Have you ever during a penetration test collected a list of values that look very much like hashes, and thought "I could maybe start cracking those, if I only knew what algorithm was used to calculate those hash values".

I had exactly this happen recently.  In the past I've found any one of the dozens of lists of hash outputs on the net to be handy - Hashcat for instance has a pretty complete list posted ( http://hashcat.net/wiki/doku.php?id=example_hashes ).  But this time I donned my googles and found the handy Hash Identifier python script at https://code.google.com/p/hash-identifier/ .  This tool really saves a lot of work - these days my eyes are too old and my fingers are too big to be counting tiny characters in a hash string with any accuracy.

Hash_ID.py does a nice job of the more common hashes.  Of course, if someone has the bad judgement to hash the output of one algorithm with another one (this is a really BAD idea if you are trying to prevent collisions), an identification utility like this will only identify the last hash algorithm used.
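To show what a tool like this is actually doing, here is an added example (my own sketch, not Hash_ID.py or anything from the diary) of the prefix, length and charset heuristic, with a nested md5(sha1()) value demonstrating why only the outer algorithm is recognised. The candidate table and the sample dump are constructed for illustration.

```python
import hashlib
import re

# Simplified length/charset table in the spirit of Hash_ID.py (constructed here, not the tool's
# own data). Several algorithms share an output length, so the result is a list of candidates.
HEX_CANDIDATES = {
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512", "Whirlpool"],
}

# Formats with a recognisable prefix are unambiguous and are checked first.
PREFIXED = [
    (re.compile(r"\*[0-9A-Fa-f]{40}$"), "MySQL 4.1+ (SHA1(SHA1(pw)))"),
    (re.compile(r"\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), "MD5-crypt"),
    (re.compile(r"\$2[abxy]?\$\d\d\$[./0-9A-Za-z]{53}$"), "bcrypt"),
]

def identify(value):
    """Return candidate algorithm names for one hash string, by prefix, then length and charset."""
    v = value.strip()
    for pattern, name in PREFIXED:
        if pattern.match(v):
            return [name]
    if re.fullmatch(r"[0-9A-Fa-f]+", v):
        return HEX_CANDIDATES.get(len(v), ["unknown %d-char hex digest" % len(v)])
    return ["unknown"]

def nested_hash(password):
    """SHA-1, then MD5 over the hex string: the outer digest is indistinguishable from a plain MD5."""
    inner = hashlib.sha1(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

if __name__ == "__main__":
    # Constructed sample dump: plain MD5, SHA-256, a bcrypt-shaped dummy string, and a nested md5(sha1()).
    dump = [
        hashlib.md5(b"Summer2013").hexdigest(),
        hashlib.sha256(b"Summer2013").hexdigest(),
        "$2a$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
        nested_hash("Summer2013"),
    ]
    for h in dump:
        print(h, "->", ", ".join(identify(h)))
```

The nested value comes back as an MD5 candidate just like the plain one, which is the limitation the paragraph above describes.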

Did it work for me?  Yes, yes it did!  It nicely identified the hash algorithms used.  With the hashes and the algorithm, I was able to dump the list into OCLHashcat on a VM I've got for this (described here https://isc.sans.edu/forums/diary/Building+Your+Own+GPU+Enabled+Private+Cloud/16505).  And the values did indeed give me a list of passwords, which I was then able to use against several different systems.

The finding of course in this situation was NOT "Nyah Nyah, I got in!", that's NEVER the finding.  What goes in the report is (in a tactful way) "Application XYZ is using a simple unsalted hash algorithm to protect passwords", along with an English-language explanation of why exactly this is a bad idea, worded so that the manager of the coder who owns the XYZ application will understand it.

The end goal of a pentest isn't really to get in.  The goal of a pentest is to explain to your client why fixing security related issues will benefit their business, and to get that explanation in front of the folks who decide which projects get priority.  Breaking in is usually just the most fun way to make your point effectively.

Back to the tool at hand - if you've used a different hash identification utility, let us know using the comment form at the bottom of this page!

Rob VandenBrink

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

High CISO employment rates means shortage for security industry
Infosec management is a seller's market; those who are qualified don't have to look too hard for work. What is good for the individual is not good for industry, however. The downside is that it is tough for enterprises to hire qualified IT security ...

Citrix has started shipping a slimmed-down version of its GoToMeeting online meeting and video conferencing product that had been in beta testing since September.
A surprising thing about Goldman Sachs, one of the globe's most influential investment banks, may be the sheer size of its technology organization. It makes up a major part of its workforce.
OpenJPEG CVE-2013-6045 Multiple Remote Heap Based Buffer Overflow Vulnerabilities
OpenJPEG CVE-2013-1447 Multiple Denial Of Service Vulnerabilities
OpenJPEG CVE-2013-6054 Multiple Remote Heap Based Buffer Overflow Vulnerabilities
OpenJPEG CVE-2013-6052 Multiple Out of Bounds Memory Corruption Vulnerabilities
Microsoft, Mozilla and Opera Software today joined Google in revoking rogue digital certificates that had been issued by a subordinate certificate authority (CA) of France's cybersecurity agency.
Politics collided with technology this year as stories about U.S. government spying stirred angst among U.S. citizens and foreign governments and the flawed HealthCare.gov site got American health-care reform off to a rocky start. Meanwhile, the post-PC era put aging tech giants under pressure to reinvent themselves.
GIMP XWD File Handling Heap Buffer Overflow Vulnerability
Varnish Cache CVE-2013-4484 Remote Denial of Service Vulnerability
GIMP XWD File Handling CVE-2013-1913 Heap-Based Buffer Overflow Vulnerability
Expect to hear a lot about 4K television from Sony at January's International CES show in Las Vegas.
An intermediate certificate authority (CA) registered to the French Ministry of Finance issued rogue certificates for several Google domains without authorization.
American and British spy agencies apparently believe there are real-life terrorists lurking among the elves, gnomes and the trolls of online gaming worlds.

Rekindling concerns about the system millions of websites use to encrypt and authenticate sensitive data, Google caught a French governmental agency spoofing digital certificates for several Google domains.

The secure sockets layer (SSL) credentials were digitally signed by a valid certificate authority, an imprimatur that caused most mainstream browsers to place an HTTPS in front of the addresses and display other logos certifying that the connection was the one authorized by Google. In fact, the certificates were unauthorized duplicates that were issued in violation of rules established by browser manufacturers and certificate authority services.

The certificates were issued by an intermediate certificate authority linked to the Agence nationale de la sécurité des systèmes d’information, the French cyberdefense agency better known as ANSSI. After Google brought the certificates to the attention of agency officials, the officials said the intermediate certificate was used in a commercial device on a private network to inspect encrypted traffic with the knowledge of end users, Google security engineer Adam Langley wrote in a blog post published over the weekend. Google updated its Chrome browser to reject all certificates signed by the intermediate authority and asked other browser makers to do the same. ANSSI later blamed the mistake on human error. It said it had no security consequences for the French administration or the general public, but the agency has revoked the certificate anyway.



Every week seems to bring news of yet another website hacked, user accounts compromised, or personal data stolen or misused. Just recently, many Facebook users were required to change their passwords because of hacks at Adobe, a ...
Mobile devices generated 20% of the world's browsing activity last month, the first time that the surging category reached the 1-in-5 milestone, according to StatCounter, a Web analytics company.
Summary: Samsung launched the 840 EVO mSATA (mini-Serial ATA) Solid State Drive (SSD) line-up, which includes the industry's highest capacity mSATA SSD ultra-thin notebooks.
FFmpeg Prior to 2.1 Multiple Remote Vulnerabilities

I had a chat with another one of the ISC Incident Handlers the other day about inventorying large networks, which is covered in the first two Controls in the SANS "Critical Security Controls" (http://www.sans.org/critical-security-controls).  Paraphrased, these controls boil down to "know what's on your network" and "know what software and services are running on those stations".

This seems like a couple of pretty obvious statements, but it started me thinking about my client base.  For instance, about just how many are still running old print servers that top out at 10Mbps and advertise IPX printer SAPs.  Similarly, I started implementing a standard to isolate ATMs in a banking environment (without changing any IPs), and found a number of switches so old that they didn't support port based ACLs, or Private VLANs or source port filtering.

In short, it's really easy to let sleeping dogs lie (or prevaricate) - it's easy to let that 10 year old (plus) hardware that's been working forever stay on the network until you need a feature that doesn't exist on them.  And if it's easy to let this happen with IT owned gear that you know about, how about stuff that's NOT owned by IT?  Stuff like cameras, projectors and video conferencing units?  Or how about even more removed from IT - gear like elevator controls and HVAC systems?  Time clocks or PLCs?   Or, just to up the ante, medical devices that are network attached in a hospital or other health-care setting?

And that's just the hardware.  If you are inventorying your corporate stations' software, you're most likely using the OS's "list applications" commands or API calls to do this, whether in your own scripts or wrapped into a commercial product.  

For Windows, you might use commands like:

wmic product list /format:csv > applist_for_database_import.csv
wmic product list brief /format:htable > %COMPUTERNAME%_applist.html

In Linux, depending on the distro you might use one of these:

rpm -qa
yum list installed
dpkg --get-selections

However, these commands and other active scanning methods won't help you in a lot of cases - situations like:

  • Stations not owned by IT, so you likely don't have credentials
  • Embedded devices, which might not have a CLI
  • Other embedded devices, which might not be owned by IT (back to no credentials again)
  • Stations that you don't know exist
  • Stations on networks you don't know about
  • Access points that your users might have hidden under their desks
  • Applications like Java, where you might be up to date in C:\Program Files (x86)\Java, but you might have an oldy-moldy Java install that came bundled with an app 4 or 5 years ago, buried 6 levels deep in some other application directory
  • Or utility type applications, stuff like Putty (when was the last time you updated your copy of putty?), or applets like the GNUtils that got downloaded once 6 or 7 years ago, then copied from laptop to laptop so that all your scripts work? 
  • Any application that didn't install using the OS native install (msi in windows, rpm, apt-get or yum in Linux)

So, what should you do to find these incognito stations and camouflaged applications?  For many of my clients, we look for evidence of these situations in the network traffic that they create, just the same way we often find Indicators of Compromise in malware or attack situations.

Several tools will help you in finding, fingerprinting and identifying versions of apps like this.  The "granddaddy" of these "passive scanner" applications is p0f.  Downloadable from http://lcamtuf.coredump.cx/p0f3/, it's been around for over 10 years, is still actively developed and is still free.  If you have a budget and are looking for a commercial alternative,  PVS from Tenable might also fit the bill - either instead of or in conjunction with p0f.  Info on PVS can be found here: http://www.tenable.com/products/passive-vulnerability-scanner, it's available for free for up to 16 nodes, or you can get an "eval-ware" version for larger networks.

So, with good tools in hand and pure intentions in your heart, how to proceed?  You'll need to find a spot on your network to capture traffic of interest - the obvious place to put your sensor station is a SPAN port mirroring the inside interface of your firewall.  However, this won't see the traffic that would identify internal-only stations like internal-use database servers, print servers and the like.  For these, you'll want a SPAN port capturing an entire internal VLAN, or perhaps capturing traffic from internal router ports.  It's best to take some time and apply some business process knowledge to place your station well, or in many cases several stations.
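To make the passive approach concrete, here is an added example (my own sketch, not p0f or PVS code) of the TTL, window size and TCP option matching a passive sensor performs on captured SYNs, aggregated into an inventory that flags hosts missing from the asset list or running unsupported systems, which is exactly what catches the blind spots listed above. The signature table, host records and asset list are constructed and deliberately simplified.

```python
from collections import namedtuple

# One observed flow as a SPAN-port sensor records it (constructed records, not p0f output):
# the SYN features p0f-style tools key on, plus any plaintext banner seen later in the flow.
Flow = namedtuple("Flow", "src ttl window options banner")

# Constructed, simplified signatures (initial TTL, window, option order) -> label; real p0f ones carry far more detail.
SIGNATURES = [
    ((32, 8192, ("MSS",)), "Windows 95/98 (unsupported)"),
    ((128, 8192, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")), "Windows 7"),
    ((64, 5840, ("MSS", "SACK", "TS", "NOP", "WS")), "Linux 2.6"),
]

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common starting value; routers only decrement it."""
    return next((start for start in (32, 64, 128, 255) if observed <= start), 255)

def fingerprint(flow):
    """Match SYN features against the table; unmatched shapes are still reported, not dropped."""
    ttl = initial_ttl(flow.ttl)
    for (sig_ttl, win, opts), label in SIGNATURES:
        if (ttl, flow.window, tuple(flow.options)) == (sig_ttl, win, opts):
            return label
    return "unknown (ttl %d, win %d)" % (ttl, flow.window)

def inventory(flows, known_assets):
    """Per source host: OS guess, banners seen, and whether the asset list knows about it."""
    report = {}
    for f in flows:
        host = report.setdefault(f.src, {"os": fingerprint(f), "banners": set(),
                                         "in_inventory": f.src in known_assets})
        if f.banner:
            host["banners"].add(f.banner)
    return report

def findings(report):
    """Hosts that earn a line in the report: unknown to the asset list, or on an unsupported OS."""
    return sorted(src for src, h in report.items()
                  if not h["in_inventory"] or h["os"].endswith("(unsupported)"))

# Constructed sample: a forgotten plant-floor PC, a managed desktop, a Linux server and a router.
OBSERVED = [
    Flow("10.20.30.5", 30, 8192, ("MSS",), None),
    Flow("10.20.1.10", 126, 8192, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK"), None),
    Flow("10.20.1.20", 61, 5840, ("MSS", "SACK", "TS", "NOP", "WS"), "SSH-2.0-OpenSSH_5.3"),
    Flow("10.20.0.1", 254, 4128, ("MSS",), None),
]
KNOWN_ASSETS = {"10.20.1.10", "10.20.1.20", "10.20.0.1"}
```

Running `findings(inventory(OBSERVED, KNOWN_ASSETS))` returns only the plant-floor PC: it is absent from the asset list and its SYN shape matches the unsupported Windows 95/98 signature, while the router shows up in the inventory as an unknown shape rather than being silently dropped.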

There are lots of other pointers on using "fingerprint" applications - the SANS Reading Room at http://www.sans.org/reading-room is a great place to start, or the SANS Security Resources pages here http://www.sans.org/security-resources/idfaq/p0f.php.

In my most recent deployment of p0f, we found unpatched Win95 stations running a pharmaceutical assembly line.  Stations that were put in by the industrial controls vendor back in the mid-90's, buried inside the cabinets with the PLCs and so on, then just plugged into the network so the plant engineers could get to them.  Nobody left in the organization had any idea these stations were there; the plant engineers who used them knew the interfaces, but not what was behind them.  And of course these stations were just about as business critical as you could find - SCADA systems in all but name.

What tools have you used for passive discovery?  Use our comment form and let us know where you've placed passive sensors in your network and, most importantly, what are the most interesting things you've found?

Rob VandenBrink

Microsoft sold out the Dell Venue 8 Pro tablet within minutes of kicking off an online discount Monday morning.
Qualcomm Monday announced the availability of a far-reaching proximity technology similar to what's already been deployed by Apple and other retailers to reach out to customers at store locations.
LinuxSecurity.com: GIMP could be made to crash or run programs as your login if it opened a specially crafted file.
LinuxSecurity.com: Two security issues were found in Samba, a SMB/CIFS file, print, and login server: CVE-2013-4408 [More...]
LinuxSecurity.com: Multiple vulnerabilities have been found in OpenEXR, allowing remote attackers to execute arbitrary code or cause a Denial of Service condition.
LinuxSecurity.com: A vulnerability in Festival could result in arbitrary code execution, and privilege escalation.
LinuxSecurity.com: Several vulnerabilities have been discovered in the chromium web browser. CVE-2013-6634 [More...]
LinuxSecurity.com: Several security issues were fixed in the kernel.
LinuxSecurity.com: Several security issues were fixed in the kernel.
Apache Solr 'SolrResourceLoader' Directory Traversal Vulnerability
Facebook users spent much of 2013 talking about the new pope, elections around the world and, of course, relationships.
Opencart Multiple Vulnerabilities
Microsoft Internet Explorer Sandbox Security Bypass Vulnerability
Print n Share v5.5 iOS - Multiple Web Vulnerabilities
LiveZilla Reflected XSS in translations
[SECURITY] [DSA 2811-1] chromium-browser security update
Most people believe tech innovation holds the best promise for curing fatal diseases and are confident they could administer their own tests, according to a new multinational survey.
After a decent start earlier this year, IT hiring is slowing down.
Eight top tech companies in the U.S. have asked governments around the world to reform surveillance laws and practices, and asked the U.S. to take the lead.
Verizon has signed an agreement to acquire EdgeCast Networks, in an effort to enhance its video delivery and Web services capabilities.
Healthcare is broken. No one disputes that. No one lacks perspective on how to fix it, either. The challenge, though, is disrupting a system that makes more money treating sickness than it does preventing it. Technology and innovation can play a part, but so can flipping the entire care model on its head.
Mobile device management tools make sense when you are trying to control who can access your enterprise network and applications from particular phones and tablets. But to effectively evaluate these products, you should first identify what you're trying to control: the apps on particular devices, the pairing of a user with his device, the device itself, or the files on each device.