Password cracking. Patrick Sparrow, Matt Prestifillipo, Bill Kazmierski. Overview. Who uses password crackers? List of programs needed Gain access to password list Password Salting Installing John the Ripper How to use PwDump2 and John the Ripper How to make a strong password.
Password cracking
Patrick Sparrow, Matt Prestifillipo, Bill Kazmierski

Overview
• Who uses password crackers?
• List of programs needed
• Gain access to password list
• Password Salting
• Installing John the Ripper
• How to use PwDump2 and John the Ripper
• How to make a strong password

Who uses password crackers?
• System Administrators
  • Test the strength of the user’s password
• Hackers
  • Gain access to the user’s account

List of programs needed
• Pwdump2
  • Retrieves user accounts and passwords in Windows and puts the information into a hash table (not needed in Unix)
• John the Ripper
  • Uses hash table from pwdump2 and cracks password

John the Ripper cont.
• Runs against various encrypted password formats, including Unix (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash
• It operates by the so-called dictionary attack: it takes text string samples (usually from a file containing words found in a dictionary), encrypts each one in the same format as the password being examined, and compares the output to the encrypted string.
• It can also operate by the incremental attack, where JTR tries every possible character combination as a password.
• Several thousand possibilities can be tried per second
• Most efficient way of cracking passwords in the past several decades

Gain Password List
• Windows
  • Use Pwdump2 to get SAM file when logged into account
  • Use a Live Bootable OS CD (Knoppix) to by-pass user login and change directory to the Windows SAM File and dump to disk
• Unix
  • Unshadow password in /etc/passwd
    • ./unshadow /etc/passwd /etc/master.passwd > pass.txt
  • ypcat passwd when NIS is used
  • Use Live Bootable OS CD (Knoppix)

Password Salting
• Salts help strengthen the password list
• The salt, a set of random values, is suffixed to the password before encrypting it; the salt is stored along with the encrypted password in the hash
• Because salts are different for each user, the attacker can no longer use a single encrypted version of each candidate password.
• Makes cracking passwords take longer
• Makes a dictionary attack more difficult

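The effect of per-user salts described on this slide, as an added Python example (not part of the original presentation). It uses PBKDF2-HMAC-SHA256 from the standard library in place of the slide's suffix-then-encrypt scheme; the account names, passwords and iteration count are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen for this example only

def unsalted_hash(password: str) -> bytes:
    """Weak scheme: identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode()).digest()

def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Random per-user salt, returned so it can be stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)

def shared_digest_groups(records: dict[str, bytes]) -> list[list[str]]:
    """Audit helper: users with colliding stored digests share a password,
    so one candidate digest would match all of them at once."""
    groups: dict[bytes, list[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample accounts; alice and carol picked the same password.
ACCOUNTS = {"alice": "Summer2024!", "bob": "correct-horse", "carol": "Summer2024!"}

def build_tables():
    """Return (unsalted digests, salted (salt, digest) records) per user."""
    weak = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted_hash(p) for u, p in ACCOUNTS.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted duplicates:", shared_digest_groups(weak))
    print("salted duplicates:  ",
          shared_digest_groups({u: d for u, (_, d) in strong.items()}))
```
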
Installing Pwdump2 and JTR
• Simply extract both programs to separate directories; no install is needed for Windows
• For Unix:
  • cd to ./src of the JTR dir after extraction
  • make
  • make clean generic

How to make a strong password
• Do not use single dictionary words
• Use a combination of words with a punctuation mark in between each word, along with a mix of upper and lower case letters for each word