Nothing is Safe

Overview
- Why Passwords?
- Current Events
- Password Security & Cracking
- Tools
- Demonstrations: Linux, GPU, Windows
- Conclusions

Benefits of Using Passwords
- Security... Is there any other reason?

The password landscape is changing. With increased computing power, the time to crack passwords is dropping significantly.

Password Events
- In 2009, three Filipino residents hacked thousands of phone networks for profit by exploiting default passwords left on private branch exchange (PBX) systems. (washingtonpost.com)
- June 2011: LulzSec hacked the FBI affiliate Infragard. The stolen data included plaintext passwords that had been reused on other services and websites, leading to a wider-scale compromise. (naked security)
- Dec 2012: a 25-GPU cluster was built that can check 350 billion guesses/sec. It can crack any 8-character Windows NTLM password in less than 6 hours. (ars technica)
- Jan 2013: Google has been researching password-replacing technology. Currently this includes authentication via finger rings and USB cryptographic cards, and it could potentially include wireless verification in the future. (wired)

- In 2012, a Verizon analysis revealed that 90 percent of intrusions were the result of weak passwords, default passwords, reused passwords, or stolen credentials. (knowledge miner)

Password Security
- Windows recommendation:

Password Security
- University of Idaho's Password Requirements: A-Z, a-z, 0-9, symbols
  - Password (expires in 90 days): 8+ characters; no dictionary words over 3 letters long
  - Passphrase (expires in 400 days): 15+ characters; dictionary words allowed

Brute Force Crack Times
- Class D: 10,000,000 passwords/sec. Fast PC or dual-processor PC.
- Class E: 100,000,000 passwords/sec. Workstation, or multiple PCs working together.
- Class F: 1,000,000,000 passwords/sec. Typical for medium- to large-scale distributed computing and supercomputers. (lockdown)
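To relate these guess rates to the password policy and the 350 billion guesses/sec NTLM cluster quoted earlier, the following added example (not part of the original slides) computes worst-case exhaustive-search times from keyspace size and guess rate. The rates are the slides' figures; the character-set sizes (95 printable ASCII symbols, 26 lowercase letters) are this example's assumptions.

```python
# Added example: exhaustive-search time from keyspace size and guess rate.
# Rates come from the slides (lockdown classes D-F and the Dec 2012 25-GPU
# NTLM cluster); the character-set sizes are assumptions of this example.
RATES = {
    "Class D (fast PC)": 10_000_000,
    "Class E (workstation)": 100_000_000,
    "Class F (distributed / supercomputer)": 1_000_000_000,
    "25-GPU cluster (NTLM, Dec 2012)": 350_000_000_000,
}
PRINTABLE_ASCII = 95  # A-Z, a-z, 0-9 and the 33 printable symbols
LOWERCASE = 26


def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Candidates an exhaustive search tries for lengths min_len..max_len.
    A brute-forcer that starts at length 1 pays for every shorter length too."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_sec: int) -> float:
    """Worst-case time to try every candidate; the average case is half this."""
    return space / guesses_per_sec


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def policy_report() -> dict:
    """Worst-case exhaust times for the two University of Idaho policy lengths:
    an 8-char password over the full 95-symbol set versus a 15-char passphrase
    assumed here to be lowercase letters only (the weakest case the policy allows)."""
    cases = {
        "8 chars, 95-symbol charset": keyspace(PRINTABLE_ASCII, 8, 8),
        "15 chars, lowercase only": keyspace(LOWERCASE, 15, 15),
    }
    return {f"{case} @ {name}": seconds_to_exhaust(space, rate)
            for case, space in cases.items()
            for name, rate in RATES.items()}


if __name__ == "__main__":
    for label, secs in policy_report().items():
        print(f"{label}: {human(secs)}")
```

The 8-character case at 350 billion guesses/sec comes out at about 5.3 hours, matching the slide's "less than 6 hours", while the lowercase-only 15-character passphrase takes over a century at the same rate.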

Cracking Helpers
- Dictionaries: wordlists containing previously cracked passwords. They also contain dictionary words and may include custom word lists for foreign languages.
- Rainbow Tables: a table of hashed passwords. Computationally expensive to produce, but password lookup is quick once the table is generated.

Password Salting
- A salt is random data that is combined in a unique way with a password to make recovering passwords from hashes more difficult.
- Salts are usually generated at the time of account creation and stored in a database table separate from the password hash.
- When a user logs onto a system, their stored salt is added to the typed-in password and the result is hashed to compare against the stored password hash for verification.
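The following is an added example (not from the slides) of the salting flow just described, and of why a precomputed table of hashed passwords, like the rainbow tables of the previous slide, does not help once a per-user salt is in play. The wordlist and passwords are constructed, and PBKDF2-HMAC-SHA256 is this example's choice of hash; the slides only say the salted password is "hashed".

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracker's wordlist / precomputed-table input.
WORDLIST = ["password", "letmein", "qwerty", "Vandals2013", "hunter2"]
ITERATIONS = 100_000  # PBKDF2 work factor: this example's choice, not the slides'


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash salt + typed password (PBKDF2-HMAC-SHA256 chosen for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_account(password: str, salted: bool = True) -> dict:
    """Account creation: generate a random 16-byte salt and store it with the
    hash. salted=False models a legacy unsalted store, for comparison only."""
    salt = os.urandom(16) if salted else b""
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, typed: str) -> bool:
    """Login: re-hash the typed password with the stored salt and compare in
    constant time, so response timing does not reveal how many bytes matched."""
    return hmac.compare_digest(record["hash"], hash_password(typed, record["salt"]))


def precomputed_table(salt: bytes = b"") -> dict:
    """hash -> word for every wordlist entry under ONE salt value. Built once,
    it matches any unsalted hash instantly; per-user salts force a rebuild per user."""
    return {hash_password(w, salt): w for w in WORDLIST}


def demo() -> dict:
    alice = create_account("Vandals2013")
    bob = create_account("Vandals2013")               # same password, own salt
    legacy = create_account("Vandals2013", salted=False)
    table = precomputed_table()                        # unsalted, built in advance
    return {
        "login_ok": verify(alice, "Vandals2013"),
        "login_wrong_case": verify(alice, "vandals2013"),
        "same_password_same_hash": alice["hash"] == bob["hash"],  # False
        "legacy_found_in_table": table.get(legacy["hash"]),       # 'Vandals2013'
        "salted_found_in_table": table.get(alice["hash"]),        # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```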

Tools – John the Ripper
- Attempts to crack hashed passwords from almost all commonly used hashing algorithms, using user characteristics, word lists, and brute-force modes.
- JTR has three modes:
  - single
  - wordlist
  - incremental
- The default behavior is to run through each mode, in that order. (backreference)

Tools – Cain & Abel
- "Allows easy recovery of various kinds of passwords by: sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords, and analyzing routing protocols." (oxid)

Tools – Hashcat
- Hashcat is a multi-platform password cracking tool that can take advantage of your GPU and can run on up to 128 GPUs. It has 4 variants that can be used depending on your needs.

Tools – Hashcat Attack Modes
- Combinator
- Dictionary
- Fingerprinting
- Mask
- Permutation
- Rules-based
- Table-based
- Toggle-case

Demonstrations
- John the Ripper
- Cain & Abel
- Hashcat

Conclusions
- Many password cracking utilities are free and readily available.
- With technological advances (Moore's Law), password cracking is becoming faster and easier.
- Because of increases in password cracking technology, alternate authentication technologies are being developed.

Summary
- Why Passwords?
- Current Events
- Password Security and Crack Times
- Cracking Demonstrations

References
- ...s_led_to_55_mi.html
- ...affiliate-hacked-by-lulzsec/
- ...htm
- ...ripper/
- ...standard-windows-password-in-6-hours/