Well, we've got some computers in front of us because it's time to talk about cryptographic attacks. Now, when we talk about cryptographic attacks, the easier way to interpret this is cracking passwords. Now, don't get too excited; everybody's like, you finally get to crack some passwords. Well, first of all, let's make sure we understand what we're talking about when we talk about password cracking. When you have some kind of server, a web server, an FTP server, an SSH server, a game server, I don't care what kind, an operating system that's sharing folders, it doesn't matter what it is, you are going to have to have a list of usernames and passwords stored somewhere on that server system. Now, you have to store them, because when someone logs in there, they're going to type in a username and password, and that comes to that server.
So you have to store the password. So how do you store it? Well, you could just store it in clear text; you can literally have a list somewhere on your hard drive that says Mike, comma, and then whatever his password is, and Bob, comma, whatever his password is, and Janet, comma, whatever her password is. And we could do that. But the downside is that if a bad guy gets to that server, he could get easy access to our passwords. So traditionally, what we do with a password is that when we create a new user and have them type in a password, the password is never stored on the hard drive; we just hash it.
So we just make a hash of the password. Now if you've got a hash of the password sitting on the server, and somebody who's a client wants to log in, the server is going to say, please type in your username and password. So they type in a username and password on their side, and then that is hashed. So the hash comes over the internet and gets to the server. The server compares the hashes, and that's how it logs in.
So we would really never use clear text except in the most primitive of situations. The important thing to understand here is, if you want to get into cryptographic attacks, if you want to hack passwords, what you're really doing is hacking hashes. So there's a couple of things that come into play here. Number one, you have to be able to get to that list of hashes in the first place, so one of the hardest jobs in cryptographic attacks is: how do you get to that server? And how do you grab those username and password lists? You don't know what the passwords are, but how do you at least get the list?
That varies for every single thing that's out there. If you want to get into your Windows system, it has its own set of passwords and hashes. If you want to get to an FTP server, it depends on the brand. They have their own usernames and passwords. The biggest part of cryptographic attacks really isn't hacking the hashes; the biggest part is getting to them, and I'm not covering that in this section because there are huge groups of people who spend all kinds of time with all kinds of different stuff to figure out how to get to these different things. The second thing we need to talk about is that if the password is stored as a hash, there is no way for you to reverse that hash to figure out what the password is. It's just not going to happen.
So what we're going to do instead is we're going to generate hashes until we get the hash that we have a copy of. And now that we have the copy, we know what this hash is because we generated it ourselves. And then we know what the password is. So when we're talking about cryptographic attacks, and in particular we're going to talk about brute force attacks and dictionary attacks and rainbow tables and all that kind of stuff, keep in mind that what we're doing more than anything else is generating hashes and comparing them, and when we compare the right ones, then we finally can say we have the password.
So I want to go through this process a little bit. And the best way to do this is to pick an arbitrary server to attack. So in this case, I'm going to use a program called freeSSHd, and I've got it right here. So this is freeSSHd. freeSSHd is a wonderful little SSH and Telnet server. I've been using this thing for years and years.
Nothing special about it. But one of the things that's kind of fun is that it's got these user accounts. So I'm going to add a user, and I'm going to add a user called Timmy. And there's all these different ways I can store stuff. I could use NT, which is the Windows operating system that it's on.
Or in this case, I'm going to use password stored as a SHA-1 hash. And I'm going to give it a dangerously simple password, and I'm going to call it m-i-k-e, all lowercase. Do not try such a small password at home. All right, and then what do I want this guy to be able to do with this particular SSH tool? So here we go.
Now I've got this Timmy in here. And now, first of all, I have to figure out where this Timmy password is. So to do that, hit OK. All I've done there is actually got freeSSHd to save that particular one. So now I want you to watch this. I had to do a lot of research for this old program, but I dug and dug and I finally found some documentation that says all the passwords with the SHA-1 hash are stored in this little file right here.
So I could open this file up and scroll around here, and I can see some other user accounts I have on here. But here's the Timmy account right here. So that is the actual hash that is storing that password of mike now. Now that I have the hash, that's great, but I need some tool that I can take this hash value and throw it in and say, keep running a bunch of hashes until you find one that matches that. And that process, which we call a brute force attack, can be done all kinds of different ways. Now for this one particular example, I'm going to use an old program called Cain and Abel.
Let me show you that guy. So this is Cain and Abel. Now I need to warn you about a couple of things about Cain and Abel before we get started. First of all, Cain and Abel is a very, very powerful tool, but it's very dated. So even though I'm running a modern Windows 10 system here, there's a lot of features of Windows 10 that really just don't come into play anymore. The other thing is that any time we talk about cryptographic tools like this, they're not instantly easy to use; it would be kind of like someone saying, hey, let's go ahead and make an accounting spreadsheet, and I hand you Excel.
Sure, it's a good tool, but you really have to understand what's going on. So there's a lot of steps in here that I go through quickly simply because I'm familiar with the tool; you'd have to do a little experimentation yourself. So here we go. So we take a look at this and there's a cracker function right here, you'll see that, and it says, what do you want to crack? So take a look: these are all the different kinds of hashes, because that's mainly what we're hacking in this world. So I know this is a SHA-1 hash because that's how freeSSHd stores stuff.
So here's my SHA-1 hash tool. So what I'm going to have to do first of all is go over and grab this hash. So I'm just doing a regular old copy. And now I need to put it into the cracker. And what I've done now is I've inserted the SHA-1 hash into it.
So now let's go ahead and start cracking. So what we're going to do first off is brute force. We're basically going to say, look, Cain and Abel, I want you to start with the letter A, make a SHA-1 hash, then the letter B, make a SHA-1 hash, go through all those, then do AA, then do AB, then ABCD. Get the idea that this could take a little bit of time? Well, it absolutely does. So let's watch what happens. So what we're going to do is a brute force attack.
Now you'll notice that I've got a lot of options here, and all of these crackers have some type of tool like this. So it's going to say just use lowercase and numbers. Now, for the sake of brevity, what I'm going to do here is make it even simpler than that, and I'm just going to say just use lowercase letters. Now, what I want you to watch right here is the key space. So right now I'm in the thousands, millions, billions, trillions, gazillions: the number of permutations that it would have to go through to do every possible combination, just using the 26 letters of the alphabet, as you can see, is huge.
But there are a few other things we know. And again, I'm cheating here, folks, simply because I know that the password is very, very short. What I'm going to do now, and I want you to watch the key space, is reduce the possible password length. So watch what happens to that key space as I keep making the numbers shorter and shorter. So one of the reasons why people always say use long passwords is what you just saw right there. The longer the password, the more difficult it is for me to crack it in a brute force scenario. If you use complicated passwords with upper and lowercase and numbers and all that stuff, it starts going into the months, days, years kind of a thing. So what I've done here is I've got it knocked down to a maximum of eight characters. And let's go ahead and start it and see what happens. So if you take a look right here, it was pretty much instantaneous, but you'll see it found the password is mike. So that is one example of brute force.
Now keep in mind one more time what brute force is doing. It's literally generating, based on the predefined character set that I set up for it. I said, start with just the letters of the alphabet, and just lowercase, and grind through them. So you can see that it went through just about a trillion iterations in a very, very short amount of time. So imagine for a minute, let's take a look at this one more time, and imagine this time, let's say I had a big, complicated password. So what I want to do now is change this. So let's change it so it's going to be lowercase alphabet, uppercase alphabet and numbers. Do you see that right there? So I've got to reset them here a little bit; it still thinks I'm working on the old one here.
Okay. Now watch the key space as I start to bring it up. You see that I'm already up to exponential notation. So that is a really good example of why we use complex passwords. We use complex passwords to make cryptographic attacks harder, period.
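The key-space arithmetic behind what the cracker's counter shows above, as an added example (this is not code from the lecture or from Cain and Abel). It counts the candidates a brute-force run must hash for a given character set and maximum length, runs the smallest case itself (lowercase only, up to four characters, against a SHA-1 of "mike" constructed here rather than copied from the INI file), and tabulates how quickly the count grows; the hashing rate used for the time estimate is an assumed figure, not a measurement.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase                            # 26 characters
MIXED = LOWER + string.ascii_uppercase + string.digits    # 62 characters

def key_space(charset_size, max_len, min_len=1):
    """Number of candidates of length min_len..max_len over a charset of charset_size
    symbols. This is the figure the cracker's 'key space' box shows as options change."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def worst_case_seconds(charset_size, max_len, hashes_per_second):
    """Time to exhaust the whole key space at a given rate (the rate is an assumption)."""
    return key_space(charset_size, max_len) / hashes_per_second

def brute_force_sha1(target_hex, charset, max_len):
    """The loop the lecture describes: a, b, ..., aa, ab, ..., hashing each candidate
    with SHA-1 and stopping at the first match. Returns the password, or None if the
    target is not in the key space."""
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            candidate = "".join(tup)
            if hashlib.sha1(candidate.encode()).hexdigest() == target_hex:
                return candidate
    return None

def demo(hashes_per_second=1_000_000_000):
    """Recover the lecture's 'mike' from an unsalted SHA-1 (constructed here) and show
    how the key space grows with character set and length."""
    target = hashlib.sha1(b"mike").hexdigest()
    found = brute_force_sha1(target, LOWER, 4)
    table = []
    for label, cs in (("lowercase", LOWER), ("lower+upper+digits", MIXED)):
        for max_len in (4, 8, 12):
            table.append((label, max_len, key_space(len(cs), max_len),
                          worst_case_seconds(len(cs), max_len, hashes_per_second)))
    return found, table

if __name__ == "__main__":
    found, table = demo()
    print("recovered:", found)
    for label, n, size, secs in table:
        print(f"{label:20s} len<={n:2d}  candidates={size:.3e}  "
              f"worst case={secs / (86400 * 365):.2e} years")
```

The four-character lowercase case is a few hundred thousand hashes and finishes instantly, exactly as the demo did; the same code with the 62-character set and twelve characters gives a candidate count in the 10^21 range, which is the "exponential notation" the lecture points at.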
Okay, so that's one example. And in this particular example, what we did is we simply ran a brute force attack. Now, brute force attacks, as you can see, when things get complicated can become incredibly onerous. Now, this is just a regular, middle-of-the-road desktop system; if I wanted to, I could buy computer systems, or build them myself, that use graphics processors and all this extra power, and they can calculate a lot faster. But it still becomes very, very difficult. So what we want to do now is a different kind of attack.
But let's make some assumptions. One of the things we know about people: I don't think I've ever met anybody who used a password like 1-2-x-f-9-l-&-2, right? What we do as human beings is we tend to use dictionary words: Mike47, then Timmy22, then Johnny5, then we turn all the O's into zeros, and you know, all that stuff. Well, if we know that, we can do another kind of attack called a dictionary attack. Now, a dictionary attack starts by using a text file that is filled with dictionary words. It will take those dictionary words, and then it will manipulate them. For example, if I put the word mike in the dictionary, I could tell the cracker, don't do just mike, but do capital M-i-k-e, and then make mike1, mike2, mike47, all that type of stuff.
So a dictionary attack will always, always start with a text file that's full of dictionary words. So let's try a dictionary attack. All right, so let's go ahead and grab that hash one more time, and I'm going to go ahead and plug it in here. So there's my hash. Now, the whole idea behind a dictionary attack is we have to feed the attacking tool a dictionary, so I have a very simplified one.
If you take a look right here, I've made a little file called dictionary.txt, and you can see that I have all of about, what, nine words in there. Keep in mind that you can download dictionaries from the internet that have hundreds and hundreds and hundreds of thousands of different words in there. So dictionaries can be massive. Again, I'm cheating for the sake of brevity. And so we've got that dictionary ready to go.
So let's go ahead and do the dictionary attack. So I'm going to go ahead and select dictionary attack this time. And you'll see that I've already pre-selected that text file. Now, this is a pretty handy tool because it always remembers where you left off, and since I've done this attack before, it remembers that I'm at the end of the file. So I've got to go through this little process and say, go back to the beginning. And what I'm going to do is start it. And boom, you can see it pretty much almost instantly got the answer. Now, I made this one easy because the password is just four characters, and they're all lowercase alphas. So again, for brevity, it works out real well. But let's take a look in a little bit more detail here.
You'll notice that you tell these crackers how to deal with the particular type of words. So for example, here's one where it says, if the word is lowercase, then do it also in uppercase, or if the word in the dictionary is all uppercase, do lowercase. Here, I can say do case permutations. Now watch: if I click that, it actually turns a couple of these off, because now it's saying change just the second letter to a capital, then the third letter, however that might be. And the other one right here at the bottom might be familiar to some of you guys: add two numbers to the end.
So whatever the word is, you know, so if it's mike, do mike1, mike2, mike3, mike4, all the way up to mike99. And I wonder how many guys out there sit there and go, ooh, yeah, he would probably crack my password based on that. So dictionary attacks are fantastic, and they speed the process up simply because they take advantage of the fact that human beings tend to use words they're familiar with as part of their passwords. So at the top of every one of these dictionaries is password and 123 and 1234. So don't even bother with those; I'll have you hacked in milliseconds, literally. Now, both of these methods we've talked about so far, brute force and dictionary attacks, basically require the cracking program to generate hashes and compare, generate hashes and compare. So for smaller passwords, that can be a relatively good way to do things, but a lot of people use much more complex passwords. And in that case, we need to speed up the process. And probably the best way to speed up the process is what's known as a rainbow table. Now, a rainbow table is a pre-generated bunch of hashes.
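Before going on to rainbow tables, here are the dictionary mangling rules just described (case permutations, letter-to-digit substitutions, two digits on the end, plus the reversed word) written out as an added example; this is not the lecture's or Cain and Abel's code. The wordlist is a constructed stand-in for the nine-word dictionary.txt, and the leet substitution map is an assumption of the example. Besides the cracker-side generator, it includes the defender's version of the same idea: a password-policy check that inverts the rules to decide whether a proposed password is just a dictionary word in disguise.

```python
import itertools

# constructed stand-in for the lecture's dictionary.txt
WORDLIST = ["password", "mike", "timmy", "johnny", "summer"]
LEET = {"o": "0", "i": "1", "e": "3", "a": "4", "s": "5"}   # the "turn the O's into zeros" habit
UNLEET = {digit: letter for letter, digit in LEET.items()}

def case_perms(word):
    """Every upper/lower mix of the word's letters (the cracker's 'case permutations' option)."""
    pools = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(t) for t in itertools.product(*pools)}

def leet_perms(word):
    """Every combination of the letter-to-digit substitutions in LEET."""
    pools = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    return {"".join(t) for t in itertools.product(*pools)}

def mangle(word):
    """Cracker-side rule set: the word as-is and reversed, each with case or leet
    permutations, and each of those also with 0..99 appended ('add two numbers to the
    end'). Rules are not stacked on each other, so the set stays small enough to list."""
    variants = set()
    for base in (word, word[::-1]):
        variants |= case_perms(base) | leet_perms(base)
    return variants | {v + str(n) for v in variants for n in range(100)}

def derived_from(candidate, wordlist=WORDLIST):
    """Defender-side check for a password policy: instead of enumerating every variant
    of every word, undo the rules on the candidate (strip trailing digits, map digits
    back to letters, lowercase, un-reverse) and look the result up. Returns the
    dictionary word the candidate derives from, or None if no rule reaches it."""
    words = set(wordlist)
    stems = {candidate}
    for k in (1, 2):                       # peel off one or two trailing digits
        if len(candidate) > k and candidate[-k:].isdigit():
            stems.add(candidate[:-k])
    for stem in stems:
        for form in (stem.lower(), "".join(UNLEET.get(c, c) for c in stem).lower()):
            if form in words:
                return form
            if form[::-1] in words:
                return form[::-1]
    return None

if __name__ == "__main__":
    print(len(mangle("mike")), "variants of 'mike'")
    for pw in ("Mike47", "P4ssw0rd", "ekim", "j9Qx!r2"):
        print(pw, "->", derived_from(pw))
```

The generator is what the "Mike47 would probably crack my password" remark is about: a four-letter word expands to a few thousand variants, each one a single hash away. The inversion in `derived_from` is the cheap way to enforce the lesson at account-creation time, since it never builds that list.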
Now you need to be careful here. A hash table is nothing more than all these different words with a hash next to each one. A rainbow table is kind of like, it's almost like an indexed hash table, if you've ever worked with databases, where it will have indexes so that searching can take place a lot faster. It uses what's known as a reduction function to keep these really big files manageable while still letting us look up a bunch of hashes, but the important thing is that a rainbow table already has the hashes in it, so it eliminates that whole part of the process. So what we're going to do is, one more time, we're going to go through this process, except this time we're going to use a rainbow table. Now I need to warn you about something.
Rainbow tables are massive, massive. Even the smallest rainbow table is going to be in the tens of gigabytes, and really serious, work-for-a-living, trying-to-crack-bad-guy-passwords types of rainbow tables can be in the terabytes upon terabytes. So usually, what you'll end up doing is you go, look, I need to generate hashes based on just lowercase alphas; go ahead and generate my own rainbow table. And that's what I've done in this particular case. You can download them; there are companies that will sell you rainbow tables. They will deliver a six-terabyte hard drive to your front door filled with massive rainbow tables.
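A toy rainbow table, added here to show what the "reduction function" and "indexed hash table" remarks above actually mean; it is not the lecture's code and has nothing to do with the generator that shipped with Cain and Abel. The key space is deliberately tiny (every three-letter lowercase word, SHA-1, twenty steps per chain) so the whole thing runs in a moment; the chain length, number of chains and the two-character salt at the end are all choices made for this example.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3        # toy key space: every 3-letter lowercase word (26**3 = 17,576 candidates)
CHAIN_LEN = 20    # hash/reduce steps per chain; only each chain's start and end are stored

def sha1(pw):
    return hashlib.sha1(pw.encode()).digest()

def reduce_(digest, step):
    """Reduction function: map a 160-bit digest back into the key space (a 3-letter word).
    The step index is mixed in so that each column of the table uses a different
    reduction, which is what keeps chains from merging as badly as plain hash chains."""
    n = int.from_bytes(digest, "big") + step
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)

def build_table(starts):
    """Walk each chain start -> hash -> reduce -> ... CHAIN_LEN times; keep end -> start.
    Every intermediate hash is computed now, which is the 'pre-generated' part."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(sha1(pw), step)
        table.setdefault(pw, start)        # merged chains keep the first start seen
    return table

def lookup(table, target):
    """Find the password for a leaked digest without re-hashing the whole key space:
    guess the column the digest sits in, finish the chain from there, and check whether
    that endpoint is one we stored. The stored endpoints are the 'index'."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_(sha1(pw), step)
        start = table.get(pw)
        if start is None:
            continue
        cand = start                        # regenerate that one chain to confirm and read it
        for step in range(CHAIN_LEN):
            if sha1(cand) == target:
                return cand
            cand = reduce_(sha1(cand), step)
    return None

def demo():
    """Build a small table, recover a digest it covers, and show that a salted digest of
    the same password is not found: no chain ever hashes 'xy' + word."""
    starts = ["".join(t) for t in itertools.islice(
        itertools.product(ALPHABET, repeat=PW_LEN), 1500)]
    table = build_table(starts)
    pw = starts[0]                          # constructed: take the 6th word on the first chain
    for step in range(5):
        pw = reduce_(sha1(pw), step)
    leaked = sha1(pw)
    salted = sha1("xy" + pw)                # fixed two-character salt, like the lecture's example
    return pw, lookup(table, leaked), lookup(table, salted), len(table)

if __name__ == "__main__":
    pw, found, salted_found, size = demo()
    print(f"{size} chains stored; leaked hash of {pw!r} -> {found!r}; salted -> {salted_found!r}")
```

Storing only chain ends is why the file is so much smaller than a full hash table, and the lookup's repeated "finish the chain, check the index" is why a hit still costs some hashing but nothing like a fresh brute force. The salted case is the point made later in the lecture: a salt pushes the real input outside the key space the table was built for.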
So rainbow tables are going to be used when the passwords are more challenging and it's a little bit harder to do. So let's go ahead and do rainbow tables using Cain and Abel. So just for fun, this time there were three users, and I just grabbed another password just for fun. So what we're going to do here, we're going to right-click on this, and we're going to go ahead and do a rainbow table attack here. And you'll notice that here's my rainbow table; if you take a look over here, this is the actual rainbow table.
And I generated this one myself; it's a tool that came from the same guys who make Cain and Abel. So if you just take a look at, for example, properties, you'll see this one is 610 megabytes. This is literally the smallest rainbow table I could possibly generate. So this is what happens here a lot of times: I said make a rainbow table based on SHA-1, and just do lowercase characters, and it generated this big, super-duper, multiply indexed rainbow table. So let's go ahead and put it in. So we've got it loaded up; I've already selected it. And what I'm going to do here is hit start, cross our fingers. Oh, didn't work in this particular case.
Now, as a good cryptanalysis person, that is not that big of a deal for me. I picked a password that probably had numbers in it, or upper and lowercase, and in these types of processes I would just go ahead and generate a much more complex rainbow table and just keep trying again, because that's what takes place in these types of scenarios. Now, I need to warn you about something, and that is, well, I've been lying to you a little bit, and I'll show you what I mean right now. So what I'm going to do is I'm going to go ahead and add that hash back in. Now watch really close what happens.
So I'm just going to hit paste. Now when I hit OK, look at this. It says the length of the SHA-1 hash must be exactly 20 bytes long. Each byte is eight bits, so SHA-1 hashes are 160 bits. Yes. Wait a minute, Mike, you just cut and pasted that hash from that INI file.
So what's going on? Well, what's happening here is most good password storage does something to make it a little bit harder. In this case, what we're seeing is this particular tool just adds two characters to the end of the hash. It just kind of arbitrarily puts two characters in. And if I were to cut and paste that, you can see it kind of slows me down from a cryptanalysis standpoint. Now again, because I did some research online and because I experimented a little bit, I just took the first 20 characters, deleted those last two out, put it in, and everything ran great.
So what we're seeing here is the freeSSHd tool trying to obfuscate things a little bit. Now that's an incredibly simplistic way to do it. What we tend to see more commonly is something called a salt, S-A-L-T. So in a salt situation, it kind of goes something like this. So let's put a password here. So I've got a password of Timmy. Okay.
Now normally we would just hash that and generate a hash value. But a salt is a value, an arbitrary value; there's a lot of different ways to salt. But one of the ways is you have a fixed value: back in the old Linux systems, when you installed the GNU/Linux system, it would all have a fixed salt. And we're going to say the salt is some four characters here, who cares what it is. So what we do is we take Timmy and concatenate those four characters to the end, and then we hash it.
So that's what's known as a salted hash table. Salted hash tables, as you might imagine, are a lot harder to crack, a lot harder. You would be hard pressed, with the exception of some old applications like this freeSSHd, to find situations where people do not salt their hashes. Now again, this tool has functions that could deal with it, but they take forever, and it becomes an unattractive way to do things. Now what I want to do is show you one other situation we run into. And I bet you've seen this before yourself.
So what we're going to do now is take a look at my little home router I've got right here. And what I want to show you is, you'll see that I've got an SSID right here, okay, but I'm going to go into wireless security. Now, for wireless security I'm using WPA2 Personal, and I'm going to go ahead and type in a shared key. Now, this is kind of a nice little feature on this DD-WRT: I can actually show it to you. So I'm going to type in Fred. Now, the problem we have here is that with wireless, we're not going to be passing the word Fred just through the air.
So what we're going to have to do is hash that thing, but a lot of people would be able to hack that Fred fairly easily. So one of the things we'd like to do is type in big, long, complicated passcodes, which is one thing that could be helpful. But the other thing we do, and this is just one example, we see this all over the place, is something called key stretching. So we're going to go over to Wireshark, and let me show you how to do all this stuff. So what I'm going to do is type in Fred.
And then I'm going to type in, whoops, then I'm going to type in the SSID. And watch what happens here. That is really what your personal shared key is on there. This is one example of what we call key stretching. In a key stretching scenario, we take, you know, you type in your little word, whatever it might be, but it takes some other values and generates a very, very complicated key, which can then be passed through the ether, or hashed, or whatever.
And it's much, much harder for the bad guys to do this. So if you take a look on the screen, you'll see here it says PBKDF2. There are two types of key stretching that you see. WPA for wireless uses the PBKDF2 algorithm, which is a great one. The other one you'll see a lot is called bcrypt. And all these do is take some kind of key and not just hash it, not just salt it; they stretch it out, and they make it very, very complicated, simply because it's really, really hard to crack these.
In fact, proper key stretching is, in today's world, pretty much uncrackable if you do all this stuff right. And if you use longer passwords and you use key stretching, you can save all your passwords in hashed, encrypted formats on your hard drives, and nobody is ever, ever going to mess with them.
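The three storage models the lecture walks through, side by side, as an added example that is not the lecture's, freeSSHd's or DD-WRT's code: the unsalted SHA-1 that freeSSHd keeps in its INI file, the "store hash, rehash on login, compare" check from the start of the lecture, a salted and stretched record using PBKDF2 from Python's standard library (the iteration count and record layout are this example's choices), and the WPA2-Personal derivation the Wireshark PSK generator performs, which is PBKDF2-HMAC-SHA1 with the SSID as the salt and 4096 rounds. The user names and the fixed four-character salt are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor for this example; raise it as hardware gets faster

def store_plain_sha1(password):
    """What the freeSSHd INI file holds: an unsalted SHA-1. Same password -> same hash,
    so one dictionary run or rainbow table answers for every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()

def verify_plain_sha1(password, stored):
    """The login check from the start of the lecture: hash what was typed, compare hashes."""
    return hmac.compare_digest(store_plain_sha1(password), stored)

def store_salted(password, salt=None, iterations=ITERATIONS):
    """Salted and stretched: PBKDF2-HMAC-SHA256 over the password with a per-user random
    salt. The record keeps algorithm, iteration count and salt so it can be verified later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password, record):
    """Re-derive with the salt and iteration count stored in the record, compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def wpa2_psk(passphrase, ssid):
    """WPA2-Personal key stretching: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit PSK.
    This is the value the Wireshark PSK generator shows for a passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def demo():
    """Constructed sample: two users who both chose the password 'timmy'."""
    plain = {u: store_plain_sha1("timmy") for u in ("alice", "bob")}
    salted = {u: store_salted("timmy") for u in ("alice", "bob")}
    fixed = store_salted("timmy", salt=b"ab12")     # the lecture's fixed four-character salt
    return {
        "plain_hashes_identical": plain["alice"] == plain["bob"],    # True: trivially linkable
        "salted_records_identical": salted["alice"] == salted["bob"],  # False: random salts differ
        "fixed_salt_record": fixed,
        "verify_ok": verify_salted("timmy", salted["alice"]),
        "verify_wrong": verify_salted("Timmy", salted["alice"]),
        "psk_password_IEEE": wpa2_psk("password", "IEEE"),   # IEEE 802.11i published test vector
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the fixed salt the lecture describes, two users with the same password still get the same record, so a per-user random salt is what actually forces an attacker to redo the work for each account; the iteration count is what makes each of those attempts expensive. The WPA2 line shows the same primitive applied to a wireless passphrase, with the network name standing in for the salt.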