Cracking 14 Character Complex Passwords in 5 Seconds

Thursday, October 21, 2010

Dan Dieterle


See Part Two Here: NTLM Passwords: Can’t Crack it? Just Pass it!

There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly.

But there is a technology that can crack them even faster. A Swiss security company called Objectif Sécurité has created a cracking technology that uses rainbow tables on SSD drives.

/uploads/remoteimg/facf7aaea6b4a02aeb3e92d51c9f3fd0.jpgApparently it is the hard drive access time and not the processor speed that slows down cracking speed. So using SSD drives can make cracking faster, but just how fast?

One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode complex password in under 5.3 seconds.

So, how long would a long complex password hold up to the SSD based cracking technology?  

Sounds like we need to put this to the test. Most hackers will crack passwords by decoding the password hash dumps from a compromised computer.

So, I pulled several 14 character complex passwords hashes from a compromised Windows XP SP3 test machine, to see how they would stand up to Objectif’s free online XP hash cracker.

The results were stunning.

Let’s start out with an easy one. Here is the Administrator password hash from the machine:


And putting this into Objectif’s tool we get this response:

Password: Empty password…    
Time: 2 seconds

Administrator didn’t set a password, that’s not good…

Okay, that wasn’t 14 characters, let’s try a hard one.

How about this one:

Hash: 17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4

And the response:

Password: 72@Fee4S@mura!    
Time: 5 Seconds

Wow! that took only 5 seconds and that is a decent password.

Let’s try a few more:

Hash: ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350
Password: (689!!!<>”QTHp    
Time: 8 Seconds

Hash: d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6
Password: *mZ?9%^jS743:!    
Time: 5 Seconds (Try typing that in every day!)

And Finally:

Hash: 747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055
Password: T&p/E$v-O6,1@}    
Time: Okay, this one really pushed it to the limits, it took a whole 11 seconds to crack!

Very impressive, it took only five to eleven seconds in this test to crack 14 character complex passwords. I was able to create a password that Objectif’s site couldn’t decode; it was using characters from the extended ASII set.

But, unfortunately, I could not log into the XP system using it either.  

Want to see how a password would do without having to exploit a system and dump the password hashes?

Objectif allows you to put a password in and it will convert it for you. Then you can place the hash into the cracker and see how it does.

I believe that this demonstration shows that relying on passwords alone may no longer be a good security measure.

Many companies and government facilities are moving away from using just passwords to dual authentication methods. Biometrics and smartcards are really becoming popular in secure facilities. 

And if the rumors are true, it looks like Microsoft may include facial recognition authentication in the next version of Windows. Time to dust off the old Web Cam…

Cross-posted from CyberArms

Possibly Related Articles:
Network Access Control
Information Security
Passwords Access Control Hacking Hashes
Post Rating I Like this!
Robb Reck Holy smokes. All your passwords are belong to us, huh?
Dan Dieterle Lol, yeah, pretty crazy. Makes you think operating systems should have a default message for hackers, "Please lock up when you leave". :)
Terry Perkins Wow! This is truly scary.
Dan Dieterle Yes it really is. I just put the password that took eleven seconds back through the cracker and it got it in about three seconds this time.
Christopher Hudel I think it's important to note that this is not a general purpose brute-force victory over complex passwords in the abstract case. The LM hash has long suffered from problems, principally being the lack of a SALT and the reduction of passwords > 7 characters into two separate 7-character hashes.

Don't get me wrong - this is a totally awesome implementation of a LM hash password cracker using rainbow tables (for passwords <=14 characters). I'd be more curious to see how it does against long complex passwords in other environments/formats.
Dan Dieterle Excellent point Christopher.
Windows 7 and Server 2008 no longer use the LM Hash method. As Windows XP does store passwords by default in the LM Hash method.

From my understanding, the only way to turn this off in XP is by using passwords that are 15 characters or greater in length or a group policy edit.

Still the 300 billion passwords per second(PPS)speed is insane when compared to a GPU based craking site that claims speeds up to 600 Million PPS.

With cracking speeds guaranteed to increase, companies are wise to consider moving to biometric or dual authentication methods.
Dan Dieterle Apparently Windows 2003 Domain Servers also store user passwords in this manner by default.

Instructions for turning it off can be found here:
Terry Perkins Yes, Active Directory stores passwords in LM Hash and NTLM Hash. It is really easy to turn of LM Hash storage (using the link above).
Jimi Thompson IMHO, anyone who isn't using dual method authentication - at least for critical services - isn't very responsible.
Sam Hocevar Well done. Now thanks to that online service and the willingness of the crowd, Objectif Sécurité is building an interesting database of complex passwords.
Lucas Erratus Dan, sorry to inform you that you got duped and are giving them free advertising.

XP and older had LM hashes enabled by default (Registry setting + password change gets rid of them, see KB299656). A 14 character LM hashed password is effectively two 7 character passwords with a limited character set.

When using CPU and/or GPU to crack, you're limited by their speed.

If you're using a rainbow table, bottleneck is usually the hard drive. But rainbow table means storing the hash for every possible password you want included. First off, LM hashes only have 69 possible characters because lower case letters are converted to upper case. Storing 16 byte LM hashes to cover the complete keyspace (up to 7 complex characters minus lower case letters) means a rainbow table size of 108TB and several days to generate the rainbow table. A little expensive, but doable.

Now consider using NTLM hashes of 14 character passwords. NTLM uses 16 byte MD4 hashes and all 94 printable characters. You'll run out of money buying drives (61,194,178,149,144,031.84 TB) or run out of time generating the rainbow table.
Dan Dieterle Lucas, as you said, XP and older have LM hashes enabled by default. The shocking thing is that many businesses are using Windows XP and don't know this.

According to a Microsoft conference this summer 74% of businesses still use XP.

I could not find a stat for how many businesses still run Server 2003 instead of 2008, but I bet it is high, as most businesses will tend to stay with the server software that is working for them and that they are comfortable with.

If you can retrieve a password hash from these systems, they can be cracked in about 5 seconds if LM hashing is not turned off.

When taking hashes from a compromised machine, a hacker most likely already has System or Administrator level access anyways.

This kind of makes password storage schemes and cracking times a moot point.
Lucas Erratus Dan, your post is talking about 14 character complex passwords getting cracked in seconds. It sounds like doomsday. It's an incomplete picture when the flaws of LM hashes aren't pointed out. Additionally, using SSD shouldn't be compared to cracking with CPU/GPU. You use CPU/GPU to brute force or to create a rainbow table. That process is limited by CPU/GPU power. SSD only helps for reading a rainbow table. A 14 character complex password using a decent hashing algorithm is still safe.
Prabhjot Singh What if the password contains special characters like: ↓¹Γ↕♥╓~◙▼☻╚☼
As far I think most of the dictionary based attacks don't consider these characters. So in that case the password containing these characters will be uncrackable.
Regarding brute force also I don't think these characters are considered by most of the crackers unless you specify. eg: l0phtcrack 6, check the default character set used by it.
Regarding Rainbow crack, I don't think it will be considering hashes of these weird characters.
Most of the people don't even think about this fact, & in that case cracking speed is not a matter, you will never be able to crack down the password.
Dan Dieterle Prabhjot, excellent question. I tried a user acount with special characters and the free online cracker could not crack it.

Unfortunately, I tried to log in to the Windows account with the same special character password and it would not let me log in.

Not sure why, Windows did accept the password when I created the user account and even verified it.

But, when I logged out and tried to log back in, it would not accept the password.
Anthonie Ruighaver No password is safe. Several years ago there was a web site that automatically returned your password (if you only used a short password). It could do so as windows tried to authenticate you even though the website was external.

Nowadays, mobile phone cameras are the preferred shoulder surfing tool to catch passwords.

So why do we still use passwords only and why do we not have any controls to detect when someone uses a compromised password? It is not that difficult!

See my paper on page 110 of these conference proceedings:

Dan Dieterle Anthonie, is just using biometric authentication alone really that much better?

I would assume they still use an authentication "key" of some sort stored on the drive to match it with the biometric input.

Granted it would be more difficult, but wouldn't a hacker be able to access the "key" and use it like a cracked password?
Anthonie Ruighaver No. I am not a fan of biometric authentication. In practice, biometrics will not always works and needs a backup authentication. That's often the major weakness of the final authentication system. I do suggest that multiple authentication methods, for instance password + usb key + bluetooth should be considered, but more importantly I propose that without detective controls/processes authentication is the weakest point in an organization's security.
Bernard Varaine As Dan said on a previous post
<<When taking hashes from a compromised machine, a hacker most likely already has System or Administrator level access anyways.
This kind of makes password storage schemes and cracking times a moot point. >>

Anthonie Ruighaver Not always, Bernard. If it is an internal attack, physical access is enough to get the hashes.
Page: « < 1 - 2 > »
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.