 Good afternoon. Thank you for skipping your lunch coming here. So yeah, buying time, what is your data worth? This is a approach to distributed password brute forcing, along with some statistical analysis and an approach to giving a real dollar value to your password based on brute force attacking done in a cloud on the internet environment and the cost that is involved in that. I'm a member of Chaos Theory and a proud DC-404 member. This is our fourth out of seven talks here at DEF CON this year. So we're going to go ahead and assume that we've taken over the con and we're the largest local DEF CON community group here. At this point, maybe the only. With DC-404, just for a few minutes in case anybody's heard of it, I've worked on AnonimoS and SAMIL. And if anybody is into the depths of the internet, I was also one of the primary contributors to Group hug. So what is this distributed password cracking? It's a scalable password cracking solution that will go across multiple machines and at the same time on each machine, it's a multi-threaded solution. So instead of the majority of the password cracking tools that exist now utilizing a single-corner system with dual and quad-core systems becoming more prevalent, this will actually utilize 100% of the processing power in the box, which gives an order of magnitude in and of itself and password cracking. Yeah, there we go. All right, sounds loud enough up here. So in addition to that, it comes with its own level of pretty great level of flexibility along with some simplicity. It really can take as an input just about anything you want to feed to it. Some existing inputs that are going to come with the tool as it's released. Obviously, you can send it a brute force string, a brute force attacks and then a start and a stop string and an alphabet to run through. It can run through a word list of rainbow table or hash table and it can also spit out its own output. So in addition to providing an answer, it can provide a rainbow table as output, do some pre-computing as well. It's visual aid for how it works. So basically, when you feed it the input, you're going to feed it a brute force attack, a dictionary rainbow table and it's going to take that as a single large key space or crypt space and break it into smaller chunks. Those smaller chunks will get sent out across the different servers and then each server will take that chunk of its own, break itself into smaller chunks and send those out to the individual threads on the system. Then the thread will take the chunk and actually process each individual word at a time and then spit back and ask for another chunk. And that will all roll back up. So if a server finishes its chunk and there's more available, it will come out, request a second chunk and just process through the whole thing by splitting it up into smaller pieces instead of trying to attack it just one word at a time. So again, just a quick review on the technology just in case people aren't extremely familiar with password cracking you've got your different algorithms, your MD5 which is the free BSD and the more common Unix-based password hashing, NTLM on the window side of the fence, SHA which is what WPA2 uses or the CalPATI2 uses. Those, of course, will come with their own different speeds that they can run at. In addition, you can feed it, of course, a brute force dictionary rainbow tables which is exactly what your rainbow tables look like right here. And also one of the things that you run into when you're trying to brute force or crack a password are the different tools or utilities that people put in place to make it more difficult. Salt being the one that's most applicable for this tool largely designed to prevent you from being able to do a Rambo table or a hash-based attack which is, again, one of the reasons why this tool helps reinvigorate the attack when a Rambo table isn't a solution because of a salt like on an MD5 password, you're left with having to try each password again and you're left back to that problem of time. If this tool were to be used, which it could, and it approached somewhere to the Hydra tool so that you could do a remote attack on an actual service, again, you've got a prevention mechanism there of limited number of retries and also the actual availability of the system to handle X number of connections per second. Distributed computing, the approach here, particularly for password cracking is considered embarrassingly parallel because it's extremely easy to, at least in theory, divide the attack up into smaller chunks like I described in the last slide and send it out across all the servers. Distributed.net did this forever ago. Their approach was largely aimed at cryptography itself, not password cracking, which is really a whole nother ball of wax because one of the issues you run into there is the key space is so large, so much larger than a password, the numbers are quite, it takes quite a bit longer, this may help, but it still takes years as Distributed.net has shown to actually effectively attack a cryptography-based hash such as public-private key or anything like that. Other tools that are similar to this, Dijon is John in the Distributed format. It's not as easy to use as this, but it's one approach. John, through its ability to add functions to it, someone has written a parallel function that you can use to make it at least run parallel on the same machine and maybe, through some creativity, get it to run across separate machines. And AccessData has a commercial product called DNA that appears to be very similar to this approach, but it's not GPL. You know what? If I don't put it there, there you go. All right. So what is it? There's two pieces to this tool, and the first piece is actually written in C, obviously for speed reasons, and that is the multi-threaded side of it for breaking it down on one system across all the cores on a server. It was designed to be as simple as possible, so it takes a single function to crack a single password and then return a true-false result or optionally fill a buffer that was passed to it with the resulting hash in the instance in which you're actually producing hashes and not cracking a password. So I don't know if anyone's tried to poke around in John's source code where you can actually add new password hashing methodologies or anything else, but it's far simpler than anything else I was able to find in the sense that it doesn't have a library or a list of 12 different functions with different states to apply to actually crack the password. You write one simple function to do one password, and it does the rest, and we'll send it across all the servers and everything else for you. Additionally, it's an asynchronous, interuptable process. So you start the attack, it returns immediately, and you feed it a callback function, so it will return when it's done. You still get your status, you can, at your own will, report on the status of the attack as it's going on an individual level, and obviously that was pretty important to be able to get it to run across multiple servers and then send the data back. So that's another nice benefit of this particular C library. And then again, it's very easy to take the output of the using the C framework and turn it into the Python distributed attack module. So really what's inside, basically what's inside this lib attack tarball is an entire environment for you to build easily a single multi-threaded attack, like command line program. It comes with all of the lib tool and make and configure setup inside of it. You just drop your code in, run a configure make, make install, and you're done. And then with just a little bit of glue, it actually will turn around into the next step of the attack from making it distributed. Breaking out of the detail on the lib attack thread, there's the primary structure which is called attack ST. This is the attack structure that you build when you want your attack. You're primarily filling it with your reader and your writer, which are the file structures that you use to send, okay, what's my list of words? What's my list of hashes? And then if you're actually going to want to write this back out, what am I writing it to? What's the file I'm going to write the output to? All of this, even the writing out of hashes can still be easily distributed across all the different servers. And you set it to null if you don't want to write out, or if you wanted to write out, you just pass it a file structure. Both the file in and file out file structures are the same structure type, which is on the next slide. Next, the other important thing that you'll need to feed this, everything from Sunder is essentially private or internal data used by the attack itself. Nothing you need to fill, but in addition to filling in file and file out, you'll give it the actual function that it's using to cracking the one that takes one word and returns the result. And then the number of threads you want it to run on and your callback function. Nice. Alright, I'm moving on. We'll just burn. So this is the file structure that you'll prepare that you'll send to it. There are initialization functions inside. Thank you for making me talk louder since that's exactly what this is designed for. There are initialization functions inside the library that come with the different reader and writer modules that you can plug in. But this was designed somewhat similar to the GTKC object oriented approach where you've got a couple of pieces of data and then you've got a series of methods that are referenced inside the actual file structure itself. So you'll pass it the path of the file. For instance if you're opening a file, you can also pass it when you're building your own reader or writer. You can pass it a pointer to your own data to use. For instance, on a file reader you can pass it the file pointer itself. On a brute force attack you use the pointer to store the start and end string. Things like that. There are four functions that the LibAttack thread will call on any particular reader or writer. It'll open it. It'll ask for the next block which on a reader would be the next block of words to read. And on a writer that's going to be the next block to write data out to that'll get essentially like a right buffer that'll get flushed out to the file. Free is called every time a block is completed so you have to manage your own memory inside of the file structures. If you allocate a block it's possible for deallocating it when you're done and the free function will be called for every block to assist you in that. And then when the attack is done it closes the file structure. And that's essentially the entire no, that's essentially the entire attack structure. You've got your attack ST and your two different files. You read in and you read out. You write out. Once you've built your structure there's three different methods you use to manage the attack. One to start it, one to stop it and one to check it. Since it's a synchronous once you've started it, whether it's through a signal interrupt or your own decision, you can stop the attack at any time. It clears out any unprocessed words and will stop the attack after finishing any blocks that are currently going on. So generally it'll stop it just about immediately in a few hundred milliseconds the attack will shut down. Checking will just return the current status of the attack, the number of records that it's tried so far and the total number of records. This function obviously is only going to return the attack running on the current system or in the current environment. So on a multi-threaded attack this is something that on a distributed attack this is something that has to be aggregated and is what's handled by Medusa. So here's a complete attack function after all of that. The entire function is quite a bit simpler again than other approaches. It's passed a word the size of the word. If it's going to need to write out it's passed the buffer for writing out to and the size of that buffer. You set up the void data. The data pointer is your own pointer that you have access to if you need to use which you know this is generally where you're going to store the hash that you're trying to find the answer for. For example with CalPATI it stores all the different fields of data that are extracted out of the packet dump with an MD5 hash cracking attempt. It's got two values that's going to store the salt and the actual crypt text. Load that up out of the data pointer pass it over to a function to actually produce the resulting hash and then compare your results. There's two different return values that this function can return. Either it's an invalid word that can't be checked if it found the answer or it didn't find the answer. So again simplicity was the goal here to try to build something that could be easily take on additional brute forcing password cracking attempts. This is actually the building of a hashing function so instead of like the first one that was actually trying to crack a password this is a function that is going to produce a hash file. Now in this particular hash function I chose in part because it's so simple this one is actually just copying the input word into the output buffer. It's not actually producing any type of hash. To produce a hash you know the only extra line that you would add that the two that I had for producing hashes didn't quite fit well on the screen but the additional line you actually produce the hash and write it back out. Where this particular function is used is actually taking a list of words and turning it into a lib attack thread dictionary. Obviously the only difference here that you can see is that the word is the same but what it does is it nullpads it to a fixed size so the dictionary that lib attack thread prefers to use is a fixed size set of words so that you can the reason that was critical was when you're doing a distributed attack and you're passing the same dictionary out to hundreds of different computers it's very likely that you will take out of one dictionary have multiple clients use different pieces of it so by making the dictionary words fixed length it's very easy to give out chunks of that dictionary to different clients. Basically a rainbow table that would look the same the majority of the rainbow tables I looked at I've seen so far have all been fixed widths on each chunk of each hash that it's using so this is basically the same thing except instead of it being a hash it's just a word it needs to be checked but again you can see here that building a function that produces rainbow tables is also very simple you just take in the word produce the result send it back to the output buffer lib attack thread takes care of the responsibility of taking each individual hash aggregating it together into a larger buffer and then sending that back to another thread that actually writes all the data out into the resulting file for you so now we've got different we've got an attack function it's been rolled up into now it needs to be rolled up into the actual library that you can use to send out to a distributed attack this is an example of a library function that can be used for exactly that purpose. Now the initialization of the library is a two-step process first you initialize your readers into writers file structures that actually will be bringing in the words or writing the words back out and then you initialize the actual attack passing it those readers and writers passing it your function that you're using the number of threads and all the other details the check stop and attack don't need to be customized or modified for each and every attack you just basically need to initialize your attack and then the rest of the library works as is as you can see here it's just as important to make an initialization function you also need to make something to clean your mess up when you're done so there's really two functions in your library for every different type of attack that you want to build. So because it comes with auto make auto configure and lib tool preset up in this environment adding a new attack to the environment and making it so that you can do all the fancy configure make install it's pretty simple it's basically three lines you need to specify the name of the library you need to specify the source files that you're using for the library and if there's any additional libraries you need to link in then you specify those but that's that's all there is to it so most of the mess here is also is also taking care of and producing an attack library. Here's an example of actually running the attack inside of say command line executable once you've got your initialization methods put together and you've got your resulting C library that you're going to load into your program you basically initialize your data structure now here's an example of a cow patty data initialization you can see that there's several different variables that are required to compare the hash against what was pulled off the wire so you'll fill up your cow patty data structure with what you want to attack you'll fill up your dictionary attack structure with a dictionary file the actual function that's going to be used to run the attack word by word and then the number of threads and the callback when it's done then you start the attack and it's going to return immediately and the attack against going to run in a separate thread so now you're free to do whatever you want in this particular instance I'm just looping waiting for the attack to finish every five seconds and spitting out the current number of records that have been processed so it's really fairly similar this current approach is fairly similar to what cow patty currently does the main difference being that instead of spinning out each thousandth word and the time involved it's every five seconds just spits out how many words it has been computed one of the side effects to running a multi-threaded attack is in some examples where they'll show you the last password that was tried it's fairly difficult to determine what the last password that was attacked was as a part of output of the user because it's running three four five however many threads you've got going at once different simultaneous attacks so instead useful output is the number of passwords tried per second and the total percentage of the key space that's been exhausted, things like that then when you're done you run the destroy function and the callback will get called for you even if you stop the attack prematurely the callback will still get called so you can get your output in any errors that came from the callback so there we go it's very easy to stop signal handling can often be frustrating when dealing with just about anything that you have to write and see with here's a very simple example of a one function call to actually stop your attack storing the attack structure globally inside of the executable and then just calling stop attack on it is all you need to do you can put this on all of your signal handles and at any point in time the attack will stop the binary will close up and everything cleans itself up nicely then again just like building the library was fairly simplistic making it so that you can utilize the existing framework for building the actual executable is just as simple again you really only need three lines the name of the output executable file the name of a list of all of your source files that are needed to compile it and a list of any special libraries that need to be linked into the executable all the libraries that are required by the attack function itself pthread for the threading or anything else for the attack function will actually already be linked in to the library so you really need to specify anything additional for instance with cowpatty it needs access to the pcap so that it can pull apart the data capture and get the variables out of it so that's really the only thing you have to link in in this particular case just a quick recap again you're going to build and attack structure that's primarily filled with where you want to read your word or hash list from and where you want to output your data if you're going to do a rainbow or hash table you need to build your also specify the function that's going to be used individually for attacking each word and then the number of threads and a callback function inside of that initialization and destruction methods inside of your library are the two things that you have to define there but all together you're looking at writing three functions both all of which should be easily less than 100 lines apiece and you've got a multi-threaded distributed command line attack beast so next step now one machine's nice taking cowpatty for as an example from 90 or 100 passwords per second to for 800 passwords per second or in one particular instance I was able to get it to run at almost 1900 passwords per second on one system is nice but you're still limited to one box and you're still limited most likely to a box that you have so the next step is running that out across as many machines as you can rent, buy, steal, store or in fact that is where Medusa comes into play a web-based framework that will load up an attack library module and then send it out across multiple clients that have linked into it it's written in Python which is where the name Medusa comes from and it operates on a client server protocol so you've got one server that distributes the attack out to as many clients as you link up to it it's one level deep, it's not multiple levels and it doesn't do P2P but it's still very effective and with this type of approach it reflects the type of control that you're probably going to want in the sense that you're going to want to make sure that the systems that are linked into you are systems that you trust because if it's not a system that you trust and it's cracking passwords, it could be returning bad data it'll automatically load up the attack modules basically what you do is you drop the library module into a directory and it searches in that directory and pulls everything into it it loads those up, it drops it into a web interface for you to fill in all your initialization data and then runs the attack for you so there's a little bit of glue that has to be stuck in between the C library and the Python module that actually gets loaded up and basically what you're doing here is you're telling the web framework what it is that it's being fed at the very top of the file you specify the name of the data structure that is holding your hash your hash data the name of the Python module and then the description that gets put on the website, on the web page of what exactly this is doing underneath that you then define those arguments that are being sent to the attack to be processed so in this particular instance this is an MD5 crack and this is the initialization argument so it needs assault and it needs the actual crypt text one of the things that is convenient about this wrapper is that it will actually allow you to reorganize those arguments into something that's more convenient for the web framework and for user input and this particular instance both assault and the crypt are being passed to one argument type the argument type is called MD5 password so inside of the Python framework inside of Medusa's framework is another directory full of Python scripts that are also loaded up that you can add to that list different argument types string, integer, hex this is a custom one that I put in for free BSDs MD5 crack and basically what it does is it produces to the user web input of give me the entire hash dollar sign one, dollar sign salt, dollar sign and then the actual crypt text it takes the salt and the crypt text out it turns the crypt text from its current text representation into a binary representation and then it feeds those two pieces back to the actual library to do the cracking instead of producing two inputs to the user to have to do the work themselves it can actually wrap that up so another example of this type of convenience you can have 20 or 40 or 60 individual hash files that you want to aggregate together into a single conglomerated hash table you can have those 20 files the file in arg type that's already in Medusa will see those 20 files and read the description out of it and produce to the user one option on the drop down to pick from it will then take that 20 files divided by the number of clients that are attached to it and when it actually spits out the attack it will break each file into as many pieces as you can do and send out each piece of each different file to each client and manage the attack for you doing all of that in python means that not only is it easier to add new argument types because python is a lot easier to write in and much more flexible but it also means that the interface between python and c is much more simplistic this argument type here the md5 password argument type here can also be referenced like a function you can actually pass arguments to it those arguments automatically get shoved into the nest of the init function on the python class the argument type class so if you wanted to have greater flexibility one example that I I don't think I have in the slides here but with your file in an argument type you can pass it a type hash or whatever you want so when it looks at all the different hashes that are inside of this attack server it will group it by type and it will only show if you say file in hash then it will only show you the hash or rambo table files in the system if you pass it dict then it will only show you the dictionary files inside of the system so there's lots of ways in which you can customize the argument types to again present a valuable user interface on the web attack side and at the same time not have to deal with writing it to much c code for processing this since you can all handle it in python instead so here's the actual wrapper code basically all you have to do this functions goal here is to take the arguments from python and feed them into c so there's four pieces of that the first you just define whether it's an integer string whatever it is the different arguments that you're expecting to get from python the second chunk is where you call the py parse tuple it will actually get the attack arguments and shove them into your c variables the third step is an optional one when you're dealing with binary data that is not a null not a c string that's null padded then python will also pass you the size of the string so you're going to want to check that against what you're expecting for instance with cow padding the nonce and the ea pull frame variables very likely will have zero byte data inside of it so you can't just receive it as a string and check the length of it you've got to get the actual size of the data that's being passed back from python and check and make sure it's the right size that you're expecting if you're just dealing with simple strings and integers you can actually skip that part or if you just don't feel like actually checking your data you can skip it anyways and then the last piece is where you just call your initialization function again you don't need to deal with calling the start and the stop and the checks or anything else you're just getting the data initialized so that the attack can run once it's initialized Medusa will take over the rest for you so again with the argument types I think I really skipped ahead and covered a bit of this already but whatever you pass inside of the argument type will get fed into the C and it can take arguments that will pass to the class and then this lies to class here is here is an example here you see file and deck so this is exactly what I was talking about earlier the file and argument type can take an option of what type of files to show to the user in this particular case this is only going to show dictionary files that it wants to crack and not show hash files Medusa was built using Aaron Schwartz web PY framework the biggest reason why I chose web PY was so that you can run it however you want if you just run the actual Python framework run the controller file it will spit up its own web server and chunk right along if I remember correctly it uses the cherry pie web server Python based web server so you don't have to actually do anything to get it to run simply now you're not going to it's not going to be SSL encrypted and you're going to have other limitations to using that approach but that's the simple approach it's also a full WSGI framework compliant application because of web PY so you can drop this into Apache drop it into light htvd drop it into any basically any web server that supports fast CGI and take advantage of the SSL and if you would roll it into Apache you can SSL encrypt the actual traffic you can take advantage of the fact that it's going to be a far more robust framework or service to run in and it gives you that flexibility to run it however you want or wherever you want you can run it inside of an existing website you can embed it inside of an existing WSGI and append it under the end of something an existing site and hiding it somewhere as well right exactly someone else's website alright it's moving right along it's time for the live demo FROT FROT with parallel so here we go here is a demo of a different environment with 40 different clients attacks to it typically Medusa will output the URLs of the different clients attached to it so that you can see what you're working with in this particular case for the demo I'm actually hiding the URLs but the whole framework is stateless based all the entire attack distribution of the attack is stateless so request between the clients and the servers or between you and the server is done with basic HTTP authentication and absolutely no session or state inside of it so again simplicity was a goal of this design as well and it uses XML RPC to communicate between the clients and the servers and this so let's go straight to doing an attack here I've loaded up Calpatty and FreeBSD MD5 modules that can either do a brute force attack on Calpatty, a dictionary attack on Calpatty a rainbow table it can actually produce rainbow tables each client will write its own rainbow table file out to its own self if you're not going in that particular instance if you're not going to use a shared file system or back it up to any of those cloud data storage systems that are available then you're going to have to deal with bringing those hash files back but the goal and intent here is to use a shared file system to store the actual data on I'm not going to name any even though I'm tempted to so if you pop in here this is to do Calpatty I'm just actually going to fill it in with some data that was pre-extracted now for this particular demo I did not have time in Python to write for instance a something that can process a packet capture dump like Calpatty could but instead of doing that I'm just simply asking for the output that comes from the processing the dump off of the wire included with the the updated Calpatty release is a small C program where you just feed it the dump it spits out these variables exactly as they need to be retyped but again also it wouldn't be terribly difficult to write a Python module that would be dropped into Medusa where you would upload the actual dump from your packet capture and then it will break that into the values and send it out one of the other advantages to this system that's running on the cloud is you don't have to have any of this hardware with you you can use your cell phone when you walk in somewhere and grab a Freebase DMD5 hash off of a system if you were to do the whole dropping of USB sticks attack and hope that someone picked it up and put it into their machine when it reads the hash off of their Windows computer it could upload it automatically to an existing web Medusa server and then it will attack for you immediately the whole thing is done on the internet so you don't need any more hardware than a basic web browser like a cell phone to actually start up an attack and this particular one oops I've only got one dictionary file here and it's a 40 million word dictionary file just a little bit more and it's going to get split across 40 clients so now the attack is running each block has its own status of how much of it's been processed out of the block that's been split up against now again this is one file this is one dictionary file that was split in a smaller chunks and passed out to each server so each server has gotten a one million roughly one million word chunk of that dictionary file that it's responsible for processing one of the things that you'll notice is that the attack speed or records per second here is accelerating it started off pretty low and it's getting faster there's two things to be aware of here the first thing is that the time that's being measured for the attack started right before the attack actually got sent out to each client and is being measured as the client send their results back in now for the purposes of this demo I accelerated things to be between one and five seconds on the reporting back and a normal attack that's going to be a lot of traffic you've got ten hundred or a million different bots or cloud computers running together you're not going to have each one of them shoot back the status every few seconds works well for demo but but in reality this is going to be something that you're going to want to set and then wait for the answer to come back for you one of the other things that I've noticed and I don't know if this is I'm assuming so far that this is a side effect of the particular computers I'm using for this attack but when the attack starts up when it pegs the CPU at a hundred percent it seems to be it seems to be allocating the resources on the fly so when it first starts for the first couple of seconds it'll use one or two cores out of the eight core system and then after about five or ten minutes it's eventually consuming a hundred percent of all the cores but for some reason there is a delay there before it actually ramps up at any rate you can see it's already running at over ten thousand keys per second you know if you run cow patty on your local laptop you're likely to get about 90 keys a second this is several orders of magnitude higher and this is currently running on it's actually twenty different cloud servers linked together and basically the cost to me to run all of these is sixteen bucks an hour so for sixteen bucks an hour you can go over over a hundred times faster than you could on your local laptop when trying to crack cow patty in particular just looking at the output here again each block has its own status as it's being processed and then each client is listed underneath it with it's with whether or not it's still active, actively processing blocks being utilized for this attack the client once it links up to a server the client is essentially only produces status output of what it's currently doing you cannot start an attack from a client or manage a client at all from the web interface you can only manage things from the server so and again it continues to ramp up over time this will eventually scale up to about eighteen hundred keys per server which across forty servers would be about eighty thousand keys a second once it fully ramps up if I'm doing my math and my head right so again for about sixteen bucks an hour you can do eighty thousand keys a second ten minutes alright I can't even see it there is a reset button here to do there is a reset button here at the very bottom of the screen that's not showing up to stop an attack and restart another one the hash based attack on cow patty accelerates this so much faster to the point where a forty million hash is run in less than a second on twenty on the forty link servers together and a brute force attack of a md5 password runs at about thirty three thousand keys per server so while this is fun since I'm running out of time I'm actually going to stop the demo short and get back here and press alright so where this became very useful besides trying to get other people's passwords was actually taking the output of how fast you can run an attack on a rented cloud server and take that versus what it costs you to rent that server and use that to come up with a dollar value for passwords so here for instance are your cracks per dollar for five different hash types and the last two actually were estimated I was not able to get an attack launch we'll put together for them so instead I compared the speed of John on password md5 to the speed of John on those two different types and extrapolated the results here but so again for a dollar you can get about eight million cow patty cracks with the dictionary two point eight billion if you're going to use a rainbow table a hundred and forty nine thousand md5 attacks two hundred and thirty seven billion on NT Landman if people didn't somehow already believe that Landman was dead I've got some numbers here that will show you that for about a couple hundred bucks you can get any NT Landman password and then with OpenBSD Bluefish it still reigns supreme on the password hashing coming in just about just a little bit faster than WPA which is pretty slow go ahead and give me the money I'll get that for you later so here's that extrapolated to different ways of to different passwords based on the characters you're going to use inside of your password so if you're only going to use lower alphanumeric characters and cow patty and you've got a seven character password get your password for a couple hundred bucks it does even cost a dollar to get it if it's NT Landman and if you go all the way to an alphanumeric and all special characters NT Landman is still 273 bucks and you can run through the entire key space on cow patty you're in the millions already in terms of dollars to break that type of password if you look at eight character passwords I went ahead and at this point dropped the extrapolation data because the numbers that I'm multiplying were so high that I'm just assuming they were going to be wrong at this point because it was estimated from the beginning but just working with the three things here you can see that an eight character password as you would assume really kind of steps the bar up a bit but if you're using a hash table on cow patty you're still at about two million dollars for an eight character password and with an MD5 password you're at 40 million dollars so just as a potential conclusion as you could draw from here if this was a home network it looks like an eight character password if you were to attack the entire key space we'd keep you pretty safe but if this was let's say Google decided for whatever stupid reason to store all their sensitive data on an eight character password isn't going to do it it's not secure enough now ten character password and all of a sudden the numbers are quite different you're in the billions trillions on cow patty billions if you're using a rainbow table and pretty large billions on a free BSD dictionary so ten character password if you really just want to be stupid and brute force the whole thing you're getting into fairly safe territory here but that's assuming that brute forcing is the only way to go what about a dictionary attack now the key space is massive but here's an example of using dictionary words and assuming that each dictionary word that you use is actually run sort of like through John's I forget the extension but the ability to actually take one word and well let's reverse it let's spot some characters let's put some prefixes and suffix ten million words and you do two thousand translations per word what is the value of that type of approach an example of how this can be useful is companies looking to keep their passwords secure it's not uncommon for them to run a password through a dictionary and look for something common but here's an example of the size of the dictionary you ought to be using to consider that to be a safe password a ten million word dictionary with two thousand translations and you get a twenty billion different passwords that are being tried still a couple thousand dollars in CalPuddy it's really not a whole lot if you use a hash it's seven bucks this could be any length of password it could be any length as long as it fits within you're only going to try ten million different words or combinations of words and then it's also fairly inadequate on the MD5 password hash even if you extrapolate that to ten trillion words still with two thousand different combinations per word you're talking with CalPuddy without Rambo tables it looks pretty good but with Rambo tables on a large scale corporate or enterprise network that's really not a whole lot of money and with the FreeBSD you're talking $133 million that's a fair chunk of change but again if this is the Unix system account to Google's financial data or something else critical that is using some that a password is protecting it very well could be insufficient still and that is a massively large dictionary so while brute forcing isn't very effective walking that line between having a password that you can remember that you're completely sure isn't somehow even accidentally based on extrapolation of a large dictionary file which you're talking I mean even all the words in the human language is going to be under a million I would assume even if it was 100 million you're still talking about several combinations of each word and then still run through multiple permutations it's pretty likely with the file of that size that you could get most passwords and you're still talking about a pretty reasonable amount of money to spend depending upon what you're trying to get to right right this is a worst case scenario and that's the whole point here is to take what password are you currently using are you really confident that 100 million password dictionary that I was trying several combinations of each word on I wouldn't come up with the password you chose whether it was 12 characters, 24 characters if it's still based on something mnemonic it's very likely that it would be found in a dictionary of that size and that's still a reasonable amount of money to be spending depending upon the data you're trying to get at so again where's the impact the impact comes from the fact that you're not actually using these servers you can whether you're running it illegally off of a botnet from a black hat standpoint you're doing it legitimately off of cloud computing services or you're for whatever reason using off time on your existing enterprise network with a large number of machines there are several different ways in which you can utilize this to not only test your own passwords and come up with the with the dollar value strength of your passwords that you can compare against the data that you're trying to protect but this is something that can perhaps even already is in use on botnets already the amount of traffic particularly if you're not wanting to watch the actual keys per second can be almost zero you know you really just need one packet to start it and one packet per client per response to end it and that's it so with a million you're talking million clients you're talking a million in one packet perhaps spread out over the lifetime of the attack it's something that could be could be very easily hidden inside of botnet traffic as is with spam and other data also everything's getting faster one particular cloud computing option just double well actually two and a half times increase their processing power for the same amount of money between beginning of this year and today so even if you're going to just assume more is law then these things these dollar values cut in half every year every two years but the current rate of cloud computing I assume because it still is new and the actual cost isn't quite clearly known yet it's still changing and these numbers are going to continually decrease every day and the passwords will become cheaper and cheaper and cheaper to break again a recap that password strength is a good way to measure the safety of your data the strength of your password should correlate to the value of the data you're trying to protect with this method you can now apply a dollar value to the strength of your password and then you can correlate that to whether or not you're sufficiently securing the data that you're trying to secure in most cases I would argue at this point that you're not being very effective because most passwords that won't fall into a potential dictionary style attack of this scale are probably too hard to remember so now you've got the post-it note problem you wrote it down somewhere or you wrote it down in a system that's protected with another easier password either way ultimately you're stuck with most likely a mnemonic password system which ultimately can be found from a dictionary Rambo tables make it even easier I'm done alright just 30 seconds on what next you know there's a lot more that can be done with this tool including for instance that dictionary approach of splitting trying different 2000 different or more combinations per word all of these things can be easily added to the Python side of the framework instead of the C and they get very easy to distribute it out across the attack Q&A is across the hall that's it thanks guys