Showing posts with label crack. Show all posts

Wednesday, August 17, 2011

Validity of most-common-password lists

As this tweet asks: what's the validity of the various lists of the most common passwords people choose, such as this one http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time.

The answer is: it depends. If you dump the password database of an average website, these are indeed the passwords you'll see most often.

But they may not reflect the passwords people choose for important sites, such as corporate or banking accounts. The less important a site, the poorer the passwords: people choose weaker passwords for something like a Sony PlayStation gaming account than they would for their corporate account. This is especially true when the corporate account enforces password complexity and rotation rules, which the typical consumer site does not.

Thursday, April 02, 2009

GPU cracking for $250


ATI and nVidia have just shipped their spring refresh cards. Both now sell an essentially top-of-the-line card for $250 (the ATI Radeon HD 4890 or the nVidia GeForce GTX 275). If you do password cracking for pentests, you might want to pick up a few of these cards.

Either would be an excellent card to buy for password cracking, and either should increase cracking speed by around 10x over a CPU. I prefer the nVidia card because the CUDA programming support is easier to work with, but I suspect the ATI card may be slightly faster at raw number crunching.

Note the way I say "top-of-the-line". For graphics, the more expensive GTX 285 is better than the GTX 275. However, both cards have the same number of "stream processors" running at roughly the same clock speed, so both should crack passwords at about the same rate. What makes the GTX 275 cheaper is that it has fewer back-end graphics resources (fewer raster units, slower memory, a narrower memory bus, a smaller frame buffer). We don't care about those resources; for hash cracking all that matters is the number of stream processors and how fast they run.

Wednesday, November 12, 2008

Graphics cards are for cracking

I finally got around to testing Elcomsoft's WPA password cracking. If you'll remember, Elcomsoft announced last month that they could use the graphics card to crack WPA passwords 100 times faster than with a normal processor. I found it's not 100 times faster, but the acceleration is significant enough that if you do WiFi pentesting, you should probably get a graphics card to speed this up.

I ran their software on a number of systems. A screenshot of the results is below:
The systems are:
  • "Core2Duo-GT260" is an nVidia GT260 GPU, w/ Core 2 Duo 3.0-GHz
  • "Core2Quad" is a Core 2 Quad 2.4-GHz.
  • "EEE901" is an Intel Atom 1.6-GHz, dual-threaded.
  • "MacBookAir" is using the nVidia 9400m GPU, w/ Core 2 Duo 1.86-GHz
  • "Pentium3-400MHz" is using an Intel Pentium III 400-MHz single-core CPU
Using the nVidia GT260 graphics card, the system could test roughly 10,000 password candidates per second. A cheap quad-core CPU can only do about 1,000 per second. This is not the 100-fold speed-up promised, but it is an impressive 10-fold speed-up.

I tried out some other processors as well. Intel has shipped a new extremely low-power processor (intended for netbooks and handheld devices) called the "Atom". It has roughly a tenth the CPU power of the desktop processor.

I tested the MacBook Air. Its graphics accelerator is actually slower than the built-in processor. Its 9400m GPU only does 178 hashes-per-second, but the Core 2 Duo could do around 400 hashes-per-second.

Graphics cards work by having a lot of tiny/simple processors. Here is a breakdown of some typical processors:

In theory, the speed of the cracking software should correlate with the frequency multiplied by the number of cores. The card to get right now is probably the 9800 GX2. I just ordered one from Newegg for $274. It puts two chips together on a single card, which should make it faster (as well as cheaper) than the GT260. I spent another $200 to get a system to go around it.

Elcomsoft's software currently cannot spread work across different card models. Therefore, when running it on a MacBook Pro (which has both a 9400m and a 9600m), you won't be able to use both GPUs simultaneously.

Monday, October 13, 2008

WPA is NOT obsolete

Elcomsoft, a company that produces password cracking software, has recently announced an upgrade to that product that uses the computer's graphics processor (GPU) to crack Wi-Fi passwords 100 times faster than before. In response to this, one so-called expert has claimed this means that WPA/WPA2 is obsolete, and that you must use VPNs to secure Wi-Fi networks.

Not quite.

At worst, all this really means is that you have to add one extra character to your WPA passphrase to achieve the same level of security. Password cracking cost grows exponentially with length: each additional character makes a brute-force search roughly 100 times more difficult (strictly 95 times, if you use the full set of upper and lower case letters, digits, and symbols, which is 95 printable ASCII characters).

The claim of 100 times is a little hyped. It compares the most expensive graphics-card setup, costing around $1000 (dual GTX 280s), against a cheap CPU. On my system with a cheaper graphics card (nVidia 8800GT), the GPU is likely to be only 5x faster than my CPU. If you are going to invest a lot of money in password cracking, you should probably invest in FPGAs (such as those from Pico Computing) instead.

You can only crack WPA passwords this way when everyone on the network shares the same passphrase (a "pre-shared key" or PSK). Networks that give each person their own credentials (WPA-Enterprise, using a RADIUS server and EAP) are not vulnerable to this sort of offline cracking. If home users are paranoid, they can install a RADIUS server.

Password crackers are good at modeling the way people choose passwords. If you choose something like "Aardvark*Zebra", two dictionary words joined by a symbol, rule-based attacks will find it quickly regardless of its length. Your WPA passphrase needs to be both long AND complex.
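What the "hashes-per-second" numbers in these posts actually measure is the PBKDF2 step that turns a candidate passphrase into a WPA Pairwise Master Key. The example below is added here and is not code from the post or from Elcomsoft: it derives the PMK as 802.11i specifies (checked against the standard's published "password"/"IEEE" test vector), runs a dictionary attack against a target PMK (a real cracker checks the MIC of a captured four-way handshake instead, but the expensive step is the same), and does the keyspace arithmetic behind the "add one character" argument. The candidate list and the 10,000/s rate are taken from the posts above; everything else is illustrative.

```python
"""WPA-PSK: why cracking is slow, what a dictionary attack does, and how
much passphrase length buys you. Added example, not from the post."""
import hashlib
import time

# Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
KNOWN_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The 4096 HMAC-SHA1 iterations per candidate are what keep the rate in
    the hundreds per second on one CPU core; a GPU just runs many in parallel.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, candidates):
    """Return the first candidate whose PMK matches target_pmk, else None.

    A real cracker verifies each candidate against the MIC of the captured
    four-way handshake rather than against a PMK; the cost per guess is identical.
    """
    for cand in candidates:
        if wpa_pmk(cand, ssid) == target_pmk:
            return cand
    return None


def measure_rate(ssid: str = "IEEE", seconds: float = 0.25) -> float:
    """Approximate single-core PMK derivations per second on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk(f"candidate{n}", ssid)
        n += 1
    return n / (time.perf_counter() - start)


def years_to_exhaust(length: int, rate: float, charset: int = 95) -> float:
    """Worst-case time to try every passphrase of `length` printable-ASCII characters."""
    return charset ** length / rate / (365.25 * 24 * 3600)


def extra_chars_to_offset(speedup: float, charset: int = 95) -> int:
    """Characters to add so that an attacker `speedup` times faster gains nothing."""
    n, work = 0, 1
    while work < speedup:
        work *= charset
        n += 1
    return n


if __name__ == "__main__":
    assert wpa_pmk("password", "IEEE") == KNOWN_PMK
    print(f"this CPU: {measure_rate():.0f} PMK/s")
    # 10,000/s is the GPU rate measured in the November 2008 post above.
    print(f"8 printable-ASCII chars at 10,000/s: {years_to_exhaust(8, 10_000):.0f} years")
    print("extra chars to offset a 10x / 100x speed-up:",
          extra_chars_to_offset(10), extra_chars_to_offset(100))
    print(dictionary_attack(KNOWN_PMK, "IEEE", ["letmein", "Aardvark*Zebra", "password"]))
```

Two things the numbers show: at 10,000 candidates per second an eight-character printable-ASCII passphrase takes about 21,000 years to exhaust, so the attack is only practical as a dictionary attack; and because the alphabet is 95 symbols rather than 100, one extra character cancels a 10x GPU outright but recovers only 95x of a claimed 100x, which is close enough to the post's "one extra character".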

The true danger of cracking tools like Elcomsoft's isn't the GPU, but the fact that it also uses distributed computing. You can grab all the computers in a small business and have them collaborate on cracking a single WPA passphrase. Few people are going to invest in hardware for the purpose of cracking passwords, but lots of companies have "unused cycles" they can harness. If somebody were to release an open source program with GPU-accelerated WPA cracking, then we'd have something more to worry about.

EDIT: George Ou also has an nice post debunking this idea.

Monday, September 15, 2008

The Perfect NetBook: Eee 701 2G Surf

The Register has a review of netbooks (mini notebook computers).

For security professionals, the best netbook I've found is the original one, the Eee PC 701 (aka. Eee PC 2G Surf). The thing that makes it perfect is the Atheros WiFi card in the computer and the $250 price tag.

WiFi hacking/pen-testing requires a card that can both receive packets in monitor mode and send (inject) raw packets.

WiFi was designed with the idea that the chip should include its own low-power microprocessor to take care of all the management traffic, so that the host machine can sleep and save power. The consequence is that the host machine is typically unable to see raw packets, nor send raw packets of its own.

Atheros designed its chips to be more open. The "madwifi" project was able to create Linux drivers for Atheros chips that allow full control over packets.

Other chips allow a subset of these abilities. Several others allow "monitor mode" to receive packets. Few, though, allow you to send every type of packet: they will overwrite the sequence numbers, for example, or prevent fragmentation. Others will refuse to send corrupt packets.

When doing WiFi fuzzing, you need to be able to craft every type of packet, including corrupt packets (indeed, that's the point of fuzzing -- to see how a system handles corrupt packets).

The easiest method for WEP cracking is to capture an encrypted ARP packet (identifiable by its fixed size and broadcast destination address) and replay it over and over, generating encrypted responses that each carry a fresh IV. After about 40,000 response packets, 128-bit (104-bit key) WEP can be cracked in just a few seconds. I cracked my home WEP test network in about 15 minutes.
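How a replay tool picks out the encrypted ARP frame without decrypting it is worth spelling out. The example below is added here and is not from the post or from any particular tool: it parses the 802.11 data-frame header, works out the destination address from the To-DS/From-DS bits, and flags frames that are protected, broadcast, and exactly the size an encrypted ARP packet has (24-byte header + 4-byte IV/key-id + 8-byte LLC/SNAP + 28-byte ARP + 4-byte ICV = 68 bytes, or 72 with the FCS). The sample frames are constructed inline, with made-up MAC addresses.

```python
"""Flag encrypted ARP frames in a WEP capture by size and destination.
Added example with constructed frames; not from the post."""
from dataclasses import dataclass

BROADCAST = b"\xff" * 6

# 24 (802.11 data header) + 4 (WEP IV + key id) + 8 (LLC/SNAP) + 28 (ARP)
# + 4 (WEP ICV) = 68 bytes; 72 if the capture keeps the 4-byte FCS.
WEP_ARP_SIZES = {68, 72}


@dataclass
class DataFrame:
    fc0: int        # frame-control byte 0: protocol version, type, subtype
    flags: int      # frame-control byte 1: To-DS, From-DS, Protected, ...
    addr1: bytes
    addr2: bytes
    addr3: bytes
    length: int


def parse_header(frame: bytes) -> DataFrame:
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 data header")
    return DataFrame(frame[0], frame[1], frame[4:10], frame[10:16], frame[16:22], len(frame))


def destination(h: DataFrame) -> bytes:
    """Pick the destination address according to the To-DS/From-DS bits."""
    to_ds, from_ds = h.flags & 0x01, h.flags & 0x02
    if to_ds and not from_ds:     # station -> AP: addr3 is DA
        return h.addr3
    return h.addr1                # AP -> station or ad-hoc: addr1 is DA (WDS not handled)


def is_wep_arp_candidate(frame: bytes) -> bool:
    h = parse_header(frame)
    plain_data = h.fc0 == 0x08            # type = data, subtype = 0 (no QoS field)
    protected = bool(h.flags & 0x40)      # "Protected Frame" bit set: encrypted body
    return plain_data and protected and h.length in WEP_ARP_SIZES and destination(h) == BROADCAST


def arp_candidates(frames):
    """Indices of frames worth replaying."""
    return [i for i, f in enumerate(frames) if is_wep_arp_candidate(f)]


def build_frame(flags: int, addr1: bytes, addr2: bytes, addr3: bytes, body_len: int) -> bytes:
    """Constructed sample: data-frame header followed by an opaque body."""
    header = bytes([0x08, flags]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return header + bytes(body_len)


AP = bytes.fromhex("00112233aabb")     # made-up BSSID
STA = bytes.fromhex("001122ccddee")    # made-up client

SAMPLE_FRAMES = [
    build_frame(0x41, AP, STA, BROADCAST, 44),   # encrypted ARP request, station -> AP
    build_frame(0x42, BROADCAST, AP, STA, 44),   # the same request relayed by the AP
    build_frame(0x01, AP, STA, BROADCAST, 36),   # cleartext ARP on an open network
    build_frame(0x41, AP, STA, STA, 44),         # encrypted 68-byte unicast frame
    build_frame(0x41, AP, STA, BROADCAST, 300),  # encrypted broadcast of the wrong size
]

if __name__ == "__main__":
    print("replay candidates:", arp_candidates(SAMPLE_FRAMES))
```

The size test is what makes this work on an encrypted link: WEP adds a constant 8 bytes and does not pad, so the ARP length survives encryption. The same idea does not carry over to WPA, where the TKIP/CCMP overhead differs and frames are usually QoS data with a longer header.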

For cracking WPA, you need to be able to send deauth packets to force stations to re-authenticate. You then capture the resulting four-way handshake and hope they've chosen an easily guessable passphrase that can be dictionary-cracked offline.

The best thing about the Atheros chipset is that full access-point software exists for it. That means you can set up the Eee PC as a full access point. For pen-testing, you can also set it up as an "evil twin", so that users connect to your access point instead of their intended one (allowing you to intercept their traffic as they surf the Internet).

The Eee PC models with 802.11n contain Ralink chips. Right now, there are no drivers for either monitor mode or raw transmit for these chips. (Note that the Wikipedia article on the Eee PC claims that all models use Atheros WiFi chips; this is wrong.) You can, however, buy a $33 mini-PCI card and replace the WiFi if you want.

Another important feature is the SD slot on the Eee PC. At NewEgg, 4GB cards are $10 and 16GB cards $40. It's pretty easy to install the BackTrack distro and boot from these cards. You could replace the existing OS, but I'm too lazy and boot distros like BackTrack and Knoppix from SD cards.

Saturday, August 09, 2008

Booting OSWA on Eee PC with SD flash

These are some notes for making a bootable SD flash card for my Eee PC from the "OSWA Assistant" bootable CD.

A bootable or "live" CD is a popular way of distributing hacking tools. You just put the CD into any computer and boot from it (instead of your normal hard disk). You get a Linux desktop and pointers to a list of common programs. The most famous of these is probably the "BackTrack" CD.

Another one for wireless auditing is "OSWA Assistant". I've never used it before, but they were handing out CDs at BlackHat 2008 Vegas.

The computer I want to use for this is the "Asus Eee 2G Surf", a $299 disposable laptop. Everybody should probably have a handful of these around to play with.

The problem with the Eee PC is that it doesn't have a CD-ROM drive, so I can't boot the OSWA CD. However, it does have three USB ports and one SD flash port. The SD port is especially nice for booting. You can get 2-gig SD flash cards for $7; they are hella cheap.

To make a bootable SD card from the CD, I went through the following steps.

Step 1: I copied all the files to the SD card. I first put the SD flash card into my Windows PC which became the "D:" drive. I downloaded the latest oswa-assistant.iso image from the OSWA website, opened it in WinRAR on my Windows PC, and extracted all the files to the "D:" drive. You can use pretty much any tool for extracting the files, I just happened to have WinRAR handy. I didn't even know that WinRAR could extract files from ISOs - I just assumed that is the sort of thing that WinRAR ought to be able to do.

Step 2: I needed to make the flash bootable. Most bootable CDs use a tool called "isolinux" to go through the boot process. There is a sibling tool called "syslinux" for making bootable Linux flash devices, such as USB flash or SD flash. I downloaded the syslinux archive, extracted to "C:\syslinux". I opened a command prompt, went to "C:\syslinux\win32" and ran "syslinux.exe -ma D:" to make the SD card bootable.

Step 3: I had to change the "isolinux" configuration to a "syslinux" one. I renamed the "D:\boot\isolinux" directory to a "D:\boot\syslinux" directory instead. I also had to rename the "isolinux.cfg" file in that directory to "syslinux.cfg".

Step 4: I had to configure the Eee PC to boot from SD, otherwise it will boot from its own hard disk. When the system boots, I hit "F2" to go into the BIOS configuration, and change the boot order so that Removable Devices are at the top of the list.

At this point, the system boots. However, there are several problems. First, it complains "You passed an undefined mode number.", which refers to the fact that it doesn't understand something about the text mode screen. Simply hit to continue.

When it reaches "Starting udev hot-plug hardware detection...", it will hang for a while with the message "Starting udev hot-plug hardware detection… udevd-event[2706]: run_program: '/sbin/modprobe' abnormal exit". Don't worry, it will continue on with the boot process after about 5 minutes. It's a bit annoying though. I wish I knew what was failing.

Step 5: There was one fatal error. X Windows hangs looking for an AGP card. In order to fix this, I had to edit the "D:\boot\syslinux\syslinux.cfg" file and put "noagp" at the end of the APPEND line on the second line:
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=791 initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=oswa noagp

Step 6: Profit!
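Steps 3 and 5 above are the parts of this procedure that are easy to get subtly wrong (a stray "isolinux.cfg" left behind, or "noagp" pasted twice). The script below is an added example, not from the post or from the OSWA project, doing those two steps on a Linux box after the ISO contents have been copied to the card: it renames the isolinux directory and config to their syslinux names and appends the kernel parameter only where it is missing, so it can be re-run safely. Installing the boot sector itself is still left to the syslinux tool (on Linux, "syslinux --install" on the card's partition, which needs root and a real device). The sample isolinux.cfg is constructed; only its APPEND line is the one from the post.

```python
"""Convert an isolinux boot tree to syslinux and add kernel parameters.
Added example, not from the post or the OSWA project."""
import tempfile
from pathlib import Path

# The post's fix: "noagp" stops X from hanging while probing for an AGP bus.
DEFAULT_PARAMS = ("noagp",)


def add_kernel_params(cfg_text: str, params=DEFAULT_PARAMS) -> str:
    """Append params to every APPEND line that does not already carry them."""
    out = []
    for line in cfg_text.splitlines():
        stripped = line.lstrip()
        if stripped.upper().startswith("APPEND "):
            present = set(stripped.split()[1:])
            missing = [p for p in params if p not in present]
            if missing:
                line = line.rstrip() + " " + " ".join(missing)
        out.append(line)
    return "\n".join(out) + "\n"


def convert_isolinux_to_syslinux(boot_dir: Path, params=DEFAULT_PARAMS) -> Path:
    """Rename boot/isolinux -> boot/syslinux and isolinux.cfg -> syslinux.cfg,
    then patch the APPEND lines. Running it a second time changes nothing."""
    iso_dir, sys_dir = boot_dir / "isolinux", boot_dir / "syslinux"
    if iso_dir.is_dir():
        iso_dir.rename(sys_dir)
    old_cfg, new_cfg = sys_dir / "isolinux.cfg", sys_dir / "syslinux.cfg"
    if old_cfg.is_file():
        old_cfg.rename(new_cfg)
    new_cfg.write_text(add_kernel_params(new_cfg.read_text(), params))
    return new_cfg


# Constructed stand-in for the CD's isolinux.cfg; only the APPEND line is the
# real one from the post, the other lines are illustrative.
SAMPLE_ISOLINUX_CFG = """DEFAULT oswa
LABEL oswa
KERNEL linux
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=791 initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=oswa
"""


def run_demo() -> dict:
    """Build a throw-away boot tree, convert it twice, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "isolinux").mkdir(parents=True)
        (boot / "isolinux" / "isolinux.cfg").write_text(SAMPLE_ISOLINUX_CFG)
        cfg = convert_isolinux_to_syslinux(boot)
        first = cfg.read_text()
        convert_isolinux_to_syslinux(boot)          # second run must be a no-op
        return {
            "cfg_path": cfg.relative_to(boot).as_posix(),
            "old_dir_gone": not (boot / "isolinux").exists(),
            "append_line": next(ln for ln in first.splitlines() if ln.startswith("APPEND")),
            "idempotent": cfg.read_text() == first,
        }


if __name__ == "__main__":
    # On a real card: convert_isolinux_to_syslinux(Path("/media/sdcard/boot"))
    print(run_demo())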



Tuesday, January 02, 2007

Blah Blah Blah

I love having a blog; it means I can rant, and I sure do like ranting. Like earlier in the week, I was upset that the media made a huge deal out of a Russian site selling a Vista exploit. These reports made it seem like a much worse problem than it was, and few reporters actually mentioned that it was a LOCAL bug and an attacker needs valid credentials to log in to the machine to carry out the attack. I suppose headlines like “Russian site selling lame bug that affects almost nobody” would not have been as eye-grabbing.

This trend of dumping on Vista has continued, but this time it's cracks. If you are not familiar with the term, there are ways to circumvent legitimate licensing and copyright-protection schemes and download and run copies of Microsoft’s latest shiny toy without *GASP* paying for it. Maybe this story is getting play because outside of the hacker community not many people have heard of “warez” and it’s finally going mainstream; maybe it's getting play because it’s a slow news week. I can’t decide which.

Let me disclose something: all the cracks that have been discussed in the media recently, I made efforts to go and find. I now have a very extensive collection of Windows Vista cracks. You might be asking yourself why I would do that; why not just buy a copy or ask MS to give me one? It's simple: I am waiting for the first cracks to appear that are massively infected with virii or spyware. I have seen some, but I am more waiting for something massively blatant, like after 90 days of operation you are prompted for a credit card number or the OS will delete itself and take all of your work/photos/music with it. Surely these free-spirited pirates wouldn’t do such a thing, you might say… honor among thieves and stuff like that.

I ask you, what’s the best way to build a botnet now that a botnet master can’t count on a massive Windows remote 0day every three months that can be used in a recruitment drive? It's simple: you build yourself a good, reliable network of people who can’t patch (security patches require a legit copy of Windows) and who you know will take your bait (free copies of Vista!!). It makes for a great plan; you can even add new functionality to your trojaned OS by releasing “cracked” patches. I am going to call this the “addict pirate”, because once you get a sap hooked on this he or she has to keep coming to you for a fix or *GASP AGAIN* pony up for a legit copy.

Enough ranting about “addict pirates” and back to the poor reporting and business aspects of these “cracks”. These types of cracks have been around for years, and no matter what people say, this will not affect the sale of the OS. What makes me the most irate is how the reporting on the Vista cracks makes it seem like this is the first time an OS has been pirated. Right now on file-sharing networks you can find copies of Windows XP, 2000, ME, 98, and 95. There are even copies of Windows 3.1 floating around! And I don’t mean 3.11 for Workgroups; I am talking about the OLD SCHOOL stuff.

If you take one thing away from this blog post, make sure it’s this thought: this is not a new or shiny problem. As long as there has been software, there have been people stealing it. Nothing to see here, move along.