Nmap Development mailing list archives

Re: smb-brute: Case sensitive passwords


From: Fyodor <fyodor () insecure org>
Date: Sat, 7 Feb 2009 13:48:47 -0800

On Sat, Feb 07, 2009 at 12:50:34PM -0600, Ron wrote:
> Hey,
>
> I just committed a change to how passwords are checked in the
> smb-brute.nse script (in my experimental branch). I now start with using
> Lanman, which is case insensitive. Then I bruteforce the case, starting
> with one uppercase character, then two, etc. I also put the
> all-uppercase version second, since I'm going to guess it's more common.
> So for "test", it'd do this:
>
> test
> TEST
> Test
> tEst
> teSt
> tesT
> TEst
> TeSt
> TesT
> tESt
> tEsT
> teST
> TESt
> TEsT
> TeST
> tEST

Hi Ron.  I'm quite excited about the new SMB functionality in general!
I am speaking at CanSecWest next month and I'm trying to think of good
ways to use one or more of the smb scripts to demonstrate the power of
the scripts themselves, and of NSE in particular.

I haven't thought about it enough, but one idea might be to
demonstrate the way the scripts can chain together.  I could have a
VM running Windows and show how the accounts can be determined by one
method (or guessed), then the passwords brute forced, then other
scripts take over and determine detailed information about the system.

For the rest of my email, I think I misunderstood your message.  I
responded with the thought that you were going to try every
capitalization combination of every unpw library password in sequence.
But now I think I understand that you are verifying using
case-insensitive Lanman that a password has the right letters, and
then using case-sensitive NTLM to determine the exact case.  I think
that is a great idea!

I'll include the rest of my email, even though I think much of it is
based on my misunderstanding.  As some of the ideas/data might still
be useful for unpw.

On the subject of capitalization, perhaps this capitalization brute
force should be an option people have to specify.  Or at least it
should only happen after all as-is passwords have been gone through.
Then it should probably go through all of them with just the first
letter capitalized before continuing on to try other capitalization
schemes.  As you noted, there are only a small number of relatively
likely capitalizations.  Take a look at a password cracker such as
John the Ripper for a good idea of the sort of permutations which are
most valuable.  Solar Designer based many of his decisions there on
real-world testing.

Many people here probably saw the unfortunate phpbb hack a few days
ago, where an attacker compromised their databases and posted a list
of 28,635 user passwords and more than 100 megabytes of database
dumps.  Now those passwords are particularly lame, but the
capitalization stats are dramatic:

All lower-case passwords: 28,290 (98.8%)
One or more capital letters: 345 (1.2%)

Even with a four letter example such as "test", the capitalization
brute force makes the cracking take 16 times as long.  On an average
password file, it probably takes at least 64 times as long.  That's a
bitter pill if we're only gaining 1.2%.

Also, it might be better to offer these sorts of permutations in unpw
rather than the smb brute force script itself.  They are just as
applicable to the other brute forcers.

As a first order of business, I'll bet that improving our password
list by mixing in more data (including, perhaps, the PHP list) would
be much more effective than brute forcing every capitalization of the
existing words.  Though I do agree that having the capitalization
brute force option is good to have for when people want an intensive
check.  I think the key is to timebox (as you mentioned) based on how
long the user is likely to want to grind the service, and try the most
likely password candidates first.

> One option, if this becomes an issue, is to timebox it, make sure that
> no crack takes longer than, say, 10 seconds. At 10 seconds (or
> whatever), give up and move onto the next account. I dislike that idea,
> though.

I actually think it is promising.  Sometimes people just want to do a
quick sweep for obvious passwords since they are in a hurry.  In other
cases they have more time and are willing to spend days trying to
crack an account.

> The only real issue is that this script won't find passwords if a server
> is set to NTLM-only, or if somebody uses a password greater than 14
> characters. But I don't think either of those is common enough to
> matter.

Does Vista still allow Lanman by default?  Is there a way to detect
whether a server is set to NTLM-only before doing the grinding?

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
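The two-phase approach discussed in this thread (case-insensitive Lanman to confirm the letters of a password, then case-sensitive NTLM to pin down the exact case, trying the most likely capitalizations first), as an added offline example. This is not code from Nmap or from Ron's smb-brute.nse; it generalizes the "test" listing above to any word, and models the two failure modes Ron names (an NTLM-only server, and a password over 14 characters) plus the per-account timebox he mentions. `SimulatedTarget`, `case_candidates`, `guess_password` and the attempt budget are assumptions made here for illustration; no SMB traffic, DES or MD4 is involved.

```python
"""
Added example, not Nmap or smb-brute.nse code: LM confirms the letters of a
password case-insensitively, then NTLM brute-forces the case, most likely
capitalizations first.  SimulatedTarget stands in for a real SMB server and
is an assumption of this example, as is the ntlm_budget "timebox".
"""
from itertools import combinations

# An LM hash covers at most 14 characters; this model assumes a longer
# password has no LM hash stored at all, so LM authentication never matches.
LM_MAX_LEN = 14


def case_candidates(word):
    """Yield every capitalization of `word` in the order Ron's message lists:
    all lower-case first, all upper-case second, then one upper-case letter,
    then two, and so on (positions in lexicographic order).  Only ASCII
    letters are toggled, so 'pa55' gives 4 variants rather than 2**4."""
    base = list(word.lower())
    letters = [i for i, c in enumerate(base) if c.isascii() and c.isalpha()]
    yield "".join(base)
    if not letters:
        return
    letter_set = set(letters)
    yield "".join(c.upper() if i in letter_set else c for i, c in enumerate(base))
    # k == len(letters) is the all-upper-case variant already yielded above.
    for k in range(1, len(letters)):
        for combo in combinations(letters, k):
            yield "".join(c.upper() if i in combo else c for i, c in enumerate(base))


class SimulatedTarget:
    """Stand-in for an SMB server (constructed for this example).  An LM
    attempt succeeds when the upper-cased, 14-character-truncated candidate
    matches the real password treated the same way; an NTLM attempt succeeds
    only on an exact match.  ntlm_only=True rejects every LM attempt."""

    def __init__(self, password, ntlm_only=False):
        self._password = password
        self.ntlm_only = ntlm_only
        self.attempts = 0  # every LM or NTLM try counts as one network round

    def try_lm(self, candidate):
        self.attempts += 1
        if self.ntlm_only or len(self._password) > LM_MAX_LEN:
            return False
        return candidate.upper()[:LM_MAX_LEN] == self._password.upper()

    def try_ntlm(self, candidate):
        self.attempts += 1
        return candidate == self._password


def guess_password(target, wordlist, ntlm_budget=None):
    """Phase 1: one LM attempt per word finds the right letters regardless of
    case.  Phase 2: NTLM attempts over the case variants pin down the exact
    password.  ntlm_budget caps phase-2 attempts per word (the timebox);
    None means unlimited.  Returns the password, or None if not found."""
    for word in wordlist:
        if not target.try_lm(word):
            continue
        for n, candidate in enumerate(case_candidates(word), start=1):
            if ntlm_budget is not None and n > ntlm_budget:
                break  # timebox exhausted: give up on this word, move on
            if target.try_ntlm(candidate):
                return candidate
    return None


if __name__ == "__main__":
    wordlist = ["password", "letmein", "test"]  # constructed sample list
    scenarios = [
        ("tEst", False, None),              # LM hits on 'test', case search succeeds
        ("TESt", False, 3),                 # timebox of 3 NTLM tries gives up early
        ("test", True, None),               # NTLM-only server: LM never matches
        ("testtesttesttest", False, None),  # 16 chars: no LM hash to match against
    ]
    for real, ntlm_only, budget in scenarios:
        t = SimulatedTarget(real, ntlm_only)
        found = guess_password(t, wordlist, budget)
        print(f"real={real!r:20} ntlm_only={ntlm_only!s:5} budget={budget!s:4} "
              f"-> {found!r} after {t.attempts} attempts")
```

The ordering matters for the cost argument in Fyodor's reply: a word with n letters has 2**n capitalizations, so phase 2 is only affordable because the LM check has already narrowed the search to one word, and the budget lets a scan stop early on accounts whose owners did something unusual with case.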

