Downloaded 41 times
Uploaded bySam Bowne
CNIT 124: Ch 9: Password Attacks
The document discusses advanced ethical hacking techniques, specifically focusing on password attacks, management, and common vulnerabilities. It covers online and offline password attacks, strategies for cracking passwords, and the importance of strong password hashing techniques like salting and stretching. Additionally, it highlights the risks of poor password storage practices and the potential for password recovery from RAM.
More Related Content
Similar to CNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password Attacks
- 1. CNIT 124: Advanced Ethical Hacking Ch9: Password Attacks
- 2. Topics • Password Management •Online Password Attacks • Offline Password Attacks • Dumping Passwords from RAM
- 3.
- 4. Password Alternatives • Biometrics •Two-factor authentication • Digital certificates
- 5. Common Password Errors •Short passwords • Using dictionary words • Re-using passwords – Attackers know that a stolen password can often be re-used elsewhere
- 6. Password Reset • Aweak spot for cloud services, especially free ones
- 7.
- 8. Multiple Logins • Scriptstry to login with passwords from a list • Can be blocked by lockout policies – After five failed logins, must wait an hour • Brute-forcing is possible – Trying every combination of characters – Impractical except for very short passwords
- 9. Wordlists • Usernames – Lookat valid account names, try to deduce the pattern – CCSF uses first letter of first name, then last name, then 2 digits, like psmith01 – Find a list of real usernames, or use a list of common names
- 10. Password Lists • Packetstorm •For special purposes • Openwall has more general ones, but they cost money – Link Ch 9d
- 11. Targeting Wordlists • Useinformation about the targeted person • Such as a Facebook page • Generate passwords from clues – TaylorSwift13!
- 12. Cewl • Included inKali • Creates wordlist from URL, reading words from pages
- 13. Crunch • Generates awordlist from characters you specify (included in Kali)
- 14. Hydra • Online passwordcracker • Can use wordlists or pattens
- 15.
- 16. Getting the Hashes •Most operating systems and Web services now hash passwords – Although some use plaintext, and most use weak hashing techniques • Windows stores hashes in an encrypted C: WindowsSAM file, but the key is available in the SYSTEM file
- 17. Two Ways toStrengthen Hashes • Salting – Add random bytes before hashing – Store them with the hash – This prevents attackers from pre-computing 'Rainbow Tables" of hashes • Stretching – Many rounds, typically 5000, of hashing – Slows down attackers
- 18. SAM and SYSTEMFiles
- 19. Unavailable when Windowsis Running
- 20. Win 7 BackupFiles • Also unavailable when system is running • Win XP had C:WindowsRepair but it seems to be gone now
- 21. Reg.exe • Works onWindows 7 – Link Ch 8i
- 22. SAM is Encrypted •128-bit RC4
- 23. Key is inSYSTEM • apt-get install bkhive FAILS on Kali 2 • Must install old versions of bkhive and samdump2 (link Ch 8l)
- 24. Extracting Hashes • LMHash on the left (now obsolete) • NT hash on the right (designed in 1991)
- 25. Linux Boot Disk •You can gather hashes by booting the target system from a LiveCD or USB • Copy the files while Windows is not running
- 26. Cracking Windows Passwords •Hashcat tests 500,000 passwords in a few seconds – Because algorithm is 1 round of MD4 – Proj X16 in CNIT 123
- 27. Kali's Password Hashes •5000 rounds of SHA-512 with a salt • Mac OS X is the same
- 28. Cracking Kali Hashes •Can only try 500 words in a few seconds
- 29. John the Ripper& Hashcat • Cracks many types of hashes – Auto-detects the algorithm – Can perform brute force, or dictionary, or modified dictionary attacks • Hashcat is newer and claims to be faster • oclHashcat – Designed to run in parallel on many GPUs
- 30. CloudCracker • Moxie Marlinspike's service • Runson AWS machines
- 31.
- 32. Mimikatz Gets ClearPasswords from RAM
- 33. Stolen Password Lists •Lists of millions of real stolen passwords are now available • The rockyou list is included in Kali – in /usr/share/wordlists – Link Ch 9e
- 34.
- 35. • Hashed withMD5 (link Ch 9g)
- 36.
- 37.
- 38. Plaintext Passwords • Windowsstores the password of the currently logged-on user in RAM with "reversible encryption" • It can be recovered with Windows Credential Editor or mimikatz • No matter how long or complex it is
- 39. Analysis of StolenData Dumped by TEAMGHOSTSHELL on Aug 25, 2012
- 42. Password Storage: Awful BeyondBelief Plaintext, obvious, all the same
- 43. Plaintext Passwords, EasilyGuessed
- 45.
- 46.
- 47.
- 48.
- 49.
- 50.
- 51. Password Storage: Unsalted MD5or SHA-1 Real hashing, but very easy to crack
- 52. MIT – MD5Password Hashes
- 55.
- 56.
- 57.
- 58.
- 59. MySQL 5 PasswordHashes
- 60.
- 61.
- 62.
- 65.
- 66. Hashing Passwords • Threeessential steps – One-way hash function • MD5, SHA-1, SHA-256, etc. – Salt • Random characters added to each password • Prevents rainbow-table attack – Stretching • Repeat the hash function many times (typically 5000) • Make it take 50 ms to calculate the hash • Minimally slows login • Makes attack MUCH slower
- 68.
- 69. Popular Password Hashes Type Projectedtime to crack 1,000 hashes* Hash Function Salt (# chars) Stretching (# rounds) Drupal 7 1.7 years SHA-512 8 16385 Linux (Debian) 58 days SHA-512 8 5000 Wordpress 3.5.1 17 hours MD5 8 8193 Windows (all current versions) 5.4 min MD4 None 1 Joomla 4.6 min MD5 16 1 • Calculation assumes the passwords are found in a dictionary of 500,000 guesses • One virtual machine running Kali • A clusters of GPUs would be much faster