Cracking unknown hashes with Belgian beers

Once upon a time I was sitting lonely in a consulting office in Brussels and trying to absorb the information posted daily on my regular blogs ... Suddenly, I was challenged by an unknown crypto hash VOhRrmhZvX7lEG9KvuF/6FVA, or at least something which looked like a hash, on radajo.com. I quickly started analyzing the string of characters:

- The character base looked like A-Z, a-z, 0-9 and '/'
- The length was 24 bytes or 192 bits

As it looked like the string was encoded, I realized that hex was not possible because of the character base, but base64 would be possible. Decoding the string revealed something which left me more clueless than before: 'TèQ®hY½~åoJ¾èU@$'. Encoding the string in hex (0AE25D13507675415DD5D90B652CD0E6F8FA3188) provided me with a 20-byte (or 160-bit) hex string. Quickly, I fired up my favourite browser and used it to browse to my brain-extension tool, Google, looking for an algorithm resulting in a 192-bit base64 string or a 160-bit hex string. SHA-1 looked like the only thing which was possible (SHA-0 is not really widely used), so I browsed to www.sha1search.com and tried to look up this hopefully well-known hash ... unfortunately. As I know all three Spanish parts of RaDaJo, I knew they weren't 'cabròns' who would provide me with an unknown SHA-1 hash. That would take ages to crack ... Back to the base64 string ... I was desperate and even tried ROT-13 :-).
But as you can see here below, it didn't really give the expected results:

  ROT-1:  WPiSsniAwY7mFH9LwvG/6GWB
  ROT-2:  XQjTtojBxZ7nGI9MxwH/6HXC
  ROT-3:  YRkUupkCyA7oHJ9NyxI/6IYD
  ROT-4:  ZSlVvqlDzB7pIK9OzyJ/6JZE
  ROT-5:  ATmWwrmEaC7qJL9PazK/6KAF
  ROT-6:  BUnXxsnFbD7rKM9QbaL/6LBG
  ROT-7:  CVoYytoGcE7sLN9RcbM/6MCH
  ROT-8:  DWpZzupHdF7tMO9SdcN/6NDI
  ROT-9:  EXqAavqIeG7uNP9TedO/6OEJ
  ROT-10: FYrBbwrJfH7vOQ9UfeP/6PFK
  ROT-11: GZsCcxsKgI7wPR9VgfQ/6QGL
  ROT-12: HAtDdytLhJ7xQS9WhgR/6RHM
  ROT-13: IBuEezuMiK7yRT9XihS/6SIN
  ROT-14: JCvFfavNjL7zSU9YjiT/6TJO
  ROT-15: KDwGgbwOkM7aTV9ZkjU/6UKP
  ROT-16: LExHhcxPlN7bUW9AlkV/6VLQ
  ROT-17: MFyIidyQmO7cVX9BmlW/6WMR
  ROT-18: NGzJjezRnP7dWY9CnmX/6XNS
  ROT-19: OHaKkfaSoQ7eXZ9DonY/6YOT
  ROT-20: PIbLlgbTpR7fYA9EpoZ/6ZPU
  ROT-21: QJcMmhcUqS7gZB9FqpA/6AQV
  ROT-22: RKdNnidVrT7hAC9GrqB/6BRW
  ROT-23: SLeOojeWsU7iBD9HsrC/6CSX
  ROT-24: TMfPpkfXtV7jCE9ItsD/6DTY
  ROT-25: UNgQqlgYuW7kDF9JutE/6EUZ

Disappointed in my own knowledge and years of experience with password cracking, I decided to give up and throw myself into the Belgian 'soft' beers (Jupiler). Coming back from the pub, I decided to pay a visit to my good old friend, John ... The Ripper, John ... to be correct. I don't know why, but it seemed the beer troubled my rationale and brought back memories ... I kind of recognized the composition of the string. It reminded me that I had seen these strings before in some kind of old UNIX /etc/passwd file. I quickly created a file 'passwd' in the classic UNIX password file style and tried to crack it the hard way:

  csh-2.05b# screen
  csh-2.05b# echo 'owner:VOhRrmhZvX7lEG9KvuF/6FVA:a:a:a:a:a' > passwd
  csh-2.05b# john -i:all passwd
  Loaded 2 password hashes with 2 different salts (Traditional DES [24/32 4K])

Well well, 2 HASHES? Doink? I must have drunk too much beer ... because last time I checked, I only inserted one hash into the password file. Argh, probably some kind of bug in john ... As it was already 2am, I disconnected my screen session and went to bed.
The following morning, I arrived in my office and immediately fired up putty (yes, I am obliged to use Windows by my company :p):

  csh-2.05b# screen -r
  csh-2.05b# john -i:all passwd
  Loaded 2 password hashes with 2 different salts (Traditional DES [24/32 4K])
  epooh9           (owner:2)

Whoehoew! My dear old friend didn't let me down! While 'epooh9' seems like an odd password to use, I decided to mail RaDaJo asking them to confirm my results, because as a security consultant I don't really have a lot of time to waste on writing a story if I am not sure that the results of the challenge are correct. A few hours later, the Ra in radajo mailed me back stating that he could not say if I was correct or not ... Well, anywayz, I was not going to write the story if I wasn't sure ... One thing which troubled me was the "2 password hashes loaded with 2 different salts" ... The next day, I came back and decided to look again at what John was doing:

  csh-2.05b# screen -r
  csh-2.05b# john -i:all passwd
  Loaded 2 password hashes with 2 different salts (Traditional DES [24/32 4K])
  epooh9           (owner:2)
  winnieth         (owner:1)
  guesses: 2  time: 0:18:23:51  c/s: 95276  trying: winnif67 - winnieg!
  csh-2.05b#

Wow, what's that ... now he cracked the second hash (in the meanwhile, my brains were thinking ... 'which second hash?'). At least a password 'winniethepooh9' sounded more likely than the result I got yesterday. So the hash was cracked, but what the hell was it used for? Calling again upon my brain-extension tool, Google, I started looking for 'DES 2 hashes'. I stumbled upon a site explaining the bigcrypt() and crypt16() algorithms and how they are being used on HP-UX:

"An object of this class encapsulates a passphrase hashed using the "bigcrypt" hash function found in HP-UX, Digital Unix, OSF/1, and some other flavours of Unix. Do not confuse this with the "crypt16" found on Ultrix and Tru64 (for which see Authen::Passphrase::Crypt16).
This is a subclass of Authen::Passphrase, and this document assumes that the reader is familiar with the documentation for that class.

This is a derivation of the original DES-based crypt function found on all Unices (see Authen::Passphrase::DESCrypt). The first eight bytes of the passphrase are used as a DES key to encrypt the all-bits-zero block through 25 rounds of (12-bit) salted DES, just like the original crypt. Then, if the passphrase is longer than eight bytes, the next eight bytes are used as a DES key to encrypt the all-bits-zero block through 25 rounds of salted DES, using as salt the first 12 bits of the hash of the first section. Then, if the passphrase is longer than sixteen bytes, the next eight bytes are used, with salt consisting of the first 12 bits of the hash of the second section. This repeats until the entire passphrase has been used. The hashes of all the sections are concatenated to form the final hash.

A password hash of this scheme is conventionally represented in ASCII using the base 64 encoding of the underlying DES-based crypt function. The first two characters give the salt for the first section, the next eleven give the hash of the first section, the next eleven give the hash of the second section, and so on. A hash thus encoded is used as a crypt string, on those systems where the bigcrypt algorithm is part of crypt(), but the syntax clashes with that of crypt16. This module does not treat it as a crypt string syntax."

Well, that looks familiar ... DES ... 2 hashes ... base64 encoded ... HP-UX. Now everything suddenly became very clear! Knowing that all three of Ra, Da and Jo have been working with HP in Spain for a long time, it could be that they are kung-fu masters in HP-UX! And I remembered something else ... around January 2007, I was in Madrid for a project and went for some non-Belgian beers in a 'cerveseria' with Da and Jo, and I recalled they were explaining to me some mistake in the HP-UX hashes very similar to LANMAN hashes.
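The quoted description explains exactly what John's "2 password hashes with 2 different salts" line meant: a bigcrypt string is a chain of independent traditional-crypt sections, one per 8 bytes of passphrase, each carrying its own 2-character salt (12 bits). Because every section is an ordinary 56-bit DES crypt, a 14-character password costs an auditor no more than two 8-character ones, which is the same structural weakness as LANMAN. The Python below, written for this page as an added example and not code from the post or from Authen::Passphrase, decomposes a bigcrypt string into those sections purely from the encoding rules in the quote (it performs no DES; the function names and the 'sections' list shape are my own). It also shows why the string passed as base64: the crypt alphabet shares 63 of its 64 symbols with base64, differing only in '.' versus '+'.

```python
from typing import List, Tuple

# Alphabet of the traditional DES crypt() text encoding (64 symbols).
# Base64 uses the same symbols except that '+' stands where crypt has '.'.
CRYPT64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

SALT_LEN = 2    # 12-bit salt -> 2 crypt64 characters
HASH_LEN = 11   # 64-bit DES output -> 11 crypt64 characters


def looks_like_bigcrypt(s: str) -> bool:
    """True if s is drawn from the crypt() alphabet and has the length of
    one salt followed by n hash sections: 2 + 11*n characters, n >= 1.
    (n == 1 is a plain traditional crypt string.)"""
    if len(s) < SALT_LEN + HASH_LEN or (len(s) - SALT_LEN) % HASH_LEN != 0:
        return False
    return all(c in CRYPT64 for c in s)


def split_bigcrypt(s: str) -> List[Tuple[str, str]]:
    """Decompose a bigcrypt string into (salt, hash) pairs, one per 8-byte
    passphrase section. Section 1 uses the leading 2-char salt; every later
    section is salted with the first 2 chars (12 bits) of the previous
    section's hash, as the quoted description states."""
    if not looks_like_bigcrypt(s):
        raise ValueError("not a bigcrypt / traditional crypt encoded string")
    salt = s[:SALT_LEN]
    body = s[SALT_LEN:]
    sections: List[Tuple[str, str]] = []
    for i in range(0, len(body), HASH_LEN):
        h = body[i:i + HASH_LEN]
        sections.append((salt, h))
        salt = h[:SALT_LEN]          # salt for the next section
    return sections


def as_traditional_crypt(s: str) -> List[str]:
    """Each section re-expressed as a 13-char traditional crypt string
    (salt + hash): the independent units a password auditor loads from one
    bigcrypt value, each crackable on its own."""
    return [salt + h for salt, h in split_bigcrypt(s)]


def passphrase_sections(passphrase: str) -> List[str]:
    """The 8-byte pieces of a passphrase that bigcrypt keys separately.
    An empty passphrase still yields one (empty) section."""
    data = passphrase.encode()
    pieces = [data[i:i + 8].decode() for i in range(0, len(data), 8)]
    return pieces or [""]


if __name__ == "__main__":
    # The challenge string from the post.
    challenge = "VOhRrmhZvX7lEG9KvuF/6FVA"
    for n, crypt_str in enumerate(as_traditional_crypt(challenge), 1):
        print(f"section {n}: salt={crypt_str[:2]} hash={crypt_str[2:]}")
    # Constructed candidate: the two pieces match what the post's John
    # output reported as owner:1 and owner:2.
    print(passphrase_sections("winniethepooh9"))
```

Running it on the post's string yields the two traditional-crypt units "VOhRrmhZvX7lE" and "hRG9KvuF/6FVA"; the second section's salt "hR" is simply the first two characters of the first section's hash, which is why the cracker reports two different salts from a single field. The defensive takeaway is that a bigcrypt audit should flag any password whose length exceeds 8 as no stronger than its weakest 8-byte piece, and that systems still producing these strings should move to a modern crypt scheme.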
I think I hit the jackpot :-) But, as I am unsure by nature, I wanted to be really, really certain ... (and else you would question the title of my story). During SANS Secure Europe in Brussels, I went for dinner with Da and my dearest Spanish friend Carlitos. I suggested having a quick drink before dinner, and I ordered a 'Chimay' (Belgian trappist beer) for Da ... and he clearly enjoyed this 7°C beer :-). Next, I ordered him an 'Orval' (Belgian trappist beer) which has 6,2% alcohol. I started talking about the 'winniethepooh9' password and asked if it was correct. He clearly mumbled that the Ra part of radajo would kill him, so he could not talk about the results ... but the smile on his face provided me enough assurance that I was correct.

The thing I have learned out of this challenge is that knowledge and tools will not always provide the right answer ... it is the Belgian beer which is always right :-)

El Tio De Belgica (Pieter Danhieux)