July 12, 2011

The recent attack against Booz Allen led to 90,000 leaked passwords.  Unlike earlier breaches where the passwords were stored in the clear, it looks like in this case some care was taken to scramble the data.

Or was it?  There's hashing and there's hashing.  In the case of the Booz breach the passwords were stored as plain, unsalted SHA-1 hashes, so cracking one means brute forcing it: you "guess" a candidate password first, hash it with SHA-1, and check whether the result appears in the file.

So let's guess… I dunno… maybe… umm.. "123456"?

The SHA-1 of 123456 is 7c4a8d09ca3762af61e59520943dc26494f8941b (see http://www.movable-type.co.uk/scripts/sha1.html)


Now let's base64-encode the raw 20-byte digest, which is the form the leaked file uses (there are plenty of tools that do this), and get fEqNCco3Yq9h5ZUglD3CZJT4lBs=


Now let's search the leaked hash file for fEqNCco3Yq9h5ZUglD3CZJT4lBs=.  And voilà, 22 results:

(You can also find "1234", "12345" and "12345678" the same way.)

This guessing can be automated with a password "cracker" that works through the candidate space exhaustively, typically starting from a dictionary of popular passwords so that the most common ones fall first.  Because the hashes are unsalted, each candidate has to be hashed only once and can then be compared against every entry in the file at the same time.

If the attacked application had been following best practices, it would have "salted" the hashes, i.e. concatenated a different random value to each password before hashing it.  Two users with the same password would then get different hashes, and a cracker would have to attack each hash individually rather than all of them at once.  Nobody could find every "123456" in the text file with a single search as shown above; the attacker would have to redo the guessing for each password with its own salt.  (Salting alone does not rescue an individual weak password, since one guess against one salted SHA-1 hash is still fast; for that a deliberately slow hash such as bcrypt or PBKDF2 is needed on top of the salt.)
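The following is an added example, not code from the original post and not Booz Allen data: it reproduces the lookup shown above against a small constructed dump of base64-encoded SHA-1 hashes, then salts the same dump and shows that the one-hash-per-guess trick no longer works and every (salt, candidate) pair must be hashed separately. The user names, passwords and word list are made up for the demonstration.

```python
import base64
import hashlib
import os

# Constructed sample accounts (not real breach data). Three users share the
# weakest password so the unsalted lookup finds them all with one hash.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "Password1",
    "carol": "123456",
    "dave": "letmein",
    "erin": "123456",
    "frank": "correct horse battery staple",   # not in the word list, stays uncracked
}

# A tiny "popular passwords" dictionary, ordered most common first.
WORDLIST = ["password", "123456", "12345678", "qwerty", "letmein", "Password1"]


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1, the form most online calculators print."""
    return hashlib.sha1(data).hexdigest()


def sha1_b64(data: bytes) -> str:
    """SHA-1 digest encoded as base64 of the raw 20 bytes, the form in the dump."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_unsalted_dump(users):
    """user -> base64(SHA-1(password)), i.e. how the leaked file stores it."""
    return {user: sha1_b64(pw.encode()) for user, pw in users.items()}


def crack_unsalted(dump, wordlist):
    """Hash each candidate ONCE and look it up against every entry at the same time.

    Returns (cracked {user: password}, number of SHA-1 computations performed).
    """
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    hashes_computed = 0
    for candidate in wordlist:
        hashes_computed += 1
        for user in by_hash.get(sha1_b64(candidate.encode()), []):
            cracked[user] = candidate
    return cracked, hashes_computed


def build_salted_dump(users, salt_len=16):
    """user -> (base64 salt, base64(SHA-1(salt || password))) with a fresh random salt per user."""
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        dump[user] = (base64.b64encode(salt).decode("ascii"), sha1_b64(salt + pw.encode()))
    return dump


def crack_salted(dump, wordlist):
    """With salts there is no shared lookup: every (salt, candidate) pair is hashed separately."""
    cracked = {}
    hashes_computed = 0
    for user, (salt_b64, h) in dump.items():
        salt = base64.b64decode(salt_b64)
        for candidate in wordlist:
            hashes_computed += 1
            if sha1_b64(salt + candidate.encode()) == h:
                cracked[user] = candidate
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    print("SHA-1(123456) =", sha1_hex(b"123456"), "->", sha1_b64(b"123456"))
    plain = build_unsalted_dump(SAMPLE_USERS)
    print("users sharing the 123456 hash:",
          list(plain.values()).count(sha1_b64(b"123456")))
    cracked, n = crack_unsalted(plain, WORDLIST)
    print(f"unsalted: cracked {len(cracked)} accounts with {n} hash computations")
    salted = build_salted_dump(SAMPLE_USERS)
    cracked_s, n_s = crack_salted(salted, WORDLIST)
    print(f"salted:   cracked {len(cracked_s)} accounts with {n_s} hash computations")
```

The unsalted run needs exactly one SHA-1 per dictionary word no matter how many accounts are in the file, which is why a single string search found 22 hits above; the salted run costs a multiple of the number of accounts, and still cracks the same weak passwords, which is the point of the caveat about slow hashes.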

ADDITION:  Every hash can be brute forced; with a good hashing algorithm it simply takes too long to try every possible value.  Of course, if the victim has chosen a guessable value, the attacker will find it in just a few tries.

Posted by Imperva Blogger at 10:56:55 AM

