Monday, February 14, 2011

SSLSmart v1.0 Released

Back in 2009, I went to a local OWASP chapter meeting and presented the SSL cipher enumeration script that I was using to enumerate SSL ciphers for my assessments. Feedback was good, but soon other things piled up and the script got buried. Later I realized the need to evolve the concept into an open-source, cross-platform free tool, and named it SSLSmart.

SSLSmart was released last month and the tool can be downloaded from here (Packetstorm). If you would like to look at the whitepaper before downloading the entire zip file, you can obtain it from here (Packetstorm).

Here is what a sample SSLSmart run looks like:

Sunday, February 13, 2011

Rootkit.com Password Analysis

rootkit.com succumbed to a social engineering attack, and more than 42,000 of its users' passwords were made available on the internet in the clear (here). John the Ripper was used to recover the passwords. Out of curiosity, I analyzed certain aspects of the passwords. The results of that analysis are shared below:

Password Lengths: The shortest password in the list was 1 character long and the longest was 20 characters. A whopping 38.74% of passwords were 6 characters in length. Here is the distribution of password lengths:

Length Occurrences Percentage
1 16 0.04%
2 20 0.05%
3 270 0.64%
4 1444 3.41%
5 2646 6.24%
6 16424 38.76%
7 8258 19.49%
8 9786 23.09%
9 2029 4.79%
10 971 2.29%
11 250 0.59%
12 157 0.37%
13 62 0.15%
14 23 0.05%
15 8 0.02%
16 3 0.01%
17 1 0.00%
18 0 0.00%
19 2 0.00%
20 4 0.01%

Password Entropy:
Entropy of the cracked passwords was calculated using the entropy function of Eric Monti's rbkb, which performs a chi-square calculation. Clearly, the higher the entropy, the lower the chance that your password will be guessed or cracked. Having said that, how easy is it to remember and key in passwords that are extremely random and more than 16 characters in length?

Entropy Count
0 to <1 1620
1 to <2 7388
2 to <3 32071
3 to <4 1292
4 to <5 3
5 to <6 0
6 to <7 0

Cracked Passwords with Highest Entropy:
Certain cracked passwords had entropy in excess of 4 bits. The table below lists the cracked passwords with the highest entropy. A good dictionary allowed JTR to crack most of these passwords.

# Entropy Password
1 4.321928095 q1w2e3r4t5y6u7i8o9p0
2 4.321928095 1234567890qwertyuiop
3 4.321928095 1q2w3e4r5t6y7u8i9o0p
4 4 1234qwerasdfzxcv
5 3.807354922 abcdefg1234567
6 3.700439718 qwertyuiop123
7 3.700439718 superman12345
8 3.700439718 1qazxcvbnm,./
9 3.664497779 kingoftheworld
10 3.664497779 qwertyuiop[]\\
11 3.584962501 !@#$%^&*()_+
12 3.584962501 fucktheworld
13 3.584962501 1q2w3e!Q@W#E
14 3.584962501 qazxswedcvfr
15 3.584962501 123qweasdzxc
16 3.584962501 1qazxsw23edc
17 3.584962501 q1w2e3r4t5y6
18 3.584962501 asdfghjkl;\'
19 3.584962501 qwerty123456
20 3.584962501 4rfv5tgb6yhn
21 3.584962501 qwe123rty456
22 3.584962501 1qaz2wsx3edc
23 3.584962501 1a2b3c4d5e6f
24 3.584962501 123456qwerty
25 3.584962501 1q2w3e4r5t6y

Password Distribution:
Finally, I looked at password distribution. An overwhelming 51% of cracked passwords were lowercase only; this was followed by only numeric passwords at close to 24%. Passwords using uppercase alphabets along with numerals were the least common.

Password Type Percentage Share
Only Lowercase 51.81
Lowercase AND Numerals 23.92
Only Numeric 19.9
Alphabets (Uppercase AND Lowercase) 1.32
Alphanumeric 1.25
Passwords With Special Characters 1.11
Only Uppercase 0.45
Uppercase AND Numerals 0.24
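To make the post's measurements reproducible, here is an added Ruby example (my own code, not the post's script and not rbkb) that recomputes per-character entropy, the entropy buckets, the length histogram and the character-class shares on a constructed sample. It assumes the entropy figures are per-character Shannon entropy, since log2(20) = 4.3219 and log2(12) = 3.585 match the table exactly, and that the type categories are mutually exclusive, as the percentages summing to 100 suggest.

```ruby
# Added example, not the post's or rbkb's code; see the lead-in for assumptions.

# Shannon entropy of a string in bits per character: -sum(p_c * log2(p_c)).
# A string of n distinct characters scores log2(n); this reproduces the post's
# figures, e.g. log2(20) = 4.3219 for "q1w2e3r4t5y6u7i8o9p0".
# (Assumption: this is what rbkb's entropy method computes.)
def entropy(str)
  return 0.0 if str.empty?
  counts = Hash.new(0)
  str.each_char { |c| counts[c] += 1 }
  n = str.length.to_f
  counts.values.sum { |k| p = k / n; -p * Math.log2(p) }
end

# Bucket passwords by whole-bit entropy ("0 to <1", "1 to <2", ...) and count.
def entropy_buckets(passwords)
  passwords.group_by { |pw| entropy(pw).floor }.transform_values(&:size).sort.to_h
end

# Count how many passwords have each length.
def length_histogram(passwords)
  passwords.group_by(&:length).transform_values(&:size).sort.to_h
end

# Assign a password to one of the post's mutually exclusive categories.
# Assumption: any non-alphanumeric character puts it in the "special" class,
# and "Alphanumeric" means upper + lower + digits together.
def classify(pw)
  raise ArgumentError, "empty password" if pw.empty?
  lower = pw.match?(/[a-z]/)
  upper = pw.match?(/[A-Z]/)
  digit = pw.match?(/[0-9]/)
  return "Passwords With Special Characters" if pw.match?(/[^a-zA-Z0-9]/)
  return "Only Lowercase" if lower && !upper && !digit
  return "Only Uppercase" if upper && !lower && !digit
  return "Only Numeric" if digit && !lower && !upper
  return "Lowercase AND Numerals" if lower && digit && !upper
  return "Uppercase AND Numerals" if upper && digit && !lower
  return "Alphabets (Uppercase AND Lowercase)" if lower && upper && !digit
  "Alphanumeric"
end

# Percentage share of each category, as in the post's last table.
def type_share(passwords)
  counts = passwords.group_by { |pw| classify(pw) }.transform_values(&:size)
  counts.transform_values { |c| (100.0 * c / passwords.size).round(2) }
end

# Constructed sample (not rootkit.com data); the first two appear in the post's table.
SAMPLE = ['q1w2e3r4t5y6u7i8o9p0', 'kingoftheworld', 'password', '123456',
          'Password1', 'ABCDEF', 'abc123', 'ABC123', '!@#$%^&*()_+'].freeze
```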