Presentation is loading. Please wait.

Presentation is loading. Please wait.

CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.

Published byArthur Harrell Modified over 9 years ago

Similar presentations

Presentation on theme: "CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks."— Presentation transcript:

1 CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks

2 Topics Password Management Online Password Attacks Offline Password Attacks Dumping Passwords from RAM

3 Password Management

4 Password Alternatives Biometrics Two-factor authentication Digital certificates

5 Common Password Errors Short passwords Using dictionary words Re-using passwords – Attackers know that a stolen password can often be re-used elsewhere

6 Password Reset A weak spot for cloud services, especially free ones

7 Online Password Attacks

8 Multiple Logins Scripts try to login with passwords from a list Can be blocked by lockout policies – After five failed logins, must wait an hour Brute-forcing is possible – Trying every combination of characters – Impractical except for very short passwords

9 Wordlists Usernames – Look at valid account names, try to deduce the pattern – CCSF uses first letter of first name, then last name, then 2 digits, like psmith01 – Find a list of real usernames, or use a list of common names

10 Password Lists Packetstorm For special purposes Openwall has more general ones, but they cost money – Link Ch 9d

11 Targeting Wordlists Use information about the targeted person Such as a Facebook page Generate passwords from clues – TaylorSwift13!

12 Cewl Included in Kali Creates wordlist from URL, reading words from pages

13 Crunch Generates a wordlist from characters you specify (included in Kali)

14 Hydra Online password cracker Can use wordlists or pattens

15 Offline Password Attacks

16 Getting the Hashes Most operating systems and Web services now hash passwords – Although some use plaintext, and most use weak hashing techniques Windows stores hashes in an encrypted C:\Windows\SAM file, but the key is available in the SYSTEM file

17 Two Ways to Strengthen Hashes Salting – Add random bytes before hashing – Store them with the hash – This prevents attackers from pre-computing 'Rainbow Tables" of hashes Stretching – Many rounds, typically 5000, of hashing – Slows down attackers

18 SAM and SYSTEM Files

19 Unavailable when Windows is Running

20 Win 7 Backup Files Also unavailable when system is running Win XP had C:\Windows\Repair but it seems to be gone now

21 Reg.exe Works on Windows 7 – Link Ch 8i

22 SAM is Encrypted 128-bit RC4

23 Key is in SYSTEM apt-get install bkhive FAILS on Kali 2 Must install old versions of bkhive and samdump2 (link Ch 8l)

24 Extracting Hashes LM Hash on the left (now obsolete) NT hash on the right (designed in 1991)

25 Linux Boot Disk You can gather hashes by booting the target system from a LiveCD or USB Copy the files while Windows is not running

26 Cracking Windows Passwords Hashcat tests 500,000 passwords in a few seconds – Because algorithm is 1 round of MD4 – Proj X16 in CNIT 123

27 Kali's Password Hashes 5000 rounds of SHA-512 with a salt Mac OS X is the same

28 Cracking Kali Hashes Can only try 500 words in a few seconds

29 John the Ripper & Hashcat Cracks many types of hashes – Auto-detects the algorithm – Can perform brute force, or dictionary, or modified dictionary attacks Hashcat is newer and claims to be faster oclHashcat – Designed to run in parallel on many GPUs

30 CloudCracker Moxie Marlinspike's service Runs on AWS machines

31 Cheap!

32

33 Stolen Password Lists Lists of millions of real stolen passwords are now available The rockyou list is included in Kali – in /usr/share/wordlists – Link Ch 9e

34 Passphrases are Vulnerable

35 Hashed with MD5 (link Ch 9g)

36 Link Ch 9h

37 Dumping Passwords from RAM

38 Plaintext Passwords Windows stores the password of the currently logged-on user in RAM with "reversible encryption" It can be recovered with Windows Credential Editor or mimikatz No matter how long or complex it is

39 Analysis of Stolen Data Dumped by TEAMGHOSTSHELL on Aug 25, 2012

40

41

42 Password Storage: Awful Beyond Belief Plaintext, obvious, all the same

43 Plaintext Passwords, Easily Guessed

44

45 Sparklan Passwords

46 Beforward Transactions with PII

47 Plaintext Passwords

48 Password Storage: BASE64 Obfuscated, not hashed

49 Beforward.jp

50 BASE64 Encoding

51 Password Storage: Unsalted MD5 or SHA-1 Real hashing, but very easy to crack

52 MIT – MD5 Password Hashes

53

54

55 MySQL323 Password Hashes

56 Cracking Hashes with Cain

57 SHA-1 Hash

58 Cracked!

59 MySQL 5 Password Hashes

60 Wordpress Password Hashes

61 Relative Space

62 Cracked!

63

64

65 Password Hashing Algorithms

66 Hashing Passwords Three essential steps – One-way hash function MD5, SHA-1, SHA-256, etc. – Salt Random characters added to each password Prevents rainbow-table attack – Stretching Repeat the hash function many times (typically 5000) Make it take 50 ms to calculate the hash Minimally slows login Makes attack MUCH slower

67

68 The Right Way

69 Popular Password Hashes Type Projected time to crack 1,000 hashes* Hash Function Salt (# chars) Stretching (# rounds) Drupal 7 1.7 yearsSHA-512816385 Linux (Debian) 58 daysSHA-51285000 Wordpress 3.5.1 17 hoursMD588193 Windows (all current versions) 5.4 minMD4None1 Joomla 4.6 minMD5161 Calculation assumes the passwords are found in a dictionary of 500,000 guesses One virtual machine running Kali A clusters of GPUs would be much faster

Download ppt "CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks."

Similar presentations

Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
The Cain Tool Presented by: Sagar Chivate CS 685F.

The Cain Tool Presented by: Sagar Chivate CS 685F.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Password CrackingSECURITY INNOVATION ©2003 1 Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.

Password CrackingSECURITY INNOVATION © Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.

Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.
Authentication Approaches over Internet Jia Li

Authentication Approaches over Internet Jia Li
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.

IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.
The Truth About Protecting Passwords COEN 150: Intro to Information Security Mary Le Carol Reiley.

The Truth About Protecting Passwords COEN 150: Intro to Information Security Mary Le Carol Reiley.
Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013.

Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013.
Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.

Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.

Similar presentations

Ads by Google