Over the last few weeks, a number of updates have been pushed to the dev version of MASTIFF located in the Git repository. One of these updates is a major change to the analysis plug-in architecture.
Also, due to the Heartbleed bug that everyone has been dealing with, we updated the SSL certificates on the Git server. Unfortunately, this seems to be causing an issue with Debian and Ubuntu based clients. Update: We deployed a server-side workaround; details below.
The updates, and the fix to the Git issue, are described below.
This weekend at Infosec SouthWest 2014 KoreLogic's Crack Me If You Can (CMIYC) team ran a mini-CMIYC contest for the people attending the conference. The prize was a $100 gift card.
We made the challenge pretty simple, with 1-2 hashes that were a little bit harder.
The winner was Scot Perkins. Congratulations to the winner! Here are the hashes we posted if you want to play along after the fact:
As previously discussed at multiple conferences and in this blog, KoreLogic worked on the PathWell project for the DARPA Cyber Fast Track program. PathWell identifies and blocks common passwords based upon common password topologies and learned user behavior.
Watch this video for a detailed outline of what PathWell is and how it works, and what a topology is. (And check back later for new and improved versions of this talk we'll be giving in the near future.)
The PathWell software is not yet public, but people have frequently asked us to publish the list of the most popular topologies within enterprises that we compiled during that research. So, that is what we are doing today.
In order to make new development versions of MASTIFF available to the masses, KoreLogic has set up a Git server. This repository can be accessed at https://git.korelogic.com/mastiff or the repository can be cloned with:
git clone https://git.korelogic.com/mastiff.git
On January 20, I will be giving a talk at ShmooCon Epilogue on PathWell, a project we did last summer. Epilogue is a great event and is much easier to get tickets for than ShmooCon, and I highly recommend it. (And I said that before they accepted my talk ;)
Over the past couple of years, we - mostly my coworker Rick Redman (Minga) - have given many talks about how enterprise password strength enforcement rules, as currently implemented, are broken and harmful. They make enterprise passwords easy to crack. The only thing worse than having them is not having them.
PathWell ("Password Topology Histogram Wear-Leveling") introduces a new dimension for measuring and enforcing enterprise password strength that attempts to take away from the attacker the advantages that they currently have when cracking (or even just flat-out guessing blindly) an enterprise's passwords.
One of the issues when analyzing malicious Linux executables occurs when the executable has been statically linked and the debugging symbols stripped. Since the debugging symbols are stripped, IDA Pro is unable to identify the names of the library functions and we are left to determine the names on our own, or load and/or create the appropriate IDA signatures to identify the functions. To do this, we need to know which libraries were used during compilation, and possibly the OS (Linux distribution name and version) it was compiled on as well.
One of the reasons MASTIFF was written in Python was to give it the flexibility to run wherever it was needed. Linux and other *nix systems have been supported since the initial release, but one goal was to have MASTIFF work on Mac OS X. It was suspected that MASTIFF would run without a problem on OS X, but it had never been tested...until now.
This week MASTIFF was finally tested and proven to work on Mac OS X. Mac OS X 10.8.5 (Mountain Lion) was used during testing, although other versions of OS X will likely work as well.
The instructions to install MASTIFF on Mac OS X are below. In these instructions we used Homebrew to install a number of packages. There are many ways to install packages on OS X; this is the one that was chosen this time.
We've just published details about the Crack Me If You Can 2013 encrypted file challenges here: the passphrase for each encrypted file, and the hints that are included in each one.
Encrypted File Types
Each encrypted file type had an Easy, Medium, and Hard file, with increasingly complex passphrases.
As a favor to @Druidian, I supplied a mini password cracking challenge for hackers at DEFCON. It was a small list of NTLM hashes that the teams had to crack. They had no idea what the significance of them was.
I supplied the following NTLM hashes:
This is the first of several posts we'll make post-Crack Me If You Can 2013. Later we'll gather things up and add content to the main 2013 contest site.
In this post I'll talk a little about the structural changes we made in this year's DEFCON contest, what we did that we think worked well, some not so well. We'd love feedback that we can use when planning future contests.
You may have seen the recent article on Ars Technica by Dan Goodin about KoreLogic. We (Rick Redman and Dale Corpron, KoreLogic consultants) dipped a computer in oil, and left it there, running, 24x7.
Although this idea isn't really all that new (Cray did it in 1985!), our use of it is relatively rare. We dipped a GPU powered password cracking system in the oil. Thanks to Midas Green Tech's help, it was really easy to do. Our hardware wasn't new or even custom, but it's running, right now, in mineral oil.
So, why did we do it?
It's official, Crack Me If You Can will definitely be back for DEFCON 21 in August.
We've been planning what to do for this year's contest, combining all our lessons learned. We'll get the 2013 site up, and start announcing structure and rules soon.
The latest version of MASTIFF, 0.6.0, has just been released! Run over to the download site and grab the latest version!
The official changelog is located here, but the major improvements are described below.
Upgrading MASTIFF to the latest version is easy. You can follow this process:
Version 3.10.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release includes updated support for file hooks and introduces KL-EL-based XMagic. Consequently, the minimum required version of libklel has been raised to 1.1.0, which has a library version of 2:0:1. Finally, file system support for SquashFS was added.
The latest version of KL-EL, 1.1.0, has just been released! It's available for download at its SourceForge site.
This release brings a much cleaner and faster parser, and a more consistent API for developers. The KL-EL standard library has been extended with a family of "abort" functions to trigger runtime errors in expressions.