Tools for Heavy-Duty Attacks Get a Little Too Easy

At most technical conferences, presenters bringing up risks from the cloud would talk about lost data, the difficulty of integrating authentication and monitoring among different platforms, the inability to verify the security of the hardware actually holding the data—all issues having to do more with process than technology.

In two presentations at the Black Hat security conference this week, however, researchers demonstrated one commercial service and one bot-building technique designed as penetration tools for improving security—while also posing a potent threat on their own.

Information-security provider Praetorian announced July 31 a free, cloud-based password-cracking service designed to test or crack the password of every user in a company. PWAudit is a password-security testing tool designed to automate the process of testing passwords, while making it clear to end users how to choose a good one.

“I cannot count the number of times that a site-wide compromise of a client’s environment started with a weak, default or re-used password,” according to a statement from Joshua Abraham, director of professional services at Praetorian in an announcement of the service.

PWAudit is designed to address potential problems in passwords by “proactively test[ing] their security posture by identifying weak passwords throughout their environment in an ongoing manner,” he added.

The site has a box onto which users can drag files loaded with passwords. It can auto-detect the type of password, upload many files at once, and use more than 15GB of word lists and 9TB of rainbow tables to actually crack passwords open. It can support hash types including LM-NT2, MD5, MSCACHE, MS SQL 05, MYSQLSHA1, SHA1, SHA256, SHA512, ORACLE, ORACLE11G, and DES.

The service relies on Amazon’s AWS EC2 running on Nvidia Tesla Fermi GPUs for processing power; users can spin up as many EC2 instances as they want for $2.20 per hour per GPU.
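The kind of weak- and reused-password check that PWAudit is described as automating, as an added example that is not Praetorian's code: it guesses the hash type from the digest length, matches each unsalted hash against a small wordlist and flags accounts that share one hash. The wordlist, usernames and hash dump are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Hex-digest length -> unsalted hash algorithm: the "auto-detect" heuristic.
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed wordlist: the default/common passwords an auditor would try first.
WORDLIST = ["password", "Password1", "welcome1", "changeme", "123456", "admin"]


def detect_hash_type(digest_hex):
    """Guess the hash algorithm from digest length; None if unrecognised."""
    return HASH_BY_LENGTH.get(len(digest_hex.strip()))


def audit(hash_dump, wordlist=WORDLIST):
    """hash_dump: list of (username, hex_digest). Returns a report dict with
    'weak' (user -> matched word), 'reused' (sets of users sharing one hash)
    and 'unknown' (users whose hash type could not be detected)."""
    report = {"weak": {}, "reused": [], "unknown": []}
    lookup = {}  # algo -> {digest: word}, built once per algorithm, not per user
    by_hash = defaultdict(set)
    for user, digest in hash_dump:
        digest = digest.strip().lower()
        by_hash[digest].add(user)
        algo = detect_hash_type(digest)
        if algo is None:
            report["unknown"].append(user)
            continue
        if algo not in lookup:
            lookup[algo] = {hashlib.new(algo, w.encode()).hexdigest(): w
                            for w in wordlist}
        if digest in lookup[algo]:
            report["weak"][user] = lookup[algo][digest]
    # Identical hash => identical password, cracked or not: flag the re-use.
    report["reused"] = [users for users in by_hash.values() if len(users) > 1]
    return report


# Constructed sample dump mixing hash types; not data from any real system.
SAMPLE_DUMP = [
    ("alice", hashlib.md5(b"Password1").hexdigest()),
    ("bob", hashlib.sha1(b"S3cure!Long-Passphrase").hexdigest()),
    ("carol", hashlib.sha256(b"welcome1").hexdigest()),
    ("dave", hashlib.sha256(b"welcome1").hexdigest()),  # same as carol
    ("erin", "not-a-hash"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

The length heuristic only works for unsalted digests; a store that salts per user defeats the shared pre-hashed lookup and forces one hash computation per account per word, which is exactly the cost a salted scheme is meant to impose.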

Well-known hacker Moxie Marlinspike, who runs the blog, launched a similar service last year that offers lower-cost flat rates, but offers to crack only wireless LAN WPA/WPA2, NTLM, SHA-512, MD-5 and MS-CHAP hashes. Or, for a flat rate, admins can run WPA-PSK hashes against a list of 604 million words for $17, 1.2 billion words for $34 or 4.8 billion words for $136.

There are other online hash-cracking services, but most are designed for individual users who have lost their passwords or individual hackers pretending they did.

Just cracking a few passwords at a time shows a lack of appreciation of the power of the cloud, according to one presentation at this week’s Black Hat security conference in Las Vegas. Software bots installed as agents on vulnerable machines are a far more efficient way to crack passwords, send spam or launch DDoS attacks than simply using one cloud, especially if the attack uses a million slaved PCs assembled for next to no cost, according to the originators of the exploit—Jeremiah Grossman, CTO of WhiteHat Security, and Matt Johansen, manager of WhiteHat’s Threat Research Center.

Their demonstration showed a series of ways carefully written JavaScript or even HTML could subvert the function of the browser and give attackers complete control. The exploit the two demonstrated relied on added or rewritten lines of JavaScript to add libraries that, in turn, would load the attackers’ applets on tens, thousands or tens of thousands of computers—often without leaving any indication the PC had been compromised.

Ad networks review the code in ads sent to them, but are not typically able to spot cleverly written malicious code, leaving users at risk from JavaScript code that pops up, delivers its payload and goes away again.

The hack didn’t break any technical rules, the two said. It relied on normal queries, ad serving and Java running in browsers without many significant changes, though the pair did find a way to raise the number of simultaneous connections from a default of six to several hundred.

“This attack is not persistent,” Grossman told SecurityWatch. “There’s no trace of it. It does its ad-display and goes away. The code isn’t crazy fantastic, it’s just using the Web the way it’s supposed to work. So whose problem is it to fix?”

During the presentation, the two demonstrated an attack that brought down a server with connection requests launched from an ad they “purchased” on the demo server. Every time someone opened the page, a flood of network connections hit the target machine.

The same approach could be used to run calculations in parallel on hundreds or thousands of PCs simultaneously. “The Web has near complete control of your browser as long as you’re connected,” Johansen said in the SecurityWatch story. “Everything we do in our demo, we’re not hacking anything. We’re using the web the way it was meant to be used. My apologies, we don’t have a solution.”


Image: Maksim Kabakou/