
Tag Archives: security

The unknown-group-that-is-not-Impact-Team has just released a second archive containing data from Ashley Madison on the same webpage as the first one.

TL;DR :

  • The leak contains lots of source code (nearly 3M lines of code according to sloccount)
  • 73 different git repositories are present
  • Ashley Madison used gitlab internally
  • The 13GB compressed file which could contain AM CEO’s emails seems corrupted. Is it a fake one?
  • The leak contains plain text or poorly hashed (md5) db credentials

It was released with a message aimed at AM's CEO, Noel Biderman, who had stated that the previous leak might be fake:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Noel, you can admit it's real now

- -Impact Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=5omL
-----END PGP SIGNATURE-----

Leak content

The archive is 19GB, double the size of the first part of the leak. It contains the following files:

(screenshot: file listing of ashleymadison_part2)

The leak contains lots of gitlab repositories. Here are the names of the projects and of the different repositories:

(screenshot: repositories)

Sloccount reports nearly 3M lines of code:

Totals grouped by language (dominant language first):
php:        2440587 (81.58%)
objc:        192704 (6.44%)
ruby:        120264 (4.02%)
java:        104725 (3.50%)
cs:           60546 (2.02%)
ansic:        40943 (1.37%)
sh:           12857 (0.43%)
perl:         10349 (0.35%)
python:        5123 (0.17%)
cpp:           2646 (0.09%)
pascal:         848 (0.03%)
sed:            112 (0.00%)
lisp:             6 (0.00%)

Total Physical Source Lines of Code (SLOC)                = 2,991,710

ashleymadison.tgz

Contains all gitlab repositories related to the website.

avid.tgz

avid is the name of the company behind Ashley Madison (Avid Life Media).

This archive contains 12 gitlab repositories, belonging to the avid user.
The repositories are:

  • alm_billing
  • alm_billing.wiki
  • avid-generator
  • avid-generator.wiki
  • bill
  • bill.wiki
  • billing-builds
  • billing
  • gatekeeper
  • gatekeeper.wiki
  • utilitybelt
  • utilitybelt.wiki

qa.tgz

Contains four gitlab git repositories belonging to a qa user. The four repositories are qa-duck.wiki, qa-duck, qa-automation and am-automation.
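The TL;DR above notes plaintext and MD5-hashed database credentials sitting in the source. As an added example (mine, not code from the post or from the leaked repositories), here is the kind of scan I would run over a tree of checked-out repositories to locate them. The sample files, file names, regexes and the md5 value are constructed for the illustration; `scan_directory` is the same logic pointed at a real tree on disk.

```python
import os
import re

# Constructed sample files standing in for a checked-out repository tree.
# None of this content is from the leaked repositories.
SAMPLE_FILES = {
    "billing/config/database.php": (
        "<?php\n"
        "$db_host = 'db01.internal';\n"
        "$db_user = 'billing';\n"
        "$db_pass = 'S3cretBilling!';\n"
    ),
    "gatekeeper/lib/auth.rb": (
        "ADMIN_DIGEST = '5f4dcc3b5aa765d61d8327deb882cf99'  # md5('password')\n"
    ),
    "qa-automation/fixtures/users.json": '{"user": "qa", "password": "changeme"}\n',
    "utilitybelt/README.md": "Run `make`, then `bin/belt --help`.\n",
}

# A credential-looking name (pass, pwd, secret...) assigned a quoted literal of 4+ chars.
ASSIGNED_SECRET = re.compile(
    r"""(?i)['"]?([a-z_]*(?:pass|pwd|secret)[a-z_]*)['"]?\s*[:=]>?\s*['"]([^'"]{4,})['"]"""
)
# A bare 32-hex-digit token: an unsalted MD5 digest (a 40-digit git SHA does not match).
MD5_TOKEN = re.compile(r"\b[0-9a-f]{32}\b")


def scan_text(path, text):
    """Return (path, line number, kind, match) for every hit in one file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGNED_SECRET.search(line)
        if m:
            findings.append((path, no, "plaintext", f"{m.group(1)}={m.group(2)}"))
            continue
        m = MD5_TOKEN.search(line)
        if m:
            findings.append((path, no, "md5", m.group(0)))
    return findings


def scan_files(files):
    """Scan an in-memory {path: content} mapping (used for the sample above)."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


def scan_directory(root):
    """Walk extracted repositories on disk, skipping .git internals."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(os.path.relpath(path, root), fh.read()))
    return findings


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print(*hit)
```

The plaintext pattern is deliberately loose (any name containing pass/pwd/secret followed by a quoted literal) because config files in PHP, Ruby and JSON all write credentials slightly differently; expect to triage false positives by hand, which is still far cheaper than reading 3M lines.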

More to come as I dig through the data from this archive. This article will be updated over the next few hours (dl @92.2%, and slowly downloading. Yay.)
Another (more complete) article will follow in a few days with details on both parts of this leak.

Don't forget to check my quick write-up on the first part of this leak: Ashley Madison full dump has finally leaked

A quick blog post on Adobe's recent leak of customer data.

Earlier this month, Adobe announced a leak of 2.9M users' personal information (including encrypted credit card data). Over the last few weeks, some partial dumps claimed to be linked to this leak were published online, but nothing really interesting appeared until 24th October, when someone posted a link to a file called users.tar.gz on the Anonews forum (the thread was deleted; google cache). Since the file was hosted on a hacked server, it was quickly removed and nearly nobody was able to download it. Nearly. On 29th October a post on a Russian "underground" forum linked to two files: ldap.tar.gz (8.2MB) and users.tar.gz (3.8GB). Thanks to m3g9tr0n we were able to get them and start analyzing them.

About the ldap.tar.gz file: it contains 68276 email addresses (including 64837 ending in @adobe.com). It seems to be a dump of an internal LDAP server, but it contains no password information.

About the users.tar.gz file: it contains 153.004.870 lines in the following format (values are separated by -|- and each line ends with |--):

<uid>-|--|-<email address>-|-<base64 of encrypted password>-|-<password hint>|--

We weren't able to determine the algorithm Adobe used to encrypt the passwords, but we think they *may* be (single or triple) DES or Blowfish, in CBC or ECB mode (UPDATE: Adobe acknowledged that it is Triple DES, and it is definitely in ECB mode). Some people stated that the passwords were encrypted with some kind of "modified SHA-1" or "double DES". They are not. Some more statistics about the passwords: there are 130.325.717 non-empty password fields and only 56.045.364 unique passwords (which we can count directly because there is no salt: identical passwords give identical ciphertexts). Since the cipher works on 64-bit (8-byte) blocks and the padding always adds at least one byte, the number of ciphertext blocks gives the password length range: 50M passwords are 1 to 7 characters long, nearly 80M are 8 to 15 characters long, 58k are 16 to 23 characters long and 5.6k are 24 to 31 characters long. (UPDATE: Jeremi Gosney analyzed the password counts and the hints and was able to produce a top 100 of the passwords used (mirror of the stats here).)

About the email addresses: there are many faulty addresses (e.g. gmail.comm, <email service provider><password> where the user forgot to press the tab key, other typos, or plain fake addresses), but we can still compute statistics about email providers: 35.842.643 accounts are on hotmail.(com|fr|co.uk|de) (in that order of frequency), 24.476.674 on gmail.com or googlemail.com, 24.588.216 on yahoo's email service and 3.478.697 on aol.com.
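As an added worked example (not code from the original post), here is a small Python parser for the record layout described above that reproduces the three observations: the password length ranges read off the ciphertext length, the provider statistics, and what unsalted ECB gives away. The records, the ciphertext bytes and the e-mail addresses are constructed sample data; the padding rule (at least one byte, PKCS#5 style) is an assumption that matches the length buckets quoted above.

```python
import base64
from collections import Counter, defaultdict

BLOCK = 8  # Triple DES works on 64-bit blocks


def make_record(uid, email, ciphertext, hint):
    """Build one line in the layout described above:
    uid-|--|-email-|-base64(ciphertext)-|-hint|--
    Used only to construct sample data; no real records are embedded here."""
    b64 = base64.b64encode(ciphertext).decode() if ciphertext else ""
    return f"{uid}-|--|-{email}-|-{b64}-|-{hint}|--"


# Constructed stand-ins for 3DES-ECB output blocks (not real ciphertext).
B1 = bytes(range(0, 8))
B2 = bytes(range(16, 24))
B3 = bytes(range(32, 40))

SAMPLE_DUMP = "\n".join([
    make_record(1, "alice@hotmail.com", B1, ""),
    make_record(2, "bob@gmail.com", B1, "dog name"),       # same password as alice
    make_record(3, "carol@yahoo.fr", B1 + B2, "usual"),    # same first 8 chars as alice
    make_record(4, "dave@hotmail.co.uk", B3 + B2, "work"),
    make_record(5, "eve@aol.com", b"", ""),                # empty password field
    make_record(6, "frank", B3 + B2, ""),                  # faulty address (no @)
])


def parse_records(text):
    """Return a list of (uid, email, ciphertext bytes, hint).
    Splitting on '|' leaves the single dash that the -|- separator glues to
    each side of a value, so that dash is removed field by field."""
    records = []
    for line in text.splitlines():
        if not line:
            continue
        f = line.split("|")
        if len(f) != 6:
            raise ValueError(f"unexpected field count: {line!r}")
        uid = f[0][:-1]          # "123-"  -> "123"
        email = f[2][1:-1]       # "-a@b-" -> "a@b"
        b64 = f[3][1:-1]         # "-xxx-" -> "xxx" ("-" -> "" when empty)
        hint = f[4][1:]          # "-hint" -> "hint"
        records.append((uid, email, base64.b64decode(b64), hint))
    return records


def length_range(ciphertext):
    """Ciphertext length leaks password length: assuming padding that always
    adds at least one byte (PKCS#5 style), an n-block ciphertext means a
    password of 8(n-1) to 8n-1 characters."""
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a non-empty whole number of blocks")
    n = len(ciphertext) // BLOCK
    return (max(1, BLOCK * (n - 1)), BLOCK * n - 1)


def length_distribution(records):
    """Count non-empty passwords per length range, as in the statistics above."""
    return Counter(length_range(ct) for _, _, ct, _ in records if ct)


def provider_counts(records):
    """Count addresses per mail domain; addresses with no '@' count as 'invalid'."""
    counts = Counter()
    for _, email, _, _ in records:
        counts[email.rsplit("@", 1)[1].lower() if "@" in email else "invalid"] += 1
    return counts


def provider_family_total(records, family):
    """Sum the counts of every domain whose first label is `family`
    (hotmail.com + hotmail.fr + hotmail.co.uk + ...)."""
    return sum(n for dom, n in provider_counts(records).items()
               if dom.split(".", 1)[0] == family)


def ecb_groups(records):
    """Unsalted ECB: identical ciphertext blocks come from identical plaintext
    blocks. Accounts whose first block matches share the first 8 characters of
    their password, so a hint written by any one of them applies to all."""
    groups = defaultdict(list)
    for _, email, ct, hint in records:
        if ct:
            groups[ct[:BLOCK].hex()].append((email, hint))
    return {blk: members for blk, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DUMP)
    print("lengths:", dict(length_distribution(recs)))
    print("hotmail total:", provider_family_total(recs, "hotmail"))
    for blk, members in ecb_groups(recs).items():
        print(blk, members)
```

The `ecb_groups` output is the part that matters for an attacker: in the sample, bob's hint "dog name" describes alice's and carol's password too, because the three ciphertexts start with the same block, and no password ever had to be decrypted to learn that.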

That is where we are for the moment, since we can't crack those passwords.

PS: m3g9tr0n pointed out that it would be better to include the command lines I used to produce those statistics, so here they are:

To get a list of the content of the n-th field (emails: n = 3, passwords: n = 4), I used this command (here for emails). The sed strips the single dash that the -|- separator leaves on each side of the value, otherwise the later grep anchored on $ would never match:

cut -d'|' -f3 cred | sed -r 's/^-//; s/-$//' > emails

To get a list of mail service providers with their counts, I ran this command:

cut -d@ -f2- emails | sort --parallel=2 -S2G | uniq -c | sort -rn > email_providers

The --parallel flag makes sort use multiple processes to run faster, while -S sets the size of the in-memory buffer (here 2 GB), which avoids writing temporary files to disk and slowing the sort down.

To get the count of Hotmail addresses I used this command line:

grep -P '\shotmail\.(com|fr|co\.uk|de)$' email_providers | awk '{s+=$1} END {print s}'

This command adds up the counts in the first column of the matching lines and prints the total.

Hello folks 🙂

A few days after the last post about the LinkedIn password leak and the quick analysis of the passwords I recovered, a friend of mine gave me a link to the eHarmony password archive. This archive contains 1513836 MD5 hashes. I had a very big surprise with this dump: when I started to work on it, I quickly noticed that all passwords were uppercased… Thanks eHarmony! As a reminder, the number of combinations for a password of N characters drawn from a charset of C different characters is C^N. Here, the "standard" charset [A-Za-z0-9] (26+26+10 = 62 chars) becomes [A-Z0-9] (26+10 = 36 chars, not much more than half the previous charset).

Read More »
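As an added example (mine, not code from the post), here is how that observation is used in practice: compute how much of the keyspace uppercasing removes, and fold a candidate wordlist to the dump's case so every case variant is hashed only once. The dump and wordlist below are constructed for the illustration, not taken from the eHarmony archive.

```python
import hashlib
from math import log2

FULL = 62    # [A-Za-z0-9]
FOLDED = 36  # [A-Z0-9]: what survives once the site uppercases everything


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters over the charset."""
    return charset_size ** length


def entropy_lost(length, full=FULL, folded=FOLDED):
    """Bits of work that uppercasing removes from an attack on a
    `length`-character alphanumeric password."""
    return length * (log2(full) - log2(folded))


def fold_candidates(words):
    """Normalize a wordlist to the dump's case and drop the duplicates that
    creates: 'Password1', 'PASSWORD1' and 'password1' become one candidate."""
    seen, folded = set(), []
    for w in words:
        u = w.upper()
        if u not in seen:
            seen.add(u)
            folded.append(u)
    return folded


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack(dump, words):
    """Return {md5: password} for every folded candidate present in the dump."""
    targets = set(dump)
    return {md5_hex(c): c for c in fold_candidates(words) if md5_hex(c) in targets}


# Constructed sample dump of uppercase-only MD5 hashes; not from the real archive.
SAMPLE_DUMP = [md5_hex("PASSWORD1"), md5_hex("LOVE2012"), md5_hex("QWERTY")]
WORDLIST = ["password1", "Password1", "PaSsWoRd1", "love2012", "Love2012", "iloveyou"]

if __name__ == "__main__":
    print(f"{keyspace(FULL, 8):,} vs {keyspace(FOLDED, 8):,} "
          f"({entropy_lost(8):.1f} bits lost)")
    print(len(WORDLIST), "words ->", len(fold_candidates(WORDLIST)), "candidates")
    print(crack(SAMPLE_DUMP, WORDLIST))
```

For 8-character alphanumeric passwords the folded keyspace is about 77 times smaller (a little over 6 bits), and a typical wordlist with case mangling shrinks by the same kind of factor once it is folded.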

Hello folks,

A few days ago, the LinkedIn password dump was released. It is made of 6458020 unsalted SHA-1 hashes. Yes, it is 2012 and big websites still store your passwords as unsalted hashes…
The dump is made of two different sorts of hashes:

  • 3.521.180 "00000" masked hashes (e.g. 0000054bc8172921062252506762fd36a5f8a6ca)
  • 2.936.840 "normal" hashes.

While the origin of the masked hashes remains unknown, some people think that the hacker who released the dump masked the hashes he had already recovered. Anyway, we can still recover those hashes: the hashcat author released two special versions of his tools (hashcat and oclHashcat) which support those zeroed hashes.
Read More »
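As an added example (mine, not hashcat's code and not from the post), here is what "supporting zeroed hashes" amounts to: a masked hash can still be matched on the 35 hex digits that were not overwritten, so a candidate is hashed once and compared on that suffix, with a full comparison only for unmasked hashes. The sample dump is constructed from made-up passwords; nothing in it comes from the real dump.

```python
import hashlib

MASKED_DIGITS = 5  # the dump replaces the first five hex digits of some hashes with zeros


def sha1_hex(candidate):
    return hashlib.sha1(candidate.encode()).hexdigest()


def mask(digest):
    """Zero the first five hex digits, the way the masked hashes in the dump look."""
    return "0" * MASKED_DIGITS + digest[MASKED_DIGITS:]


def is_masked(digest):
    return digest.startswith("0" * MASKED_DIGITS)


# Constructed sample dump: SHA-1 of made-up passwords, two of them masked.
SAMPLE_DUMP = [
    sha1_hex("sunshine"),
    mask(sha1_hex("linkedin")),
    mask(sha1_hex("princess")),
    sha1_hex("letmein"),
]


def split_dump(dump):
    """Separate masked (leading 00000) from normal hashes, as the post does.
    A genuine hash that happens to start with 00000 lands in the masked set;
    that does no harm, it is simply matched on its last 35 digits as well."""
    masked = [h for h in dump if is_masked(h)]
    normal = [h for h in dump if not is_masked(h)]
    return masked, normal


def crack(dump, candidates):
    """Return {stored hash: password}. Each candidate is hashed once and looked
    up by the 35 hex digits (140 bits) that survive masking; a normal hash must
    then also match in full. 140 bits leaves no room for chance collisions in
    a 6.4M-entry dump."""
    by_suffix = {}
    for stored in dump:
        by_suffix.setdefault(stored[MASKED_DIGITS:], []).append(stored)
    found = {}
    for cand in candidates:
        digest = sha1_hex(cand)
        for stored in by_suffix.get(digest[MASKED_DIGITS:], []):
            if is_masked(stored) or stored == digest:
                found[stored] = cand
    return found


if __name__ == "__main__":
    masked, normal = split_dump(SAMPLE_DUMP)
    print(len(masked), "masked,", len(normal), "normal")
    print(crack(SAMPLE_DUMP, ["123456", "linkedin", "sunshine", "princess", "qwerty"]))
```

Indexing the dump by suffix means the cost is one SHA-1 per candidate regardless of how many hashes are loaded, which is the same property the modified hashcat builds rely on; the only difference from cracking normal hashes is the 20-bit shorter comparison.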