26 HAKIN9
ATTACK
3/2008
To protect against a myriad of attacks,
including malicious injection attacks
and the exposure of archived data, user
data, particularly passwords, is stored in a
non-reversible, non-clear-text form. Interestingly
enough, this same thought process and storage
technique have carried over to the desktop login
space, with desktop OS logins now tied into Active
Directory and other LDAP-based back-ends.
Storing user data such as passwords in plain
text represents a potential security risk. In the event
of a breach, crackers gaining data access via
software flaws (such as improper input validation)
could gain unauthorized access to a multitude of
systems. These days the risk is exponentially higher
than in the past due to developments in Internet/Web-based
single-password and single-sign-on (SSO)
technologies. This access could lead to malicious
activity carried out as any arbitrary real user, with the
permissions of that user. The extent of these actions is
limited only by your imagination and by what access the
target application has been allowed. To mitigate this
security risk, the industry has generally relied upon
password data being stored as the output of a one-way
hashing algorithm. However, given the elevated
sophistication of modern-day attack techniques,
coupled with the way one-way hash algorithms
natively work, vanilla-flavoured one-way hashing
algorithms have really outlived their effectiveness.
The need for randomness, which has come from the
age-old techniques of the Unix world, became critical
to the industry. The specifics of this have come
ANDRES ANDREU
WHAT YOU WILL LEARN...
How LDAP Salted SHA (SSHA) hashes are structured,
How to employ modern day tools to crack LDAP SSHA hashes,
Why LDAP SSHA hashes should be treated as if they are clear-text data.
WHAT YOU SHOULD KNOW...
Basic knowledge of compiling C source code in Linux (x86-based),
Basic scripting in standard languages (some code and/or snippets given in Python, Ruby & PHP),
Basic knowledge o