October 6, 2012 at 5:03 am
Comments posted to this topic are about the item Your Password has Failed the Test
Best wishes,
Phil Factor
October 6, 2012 at 8:43 pm
Hi Phil,
I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
October 7, 2012 at 8:07 am
These privileges would give you control over every SQL Server instance, and if XP_CmdShell was enabled, then you could control the machine.
I disagree not about controlling the whole machine but with the suggestion that having XP_CmdShell turned on causes any sort of a problem. Specifically, you're talking about someone breaking in with an "sa" prived account. Whether or not XP_CmdShell is enabled or not, you've just let someone in with "sa" privs and they can turn XP_CmdShell on just like any other "sa" prived person can. In fact, any hacker hell bent on gaining such access will be expecting XP_CmdShell to be turned off and will turn it on without missing a step.
XP_CmdShell is not the problem here. Poor security is the only problem here.
--Jeff Moden
Change is inevitable... Change for the better is not.
October 8, 2012 at 9:15 am
I agree completely on performing password audits. PWDCOMPARE, however, is good for a first pass but not for the only pass. If you can find a password with PWDCOMPARE and without prior knowledge of the password, it's absolutely a worthless password. If you can't find it with PWDCOMPARE, you have no knowledge of its strength - it may still be an absolutely worthless password.
For actual password auditing, I highly recommend using dedicated tools like Hashcat, preferably with at least one modern, up-to-date graphics card (or NVIDIA Tesla card, for the industrially inclined or Amazon cloud renters) - note that SQL Server 2012 support is being added. Note also that cracking speeds with a single machine in the $4000 price range for SQL Server 2005 through 2008 R2 passwords are now in the range of 22,000,000,000 password attempts per second (yes, that's twenty two billion attempts per second, i.e. a one hundred thousand word dictionary with 220,000 rules applied every second... so putting three numbers at the end of a common word isn't going to help you much!).
Note that that rate allows brute force exhaustion of the entire 95^8 space (8 character cryptographically random password with all of upper/lower/number/symbol) in only about three days. 69^8 (as before, but only upper or lower case, not both) is exhausted in about 6 hours (generating an average cracking time of 3 hours, and 1 in 10 passwords being cracked in a little over half an hour).
Additionally, you can test the strength of passwords you think are secure (like the immortal "P@$$w0rd", which meets all "industry standard" windows complexity rules, and its children, "P@$$w0rd1" through "P@$$w0rd123", and all of which are some of the absolute very worst passwords in the world), with code similar to what I posted at the beginning of this year:
ETA: Added brute force timing notes.
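The brute-force figures in the post above follow from keyspace size divided by guess rate. This is an added example, not code from the thread or from Hashcat: a small calculator that reproduces those numbers and can be pointed at your own policy (alphabet size, length). The 22 billion guesses/s rate is the one quoted in the post; the two 8-character policies are the ones the post describes, with 95 = 26 + 26 + 10 + 33 and 69 = 26 + 10 + 33 symbols assumed.

```python
# Added example: keyspace exhaustion times for a password policy at a given
# cracking rate. The rate is the thread's ~22e9 guesses/s figure for SQL Server
# 2005-2008 R2 hashes on a single ~$4000 machine; policies are assumed inputs.

RATE_PER_SECOND = 22_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def exhaust_seconds(space: int, rate: int = RATE_PER_SECOND) -> float:
    """Wall-clock seconds to try every password in `space` at `rate` guesses per second."""
    return space / rate


def percentile_seconds(space: int, fraction: float, rate: int = RATE_PER_SECOND) -> float:
    """Seconds until `fraction` of uniformly random passwords from `space` have been found.
    An exhaustive search reaches a random target after a uniformly distributed number
    of guesses, so the average case sits at 0.5 and one password in ten falls in the
    first tenth of the run."""
    return exhaust_seconds(space, rate) * fraction


def dictionary_seconds(words: int, rules: int, rate: int = RATE_PER_SECOND) -> float:
    """Seconds for a rules-based cracker to apply every rule to every word."""
    return words * rules / rate


def policy_report(alphabet_size: int, length: int, rate: int = RATE_PER_SECOND) -> dict:
    """Summarise how long a policy holds up against exhaustive search at `rate`."""
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "exhaust_days": exhaust_seconds(space, rate) / 86400,
        "average_hours": percentile_seconds(space, 0.5, rate) / 3600,
        "one_in_ten_minutes": percentile_seconds(space, 0.1, rate) / 60,
    }


if __name__ == "__main__":
    # Assumed alphabets: 95 = upper + lower + digits + symbols; 69 = one case + digits + symbols.
    for label, alphabet in (("upper+lower+digits+symbols", 95), ("one case+digits+symbols", 69)):
        r = policy_report(alphabet, 8)
        print(f"{label}, 8 chars: {r['keyspace']:.3e} candidates, exhausted in "
              f"{r['exhaust_days']:.2f} days, average {r['average_hours']:.1f} h, "
              f"1 in 10 found within {r['one_in_ten_minutes']:.0f} min")
    # The post's equivalence: 100k words x 220k rules per second at this rate.
    print(f"100,000 words x 220,000 rules: {dictionary_seconds(100_000, 220_000):.1f} s")
```

Running it gives about 3.5 days for the full 95-symbol space and about 6.5 hours for the 69-symbol space (average 3.2 hours, one in ten within roughly 39 minutes), matching the post; changing `length` to 10 or 12 shows how much more margin each extra character buys than an extra character class does.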
October 8, 2012 at 9:56 am
WayneS (10/6/2012)
Hi Phil, I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?
Personally I use crossword word-list sites.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
October 8, 2012 at 10:40 am
WayneS (10/6/2012)
Hi Phil, I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?
1) Be careful looking -
1a) Never download anything except a text file or a compressed file
2b) Virus scan everything first
2c1) Download using a LiveCD without a hard drive
2c2) Download using a LiveCD with a hard drive unmounted
2c2.5) Download using a disposable installation (install, download, wipe with DBan or another DOD wiper) - credit to GSquared
2c3) Download using a VM
2c4) Only go to known reasonable sites
2) Public domain dictionaries (1913 Webster edition, etc.) are available.
3) Name lists are available from the U.S. Census .gov site http://www.census.gov/genealogy/www/data/1990surnames/names_files.html
4) As Gail said, crossword lists
4a) English Open Word List
4b) UK Advanced Cryptics Dictionary (UKACD)
5) Linux distribution wordlists - watch for copyright and licensing, not all are licensed under GPL
5a) dictionary-common wordlists
5b) aspell wordlists (the U.S. one is under copyright, so find and read the license first)
5b1) Shell script: aspell -l $1 dump master | aspell -l $1 expand | tr ' ' '\n' >$1.txt
5b1i) replace $1 with the language you want to get.
6) Known cracking wordlists from reputable sources (usually cracking competition teams or security vendors)
6a) Go to any of these at YOUR OWN RISK - see 2b and 2c1.
6b) Skullsecurity
6c) Openwall
6d) Korelogic
6e) Facebook breach list
6f) phpbb breach list (very small, very good for the size)
7) Your own additions for whatever industry and company you're in or deal with, or people involved. People _love_ to have company information, personal information, etc. in their passwords, from names to cars to kids.
7a) Be clever, think up some way of using the company name that's just so clever. Try it. Repeat until you crack at least one password.
7a1) If you've got more than 50 ordinary human-generated passwords and you haven't cracked one in at least 50 tries, get someone else to try generating words and case variations. Someone more normal :).
8) Use a tally table to generate lists of dates in various formats, the last 100 and next 50 years, etc. to add to words if you really insist on using PWDCOMPARE instead of a rules based cracker; Jennifer2007 is not as uncommon a password for people with 5 year old daughters as you might think.
October 8, 2012 at 11:00 am
Nadrek, please add to your list, "Download using a disposable machine".
I have an older desktop PC that still works. I flash (image) the drive after a clean installation of the OS and patches. Keep the image on removable media and remove the media before actually using the machine. Then I can go to all the hacker sites in the world, get the data I need, clean up the data (ASCII .txt files are pretty darn safe, after all), burn the txt files to CD cleanly, and then wipe the system and reload from the (clean) image.
It's easier and faster than you might think to do that kind of thing.
It's really easy to tell if a CD ended up with any data on it other than the txt files you wanted. And if you have auto-play turned off, it can't execute any code you don't tell it to.
This is better than using a VM for this kind of thing. Some malware can put a rootkit below the hypervisor level and thus infect the host machine instead of just the VM.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
October 8, 2012 at 11:07 am
GSquared (10/8/2012)
Nadrek, please add to your list, "Download using a disposable machine".
Hmm... I'll rate that one just below the two LiveCD ones, both of which should be considerably easier than building a machine (unless you do it once and just keep restoring the image to it).
It is, however, an excellent idea, and doubly so if you want to stick with Windows. Just make sure you've got your AV installed with relatively recent updates prior to plugging in the network cable for the first time.
October 8, 2012 at 1:47 pm
Nadrek (10/8/2012)
GSquared (10/8/2012)
Nadrek, please add to your list, "Download using a disposable machine".
Hmm... I'll rate that one just below the two LiveCD ones, both of which should be considerably easier than building a machine (unless you do it once and just keep restoring the image to it).
It is, however, an excellent idea, and doubly so if you want to stick with Windows. Just make sure you've got your AV installed with relatively recent updates prior to plugging in the network cable for the first time.
Exactly.
Not necessary with *nix machines, really. But with Windows, if you need that for whatever reason, it's easy enough.
The whole point is build-once-restore-many.
As for AV on it, it depends on what you want to research. If you're researching virus/malware/rootkit code, then not having AV on it can be part of the point. Restore from image, surf some suspected (or known) to be malicious sites, without deliberately installing/modifying anything, then compare the current state of the O/S and disk with the image state. With the right tools, you can find just about anything that way, no matter how cleverly hidden.
For this passwords-from-malicious-sites-thing, AV is probably not a bad idea. But I operate on the assumption that it's got malware on it as soon as I start using it, regardless of whether AV says so or not, and re-flash from the image at the right point, anyway. So AV isn't really necessary at that point. Don't care if I prevent, because I'm going to cure regardless.
Another concern, of course is BIOS worms. Make sure on your system flash that you don't just do the disks, but also the BIOS. Booting from WORM media (CD/DVD/etc.) won't protect you from BIOS worms, and new ones can frequently bypass AV systems (till they get signatured), so be careful about that if you use that solution.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
October 8, 2012 at 2:54 pm
Hi Phil,
I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?
I started out with a list of every word in the English language. There are several of these around. You probably won't find these used if you have a policy in place, but if you do the usual @ and 0 substitutions as well, then a lot crawls out. I add words from books on the Gutenberg project. Capitals should be random in a good password, but they usually aren't, so a simple doubling of the list with a capital for the first letter. Then, every time there is a release of passwords from one of the security experts as ASCII files, I update the list to include them. (there are surprisingly few extra strings from this). I never never get the passwords from the hackers, only second-hand from the security experts, and then as plain ASCII.
My only purpose is to check that the passwords are reasonable. I 'm not a security expert and so I don't hack into machines. You only need to google a bit to see that the unsalted hashes are very easily decoded, and there are plenty of utilities that claim to be able to read the more recent salted hashes. I haven't tried one, but I bought a utility a while back when I locked myself out of a SQL Server entirely (long story) and it let me in in a moment by allowing me to change the passwords in windows and SQL Server!
Best wishes,
Phil Factor
October 9, 2012 at 9:35 am
Phil Factor (10/8/2012)
I started out with a list of every word in the English language. There are several of these around. You probably won't find these used if you have a policy in place, but if you do the usual @ and 0 substitutions as well, then a lot crawls out. I add words from books on the Gutenberg project. Capitals should be random in a good password, but they usually aren't, so a simple doubling of the list with a capital for the first letter.
Some SQL code that generates some permutations (1337 speak translations included; other rules are cheated around by this being designed to test plaintext passwords for how bad they are in advance). Note that this SQL code can be used to generate at least some options for PWDCompare to use, in a primitive, hardcoded form of the rules files that John the Ripper, Hashcat, PasswordPro, and other professional CPU and/or GPU hash cracking software uses. Thus you keep your actual list small, while you crack large numbers of passwords.
This approach, of course, quickly grows time-consuming on a computer level... which is why you switch over to a GPU level (Even a $50 or $100 card, much less a set of 8 $400 cards), and increase speeds by many orders of magnitude, at which time this approach leaves you needing longer wordlists and more and more rules in order to get a weekend run to actually take the whole weekend on real hardware, or an overnight run to take all night.
I have large multigigabyte wordlists and small word lists. Suggested starting points, if you don't just want to use the .rule files from hashcat or similar:
1) Add all numbers from 1 to 9999 to the end of each password - 4 digits gets years automatically.
2) Add all dates from the past 300 to next 100 years in the most common formats with various separators
3) Full 1337 speak translations in various dialects
3a) Partial 1337 speak translations - permutation based, so it does get big fast on long words.
4) Add fully random nonsense to the beginning and/or end.
5) Combination passwords from smaller dictionaries - i.e. envelopingadvertisers and its closest derivatives, Envelopingadvertisers, envelopingAdvertisers, EnvelopingAdvertisers, and so on with no space, a space, a comma, a dash, and if you want to get scientific about it, brute-force all combinations from length 0-2 for the separator. For a two word list, you could easily also try 3 character random separators.
5a) triple and quadruple combination passwords from small and very small dictionaries. For instance, "correct horse battery staple" has only length 7 or less words. If I look at a normal British wordlist's 7 character and less words, I see about 19,000 words. 19000^4 (four words, only one way of separating) comes out to, at current cracking speeds on a single top grade consumer cracking machine, about two months. 19000^3 (three word passwords), of course, is 19000 times smaller, and takes only five minutes to check, so we can easily apply a set of 64 rules and still check it in about five hours, or use cheaper hardware and check the 64 rule list in only a few days (say, over a weekend). Note that if we filter for 6 character and less words we find only 12000 words left, many of them not commonly used.
6) Combinations of the above.
Note that pegging a desktop/[gaming] laptop/dedicated PW audit server's CPU and/or GPU to 100% for days or weeks on end is nowhere near as problematic as doing so to a production SQL Server :).
P.S. Phil, note that utilities to "let you back in" generally operate by finding the location of the password hash and related information on disk and changing whatever was there to a known or newly generated value; they don't actually figure out the old plaintext password.