Sunday, April 1, 2012

Your MD5 is wrong

This is an annoying display of ignorance on the part of many people at certain conferences. They will enter a contest and often the answer must be submitted in the form of an MD5 hash. So they will solve the puzzle and the secret key that gives them points will be "kittens". They need the MD5 of the string "kittens", so they run the following:

echo 'kittens' | md5sum
f261adc7c891836ecc58c62fb80c6e34

They submit that hash to the scoring engine and it says INCORRECT, TRY AGAIN. "Well wtf... let's check our answer again." *1 minute later* "Yeah, it's definitely right, their scoring engine must be broken or something."

I've heard that muttered all too often at contests and it makes me cringe. Here is what went wrong: the scoring engine is working perfectly fine, you just don't understand how echo works. It helps if we look at things with our hexray vision.

echo 'kittens' | xxd -p
6b697474656e730a

You see that? What's that last character? '0a'. If you look up what '0a' means in the ASCII table (man ascii), you will see that it represents the new line. echo, BY DEFAULT, appends a new line to whatever string you wrote. That, folks, is what fucked up your hash.

echo -n 'kittens' | xxd -p
6b697474656e73

Now the 0a is gone. Pipe your new echo command into md5sum and you have the correct hash the scoring engine was expecting.

You could avoid the whole issue entirely if you used printf instead of echo, since printf adds nothing you didn't ask for. To visualize this:

printf kittens | md5sum
84169a8d5b3289e8ece00d7735081b53  -

echo kittens | md5sum
f261adc7c891836ecc58c62fb80c6e34  -

echo -n kittens | md5sum
84169a8d5b3289e8ece00d7735081b53  -

Just an FYI: apparently the BSD 'md5' utility has a -s flag for a string argument that does it all in one go:

md5 -s kittens
MD5 ("kittens") = 84169a8d5b3289e8ece00d7735081b53
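To make the trap above easy to check from a script, here is a small POSIX sh example (added here, not from the original post) that hashes a string both ways and dumps the bytes actually fed to the digest. It uses printf '%s' rather than echo -n because POSIX leaves echo -n implementation-defined (some sh builds print a literal -n), and the '%s' format also stops a string that starts with - or contains % from being read as format text. The md5_hex helper falls back from GNU md5sum to BSD md5 to openssl so it runs on Linux and BSD/macOS alike; the function names are my own.

```shell
#!/bin/sh
# Prints the MD5 of stdin as 32 hex characters, using whichever digest tool is
# installed (GNU md5sum, BSD md5, or openssl as a last resort).
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | cut -d' ' -f1
  elif command -v md5 >/dev/null 2>&1; then
    md5 -q
  else
    openssl dgst -md5 | sed 's/^.*= //'
  fi
}

# MD5 of exactly the bytes of $1: printf '%s' writes no trailing newline.
md5_exact() { printf '%s' "$1" | md5_hex; }

# MD5 of $1 followed by a newline, i.e. what a plain `echo "$1" | md5sum` hashes.
md5_with_newline() { printf '%s\n' "$1" | md5_hex; }

# Hex dump of the bytes $1 expands to, so a stray 0a would be visible.
hex_bytes() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }

# Shows the bytes and both hashes side by side for one string.
show() {
  printf 'bytes of %s:         %s\n' "$1" "$(hex_bytes "$1")"
  printf 'md5 without newline: %s\n' "$(md5_exact "$1")"
  printf 'md5 with newline:    %s\n' "$(md5_with_newline "$1")"
}

show kittens
```

Run it and the "without newline" line is the hash a scoring engine expects for the bare string; the "with newline" line is the one a plain echo would have produced.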
Bad Passwords and Password Complexity

I've heard this time and time again: "We are ok, we require password complexity". lulz, are you serious? I'm not even going to get into how bad Windows "password complexity" or the rest of its policies are. I'm just going to remind people of this one simple truth:

Password policies only apply on new passwords.

Which means that if you had accounts before you enabled the policies, you may still be at risk from accounts whose password is "password", or the same as the username, or other really retarded "it would never happen to me" passwords.

This is the exact reason why I STILL find weak passwords in environments where password complexity is on and the minimum password length is something like 20. jimbob's password is still jimbob, because he created that password before the policies were enacted.

Solutions?

Well, you could set every person's password to require a change on next login, and then set the password change interval to every 30 days. But that's not enough. You can force every user to reset their password on login, but accounts that are not being actively used never reach that login, so the old weak password stays valid, and the first person to log in with it, quite possibly an attacker who guessed it, is the one who gets asked to set the new password.

What I would do is this:

1. Temporarily turn off the account lockout threshold on the domain.
2. Get a list of every user on every domain.
3. Use metasploit or medusa to try a decently sized dictionary file against all the users.
4. Make a note of all the users with weak passwords and either disable that account or change the password yourself.
5. Re-enable the lockout threshold to something reasonable, like 3 or 4.
6. Make sure password complexity is on.
7. Make sure minimum password length is on; I would make it 15 to kill all chances of LM hashes being stored.
8. Disable LM hashes ery'where.
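The list above is the offensive way to flush out the stale accounts. The defender-side shortcut, following the post's own point that policies only apply to new passwords, is to look at when each password was last set. Here is an added POSIX sh example (not from the original post) that works over a constructed export of the domain's users. It assumes the export has four comma-separated fields per account: account name, date the password was last set, last logon date, and an enabled flag, with dates as YYYY-MM-DD; that layout, the sample accounts and the function names are all my own. Accounts whose password predates the day the policy was switched on get flagged for a forced change at next logon; the dormant ones get flagged for disabling instead, because a forced change never fires for an account nobody logs into.

```shell
#!/bin/sh
# Constructed sample export, one account per line:
# samAccountName,PasswordLastSet(YYYY-MM-DD),LastLogon(YYYY-MM-DD),Enabled
SAMPLE_EXPORT='jimbob,2009-03-14,2012-03-30,true
alice,2011-11-02,2012-03-31,true
svc_backup,2008-06-01,2010-01-15,true
carol,2012-02-20,2012-03-29,true
olduser,2007-01-01,2008-05-05,false'

# Reads the export on stdin and prints enabled accounts whose password was last
# set before $1 (the date the complexity/length policy was enabled).
# ISO dates compare correctly as plain strings, so awk's < is enough.
stale_passwords() {
  awk -F, -v policy="$1" '$4 == "true" && $2 < policy { print $1 }'
}

# Reads the export on stdin and prints enabled accounts with no logon since $1.
# A "change at next logon" flag never triggers for these, so they need to be
# disabled (or have the password set by an admin) rather than left to the user.
dormant_accounts() {
  awk -F, -v cutoff="$1" '$4 == "true" && $3 < cutoff { print $1 }'
}

# Combines both checks into one action per enabled account:
#   $1 = policy enactment date, $2 = dormancy cutoff date.
plan_actions() {
  awk -F, -v policy="$1" -v cutoff="$2" '
    $4 != "true" { next }
    $3 < cutoff && $2 < policy { print $1 ": disable (dormant, pre-policy password)"; next }
    $2 < policy                { print $1 ": force password change at next logon"; next }
                               { print $1 ": ok" }'
}

# Policy went live 2011-06-01; anything idle since 2011-10-01 counts as dormant.
printf '%s\n' "$SAMPLE_EXPORT" | plan_actions 2011-06-01 2011-10-01
```

Feed it a real export in the same shape (for example one dumped with the account's last password set and last logon dates) and the output is the to-do list for steps 4 and 5: which accounts to reset and which to disable before you turn the lockout threshold back on.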

You also want to make sure to write up a basic "don't be an idiot with your passwords" email to distribute. Make it humorous so that it's memorable; this way, when someone is breaking the policy, it will be funny for their coworkers to belittle them. Make the minions do your policing for you.

Some simple "Human Password Policies":
1. Never write down your password anywhere; that's what your brain is for.
2. Never give out your password to anyone. You don't give out your safe combination to anyone, do you?
3. You no longer have a pass-"word", you have a pass-"phrase": make it a sentence, a lyric, something funny only you will remember.
4. Like your wife said, the longer the better.