Home / Blogs

Crack the Code: That’s a Direct Challenge

I had quite an interesting experience recently. I was hired by a company to perform a vulnerability assessment and penetration test on their network. During the initial meeting, one of the key technical staff presented me with a challenge; He handed over the NTLM hash of the domain Administrator account and challenged me to decipher it. He explained that the complexity and length of the password would prevent me from deciphering it during the time allotted for the project. He was actually quite confident in my impending failure.

In most cases, this individual would have been right on the mark. On the other hand, I’m not sure he expected to challenge someone who has close associates with discretionary time on some of the most powerful computers in the world.

6 Hours, 2 Servers, 64GB of Memory, and 32 Processors Later and…

It took just under six hours to decipher the password. Of course, my ‘associates’ were using a program of my choice on servers with 32 processors and 64GB of RAM a piece. It’s nice to have friends with access like this. Especially in my line of work. Needless to say, my client was shocked when I called him the next day and gave him the password.

Let’s Have Some Fun: A Challenge For You

Shortly after this experience, I started thinking about writing an article about it. Then I thought to myself, why write just an article? Why not come up with a challenge for our readers?

Hidden in this article is information that will ultimately provide you with a phrase that has been encrypted (NOTE: you must look at the original article page). You will need to know a few pieces of general information such as, where to find the hash in this article, how to extract the hash from the article, what the password is that will reveal the hash, and what type of hash is being used! Still with me on this? You will need to do all this before you can start cracking the encrypted phrase.

First, you need to find the hashed phrase located in this article. I’ll give you a hint; I recently wrote an article about hiding messages in files. This article can be found on the Defending The Net Newsletter Archive. It is also in the CastleCops archive. Oh, and once you find where the hash is you will need a password to extract it. This one I am going to give away. The password to extract the hash is ‘letmein’ (without the ’ ’ of course).

Then, you will need a tool that can easily handle deciphering of the hash once you extract it from this article. There are quite a few out there that will do the job, however, I highly recommend using pnva naq noyr i2.69, a publicly available security tool that no self respecting security engineer should be without. You will also need to know the type of hashing algorithm that was used. I decided to use zrffntr qvtrfg svir because it is relatively well-known. (Try saying that 13 times real fast!)

So let’s get Cracken!!

Conclusion

The first person to successfully unravel this riddle and e-mail me at [email protected] with the deciphered phrase, along with a detailed description of how they accomplished the task, will receive a 512MB, USB2.0 Jump Drive. As soon as we receive this information we will post it on the main page of www.defendingthenet.com and www.castlecops.com.

By Darren W. Miller, Information & Network Security Specialist

Filed Under

Comments

Mark Smith  –  Jun 22, 2005 10:02 AM

I’m not sure I can see any Circle-ID relivant points in this article.

Anybody in infosec would already know that encryption / hashes can be broken using brute force methods with enough computing power. If they don’t, they shouldn’t be in infosec. (hint: it’s the reason why session keys are changed periodically, so that the password cracker has to start over again, and to also limit the amount of secret information exposed if a key does happen to be broken)

The lesson of being careful not to under-estimate your adversary is also not new. Many great miliaries have fallen because they have.

I don’t think there are any new security observations or lessons in this article. Nor are details of the experience of cracking the password provided, which could serve as a security case study of how to go about brute forcing an encrypted password.

All this article seems to me to be fundamentally doing is attempting to get Circle-ID readers to visit the two web sites listed. Having a brief look at these web sites gives me the impression that they are somewhat commercially oriented, which would then make the above article no more than an unacknowledged advertisement.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign