January 2, 2017
By the end of the year, we witnessed a huge increase in the amount of attacks that extracted large quantities of personal information, emails and passwords. Even one of the biggest email services, Yahoo, suffered an attack by cyber-criminals and they robbed more than 500000 accounts, in doing so, accessing to everyone’s passwords. One of the most common methods of storing passwords on rest is hashing, it’s a mathematical function that transforms data into a fixed-length value or key that represents the original data.
You can use hashing algorithms to reinforce integrity and also to store passwords, as long as the data never changes. The resulting hash will always be the same. By comparing hashes created at two different times you can determine if the original data is still the same. Passwords are often stored as hashes, when a user creates a new password, the system calculates the hash and stores it. Later, when a user logs-in, the system calculates the hash of the password entered and compare it with the one stored, if it is the same then the person entered the correct password. The most common hashing algorithms are MD5 (Message Digest 5), SHA (Secure Hash Algorithm) and HMAC (Hash-based Message Authentication Code).
However, hashing has a vulnerability, rainbow tables. Which are huge databases of precomputed hashes, and it helps crackers to discover passwords comparing thehash of a stolen password with the database. Some of these tables are bigger that 160 GB in size, and they include hashes for almost every possible combination of characters.
Challenge Yashira Hash 3
In this challenge, they give us a hash that needs to be cracked, and then answered it with the password on clear text.
We could use a rainbow table to crack this hash but it will need a huge database or an algorithm that uses every hash and password to compare. On the contrary, we could use crackstation to do this task. It only needs the hash and the site cracks it with its own database.
Figure 2. crackstation hashing solver
It then discovers the clear text password of the hash given, telling us that it is SHA1. It uses colors to indicate if the search was successful, if a partial a partial match was found or if no password was found at all
Figure 3. Solution given by crackstation
To protect against these types of attacks, developers and systems administrators should add security measures additional to hash such as salt. Salting passwords prevent rainbow table attacks adding a set of random data at the end of the password before hashing it. These additional characters add complexity to the password and cause that password attacks that compare hashes to fail. Some of the common methods of salting are Bcrypt and PBKDF2 (Password-Based Key Derivation Function 2).
Recommended blog posts
You might be interested in the following related posts.
Get an overview of vulnerability assessment
Benefits of continuous over point-in-time pentesting
For which security standards is pentesting a must-have?
Pentesting is a system-agnostic approach to security
Differences between these security testing approaches
Our CLI is an approved AST tool to secure cloud apps
How BAS solutions work, their importance and benefits
Disclosure rules proposed by SEC may soon take effect