BlackHash Allows Password Audit Without Access To Hashes

When performing a security audit, particularly as an outside consultant you may occasionally encounter “trust” issues, particularly when requesting sensitive information. Often this is simply required to complete the work that their execs have paid you to perform, but in the case of password strength auditing Richard B. Tilley’s BlackHash provides another alternative.

In the traditional process the security auditor will request a dump of password hashes from all systems that are to be scrutinized. Sources would include /etc/passwd (or shadow on shadow password enabled hosts), SQL (often used as a backend for RADIUS servers and other AAA systems), Active Directory, etc. All sources are dumped and then provided to the security team to run through dictionary cracking software like hashcat. The problem, of course, is that any guessed passwords could then be used for nefarious purposes and one has to trust the security team implicitly.

A more traditional way would be to anonymize the data provided. The simplest way of doing such a thing would be to provide only the hashes to the security team. They would report back with the weak hashes and the company’s trusted internal IT department would grep for the affected hashes and notify those users. This isn’t an ideal solution for a variety of reasons, the most obvious being that the security auditor still has a list of the hashes and this can’t be a good thing. Blackhash solves these problems by using bloom filters, which basically results in a workflow where the trusted IT team run the data into blackhash to produce a filter which the security team can then run against their dictionaries. If weak hashes are detected the file of weak filtered hashes is returned to the trusted IT team who then run it back through the software to determine the users and hashes affected.

Yes, it sounds convoluted and possibly isn’t of much help as most security audits require permissions which could be potentially more damaging to an organization than even leakage of their passwd files. Given the more paranoid organizations will have the security auditor accompanied by at least a minimally trained sysadmin at all times this appears to fill a niche need. Nonetheless I am continually impressed with Tilley’s work, which includes TCHead.

2 thoughts on “BlackHash Allows Password Audit Without Access To Hashes

  1. Why not simply doing it the other way round – instead of the company being audited giving hashes to the auditors, have the auditors provide cracking tools to the company’s IT department, which will run it itself and hand the results to the auditors to include in their reports?

    • Fair point, although I guess you have the argument that they may not fully disclose the extent of a problem (especially if the business certification depends on the audit, ie in the health sector) and, say instead report that say 13 accounts were cracked rather than 130. I guess in either case if they wanted to deceive the auditor they could pre-run the tools they are likely to use against some big dictionaries and fix any problems before the auditor sees it, so fair point…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s