Lncaz4=
    =81Gb
    -----END PGP SIGNATURE-----
    
    ------------------------------------------------------------
    ---------------
    This list is sponsored by: SensePost
    
    Hacking, like any art, will take years of dedicated study 
    and practice to master. We can't teach you to hack. But we 
    can teach you what we've learned so far. Our courses are 
    honest, real, technical and practical. SensePost willl be 
    at Black Hat Vegas in July. To see what we're about, visit us at: 
    
    http://www.sensepost.com/training.html
    ------------------------------------------------------------
    ---------------
    


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]