GPU ASSISTED LM HASH CRACKING WILLIAM GROESBECK UNIVERSITY OF NEVADA, RENO – SPRING 2013 (Psst, the 90’s called - they want their hashing algorithm back)

Outline  What is the LM Hash?  What makes it so terrible?  How do we generate it?  Why would we want to?  Sequential Implementation  Parallel Plans  Questions

What is the LM Hash  (Mostly) obsolete, password hashing function  Obsolete because it was compromised  Used < Windows NT  Could be manually disabled via group policy  Vista and Windows Server 2k8 disabled LM hash by default

What makes it so terrible?  See: How do we generate it?

How do we generate it?  Step 1: Start with password provided by user  (As long as it’s <=14 ASCII characters)  Step 2: 14 characters is really too many  Split it into two 7-byte halves  Step 3: Case sensitivity is really overrated  Convert everything to uppercase  Step 4: Okay, now we can get to work  Use each 7-byte half to DES encrypt the ASCII string  ( K ey of G len Zorn and S teve Cobb & Shift )

How do we generate it?  Step 1: Start with password provided by user  <=14ASCIIchars  Step 2: 14 characters is really too many  Split it into two 7-byte halves  Step 3: Case sensitivity is really overrated  Convert everything to uppercase  Step 4: Okay, now we can get to work  Use each 7-byte half to DES encrypt the ASCII string  ( K ey of G len Zorn and S teve Cobb & Shift ) Max Keyspace: 95^14 or 2^92

How do we generate it?  Step 1: Start with password provided by user  <=14ASCIIchars  Step 2: 14 characters is really too many  Split it into two7-byte halves  Step 3: Case sensitivity is really overrated  Convert everything to uppercase  Step 4: Okay, now we can get to work  Use each 7-byte half to DES encrypt the ASCII string  ( K ey of G len Zorn and S teve Cobb & Shift ) Max Keyspace: 95^14 or 2^92 95^7 or 2^46

How do we generate it?  Step 1: Start with password provided by user  <=14ASCIICHARS  Step 2: 14 characters is really too many  Split it into two7-byte halves  Step 3: Case sensitivity is really overrated  Convert everything to UPPERCASE  Step 4: Okay, now we can get to work  Use each 7-byte half to DES encrypt the ASCII string  ( K ey of G len Zorn and S teve Cobb & Shift ) Max Keyspace: 95^14 or 2^92 95^7 or 2^46 69^7 or 2^43

How do we generate it?  Step 1: Start with password provided by user  6d930e4dc7d5f3c691b9bafbe80a3a3c  Step 2: 14 characters is really too many  Split it into two7-byte halves  Step 3: Case sensitivity is really overrated  Convert everything to UPPERCASE  Step 4: Okay, now we can get to work  Use each 7-byte half to DES encrypt the ASCII string  ( K ey of G len Zorn and S teve Cobb & Shift ) Max Keyspace: 95^14 or 2^92 95^7 or 2^46 69^7 or 2^43

Intermission: A bit about DES (I’m sorry!)  Block cipher  Symmetric algorithm  Considered insecure because brute force  Uses 64-bit (56-bit, actually) key to encrypt 64-bit block of plaintext  Consists of bit shifts, permutations, and substitutions  For LM Hash, plaintext is always and key is 7-bytes of password

Intermission: A bit about DES Step-by-Step (repeat for each half of key used for LM hash)  Step 4.1: Generate 16 separate keys (one for each round) 1. Permute input key according to PC-1 (returns 56-bit permuted key) 2. Split permuted key into left and right halves 3. For 1<=n<=16, left shift each half by either 1 or 2 left shifts 4. For 1<=n<=16, run concatenated pairs through PC-2  Returns 16x 48-bit keys

Intermission: A bit about DES  Step 4.2: Permute plaintext according to IP  Step 4.3: Split permuted plaintext into two halves (returns 2 32-bit halves)  Step 4.4: For 16 rounds:  L n = R n-1  R n = L n-1 ⊕ f (R n-1, K n )where f is Feistel Function

Intermission: A bit about DES  Feistel Function (Takes 32-bit half-block and 48-bit subkey) 1. Expand 32-bit half-block to 48-bits using expansion permutation 2. XOR expanded half-block and round key 3. Split 48-bit result into 8 6-bit pieces 4. Pass 6-bit pieces through 8 separate “S-boxes” 1. 6-bits to 4-bits 2. ex: > 01 (Row) > 1101 (Column) 5. Permute 32-bit combined S-box result S-Box 1 Column Row (8x 6-bit -> (S-boxes) -> 8x 4-bit -> (permutation) -> 32-bit result)

Intermission: A bit about DES  Step 4.2: Permute plaintext according to IP  Step 4.3: Split permuted plaintext into two halves (returns 2 32-bit halves)  Step 4.4: For 16 rounds:  L n = R n-1  R n = L n-1 ⊕ f (R n-1, K n )where f is Feistel Function  Step 4.5: Concatenate Right and Left values (R 16 L 16 returns 64-bits)  Step 4.6: Perform Final permutation (IP -1 )

How do we generate it? (cont’d)  Step 5: Concatenate output of DES encryption of halves  Leaves us with a 16-byte result  Step 6: Bask in a feeling of overwhelming security Fun fact: If half of the password is empty, it will return 0xAAD3B435B51404EE Thus, the LM hash for an empty password is AAD3B435B51404EEAAD3B435B51404EE

Why would we want to?  Many simple operations  Repeated many times  Seems like a natural fit for parallelization

Sequential Implementation  Start with empty, 7-byte password  While left and right hashes haven’t been matched -AND-  Still more passwords to try  Get hash from password  Does it match the left hash?  How about the right?  Increment the password by one character Can be set to only A-Z, alpha-numeric, or all ASCII characters A B C.. AA AB AC … AAA AAB AAC … AAAA AAAB AAAC … etc…

Sequential Implementation  Tested using password “abcd”  LM Hash is E165F0192EF85EBB AAD3B435B51404EE  Timing  A-Z only (26 characters): 6.5sec, 72,385 passwords  A-Z,0-9 (36 characters) only: 17sec,190,585 passwords  All ASCII Chars (69 characters): 143sec,1,328,458 passwords

Sequential Implementation Not very pretty. But it works.

Parallel Plans  Port over to CUDA-land  One hash per thread  Minimal data transfers  Target hashes -> Device  Found passwords -> Host

?