Shmoocon 2009 Day 3

Enough with the Insanity: Dictionary Base Rainbow Tables
by Matt Weir
Defense against offline password cracking
1. salt
2. Make it computationally expensive, 100 X SHA1.
Unless of course you salt it wrong.
WPA and WPA2 keys are salted with the SSID. NTLM uses the username as a salt.
The Problems with Rainbow Tables

  • Probabilistic in nature
  • Long creation time
  • Two hashes take twice as long to crack as one
  • Collisions result in a lot of wasted work

Traditional Rainbow Tables have been brute force attacks. However as Lanman hashes are increasingly disabled, and some organizations have implemented long password requirements (14 characters and up) we need to look at other methods. I’ve found NTLM Rainbow Tables to be massive. In my experience, any organization that has a strong password requirement can’t use NTLM Rainbow Tables. Last time I looked there wasn’t a Rainbow Table with length up to 8 and UPPERS, lowers and numbers. It would be too big.
So what do you do? Over at you can download hybrid rainbow tables. From what I see its only really short passwords. I though Matt said they had a version of rcrack to generate your own hybrid rainbow table. That would be pretty cool.
I currently do this through bruteforce looking for the following.
Aaaa11122 where
A = UPPERS. So in this case the first letter is a upper case letter.
a = lower. In this case characters 2, 3 and 4 are lower case letters.
1 = lowers or numbers. So positions 5, 6 and 7 are lowers or numbers.
2 = lowers, numbers or ! So positions 8 or 9 have that.
I suspect a rainbow table looking at length 8 or 9 with that combination would save me time in the long run.
Matt has developed a dictionary based rainbow tables generator available at the URL at the top of this entry. It can take a dictionary and use common word wrangling rules to create rainbow tables. You can also check for common keyboard combos and double passwords. People often double their current password to meet lengthy password requirements.
I currently use Inside Pro’s Extreme GPU Bruteforcer. (Its much cheaper than Elcomsoft.) The software is cheap and a NVidea GeForce 8800 GT is relatively cheap as well. While watching this talk I was wondering about GPU bruteforcing versus Rainbow Tables. If I can do a hybrid Rainbow Table, is it then possible to write software to do a hybrid attack using the GPU. Or does the way a GPU work make that a bad idea?
By Blake Hartstein
JS Unpack is a javascript unpacker available online at
It may be available as a download to run locally at some point.
The Problem:
There is a large volume of malicious javascript files. These encoded/encrypted javascript exploits are difficult to analyze.
In the past you would need to manually attempt to decode it by downloading it, attempting to modify it to be ‘safe’ and then run it. This is kind of dangerous and requires a sacrificial lamb.
To defeat manual analysis the malware creater would use escape sequences, encryption based on tags (so if you change a tag, it wont decrypt), Environmental variables as an encryption key, version detection, timing, and blacklisting. Additionally exploit kits can set their website to only service the malware once to an IP.
After manual methods, more automated efforts have occurred such as JSDecode by Dave Zimmer, the Ultimate deObfuscator by Stephen Chenette of Websense and Malzilla.
JS Unpack has the following goals

  • Safety – not requiring a sacrificial lamb
  • Archive content
  • Simulate the Browser and plugins (pdf and flash)
  • Combine the best hooking techniques
  • Enable analysis despite IP blocking
  • Integrate with IDS, crawling and other research

ClamAV is used to statically unpack executables
Plenary Session: Tough Security for Tough Times
This is mostly random notes from the session:
Security spending is holding steady due to compliance requirements and increasing threats.
The half life of security knowledge is 18 months.
This came back in a discussion of security degrees. Engineering constants don’t change. But very quickly the degree you received could be seen as useful as a diploma form the punch card era.
DLP is seen as taking off by one analyst. (I guess when everything is DLP, it must get a lot of sales)
Management needs to understand that security isn’t overhead.
The bad guys have learned to stay below the radar. Business will ignore it as long as a threshold isn’t exceeded.
How do you grow security talent that can relate to business.