Brute-Force vs. Salt etc.+ [PHP5]

Discuss the many weaknesses of browser security and ways to mitigate the threat

Brute-Force vs. Salt etc.+ [PHP5]

Post by VadimCool on Wed Mar 21, 2012 6:51 pm
([msg=65132]see Brute-Force vs. Salt etc.+ [PHP5][/msg])

Hey guys, my personal experience with hacks reaches only to Counter Strike Source material hacking where I used crc32 bypass to generate a 4char at the end of the file to match the original one with the hacked one. Still works till this day, anti-flash and anti-smoke etc.. But anyways I have like a bunch of questions, I hope some of you with experience could help me out a bit even though they might sound a bit noobish.

#1 Something to think about.
Let's say we have a file and it is using md5 encryption instead of crc32, but also a sha1 to make sure that even if the file which has been modified bypasses md5 encryption, it will not match sha1 encryption check for the same file or a string of code/password. Of course it depends on what kind of hacking methods there are outhere. I would just like to throw it out to you guys to see what comes to your mind when we speak password encryption cracking/hacking. What is possible and what is not?

#2 Password vs. Salt
Many people are talking about implementing or cracking salty hash string on a web-site. But the only real reason I can see that salt could be useful in any way at all is if it is used for public network where people on the same network might try to fish for incoming signals/encryptions from other computers in their area.
But we're still suppose to log in as usually using a normal password. Where exactly does salt even become a solution or a problem if you are going to brute-force your way in on a user? Further more, what if username is unknown, like an Admin username that actually will have most of the authority over all kinds of administrative tools available to him on his own site. Isn't username equally important to know as the password it-self? How is that suppose to be cracked if say no notifications is provided to whether the username we're hacking even exists in the database?

#3 Final Solution.
Can anyone provide their own exceptionally short & simple, yet powerful PHP script on how to encrypt a password so that it would be very difficult to hack? Or is there other things to consider, like hacking a site outside it's original html/php form? Like the same way FTP Program could be used to make several connections to the server, could a pro hacker use some sort of open connection to test his brute-force method bypassing all kinds of restrictions from PHP script it-self like 5 login attampts limit before ban?

I would very much appreciate all the thoughts, ideas, suggestions and experience on this matter.
User avatar
VadimCool
New User
New User
 
Posts: 10
Joined: Wed Mar 21, 2012 6:13 pm
Location: Denmark
Blog: View Blog (0)


Re: Brute-Force vs. Salt etc.+ [PHP5]

Post by tgoe on Fri Mar 23, 2012 12:36 pm
([msg=65166]see Re: Brute-Force vs. Salt etc.+ [PHP5][/msg])

Hashing passwords isn't encryption. Crypto hash functions are designed to be one-way so that figuring out what a hash represents is impossible* without already knowing beforehand what was hashed. With encryption you'll have data, a key, and then the encrypted data; You'd be able to reproduce the original data with 'key' + 'encrypted data' without having the original. With hashes, there is no 'key'.

*Here's where brute-forcing and cracking comes in. The method you mention is essentially to automate the user interface by logging in and trying username/password combinations until you find a combo that works. This method is defeated by login timers, captchas, etc. Nothing to do with hashing. You hash passwords to protect user accounts that would be exposed if your password database was compromised some other way. A db full of hashes of passwords isn't as useful as a db full of the passwords themselves but it can still leak some info (which users have the same password?, Common hashes might correlate to weak passwords) and is vulnerable to a rainbow table. Salting your hashes is a way to defend against these things because the salt changes the hash. I'll post some code later (probably python :)) to demonstrate all this.
User avatar
tgoe
Contributor
Contributor
 
Posts: 718
Joined: Sun Sep 28, 2008 2:33 pm
Location: q3dm7
Blog: View Blog (0)


Re: Brute-Force vs. Salt etc.+ [PHP5]

Post by VadimCool on Fri Mar 23, 2012 1:11 pm
([msg=65167]see Re: Brute-Force vs. Salt etc.+ [PHP5][/msg])

Thank you for the reply, but unfortunately it wasn't even close to what I was looking forward to. Maybe I should be more specific to why I was asking those questions in the first place. And the reason is that a site owned by someone I know got hacked by Anonymous couple of days ago. In their description they mentioned that you can just throw them more salt, they love salt. So I was wondering how the heck can you hack a site from probably a different country the web-site is hosted at and crack a salted hash without being able to register yourself, but only able to use a login form, yet without even knowing a username. With other word login form is only for admins and even if the username wasn't too long, still if say 8 characters + the possible combinations of passwords of 10characters or so that would be a very long journey. It's like not even cracking a password x8times but more or less 8x8 or even 8^8, I'm not that good at math.. But still how???

Sorry for the external link on how to crack salted passwords: http://www.slideshare.net/null0x00/n-ul ... ltedhashes
But I went to search on google and found this interesting site, yet couldn't make much sense out of it as it doesn't give me any clues to the problem I'm trying to solve.

So once again the main question is, what has salt to do with brute-force? OR is there different methods of bruteforcing to consider which aren't known to most of the people. Like with use of underground programs and techniques?
User avatar
VadimCool
New User
New User
 
Posts: 10
Joined: Wed Mar 21, 2012 6:13 pm
Location: Denmark
Blog: View Blog (0)


Re: Brute-Force vs. Salt etc.+ [PHP5]

Post by LoGiCaL__ on Fri Mar 23, 2012 2:15 pm
([msg=65171]see Re: Brute-Force vs. Salt etc.+ [PHP5][/msg])

Any brute force should be de-railed after x amount of attemps. The lower the better. Also, I think it is worth mentioning that just because you hash and salt a password, that doesn't make it secure while being sent unless https/ssl is being implemented. The password has to be sent to the server before any actions can be done to it. So, it is possible that if your friend isn't using ssl that user info is getting intercepted before it gets hashed+salted.

Brute force is an attempt to guess a password from the beginning of letters or numbers to the end. Ex: 0001, 0002, 0003, ..., 9999. Salt is a function performed on the server side which is used to change the hash of a password. So if a user entered a password like 123, someone could easily test that by putting it into a hash and checking the output. Salting it would be taking 123 and adding a user response to a secret question, or the password + password + username. 123123username. By putting that through the hash the output would be different and harder to guess than if the password was just 123. Salting a password will make brute force guessing harder.
User avatar
LoGiCaL__
Addict
Addict
 
Posts: 1080
Joined: Sun May 30, 2010 12:33 pm
Blog: View Blog (0)


Re: Brute-Force vs. Salt etc.+ [PHP5]

Post by VadimCool on Fri Mar 23, 2012 5:59 pm
([msg=65177]see Re: Brute-Force vs. Salt etc.+ [PHP5][/msg])

Well now we're getting warmer. My friend indeed didn't use ssl connection which I also thought was a bit odd since the web-site is pretty popular in the country I live in. Just like another one of my friends on the link to the left.

But still I'm a bit lost on the whole concept of salt. As far as I understand there are 2 different kinds of salt. A solid one like "My name is Vadim" or a random one like from 0001..to 9999
If I were to add salt to my username and send it trough a not secure connection, then what exactly will it check for in the DB? If I were to include a random number next to my username, then how will I remove it on the next login right after the registration? Unless of course we also have a field in the DB for a random number which was added on the registration once to never be changed again. And somehow using some wicked script to match as one of the possibly POSITIVE numbers like an existing ID which is not fake to let me go trough security? Like 1111 would be false since my script is designed to generate and accetp numbers like maybe 1110 and 1112.. Am I close? So it will almost be like my own script will be using brute-force on login on my own web-site? So if I know the sequence, then for me it may take few seconds to re-generate say 10000 possible matches while for a hacker it may take several days? But still what about the username, as I pointed it out before even without salted username and password, it shouId take forever to find out a correct login? Unless it was intercepted without SSL, but intercepted WHEN and at what point? I never used it personally, but am about to in a month time. So I would like to know more about it to make my web-site more secure in comparison to some hehe. I already have SSL which I intend to use on the whole web-site just like facebook. :mrgreen:
User avatar
VadimCool
New User
New User
 
Posts: 10
Joined: Wed Mar 21, 2012 6:13 pm
Location: Denmark
Blog: View Blog (0)


Re: Brute-Force vs. Salt etc.+ [PHP5]

Post by LoGiCaL__ on Fri Mar 23, 2012 7:15 pm
([msg=65178]see Re: Brute-Force vs. Salt etc.+ [PHP5][/msg])

I think your still getting confused. A salt is a string of characters that you add to the password before hashing the password. It's doesn't have to be 0001, 0002. That was just a very basic example of a brute force guessing attack. Say you have a password. In this case the password will be "password123". password = password123. When the password reaches the server you have an option to salt and hash the password. Lets say the salt would be username. salt = joesmoe. Now, the salted password would be password123joesmoe. Now, password = password123joesmoe. Then you would put the password through a hash function and then store it in the database. In the database it would be stored as a string of random letters/numbers instead of a plain text password. This way, as mentioned ina previous post, if the database were compromised the passwords wouldn't be easily read.

When you enter a username and password, that is sent to the server before anything is done to it. So essentially, you would be sending password123 in plain text. Once it reaches the server it is then salted and hashed. So, from the client pc until the server, it is unprotected without SSL.

Keep in mind the examples I gave are very basic and probably easily guessed. You can get creative as possible when it comes to salting and hashing. username + password + securityquestion answer, hash then re-hash. You should definitely look it up on google. Also, just to get a good hands on experience and overall better understanding of what I'm talking about, install php and test it out on your own and print out the different output after each step to see the results and changes of the password and then finally how it will be stored. If your looking to secure the password before it gets sent then https/ssl is your best bet.

Unless it was intercepted without SSL, but intercepted WHEN and at what point?


It could be at several different points. Local network, network on which the server is on. I'm not saying that is how it happened, but it is a possibility. The hash used could also be a factor. For instance md5 is weaker than sha256.

There are some other members who can give you some great advice that just haven't been on yet. Wait it out and weigh your options.
User avatar
LoGiCaL__
Addict
Addict
 
Posts: 1080
Joined: Sun May 30, 2010 12:33 pm
Blog: View Blog (0)


Re: Brute-Force vs. Salt etc.+ [PHP5]

Post by VadimCool on Fri Mar 23, 2012 8:16 pm
([msg=65179]see Re: Brute-Force vs. Salt etc.+ [PHP5][/msg])

Duhh, lol, I wasn't confused about those things you thought I was confused about. But NOW I got confused again... So great back to square 1 again! Ok..

#1 Local PC with a form sending Username: Vadim => over to Server where the web-site files are hosted at and there the MAGICK of hashing happens when it needs to happen => sending the request to the SQL Database to check for the validity of the Username.. BUT! That's where I'm getting off...

#2 I am a user, in order to log in I don't know anything about hashes and salt and am not suppose to. So I log in using my normal Username: Vadim. Lets skip the password to make this easier.. And on the other side somewhere in China lol or in Russia there is a noob trying to hack whatever username available he can possibly get his hands on. And finally he stumbeled on the name "Vadim" which went trough the same way I will be typing it in. But where instead the hacker used brute-force to type it in maybe 1000000times while I just used 1 try to type it in. But the same name is being typed in the form where neither parties have to think about any salts or hashes. That's what I was trying to say that the only reason I can see for a salted hash is on some sort of a local network.. not when it comes to far away attacks from distance. Unless I'm not sure what kind of interception it is possible to make on my connection between my local PC and the server from very far away. It is very unlikely I think considering that people shouldn't know much about me.

#3 So that would be the 3rd time I will ask the question what does salt have to do with brute-force attack? lol :mrgreen: Seriously.. don't confuse me any more than I already am lol Thanks guys.
User avatar
VadimCool
New User
New User
 
Posts: 10
Joined: Wed Mar 21, 2012 6:13 pm
Location: Denmark
Blog: View Blog (0)


Re: Brute-Force vs. Salt etc.+ [PHP5]

Post by tgoe on Fri Mar 23, 2012 8:50 pm
([msg=65181]see Re: Brute-Force vs. Salt etc.+ [PHP5][/msg])

You're pretty confusing yourself :)

Well I already wrote it so here's a program to play with 3 different versions of the same username/password database... plaintext, hashed and salted hashes.

accounts.py
Code: Select all
import hashlib
import random
import anydbm
import os
import os.path


class DB(object):
    def __init__(self, dbname, datadir="db", dumpdir="dump"):
        if datadir:
            if not os.path.exists(datadir):
                os.mkdir(datadir)
            self.dbprefix = datadir
        else:
            self.dbprefix = ""
        if dumpdir:
            if not os.path.exists(dumpdir):
                os.mkdir(dumpdir)
            self.dumpprefix = dumpdir
        else:
            self.dumpprefix = ""
        self.dbname = os.path.join(self.dbprefix, dbname)

    def write(self, key, val):
        self.db = anydbm.open(self.dbname, 'c')
        self.db[key] = val
        self.db.close()

    def read(self, key):
        self.db = anydbm.open(self.dbname, 'c')
        val = self.db[key]
        return val

    def has_key(self, key):
        self.db = anydbm.open(self.dbname, 'c')
        return self.db.has_key(key)

    def _dump(self, outfile):
        self.db = anydbm.open(self.dbname, 'c')
        keys = self.db.keys()
        f = open(os.path.join(self.dumpprefix, outfile), 'w')
        keys.sort()
        for key in keys:
            f.write("%s:%s\n" % (key, self.db[key]))
        f.close()


class Plain(object):
    dbname = "plain.db"
    db = DB(dbname)

    def __init__(self, name):
        self.name = name
        self.password = None

    def setPassword(self, password):
        self.password = password

    def checkUser(self):
        return self.db.has_key(self.name)

    def checkPassword(self, inputPass):
        return inputPass == self.db.read(self.name)

    def save(self):
        self.db.write(self.name, self.password)


class Hashed(Plain):
    dbname = "hashed.db"
    db = DB(dbname)

    def __init__(self, name):
        super(Hashed, self).__init__(name)

    def setPassword(self, password):
        self.password = hashlib.sha256(password).hexdigest()

    def checkPassword(self, inputPass):
        inputPass = hashlib.sha256(inputPass).hexdigest()
        return inputPass == self.db.read(self.name)


class SaltedHashed(Hashed):
    dbname = "saltedhashed.db"
    saltsname = "salts.db"
    db = DB(dbname)
    salts = DB(saltsname)

    def __init__(self, name):
        super(SaltedHashed, self).__init__(name)
        if self.salts.has_key(self.name):
            self.salt = self.salts.read(name)
        else:
            self.salt = str(random.randint(0, 100000000000))

    def setPassword(self, password):
        self.salt = str(random.randint(0, 100000000000))
        self.password = hashlib.sha256(self.salt + password).hexdigest()

    def checkPassword(self, inputPass):
        inputPass = hashlib.sha256(self.salt + inputPass).hexdigest()
        return inputPass == self.db.read(self.name)

    def save(self):
        self.salts.write(self.name, self.salt)
        self.db.write(self.name, self.password)


def dump(salts=False):
    DB(Plain.dbname)._dump(Plain.dbname + ".txt")
    DB(Hashed.dbname)._dump(Hashed.dbname + ".txt")
    DB(SaltedHashed.dbname)._dump(SaltedHashed.dbname + ".txt")
    if salts:
        DB(SaltedHashed.saltsname)._dump(SaltedHashed.saltsname + ".txt")


login.py
Code: Select all
#!/usr/bin/env python

import sys
import random
import accounts
import time

ATTEMPTS = 1

def generate():
    usernames = ['root', 'admin', 'user', 'toor', 'alice', 'bob', 'cindy']
    passwords = ['secret', 'god', 'sex', 'love']

    for user in usernames:
        print("Generating account for '%s'" % (user))
        pw = random.choice(passwords)
        types = [
                 accounts.Plain(user),
                 accounts.Hashed(user),
                 accounts.SaltedHashed(user)
                ]
        for acct in types:
            acct.setPassword(pw)
            acct.save()

def exploit():
    print("Running exploit...")
    print("USERNAME> 656c 7465")
    print("PASSWORD> 6168 6b63 007a")
    accounts.dump(True)
    print("Done.")

def login():
    user = raw_input("USERNAME> ")
    pw = raw_input("PASSWORD> ")
    success = 0
    types = [
             accounts.Plain(user),
             accounts.Hashed(user),
             accounts.SaltedHashed(user)
            ]
    for acct in types:
        if accounts.DB(acct.dbname).has_key(user):
            if acct.checkPassword(pw):
                success += 1
    if success == 3:
        print("Login successful.")
    else:
        print("ACCESS DENIED.")
        global ATTEMPTS
        ATTEMPTS += 1
        print("You must wait %d seconds to try again." % (ATTEMPTS**ATTEMPTS))
        time.sleep(ATTEMPTS**ATTEMPTS)

def register():
    user = raw_input("USERNAME> ")
    pw = raw_input("PASSWORD> ")
    types = [
             accounts.Plain(user),
             accounts.Hashed(user),
             accounts.SaltedHashed(user)
            ]
    for acct in types:
        if accounts.DB(acct.dbname).has_key(user):
            print("USERNAME taken")
            return
    print("Generating account for '%s'" % (user))
    for acct in types:
        acct.setPassword(pw)
        acct.save()

def menu():
    options = {
                'r': register,
                'l': login,
                'e': exploit,
                'g': generate,
                'q': sys.exit
              }
    opt = "r=register, l=login, e=exploit, g=generate, q=quit: "
    o = raw_input(opt).lower()
    try:
        options[o]()
    except KeyError as c:
        print("Invalid option: " + str(c))
    return True

if __name__ == '__main__':
    while menu():
        pass


Sample dumps:

plain.db.txt
Code: Select all
admin:god
alice:love
bob:love
cindy:love
root:god
toor:god
user:sex


hashed.db.txt
Code: Select all
admin:5723360ef11043a879520412e9ad897e0ebcb99cc820ec363bfecc9d751a1a99
alice:686f746a95b6f836d7d70567c302c3f9ebb5ee0def3d1220ee9d4e9f34f5e131
bob:686f746a95b6f836d7d70567c302c3f9ebb5ee0def3d1220ee9d4e9f34f5e131
cindy:686f746a95b6f836d7d70567c302c3f9ebb5ee0def3d1220ee9d4e9f34f5e131
root:5723360ef11043a879520412e9ad897e0ebcb99cc820ec363bfecc9d751a1a99
toor:5723360ef11043a879520412e9ad897e0ebcb99cc820ec363bfecc9d751a1a99
user:98d44e13f455d916674d38424d39e1cb01b2a9132aacbb7b97a6f8bb7feb2544


saltedhashed.db.txt
Code: Select all
admin:3acc45fc6fa12c2ad55b1faaa11c5bde51c0e7fe0404da22bea621984cc093c0
alice:e7d9f3a5f3c2c64f6f005a9016eb1d0f76dd6b25f3382c2843af67e3532fbbb4
bob:357929594e7bf56ed4eda1d523e0fc4be39154c86bcecf9968a6781815dee35b
cindy:f50416470765fa15a4827809b74b337a1d64b86a055e5ffddbb97c0c5b7ece78
root:cbd2665e0ed6a6925ca0c2024d168ce56ed3a1bbac6ac10381676faeac582829
toor:c709e4982f04037abbd9dd2a47ca7c31df16d9fb478cf31b8b0f6eb182e7a6c8
user:3ecd66bc367fed7309a6f30b718a025498e364b39d5bf6243e40b56bdc11bd91


Keep in mind that each db represents the same username/password combos. The salted version masks the fact that users pick weak passwords. Never use a 'solid salt' like you mentioned. Randomized salts require the attacker to generate a rainbow table for each individual account.

And like I mentioned in the earlier post.. bruteforce isn't necessarily about automating the user interface.

tl;dr: salts make rainbow tables hard
User avatar
tgoe
Contributor
Contributor
 
Posts: 718
Joined: Sun Sep 28, 2008 2:33 pm
Location: q3dm7
Blog: View Blog (0)


Re: Brute-Force vs. Salt etc.+ [PHP5]

Post by VadimCool on Fri Mar 23, 2012 9:27 pm
([msg=65182]see Re: Brute-Force vs. Salt etc.+ [PHP5][/msg])

tgoe wrote:Nothing to do with hashing.

Ohh, thanks, now you're telling me... hehe.. HOW DID I MISS THAT!!?
Ok, nevermind... ehm py is awesome, but I know only the old version of PHP...+mysqli , so I really didn't get much out of that example.. But it's cool to have more examples just in case. Thanks.

Ok, so if it hasn't to do anything with hashing.. then we're left with fewer possibilities and closer to figure out what we ACTUALLY need to avoid such future attacks. Here is what I know now:

#1 If logging in from Home or some sort of a Public Network and hacker knows where you live, in this case it is very likely that even though hacker did get help from foreign country, the one who called for help is living in my country and could easily got close to my friend's location. So in that case hacking a router would be easier than hacking the web-site. BUT, that's a bit scary to know someone is outside your door trying to hack your network. And why then need any help from the outside friends??? Doesn't make any sense.

#2 If in need of the outside force, that means possibly more computers and more hacking skills to take the web-site down. Then again how long time will it take to brute-force a Username and Password both of 10 characters in lenght? Isn't it like about 20 letters ^10th = 10 240 000 000 000 that is a hell of a number not to mention the password maybe 30symbols and characters^10 for every character and so 10 times over.. Ehh.. If my math is anywhere near correct, then this is hopless attack.

#3 They could have taken the site using the back-door and not the front-door by going directly trough the web-site's hosting service provider's web-site. But I'm not sure how tight their security would be at that point. Maybe they are using some sort of smart spotting system to recognize automated brute-force attacks. Or they couldn't have hacked the e-mail as the e-mail is provided by the hosting services, almost sure of it.

#.. So what the heck is there left? If not an automated brute-force, then what??? And what's up with the outreach to the foreign country? Unless they trying to confuse all of us to make us think that Anonymous are some sort of IMMORTALS!

-- 10 hours later update --

I think I found out the problem... it was the backdoor. It's funny because in my case I have 2 backdoors. 1st when I login to my account from my web-hosting website to see what web-hosting solutions I have purchased and so on.. and to get access to any Hotels I have available from there. 2nd every hosting package I have, has an FTP with user and pass as well. So I guess the username lenght isn't very relevant in this case. But the password in both cases should be at least 12 characters and up to 18 characters including if possible, symbols like */#@. That way even if brute-force timers and captchars are removed, it should take the hacker years to crack the password. By that time you can change the password at least twice! So thanks all for your input. And you are still welcome to answer any unanswered questions of mien. It will be appreciated. :P
User avatar
VadimCool
New User
New User
 
Posts: 10
Joined: Wed Mar 21, 2012 6:13 pm
Location: Denmark
Blog: View Blog (0)



Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests