SQLMap --data trick

I’ve recently learned a new trick about sqlmap that I think is worth sharing. If you already know this, more power to you; if not, I hope this helps you out.

The scenario where I learned this trick was as follows: I was trying to run sqlmap against a web form that I had identified as being vulnerable to SQL injection. I ran sqlmap with the usual --forms switch after providing it the web address of the form, and off sqlmap went. However, as soon as the tool started parsing the page, I kept receiving errors about malformed HTML, which caused sqlmap to error out and quit immediately. I tried running the same command a couple more times, all with the same result, and was therefore unable to get sqlmap to run against the form field.

Needless to say, I was pretty disappointed, because I knew the form had an injection flaw. It was obviously possible to manually exploit the flaw to dump the data out of the DBMS behind the form, but an automated tool such as sqlmap would get the job done much quicker, so I set out to research how to fix this. Within about 30 minutes, I found my answer.

I discovered that instead of giving sqlmap the -u URL of the page that displays the form, I should give it the URL of the page that processes the form. Next, since the information is passed via a POST request, I needed to copy the variables and values sent in that POST request and feed them to sqlmap. To gather this information, I started Burp Suite, navigated to the form, ensured intercept was on, and then submitted data through the form. Burp caught the form processing URL and all the data being sent in the POST request. I copied the URL and set it as the -u value for sqlmap, and I copied the POST body and set it as the --data value. The last piece I used within the sqlmap command (before saying what I wanted out of the DBMS, such as --dbs or --tables) was the -p switch. This switch lets me specify which parameter I want sqlmap to target. Since I had already identified the injection flaw within the form, I just found the variable name of the injectable form field and provided it with -p.

Edit: Want to give sqlmap the whole request in a single file, easily copied from Burp Suite? Just save the request that Burp intercepted to a text file, then call sqlmap and pass it that file with the -r switch. This tells sqlmap to read the URL and variables from the request file.

To help show what I mean, I’ll use my web page’s login form as a sample target. If I performed the exact steps above against my login page, the sqlmap command would look like this:

 ./sqlmap.py -u http://www.christophertruncer.com/wp-login.php --data="log=TestUserAccount&pwd=TestUserPassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.christophertruncer.com%2Fwp-admin%2F&testcookie=1" -p pwd --dbs

In the command above, I am giving it the wp-login.php page as the target. This is the page that processes the data sent in the POST request made by a browser (in this case, it is also the page where the form lives). The value of the --data switch is the body sent in the POST request to the form processing page. The -p switch names the parameter I am having sqlmap target, which in this case is the password field. Finally, the --dbs switch tells sqlmap that, once it has injected into the form, it should return the names of all databases stored on the backend database server.
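To make concrete what a saved request file carries and how the -u, --data and -p values fall out of it, here is an added Python example. It is not sqlmap’s own code and not the author’s; it assumes the file holds a single raw HTTP/1.x request (request line, header lines, blank line, body), which is the layout Burp writes when you save a request. The request text, host name and credentials below are constructed placeholders.

```python
"""Parse a raw HTTP request, as saved from Burp Suite, into the pieces that
sqlmap's -u, --data and -p switches take.

Added example; this is not sqlmap's own code and not the blog author's.  It
assumes the saved file holds one HTTP/1.x request: request line, header
lines, a blank line, then the body (the layout Burp writes)."""
from urllib.parse import parse_qsl, urlunsplit

# Constructed sample request modelled on the wp-login.php POST in the post;
# host and credentials are placeholders.
BODY = (
    "log=TestUserAccount&pwd=TestUserPassword&wp-submit=Log+In"
    "&redirect_to=http%3A%2F%2Fwww.example.com%2Fwp-admin%2F&testcookie=1"
)
SAMPLE_REQUEST = (
    "POST /wp-login.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n" + BODY
)


def parse_raw_request(raw: str, scheme: str = "http") -> dict:
    """Return method, full URL, headers, raw body and decoded form fields."""
    # Burp writes CRLF line endings; tolerate LF from hand-edited files.
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    body = body.rstrip("\n")          # editors often append a final newline
    lines = head.split("\n")
    request_line = lines[0].split()
    if len(request_line) != 3:
        raise ValueError("missing or malformed request line")
    method, target, _version = request_line

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    host = headers.get("host")
    if host is None:
        raise ValueError("no Host header; cannot build the target URL")
    # A Content-Length that disagrees with the body usually means the request
    # was truncated while copying; better to fail here than to test a partial
    # request and chase confusing errors later.
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        raise ValueError("Content-Length does not match the body length")

    # The request target carries the path (and any query string); the Host
    # header supplies the authority, so the absolute URL is rebuilt from both.
    path, _, query = target.partition("?")
    url = urlunsplit((scheme, host, path, query, ""))
    # Decode the form fields from the body (POST) or the query string (GET);
    # this is the list the -p parameter is chosen from.
    fields = dict(parse_qsl(body or query, keep_blank_values=True))
    return {"method": method, "url": url, "headers": headers,
            "data": body, "fields": fields}


def sqlmap_args(parsed: dict, param: str) -> list:
    """Build the -u / --data / -p argument list, refusing a -p that names a
    parameter the request does not actually contain."""
    if param not in parsed["fields"]:
        raise KeyError(f"{param!r} is not a parameter of this request; "
                       f"choose from {sorted(parsed['fields'])}")
    args = ["-u", parsed["url"]]
    if parsed["data"]:
        args += ["--data", parsed["data"]]
    return args + ["-p", param]


if __name__ == "__main__":
    req = parse_raw_request(SAMPLE_REQUEST)
    print(req["method"], req["url"])
    for name, value in req["fields"].items():
        print(f"  {name} = {value}")
    print(" ".join(sqlmap_args(req, "pwd")))
```

Running it lists the decoded form fields, which is the list you pick the -p parameter from; the Content-Length check catches a request that was cut short during copy and paste, a mistake that otherwise only shows up later as puzzling errors from the tool.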

Once I had set up the command above, I ran it, received no errors, and was able to automate gathering all the data I needed from the backend database.

Hope this helps in the event anyone comes across a malformed HTML error within sqlmap!

eHarmony Password Cracking with Pipal Analysis

Over the weekend I ran hashcat on my machine against the MD5 hashes from the eHarmony hack. One interesting thing to note is that all eHarmony passwords containing letters are stored uppercased. This reduces the keyspace and allows more effective brute force password checks.

After a couple of days of both dictionary and brute force attacks, I’ve found 1071380 passwords. Below are the stats that pipal (by Robin Wood, aka @digininja) produced.

Total entries = 1071380
Total unique entries = 1071376

Top 10 passwords
PHIL4 = 2 (0.0%)
PROV3 = 2 (0.0%)
JER29 = 2 (0.0%)
FREETOBEME = 2 (0.0%)
MAR141991 = 1 (0.0%)
KEZEA = 1 (0.0%)
LEJKA = 1 (0.0%)
BILHA = 1 (0.0%)
JENBA = 1 (0.0%)
POMAA = 1 (0.0%)

Top 10 base words
lisa = 254 (0.02%)
chris = 221 (0.02%)
tina = 196 (0.02%)
eric = 188 (0.02%)
nana = 167 (0.02%)
mama = 163 (0.02%)
usmc = 161 (0.02%)
emma = 158 (0.01%)
mike = 154 (0.01%)
lola = 146 (0.01%)

Password length (length ordered)
2 = 2 (0.0%)
3 = 2 (0.0%)
4 = 3 (0.0%)
5 = 46628 (4.35%)
6 = 253347 (23.65%)
7 = 279971 (26.13%)
8 = 200416 (18.71%)
9 = 133066 (12.42%)
10 = 90838 (8.48%)
11 = 35970 (3.36%)
12 = 18727 (1.75%)
13 = 7974 (0.74%)
14 = 4173 (0.39%)
15 = 277 (0.03%)

Password length (count ordered)
7 = 279971 (26.13%)
6 = 253347 (23.65%)
8 = 200416 (18.71%)
9 = 133066 (12.42%)
10 = 90838 (8.48%)
5 = 46628 (4.35%)
11 = 35970 (3.36%)
12 = 18727 (1.75%)
13 = 7974 (0.74%)
14 = 4173 (0.39%)
15 = 277 (0.03%)
4 = 3 (0.0%)
2 = 2 (0.0%)
3 = 2 (0.0%)

|
||
||
||
|||
|||
|||
|||
||||
||||
|||||
|||||
|||||
|||||||
||||||||
|||||||||||||||||
00000000001111111
01234567890123456

One to six characters = 299977 (28.0%)
One to eight characters = 780362 (72.84%)
More than eight characters = 291018 (27.16%)

Only lowercase alpha = 0 (0.0%)
Only uppercase alpha = 435542 (40.65%)
Only alpha = 435542 (40.65%)
Only numeric = 10457 (0.98%)

First capital last symbol = 158 (0.01%)
First capital last number = 493747 (46.09%)

Months
january = 27 (0.0%)
february = 5 (0.0%)
march = 191 (0.02%)
april = 251 (0.02%)
may = 2289 (0.21%)
june = 361 (0.03%)
july = 229 (0.02%)
august = 92 (0.01%)
september = 9 (0.0%)
october = 45 (0.0%)
november = 38 (0.0%)
december = 33 (0.0%)

Days
monday = 33 (0.0%)
tuesday = 11 (0.0%)
wednesday = 2 (0.0%)
thursday = 4 (0.0%)
friday = 32 (0.0%)
saturday = 4 (0.0%)
sunday = 30 (0.0%)

Months (Abreviated)
jan = 2971 (0.28%)
feb = 500 (0.05%)
mar = 10381 (0.97%)
apr = 742 (0.07%)
may = 2289 (0.21%)
jun = 1369 (0.13%)
jul = 1234 (0.12%)
aug = 850 (0.08%)
sept = 142 (0.01%)
oct = 665 (0.06%)
nov = 1021 (0.1%)
dec = 974 (0.09%)

Days (Abreviated)
mon = 6302 (0.59%)
tues = 21 (0.0%)
wed = 290 (0.03%)
thurs = 13 (0.0%)
fri = 915 (0.09%)
sat = 886 (0.08%)
sun = 1826 (0.17%)

Includes years
1975 = 641 (0.06%)
1976 = 637 (0.06%)
1977 = 649 (0.06%)
1978 = 714 (0.07%)
1979 = 656 (0.06%)
1980 = 827 (0.08%)
1981 = 715 (0.07%)
1982 = 725 (0.07%)
1983 = 736 (0.07%)
1984 = 849 (0.08%)
1985 = 733 (0.07%)
1986 = 727 (0.07%)
1987 = 715 (0.07%)
1988 = 580 (0.05%)
1989 = 652 (0.06%)
1990 = 479 (0.04%)
1991 = 441 (0.04%)
1992 = 339 (0.03%)
1993 = 278 (0.03%)
1994 = 299 (0.03%)
1995 = 361 (0.03%)
1996 = 322 (0.03%)
1997 = 318 (0.03%)
1998 = 415 (0.04%)
1999 = 469 (0.04%)
2000 = 1443 (0.13%)
2001 = 816 (0.08%)
2002 = 752 (0.07%)
2003 = 814 (0.08%)
2004 = 877 (0.08%)
2005 = 1083 (0.1%)
2006 = 1235 (0.12%)
2007 = 1302 (0.12%)
2008 = 1401 (0.13%)
2009 = 1373 (0.13%)
2010 = 897 (0.08%)
2011 = 202 (0.02%)
2012 = 228 (0.02%)
2013 = 85 (0.01%)
2014 = 52 (0.0%)
2015 = 57 (0.01%)
2016 = 46 (0.0%)
2017 = 43 (0.0%)
2018 = 50 (0.0%)
2019 = 95 (0.01%)
2020 = 390 (0.04%)

Years (Top 10)
2000 = 1443 (0.13%)
2008 = 1401 (0.13%)
2009 = 1373 (0.13%)
2007 = 1302 (0.12%)
2006 = 1235 (0.12%)
2005 = 1083 (0.1%)
2010 = 897 (0.08%)
2004 = 877 (0.08%)
1984 = 849 (0.08%)
1980 = 827 (0.08%)

Single digit on the end = 102834 (9.6%)
Two digits on the end = 145583 (13.59%)
Three digits on the end = 74986 (7.0%)

Last number
0 = 45295 (4.23%)
1 = 96804 (9.04%)
2 = 56343 (5.26%)
3 = 56725 (5.29%)
4 = 43399 (4.05%)
5 = 44898 (4.19%)
6 = 40625 (3.79%)
7 = 46685 (4.36%)
8 = 40858 (3.81%)
9 = 45590 (4.26%)

|
|
|
|
|
|
|||
|||
|||||| | |
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789

Last digit
1 = 96804 (9.04%)
3 = 56725 (5.29%)
2 = 56343 (5.26%)
7 = 46685 (4.36%)
9 = 45590 (4.26%)
0 = 45295 (4.23%)
5 = 44898 (4.19%)
4 = 43399 (4.05%)
8 = 40858 (3.81%)
6 = 40625 (3.79%)

Last 2 digits (Top 10)
23 = 15230 (1.42%)
12 = 11373 (1.06%)
11 = 10914 (1.02%)
01 = 10281 (0.96%)
00 = 8981 (0.84%)
21 = 8385 (0.78%)
22 = 8264 (0.77%)
13 = 7935 (0.74%)
69 = 7928 (0.74%)
07 = 7778 (0.73%)

Last 3 digits (Top 10)
123 = 8690 (0.81%)
007 = 2778 (0.26%)
000 = 2628 (0.25%)
234 = 2469 (0.23%)
777 = 1759 (0.16%)
001 = 1685 (0.16%)
009 = 1674 (0.16%)
008 = 1653 (0.15%)
111 = 1611 (0.15%)
101 = 1601 (0.15%)

Last 4 digits (Top 10)
1234 = 1995 (0.19%)
2008 = 1277 (0.12%)
2009 = 1258 (0.12%)
2000 = 1192 (0.11%)
2007 = 1171 (0.11%)
2006 = 1097 (0.1%)
2005 = 967 (0.09%)
2345 = 909 (0.08%)
2004 = 784 (0.07%)
2010 = 782 (0.07%)

Last 5 digits (Top 10)
12345 = 793 (0.07%)
23456 = 444 (0.04%)
54321 = 153 (0.01%)
55555 = 133 (0.01%)
11111 = 123 (0.01%)
77777 = 110 (0.01%)
56789 = 106 (0.01%)
00000 = 94 (0.01%)
96969 = 66 (0.01%)
34567 = 65 (0.01%)

US Area Codes
234 = NE Ohio: Canton, Akron (OH)

Character sets
upperalphanum: 624283 (58.27%)
upperalpha: 435542 (40.65%)
numeric: 10457 (0.98%)
upperalphaspecialnum: 482 (0.04%)
upperalphaspecial: 473 (0.04%)
specialnum: 67 (0.01%)

Character set ordering
stringdigit: 479830 (44.79%)
allstring: 435542 (40.65%)
digitstring: 58288 (5.44%)
stringdigitstring: 50016 (4.67%)
othermask: 24689 (2.3%)
digitstringdigit: 11889 (1.11%)
alldigit: 10457 (0.98%)
stringspecialstring: 342 (0.03%)
stringspecialdigit: 223 (0.02%)
stringspecial: 90 (0.01%)
specialstring: 8 (0.0%)
specialstringspecial: 6 (0.0%)

Hashcat masks (Top 10)
?u?u?u?u?u?u?u?u: 108525 (10.13%)
?u?u?u?u?u?u: 101112 (9.44%)
?u?u?u?u?u?u?u: 88475 (8.26%)
?u?u?u?d?d?d?d: 52666 (4.92%)
?u?u?u?u?u?u?u?u?u: 50870 (4.75%)
?u?u?u?u?d?d: 38725 (3.61%)
?u?u?u?u?u?u?u?u?u?u: 33055 (3.09%)
?u?u?u?u?u?d?d: 32912 (3.07%)
?u?u?d?d?d?d: 30207 (2.82%)
?u?u?u?u?u?u?d: 26176 (2.44%)

LinkedIn Passwords Cracked with Pipal Stats – Work in Progress

I’ve spent the past couple of days attempting to crack the hashes from the LinkedIn dump. I’ve used a combination of dictionary and brute-force methods to discover the plaintext passwords.

I am still in the process of cracking the hashes; however, I wanted to take a second and run Pipal (a great tool by Robin Wood (@digininja) that produces statistics that can aid the password cracking process) to start finding patterns, and to modify my cracking masks to find new ones.

After reviewing the current stats, I’ve already identified a number of things to change to help find more passwords.

These stats will change as more passwords are found, but I’ve copied the current output from Pipal into this post. I’ll be interested to see whether others can verify these findings. I also hope the output can help other researchers.

If anyone has any questions, comments, or suggestions, feel free to get in touch with me @christruncer.

Enjoy


Total entries = 3123784
Total unique entries = 3123784

Top 10 passwords
““““ = 1 (0.0%)
^^%#!# = 1 (0.0%)
^(!)## = 1 (0.0%)
^&^&^&^& = 1 (0.0%)
^#^$%^ = 1 (0.0%)
^#!(%( = 1 (0.0%)
^%$#@! = 1 (0.0%)
^%#)** = 1 (0.0%)
~!@#$% = 1 (0.0%)
<>,.>< = 1 (0.0%)

Top 10 base words
link = 2159 (0.07%)
alex = 1342 (0.04%)
mike = 1287 (0.04%)
june = 1161 (0.04%)
password = 1127 (0.04%)
love = 1119 (0.04%)
john = 1027 (0.03%)
linked = 1019 (0.03%)
july = 961 (0.03%)
blue = 936 (0.03%)

Password length (length ordered)
1 = 23 (0.0%)
2 = 32 (0.0%)
3 = 71 (0.0%)
4 = 74 (0.0%)
5 = 104 (0.0%)
6 = 574821 (18.4%)
7 = 528687 (16.92%)
8 = 1073209 (34.36%)
9 = 478872 (15.33%)
10 = 274961 (8.8%)
11 = 111567 (3.57%)
12 = 52246 (1.67%)
13 = 18346 (0.59%)
14 = 7905 (0.25%)
15 = 2881 (0.09%)

Password length (count ordered)
8 = 1073209 (34.36%)
6 = 574821 (18.4%)
7 = 528687 (16.92%)
9 = 478872 (15.33%)
10 = 274961 (8.8%)
11 = 111567 (3.57%)
12 = 52246 (1.67%)
13 = 18346 (0.59%)
14 = 7905 (0.25%)
15 = 2881 (0.09%)
5 = 104 (0.0%)
4 = 74 (0.0%)
3 = 71 (0.0%)
2 = 32 (0.0%)
1 = 23 (0.0%)

|
|
|
|
|
|
|
| |
||||
||||
||||
|||||
|||||
|||||
||||||
||||||||||||||||
0000000000111111
0123456789012345

One to six characters = 575119 (18.41%)
One to eight characters = 2177013 (69.69%)
More than eight characters = 946771 (30.31%)

Only lowercase alpha = 829695 (26.56%)
Only uppercase alpha = 21300 (0.68%)
Only alpha = 850995 (27.24%)
Only numeric = 190553 (6.1%)

First capital last symbol = 23393 (0.75%)
First capital last number = 317485 (10.16%)

Months
january = 276 (0.01%)
february = 110 (0.0%)
march = 969 (0.03%)
april = 1173 (0.04%)
may = 5719 (0.18%)
june = 1762 (0.06%)
july = 1186 (0.04%)
august = 766 (0.02%)
september = 194 (0.01%)
october = 403 (0.01%)
november = 288 (0.01%)
december = 304 (0.01%)

Days
monday = 270 (0.01%)
tuesday = 106 (0.0%)
wednesday = 36 (0.0%)
thursday = 55 (0.0%)
friday = 278 (0.01%)
saturday = 43 (0.0%)
sunday = 150 (0.0%)

Months (Abreviated)
jan = 9753 (0.31%)
feb = 1302 (0.04%)
mar = 39626 (1.27%)
apr = 2803 (0.09%)
may = 5719 (0.18%)
jun = 4717 (0.15%)
jul = 6017 (0.19%)
aug = 2926 (0.09%)
sept = 924 (0.03%)
oct = 2277 (0.07%)
nov = 3557 (0.11%)
dec = 2879 (0.09%)

Days (Abreviated)
mon = 18611 (0.6%)
tues = 135 (0.0%)
wed = 1193 (0.04%)
thurs = 107 (0.0%)
fri = 3910 (0.13%)
sat = 3201 (0.1%)
sun = 7040 (0.23%)

Includes years
1975 = 3135 (0.1%)
1976 = 3104 (0.1%)
1977 = 3144 (0.1%)
1978 = 3328 (0.11%)
1979 = 3261 (0.1%)
1980 = 3910 (0.13%)
1981 = 3381 (0.11%)
1982 = 3354 (0.11%)
1983 = 2957 (0.09%)
1984 = 2996 (0.1%)
1985 = 2354 (0.08%)
1986 = 1906 (0.06%)
1987 = 1621 (0.05%)
1988 = 1364 (0.04%)
1989 = 1230 (0.04%)
1990 = 1204 (0.04%)
1991 = 1143 (0.04%)
1992 = 1001 (0.03%)
1993 = 1056 (0.03%)
1994 = 1238 (0.04%)
1995 = 1429 (0.05%)
1996 = 1553 (0.05%)
1997 = 1617 (0.05%)
1998 = 1924 (0.06%)
1999 = 2320 (0.07%)
2000 = 7743 (0.25%)
2001 = 4349 (0.14%)
2002 = 4076 (0.13%)
2003 = 3924 (0.13%)
2004 = 4345 (0.14%)
2005 = 4928 (0.16%)
2006 = 5288 (0.17%)
2007 = 6166 (0.2%)
2008 = 7916 (0.25%)
2009 = 4912 (0.16%)
2010 = 6822 (0.22%)
2011 = 6887 (0.22%)
2012 = 2404 (0.08%)
2013 = 314 (0.01%)
2014 = 236 (0.01%)
2015 = 238 (0.01%)
2016 = 208 (0.01%)
2017 = 199 (0.01%)
2018 = 224 (0.01%)
2019 = 436 (0.01%)
2020 = 1006 (0.03%)

Years (Top 10)
2008 = 7916 (0.25%)
2000 = 7743 (0.25%)
2011 = 6887 (0.22%)
2010 = 6822 (0.22%)
2007 = 6166 (0.2%)
2006 = 5288 (0.17%)
2005 = 4928 (0.16%)
2009 = 4912 (0.16%)
2001 = 4349 (0.14%)
2004 = 4345 (0.14%)

Single digit on the end = 350379 (11.22%)
Two digits on the end = 575205 (18.41%)
Three digits on the end = 203834 (6.53%)

Last number
0 = 168275 (5.39%)
1 = 367045 (11.75%)
2 = 188843 (6.05%)
3 = 200913 (6.43%)
4 = 140753 (4.51%)
5 = 140199 (4.49%)
6 = 126615 (4.05%)
7 = 151775 (4.86%)
8 = 137828 (4.41%)
9 = 144357 (4.62%)

|
|
|
|
|
|
|
|||
||||
|||||| |||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789

Last digit
1 = 367045 (11.75%)
3 = 200913 (6.43%)
2 = 188843 (6.05%)
0 = 168275 (5.39%)
7 = 151775 (4.86%)
9 = 144357 (4.62%)
4 = 140753 (4.51%)
5 = 140199 (4.49%)
8 = 137828 (4.41%)
6 = 126615 (4.05%)

Last 2 digits (Top 10)
23 = 65415 (2.09%)
01 = 59404 (1.9%)
11 = 50754 (1.62%)
12 = 43549 (1.39%)
00 = 42332 (1.36%)
10 = 33730 (1.08%)
07 = 29416 (0.94%)
99 = 27473 (0.88%)
08 = 26396 (0.85%)
22 = 24695 (0.79%)

Last 3 digits (Top 10)
123 = 46505 (1.49%)
007 = 13480 (0.43%)
000 = 13360 (0.43%)
234 = 12088 (0.39%)
001 = 10681 (0.34%)
008 = 8320 (0.27%)
010 = 7622 (0.24%)
111 = 7302 (0.23%)
011 = 7254 (0.23%)
999 = 5978 (0.19%)

Last 4 digits (Top 10)
1234 = 10841 (0.35%)
2008 = 7165 (0.23%)
2000 = 6911 (0.22%)
2010 = 5842 (0.19%)
2011 = 5765 (0.18%)
2007 = 5561 (0.18%)
2006 = 4763 (0.15%)
2009 = 4386 (0.14%)
2005 = 4377 (0.14%)
2004 = 3848 (0.12%)

Last 5 digits (Top 10)
12345 = 2858 (0.09%)
23456 = 1346 (0.04%)
54321 = 397 (0.01%)
00000 = 330 (0.01%)
11111 = 294 (0.01%)
55555 = 220 (0.01%)
77777 = 213 (0.01%)
45678 = 184 (0.01%)
34567 = 177 (0.01%)
56789 = 172 (0.01%)

Character sets
loweralphanum: 1469801 (47.05%)
loweralpha: 829695 (26.56%)
mixedalphanum: 348160 (11.15%)
numeric: 190553 (6.1%)
mixedalpha: 79534 (2.55%)
loweralphaspecialnum: 54671 (1.75%)
mixedalphaspecialnum: 50166 (1.61%)
upperalphanum: 33844 (1.08%)
loweralphaspecial: 25687 (0.82%)
upperalpha: 21300 (0.68%)
mixedalphaspecial: 10436 (0.33%)
upperalphaspecialnum: 2606 (0.08%)
specialnum: 2512 (0.08%)
upperalphaspecial: 859 (0.03%)
special: 168 (0.01%)

Character set ordering
stringdigit: 1432870 (45.87%)
allstring: 930529 (29.79%)
alldigit: 190553 (6.1%)
stringdigitstring: 178044 (5.7%)
othermask: 159383 (5.1%)
digitstring: 121673 (3.9%)
stringspecialdigit: 41091 (1.32%)
digitstringdigit: 35033 (1.12%)
stringspecialstring: 17847 (0.57%)
stringspecial: 13070 (0.42%)
specialstring: 2137 (0.07%)
specialstringspecial: 1386 (0.04%)
allspecial: 168 (0.01%)

Hashcat masks (Top 10)
?l?l?l?l?l?l?l?l: 238761 (7.64%)
?l?l?l?l?l?l?d?d: 183616 (5.88%)
?l?l?l?l?l?l: 175645 (5.62%)
?l?l?l?l?l?l?l: 148901 (4.77%)
?l?l?l?l?l?l?l?l?l: 127938 (4.1%)
?l?l?l?l?d?d?d?d: 107499 (3.44%)
?d?d?d?d?d?d: 93340 (2.99%)
?l?l?l?l?l?l?l?l?l?l: 78643 (2.52%)
?l?l?l?l?l?d?d: 75618 (2.42%)
?l?l?l?l?l?l?l?d: 67087 (2.15%)

Certifications – Don’t blame them! Change the hiring process.

Before I begin with this post, it should be known that I hold a number of certifications. However, I do feel that I can write this article without any bias; take from it what you want.

For the past few months now, I’ve seen a constant, if not increasing, number of anti-certification and anti-certification-body posts, tweets, etc. These have come from a wide variety of individuals and (if memory serves me correctly) even some articles on IT-related websites. However, one thing you almost always see in common with these certification rants is that no alternative is provided.

So what’s the point of IT certifications?  The reason we have certifications is to try to provide some sort of standardized method of testing individuals and demonstrating the level of knowledge that an individual has.  While IT professionals can use certifications as a method of ranking one’s knowledge of different concepts, IT professionals, seeing as they work in the field themselves, are generally capable of judging another person’s level of knowledge through interaction with one another, typically better than any certification can.

So what about those who don’t work in IT? IT “outsiders” typically don’t have the same skill set as those who work in IT, and therefore they are usually unable to judge the level of knowledge required for a position in relation to a potential candidate. As a result, the certifications an individual holds are what is typically relied on in the early stages of an interview.

The complaints I have seen lately stem from claims that certain certifications are useless, that a certification doesn’t mean an individual knows anything, or that anyone can learn enough to pass a test.

All of these are valid points.

I am in no way arguing against these points.  However, if there is a failure within the hiring process while also using certifications as a metric, I would argue that the bigger problem is in your candidate vetting process.  Almost all HR/Recruiting departments (except for those that specialize in IT recruiting) need some sort of metric to measure a candidate to determine if they are worth passing on to a hiring manager.  IT professionals cannot expect any recruiter to be able to make a solid judgement of the level of knowledge that a job candidate has.  Recruiters simply do not have the background that IT professionals do, so it is not realistically possible for a recruiter to pass judgement.

This is where certifications come in. Recruiters rely on the hiring manager to provide some sort of base requirements for jobs. A hiring manager can provide certifications as a way to establish a base level of knowledge that a recruiter can screen for. However, this quite obviously should not be the only hurdle, simply because (as pointed out earlier) almost anyone can learn to pass a test. At this point, a technical interview should be performed to assess a candidate’s true level of knowledge and experience. This should be the most important part of the candidate vetting process, as it is the only chance to get the best picture of what a potential hire knows before bringing them on and working full time with them.

Another point might be that some people “hate” certifications so much that they will purposely not be tested for any of them (or for specific ones), and then valid candidates could be “skipped over”. While this obviously cannot be backed up with facts, I believe the number of candidates that fall into this category is far smaller than the number who may still dislike certifications but obtained some anyway as a result of job requirements. Those who do not obtain certifications out of a lack of respect for certs knowingly limit their own career opportunities, and I think this is almost a disservice to that individual.

In all the anti-certification posts that I have seen, I have yet to see anyone provide another usable metric that non-IT people could use to measure where a candidate stands in what they know. To declare a problem and not provide a solution, not even an idea, is not an answer. Anyone can say any system is broken or flawed (a lot of systems far beyond the realm of IT are), but it just might be the best system out there at the moment. Just claiming something doesn’t work provides a service to no one.

I’m challenging the anti-certification crowd to step up and provide the industry with a viable alternative.  I agree the certification route isn’t perfect, but it’s the best thing we have out there at the moment, which is why you won’t see any anti-certification posts come from me.  Provide the industry with a better, realistic, alternative than certifications, and I will be among the first to hop on that bandwagon.

However, I’m still waiting.

How Did I Figure Out I Wanted to Work in IT Security?

Every so often, I’ve been asked by people how I got started in the security world, specifically within IT. To be honest, it’s a little amusing to me, since I know there is so much more out there I still have to learn. But looking back, I can see that I have come quite a ways, and I have loved every step along the way. I figured it might be worthwhile to post my thoughts on the path I took into this great industry, and to give my thoughts on what makes a successful security person (by no means can I provide an all-encompassing list; these are just my thoughts). This will be broken up into numerous blog posts on here.

My first exposure to security probably came at college, which I know is significantly later than for many others out there. I took my first security class at a school that barely offered any, and I could not wait for it to begin. Throughout the course, I realized it wasn’t going to be all that intensive; I found the material easy and very logical to understand, which resulted in great grades for the class. However, the real learning came when I began talking to the teacher and meeting up with him after class. Through this one-on-one time, I was exposed to the first hacking tool I’d ever seen, Metasploit. I still remember him saying, “Hey, see that server over there? Watch this.” He then fired up Metasploit on his computer, typed in all of his commands, and boom, a shell popped up. When I saw him make a folder via the shell and then watched it pop up on the desktop of the server, it was like black magic to me. At the time, I felt like people always heard about hacking attacks and network infiltrations, but they were just some news story far away that doesn’t really happen. When I saw it happen right in front of my eyes, it was like my whole world opened up.

I went home that very same day, installed Auditor (this was pre-BackTrack) and fired up Metasploit. This was my very first interaction with not only Metasploit but Linux as well. I had never used Linux; I knew of it, but had just never tried it before. I can’t tell you the number of times I lost my documents (until I finally started saving them on a USB drive) while trying to learn how to set up dual partitions on a single hard drive to run Linux and Windows. I finally settled on Kubuntu at the time and started trying to learn the OS.

At the same time, I was lucky enough to have a roommate who told me, “Yeah, you can try hacking into my computer.” So I did. It took quite some time, as I never really knew what I was doing. But, like the security class, I still remember the first time I was able to break into his system. It was some basic remote code execution flaw that he hadn’t patched on his XP computer, and I set up a VNC injection as the payload. I just couldn’t believe my eyes when I saw it had worked, his actual desktop showed up on my computer, and I could move his mouse from my computer.

It was right then and there, that I knew exactly what I wanted to do as my job.

Shmoocon 2012 Recap

I was one of the lucky few to bypass the crowd-inflicted DoS attack and get a barcode to Shmoocon. It was a nerve-wracking experience where all my coworkers and I did was press F5 as fast as we could, but it paid off and we were able to attend.

Being my first Shmoocon, I didn’t know what to expect. Registration looked like it was going to be a nightmare, but it was an extremely fast process, since all they needed to do was scan our barcodes. The talks that were presented were great. In my opinion, among the most interesting were a talk on NFC by Kristin Paget and the different talks by the EFF. Kristin Paget showed that with a quick read of a credit card via NFC, anyone can easily reprogram a mag stripe with the information read from the NFC transaction and charge the credit card like normal. Marcia Hofmann gave a great presentation on the disclosure of passwords, and when the government can force you to disclose your password. Hanni Fakhoury also gave a presentation, essentially on anticipatory obstruction of justice when it comes to deleting or destroying evidence. These were probably my favorite talks.

Also, I participated in Hack Fortress during Shmoocon.  I played with Pwn State on their hacking team.  It was a really interesting blend of Team Fortress 2 and Capture the Flag.  As players on the hacking team solved challenges, the opposing Team Fortress 2 team would be penalized, possibly by being set on fire for 30 seconds.  As the Team Fortress team had flag captures, the hacking team would be given hints.  After three rounds, our team won the competition.

Overall, it was a great conference.  I was able to meet some extremely intelligent people, attend some great talks, and play in a pretty fun game.  It’s definitely a con I’m going to try to attend again next year.


Stratfor Hack and Password Analysis

UPDATE: The stats below have been updated based on my latest findings as of 2/6/2012. I’ve also posted a video of the talk on Stratfor and a GPU cracking method that I gave at Shmoocon Epilogue.

Ever since CarolinaCon last year, cracking password hashes has become a hobby of mine. When a company needs to store user passwords, the plaintext password is not stored; typically a hash of the password is what is actually stored. Hash cracking is the process of taking a cryptographic hash (MD5, SHA-1, SHA-2, etc.) and using multiple techniques to discover the word that was used to create the hash. Hash cracking has educational value because it lets developers and security architects discover how long it can take an attacker to recover the plaintext password from a hash, and adjust their hashing algorithm accordingly to ensure it is secure. Additionally, hash cracking can be used as a method of auditing the passwords chosen by users to ensure that they meet specific password requirements.

Hash cracking has become significantly easier to perform because the processing required to crack a hash can be offloaded onto a GPU. GPU-based cracking has significantly increased the speed at which hashes can be cracked, whether via mutations of dictionary words or the tried and true brute force method.

So, as I’m sure many of you know, Stratfor (a company which provides independent analysis of world events and trends) was hacked over the winter holiday season. When Stratfor was hacked, the attackers were able to dump a significant portion of its database. Unfortunately, Stratfor followed very few industry best practices when it came to securing customer data. For example, all customer credit card data was stored without being encrypted in any form. This included name, address, credit card number, expiration date, and CVV code. Additionally, the attackers were able to dump other customer information such as full name, e-mail address, username, password, etc.

Since the password hashes were released and made public, I gathered them and began the process of cracking them. I did this not because I had any malicious intentions or plans to harm anyone, but because I think it’s interesting to understand how people choose passwords, and to discover any security lessons that can be uncovered via cracking a group of hashes.

Over a period of several days, I was able to discover a significant number of the passwords that were being used (which I later discarded), and here are some notes:

  • Customers did not want to change the default password that was given to them. It appears that when a customer signs up, Stratfor assigns them an alphanumeric password that is 8 characters long, drawn only from lower case letters, upper case letters, and numerical digits. Probably 70% of Stratfor’s customers did not change this password.
  • Other users did change their passwords; however, they were unfortunately easily discovered. The passwords used were primarily dictionary based with small (if any) mutations applied. For example, someone might have used p@ssword instead of password.
  • Unfortunately, there were users who changed their password from the 8 character alphanumeric password down to a single letter.
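The bullets above describe an 8-character alphanumeric default password and lightly mutated dictionary words; the Pipal output further down quantifies such patterns through length, character-set and hashcat-mask counts, and the eHarmony post above notes that uppercasing passwords before hashing shrinks the brute-force keyspace. As an added example, which is neither pipal’s code nor the author’s, here is a small Python analyzer that computes the same kinds of counts over a constructed password list and adds a keyspace figure per mask. The sample passwords are made up for the example and are not cracked data.

```python
"""Pipal-style statistics over a password list.

Added example; this is neither pipal's code nor the blog author's.  It
reproduces a subset of the categories pipal reports (length, character set,
hashcat mask, digits on the end) and adds a brute-force keyspace figure per
mask.  The password list is constructed for the example, not cracked data."""
from collections import Counter
import string

SAMPLE = ["lisa123", "CHRIS1984", "password", "Summer2010", "123456",
          "Qwerty!1", "usmc", "TINA07", "mama", "P@ssw0rd"]

LOWER, UPPER, DIGIT = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Sizes of hashcat's built-in charsets (?s is the 33 printable ASCII specials).
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def hashcat_mask(pw: str) -> str:
    """Map each character to the hashcat charset it belongs to."""
    out = []
    for ch in pw:
        if ch in LOWER:
            out.append("?l")
        elif ch in UPPER:
            out.append("?u")
        elif ch in DIGIT:
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def charset_class(pw: str) -> str:
    """pipal's character-set label, e.g. loweralphanum or mixedalphaspecial."""
    has_l = any(c in LOWER for c in pw)
    has_u = any(c in UPPER for c in pw)
    has_d = any(c in DIGIT for c in pw)
    has_s = any(c not in LOWER + UPPER + DIGIT for c in pw)
    if has_l and has_u:
        alpha = "mixedalpha"
    elif has_l:
        alpha = "loweralpha"
    elif has_u:
        alpha = "upperalpha"
    else:
        # No letters at all: pipal calls these numeric, special or specialnum.
        return "specialnum" if has_d and has_s else "numeric" if has_d else "special"
    return alpha + ("special" if has_s else "") + ("num" if has_d else "")


def trailing_digits(pw: str) -> int:
    """Number of digits at the end of the password (pipal's 'digits on the end')."""
    n = 0
    for ch in reversed(pw):
        if ch not in DIGIT:
            break
        n += 1
    return n


def keyspace(mask: str) -> int:
    """Candidates a brute-force run of this mask has to try."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CHARSET_SIZE[mask[i:i + 2]]
    return n


def case_folding_gain(mask: str) -> int:
    """Factor by which the keyspace shrinks when a site uppercases (or
    lowercases) passwords before hashing, as the eHarmony post notes: an
    attacker who knows this never has to try both cases, so each letter
    position costs 26 candidates instead of 52."""
    return 2 ** (mask.count("?l") + mask.count("?u"))


def analyse(passwords: list) -> dict:
    """Counters for the pipal categories this example reproduces."""
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "lengths": Counter(len(p) for p in passwords),
        "charsets": Counter(charset_class(p) for p in passwords),
        "masks": Counter(hashcat_mask(p) for p in passwords),
        "trailing_digits": Counter(trailing_digits(p) for p in passwords),
    }


def format_counts(counter: Counter, total: int, top: int = 10) -> list:
    """Render a Counter the way pipal prints it: 'key = n (p%)'."""
    return [f"{k} = {v} ({round(100 * v / total, 2)}%)"
            for k, v in counter.most_common(top)]


if __name__ == "__main__":
    stats = analyse(SAMPLE)
    print(f"Total entries = {stats['total']}")
    print(f"Total unique entries = {stats['unique']}\n")
    for title, key in [("Password length", "lengths"), ("Character sets", "charsets"),
                       ("Hashcat masks", "masks")]:
        print(title)
        print("\n".join(format_counts(stats[key], stats["total"])), end="\n\n")
    for mask, _ in stats["masks"].most_common(3):
        print(f"{mask}: keyspace {keyspace(mask):,} "
              f"({case_folding_gain(mask)}x smaller if case is normalised)")
```

Feeding the mask lists from the Pipal outputs on this page through keyspace() ranks them by brute-force cost, which is the information used to decide which masks are worth running first. case_folding_gain() makes the eHarmony point explicit: every letter position a site case-folds before hashing halves the work an attacker has to do, so normalising case is a password-storage decision that removes entropy and should be avoided.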

After I had cracked a portion of the hashes, I ran a tool called Pipal against the passwords that were found. Pipal is a great tool that analyzes a password list and produces useful statistics, allowing the researcher to spot trends that might be in use. The following excerpts are some statistics found after running Pipal on the passwords I have cracked so far:

Total entries = 815147
Total unique entries = 701257

Top 10 passwords
David = 4 (0.0%)
22 = 4 (0.0%)
bill = 4 (0.0%)
John3 = 4 (0.0%)
Brendan1 = 4 (0.0%)
Patches1 = 4 (0.0%)
Christina = 4 (0.0%)
Romans8 = 3 (0.0%)
Romans1 = 3 (0.0%)
Joseph = 3 (0.0%)

Top 10 base words
stratfor = 347 (0.04%)
strat = 201 (0.02%)
password = 137 (0.02%)
intel = 118 (0.01%)
mike = 116 (0.01%)
alex = 112 (0.01%)
john = 107 (0.01%)
blue = 100 (0.01%)
ranger = 89 (0.01%)
qwerty = 87 (0.01%)

Password length (length ordered)
1 = 51 (0.01%)
2 = 72 (0.01%)
3 = 395 (0.05%)
4 = 4619 (0.57%)
5 = 5943 (0.73%)
6 = 48052 (5.89%)
7 = 35238 (4.32%)
8 = 682603 (83.74%)
9 = 19870 (2.44%)
10 = 10817 (1.33%)
11 = 4172 (0.51%)
12 = 2041 (0.25%)
13 = 648 (0.08%)
14 = 410 (0.05%)
15 = 231 (0.03%)

Password length (count ordered)
8 = 682603 (83.74%)
6 = 48052 (5.89%)
7 = 35238 (4.32%)
9 = 19870 (2.44%)
10 = 10817 (1.33%)
5 = 5943 (0.73%)
4 = 4619 (0.57%)
11 = 4172 (0.51%)
12 = 2041 (0.25%)
13 = 648 (0.08%)
14 = 410 (0.05%)
3 = 395 (0.05%)
15 = 231 (0.03%)
2 = 72 (0.01%)
1 = 51 (0.01%)

        |
        |
        |
        |
        |
        |
        |
        |
        |
        |
        |
        |
        |
        |
      | |
||||||||||||||||
0000000000111111
0123456789012345

One to six characters = 59126 (7.25%)
One to eight characters = 776965 (95.32%)
More than eight characters = 38182 (4.68%)

Only lowercase alpha = 59099 (7.25%)
Only uppercase alpha = 2119 (0.26%)
Only alpha = 61218 (7.51%)
Only numeric = 14019 (1.72%)

First capital last symbol = 3162 (0.39%)
First capital last number = 53073 (6.51%)

Months
january = 23 (0.0%)
february = 4 (0.0%)
march = 69 (0.01%)
april = 80 (0.01%)
may = 401 (0.05%)
june = 107 (0.01%)
july = 91 (0.01%)
august = 56 (0.01%)
september = 15 (0.0%)
october = 30 (0.0%)
november = 17 (0.0%)
december = 22 (0.0%)

Days
monday = 24 (0.0%)
tuesday = 5 (0.0%)
wednesday = 4 (0.0%)
thursday = 2 (0.0%)
friday = 33 (0.0%)
saturday = 4 (0.0%)
sunday = 13 (0.0%)

Months (Abreviated)
jan = 613 (0.08%)
feb = 204 (0.03%)
mar = 2291 (0.28%)
apr = 327 (0.04%)
may = 401 (0.05%)
jun = 426 (0.05%)
jul = 362 (0.04%)
aug = 314 (0.04%)
sept = 63 (0.01%)
oct = 243 (0.03%)
nov = 273 (0.03%)
dec = 323 (0.04%)

Days (Abreviated)
mon = 1125 (0.14%)
tues = 6 (0.0%)
wed = 233 (0.03%)
thurs = 8 (0.0%)
fri = 328 (0.04%)
sat = 354 (0.04%)
sun = 518 (0.06%)

Includes years
1975 = 122 (0.01%)
1976 = 105 (0.01%)
1977 = 106 (0.01%)
1978 = 105 (0.01%)
1979 = 88 (0.01%)
1980 = 106 (0.01%)
1981 = 127 (0.02%)
1982 = 131 (0.02%)
1983 = 111 (0.01%)
1984 = 153 (0.02%)
1985 = 129 (0.02%)
1986 = 102 (0.01%)
1987 = 96 (0.01%)
1988 = 113 (0.01%)
1989 = 75 (0.01%)
1990 = 90 (0.01%)
1991 = 77 (0.01%)
1992 = 68 (0.01%)
1993 = 55 (0.01%)
1994 = 39 (0.0%)
1995 = 72 (0.01%)
1996 = 60 (0.01%)
1997 = 69 (0.01%)
1998 = 62 (0.01%)
1999 = 89 (0.01%)
2000 = 368 (0.05%)
2001 = 219 (0.03%)
2002 = 150 (0.02%)
2003 = 140 (0.02%)
2004 = 166 (0.02%)
2005 = 207 (0.03%)
2006 = 199 (0.02%)
2007 = 197 (0.02%)
2008 = 234 (0.03%)
2009 = 343 (0.04%)
2010 = 464 (0.06%)
2011 = 336 (0.04%)
2012 = 67 (0.01%)
2013 = 17 (0.0%)
2014 = 20 (0.0%)
2015 = 13 (0.0%)
2016 = 23 (0.0%)
2017 = 16 (0.0%)
2018 = 10 (0.0%)
2019 = 23 (0.0%)
2020 = 70 (0.01%)

Years (Top 10)
2010 = 464 (0.06%)
2000 = 368 (0.05%)
2009 = 343 (0.04%)
2011 = 336 (0.04%)
2008 = 234 (0.03%)
2001 = 219 (0.03%)
2005 = 207 (0.03%)
2006 = 199 (0.02%)
2007 = 197 (0.02%)
2004 = 166 (0.02%)

Single digit on the end = 94421 (11.58%)
Two digits on the end = 39271 (4.82%)
Three digits on the end = 12636 (1.55%)

Last number
0 = 9243 (1.13%)
1 = 23350 (2.86%)
2 = 21082 (2.59%)
3 = 21283 (2.61%)
4 = 17841 (2.19%)
5 = 18162 (2.23%)
6 = 17410 (2.14%)
7 = 18677 (2.29%)
8 = 17503 (2.15%)
9 = 18617 (2.28%)

 |
 |||
 |||
 ||||| | |
 |||||||||
 |||||||||
 |||||||||
 |||||||||
 |||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789

Last digit
1 = 23350 (2.86%)
3 = 21283 (2.61%)
2 = 21082 (2.59%)
7 = 18677 (2.29%)
9 = 18617 (2.28%)
5 = 18162 (2.23%)
4 = 17841 (2.19%)
8 = 17503 (2.15%)
6 = 17410 (2.14%)
0 = 9243 (1.13%)

Last 2 digits (Top 10)
23 = 3833 (0.47%)
11 = 3086 (0.38%)
01 = 3064 (0.38%)
12 = 2413 (0.3%)
00 = 2371 (0.29%)
10 = 1859 (0.23%)
99 = 1802 (0.22%)
77 = 1540 (0.19%)
22 = 1478 (0.18%)
34 = 1400 (0.17%)

Last 3 digits (Top 10)
123 = 2798 (0.34%)
000 = 753 (0.09%)
234 = 748 (0.09%)
007 = 612 (0.08%)
111 = 573 (0.07%)
001 = 532 (0.07%)
010 = 461 (0.06%)
777 = 404 (0.05%)
009 = 358 (0.04%)
999 = 332 (0.04%)

Last 4 digits (Top 10)
1234 = 669 (0.08%)
2010 = 366 (0.04%)
2000 = 323 (0.04%)
2009 = 305 (0.04%)
2011 = 257 (0.03%)
2008 = 196 (0.02%)
2001 = 181 (0.02%)
2345 = 179 (0.02%)
2005 = 173 (0.02%)
2006 = 172 (0.02%)

Last 5 digits (Top 10)
12345 = 162 (0.02%)
23456 = 84 (0.01%)
54321 = 37 (0.0%)
00000 = 31 (0.0%)
11111 = 26 (0.0%)
99999 = 17 (0.0%)
77777 = 16 (0.0%)
33333 = 16 (0.0%)
45678 = 15 (0.0%)
20000 = 14 (0.0%)

Character sets
mixedalphanum: 438261 (53.76%)
mixedalpha: 192042 (23.56%)
loweralphanum: 90324 (11.08%)
loweralpha: 59099 (7.25%)
numeric: 14019 (1.72%)
upperalphanum: 9986 (1.23%)
mixedalphaspecialnum: 6362 (0.78%)
upperalpha: 2119 (0.26%)
loweralphaspecialnum: 1427 (0.18%)
loweralphaspecial: 947 (0.12%)
mixedalphaspecial: 265 (0.03%)
specialnum: 116 (0.01%)
upperalphaspecialnum: 50 (0.01%)
special: 24 (0.0%)
upperalphaspecial: 22 (0.0%)

Character set ordering
allstring: 253260 (31.07%)
stringdigitstring: 221613 (27.19%)
othermask: 156529 (19.2%)
stringdigit: 112163 (13.76%)
digitstring: 45284 (5.56%)
alldigit: 14019 (1.72%)
digitstringdigit: 9106 (1.12%)
stringspecialdigit: 2254 (0.28%)
stringspecial: 440 (0.05%)
stringspecialstring: 329 (0.04%)
specialstring: 80 (0.01%)
specialstringspecial: 46 (0.01%)
allspecial: 24 (0.0%)

Hashcat masks (Top 10)
?l?l?l?l?l?l: 18062 (2.22%)
?l?l?l?l?l?l?l?l: 14903 (1.83%)
?l?l?l?l?l?l?l: 10863 (1.33%)
?l?l?l?l?l?l?d?d: 9241 (1.13%)
?d?d?d?d?d?d: 6106 (0.75%)
?l?l?l?l?d?d?d?d: 5063 (0.62%)
?l?l?l?l?l?l?l?l?l: 5063 (0.62%)
?l?l?l?l?l?l?l?d: 4549 (0.56%)
?l?l?l?l?l?d?d: 3868 (0.47%)
?l?l?l?l?l?d: 3846 (0.47%)
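To show how statistics like the ones above are produced, here is an added Pipal-style analyzer written for this page; it is not Pipal's own code and not data from the dump discussed in the post. It computes a few of the same categories (totals, length distribution, Pipal's character-set names, hashcat masks, trailing digits) and adds a heuristic count for the "unchanged 8-character alphanumeric default" pattern the post describes. The input list, the base-word rule (strip leading and trailing non-letters) and the default-password heuristic are all constructed assumptions for the example; the same code can be pointed at a real cracked list or at a password-policy audit file to see whether assigned defaults are being kept.

```python
"""
Added example (not Pipal's code): a small Pipal-style password-list analyzer.
Input is a constructed sample list, not data from the dump discussed in the post.
"""
from collections import Counter
import re
import string

# Constructed sample input; the duplicate is deliberate so "unique" differs from "total".
SAMPLE_PASSWORDS = [
    "Ab3kT9xQ", "Ab3kT9xQ", "password", "p@ssword", "a",
    "stratfor1", "Brendan1", "123456", "Romans8", "blue2010",
    "QWERTY", "Mike1984", "ranger23", "John3", "intel",
]

ALNUM = string.ascii_letters + string.digits


def hashcat_mask(pw: str) -> str:
    """Map each character to a hashcat charset token (?l ?u ?d ?s)."""
    tokens = []
    for ch in pw:
        if ch in string.ascii_lowercase:
            tokens.append("?l")
        elif ch in string.ascii_uppercase:
            tokens.append("?u")
        elif ch in string.digits:
            tokens.append("?d")
        else:
            tokens.append("?s")
    return "".join(tokens)


def charset(pw: str) -> str:
    """Classify a non-empty password with Pipal-style names (mixedalphanum, loweralpha, numeric, ...)."""
    has_l = any(c in string.ascii_lowercase for c in pw)
    has_u = any(c in string.ascii_uppercase for c in pw)
    has_d = any(c in string.digits for c in pw)
    has_s = any(c not in ALNUM for c in pw)
    if has_l and has_u:
        alpha = "mixedalpha"
    elif has_l:
        alpha = "loweralpha"
    elif has_u:
        alpha = "upperalpha"
    else:
        # No letters at all: digits only, symbols only, or a mix of the two.
        return "numeric" if has_d and not has_s else "special" if has_s and not has_d else "specialnum"
    return alpha + ("special" if has_s else "") + ("num" if has_d else "")


def base_word(pw: str) -> str:
    """Rough base word: lowercase, then strip leading/trailing digits and symbols.
    This is an approximation chosen for the example, not Pipal's exact rule."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def trailing_digits(pw: str) -> str:
    """The run of digits at the end of the password, or '' if it ends in a non-digit."""
    m = re.search(r"\d+$", pw)
    return m.group(0) if m else ""


def looks_like_assigned_default(pw: str) -> bool:
    """Heuristic for the assigned-default shape the post describes: exactly 8 alphanumeric characters."""
    return re.fullmatch(r"[A-Za-z0-9]{8}", pw) is not None


def analyze(passwords):
    """Return a dict of Pipal-like statistics over the list (empty entries are ignored)."""
    pws = [p for p in passwords if p]
    tails = [trailing_digits(p) for p in pws]
    return {
        "total": len(pws),
        "unique": len(set(pws)),
        "top_passwords": Counter(pws).most_common(10),
        "top_base_words": Counter(b for b in map(base_word, pws) if b).most_common(10),
        "lengths": dict(sorted(Counter(len(p) for p in pws).items())),
        "charsets": Counter(map(charset, pws)),
        "masks": Counter(map(hashcat_mask, pws)).most_common(10),
        "trailing_digit_runs": Counter(len(t) for t in tails if t),  # 1 = single digit on the end, etc.
        "last_digit": Counter(t[-1] for t in tails if t),
        "assigned_default_shaped": sum(looks_like_assigned_default(p) for p in pws),
    }


def fmt(label, count, total):
    """Pipal's 'label = count (pct%)' line format."""
    return f"{label} = {count} ({100 * count / total:.2f}%)"


if __name__ == "__main__":
    stats = analyze(SAMPLE_PASSWORDS)
    n = stats["total"]
    print(f"Total entries = {n}")
    print(f"Total unique entries = {stats['unique']}")
    print("\nPassword length (length ordered)")
    for length, count in stats["lengths"].items():
        print(fmt(length, count, n))
    print("\nCharacter sets")
    for name, count in stats["charsets"].most_common():
        print(fmt(name, count, n))
    print("\nHashcat masks (Top 10)")
    for mask, count in stats["masks"]:
        print(fmt(mask, count, n))
    print("\n" + fmt("Unchanged 8-char alphanumeric default (heuristic)", stats["assigned_default_shaped"], n))
```

The default-password heuristic is deliberately loose: any 8-character alphanumeric string matches it, so on a real list it over-counts, but a high ratio against the length-8 bucket is exactly the signal a defender would want when deciding whether to force a change of assigned passwords at first login.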

Newly OSWP Certified! My Exam Thoughts

Well, I am happy to report that the results of my OSWP exam came in and I was successful in passing the exam!

This was probably one of the most fun certifications that I have had a chance to study for.  I already knew a good amount about breaking into wireless networks, but I did not know all of the techniques, and that was exactly why I wanted to take the course.

Both the videos and the large PDF provided go into detail describing the different attacks and the different scenarios you could face.  After working my way through all of the videos and the PDF, I felt up to the challenge of taking the exam.

About 15 minutes before my exam, I received an e-mail with the login instructions and the instructions for the exam itself.  It was pretty much exactly what I had expected.  Oddly enough, I was fairly nervous once I logged into the system.  In retrospect, I have no idea why because I really knew all the material, and I’ve performed the same attacks on my own many times.  Maybe it was just because I felt I already knew it all, that if I couldn’t pass, I really would have felt pretty ridiculous.

I also can’t say enough good things about this exam format.  Sure, learning theory and answering test questions is a tried and true method of learning material.  However, I don’t think much else can demonstrate truly knowing the material other than actually performing what was learned.  All Offensive Security certifications are based on forcing you to demonstrate your knowledge.  Not only does it make you prove your knowledge, it also makes the whole thing a lot more enjoyable.

Anyway, the exam was a good representation of the material covered during the course itself, and I would certainly recommend this course to others interested in learning about wireless security.  If anyone has any questions about the certification, feel free to ask.

Next on my list, OSCP!

OSWP – Offensive Security Wireless Professional Progress

About a month ago I signed up for Offensive Security’s Offensive Security Wireless Professional (OSWP) certification.  I’ve had a decent amount of experience hacking both WEP and WPA wireless networks; however, I knew that I did not know it all, and I wanted to get into something like the OSWP to fill in the gaps.  After registering for the course, I am happy to say that the OSWP certainly did provide that.

Once registered, candidates receive access to a large PDF and a number of Flash-based training videos that explain all of the background information and provide demonstration-based training for the attacks you’re expected to perform.  I really enjoyed it because the OSWP goes in depth on all of the attacks one can carry out with the aircrack-ng suite, and it provided training on attacks I had never (had to) perform before.  Beyond the attacks, the training materials provide an extensive technical background that clearly explains the theory behind wireless security and the attacks.

I’m registered to take the test in a few weeks, so I’m looking forward to putting everything I’ve gained to the test.  I’ll be sure to post once I know how everything went.