Category Archives: Passwords

From CSV to CMD to qwerty

The ongoing breach stories of targeted email campaigns harbouring malicious attachments made me think of writing up a summary of a presentation I gave at the amazing NCC Con held in Dublin in January this year. The talk was based on a pentesting war story that started off exploiting the old (but I believe often overlooked) Dynamic Data Exchange (DDE) trick to go from an Excel export function in a web app to OS code running on users’ workstations. From there, the story takes us on to domain creds via some NTLMv2 theory (without a pentest laptop), a bug in hashcat and a new script “catflap”. Continue reading

How To Improve Password Storage Security Right Now

In episode 120 of the TechSNAP podcast [skip 20 mins in], hosts Chris and Allan were discussing last month’s breach of the Ubuntu Forums, in which an estimated 1.82 million account details were at risk. According to Ars Technica, MD5 hashing was in place with a per-user salt. But whether you’ve got plaintext passwords, unsalted hashes, or single-iteration hashing, it’s time to upgrade. Chris and Allan discussed this issue, noting that when a user logs in, the web application has the plaintext password, so that’s the opportunity to store the password using the new algorithm; users who haven’t logged in for a while will just have to wait. Of course, it doesn’t have to be this way: you can be a lot more proactive – and I’m sure Chris and Allan, who were just speaking off the cuff, would realise that too with a moment’s thought. Continue reading
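As an added example (not code from the post or from the podcast), here is the upgrade-on-login path the hosts describe, beside the proactive alternative: wrapping each existing salted-MD5 digest in a slow hash straight away, without the plaintext, so that a stolen table costs the attacker the slow-hash price per guess even for users who never log in again. The legacy scheme follows the per-user salted MD5 described above; the choice of PBKDF2-HMAC-SHA256, the iteration count, the record layout and every function name are assumptions of this example rather than anything the forum or the post specifies.

```python
"""Upgrading stored password hashes two ways: on login, and proactively.

Legacy scheme: MD5 over a per-user salt plus the password (as reported above).
New scheme: PBKDF2-HMAC-SHA256 (an assumed choice for this example; any slow,
tunable password hash would do).
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed value; tune to your own latency budget


def legacy_md5(password: str, salt: bytes) -> str:
    """The old scheme: a single MD5 over salt + password, stored as hex."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_legacy_record(password: str) -> dict:
    """A credential as the old code base would have stored it (constructed)."""
    salt = secrets.token_bytes(8)
    return {"scheme": "md5", "salt": salt, "hash": legacy_md5(password, salt)}


def pbkdf2(material: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def make_upgraded_record(password: str) -> dict:
    """A native record under the new scheme; needs the plaintext."""
    salt = secrets.token_bytes(16)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": pbkdf2(password.encode("utf-8"), salt, PBKDF2_ITERATIONS)}


def wrap_legacy_record(record: dict) -> dict:
    """Proactive upgrade with no plaintext: feed the stored MD5 hex digest
    into PBKDF2 under a fresh outer salt. Run once over the whole table.
    Verification later recomputes MD5(salt+password) and then the outer hash."""
    if record["scheme"] != "md5":
        return record
    outer_salt = secrets.token_bytes(16)
    inner = record["hash"].encode("ascii")
    return {"scheme": "pbkdf2(md5)", "legacy_salt": record["salt"],
            "salt": outer_salt, "iterations": PBKDF2_ITERATIONS,
            "hash": pbkdf2(inner, outer_salt, PBKDF2_ITERATIONS)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison for every scheme still present in the table."""
    scheme = record["scheme"]
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password, record["salt"]), record["hash"])
    if scheme == "pbkdf2(md5)":
        inner = legacy_md5(password, record["legacy_salt"]).encode("ascii")
        return hmac.compare_digest(
            pbkdf2(inner, record["salt"], record["iterations"]), record["hash"])
    if scheme == "pbkdf2":
        return hmac.compare_digest(
            pbkdf2(password.encode("utf-8"), record["salt"], record["iterations"]),
            record["hash"])
    raise ValueError(f"unknown scheme {scheme!r}")


def login(record: dict, password: str) -> tuple[bool, dict]:
    """Opportunistic upgrade: a successful login is the one moment the
    application holds the plaintext, so any non-native record (legacy or
    wrapped) is replaced by a native PBKDF2 record. Returns (ok, record)."""
    if not verify(record, password):
        return False, record
    if record["scheme"] != "pbkdf2":
        record = make_upgraded_record(password)
    return True, record


if __name__ == "__main__":
    stored = wrap_legacy_record(make_legacy_record("qwerty"))  # proactive pass
    ok, stored = login(stored, "qwerty")                        # on-login pass
    print(ok, stored["scheme"])
```

The wrapped form is a stopgap, not the destination: it still inherits MD5's weaknesses as the inner function, so the login path should keep converting wrapped records to native ones, and the `scheme` tag is what lets a migration report show how much of the table is still on the old path.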