Veronica Mars and NTLM password hashes
Intro
When I started my Patreon, I had no idea if it would work at all. The whole thing seemed like a gamble: spend an inordinate amount of time writing quality articles, and hope that folks will like it enough to kick in 5, 10, or 50 bucks a month just to see more of them.
I'm happy to say the gamble paid off - literally. Take that, impostor syndrome!
Don't get it mixed up, buddy - everyone's here for me.
But.. I write you.
Sure, whatever you need to tell yourself.
There were so many topics I wanted to write about. For a start, though, I wrote about things I already knew about to some extent, like files and protocols.
My objective was always to "branch out": to not just talk about software, but hardware and other things too. Why not get people talking about their jobs? Why not discuss something that has very little to do with programming?
That's why I made it clear on the Patreon pitch: the common thread here, above all else, is curiosity.
One thing I couldn't figure out: what the heck kind of "goals" should I set up on the Patreon page?
The whole thing I want to do (and that folks seem to enjoy) is write! If I were to set up goals that were non-writing related, that would mean less time to write, and I was concerned I'd eventually spend all my time doing those "extras" rather than focusing on what I do best.
And that's where the problem and the solution meet - I figured I'd have, as a goal, to write about something I wouldn't usually write about.
My original goal for 25 patrons was:
I have several secret projects brewing, and I will reveal one of them when I reach this goal!
The secret project I was thinking of was a demake of Keep Talking And Nobody Explodes for Windows 98 Second Edition. The twist? When the bomb explodes, you get a Blue Screen of Death.
I went ahead and sent this video to the developer of the original game, Steel Crate Games, and although they were impressed with it (and hadn't seen anything like it), they let me know that they could not approve any kind of public distribution of personal projects that borrow aspects of their own games.
So that fell a bit flat. I still have the post-mortem for that, and I might still publish it, although it's been... ten months now, I'd have to dive back into it, and I'm over it, a little. It was a big disappointment for sure.
My next goal, for 50 patrons, was:
I will go through an entire season of a TV show I like, and pick apart - in the most lovingly nerdy way - scenes that mention technology / computers / the internet / security threats, explain what they were probably thinking of, how likely this is in real life, and give a realism grade to each episode.
That goal was met, and then for 100 and 200 patrons, I didn't really promise anything, since I hadn't fulfilled either of the 25 or 50 goal yet.
So, it's time to make good on at least one of my promises.
Going through just one episode is already a lot of work, as you're about to find out. So, I'm starting this as a series, and I reserve the right to add to it whenever I watch an episode that I just can't... resist... dissecting.
Without further ado, let's jump into our first episode.
Veronica Mars
Let's take a look at one of my favorite shows: Veronica Mars! The show started airing in 2004, and is currently enjoying a perfectly respectable 8.3/10 on IMDB.
Seasons 1 through 3 are a delightful look back at the years 2004-2006. Of course, it's set in a "surfer town" in California, which is the furthest thing from where I grew up (a ski resort-adjacent town in France), but despite that, we shared countless cultural cornerstones.
What happened after Season 3 is... what it is.
There was the movie in 2014, and a Season 4 in 2019, both of which felt very different. In the first three seasons, a lot of tough and serious subject matter were tackled, but it was always wrapped in the youthful optimism of the 2000s. Sure, life threw curveballs at them, but so what? They had their whole life ahead of them!
Season 4 in particular kinda broke me. They're all "all grown up", and the problems they had when they were younger didn't magically fix themselves. Everything they're going through we should've seen coming, but didn't want to. I can't go into any more details without spoiling it for you, so I recommend you go take a look for yourself.
Luckily, it's Season 1 we're looking at today. Blissfully stuck in the year 2004, when Facebook wasn't used for election interference yet, when everyone thought Gmail was an April's Fools, when Ubuntu wasn't run in Docker containers yet, and when World of Warcraft had no expansions.
The set-up
The show takes place in Neptune High, where everyone's parents are either millionaires, or working for millionaires. Class conflict is a central topic throughout the show - the 09ers (rich kids, named after their area code) are despised by "everyone else", and vice versa.
Veronica (Kristen Bell, The Good Place, also the voice of Anna in Frozen) doesn't really pick a side. Back when he was Sheriff, her dad pissed off the entire town. Now, he's "just" a private investigator, and Veronica helps him out. That makes her a pariah, and the target of many a hazing.
She's a fighter, though. The friends she has, she doesn't get by playing nice. She gets rough, and she gets even, and the sensible kids in school end up respecting her for that - even the jocks.
She's not afraid to use what she's learned to pursue her own investigations, either to help other high school students, or by sheer curiosity.
In Episode 8, there's a new craze overtaking Neptune High. Everyone is filling out this purity test. Rich kids and non-rich kids included.
It's just an online form you fill out, and then it gives you a purity percentage - if you get a 60, you're 60% pure, 40% naughty. One of the 09ers notes that "anything under 60 is really slutty".
It's all fun and games until... until whoever is running the Purity Test website starts letting anyone buy the results of anyone else.
Then, predictable drama unfolds. The day after, at school, it's mayhem.
Veronica is enjoying the chaos, as one does, until something catches her attention. Meg Manning (Alona Tal, Supernatural) is getting grilled by her boyfriend about being unfaithful during summer vacation, but she denies everything.
Him, well, he's big mad.
And, as she does every single episode, Veronica gets involved. She tells Meg she can help, maybe. Because she's nice.
So, Veronica goes fishing. She starts by asking some dude a doozy of a question:
And this is the first mention of technology we can really analyze. Usually, in that kind of scene, TV writers love to cook up a good word salad. Something about IP address, tracing, the calls coming from inside the house.
But here, it actually makes sense. Veronica's full question is:
Is there any way to convert ciphertext to plain text without initial knowledge of the crypto-algorithms?
Plain text refers to the unencrypted input, say, "Rob Thomas", whereas cipher text refers to the encrypted form. If we use the "crypto algorithm" rot13, the cipher text for "Rob Thomas" would be "Ebo Gubznf".
So, it is a meaningful question - if you only have the cipher text, i.e. the encrypted version, can you recover the plain text if you don't know which method was used to encrypt it?
The answer to that question is "it depends". In the words of Qasim Mohammed Hussein, from Tikrit University:
There is no available systematic method that can recognize the encryption algorithm of all types of cipher texts, since each cipher has special characteristics. But there are tests to find the randomness of cipher text, such as: index of coincidence, frequency test, run test, serial test, poker test.
Most cryptography books include tests of text randomness that help in analysing the cipher text.
Source: ResearchGate
However, I don't think it's the question Veronica should be asking. Hiding the algorithm, or the method used to secure something, is security through obscurity, which is generally frowned upon.
In 2004, assuming the story is contemporary with the show, the school would probably have been running Windows NT 4.0 (if they were lagging behind), or Windows 2000.
Isn't Windows 2000 just Windows NT 5.0?
Correct. Marketing names for the win.
If they'd just been overhauling their network, it's possible they would've been running Windows Server 2003 and Windows XP instead, but that's not what I spent weeks researching, and the security model would be just about the same, so, let's look at what a potential Windows 2000 setup for Neptune High School would look like.
Replicating the Neptune High school network
Windows 2000 came in four editions. The client edition, Windows 2000 Professional, and then three server editions: Server, Advanced Server, and Datacenter.
It's hard for me to guess exactly what the setup would have been, especially since it's a fictional school!
It's easy! Just pick up your fictional phone.
There is a Neptune High School, but it's in New Jersey. Instead, we're going to model our school network after the school Veronica Mars was shot in: Oceanside High School, in California — which has a pirate mascot!
If we grab the California Department of Education enrollment records for 2004-2005, and look for Oceanside High School's data (with CDS 37-73569-3735206), we get (with some columns omitted):
ETHNIC | GENDER | GR_9 | GR_10 | GR_11 | GR_12 | ENR_TOTAL |
1 | F | 4 | 3 | 3 | 1 | 11 |
1 | M | 3 | 2 | 4 | 3 | 12 |
2 | F | 3 | 5 | 4 | 3 | 15 |
2 | M | 7 | 6 | 3 | 5 | 21 |
3 | F | 7 | 8 | 7 | 3 | 25 |
3 | M | 14 | 9 | 8 | 4 | 35 |
4 | F | 8 | 15 | 12 | 12 | 47 |
4 | M | 10 | 12 | 5 | 13 | 40 |
5 | F | 199 | 183 | 155 | 140 | 677 |
5 | M | 194 | 199 | 186 | 135 | 714 |
6 | F | 27 | 35 | 29 | 16 | 107 |
6 | M | 21 | 42 | 29 | 32 | 124 |
7 | F | 76 | 62 | 62 | 54 | 254 |
7 | M | 77 | 98 | 72 | 66 | 313 |
8 | M | 1 | 0 | 0 | 0 | 1 |
Summing everything up, we get a total of 2396 students.
According to the National Center for Education Statistics, the national pupil/teacher ratio for 2004, for private elementary and secondary schools, was 13.6 - we would be looking at around 177 teachers for Oceanside, who all need access to the school network as well.
Let's assume that there is a single server for the whole school, running Windows 2000 Server. If we buy it with 25 CALs (Client Access Licenses), it'll set us back $1800.
Then, we'll need CALs for the other users. Luckily, we can buy them in packs of 20, for only $800 per pack.
Cool bear's hot tip
One might wonder if "per-device" licensing wouldn't make more sense here, but let's not forget that students can (and do) bring their computer to school. In this episode alone, we see Veronica, Dick, and Mac all using their laptops on the school network.
And then, for each school computer, we also need a Windows 2000 Professional license - that's $320.
In 2002, a study done by Ji-Sook Chung on The effect of the availability of technology on teachers' use of technology and student achievement on standardized tests gathered data from 1381 Pennsylvania area school data files, and found the following:
Let's assume Neptune High, being a rich kid school and all, falls into the "High Computer" tier. The data is a little confusing to read (and from the wrong state), but we'll go with a conservative 1 computer for every 3.2 students - that's about 660 computers total.
So, the final cost of all our Windows licenses is...
...a little under $350K!
This sounded like a lot, that is, until I took a peek at the 2009 budget for the Oceanside Unified School District (which includes 15 elementary schools, 4 middle schools, and 2 high schools, one of them being Oceanside High). It includes:
- 8.5 million dollars for "books and supplies"
- 16 million dollars for "services and other operating expenditures"
...so, suddenly, our Windows licensing costs seem like a drop in the bucket.
Configuring Windows 2000 Server
Without further ado, let's set up our server. We'll want to enable some optional Windows features, so we can set up a DNS and DHCP server.
For the purpose of this exercise, we won't bother with internet access - although students definitely would've needed it, I'm honestly not sure how to make it all happen. Let's just worry about our intranet, which will be using the private 10.0.0.0/8 range.
All our clients (all the school computers besides the server) will obtain their IP address automatically (via DHCP):
And we're off to the races!
In the interest of seeing more than 256 colors, I went ahead and installed VirtualBox Guest Additions in both machines, which is not era-appropriate, but your eyes will thank me.
Ahhh, much better! And bigger!
The first thing we need to do is configure DNS. In the series, Veronica says all the students have an address like VeronicaMars@neptunehigh.com. I'm assuming the school actually has a public-facing website, and they own the actual domain.
However, here in 2020, it seems like it's squatted by some reseller, and I don't think it's worth spending the $280 just for authenticity.
That's probably for the best - Windows 2000 wasn't exactly known for its stellar security, let's keep those VMs off the internet, yes?
So, we'll just stay in our internal network, pretending we own neptunehigh.com.
I noticed right before publishing this article that the domain in the actual show is https://neptunehigh.org, and that one redirects to CBS.
Luckily, on Windows, everything is a wizard. Unluckily, I didn't go through School System Administrator Training, so I'm taking wild guesses here.
Just a few more steps and...
I think we're good to go! Next up is configuring the DHCP server.
Here too, we're on the yellow brick road, so let's try to find some courage.
I've made it this far in life without fully understanding how IP ranges and blocks and subnets and masks work, which should be all the proof you need that we're all faking it, and that you can too.
We'll also need to "authorize" the DHCP server, whatever that means. I guess we can't have rampant DHCP servers all up in our network? We have to bless the ones we want? I don't really see what would prevent them from sending DHCPOFFERs left and right, but okay.
Now that we've got DNS and DHCP all configured, we have to set up our server as an Active Directory Domain Controller.
And this means...
More wizards?
More wizards.
It's all very colorful. We're creating a new "forest". Sounds good.
What caught my attention was this: it asks us where we want to store the Active Directory database. Interesting!
It's time to add a few users to Active Directory.
Finally, let's set up one client - we'll call it "lab1", just to verify that we can, in fact, connect to the school network from a school computer.
As expected, it gets an IP address in the 10.0.1.0-10.0.255.0 range:
We can see the DHCP lease from our server:
But it's not part of the Active Directory Domain just yet. By right-clicking on "My Computer" from the desktop, going into "Network Identification", and going through our last wizard of the day, we can join the neptunehigh.com Active Directory domain, and then...
Well then we can log in.
Several progress indicators later... we're in! Logged as Veronica Mars.
How do we crack this thing?
Now, back to our original question. Given a system like the one we just set up, how would one go about obtaining other people's passwords?
Let's say I am Veronica, and I want to find Wallace's password.
Well, remember where we stored the Active Directory database? That would be a good place to start.
Oh. It doesn't exist. Of course, we're on a client, not on the server.
So, can we connect to the server somehow? Let's go fishing...
Mhh, nothing there, maybe if we search for computers? Assuming we know the server has "hub" in the name...
Heyy, we found it! What can we do from there?
Ah, there's the "Shared System Volume" (SYSVOL), but no trace of our Active Directory database. Shame.
Okay, say we (the attacker) somehow managed to sneak into the server room, so that we have physical access to "The Server", here's what we'd see:
That's... an issue. Of course, we could set up a whole heist - have someone distract the IT person hard enough that they'd leave the room while staying logged in - and then we'd have what we want.
But then they've seen us. And when funny business starts happening, like, oh, I don't know, other people's passwords being used, then the IT person might well remember us. In fact, when the IT person gets back to the server room and realizes they left without logging off, they might very well change all the passwords.
So, we need to think of something else.
What if we managed to get into the server room at night, and rebooted it?
Then we could boot into whatever we wanted...
...like a live CD of the first ever version of Ubuntu!
Just look at it.
I had this version. A friend slipped an extra CD of it to me at school. They sent CDs straight through your home back in the days! Just like AOL CDs with free internet minutes.
Alright grandpa.
Yes, yes, give me X server default background with original Gnome. Yes.
YES!!!
From here, well, we can do whatever we want. For example, we can plug in an era-appropriate 64 MiB flash drive and copy out two innocent files (totalling 12 MiB):
And just like that, we can reboot the server, take back our CD and our thumb drive, and let it boot back up into Windows 2000 Server. Sure, if the school has good monitoring set up, they'll notice something went wrong, but I'd be surprised if they didn't chalk it up to "some random power outage".
Now that we've got the goods, we can look at them off-site.
Just how resourceful do you think high-schoolers are?
Have a little faith!
If we were a tech-savvy student in 2004... we probably had a Windows XP machine lying around - it would've been out for three years.
Just pop our thumb drive in and - here are the goods. Encrypted, but still.
Now, we need to find some way of dumping the password hashes from ntds.dit so that we can "crack" them.
The password cracking part, we can do with something like l0phtcrack. But the hash dump... I wasn't sure where to look.
After looking at many mirrors of GeoCities sites, I found... Cain & Abel. Which Chrome promptly marked as "malware" (duh).
Let's take a look.
Ohhh it even comes with a version of WinPcap, just like we used in making our own ping.
And here's what it looks like:
Unfortunately, neither of these are really what we want. We don't have the cleartext hashes yet, and "SAM files" do not apply here.
They don't?
No! When we promoted our server to an Active Directory controller, the SAM (Security Account Manager) was disabled, and our passwords are in the ntds.dit file instead.
Aren't those files similar? Couldn't you just give Cain an ntds.dit file?
No, they're two completely different formats. ntds.dit is in ESE, aka JET Blue format.
Oh boy.
And that's not all - as of Windows 2000 SP4 (which came out in 2003 and would definitely have been at that school), the hashes in ntds.dit are encrypted with the system boot key.
Which is in the system file we also grabbed, right?
Right!
So, let's recap, we have:
- a system registry hive, which contains the boot key used to encrypt hashes in...
- the ntds.dit file, which contains NTLM hashes...
- which we can crack with Cain.
But we still don't know how to extract hashes out of ntds.dit.
...and that's where things get a little... interesting.
We can assume one of two things: either the Neptune High attacker was able to distract the system administrator, gain access to the server logged in as Administrator, plug in their USB thumb drive, and execute pwdump2, which, back in 2000, knew how to dump Active Directory password hashes, even when SYSKEY is enabled:
pwdump2 - This is an application which dumps the password hashes (OWFs) from NT's SAM database, whether or not SYSKEY is enabled on the system.
Changes: It can now dump password hashes on W2K domain controllers. The previous version was unable to get the hashes from Active Directory.
...and then they copied the unencrypted hashes to their USB thumb drive for later analysis.
Or... they had an uncle at Microsoft, that told them the intimate details of the ESE file format, and how NT hashes were encrypted using the SYSKEY.
...you're going to go with the "uncle at Microsoft" route aren't you.
Yeah! It's a lot more fun that way!
So, assuming they had an uncle at Microsoft, and knew all the implementation details, they could've come up with their own tool.
Yeah! Even in 2007, creddump was a thing. I'm not clear exactly how capable it was, but it was definitely an area of interest.
What about l0phtcrack? Didn't it also have hash dumping abilities?
l0phtcrack 7 (2016) definitely mentions the ntds.dit file, but the documentation for l0phtcrack 2.5 (1999) does not.
Awww.
It's possible l0phtcrack 3, aka LC3 (2002) had that feature, in fact, you know what, let me check.
Mhhh, no dice.
Enough archeology! For the time being, we're going to assume that they either distracted the system administrator, or they had a Super Secret Hash Dumping Tool four years before anyone else.
A tool like NTSDumpEx (2017).
Profanity warning ⚠
Oh look! Password hashes!
Let's copy just the ones we care about in a file...
# in hashes.txt
Administrator:6608e4bc7b2b7a5f77ce3573570775af
VeronicaMars:816fd98e9cb03bc00500f57284d5cda7
WallaceFennel:30d025c36556fa65395fbb62eceeb99b
MegManning:ff23a8ac18ab518db9fd58555ffbf1d2
And since we're currently having nice things, let's not stop there.
Just out of curiosity, how long would these take to crack using a 2020 GPU-powered password cracking tool, like hashcat?
We'll run it with a flurry of flags:
- --username lets hashcat know our input file contains usernames before it contains hashes
- --separator ":" is what we use to separate the username from the hash itself in hashes.txt
- --outfile-format 3 controls the format of the generated cracked.txt file
- --workload-profile 3 selects the "High" profile, which has "high power consumption" and should make our desktop "unresponsive".
- --attack-mode 3 attacks in "brute force" mode (really "mask mode")
- --optimized-kernel-enable uses different algorithms? doesn't support really long passwords, we don't really care for those
- --hash-type 1000 selects "NTLM" hash mode
- --outfile cracked.txt saves recovered passwords in cracked.txt
- --potfile-disable: "potfiles" store hashes that were already cracked, and won't be cracked again. It's useful when running hashcat several times in a row, which we're not doing.
- neptune.hcmask is our mask file, which contains the patterns to look for.
We'll give it a custom mask file to speed up the search - let's say we knew the minimum password length was 6 characters:
# in neptune.hcmask
# length 6, uppercase
?u,?1?1?1?1?1?1
# length 6, lowercase
?l,?1?1?1?1?1?1
# length 6, uppercase + digits
?u?d,?1?1?1?1?1?1
# length 6, lowercase + digits
?l?d,?1?1?1?1?1?1
# length 6, uppercase + digits + special
?u?d?s,?1?1?1?1?1?1
# length 6, lowercase + digits + special
?l?d?s,?1?1?1?1?1?1
# length 7, uppercase
?u,?1?1?1?1?1?1?1
# length 7, lowercase
?l,?1?1?1?1?1?1?1
# length 7, uppercase + digits
?u?d,?1?1?1?1?1?1?1
# length 7, lowercase + digits
?l?d,?1?1?1?1?1?1?1
# length 7, uppercase + digits + special
?u?d?s,?1?1?1?1?1?1?1
# length 7, lowercase + digits + special
?l?d?s,?1?1?1?1?1?1?1
The documentation for hashcat is... nothing to write home about. Here's all you need to know to decipher the above (hopefully):
- if the line starts with a #, it's a comment
- otherwise, it goes custom-charset,pattern, where ?1 in the pattern stands for that custom charset
- ?u means uppercase letters (A-Z)
- ?l means lowercase letters (a-z)
- ?d means digits (0-9)
- ?s means special characters (space, backquote, and !"#$%&'()*+,-./:;<=>?@[\]^_{|}~)
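To see what that mask file actually asks hashcat to do, here is an added Python example (my own code, not hashcat's and not part of the original article) that parses .hcmask lines and computes each mask's keyspace, i.e. how many candidates hashcat has to hash to exhaust it. It goes a little beyond the file above in that it also handles literal characters and a custom charset that references a built-in one; the embedded file is neptune.hcmask as listed above, and the hash rate used for the time estimate is an assumption, not a measurement.

```python
import string
from math import prod

# hashcat's built-in charsets: ?s is the space plus the 32 ASCII punctuation marks,
# ?a is every printable ASCII character (95 of them).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "a": string.ascii_letters + string.digits + " " + string.punctuation,
}


def tokens(spec):
    """Yield the atoms of a charset spec or mask: ('?', 'u') for ?u, ('c', 'x') for a literal x."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            yield ("?", spec[i + 1])
            i += 2
        else:
            yield ("c", spec[i])
            i += 1


def expand_charset(spec, custom):
    """Expand a custom charset definition such as '?u?d' or 'abc?1' into a set of characters."""
    chars = set()
    for kind, val in tokens(spec):
        if kind == "c" or val == "?":      # literal character ('??' is a literal '?')
            chars.add("?" if kind == "?" else val)
        elif val in BUILTIN:
            chars.update(BUILTIN[val])
        elif val in custom:
            chars.update(custom[val])
        else:
            raise ValueError(f"unknown charset ?{val} in {spec!r}")
    return chars


def mask_keyspace(line):
    """Return (mask, keyspace) for one non-comment line 'cs1,cs2,...,mask'.
    (hashcat also allows a '\\,' escape for literal commas; this simple parser does not.)"""
    *defs, mask = line.strip().split(",")
    custom = {}
    for n, spec in enumerate(defs, start=1):   # ?1..?4; later ones may reference earlier ones
        custom[str(n)] = expand_charset(spec, custom)
    sizes = []
    for kind, val in tokens(mask):
        if kind == "c" or val == "?":
            sizes.append(1)                    # a fixed character: exactly one choice
        elif val in BUILTIN:
            sizes.append(len(BUILTIN[val]))
        elif val in custom:
            sizes.append(len(custom[val]))
        else:
            raise ValueError(f"unknown charset ?{val} in mask {mask!r}")
    return mask, prod(sizes)


def keyspaces(hcmask_text):
    """(mask, keyspace) for every non-empty, non-comment line of an .hcmask file, in file order."""
    return [mask_keyspace(l) for l in hcmask_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at a rate you supply (the rate is an assumption)."""
    return keyspace / hashes_per_second


# neptune.hcmask from above, embedded here (comments dropped): lengths 6 and 7, six charsets each.
NEPTUNE_HCMASK = """\
?u,?1?1?1?1?1?1
?l,?1?1?1?1?1?1
?u?d,?1?1?1?1?1?1
?l?d,?1?1?1?1?1?1
?u?d?s,?1?1?1?1?1?1
?l?d?s,?1?1?1?1?1?1
?u,?1?1?1?1?1?1?1
?l,?1?1?1?1?1?1?1
?u?d,?1?1?1?1?1?1?1
?l?d,?1?1?1?1?1?1?1
?u?d?s,?1?1?1?1?1?1?1
?l?d?s,?1?1?1?1?1?1?1
"""

if __name__ == "__main__":
    running = 0
    for mask, size in keyspaces(NEPTUNE_HCMASK):
        running += size
        print(f"{mask:18} {size:>18,}  cumulative {running:>18,}")
    # Assumed (not measured) rate of a few GH/s for NTLM on a GTX 1050 class GPU.
    print(f"whole file at 5 GH/s: {seconds_to_exhaust(running, 5e9) / 3600:.1f} hours worst case")
```

The cumulative column shows why the run above finished in under two minutes: the ten masks before the length-7 "+ special" ones add up to under 400 billion candidates, while each of those last two masks is 69^7, about 7.4 trillion, on its own.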
And here it is - one minute and forty-five seconds of glorious hacking:
Alright, so let's look at our passwords:
ff23a8ac18ab518db9fd58555ffbf1d2:DUNCAN
Oh Meg. Listen to the IT person!
What else do we have?
816fd98e9cb03bc00500f57284d5cda7:GJ7B!X
Hey, that's Veronica's!
And the two others are just, well, Wallace, and the IT guy himself:
30d025c36556fa65395fbb62eceeb99b:POLEBOY
6608e4bc7b2b7a5f77ce3573570775af:hunter2
But we used a 2020 password cracking tool. Assuming the attacker somehow had managed to dump the hashes (either by distracting the admin, or being the first to dump an ntds.dit file offsite), they would've used a 2004-appropriate tool to crack the hashes.
So, let's try to plop our hashes into Cain, and see how long it would've taken to "crack" them:
Well?? What are we waiting for?
I can't find the button...
Have you tried right-clicking?
Ahh there it is.
Okay, so we have a bunch of charsets to pick from - if we wanted to match some of the masks we passed to hashcat, we could try this:
And in a little under a minute... Meg's password is cracked:
Let's talk realism. Hashcat was using your laptop's nVidia GTX 1050, so obviously it was not 2004-appropriate.
Right, yes.
But here, what is it using? Do you have multiple cores enabled?
Nope, just the one core. Which is era-appropriate, because the first dual-core consumer CPU (the Athlon 64 X2) only came out in 2005.
What about clock frequency? Your i7 8750H goes up to 4.1GHz does it not?
Right, that's where we're taking some creative liberties. It's possible that the hacker would've been rocking an AMD Athlon 64 FX-53, which clocks in at 2.4 GHz.
What about other improvements besides clock frequency?
Well, I can safely say that Cain 2.5 does not use instruction sets that were not available back then because, well, they hadn't been invented.
Yeah, obviously modern instruction sets are not being used, but what about the size of the CPU caches? Or the efficiency of the branch predictor?
That's well above my pay grade, but I would assume those would also make a difference. It would be interesting to have someone run Cain 2.5 on the actual hashes on 2004 hardware.
In the interest of this happening, here are the hashes in a format that can be imported into Cain.
Administrator:500:93d1f9ea182df34baad3b435b51404ee:6608e4bc7b2b7a5f77ce3573570775af:::
VeronicaMars:1109:bdd3b50f86f018d2aad3b435b51404ee:816fd98e9cb03bc00500f57284d5cda7:::
WallaceFennel:1110:6d8d3eaa2337305aaad3b435b51404ee:30d025c36556fa65395fbb62eceeb99b:::
MegManning:1111:ef9b11d7b3b40b55aad3b435b51404ee:ff23a8ac18ab518db9fd58555ffbf1d2:::
Now that we've got all of that out of the way - on our not-quite-2004-hardware set up, how long would it take to crack Veronica's password, if we knew its length and the character set used?
Turns out - a few hours!
Again, this is where having 2004 hardware would help a lot.
But that's not the only option in Cain...
In 2004, you could have gotten a 200 GB hard drive (for the low low price of $135). And you know what had just been invented, one year prior?
Now, downloading rainbow tables for NTLM hashes and a reasonably large charset might have been a bit too much to ask for back then: dial-up customers had an average connection speed of 34 kbps, DSL customers had 861 kbps, and cable subscribers had 2178 kbps on average.
Not to mention that data caps are still a thing in the United States today.
Thankfully there's another option! Cain, our password cracker, just happens to ship with winrtgen, a Rainbow table generator.
In the interest of finishing this article before winter, I've picked the exact character set and length Veronica used in her password - an attacker that did not have that knowledge would probably generate several sets of tables.
Uh oh, success probability 54%?
Fingers crossed! We could increase the chain length or the chain count if we wanted to raise the success chance.
I left our "Hacker Windows XP" instance to hash its heart out, and the next morning... tada!
Now, all we have to do is ask Cain to do a "cryptanalysis attack" on the NTLM hash for Veronica's password:
Load up our rainbow table:
And... thirteen seconds later:
We've got our password.
I guess the Rainbow Table paper was not overstating its claims:
Finally our experiment has demonstrated that the time-memory trade-off allows anybody owning a modern personal computer to break cryptographic systems which were believed to be secure when implemented years ago and which are still in use today. This goes to demonstrate the importance of phasing out old cryptographic systems when better systems exist to replace them. In particular, since memory has the same importance as processing speed for this type of attack, typical workstations benefit doubly from the progress of technology.
Cool bear's hot tip
If you want to know more about rainbow tables, check out What's in a rainbow table?.
And now back to the show
So, let's summarize. We've seen that if an attacker had:
- A workstation at home
- A 64 MiB thumb drive
- A Live CD of Ubuntu 4.10
- A large enough hard disk drive
- A copy of Cain 2.5, including winrtgen
...and also, either an uncle working at Microsoft, or, more likely, the ability to distract the system administrator, gaining physical access to the server logged in as administrator, then they would have been able to "recover the plaintext" of, well, probably all the students in under a day.
That's cool! So the show is realistic, yes?
Overall, I'd say Veronica Mars is very realistic. Much better than the average TV show.
But here, it's even better. You see... none of that actually happened in the show.
See, when Veronica does her initial research, asking questions to Mac in exchange for breaking into her own car because whoops, nerd girl forgot her keys...
...Veronica actually gets quality information:
Anyone can buy a copy of the test, but to post the results in the first place, you need to use your password.
Who has that information?
Only the student and the I.T. guy.
The conversation goes on for a bit:
Neptune High has their own I.T. guy?
Renny Demouy. We share him with the entire school district, but he's here Tuesday and Friday mornings.
You know his schedule by heart?
I do a lot of computer stuff!
So. Renny Demouy. The first time Veronica meets with him, she's surprised. She expected an old guy! But she quickly changes tactics and tries to play the clumsy girl in distress:
Can I help you with something?
I hope so!
Um, my friend Julie, it's her Sweet sixteen tomorrow and I wanted to change her screensaver to say "Happy Birthday", like, as a surprise, but I don't know her password. I was told I could get it from you...
She won't mind, I promise. We're, like, total BFFs.
I... don't know what that means, but... I cannot give you someone else's password. They are confidential.
Am I supposed to, like, pay you or something?
I cannot give it to you. I would lose my job.
I'm sorry, but... no way.
Renny is, from the get-go, hella suspicious. What he should have said is "I cannot give it to you, because I don't have them."
It would make sense that when setting up the Active Directory accounts for students, Renny would need to tell the students what their password is, but:
- He's not supposed to keep a copy of them
- He probably should enable the "User must change password at next logon"
So anyway, it turns out that Kimmy, who was fighting with Meg over who would sing cabaret, was sleeping with Renny.
That's right. Kimmy was being a jelly nellie. "Ooh, Meg gets all the attention, better violate the CFAA."
And, yeah, in exchange for uh, favors, Renny gave Meg's password to Kimmy. Just that one password though - apparently it was someone else who took it way further and started sowing chaos at school by posting everyone's test results.
...but there's something that bothers me.
Renny could give anyone the passwords if he wrote them down when he set up the accounts. But then how do you explain that conversation between Veronica and Renny?
You're back!
I need to change the password on my e-mail account.
Someone managed to figure out the old one.
That's why your password should always include numbers as well as letters.
Okay Renny. Even in 2004, that's pretty piss-poor advice. But do whatever you can to cover your leaky ass I guess.
Everyone thinks it's fun to use the name of your dog or boyfriend, but that actually makes it easy to crack.
No Renny, they don't think it's fun, they think "so if I forget this, my life is over, right? I'll pick something I can remember!".
And who could blame them.
My old password was GJ7B!X
Well, try and make this one a little bit tougher.
And this is one thing I don't understand. Obviously Renny doesn't remember everyone's passwords off the top of his shiny head. But how did he know Veronica's password if she clearly picked it herself?
Do all students go one by one in Mr. Demouy's office and tell him the password they want, out loud?
Or does Renny have an uncle who works at Microsoft?