January 22, 2005 (general)

Submission and progress

Finally i've gotten access to this space again.

I'm glad to announce that I have in fact finished and submitted my thesis. This happened way back in November, and I have only just this week discovered that I received an 84%, with some minor changes before getting it printed and submitted for storage (as a book) at uni.

Since my last post i have in fact finished my thesis and all accompanying university work and have just recently started a new computer & information security job for a subsidiary of riotinto.

Anyway - I guess this is it for this sub-domain .. I hope everyone else's studies continue to progress and expand.

Posted by xntrik at 11:53 PM

August 13, 2004 (general)

Submitted Conference Papers

Last night i submitted two papers to be reviewed for the 2nd Australian Computer, Network & Information Forensics Conference 2004.

The first paper i submitted was based on an analysis of the integrity of digital forensic images acquired from Palm OS PDA devices, when acquired by PDD. The technical, experimental notes from this paper are what i've been writing up over here (Day 1 Day 2 Day 3 Day 4)

The second paper was one that i had written last semester for a unit - mostly based on the analysis and reports of my pilot tests on John the Ripper on the x86 Beowulf, Igneous. (Links: pilot experiments on clustered password cracking, pilot experiment results)

Also, on the same day, finally got my printouts of my proposal out so they could be formally submitted - which is great!

Anyway, need to go to work for a bit.

Posted by xntrik at 08:49 AM

July 28, 2004 (research)

pilot experiment results

after finishing my initial pilot test (read: Pilot Experiments on Clustered Password Cracking) i compiled a report/assignment/paper for my supervisor, beneath is a copy of the report from the method until the end..

Posted by xntrik at 02:57 PM

June 09, 2004 (general)

Real Passwords

Forgot to mention this earlier, but I might get the opportunity to run my tests on some live password files (Windows SAM Files). My supervisor notified me of this a couple of weeks back, naturally the first question that came into my head was that of ethics clearance - but the assurance goes that because it's the University's property, and because i would almost be "contracted" out to do the work - it should be fine.

So this will be interesting indeed.

Posted by xntrik at 11:23 AM

June 06, 2004 (research)

ASMCrack

ASMCrack - another one of those cracking utilities that slipped through my finger-tips.

"ASMCrack is a unix password security tool. It checks the password file by trying whether a given word matches an encrypted password that was within the password file. To do so it uses very speed optimized 386 assembly routines, with pentium alignment and command order optimisations. It consists of three program subversions, that use differently sized look-up tables. The speed of those versions depends on the hardware, especially on the RAM speed and the CPU cache's size."

What's interesting about this program is its (dumb/simple/clever) way of working on multiple computers - in fact - the same way that JTR-MPI (a peek inside jtr) works in an MPI environment.

First: Determine an approximate speed rating for each computer you want to use

asmcrack -test

Second: Create a file for each of the computers - and their rating

Computer0 : speed
Computer1 : speed
..
etc

Third: Run the program on each node with its appropriate node-number

asmcrack -multi:config.file,0

..

Now, even though the author claims it's all optimised and that jazz, it is quite out-dated compared to JTR, so whether or not it would perform up to par is yet to be seen.
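To show what the three steps above amount to, here is an added example (my code, not ASMCrack's): it parses a config file in the "name : speed" format described above and hands each node number a contiguous, speed-weighted slice of a candidate range. The post does not say how ASMCrack actually divides its search, so the proportional split and the "node number equals line order" rule are assumptions.

```python
# Added example: static, speed-weighted partitioning of a keyspace across nodes,
# modelled on the "Computer0 : speed" config file and "-multi:config.file,N" step.

def parse_ratings(config_text: str) -> list[tuple[str, float]]:
    """Parse 'name : speed' lines (format assumed from the post); node number = line order."""
    nodes = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, speed = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        rating = float(speed)
        if rating <= 0:
            raise ValueError(f"speed must be positive: {raw!r}")
        nodes.append((name.strip(), rating))
    if not nodes:
        raise ValueError("no nodes in config")
    return nodes

def partition(total: int, ratings: list[tuple[str, float]]) -> list[tuple[str, int, int]]:
    """Split [0, total) into contiguous ranges proportional to each node's speed rating.
    Integer rounding leaves a remainder; the last node absorbs it so coverage is exact."""
    weight = sum(speed for _, speed in ratings)
    ranges, start = [], 0
    for i, (name, speed) in enumerate(ratings):
        end = total if i == len(ratings) - 1 else start + int(total * speed / weight)
        ranges.append((name, start, end))
        start = end
    return ranges

def my_range(total: int, config_text: str, node_number: int) -> tuple[str, int, int]:
    """The slice node N would search, like 'asmcrack -multi:config.file,N' (N = line index)."""
    return partition(total, parse_ratings(config_text))[node_number]

def covers_all(total: int, ranges: list[tuple[str, int, int]]) -> bool:
    """Sanity check: ranges are contiguous, start at 0 and end at total (no gaps, no overlap)."""
    pos = 0
    for _, start, end in ranges:
        if start != pos or end < start:
            return False
        pos = end
    return pos == total

# Constructed sample config in the format the post describes (not a real rating file).
SAMPLE_CONFIG = """\
Computer0 : 30
Computer1 : 10
Computer2 : 20
"""
```

Because the split is fixed up front, a node that crashes part-way (as the Cisilia run below did) leaves its slice unsearched with nothing to notice; that is the price of the "dumb/simple" scheme.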

Posted by xntrik at 04:16 PM

May 23, 2004 (research)

pilot experiments on clustered password cracking

Shortly after igneous was finished I started my pilot test on John the Ripper-MPI (john-1.6.36-mpi) using a precompiled samba password list containing 50 passwords.

These passwords were meant to contain a nice cross-section of differing password strengths, from weak passwords to strong passwords. For lack of a better system the metric used for password strength was a slightly modified version of that specified here which is targeted towards Lotus Notes/User management or something.

Anyway, the system is humming along great. All 12 compute-nodes running at about 0.99 - 1, after the first day a majority of the passwords were already cracked, approximately. JTR splits LanManager (Samba) passwords in half to crack them, which is fine because the LM passwords are initially split in two before they are encrypted anyway. At the end of about 4-5 days running, the test is close to having checked all passwords up to length 7, comprised of a 69-character set.

This may sound (or may not sound) impressive in its own right, but because this is almost every single possible LM password .. it's quite impressive.

A bit of history behind LM hashed-passwords (google will have heaps more information than I can be bothered typing out here) .. LM hashes are the password-type for win9x systems, and for backwards compatibility over networks, they are *also* by default included in winNT+ .. this would be fine, if they were in fact a strong password type.. but they are not.

An LM password is truncated (or padded) to 14 characters, then all the alphabetic characters are converted to upper-case, then the 14 characters are split in two and each half is encrypted separately; the two results are concatenated back together at the end. So what we have, for each password, is 2 separate password hashes, each covering only 7 characters.

Back to the supposed-password-metric. Password 50 was meant to be a fairly strong password (relatively) .. unfortunately both halves of password50 were cracked in about 3-4 minutes.

Reasoning? .. JTR's brute-force attack goes as follows.

Character-length 1, Character-set-size 1
Character-length 1, Character-set-size 2
etc.
(Interspersed in here are differing locking mechanisms, so for longer passwords they'll lock the first 4 characters and only iterate the rest)

With small password lengths it's very easy to crack passwords, even when getting to the larger character-sets. The problem with password50 was that it was comprised of nothing BUT alphabetic characters, which means as soon as the "character-set-size" reached 26 (or thereabouts, because password50 did not have one of every alphabetic character) .. this large password could be cracked.
This speed is multiplied by n when n computers are splitting the load.
So by 3-4 mins, JTR-MPI had reached passwords of length 7, character-set-size about 22-26, and even though the password was 14 characters long, each half was still only 7.
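To make the LM structure and the ordering argument above concrete, here is an added example (my code, not from the original post and not JTR's): it applies the LM pre-processing (upper-case, pad or truncate to 14, split into 7-byte halves) and estimates, under a deliberately simplified model of the (length, charset-size) progression, how much brute-force work each half represents. The "letters-only halves fall at a 26-character set, everything else needs all 69" rule, ASCII input, and an even split across nodes are assumptions.

```python
# Added example: LM pre-processing plus a simplified per-half brute-force effort estimate.

LM_HALF = 7
LM_FULL = 14
FULL_CHARSET = 69      # size of the character set used in the JTR-MPI run described above
ALPHA_CHARSET = 26     # upper-case letters only; LM has already upper-cased everything

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """LM pre-processing: upper-case, truncate or NUL-pad to 14 bytes, split into two 7-byte halves.
    Assumption: ASCII input (real LM uses the OEM code page)."""
    data = password.upper().encode("ascii", "replace")[:LM_FULL]
    data = data.ljust(LM_FULL, b"\x00")
    return data[:LM_HALF], data[LM_HALF:]

def half_effort(half: bytes) -> int:
    """Candidates a search must cover to reach this half, under a simplified model of the
    (length, charset-size) progression: a half made only of letters is reached once the set
    grows to 26 characters, anything else is assumed to need the full 69-character set.
    Padding NULs are not characters, so an empty half (password <= 7 chars) costs one guess."""
    stripped = half.rstrip(b"\x00")
    if not stripped:
        return 1
    charset = ALPHA_CHARSET if stripped.isalpha() else FULL_CHARSET
    return charset ** len(stripped)

def password_effort(password: str) -> dict:
    """Effort per half, and the harder half as a fraction of the full 7-character LM keyspace."""
    first, second = lm_halves(password)
    e1, e2 = half_effort(first), half_effort(second)
    return {"first": e1, "second": e2,
            "fraction_of_full": max(e1, e2) / (FULL_CHARSET ** LM_HALF)}

def hours_to_crack(candidates: int, per_node_rate: float, nodes: int) -> float:
    """Wall-clock hours when n nodes split the work evenly (speed multiplied by n)."""
    return candidates / (per_node_rate * nodes) / 3600
```

A 14-letter password scores only 26**7 per half, about 0.1% of the 69**7 keyspace, which is the whole point about password50; the numbers are a model of the ordering, not JTR's actual candidate counts.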

....

So, for all this good-luck, naturally something had to screw up, i.e. my comparison with Cisilia (a different clustered password cracking utility).

My plan was to run a live-CD version of OpenMosix (OM) on igneous, then run cisilia on the same password file. Therefore, same hardware, same passwords, different os/parallel-paradigm/cracking-tool. But for the sake of JTR finishing its job, I had to run the tests in a different lab. A lab with a fairly homogeneous hardware configuration .. but still the software did not want to play.
Only once did it want to run with the full amount of nodes available. Other times it crashed. I eventually got it running on a sub-set of the computers, only to discover the next day that it had stopped after 5 hours after only cracking 4 passwords!

I'm guessing that the system has to be a bit more homogeneous for this tool to work; my supervisor is recommending waiting for the semester to end so I can shift into a lab which will allow me greater freedom.

Posted by xntrik at 11:23 AM

May 17, 2004 (general)

CSec experiment will hopefully commence this week

finally got igneous up and running, and will hopefully begin some tests of JTR-MPI on this 32-bit cluster.

The paper for my CSec unit will also require some further research into password strengths, and what is perceived as good methods of giving a password a certain strength metric.

In regards to my presentation .. it went well. The feedback was fairly positive, and there didn't appear to be any gaping holes in my logic, method, or proposal document so far.

It all still feels like such slow going.

Posted by xntrik at 11:57 AM

May 04, 2004 (general)

anyone say eeek?

have to do my honours proposal presentation tomorrow morning in front of the scary crowd... am completely shit-scared.

I know i'm not going to die.. and it's not like the dentist where it will a) cost lots, b) possibly hurt lots - but it doesn't stop the nerves from going haywire.

I'll try and post about it later.

(also added to the lit review section)

Posted by xntrik at 04:58 PM

April 25, 2004 (general)

oh f**k you endnote

right..

so as dan's pointed out before.. endnote is shit. Usually I can put up with its crappy quirks and lil fuck-ups.. but for the last 30mins I've been trying to figure out why the text on my page has been getting pushed into a smaller and smaller area.. only just then I realised .. hang on.. the header-footer boxes were SOMEHOW getting extra blank-lines added when I was changing some formatting.

This has NEVER happened before, and with all the other format discrepancies I've been experiencing since endnote was installed.. I place the blame totally on you.

You vile piece of referencing software..

Too bad i'm too gutless to drop it.

Posted by xntrik at 10:12 AM

March 30, 2004 (research)

supervisor reviews

last tuesday (the 23rd) we had our first lit-review meeting 1-on-1 with our supervisor, and i've found since then the going has been slow.

Every single paragraph that I write comes out at a crawling pace; I have a feeling my filtering system is getting all messed up and I'm over-concentrating on some details. Just sometimes you need to write something out, but it has to be legit (ie: proven and published somewhere) .. and that is HARD.

For ages I've been a semi-creative writer. One of my best classes in highschool was english lit (yes, not maths) and I've always had a passion for things related to that (I read a lot of fiction, I listen and get emotional with a lot of things like music etc), so to find myself having to conform with this rigid, almost lifeless, writing style is definitely getting to me in a way which is completely stressing me out.

As dan says, it's only March.. there will be plenty of time to stress later .. but god this is hard.

I can't wait til this phase is over and the gist of this writing-style has gelled a bit.

I can't wait.

Posted by xntrik at 10:57 PM