There are so many things to say, and no time or space to express them fully. There are so many things that I wish to learn, yet there is not enough time or money to learn them all. So I have elected to seek after the subjects which ignite a passion in my being. -- Dulce Viva

Today it is cold and cloudy in Seattle. It hasn't rained since I arrived on Sunday night (it is Wednesday now); I understand this is quite unusual for Seattle this time of year. I am enjoying the weather, the scenery, and the break from my daily routine. Today I left my lunch ticket at the hotel, and so I had to find someplace outside of the conference to eat. I stopped at a tiny pizzeria around the corner. The pizza wasn't great, but it was good to flush out the bitter-coffee nausea engulfing my stomach this morning.
Last night, I stayed up working on two things. One, this blog. I finally have a scheme that is publishable (on a temporary basis - as is everything on my web site). You're looking at the fruit of my labour now. The second thing was purely theoretical. Consequently I do my best thinking while drifting between sleep and wake. It was a restless night, so I made quite a bit of progress on this idea: time vector analysis of the SHA hashing algorithm. While dreaming of a framework to implement this, I delved into a more general arena of distributed pattern recognition, event correlation, dependency extraction from seemingly random data, etc. What is this?? This arena involves finding relationships, dependent variables, and patterns in otherwise random data sets. For example, a SHA hash. Can a relationship between the input and the output be determined? If so, this opens the door to a wide range of attacks on the use of one-way hash algorithms. The idea behind one-way hashes is quite simple: to produce output as unique as possible for a given input, and to use an unstable algorithm. By unstable, I mean: for small changes in the input, we get large changes in the output. This adds to the security of the algorithm. I would like to set up a distributed system in which a database of each clear text to hash output is stored. In doing so, we would have a good base for data mining relationships with. This approach isn't meant to crack large blocks of data, instead shorter passages, such as passwords or session tokens.
So, how can we find patterns/relationships in this kind of unstable data? Break it into pieces. Allow these pieces to represent vectors in a dimensional space (the dimension depends on the number of pieces that are used -- 3 or 4 would be handy). Now you can use some spatial analysis to look for dependencies within the data. If you were to draw a time-spatial diagram of the data, you should be able to see which input vectors affect the behavior of the output vectors.
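As an added example (my code, not the author's), here is a small Python script that measures the "unstable" property the post describes, using the stdlib hashlib only. It flips one input bit at a time, re-hashes, breaks each digest into 3 or 4 equal-width pieces (the post's "vectors"), and records what fraction of each piece changed. The sample inputs are constructed, password-length strings; the piece count and the choice of MD5/SHA-1 are parameters, not anything the post fixes.

```python
import hashlib
from statistics import mean


def digest_int(data, algo="sha1"):
    """Return the digest of `data` as one big integer so we can do bitwise math on it."""
    return int.from_bytes(hashlib.new(algo, data).digest(), "big")


def digest_bits(algo="sha1"):
    """Width of the digest in bits (160 for SHA-1, 128 for MD5)."""
    return hashlib.new(algo).digest_size * 8


def hamming(a, b):
    """Number of bit positions in which two equal-width integers differ."""
    return bin(a ^ b).count("1")


def flip_bit(data, bit_index):
    """Copy of `data` with one bit toggled (bit 0 is the LSB of the first byte)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def split_pieces(value, total_bits, pieces):
    """Break a digest into `pieces` equal-width chunks, most significant first.
    These chunks are the coordinates of the 'vectors' the post talks about."""
    width = total_bits // pieces
    mask = (1 << width) - 1
    return [(value >> (width * i)) & mask for i in reversed(range(pieces))]


def avalanche_by_piece(inputs, algo="sha1", pieces=4):
    """For every input and every input bit: flip that bit, re-hash, and record the
    fraction of each output piece that changed. Returns the mean fraction per piece.
    A value near 0.5 for every piece means no single input bit is tied to any
    particular region of the output."""
    total = digest_bits(algo)
    width = total // pieces
    flipped = [[] for _ in range(pieces)]
    for data in inputs:
        base = split_pieces(digest_int(data, algo), total, pieces)
        for bit in range(len(data) * 8):
            other = split_pieces(digest_int(flip_bit(data, bit), algo), total, pieces)
            for i in range(pieces):
                flipped[i].append(hamming(base[i], other[i]) / width)
    return [mean(f) for f in flipped]


# Constructed sample: short, password-like inputs, the kind of data the post targets.
SAMPLE_INPUTS = [f"passw0rd{i:04d}".encode() for i in range(200)]


def run_demo(algo="sha1", pieces=4):
    """Mean per-piece flip fraction over the constructed sample set."""
    return avalanche_by_piece(SAMPLE_INPUTS, algo, pieces)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, [round(x, 3) for x in run_demo(algo)])
```

Each run prints four numbers per algorithm, all close to 0.5: flipping any one input bit changes about half the bits of every output piece, which is exactly the "small change in, large change out" behaviour described above. If some piece ever drifted well away from 0.5 for a particular input bit, that would be the kind of dependency the time-spatial plot is meant to reveal; the same harness can be pointed at any other hash in hashlib.algorithms_available.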
Wow, the afternoon sessions at Black Hat were incredible. I attended:

Payload Anatomy by Riley Hassell
Vivisection of an Exploit by Dave Aitel
Applied Black OP Networking by Dan Kaminsky
Securing Your Network Part 2 by Erik Birkholtz and Eric Schultze

Absolutely incredible information. I could use another week of this kind of lecturing. Throw in some labs and I might actually become a legitimate hacker. I definitely learned some new tricks from the last session. I had no idea you could use NTLM hashes to authenticate a user -- but it makes sense. I also understand what "The Egg" is in regards to exploit coding, thanks to Dave Aitel, who by the way has a very nice product called Canvas for $995. Dan Kaminsky mostly discussed Scanrand, and some things that you could use it for. Very nice, it scanned 65,535 LAN addresses on port 80 in 4 seconds. I am considering integrating this into Nessus, if no one has already done it. I could really use a scanner like this to cover more ground more quickly. Once you get some host to answer up, then you can go back with nmap or queso and fingerprint the host.
Another super cool thing Dan showed us was this nice QT program called Phentropy using OpenQVIS. All you have to do is pass it a three-dimensional matrix of values, and it plots them in three dimensions. When I saw this, my jaw dropped. It is incredible for rendering MRI information on a PC -- and it is free. However, the thing that really got me going was that it fits right into the stuff I was thinking about this morning, doing a time-spatial analysis of SHA and MD5 hashes!! If there are any relationships between the inputs and the outputs, I should be able to construct a suitable way to demonstrate this.
PS, I am so strung out on coffee. I have to stop drinking it now.
