Cryptography

Key Terms

Plaintext

Data before encryption or hashing, often text but not always as it could be a photograph or other file instead.

Encoding

This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible.

Hash

A hash is the output of a hash function. Hashing can also be used as a verb, "to hash", meaning to produce the hash value of some data.

Brute force

Attacking cryptography by trying every different password or every different key

Cryptanalysis

Attacking cryptography by finding a weakness in the underlying maths

Rainbow Tables

A rainbow table is a lookup table of hashes to plaintexts, so you can quickly find out what password a user had just from the hash. A rainbow table trades time taken to crack a hash for hard disk space, but they do take time to create.

Example

Hash : Password 02c75fb22c75b23dc963c7eb91a062cc : zxcvbnm b0baee9d279d34fa1dfd71aadb908c3f : 11111

Protection against Rainbow Tables

To protect against rainbow tables, we add a salt to the passwords. The salt is randomly generated and stored in the database, unique to each user.

The salt is added to either the start or the end of the password before it’s hashed, and this means that every user will have a different password hash even if they have the same password.

Recognizing Password Hashes

Automated hash recognition tools exist, but they are unreliable for many formats. For hashes that have a prefix, the tools are reliable. If you found the hash in a web application database, it's more likely to be md5 than NTLM. Automated hash recognition tools often get these hash types mixed up,

Unix Password Hashes

Unix style password hashes are very easy to recognise, as they have a prefix. The prefix tells you the hashing algorithm used to generate the hash. The standard format is $id$salt$hashed

On Linux, password hashes are stored in /etc/shadow. This file is normally only readable by root. They used to be stored in /etc/passwd, and were readable by everyone.

Windows Password Hashes

Windows passwords are hashed using NTHash/NTLM, which is a variant of md4. They're visually identical to md4 and md5 hashes, so it's very important to use context to work out the hash type.

On Windows, password hashes are stored in the SAM. Windows tries to prevent normal users from dumping them, but tools like mimikatz or from the Active Directory database: NTDS.dit exist for this. Importantly, the hashes found there are split into NT hashes and LM hashes.

You may not have to crack the hash to continue privilege escalation- as you can often conduct a "pass the hash" attack instead, but sometimes hash cracking is a viable option if there is a weak password policy.

Windows NLTM hash format is Username:Relative Identifier:LM Hash:NT Hash

A great place to find more hash formats and password prefixes is the hashcat example page

HMACs

HMAC is a method of using a cryptographic hashing function to verify the authenticity and integrity of data.

A HMAC can be used to ensure that the person who created the HMAC is who they say they are (authenticity), and that the message hasn’t been modified or corrupted (integrity).

They use a secret key, and a hashing algorithm in order to produce a hash.