Dear Reader,
A few years ago, when I started to work at a new company, I asked for a certain password I needed to access some systems I had to work with. One of my new colleagues told me it was "enirstuda4711" and that it apparently was the best password ever! The reason why it was so incredibly good was that the letters it contained were statistically distributed in some kind of perfect way.
“So we have a very hard to crack password here”, I said, “why not put it online and suggest that everyone use it?” :-)
Yesterday I decided to set up a user on my Windows machine and see if I could crack this password. I called the user Jabberwocky. From my laptop, my second computer in the local network, I first looked up the default gateway to find out which subnet I was using:
ipconfig
My machine sits in the 192.168.1.0/24 subnet (subnet mask 255.255.255.0), as can be seen in the picture. The next step is to find out which machines live on the internal network. I ran the Nmap port scanner with the ping-scan option to sweep all IPs between 192.168.1.1 and 192.168.1.255 (newer Nmap releases call this option -sn; -sP is kept as an alias):
nmap -sP 192.168.1.1-255
So there are three machines on my network: 192.168.1.1 is my router, 192.168.1.101 is the laptop I was working from, and 192.168.1.102 is the machine I needed to grab the password hashes from.
On Linux machines there is the passwd file in the /etc directory. It contains information about every user that has an account on the machine. Historically it also contained the hashed passwords. A password hash is computed from the plain-text password by a one-way function; on Unix systems a random salt is mixed in, so two users with the same password get different hashes. Each time a user logs in, the password they provide is put through the same hash function and the result is compared to the stored hash. If they match, the original passwords match as well (barring a collision, which a sound hash function makes infeasible to find).
A hashed password could look like this (16 bytes, written as 32 hex digits):
02196B74B249B1C7B3CA94183F9EEE53
On Linux systems the hashes are nowadays not stored in the passwd file itself, which is world-readable (mode 644), but in a file called shadow, which is readable only by root and the shadow group (mode 640 or stricter).
On Windows NT, 2000 and XP systems these hashes are stored in the SAM registry hive, which lives on disk as the file SAM under C:\WINDOWS\system32\config. If rdisk has ever been run, an old copy will also be found under C:\WINDOWS\repair. Since Windows 2000 (and NT4 with SYSKEY enabled) the hashes inside SAM are additionally encrypted with a boot key derived from the SYSTEM hive, so a copied SAM alone is not enough; you need SYSTEM as well. The bigger problem is that you cannot read the SAM file on a running system: the kernel keeps the hive file open exclusively while the registry is loaded, so ordinary file access is refused.
So how can you access the hashes from Windows? There is no neat way.
- Boot the system from a live CD such as Knoppix and simply copy the SAM file (and the SYSTEM hive, for the boot key) off the disk. This, however, requires physical access to the machine, which quite often is not an option.
- Run PwDump. This handy little program injects a DLL into the LSASS process and dumps the hashes to a file. The first problem is that it will not succeed if something like ProcessGuard is installed on the system. Second, and more of a problem, you need administrator access to the machine whose SAM you want to dump.
- Sniff the authentication traffic as it flies by on the network. What you capture is not the stored hash itself but the LM/NTLM challenge-response exchange; that can still be cracked offline (or relayed), and since it needs neither physical access nor admin rights it is probably the best choice.
Because all of these methods are a bit awkward, the typical attacker would probably first try to find out more about the system, for example by running another Nmap command, like this one:
nmap -sS -sV 192.168.1.102
This command does a port scan of the specified machine. We can see which ports are open, which programs are listening on them and a “best guess” at their versions. From this information the attacker can look for known vulnerabilities in one of those services and eventually get root (administrator) access to the system and retrieve the password hashes. This, however, is the “art” that makes a good hacker, and I am not one of them.
Therefore I used PwDump to log in to the machine and get the hashes out of its SAM:
PwDump.exe 192.168.1.102 encryptedpasswords.txt raoul
This did the trick (the arguments are the target host, the output file and the user name to connect as) and, after removing accounts of no interest, the retrieved dump looked like this, one line per account in the form user name, RID, LM hash, NT hash:
Jabberwocky:1011:02196B74B249B1C7B3CA94183F9EEE53:1BE5C84F89A07C0F6BF47E37127ABDDC:::
Now I am finally ready to crack the “best password ever” with John the Ripper or L0phtcrack (L0phtcrack came to Symantec with its purchase of @stake, and it looks as if the product is no longer available through the usual channels. Another way to do “security by obscurity“).
John the Ripper is usually run as a dictionary tool, trying words from a wordlist and mangled variations of them, though its incremental mode is a brute-force attack; L0phtcrack also offers dictionary and hybrid modes, but its strength is the brute-force attack, basically trying every possibility. Against LM hashes brute force is feasible because the password is upper-cased and split into two independent halves of at most seven characters each, while the NT hash covers the whole password but, like LM, carries no salt.
Both cracking tools eventually cracked the password enirstuda4711. However, it took a few hours. Here are the results:
John:
L0phtcrack:
(Note: Both programs were actually run from the local machine, not the laptop, for performance reasons)
One way to prevent L0phtcrack from eventually, in the far future, cracking your super-duper password is to use characters that cannot be typed directly (extended ASCII characters, outside the character set a brute-forcer normally tries) as part of your password. With NUM LOCK on, hold ALT and type the character's code on the numeric keypad, ALT-a-b-c, where a, b and c are the digits of the code from the ASCII table, as in ALT-2-5-5. The larger lesson from the LM format, though, is length: a password longer than 14 characters gets no LM hash at all, and LM hash storage can be switched off entirely (the NoLMHash setting, “Do not store LAN Manager hash value on next password change”), which leaves the attacker only the unsalted but uncut NT hash to brute-force.
So this is it. And by the way, the “best password ever”, enirstuda4711, is not in use anymore :-)
Thank you.
Dear Reader,
I just came home from shopping. While queueing forever, I had plenty of time to study the goodies that are usually placed just in front of the cashpoint. There is stuff that is meant for little kids so they can annoy their parents with: “If I don’t get this, I cry like hell until you are so embarrassed by everybody giving you weird looks that you WILL buy it!”. But then there are other things there: cigarettes and alcoholic beverages, the strong stuff. The things that usually are excluded from general rebates.
However, today I found ALL the shaving blades of Gillette right there as well! Prominently placed in very big packages, so it is harder to steal them. Why would you steal them? They are REALLY expensive! A set of the cheapest was CHF 23 (USD 19). Gillette's latest toy for “the best in man”, the Gillette Fusion Power blades, were available for CHF 46 (USD 38).
That is a lot of money! To get these razor blades out into the stores all over the country, the retailers have to hire security companies that usually pick up the money in their bullet-proof vans. That’s HOW valuable those little things are! The saffron of the 21st century. Had I gotten all my salaries in razor blades instead of ordinary cash, I’d be a wealthy man by now…
“It looks like the big razor companies agreed to form some kind of cartel to keep prices high. Someone should make a business out of selling cheap blades that go along with the Gillette and Wilkinson handles…”, I thought to myself. This was when I noticed the Matrix3 to the left of me. Many meters in front of the cashpoint and in an ordinary, less guarded shelf.
“Wow! Who is the cheeky company that dares to threaten the cartel?”. On the package I could only find the branding of the retailer I was at, Coop. From some very quick googling/asking around I also did not find out a lot more. But it looks like it is some American company and that the Matrix3 can be bought in $1 shops in the U.S. Here it is sold for CHF 7 (USD 5.7) for the handle and two blades, and the extra blades cost CHF 6 (USD 4.9).
The Matrix3 (His Way) has three blades and looks like a normal razor. The only uncool thing about it so far is that it lacks the sexy way of unloading the old blade: the Gillette has a button that ejects the blade right into the bin. On the Matrix3 you have to kind of “break” it off. But unlike in the adverts, there is seldom a sexy woman around who watches me shaving, let alone watching me swap blades. So that should not be the problem.
The essential questions are: “Is this a razor that delivers a nice shave? Or do I cut myself all the time?”. Those are the key questions.
On the “old index” of wesblog (search for “matrix”), I found a “user-review” with the promising title:
“So You’ve Purchased a Matrix 3! (Alternate Title: So you’ve decided to kill yourself slowly and painfully!)”
Excerpt: “Got bored and glued some rusty blades to a stick today. All at weird angles and stuff. Dared my assistant to shave with it. We will be having the memorial service tomorrow.”
Apparently, it was invented by the Spanish Inquisition! Oh my God! What have I just bought! – Yes, I bought it and I AM REALLY AFRAID TO USE IT NOW! Damn! My only hope is that the editors of the wesblog are paid by the razor blade cartel…
So I found the blog of Tom Doobie. He gave me hope, a lot of hope, here’s an excerpt:
“The first shave seemed decent. Not blow me away decent, but good. Of course, I had a two-day growth on my face, so that may have factored in. But after that it was smooth sailing. The shaves were as good as the Sensor, if not better. But that’s not the best part. My stubble can render a new Gillette Sensor blade inoperable after two shaves…sometimes three. Ever since I’ve been using the Matrix3, I’ve been able to squeeze out up to a *week* of shaves before changing the blade. A WEEK. So not only is the Matrix3 cheaper than the Sensor, the blades last about three times as long. And guess what? I ran out of Matrix3 blades the other week and had to resort back to my Sensor. It tore my face up, even with a brand new blade.”
I just hope Tom is an honest man. I will find out myself tomorrow and let you know…
Thank you.