CORE CloudCypher was born as a critical support tool required by our SCS (Security Consulting Services) team while performing world-class penetration testing engagements. In most consulting engagements they get hold of password hashes, and they need to know whether those hashes can be turned back into plaintext passwords, either to (1) perform further penetration testing activities or (2) assess the strength of the authentication mechanisms in place and provide feedback to the customer. These activities are very common and are requested of most security teams and security consultants as part of their daily jobs.

CORE CloudCypher was built applying the knowledge collected over several years of delivering penetration testing services and researching cracking techniques, common password selection patterns, and other topics related to password cracking. In summary, the service uses at least three techniques to evaluate the robustness of a submitted password: (1) a “dictionary attack” using a comprehensive database of real-world passwords and the common mutations that users apply to them, (2) a “statistical brute-force attack”, in which candidate passwords are generated with Markov chains so that likely character sequences are tried first, and (3) a “rainbow tables attack”, which lets us certify that passwords with certain characteristics (for example, up to a given length over a given character set) will always be recovered if present. Rainbow tables are applicable here because Windows NTLM hashes are unsalted: the same password always produces the same hash, on every machine.
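As an added illustration of technique (2), and not CloudCypher's own code: a first-order Markov model trained on a small constructed list of passwords, with a best-first search that enumerates candidates in descending model probability. It shows why the approach is called a statistical brute force: the model proposes strings it never saw (such as “pas123” or “pasw0rd”), ranked by how plausible their character transitions are, and with this tiny training set it even ranks those shortened variants above the training words themselves, because each repeated “s” costs a factor of 0.5. The START/END boundary symbols, the length cap and the training list are assumptions of this example.

```python
"""Added example (not CloudCypher code): first-order Markov candidate generation,
the idea behind a 'statistical brute force' in miniature."""
import heapq
from collections import defaultdict

START, END = "^", "$"   # word-boundary symbols; assumed absent from the training words


def train(words):
    """Estimate P(next char | previous char) from character bigram counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for w in words:
        prev = START
        for ch in w + END:
            counts[prev][ch] += 1
            prev = ch
    return {prev: {ch: n / sum(nxt.values()) for ch, n in nxt.items()}
            for prev, nxt in counts.items()}


def candidates(model, limit, max_len=8):
    """Enumerate complete candidates in descending model probability.

    Best-first search over partial strings: extending a string can only lower
    its probability, so the first completed string popped from the heap is the
    most probable one overall, the second the next most probable, and so on.
    Returns a list of (candidate, probability)."""
    heap = [(-1.0, START)]             # (negative probability, partial string)
    out = []
    while heap and len(out) < limit:
        negp, s = heapq.heappop(heap)
        last = s[-1]
        if last == END:
            out.append((s[1:-1], -negp))
            continue
        full = len(s) - 1 >= max_len   # length cap reached: only END may follow
        for ch, p in model.get(last, {}).items():
            if full and ch != END:
                continue
            heapq.heappush(heap, (negp * p, s + ch))
    return out


# Constructed training set standing in for a corpus of leaked passwords.
TRAINING = ["password", "passw0rd", "pass123"]

if __name__ == "__main__":
    for word, p in candidates(train(TRAINING), 10):
        print("%-10s %.4f%s" % (word, p, "" if word in TRAINING else "  (unseen)"))
```

Running it prints the candidates in probability order, the three unseen single-“s” variants first at 1/6 each, then the three training words at 1/12, then “passs123”. A real implementation would use a higher-order model, a much larger corpus and a longer length cap, and would hand the candidates to the hasher in exactly this order, so the most likely passwords are tested first.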

The combination of these approaches gives the user a powerful and easy-to-use service to assess password strength and to obtain the plaintext of audited hashes, fully integrated with the identity management capabilities of CORE Impact.

Having said this, let’s focus on how to start exploring CORE CloudCypher.

Environment Setup

Before you start using CORE CloudCypher you need to set up the environment, which is straightforward as only three steps are required:

1- Install your copy of CORE Impact 2013 R1 or later

2- Contact your account manager or customer support for assistance if your trial period has expired.

3- Go to “Toolbar\Tools\Options” and (1) decide whether credentials should be submitted automatically to CORE CloudCypher whenever a module that identifies valid Windows credentials (such as “Password Dump from SAM”) commits them, and (2) specify your email address if you want to receive email notifications from the service when submitted jobs are completed, as shown next.

CloudCypher - 1

 

How To

So, once your environment is ready, you have at least three ways of using CORE CloudCypher, described below:

Option 1 - Test CloudCypher by Submitting Gathered Identities

The simplest and most common way to try CORE CloudCypher is to submit a previously gathered credential to the service.

Let’s assume you’ve run RPT (Rapid Penetration Testing) and one or more modules were able to identify Windows NTLM identities and commit them to the Identity Manager. In that case you can audit the strength of the collected hashes by following steps 3 through 5 of the next example.

You can also collect Windows NTLM identities by executing the module “Password Dump from SAM” on any agent installed on a Windows box. The module will try to collect all the accounts on the target machine together with their password hashes. If it succeeds it commits that information to the Identity Manager and, if it was executed with the option “Automatically submit credentials to CORE CloudCypher” enabled, the collected hashes are sent to the service automatically.

Option 2 - Test CloudCypher by Importing PWDUMP Results

Assuming you previously ran PWDUMP on a Windows box and have its output in the tool’s standard format, you can try CORE CloudCypher by following these steps:

1- Search and execute the module “Import Identities from PWDUMP”

CloudCypher - 2

2- Feed the module with the PWDUMP output file. Each line has the form “username:RID:LM hash:NT hash:::”; an LM field of 32 zeros, as in the sample below, means no LM hash is stored for that account. If you don’t have PWDUMP output you can copy the following sample lines into a “txt” file and continue with the following steps.

TestUser1:1:00000000000000000000000000000000:0a4ab4d488f177fd595714a29954e892:::

TestUser2:2:00000000000000000000000000000000:73c43de8848dd722f82637ab353c254c:::

3- Go to the Windows NTLM section of the “Identity Manager”

CloudCypher - 3

4- Right click on a given identity and select “Crack Using CORE CloudCypher”

5- Wait for the results. Progress information from the service is shown in the “Module Log”, and an alert is emailed to you as soon as your job finishes.

Also, if you’d like to send more than one hash at a time, select all the hashes you want to submit and execute the module “Password cracking using CORE CloudCypher”. All the selected identities will then be sent to CORE CloudCypher at once.

Option 3 - Test CloudCypher by Creating a Test Identity

This third alternative is for the case where neither of the previous options suits you and you just want to try the service with a fictitious identity whose plaintext password you already know.

In that case you first need to create a new module in CORE Impact that supports manual identity creation, as follows:

1- Create a new dummy module by going to “Toolbar\Modules\New Module”, specifying just the module name as shown in the following screen.

CloudCypher - 4

2- Find the new module and edit it by right-clicking it.

CloudCypher - 5

3- Replace the existing sample code with the code provided below. Keep in mind that Python uses indentation to determine the structure of your program, so it is very picky about whitespace: if you mix tabs and spaces, or the pasted code loses its indentation, the module won’t work at all.

#
# Description:
#   Creates a Windows NTLM test identity in the Identity Manager from a
#   plaintext password, so CORE CloudCypher can be tried against a known value.
#
# Author:
#   Sebastian Tello
#
# Copyright (c) 2001-2013 CORE Security Technologies, CORE SDI Inc.
# All rights reserved.
#
# This computer software is owned by Core SDI Inc. and is
# protected by U.S. copyright laws and other laws and by international
# treaties.  This computer software is furnished by CORE SDI Inc.
# pursuant to a written license agreement and may be used, copied,
# transmitted, and stored only in accordance with the terms of such
# license and with the inclusion of the above copyright notice.  This
# computer software or any other copies thereof may not be provided or
# otherwise made available to any other person.
#
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE
# FOR ANY DIRECT,  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
# CONSEQUENTIAL  DAMAGES RESULTING FROM THE USE OR MISUSE OF
# THIS SOFTWARE
#
#--

__xmldata__ = """<entity type="python" name="Generate Windows NTLM Test Identity">
        <property type="container" key="features">
            <property type="string" key="network"/>
        </property>
        <property type="string" key="author">CORE Security Technologies</property>
        <property type="string" key="brief">Generate Windows hashes from a plain text password.</property>
        <property type="string" key="category">My Modules</property>
        <property type="xmldata" key="Description" readonly="1">
        </property>
        <property type="string" key="classname">GenerateWindowsHashes</property>
        <property type="parameters" key="parameters">
            <property type="unicode" key="PASSWORD">admin</property>
            <property type="unicode" key="USERNAME">TestUser</property>
        </property>
        <property type="parameters" key="parameter_description">
            <property type="string" key="PASSWORD">Plain text password.</property>
            <property type="string" key="USERNAME">Username associated with the identity</property>
        </property>

        <property type="container" key="highlight_preconditions" readonly="1">
        </property>
</entity>"""

import binascii
from Crypto.Hash import MD4
from impact import modulelib
from impact.identity_manager import manager
from impact.identity_manager.identity import Identity


class NTLM:
    @staticmethod
    def generate(passwd):
        # NT hash: MD4 over the UTF-16LE encoding of the password, no salt.
        digest = MD4.new(passwd.encode("utf-16le")).digest()
        return binascii.hexlify(digest).upper()


class GenerateWindowsHashes(modulelib.Module):

    def initialize(self):
        module_parameters = self.getParameters()

        self.pwd = module_parameters['PASSWORD']
        self.username = module_parameters['USERNAME']

        # Stored as "LM:NT", the same pair PWDUMP prints; 32 zeros in the LM
        # field means no LM hash is stored for this account.
        lm = "0" * 32
        ntlm = NTLM.generate(self.pwd)
        self.hash = lm + ":" + ntlm
        self.add_test_identity()

    def add_test_identity(self):
        # Commit an unvalidated SMB identity carrying only the hash pair; it then
        # appears under Windows NTLM in the Identity Manager like a dumped one.
        identitiesManager = manager.getImpactIdentityManager()
        identity = Identity.from_dict({Identity.USERNAME: self.username,
                                       Identity.PROTOCOL: Identity.PROTO_SMB,
                                       Identity.NTLM_HASH: self.hash,
                                       Identity.VALIDATED: False,
                                       })

        identitiesManager.addIdentity(identity)

4- Save the module and reload it by going to “Toolbar\Modules\Reload”.

5- Execute the new “Generate Windows NTLM Test Identity” module, feeding it the username and the plaintext password of the dummy identity you want to create.

6- Follow steps 3 through 5 of the previous example.

Conclusions

CORE CloudCypher is not a silver bullet, but initial usage indicates that it cracks the vast majority of the passwords used by most user populations. Each hash is worked on for a few hours through a multi-stage process that requires no password-cracking expertise from the user.

Your feedback and questions are greatly appreciated. I’d like to thank all our customers who are using the service intensively and providing us with feedback about their experiences. I’ll be happy to provide more insight to anyone interested in the topic, so feel free to contact me for additional information.

Flavio de Cristofaro – Vice President of Engineering for Professional Products