
Sidebar – Password Cracking

Sidebar – Password Cracking. In Chapter 7, we described authentication mechanisms including <username, password> authenticators. We also indicated that anything short of one-time passwords was not strong password authentication. So… how are passwords broken – GUESSING AND CRACKING.

anson

Presentation Transcript


  1. Sidebar – Password Cracking
     In Chapter 7, we described authentication mechanisms including <username, password> authenticators. We also indicated that anything short of one-time passwords was not strong password authentication. So… how are passwords broken – GUESSING AND CRACKING.
     Guessing:
     - Find or guess a user’s identifier
     - Create a list of possible passwords
     - Try each one
     - On success you are in, else keep trying
     - Hampered by unsuccessful login timeout – if (n) attempts are unsuccessful, lock the system for (m) minutes – n and m variable.
     Password Cracking

  2. Password Cracking – Off Line
     Most cracking is done off-line to avoid the timeout problem. Major steps:
     - Find user ids
     - Get encrypted or hashed passwords or password files
     - Create a list of trial passwords
     - Encrypt or hash the trial passwords
     - See if there is a match
     Attacks:
     - Dictionary attacks (build a dictionary of passwords).
     - Brute force (try all possible passwords).
     - Hybrid attacks (modified dictionary attack using altered dictionary words, e.g., party becomes p$art%y).
     This really is still guessing – these systems don’t break encryption!

  3. Password Cracking – Starters
     What can we find out up front about commercial systems?
     - Format for user id.
     - Some user ids (e.g., guest, system, administrator).
     - Password minimum/maximum length, legal characters.
     - Rules of construction.
     - The encryption or hash algorithm.
     - Where the password file is stored by default.

  4. Password Cracking – Generic Methods
     Assume we have an encrypted or hashed password – the following methods are used to recover the plaintext password.
     - Create a dictionary of words – encrypt or hash each word and test to see if the result matches the original encrypted/hashed password. Many Internet sites have downloadable dictionaries.
     - Brute force means trying every possible combination (e.g., a, aa, aaa to zzzzzzzzzzzzzz, azbycx, etc.). This method will always recover the password sooner or later – later may be a long time, but it gets shorter with each new technology advance.
     - Hybrid methods use a dictionary, but insert special characters (e.g., %, $, #) or substitute look-alikes (e.g., r0ya1 – zero for o and one for l) and/or permute words.

  5. Password Cracking – How Do We Get the Passwords?
     If administrator:
     - Dump the hashes to a file
     If not administrator:
     - Sniff the passwords off the network
     - Get administrator privilege
     - Boot another OS and read the file
     - Copy from backup
     - Copy from emergency repair disk
     Reminder to physically protect the system and all media. Also install the patches for vulnerabilities that allow intrusions resulting in root or administrator access.

  6. Password Cracking Tools – L0phtCrack
     The Windows tool of choice – Win 9x, NT, 2000, XP. Cracks two types of passwords – LANMAN/NT.
     - LAN MANager – Older network password system used to log onto a Microsoft network domain – used for mixed 9x and NT/2000/XP nets.
     - NT – Newer network password system used in NT/2000/XP-only nets.
     Fully featured tool:
     - Sniffs passwords
     - Dumps passwords from the registry
     - Cracks passwords
     - Easy to use Graphical User Interface (GUI)

  7. LANMAN Passwords
     - Maximum Length – 14 characters (128 bits).
     - Case – Converted to all upper case before processing.
     - Processing – Split 14 characters into two 7-byte halves. Use each half as a DES key. Multiple encrypt each half and store in the Security Account Manager (SAM) database.
     Trouble is:
     - Encryption algorithm is known.
     - Only uses a 7-byte key (56 bits).
     - Easy to find the key. Why??

  8. LANMAN Passwords – Easy Cracking
     Character Set = Uppercase alpha, numeric, specials, and punctuation. About 80 symbols.
     N = S^L = 80^7 ≈ 2.1 × 10^13
     Time = (2.1 × 10^13) / (10^8 per sec) × (1 / (60 × 60 × 24)) = 2.4 days (really easier).
     Password = Choose “Karen12$”.
     - Becomes KAREN12$ (convert to upper case).
     - Becomes KAREN12 & $_______ (split & pad).
     - KAREN12 breaks with dictionary.
     - $_______ breaks with brute force.
     More like minutes to break!

  9. NT Passwords – Not So Easy Cracking
     Character Set = Upper & lower case alpha, numeric, specials and punctuation – about 106 characters.
     N = S^L = 106^14 ≈ 2.26 × 10^28
     Time = (2.26 × 10^28) / (10^8 per sec) × (1 / (60 × 60 × 24)) ≈ 2.62 × 10^15 days (harder).
     Now the issue becomes the quality of construction – remember we are assuming that all passwords are equally likely – this is theory! The real result is the historical work function for a large set of user-generated passwords. If poorly constructed, the dictionary will get them.
     Makes a very, very good audit tool for security folks!

  10. Password Cracking – Defenses
     - Implement a password policy – specify construction, changes, etc.
     - Move to NT passwords – easier said than done – legacy 9x systems.
     - Use Microsoft’s password filter (passfilt.dll) to enforce construction rules – forces strong passwords.
     - Protect the password SAM file (patches, backups, emergency disks).
     - Implement strongest Microsoft patches (e.g., SYSKEY with 128-bit encryption – better than DES).
     - Implement stronger authentication (one-time passwords, tokens, etc.).
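The audit side of slides 8–10 (the S^L work function, the independent LANMAN halves, and a construction filter in the spirit of passfilt.dll) as an added Python example; it is not code from the presentation, and the wordlist and leet table are constructed stand-ins for a real cracking dictionary:

```python
"""Defender-side password audit: flag passwords that a dictionary, hybrid, or
LANMAN-half attack would recover quickly.  Added example, not from the slides;
WORDLIST and LEET are constructed stand-ins for a real cracking dictionary."""

# Constructed wordlist standing in for a downloadable cracking dictionary.
WORDLIST = {"karen", "party", "royal", "password", "secret"}

# Hybrid tweaks the slides mention: r0ya1 -> royal, p$art%y -> party.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a"})
DECOR = "%$#!_-."                  # characters hybrid crackers insert between letters
DIGITS = "0123456789"
LM_SYMBOLS, NT_SYMBOLS = 80, 106   # symbol counts assumed on slides 8 and 9
RATE = 1e8                         # trial hashes per second assumed on the slides


def candidates(password):
    """Words a hybrid attack would try first: decorations removed, leet undone,
    leading/trailing digits stripped (Karen12$ -> karen, r0ya1 -> royal)."""
    base = "".join(ch for ch in password.lower() if ch not in DECOR)
    leet = base.translate(LEET)
    return {base, leet, base.strip(DIGITS), leet.strip(DIGITS)}


def work_days(symbols, length, rate=RATE):
    """Brute-force work function from the slides: S^L trials at `rate` per second, in days."""
    return symbols ** length / rate / (60 * 60 * 24)


def lm_halves(password):
    """LANMAN storage: upper-case, pad to 14 bytes, split into two independent 7-byte halves."""
    padded = password.upper().ljust(14, "\0")[:14]
    return padded[:7].rstrip("\0"), padded[7:].rstrip("\0")


def audit(password, wordlist=WORDLIST):
    """Return the weaknesses found; an empty list means the password passed the filter."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if candidates(password) & wordlist:
        findings.append("dictionary word after hybrid normalization")
    if len(password) <= 14:      # longer passwords cannot be stored as an LM hash at all
        first, second = lm_halves(password)
        days = work_days(LM_SYMBOLS, len(second))
        if days < 1:             # each half is cracked on its own, so a short tail is instant
            findings.append(f"LM second half {second!r} brute-forced in {days * 86400:.2g} s")
        if candidates(first) & wordlist:
            findings.append(f"LM first half {first!r} is a dictionary word")
    return findings
```

Running `audit("Karen12$")` reproduces slide 8: the first half falls to the dictionary and the lone `$` in the second half to a trivial brute force, while a 16-character password with no dictionary core returns no findings.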

  11. Unix Passwords – John The Ripper
     Very capable password cracker for Unix systems, including S/Key files and Kerberos Ticket Granting Tickets for the Andrew File System. Runs cross platform (Unix, DOS, 9x, NT).
     Takes a Unix password file as input – /etc/passwd or /etc/shadow.
     - /etc/passwd is a user-level public file
     - /etc/shadow requires root-level access
     Modes:
     - Dictionary (called wordlist) – specify a text file to use as a dictionary.
     - Brute force (called incremental mode) – tries all possible combinations.

  12. Unix Passwords – John The Ripper
     Modes (continued):
     - Single Crack mode – simplest mode.
     - External mode – provides the means to add external functions that can be used to generate passwords to try.
     Since Unix uses different hash/encryption algorithms, the program detects the encryption type:
     - DES and double-length DES
     - BSDI’s DES, OpenBSD’s Blowfish, FreeBSD’s MD5 hashes
     Others are out there: Crack, Cracker Jack.

  13. Password Cracking – Summary
     There are lots of crackers out there, some good, some bad, some so-so.
     - http://www.pwcrack.com offers services to crack over 48 systems (e.g., NT/2000/XP) or applications (e.g., Adobe PDF, WordPerfect, Quicken).
     - http://packetstorm.widexs.nl/Crackers/ lists over 200 different cracking programs.
     - There are even crackers (i.e., dictionaries) for other languages like Russian, Italian, etc.
     To get an idea of the breadth of interest in this subject, do a simple search on Google against “password crackers”.
