All right, so we have the pleasure, nay, the honor of hearing David Hulton talk about the end of Kerberos and NTLMv1, and man, you really like giving me a hard one to go: cracking DES. So please welcome and give it up for h1kari, David Hulton.

All right. Thanks a lot for showing up here. So yeah, I'm gonna be talking about cracking DES today. Does everybody here know what DES stands for? Okay. Well, we're gonna be talking about a slight variant of DES. It's called the Data Encryption Shark. I don't know how this made it into my slides here, but there may be some sharks in this presentation.

So did anybody here catch my talk I gave with Moxie back in 2012 on cracking MS-CHAPv2? Okay, a couple people. So MS-CHAPv2 stands for the Microshark Challenge Handshake Authentication Protocol and provides mutual authentication with a password, and specifically focused on usage with PPTP VPNs, also used for WPA Enterprise and a number of other protocols. And the research that we presented was nothing new. Actually, a very similar attack was outlined by a bunch of cryptographers back in 1999, and we just kind of revisited that, and basically the paper showed that state actors, you know, could easily crack this, and it was widely used in Windows. Do you guys see something that's weird? Huh, okay.

So basically how it works is that you connect to a server, it sends a client challenge, and then the client generates a hash, and then it basically uses their user password that's converted into an NT hash, and then encrypts the challenge to create the response and sends it back to authenticate with the server. And up until this point people had basically just been attacking the user password, and this was really good for people who had weak passwords. But if you're really trying to go through every possible password, this ends up being a very large key space they have to go through, and so the
attack that we presented was basically just trying to crack DES to recover the NT hash, which in a lot of cases can be used as the password equivalent to authenticate to these networks. And so DES, you know, people think that it's insecure, you know, because two to the 56. And initially people thought, oh, this is like similar to triple DES, but really this is three separate DES operations, so it's additive and doesn't exponentially increase. So it's really, you know, closer to two to the 57 that you have to go through in order to actually brute force this.

And the key thing here is that this last key is actually only 16 bits long, and so that's pretty easy to crack, just because your NT hash is only 16 bytes long, and so you're really just trying to crack two DES keys. And another interesting thing here is that your challenge hash is the plaintext that's used in both these operations. And so normally how you'd implement this is you would go through the full key space twice to crack both of these keys, but because your plaintext is the same, you can go through it just once and then do two compares afterwards to see if you found the right key. And so that's kind of the attack that we presented, and, oh, whoa, what? Weird. Oh. Okay, okay, get out of here, sharks. Oh, thank you.
Thank you. So yeah, we demonstrated that it could be done in two to the 56 DES computations, and the key thing is that we made it so anybody could do this instead of just, you know, governments and stuff like that. So how this worked is Moxie released this program called chapcrack that you could point at a pcap file, and it would extract out the information to basically create a token that you could then submit to CloudCracker, and then that would go on to an FPGA cluster that we put together, and within 24 hours it would send you the NT hash for that MS-CHAPv2 communication. In this case we supported PPTP VPNs and WPA Enterprise.

And so yeah, in this day and age DES should be super easy to crack, right? Back in 1999 the EFF DES cracker was, you know, invented, and it took around 9.2 days, and so with Moore's law you'd think it'd be really fast now. So looking at doing this in around 24 hours, using CPU instances would take around 80,000 CPU cores to crack a key, which is pretty expensive, even in the cloud. Then there's also GPU instances that are also fairly expensive, and so what we did was we happened to have some FPGA hardware laying around, and we were able to provide this at around $20 a key just using kind of spare FPGA hardware. I mean, one of these systems about five years ago would cost around 150 grand for the system, but we put this on as an online service just to create awareness, and it ended up getting relocated into my basement. So that's my basement.
Oh, whoa. And so then of course everybody rushed to fix everything, right? That's what happens whenever you show that something's vulnerable. Hi.

And so one of the VPN providers that we called out in our talk specifically was iPredator, and all that they did was just add a little thing to their website discouraging people from using PPTP, but of course everybody still supports this. And then people kind of dismissed WPA Enterprise attacks as being, oh well, everybody does strong certificate checking, so this isn't really an issue. And of course everybody here does strong certificate checking with every WPA Enterprise network they connect to, I'm sure.

So since then we got some interesting jobs. Like for example, you know, this first one up here looks like what you would kind of expect from, you know, a challenge response that we're trying to crack. But then we saw these ones that were like one one two two three three four four, and we also saw these ones where the two ciphertexts are the same. And so people were obviously using the service to crack other things besides just MS-CHAPv2.

And one day the traffic to our website dropped off and I noticed that cloudcracker.com was down. I emailed Moxie and he never replied to me, so I don't know what happened to him. But we ended up reinventing this as a service that ToorCon provides, and it basically is just a web interface to the FPGA cluster in my basement. So we decided to kind of reinvent the service a little bit, figure out what people were actually using this for, and try to just add some additional support for all these different features. And the real point of this whole service is to, you know, like, it's kind of the grand experiment of how do we finally kill a legacy crypto algorithm
that's like so pervasive? And so hopefully, you know, after all this awareness, eventually it'll finally get phased out of all these major products.

So one thing that we found out was what people were using this for. Has anybody here used SMB capture or, like, Responder or anything like that, in kind of Windows pen testing engagements? So LANMAN and NTLMv1, which are kind of legacy authentication protocols now for just authenticating to a Windows share, there's all these tools out there to kind of set up a fake Samba server and then do downgrade attacks and capture this challenge response. And so the default challenge that SMB capture sends out is this one one two two three three four four, and people were using that to crack Windows authentication. And so it turns out that you can basically take the values that SMB capture or Responder spit out, and it's essentially MS-CHAPv1, which is pretty similar to MS-CHAPv2, but you can provide the whole challenge, and so you can plug that right into our website and essentially crack someone's NT hash just with this authentication. And then this, you know, obviously works no matter how complex the person's password is, because you're actually cracking the NT hash and not the password.

And so yeah, we kind of made an update of the site to take these hashes directly from SMB capture, and then same with if you're using Responder, you can essentially just copy and paste it in the website and then get the NT hash for any sort of net capture. No. What was that?

So then also with WPA2 Enterprise, things have kind of evolved a little bit since then. Now, you know, I've talked to some people and it turns out there's still lots of environments out there that don't do proper certificate checking, a big surprise, and there's some better tools out now, and so now if you ever come across a WPA Enterprise network you
can run hostapd and do kind of evil twin attacks and capture essentially their NetLM and copy and paste it into the website, and for $20, within 24 hours, you'll get basically access to the network, because the NT hash that you get from us you can plug right into your WPA supplicant config file and then authenticate to the network, or go through and decrypt the traffic or whatever you've captured for that network. Ah. No, man, there's more and more of these sharks in my presentation.

And then also there's some research done recently by Karsten Nohl about how, doing over-the-air updates to SIM cards, all of the authentication with that is basically done with a single DES on a lot of carriers. And so this was actually featured in Mr. Robot a little while ago. And so we also added this just general-purpose interface to allow anybody to crack DES if you find it in any sort of applications out there. And so it's just based on simple rules with like masks, and you provide essentially the information you know about what's happening, and it'll go through all the possible DES keys and kind of send you a list of all the ones that match that criteria.

And so, to demonstrate this general-purpose interface, we thought we'd try just using Kerberos as kind of an example for this. And so does anybody here use Kerberos in their environments or looked at Kerberos a little bit? Out of those people, have you seen DES used in the wild at all, DES-CBC or RC4? Okay, well, some people are still using DES. I know that for my day job we still use DES on our network. But it turns out that with Kerberos,
it's really trivial to downgrade, and so a lot of these legacy networks that still support it, you can easily downgrade it by just using a simple Ettercap filter. And so this is on our GitHub, where if you look over here in the encryption types, we just substitute any encryption type with des-cbc-crc, and that causes everything to just downgrade to that. And then you can also use Wireshark to capture this. I mean, here's some Wireshark captures here, and I... What's that? I guess sharks are hackers too, according to Google.

So and then once you capture these Kerberos packets, it's all based on ASN.1, and so there's lots of known plaintext just in the ASN.1 encoding, and so we can automatically extract out basically the known plaintext and create a token to submit it to the website. And because of CBC, it's relatively easy to generate all of that. So this is kind of an example of running it on a Kerberos capture that has some DES traffic, and then these are the submission tokens you can just submit directly to the website to crack the DES key. And actually, I'm really horrible at Kerberos, and so I kind of presented this at a couple conferences recently and somebody emailed me and showed me how to use these keys to actually authenticate to the network. So now you can basically take the key that we crack for you within 24 hours, and now you can authenticate to the Kerberos network through Linux. And so anyway, there's some, oh, whoa.

So I also started receiving emails from people asking if I could crack DES crypt files, or DES crypt hashes from like old shadow files and password files. And has anybody come across any DES crypt hashes in shadow files? A couple people? Okay. What sort of operating system did you? Okay, okay, buddy machine. Nice.
Yeah. So, yeah, yeah. So initially this was designed to run on a PDP-11, so it would take more than one second to compute, and computers have surprisingly become a little bit faster since then. But of course nobody uses this anymore, right? And so obviously there's some people that do. Another one that we found is that a lot of these people who are requesting this were doing car hacking, and a lot of the infotainment systems in cars use QNX, which I guess still supports DES, and it's actually the more secure version. They also have another proprietary version of their own password hashing algorithm that's fully reversible, so it's actually much more secure.

And so we just went through the internet and tried to find as many of these hashes as we could. Like this one appears from like the Charlie Miller and Chris Valasek Jeep hack. There's another presentation on car hacking that I just found one of these in. There's tons on the internet. And so I implemented this so it just goes through the full key space, and so no matter how difficult the password is, it'll crack it, and it takes around three days on the system that we have. And so you can just plug it into the website, and within, you know, a few days you'll get the password no matter what.

And so we started looking around for secure passwords, and I asked my buddy Carl if he had any really secure ones that he could send me, and he sent me this one that's used in all of the OnStar systems, and so he ran it through here and it turns out the password is root. And so, and then like, yeah, the Jeep one is like, you know, all these are like lowercase, you know, relatively easy to crack with just John the Ripper. So since then I've received some that are actually pretty complex. They're using like boats and other things like that. But if any of you are interested in trying to crack any of these,
yeah, just let me know and we can run it on the system. Elevators everywhere.

So when will this ever get fixed? Does anybody here remember like session hijacking and, you know, stealing cookies and stuff like that? And then also remember Firesheep, where they basically made it so anybody and their grandma could, you know, log in to arbitrary Facebook accounts if you're just, you know, at the Starbucks? And so kind of our whole philosophy here is that, you know, if we make this easy for everybody to do, then eventually it'll get fixed, and so that's kind of the current strategy. And so we're really asking ourselves, like, how do we motivate change and make this even easier for people to do?

And so the biggest problem is that we charge for the service, and the reason why we do that is mostly because, you know, I only have one of these FPGA clusters and it takes a decent amount of time to crack, and, you know, we do have to pay for air conditioning and power and stuff like that. But it's mostly a form of just load balancing, you know, and rate limiting with the service. And so what if we can make the service free?

So we looked into making a rainbow table for this, and it's a relatively large key space. Like, the largest Ophcrack table or, you know, standard rainbow table I could find was somewhere around 2 to the 52, and it was around 2 terabytes. And so our goal was basically to make, you know, one for the whole DES key space, which is about 10 times bigger than the largest table out there, and then also, you know, making it a reasonable size and a reasonable crack speed, like close to real-time, so we could just offer this as a service and not have to worry too much about rate limiting.

So the hardware that I picked up was six terabytes of NVMe storage, and I kind of borrowed some FPGAs from the office and also borrowed a server, and I came up with some rough parameters. So I managed to borrow a decent amount of hardware to generate the tables, and, you know, got
everything all laid out and, you know, was ready to get going, and then of course there's always hardware issues when you're dealing with hardware. So like FPGAs started overheating. We weren't expecting FPGAs to go from like, you know, drawing say two amps up to drawing 40 amps, like, you know, in a split second. And so there were all sorts of things we had to overcome. But eventually all these things got fixed, and we spent weeks generating basically kind of the first couple tables, and ran into some issues in that we had collision rate problems that effectively made the tables unusable. So we had to kind of go back to the drawing board and came up with some new parameters that made it more like around 12 seconds to crack a key instead of three seconds, but that seemed totally fine. And then of course we went back to generate stuff, and then some customer ordered hardware and so we had to like ship it out or something. So anyway, it took a while to generate everything, but eventually we had tables generated.

We got this cracking system up right now. We have, you know, the six FPGAs, and these NVMe drives are pretty tiny so they're kind of off to the side, and all of the air is just kind of directed straight onto the FPGAs. And it turned out that our coverage was actually better than expected. Right now we're at about ninety-nine point six five percent accuracy coverage, so, you know, one in two hundred times you'll crack your key. And then, yeah, when you're cracking the two keys, your coverage drops slightly because, you know, it's relying on both of them getting cracked. But then if we don't find it immediately, then we just offload it to the cracking rig and then it takes, you know, a day to find it. So yeah, we currently have this up and running, and on average it takes, you know, less, around 20 seconds or something to find your keys. No shark.

So anyway, it's free and you can start using this right now. We also have an API that we released so you can tie this
directly into your tools. And one of the key things to note is that this is specifically for cracking Windows authentication, so using SMB capture or Responder. And if we have, we have some time as a Riverside in here. I think we have, okay, we have a couple minutes, so I can just show you this demo real quick here.

So using Responder. So yeah, so normally, you know, you fire up Responder, and then if there's any Windows machines on your network that are vulnerable to this downgrade attack, then any sort of file share that they go to, or you'll just start getting floods of servers connecting to you, because it's basically responding for any sort of NetBIOS lookup request. And so now we have our NTLMv1 authentication here, and so we can copy this and paste it into, you basically just say NT hash and paste it into here, and you can give it your email address. And I didn't want to do this connected to the internet. And so you'll basically receive an email kind of like this within about 20 seconds, and then you can take your NTLM hash, which is right here, and then go back over to here and, well, I'll just have this canned here. So then you can do smbclient and now you're connected as administrator or whatever. And then you can also, you know, do any sort of like psexec stuff to basically, you know, pop a shell on the system as that user. And then yeah, you're not relying on any of the other sort of, you know, injection or relay attacks and stuff like that. So now you have basically the password equivalent for that user no matter how complex their password is.

So yeah, anyway, kind of the big thing here is that, you know, we've known that this is an issue since the late 90s. We knew that you could build custom ASICs for about 200 grand that would do it in nine days, and if you were to build the same thing nowadays, in theory it could crack any DES key in around a minute and a half. And so it's, you know, no surprise that FPGAs can do it in
you know, a matter of hours or seconds doing different techniques. So yeah, I think this is kind of a bigger issue with this algorithm. Can we really get this phased out and get people to stop using it? Because this will probably become an even bigger issue, you know, in the future with the other algorithms that we have out now.

So right now you can check out crack.sh. We have an API set up if you want to tie this directly into Responder just to automatically crack these NT hashes. We have some plugins, like there's an Errbot plugin if you want to just like submit stuff directly through Slack or IRC or something like that. And we also have all the code for the rainbow table stuff up on GitHub, so if you want to run one of these systems for yourself, all the code is there. We haven't figured out the best way to host or mirror this six terabyte rainbow table, but if you have any ideas, let me know. And there's, yeah, tons of people that contributed to all the research in this, so lots of thanks to them.

And so help me kill legacy crypto. If any of you want to try to crack some stuff, just shoot me an email and I'll let you run free jobs in the system. Tons of info online. And then of course come out to ToorCamp. I'm sure everybody's been barred, been barred in you with that the whole weekend, but we might have time for one or two questions if there are any. Anybody? All right, thanks a lot for coming.