Computer Science Innovations, LLC Review Computer Science Innovations, LLC
Cracking Passwords/Decrypting Computer Science Innovations, LLC
The Calculus is Easy Or Hard?
Can You Define the Calculus with Algebra? If you could do that would it be good? Yes. Because we believe Algebra is not an exclusive club.
Is .9999999 = 1? Argue the Calculus, in the beginning – limit, is the study of infinity. If we say 10X = 9.999999999999(forever) x = .9999999999999999(forever) by subtraction 9x = 9 therefore x = 1
Tools/Review One Way Encryption Three mechanisms Brute force... John the Ripper Command: sudo apt-get install john Industry leader in brute force... all combinations. Fallen out of favor.... complexity of algorithms It could take weeks on a Amazon cluster. Dictionary Approach – Yesterday. Dictionary words in conjunction with patterns.
One Way Encryption File transfer ---- big file.... SHA1 Transfer the file -----> same SHA1 or MD5 200 gig file multi-character sum... You cannot reverse it.
Break One Way Encryption Two mechanism. One is brute force. You try all the permutations. THE DOG MD5 sum and is that sum what you are looking for. If so, you are done, if not.. try another. Long – You many not get a result in your lifetime.
Another Way Rainbow tables..... Terabytes of sums..... They are store Plaintext password, SUM.. When the sum matches. You have the password – likely. So we have a mechanism to get password more easily.
Vendor, work around? Make it harder. People are going to use words in their We have this concept of SALTS... What is that. Injection variable ---> put in to hash to make it more secure. Both sides need to know the hash, precomputed.
See an Example root@companion:~# grep scott /etc/shadow scott:$6$8eyQBVh1$gcCRGBLBgGsBqmbgDAn hD3HVQL9qa3SjBtEhv/U8OglJN36Aip5Vu1j.t wDrfGuAOUH68VIdZXYd0OlrUF8gM1:15527: 0:99999:7::: The $6$ says the next thing is the SALT. So 8eyQBVh1 is the SALT.
So Now, How Do We Crack with SALT? Use a Rainbow table for …. the stuff after the salt, then we must use, brute force for the SALT. So all the Rainbow table algorithms are rendered useless ----- temporarily
Rainbow Tables. Rainbow Tables – Ophcrack, or Rcracki Both run in all platforms. Both... do the same thing. Rcracki works with the new version of Rainbow tables and works on MD5 as well as SHA1. Ophcrack does not work with newer rainbow tables and it only works with NTLM and other simple passwords. Standardize on Rcracki
Crack Systems Take the rc.tgz from my drive. Put in on your computer.. Get it to compile You have make errors g++ Install rcracki...
How? wget 10.10.10.243/rc.tgz cd cd /tmp ls tar xvfz rc.tgz cd rcracki_mt_0.6.6_src/ make history
Pre-setup sudo apt-get install g++ sudo apt-get install openssl sudo apt-get install openssl-dev sudo apt-get install libssl-dev
Access Scott's Drive Samba --- Command sudo apt-get install smbclient Create a directory Command mkdir /scott /etc/fstab put in an entry 10.10.10.243:rainbow /scott cifs uid=root,gid=root,workgroup=StreitFamily,user name=scott,password=redskins1992 0 0 Command mount /scott
Try It! rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 /scott
Steps Download it. Unzip it. It is currently not packaged for Ubuntu 12.04. So this means there is no sudo apt- get install.... can't do it. Do we care? No. Compile ourselves. When compile yourself, you are responsible for maintenance. That means if you load a kernel update, you have to recompile. If it was a package it would take care of it for you.
Let's Assume I have Downloaded Unzip it. Go to root directory and as a normal user (least privilege), run make Now we need to install it. Run sudo make install
We Have Two Tools First video is concepts only. Ophcrack rcracki try it out. Go to your windows box... that is host operating system. Command window. Command is: net use * \\10.10.10.234\rainbow
What We Do Get a hash.... unix /etc/shadow Take the hash and you seach.... for the actual password. Takes every entry in the rainbow tables and compares it against the hash.. When it matches it takes the plain text... returns it to you. Much faster to do a string search than it is to compute MD5 or SHA1 encryption. Faster than brute force.
Computer Science Choices Process without storing partial results (brute force) Process using temporary results: entailments. All computer problems are scaling problems. Everything a computer does, you can do with a pencil and paper. Brute force vs. Entailments.
What it Looks Like Command: vi /etc/shadow scott:$6$eHcWMokA$Qr3aR4Od7eiLkMmH3Gx cPsdF6yUIGZNpXbfsOggb843sTSAySnBiDpJj 8NtFu1CUu.kAVUKH8wfetPLJ1Lc91.:15456:0: 99999:7::: hash
Case Study aghaster@debian:~$ rcracki_mt k/ usage: rcracki_mt -h hash rainbow_table_pathname rcracki_mt -l hash_list_file rainbow_table_pathname rcracki_mt -f pwdump_file rainbow_table_pathname -r [-s session_name]: resume from previous session, optional session name rainbow_table_pathname: pathname(s) of the rainbow table(s) Extra options: -t [nr] use this amount of threads/cores, default is 1 -o [output_file] write (temporary) results to this file -s [session_name] write session data with this name -k keep precalculation on disk -v show debug information example: rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 [path]/MD5 rcracki_mt -l hash.txt [path_to_specific_table]/* rcracki_mt -f hash.txt -t 4 -o results.txt *.rti
Solution..... rcracki_mt -c lst_file rainbow_table_pathname -h hash: use raw hash as input -l hash_list_file: use hash list file as input, each hash in a line
Best Practice? rcracki Source: download it Command: make in the source directory Command: make install Run rcracki using the command line options Take a hash from /etc/shadow Use my rainbow tables.... Get the password: root... what is the password find toor.
Lab Decrypt a hash in /etc/shadow Use my rainbow tables. Choice windows or linux: Mapped as a windows drive. Map as Unix Drive.
Review TCSEC – Trusted Computer System Evaluation Criteria – The Orange Book. MITRE Corporation. 1984. Measure Security. C2 is less secure than B1... etc. It is still the overriding source for security requirements and solutions. Discretionary Access Control – C2 – Where do we see this. Unix out of the Box and in Windows Posix Compliant. Cygwin... What does it mean.... Named Subjects accessing Named Object. To do this what Do we Need?
What Do We Need for DAC? So We Want DAC, what is required. Assert an Identity. Some examples, username, password, PKI certs, Biometrics. The major change is Biometrics. Getting Cheap. Gather Roles. What are roles. They tell you what you can and cannot do. In Unix (Posix) they are Groups.. at C2. How do you see what groups. Command id. Permissions O G W RWE RWE RWE plus 2 bit first for inherit group from the Directory above.
Next for DAC We may adjudicate access... We did this. We had a private area and a Shared Area. What can we never have. A group Login and maintain DAC. Auditing. We may Audit the access for Subjects and Objects. Constant Protection... Guarantee that our adjudication and auditing are always called. Assurance.... Representation of an easily understood security model
What Else for DAC Least Privilege Footprint for Least Privilege? Ports > 1024 user (id command) being normal. What does not use Least Privilege but occurs commonly? Apache/Php... Simple model, not hard core CS, but works.
Mandatory Access Control(MAC) What is needed for it? Most important. Provenance..... What failure caused Provenance to greatly enter our field. No weapons of Mass Desctruction. What is in Provenance? What, who, when, security labels, and most importantly confidence and Original Source.
MAC Algorithm for MAC is: Flatten hierarchies If data is a subset of users roles (groups), you can see it. Cannot write below. No read up, no write down. Bell-Lapadula model. Implement it. We recognize MLS (MAC) in a RDMBS is difficult because we typically label at the row. Semantic Web... Google, Google Marketplace, Whole E-Commerce Industry. Provenance at the triple level.
How Does Google Get Participation If you participate you come up earlier in the Search Engine. 100%. More than 10,000 e- commerce sites implemented. Back to MAC – How do we do Constant Protection? Through Aspect Oriented Programming (AOP), interceptors. Assurance – Simple set theory for the model.
Wireshark Evaluation forms. Brian gets forms. Wireshark, practice, test. Pass, email.
Solution..... rcracki_mt -c lst_file rainbow_table_pathname -h hash: use raw hash as input -l hash_list_file: use hash list file as input, each hash in a line
Best Practice? rcracki Source: download it Command: make in the source directory Command: make install Run rcracki using the command line options Take a hash from /etc/shadow Use my rainbow tables.... Get the password: root... what is the password find toor.
Lab Decrypt a hash in /etc/shadow Use my rainbow tables. Choice windows or linux: Mapped as a windows drive. Map as Unix Drive.
Mail Mail: Google has a sender and receiver. Convention: There is nothing in SMTP (Simple Mail Transport Protocol) that says the from has to be real. Mail in Unix you could specify the from. So you send an email and make the from --- the President. Write an application program.
ISPs have Turned of 25 That means you cannot send mail from your computer as a server. Why do you think they did this. Stop Spammers.
ARP Poisoning Application Presentation Session Transport Network Datalink --- worked at -------- Physical
Solution All routers --- all... now prevent MAC Flooding and any type of poisoning. The tools, ettercap, wireshark... they will attempt To impact the Datalink Layer, but to no avail. They will report --- no success.
History We used to have Bridges... one piece of hardware and Routers … another piece of hardware... and Interconnection (FIOS, cable modem) that was yet a third piece of hardware. There were distinct attacks on all three. What has happened since. Now, everything is integrated, you essentially get countermeasures and update automatically.
Lab – We Don't Believe Scott Ettercap wireshark Start with ettercap.. you run it … startx Command: ettercap -G you have to run this as root. So if you go to plugins and check poison, you will see it did not work.
Lab Problem Problem: 1) You have a virus on a Windows box in the boot sector, you cannot get to the network and you want to get your data files off. How? 2) You forgot the root password on your Unix box, you want to use rainbow tables to find it. Same answer for both, how do you do this?
More Ettercap Additionally, the sniffing on a switched network shows nothing. So you need a broadcast network. So where do we have a broadcast network.
Mandatory Access Control Concept... Discretionary Access Control..... Coarse control So a file or a directory had controls at the Owner, Group, World and Read, Write, Execute, Set Group Id. Here is the concept. What if a piece of data is Top Secret, another piece is Secret, a third piece in For UK Citizens... what do we have here? We have a problem that does not nicely fit into Owner, Group, World, Read Write, Execute.
Fine Grained So what does this mean. We have some data: what do we use to label it. Provenance. So we in a relational database We have a row that is troop locations, It is Top Secret and only for US Citizens. The next row is Military Bases. It is Secret and only for NATO. How do we do this?
What does this look like? Row 1 Vietnam we have 2,000 troops in XYZ Row 2 We have a military base in Japan. This is called Multi-level secure.
Multi-level Secure (MLS) It does not just apply to military... Consider the following: Bank of America... To do a wire transfer that is $5,000 is different than one for $5,000,000 What is this,,,, Multi-level Secure.
Specification B1 – TCSEC... Security shall have …. categories that are... flat and categories that are hierarchical What is an example of this? Citizenship... Flat Hierarchical... Top Secret implies.. Top Secret, Secret, Confidential, FOUO, etc.
MLS Requires Labeling This means that every piece of data must be labeled. How do we do this... Provenance... Get labels, who, what, when, confidence, source. Proof that the protection is constant..... Come back to this... Important. Adjudication algorithm.... How do we do this.
Adjudication Algorithm Step 1).. Gather roles which are all labels. Step 2).. Flatten all hierarchies Step 3).. Is the data (roles) a subset of the Users? If so,,,, user may read.. If not. Don't show it. Algorithm for Read. Now let's see it in Action.
Our MLS Example Troops 2,000 is Top Secret US Citizen Labels …. Top Secret, Secret, Unclassified, FOUO, US Citizen Military Base – Secret... Labels Secret, Unclassified, FOUO Michael US CITIZEN, Jeremiah, SECRET, US CITIZEN Tim, US CITIZEN, Top Secret, Secret, Unclassfied, FOUO. What can Tim see... 2,000 troops and the Base What can Jeremiah see, Just the Base What can Michael, Nothing.
Rules for MLS Bell and LaPadula Model. No read up and no write down. The previous slide was no read up. How did we do it. Flatten hierarchies and apply set theory. What's left. No Write Down. How? What?
Write Example – No Write Down Troops 2,000 is Top Secret US Citizen Labels …. Top Secret, Secret, Unclassified, FOUO, US Citizen Military Base – Secret... Labels Secret, Unclassified, FOUO Michael US CITIZEN, Jeremiah, SECRET, US CITIZEN Tim, US CITIZEN, Top Secret, Secret, Unclassified, FOUO If we have no restrictions on writing. Then Tim could take something Top Secret, Troop Locations and write it as Secret.. That invalidates security.
How You do No Write Down For Writing Purposes, you work at one and only one security level at a time. So if Tim is working at Top Secret. What can he write as Top Secret. We summarize the Bell-Lapadula model as No Read Up, No Write Down.
Lab Tim US Citizen, Over Six Feet Tall, Gasol, Bryant Michael, US Citizen, Jeremiah, US Citizen Data: Pau Gasol Contract (Over Six Feet Tall) Kobe Bryant Contract (Over Six Feet Tall), US Citizen Andrew Bynum Contract (Over Seven Feet Tall), US Citizen Who can see what?
Granularity RDBMS Row ½ data on the row is Secret and ½ is Top Secret? What do you do? Label it, Row? By columns. So this drives the query and the data nuts. Typically in an RDBMS we do Row Level Labeling. So it is not granular enough for MLS. So you say to me, Scott how do we do MLS then.
New Technology Semantic Web, Web 2.0???? Databases there are two forms of storing Data. 1) is Normalized... Customer has many Accounts and a Account participates in many Transactions.
Normalized Example ER-D Customer Accounts Transactions
What if... Your Model Changes Constantly So in the previous example... the structure was Stable. Jesus, Luke, Quickbooks does it. Not likely to change. What happens if the structure is morphing constantly. What is an example. Threats in the war on Terror. Human Genome Project
Column-Wise Data Structure Dr. E.F. Codd in 1978.. He said it was column wise data because we need tag/value pairs Id Tag value Parent_id 2 Person Michael null 3 Child Damien 2 4 Child Patrick 2
Philosophy Tim Berners-Lee he invented html... The current web. He said, we have solved the easy problems... Problems whose structure are fairly static, so what is left... Those that are morphing. Morphing structures are column- wise and they require a different set of processing rules. They are the Web 2.0 or …. The semantic web.
Semantic Web Label at Data Items So all data is represented as Subject Predicate Object …. and Provenance Therefore, we label every piece of data … and therefore …. make it MLS.
Example The entire field of E-Commerce is defined by two sets of Ontologies - Good Relations and Schema.org. Google says …. Doug Cutting... Google says... if the world was structured and not unstructured, boy could searches be accurate. Structure... S P O.... and Provenance... What can you do easily.... MLS...
Continuous Protection So to this point..... we have a simple adjudication... In fact, I believe that by flattening hierarchies and using set theory.. the adjudicator is simple. So what's left... Proving that the only way you may get to the data is ….. through the adjudicator.
How Do You Prove it? Fortunately, there is a specification that handles it. AOP.. Aspect-Oriented Programming. Invented by Bill Burke at Redhat... What does it say.. It says that I may define in an XML file that all methods (or some) must call a method at call time and exit time. So call method --- browser calls for data... turns into Browser calls Aspect.. calls Data.. calls Aspect. Guaranteed interceptor....
Interceptor Does Adjudication and Auditing.. Therefore we are MLS. We have an adjudication model, simple. We label all data – provenance. We guarantee all calls, AOP.. What do we have here. About 30-40 lines of code to do it all. So now we have MLS...... easily.
So At This Point We have covered the TCSEC in its entirety. Now all you have to do, is pass that test... That means Nothing....