I love it. News keeps coming out about how to use the cloud to break security, or even to offer hacking as a pay per use cloud service using “Exploit-as-a-Service” models. The almost limitless availability of compute power in the cloud makes us rethink some core security techniques like hashing.
Today, however, a researcher announced he can use the cloud to crack MD-5 hashes, which are a relatively difficult hash to crack, using Google, and with almost zero compute cycles. It sounds impossible, but it’s elegant in its simplicity. Very out of the box way to think like a hacker.
We’ve seen how you can use Amazon’s cloud (AWS) to launch password-cracking attacks on Wi-Fi passwords, and with Amazon’s “Cluster GPU Instances” you can get access to number-crunching NVIDIA cards on a server with 10 Gig network I/O and 22 GB of memory. Way easier than setting up an ambient cloud (a botnet in this case) to do it.
This researcher was able to crack more than 10 SHA-1 hashed passwords in less than an hour of time on a single Cluster GPU Instance. That’s about $0.20 of CPU time per password.
But the new approach announced today is way cooler. Instead of brute-forcing a dictionary attack using masses of servers in the cloud, its creator takes advantage of another mass of servers in the cloud called “Google Search.” In a shockingly simple way of breaking some MD-5 hashes, the software simply searches Google for the hash and assumes the clear text password will be on the first page of Google results. It usually is.
This works because when you need to store a file indexed by a key, a common technique is to make the filename the key’s MD5 hash. (Yes, MD5 is good for more than just security…) In this case, it’s useful because it’s fast and resistant to accidental collisions. (A collision is the rare instance when 2 different words have the same hash.)
So in effect, Google is storing the result of millions of MD5 hashes of common filenames, which means you can simply look up the hash and see what file names are associated with them. So if your password is “pictures” you can be pretty sure there’s a file with that name that’s been hashed.
In fact, it’s really simple. I MD5 hashed “pictures” using this online hasher, and got “9ed98e5c3e9685aa3de82c99009a2ed3” as the hash. I googled it and sure enough, the word “pictures” was in almost every search result:
Huge tip o’ the (monochromatic) hat to Juuso Salonen, who created the Ruby script called BozoCrack that cracks MD5 hashed passwords using Google searches, although it seems this has been used before, simply without automation.