Veronica Mars and NTLM password hashes


Intro

When I started my Patreon, I had no idea if it would work at all. The whole thing seemed like a gamble: spend an inordinate amount of time writing quality articles, and hope that folks will like it enough to kick in 5, 10, or 50 bucks a month just to see more of them.

I'm happy to say the gamble paid off - literally. Take that, impostor syndrome!

Cool bear

Don't get it mixed up, buddy - everyone's here for me.

Amos

But.. I write you.

Cool bear

Sure, whatever you need to tell yourself.

There were so many topics I wanted to write about. For a start, though, I wrote about things I already knew about to some extent, like files and protocols.

My objective was always to "branch out": to not just talk about software, but hardware and other things too. Why not get people talking about their jobs? Why not discuss something that has very little to do with programming?

That's why I made it clear on the Patreon pitch: the common thread here, above all else, is curiosity.

One thing I couldn't figure out: what the heck kind of "goals" should I set up on the Patreon page?

The whole thing I want to do (and that folks seem to enjoy) is write! If I were to set up goals that were non-writing related, that would mean less time to write, and I was concerned I'd eventually spend all my time doing those "extras" rather than focusing on what I do best.

And that's where the problem and the solution meet - I figured I'd have, as a goal, to write about something I wouldn't usually write about.

My original goal for 25 patrons was:

Amos

I have several secret projects brewing, and I will reveal one of them when I reach this goal!

The secret project I was thinking of was a demake of Keep Talking And Nobody Explodes for Windows 98 Second Edition. The twist? When the bomb explodes, you get a Blue Screen of Death.

Sorry, I mean three! There were three batteries on the bomb!

I went ahead and sent this video to the developer of the original game, Steel Crate Games, and although they were impressed with it (and hadn't seen anything like it), they let me know that they could not approve any kind of public distribution of personal projects that borrow aspects of their own games.

So that fell a bit flat. I still have the post-mortem for that, and I might still publish it, although it's been... ten months now, I'd have to dive back into it, and I'm over it, a little. It was a big disappointment for sure.

My next goal, for 50 patrons, was:

Amos

I will go through an entire season of a TV show I like, and pick apart - in the most lovingly nerdy way - scenes that mention technology / computers / the internet / security threats, explain what they were probably thinking of, how likely this is in real life, and give a realism grade to each episode.

That goal was met, and then for 100 and 200 patrons, I didn't really promise anything, since I hadn't fulfilled either of the 25 or 50 goal yet.

So, it's time to make good on at least one of my promises.

Going through just one episode is already a lot of work, as you're about to find out. So, I'm starting this as a series, and I reserve the right to add to it whenever I watch an episode that I just can't... resist... dissecting.

Without further ado, let's jump into our first episode.

Veronica Mars

Let's take a look at one of my favorite shows: Veronica Mars! The show started airing in 2004, and is currently enjoying a perfectly respectable 8.3/10 on IMDB.

Seasons 1 through 3 are a delightful look back at the years 2004-2006. Of course, it's set in a "surfer town" in California, which is the furthest thing from where I grew up (a ski resort-adjacent town in France), but despite that, we shared countless cultural cornerstones.

What happened after Season 3 is... what it is.

There was the movie in 2014, and a Season 4 in 2019, both of which felt very different. In the first three seasons, a lot of tough and serious subject matter was tackled, but it was always wrapped in the youthful optimism of the 2000s. Sure, life threw curveballs at them, but so what? They had their whole life ahead of them!

Season 4 in particular kinda broke me. They're all "all grown up", and the problems they had when they were younger didn't magically fix themselves. Everything they're going through we should've seen coming, but didn't want to. I can't go into any more details without spoiling it for you, so I recommend you go take a look for yourself.

In Season 4, Logan is getting some well-deserved time off after the iZombie apocalypse.

Luckily, it's Season 1 we're looking at today. Blissfully stuck in the year 2004, when Facebook wasn't used for election interference yet, when everyone thought Gmail was an April Fools' joke, when Ubuntu wasn't run in Docker containers yet, and when World of Warcraft had no expansions.

The set-up

The show takes place in Neptune High, where everyone's parents are either millionaires, or working for millionaires. Class conflict is a central topic throughout the show - the 09ers (rich kids, named after their area code) are despised by "everyone else", and vice versa.

Someone looks happy to be here

Veronica (Kristen Bell, The Good Place, also the voice of Anna in Frozen) doesn't really pick a side. Back when he was Sheriff, her dad pissed off the entire town. Now, he's "just" a private investigator, and Veronica helps him out. That makes her a pariah, and the target of many a hazing.

Woops, no clothes. That'll teach you to be different!

She's a fighter, though. The friends she has, she doesn't get by playing nice. She gets rough, and she gets even, and the sensible kids in school end up respecting her for that - even the jocks.

Take that, Dick. (That's not a statement, the dude's name is Richard)

She's not afraid to use what she's learned to pursue her own investigations, either to help other high school students, or by sheer curiosity.

Veronica at her dad's office, definitely not looking into family secrets. No sir.

In Episode 8, there's a new craze overtaking Neptune High. Everyone is filling out this purity test. Rich kids and non-rich kids included.

Ah, 2004, before MacBooks existed. I'm pretty sure that's an iBook G3 or G4. It's thick.

It's just an online form you fill out, and then it gives you a purity percentage - if you get a 60, you're 60% pure, 40% naughty. One of the 09ers notes that "anything under 60 is really slutty".

Duncan Kane, explaining what 'double standard' means.

It's all fun and games until... until whoever is running the Purity Test website starts letting anyone buy the results of anyone else.

Honestly? $10 is a bargain. They really need some business advice.

Then, predictable drama unfolds. The day after, at school, it's mayhem.

Veronica, super glad to be single right now.

Veronica is enjoying the chaos, as one does, until something catches her attention. Meg Manning (Alona Tal, Supernatural) is getting grilled by her boyfriend about being unfaithful during summer vacation, but she denies everything.

Smile, you're being framed!

Him, well, he's big mad.

Such drama.

And, as she does every single episode, Veronica gets involved. She tells Meg she can help, maybe. Because she's nice.

Don't forget. You're a high school girl. Do some high school girl things now and then.

Keith Mars, dad of the year

So, Veronica goes fishing. She starts by asking some dude a doozy of a question:

Someone's been using Yahoo! Search instead of going to bed last night.

And this is the first mention of technology we can really analyze. Usually, in that kind of scene, TV writers love to cook up a good word salad. Something about IP address, tracing, the calls coming from inside the house.

But here, it actually makes sense. Veronica's full question is:

Is there any way to convert ciphertext to plain text without initial knowledge of the crypto-algorithms?

Plain text refers to the unencrypted input, say, "Rob Thomas", whereas cipher text refers to the encrypted form. If we use the "crypto algorithm" rot13, the cipher text for "Rob Thomas" would be "Ebo Gubznf".

So, it is a meaningful question - if you only have the cipher text, i.e. the encrypted version, can you recover the plain text, if you don't know which method was used to encrypt it?

The answer to that question is "it depends". In the words of Qasim Mohammed Hussein, from Tikrit University:

There is no available systematic method that can recognize the encryption algorithm of all types of cipher text, since each cipher has special characteristics. But there are tests to find the randomness of cipher text, such as: index of coincidence, frequency test, run test, serial test, poker test.

Most cryptography books include tests of text randomness that help in analysing the cipher text.

Source: ResearchGate

However, I don't think it's the question Veronica should be asking. Hiding the algorithm, or the method used to secure something, is Security through obscurity, which is generally frowned upon: by Kerckhoffs's principle, a system should stay secure even when everything about it except the key is public. The more useful question is what the school's systems actually store, and how.

In 2004, assuming the story is contemporary with the show, the school would probably have been running Windows NT 4.0 (if they were lagging behind), or Windows 2000.

Cool bear

Isn't Windows 2000 just Windows NT 5.0?

Amos

Correct. Marketing names for the win.

If they'd just been overhauling their network, it's possible they would've been running Windows Server 2003 and Windows XP instead, but that's not what I spent weeks researching, and the security model would be just about the same, so, let's look at what a potential Windows 2000 setup for Neptune High School would look like.

Replicating the Neptune High school network

Windows 2000 came in four editions. The client edition, Windows 2000 Professional, and then three server editions: Server, Advanced Server, and Datacenter.

It's hard for me to guess exactly what the setup would have been, especially since it's a fictional school!

Cool bear

It's easy! Just pick up your fictional phone.

There is a Neptune High School, but it's in New Jersey. Instead, we're going to model our school network after the school Veronica Mars was filmed at: Oceanside High School, in California — which has a pirate mascot!

Oceanside High School, circa 2019

Joe Dusel Photography

If we grab the California Department of Education enrollment records for 2004-2005, and look for Oceanside High School's data (with CDS 37-73569-3735206), we get (with some columns omitted):

ETHNIC  GENDER  GR_9  GR_10  GR_11  GR_12  ENR_TOTAL
1       F          4      3      3      1         11
1       M          3      2      4      3         12
2       F          3      5      4      3         15
2       M          7      6      3      5         21
3       F          7      8      7      3         25
3       M         14      9      8      4         35
4       F          8     15     12     12         47
4       M         10     12      5     13         40
5       F        199    183    155    140        677
5       M        194    199    186    135        714
6       F         27     35     29     16        107
6       M         21     42     29     32        124
7       F         76     62     62     54        254
7       M         77     98     72     66        313
8       M          1      0      0      0          1

Summing everything up, we get a total of 2396 students.

According to the National Center for Education Statistics, the national pupil/teacher ratio for 2004, for private elementary and secondary schools, was 13.6, so we would be looking at around 177 teachers for Oceanside, who all need access to the school network as well.

Let's assume that there is a single server for the whole school, running Windows 2000 Server. If we buy it with 25 CALs (Client Access Licenses), it'll set us back $1800.

Then, we'll need CALs for the other users. Luckily, we can buy them in packs of 20, for only $800 per pack.

Cool bear

Cool bear's hot tip

One might wonder if "per-device" licensing wouldn't make more sense here, but let's not forget that students can (and do) bring their own computers to school, and each of those would need a device CAL too. In this episode alone, we see Veronica, Dick, and Mac all using their laptops on the school network.

And then, for each school computer, we also need a Windows 2000 Professional license - that's $320.

In 2002, a study done by Ji-Sook Chung on The effect of the availability of technology on teachers' use of technology and student achievement on standardized tests gathered data from 1381 Pennsylvania area school data files, and found the following:

Let's assume Neptune High, being a rich kid school and all, falls into the "High Computer" tier. The data is a little confusing to read (and from the wrong state), but we'll go with a conservative 1 computer for every 3.2 students - that's about 660 computers total.

So, the final cost of all our Windows licenses is...

...a little under $350K!

This sounded like a lot, that is, until I took a peek at the 2009 budget for the Oceanside Unified School District (which includes 15 elementary schools, 4 middle schools, and 2 high schools, one of them being Oceanside High). It includes:

  • 8.5 million dollars for "books and supplies"
  • 16 million dollars for "services and other operating expenditures"

...so, suddenly, our Windows licensing costs seem like a drop in the bucket.

Configuring Windows 2000 Server

Without further ado, let's set up our server. We'll want to enable some optional Windows features, so we can set up a DNS and DHCP server.

For the purpose of this exercise, we won't bother with internet access - although students definitely would've needed it, I'm honestly not sure how to make it all happen. Let's just worry about our intranet, which will be using the private 10.0.0.0/8 range.

All our clients (all the school computers besides the server) will obtain their IP address automatically (via DHCP):

And we're off to the races!

In the interest of seeing more than 256 colors, I went ahead and installed VirtualBox Guest Additions in both machines, which is not era-appropriate, but your eyes will thank me.

Cool bear

Ahhh, much better! And bigger!

The first thing we need to do is configure DNS. In the series, Veronica says all the students have an address like VeronicaMars@neptunehigh.com. I'm assuming the school actually has a public-facing website, and they own the actual domain.

However, here in 2020, it seems like it's squatted by some reseller, and I don't think it's worth spending the $280 just for authenticity.

Cool bear

That's probably for the best - Windows 2000 wasn't exactly known for its stellar security, let's keep those VMs off the internet, yes?

So, we'll just stay in our internal network, pretending we own neptunehigh.com.

Amos

I noticed right before publishing this article that the domain in the actual show is https://neptunehigh.org, and that one redirects to CBS.

Luckily, on Windows, everything is a wizard. Unluckily, I didn't go through School System Administrator Training, so I'm taking wild guesses here.

Just a few more steps and...

I think we're good to go! Next up is configuring the DHCP server.

Here too, we're on the yellow brick road, so let's try to find some courage.

I've made it this far in life without fully understanding how IP ranges and blocks and subnets and masks work, which should be all the proof you need that we're all faking it, and that you can too.

We'll also need to "authorize" the DHCP server in Active Directory. This is less of a security boundary than it sounds: a Windows 2000 DHCP service that is a domain member checks whether it's authorized and shuts itself down if it isn't, which protects against well-meaning admins accidentally standing up a second one. Nothing stops a non-Windows (or non-domain-joined) box from answering DHCPDISCOVERs with its own DHCPOFFERs left and right, so it's a sanity check against accidents, not against attackers.

Now that we've got DNS and DHCP all configured, we have to set up our server as an Active Directory Domain Controller.

And this means...

Cool bear

More wizards?

Amos

More wizards.

It's all very colorful. We're creating a new "forest". Sounds good.

What caught my attention was this: it asks us where we want to store the Active Directory database (by default, C:\WINNT\NTDS on Windows 2000). Interesting!

It's time to add a few users to Active Directory.

Finally, let's set up one client - we'll call it "lab1", just to verify that we can, in fact, connect to the school network from a school computer.

As expected, it gets an IP address in the 10.0.1.0-10.0.255.0 range:

We can see the DHCP lease from our server:

But it's not part of the Active Directory Domain just yet. By right-clicking on "My Computer" from the desktop, going into "Network Identification", and going through our last wizard of the day, we can join the neptunehigh.com Active Directory domain, and then...

Well then we can log in.

Several progress indicators later... we're in! Logged in as Veronica Mars.

How do we crack this thing?

Now, back to our original question. Given a system like the one we just set up, how would one go about obtaining other people's passwords?

Let's say I am Veronica, and I want to find Wallace's password.

Well, remember where we stored the Active Directory database? That would be a good place to start.

Oh. It doesn't exist. Of course, we're on a client, not on the server.

So, can we connect to the server somehow? Let's go fishing...

Mhh, nothing there, maybe if we search for computers? Assuming we know the server has "hub" in the name...

Heyy, we found it! What can we do from there?

Ah, there's the "Shared System Volume" (SYSVOL), but no trace of our Active Directory database. Shame.

Okay, say we (the attacker) somehow managed to sneak into the server room, so that we have physical access to "The Server", here's what we'd see:

That's... an issue. Of course, we could set up a whole heist - have someone distract the IT person hard enough that they'd leave the room while staying logged in - and then we'd have what we want.

But then they've seen us. And when funny business starts happening, like, oh, I don't know, other people's passwords being used, then the IT person might well remember us. In fact, when the IT person gets back to the server room and realizes they left without logging off, they might very well change all the passwords.

So, we need to think of something else.

What if we managed to get into the server room at night, and rebooted it?

Then we could boot into whatever we wanted...

...like a live CD of the first ever version of Ubuntu!

Just look at it.

I had this version. A friend slipped an extra CD of it to me at school. They shipped CDs straight to your home back in the day! Just like AOL CDs with free internet minutes.

Cool bear

Alright grandpa.

Yes, yes, give me X server default background with original Gnome. Yes.

YES!!!

From here, well, we can do whatever we want. For example, we can plug in an era-appropriate 64 MiB flash drive and copy out two innocent-looking files (totalling 12 MiB): the Active Directory database, ntds.dit, from C:\WINNT\NTDS, and the SYSTEM registry hive from C:\WINNT\system32\config:

And just like that, we can reboot the server, take back our CD and our thumb drive, and let it boot back up into Windows 2000 Server. Sure, if the school has good monitoring set up, they'll notice something went wrong, but I'd be surprised if they didn't chalk it up to "some random power outage".

Now that we've got the goods, we can look at them off-site.

Cool bear

Just how resourceful do you think high-schoolers are?

Amos

Have a little faith!

If we were a tech-savvy student in 2004... we probably had a Windows XP machine lying around - it would've been out for three years.

Just pop our thumb drive in and - here are the goods. Encrypted, but still.

Now, we need to find some way of dumping the password hashes from ntds.dit so that we can "crack" them.

The password cracking part, we can do with something like l0phtcrack. But the hash dump... I wasn't sure where to look.

After looking at many mirrors on GeoCities-era sites, I found... Cain & Abel. Which Chrome promptly flagged as "malware" (duh).

Let's take a look.

Ohhh it even comes with a version of WinPcap, just like we used in making our own ping.

And here's what it looks like:

Unfortunately, neither of these is really what we want. We don't have the hashes in the clear yet, and "SAM files" don't apply here.

Cool bear

They don't?

Amos

No! When we promoted our server to an Active Directory domain controller, the domain accounts moved out of the SAM (Security Account Manager) and into the ntds.dit file. The local SAM only survives for Directory Services Restore Mode, so the student passwords aren't in it.

Cool bear

Aren't those files similar? Couldn't you just give Cain an ntds.dit file?

Amos

No, they're two completely different formats. ntds.dit is in ESE, aka JET Blue format.

Cool bear

Oh boy.

Amos

And that's not all - as of Windows 2000 SP4 (which came out in 2003 and would definitely have been at that school), the hashes in ntds.dit are encrypted with the system boot key.

Cool bear

Which is in the system file we also grabbed, right?

Amos

Right!

So, let's recap, we have:

  • the SYSTEM registry hive, from which the boot key (SYSKEY) is derived...
  • ...which decrypts the Password Encryption Key stored inside ntds.dit...
  • ...which decrypts the NT hashes in ntds.dit (after peeling off one more DES layer keyed by each account's RID, the same obfuscation the SAM uses)...
  • ...which we can crack with Cain.

One caveat: this only works because the default SYSKEY mode keeps the boot key on disk, scattered across the SYSTEM hive. An administrator who had picked the "password at startup" or "floppy disk" SYSKEY mode would have kept it off the disk entirely, and our night-time live CD raid would have come home with nothing crackable.

But we still don't know how to extract hashes out of ntds.dit.

...and that's where things get a little... interesting.

We can assume one of two things: either the Neptune High attacker was able to distract the system administrator, gain access to the server logged in as Administrator, plug in their USB thumb drive, and execute pwdump2, which, back in 2000, knew how to dump Active Directory password hashes, even when SYSKEY is enabled:

pwdump2 - This is an application which dumps the password hashes (OWFs) from NT's SAM database, whether or not SYSKEY is enabled on the system.

Changes: It can now dump password hashes on W2K domain controllers. The previous version was unable to get the hashes from Active Directory.

packetstormsecurity.com - April 2000

...and then they copied the unencrypted hashes to their USB thumb drive for later analysis.

Or... they had an uncle at Microsoft, that told them the intimate details of the ESE file format, and how NT hashes were encrypted using the SYSKEY.

Cool bear

...you're going to go with the "uncle at Microsoft" route aren't you.

Amos

Yeah! It's a lot more fun that way!

So, assuming they had an uncle at Microsoft, and knew all the implementation details, they could've come up with their own tool.

Cool bear

Wasn't most of this common knowledge by 2008? In a series of one, two, three articles by moyix?

Amos

Yeah! Even in 2007, creddump was a thing. I'm not clear exactly how capable it was, but it was definitely an area of interest.

Cool bear

What about l0phtcrack? Didn't it also have hash dumping abilities?

Amos

l0phtcrack 7 (2016) definitely mentions the ntds.dit file, but the documentation for l0phtcrack 2.5 (1999) does not.

Cool bear

Awww.

Amos

It's possible l0phtcrack 3, aka LC3 (2002) had that feature, in fact, you know what, let me check.

Amos

Mhhh, no dice.

Enough archeology! For the time being, we're going to assume that they either distracted the system administrator, or they had a Super Secret Hash Dumping Tool four years before anyone else.

A tool like NTDSDumpEx (2017).

Profanity warning ⚠

Oh look! Password hashes!

Let's copy just the ones we care about in a file...

# in hashes.txt
Administrator:6608e4bc7b2b7a5f77ce3573570775af
VeronicaMars:816fd98e9cb03bc00500f57284d5cda7
WallaceFennel:30d025c36556fa65395fbb62eceeb99b
MegManning:ff23a8ac18ab518db9fd58555ffbf1d2

And since we're currently having nice things, let's not stop there.

Just out of curiosity, how long would these take to crack using a 2020 GPU-powered password cracking tool, like hashcat?

We'll run it with a flurry of flags:

  • --username lets hashcat know our input file contains usernames before the hashes
  • --separator ":" is what separates the username from the hash itself in hashes.txt
  • --outfile-format 3 controls the format of the generated cracked.txt file (here, hash:plaintext)
  • --workload-profile 3 selects the "High" profile, which has "high power consumption" and should make our desktop "unresponsive".
  • --attack-mode 3 attacks in "brute force" mode (really "mask mode": we describe the shape of the candidates, and hashcat enumerates every one of them)
  • --optimized-kernel-enable uses faster, hand-optimized kernels at the price of a lower maximum password length, which we don't care about here
  • --hash-type 1000 selects the "NTLM" hash mode (the NT hash: an unsalted MD4 of the UTF-16LE password)
  • --outfile cracked.txt saves recovered passwords in cracked.txt
  • --potfile-disable hashcat normally records every cracked hash in a "potfile" and skips it on later runs; we only run once, so we turn that off.
  • neptune.hcmask our mask file, which contains the patterns to look for.

We'll give it a custom mask file to speed up the search - let's say we knew the minimum password length was 6 characters:

# in neptune.hcmask
# length 6, uppercase
?u,?1?1?1?1?1?1
# length 6, lowercase
?l,?1?1?1?1?1?1
# length 6, uppercase + digits
?u?d,?1?1?1?1?1?1
# length 6, lowercase + digits
?l?d,?1?1?1?1?1?1
# length 6, uppercase + digits + special
?u?d?s,?1?1?1?1?1?1
# length 6, lowercase + digits + special
?l?d?s,?1?1?1?1?1?1
# length 7, uppercase
?u,?1?1?1?1?1?1?1
# length 7, lowercase
?l,?1?1?1?1?1?1?1
# length 7, uppercase + digits
?u?d,?1?1?1?1?1?1?1
# length 7, lowercase + digits
?l?d,?1?1?1?1?1?1?1
# length 7, uppercase + digits + special
?u?d?s,?1?1?1?1?1?1?1
# length 7, lowercase + digits + special
?l?d?s,?1?1?1?1?1?1?1

The documentation for hashcat is... nothing to write home about. Here's all you need to know to decipher the above (hopefully):

  • if the line starts with a #, it's a comment
  • otherwise, it goes custom-charset,pattern: everything before the comma defines custom charset ?1, and the pattern after it is the mask, one ?-token per character position
  • ?1 is that custom charset (up to four can be defined, ?1 through ?4, separated by more commas)
  • ?u means uppercase letters (A-Z)
  • ?l means lowercase letters (a-z)
  • ?d means digits (0-9)
  • ?s means special characters: space, and every ASCII punctuation character (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~)

So ?u?d,?1?1?1?1?1?1 means "six characters, each an uppercase letter or a digit": 36^6, about 2.2 billion candidates.
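To make the mask syntax concrete, here is an added example of my own (not code from the article, and not hashcat's): a pure-Python NT hash (MD4 over the UTF-16LE password, implemented by hand because hashlib's md4 is disabled on most modern OpenSSL builds), a parser for hcmask lines that understands the built-in charsets, ?1 to ?4 custom charsets and literal characters, and a miniature mask attack that runs every candidate against a set of username:hash targets. hashcat's escaped-comma syntax is not handled, and at Python speed it only makes sense for tiny keyspaces. The usernames and passwords in the usage at the bottom are constructed for the demo.

```python
import itertools
import struct

M32 = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many OpenSSL 3 builds."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = ((f, 0, range(16), (3, 7, 11, 19)),
              (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                t, s = (a + fn(b, c, d) + x[j] + k) & M32, shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & M32, b, c
        state = [(u + v) & M32 for u, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash as stored in ntds.dit: unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16le")).hex()

# hashcat's built-in charsets (?s is space plus every ASCII punctuation character)
CHARSETS = {"l": "abcdefghijklmnopqrstuvwxyz", "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
            "d": "0123456789", "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"}

def expand(spec, custom):
    """'?u?d' -> 'A..Z0..9'; ?1..?4 name the custom charsets, ?? is a literal '?'."""
    out, i = "", 0
    while i < len(spec):
        t = spec[i + 1] if spec[i] == "?" and i + 1 < len(spec) else None
        out += spec[i] if t is None else "?" if t == "?" else CHARSETS.get(t) or custom[int(t) - 1]
        i += 1 if t is None else 2
    return "".join(dict.fromkeys(out))  # dedupe, keep order

def parse_hcmask(line):
    """One hcmask line -> per-position charsets (hashcat's '\\,' escape not handled)."""
    *specs, mask = line.split(",")
    custom = []
    for s in specs:
        custom.append(expand(s, custom))  # later custom charsets may reference earlier ones
    tokens, i = [], 0
    while i < len(mask):
        n = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        tokens.append(expand(mask[i:i + n], custom))
        i += n
    return tokens

def mask_attack(targets, hcmask_text):
    """hashcat -a 3 in miniature. targets: {user: nt hash hex} -> {user: plaintext}."""
    wanted = {}
    for user, hexdigest in targets.items():
        wanted.setdefault(bytes.fromhex(hexdigest), []).append(user)  # same hash, same password
    cracked = {}
    for line in hcmask_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for combo in itertools.product(*parse_hcmask(line)):
            if not wanted:
                return cracked
            candidate = "".join(combo)
            for user in wanted.pop(md4(candidate.encode("utf-16le")), []):
                cracked[user] = candidate
    return cracked

if __name__ == "__main__":
    # constructed targets: a short lowercase+digit password, and one with a known prefix
    targets = {"student": nt_hash("x4q"), "admin": nt_hash("P4ss")}
    masks = "# length 3, lowercase + digits\n?l?d,?1?1?1\n# known prefix, then two lowercase\nP4?l?l\n"
    print(mask_attack(targets, masks))
```

The second mask line in the usage shows what the page's file doesn't: literal characters mix freely with ?-tokens, so partial knowledge of a password ("it started with P4") collapses the keyspace from millions of candidates to a few hundred.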

And here it is - one minute and forty-five seconds of glorious hacking:

Alright, so let's look at our passwords:

ff23a8ac18ab518db9fd58555ffbf1d2:DUNCAN

Oh Meg. Listen to the IT person!

What else do we have?

816fd98e9cb03bc00500f57284d5cda7:GJ7B!X

Hey, that's Veronica's!

He's not wrong, you know. A bit uptight maybe, but technically correct.

And the two others are just, well, Wallace, and the IT guy himself:

30d025c36556fa65395fbb62eceeb99b:POLEBOY
6608e4bc7b2b7a5f77ce3573570775af:hunter2

But we used a 2020 password cracking tool. Assuming the attacker somehow had managed to dump the hashes (either by distracting the admin, or being the first to dump an ntds.dit file offsite), they would've used a 2004-appropriate tool to crack the hashes.

So, let's try to plop our hashes into Cain, and see how long it would've taken to "crack" them:

Cool bear

Well?? What are we waiting for?

Amos

I can't find the button...

Cool bear

Have you tried right-clicking?

Amos

Ahh there it is.

Okay, so we have a bunch of charsets to pick from - if we wanted to match some of the masks we passed to hashcat, we could try this:

And in a little under a minute... Meg's password is cracked:

Cool bear

Let's talk realism. Hashcat was using your laptop's nVidia GTX 1050, so obviously it was not 2004-appropriate.

Amos

Right, yes.

Cool bear

But here, what is it using? Do you have multiple cores enabled?

Amos

Nope, just the one core. Which is era-appropriate, because the first dual-core consumer CPU (the Athlon 64 X2) only came out in 2005.

Cool bear

What about clock frequency? Your i7 8750H goes up to 4.1GHz does it not?

Amos

Right, that's where we're taking some creative liberties. It's possible that the hacker would've been rocking an AMD Athlon 64 FX-53, which clocks in at 2.4 GHz.

Cool bear

What about other improvements besides clock frequency?

Amos

Well, I can safely say that Cain 2.5 does not use instruction sets that were not available back then because, well, they hadn't been invented.

Cool bear

Yeah, obviously modern instruction sets are not being used, but what about the size of the CPU caches? Or the efficiency of the branch predictor?

Amos

That's well above my pay grade, but I would assume those would also make a difference. It would be interesting to have someone run Cain 2.5 on the actual hashes on 2004 hardware.

In the interest of this happening, here are the hashes in pwdump format (user:RID:LM hash:NT hash:::), which Cain can import. Notice that the second half of every LM hash is aad3b435b51404ee: that's the LM hash of an empty 7-character half, so before doing any cracking at all, we already know that all four passwords are seven characters or fewer.

Administrator:500:93d1f9ea182df34baad3b435b51404ee:6608e4bc7b2b7a5f77ce3573570775af:::
VeronicaMars:1109:bdd3b50f86f018d2aad3b435b51404ee:816fd98e9cb03bc00500f57284d5cda7:::
WallaceFennel:1110:6d8d3eaa2337305aaad3b435b51404ee:30d025c36556fa65395fbb62eceeb99b:::
MegManning:1111:ef9b11d7b3b40b55aad3b435b51404ee:ff23a8ac18ab518db9fd58555ffbf1d2:::

Now that we've got all of that out of the way - on our not-quite-2004-hardware set up, how long would it take to crack Veronica's password, if we knew its length and the character set used?

Turns out - a few hours!

Again, this is where having 2004 hardware would help a lot.

But that's not the only option in Cain...

In 2004, you could have gotten a 200 GB hard drive (for the low low price of $135). And you know what had just been invented, one year prior?

Rainbow tables!

Now, downloading rainbow tables for NTLM hashes and a reasonably large charset might have been a bit too much to ask for back then: dial-up customers had an average connection speed of 34 kbps, DSL customers had 861 kbps, and cable subscribers had 2178 kbps on average.

Cool bear

Not to mention that data caps are still a thing in the United States today.

Thankfully there's another option! Cain, our password cracker, just happens to ship with winrtgen, a Rainbow table generator.

In the interest of finishing this article before winter, I've picked the exact character set and length Veronica used in her password - an attacker that did not have that knowledge would probably generate several sets of tables.

Cool bear

Uh oh, success probability 54%?

Amos

Fingers crossed! We could increase the chain length or the chain count if we wanted to raise the success chance.

I left our "Hacker Windows XP" instance to hash its heart out, and the next morning... tada!

Now, all we have to do is ask Cain to do a "cryptanalysis attack" on the NTLM hash for Veronica's password:

Load up our rainbow table:

And... thirteen seconds later:

We've got our password.

I guess the Rainbow Table paper was not overstating its claims:

Finally our experiment has demonstrated that the time-memory trade-off allows anybody owning a modern personal computer to break cryptographic systems which were believed to be secure when implemented years ago and which are still in use today. This goes to demonstrate the importance of phasing out old cryptographic systems when better systems exist to replace them. In particular, since memory has the same importance as processing speed for this type of attack, typical workstations benefit doubly from the progress of technology.

Philippe Oechslin, 2003 (PDF)
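As an added example (mine, not code from the article, from Cain or from winrtgen), here is the time-memory trade-off in miniature: chain generation that stores only endpoints, a column-dependent reduction function, the lookup Cain calls a "cryptanalysis attack", and an empirical success rate like the one winrtgen reports. Two assumptions are built in: hashlib.md5 over the UTF-16LE password stands in for MD4 (the NT hash), since hashlib's md4 is disabled on most modern builds and the trade-off is hash-agnostic; and the keyspace is a constructed 36-character, length-3 one (46656 plaintexts) so the table builds in about a second.

```python
import hashlib
import random

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
LENGTH = 3  # 36**3 = 46656 plaintexts: tiny on purpose so the table builds in a second
KEYSPACE = len(CHARSET) ** LENGTH

def hash_password(password: str) -> bytes:
    """Stand-in for the NT hash. hashlib's md4 is disabled on many builds, so md5 is
    used over the same UTF-16LE input; the time-memory trade-off is hash-agnostic."""
    return hashlib.md5(password.encode("utf-16le")).digest()

def index_to_plain(idx: int) -> str:
    """Mixed-radix decode of an integer into a LENGTH-character plaintext."""
    out = ""
    for _ in range(LENGTH):
        idx, r = divmod(idx, len(CHARSET))
        out += CHARSET[r]
    return out

def reduce_fn(digest: bytes, column: int) -> str:
    """Hash -> plaintext. Folding the column number in is what makes this a *rainbow*
    table: chains that collide in different columns don't merge into one."""
    return index_to_plain(int.from_bytes(digest[:8], "little") + column)

def build_table(chain_count: int, chain_len: int, seed: int = 1) -> dict:
    """Precomputation (winrtgen's job): chain_count chains of chain_len hash/reduce
    steps, storing only endpoint -> start points. The chains are recomputed on demand."""
    rng = random.Random(seed)
    table = {}
    for _ in range(chain_count):
        start = p = index_to_plain(rng.randrange(KEYSPACE))
        for column in range(chain_len):
            p = reduce_fn(hash_password(p), column)
        table.setdefault(p, []).append(start)
    return table

def lookup(table: dict, chain_len: int, target: bytes):
    """Cain's 'cryptanalysis attack': for each column the target could sit in, walk it
    forward to an endpoint; if a stored chain ends there, replay that chain from its
    start. Costs about chain_len**2 / 2 hashes instead of KEYSPACE."""
    for column in range(chain_len - 1, -1, -1):
        p = reduce_fn(target, column)
        for later in range(column + 1, chain_len):
            p = reduce_fn(hash_password(p), later)
        for start in table.get(p, []):  # candidate chains; some are false alarms
            q = start
            for col in range(chain_len):
                digest = hash_password(q)
                if digest == target:
                    return q
                q = reduce_fn(digest, col)
    return None

def success_rate(table: dict, chain_len: int, samples: int = 200, seed: int = 7) -> float:
    """Empirical coverage: the number winrtgen reports as 'success probability'."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pw = index_to_plain(rng.randrange(KEYSPACE))
        hits += lookup(table, chain_len, hash_password(pw)) == pw
    return hits / samples

if __name__ == "__main__":
    CHAIN_LEN = 50
    table = build_table(chain_count=2000, chain_len=CHAIN_LEN)
    print(f"{len(table)} endpoints stored for {2000 * CHAIN_LEN} precomputed hashes")
    print(f"coverage of the keyspace: {success_rate(table, CHAIN_LEN):.0%}")
    print("recovered:", lookup(table, CHAIN_LEN, hash_password("v7q")))
```

Raising chain_count or chain_len in the usage raises the coverage, exactly as the winrtgen dialog suggests: more chains cost memory, longer chains cost lookup time, and neither gets you to 100% because chains still merge.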

Cool bear

Cool bear's hot tip

If you want to know more about rainbow tables, check out What's in a rainbow table?

And now back to the show

So, let's summarize. We've seen that if an attacker had:

  • A workstation at home
  • A 64 MiB thumb drive
  • A Live CD of Ubuntu 4.10
  • A large enough hard disk drive
  • A copy of Cain 2.5, including winrtgen

...and also, either an uncle working at Microsoft, or, more likely, the ability to distract the system administrator, gaining physical access to the server logged in as administrator, then they would have been able to "recover the plaintext" of, well, probably all the students in under a day.

Cool bear

That's cool! So the show is realistic, yes?

Amos

Overall, I'd say Veronica Mars is very realistic. Much better than the average TV show.

But here, it's even better. You see... none of that actually happened in the show.

See, when Veronica does her initial research, asking questions to Mac in exchange for breaking into Mac's own car (because whoops, nerd girl forgot her keys)...

Oh Veronica. Your dad's never gonna be sheriff again if you keep breaking the law.

...Veronica actually gets quality information:

Anyone can buy a copy of the test, but to post the results in the first place, you need to use your password.

Who has that information?

Only the student and the I.T. guy.

...and Cain. But yes.

The conversation goes on for a bit:

Neptune High has their own I.T. guy?

Renny Demouy. We share him with the entire school district, but he's here Tuesday and Friday mornings.

You know his schedule by heart?

I do a lot of computer stuff!

Mac coming in with impeccable HUMINT.

So. Renny Demouy. The first time Veronica meets with him, she's surprised. She expected an old guy! But she quickly changes tactics and tries to play the clumsy girl in distress:

Ugh, interrupting the dude in the middle of changing his resolution. Rude.

Can I help you with something?

I hope so!

Um, my friend Julie, it's her Sweet sixteen tomorrow and I wanted to change her screensaver to say "Happy Birthday", like, as a surprise, but I don't know her password. I was told I could get it from you...

Oh boy.

She won't mind, I promise. We're, like, total BFFs.

I... don't know what that means, but... I cannot give you someone else's password. They are confidential.

Am I supposed to, like, pay you or something?

I cannot give it to you. I would lose my job.

I'm sorry, but... no way.

Renny is, from the get-go, hella suspicious. What he should have said is "I cannot give it to you, because I don't have them." A domain controller only stores password hashes: an administrator can reset a password, but never look one up.

It would make sense that when setting up the Active Directory accounts for students, Renny would need to tell the students their initial password, but:

  1. He's not supposed to keep a copy of them
  2. He should enable "User must change password at next logon", so the initial password he handed out stops working after the first login

So anyway, it turns out that Kimmy, who was fighting with Meg over who would sing cabaret, was sleeping with Renny.

Smile for the camera!

That's right. Kimmy was being a jelly nellie. "Ooh, Meg gets all the attention, better violate the CFAA."

The jig is up! Run Kimmy run!!

And, yeah, in exchange for uh, favors, Renny gave Meg's password to Kimmy. Just that one password though - apparently it was someone else who took it way further and started sowing chaos at school by posting everyone's test results.

What, I.T. guy couldn't put two and two together?

...but there's something that bothers me.

Renny could give anyone the passwords if he wrote them down when he set up the accounts. But then how do you explain that conversation between Veronica and Renny?

You're back!

I need to change the password on my e-mail account.

Someone managed to figure out the old one.

That's why your password should always include numbers as well as letters.

Okay Renny. Even in 2004, that's pretty piss-poor advice. But do whatever you can to cover your leaky ass I guess.

Everyone thinks it's fun to use the name of your dog or boyfriend, but that actually makes it easy to crack.

No Renny, they don't think it's fun, they think "so if I forget this, my life is over, right? I'll pick something I can remember!".

And who could blame them.

My old password was GJ7B!X

Well, try and make this one a little bit tougher.

And this is one thing I don't understand. Obviously Renny doesn't remember everyone's passwords off the top of his shiny head. But how did he know Veronica's password if she clearly picked it herself?

Do all students go one by one in Mr. Demouy's office and tell him the password they want, out loud?

Or does Renny have an uncle who works at Microsoft?

You've somehow finished reading Technology, as seen on TV.
