BlackHash Allows Password Audit Without Access To Hashes

When performing a security audit, particularly as an outside consultant, you may occasionally run into "trust" issues when requesting sensitive information. Often access to that information is simply required to complete the work the organization's executives have paid you to perform, but for password strength auditing Richard B. Tilley's BlackHash offers another option.

In the traditional process the security auditor requests a dump of password hashes from every system that is to be scrutinized. Sources include /etc/passwd (or /etc/shadow on hosts with shadow passwords enabled), SQL databases (often used as a backend for RADIUS servers and other AAA systems), Active Directory, and so on. All sources are dumped and handed to the security team to run through dictionary cracking software such as hashcat. The problem, of course, is that any guessed passwords could then be used for nefarious purposes, so the organization has to trust the security team implicitly.

A more careful approach is to anonymize the data provided. The simplest form is to hand the security team only the hashes, with no usernames attached. They report back the weak hashes, and the company's trusted internal IT department greps for the affected hashes and notifies those users. This isn't an ideal solution for a variety of reasons, the most obvious being that the security auditor still walks away with a list of the hashes, which can't be a good thing. BlackHash solves these problems with Bloom filters. The resulting workflow: the trusted IT team feeds the hash dump into BlackHash to produce a filter, which the security team then runs their dictionaries against. If weak hashes are detected, the file of matching hashes is returned to the trusted IT team, who run it back through the software to determine which users and hashes are affected.
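The three-party workflow described above, as an added example that is not BlackHash's own code and does not reproduce its file format or hashing choices. It assumes a minimal Bloom filter built with double hashing over SHA-256, an unsalted SHA-256 hex digest standing in for whatever password hash scheme the audited hosts actually use, and a constructed four-account dump and six-word dictionary. The IT side builds the filter and later resolves the auditor's findings; the auditor side only ever sees the filter and its own dictionary.

```python
import hashlib
import math


def _positions(item: bytes, m: int, k: int) -> list[int]:
    # Kirsch-Mitzenmacher double hashing: k bit positions derived from one SHA-256
    digest = hashlib.sha256(item).digest()
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so the stride never collapses
    return [(h1 + i * h2) % m for i in range(k)]


class BloomFilter:
    """m-bit filter with k probes; membership tests may false-positive, never false-negative."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray((m + 7) // 8)

    def add(self, item: bytes) -> None:
        for p in _positions(item, self.m, self.k):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in _positions(item, self.m, self.k))


def optimal_params(n: int, fp_rate: float) -> tuple[int, int]:
    # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 probes
    m = math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k


def password_hash(password: str) -> str:
    # Placeholder scheme (assumption): unsalted SHA-256 hex stands in for the real hosts' format
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample dump: account -> hash, as the IT team would extract it
USER_HASHES = {
    "alice": password_hash("Tr0ub4dor&3"),
    "bob": password_hash("password123"),
    "carol": password_hash("letmein"),
    "dave": password_hash("correct horse battery staple"),
}

# Constructed sample dictionary, as the auditor would supply it
DICTIONARY = ["123456", "password", "password123", "letmein", "qwerty", "admin"]


def it_build_filter(user_hashes: dict[str, str], fp_rate: float = 1e-6) -> BloomFilter:
    # IT side: only the filter (and m, k) leaves the building; usernames and hashes stay home
    m, k = optimal_params(len(user_hashes), fp_rate)
    bf = BloomFilter(m, k)
    for h in user_hashes.values():
        bf.add(h.encode())
    return bf


def auditor_find_weak(bf: BloomFilter, dictionary: list[str]) -> list[str]:
    # Auditor side: hash each candidate and keep those the filter claims to contain
    return sorted(password_hash(w) for w in dictionary if password_hash(w).encode() in bf)


def it_resolve(user_hashes: dict[str, str], weak_hashes: list[str]) -> list[str]:
    # IT side: map returned hashes back to accounts; anything not in the real dump
    # was a Bloom false positive and is silently dropped here
    weak = set(weak_hashes)
    return sorted(user for user, h in user_hashes.items() if h in weak)


def run_workflow(user_hashes: dict[str, str] = USER_HASHES,
                 dictionary: list[str] = DICTIONARY) -> list[str]:
    bf = it_build_filter(user_hashes)
    weak = auditor_find_weak(bf, dictionary)
    return it_resolve(user_hashes, weak)


if __name__ == "__main__":
    print("accounts with dictionary passwords:", run_workflow())
```

Two caveats that the real tool has to deal with as well: the filter is one-way but not free of information, since anyone holding it can test candidate passwords against it at exactly the auditor's cost, so it still deserves the same handling as any other audit artifact; and because a Bloom filter can report a match that was never inserted, the final lookup against the real dump on the IT side is what turns "possibly weak" into a confirmed account list.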

Yes, it sounds convoluted, and it may not help much, since most security audits require permissions that could potentially be more damaging to an organization than even the leakage of its passwd files. Given that the more paranoid organizations will have the security auditor accompanied by at least a minimally trained sysadmin at all times, this appears to fill a niche need. Nonetheless I continue to be impressed with Tilley's work, which includes TCHead.