CNIT 124: Ch 9: Password Attacks
1 like978 views
The document discusses advanced ethical hacking techniques, specifically focusing on password attacks, management, and common vulnerabilities. It covers online and offline password attacks, strategies for cracking passwords, and the importance of strong password hashing techniques like salting and stretching. Additionally, it highlights the risks of poor password storage practices and the potential for password recovery from RAM.
CNIT 124: Ch 9: Password Attacks
- 1. CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks
- 2. Topics • Password Management • Online Password Attacks • Offline Password Attacks • Dumping Passwords from RAM
- 4. Password Alternatives • Biometrics • Two-factor authentication • Digital certificates
- 5. Common Password Errors • Short passwords • Using dictionary words • Re-using passwords – Attackers know that a stolen password can often be re-used elsewhere
- 6. Password Reset • A weak spot for cloud services, especially free ones
- 8. Multiple Logins • Scripts try to login with passwords from a list • Can be blocked by lockout policies – After five failed logins, must wait an hour • Brute-forcing is possible – Trying every combination of characters – Impractical except for very short passwords
- 9. Wordlists • Usernames – Look at valid account names, try to deduce the pattern – CCSF uses first letter of first name, then last name, then 2 digits, like psmith01 – Find a list of real usernames, or use a list of common names
- 10. Password Lists • Packetstorm • For special purposes • Openwall has more general ones, but they cost money – Link Ch 9d
- 11. Targeting Wordlists • Use information about the targeted person • Such as a Facebook page • Generate passwords from clues – TaylorSwift13!
- 12. Cewl • Included in Kali • Creates wordlist from URL, reading words from pages
- 13. Crunch • Generates a wordlist from characters you specify (included in Kali)
- 14. Hydra • Online password cracker • Can use wordlists or pattens
- 16. Getting the Hashes • Most operating systems and Web services now hash passwords – Although some use plaintext, and most use weak hashing techniques • Windows stores hashes in an encrypted C: WindowsSAM file, but the key is available in the SYSTEM file
- 17. Two Ways to Strengthen Hashes • Salting – Add random bytes before hashing – Store them with the hash – This prevents attackers from pre-computing 'Rainbow Tables" of hashes • Stretching – Many rounds, typically 5000, of hashing – Slows down attackers
- 18. SAM and SYSTEM Files
- 19. Unavailable when Windows is Running
- 20. Win 7 Backup Files • Also unavailable when system is running • Win XP had C:WindowsRepair but it seems to be gone now
- 21. Reg.exe • Works on Windows 7 – Link Ch 8i
- 22. SAM is Encrypted • 128-bit RC4
- 23. Key is in SYSTEM • apt-get install bkhive FAILS on Kali 2 • Must install old versions of bkhive and samdump2 (link Ch 8l)
- 24. Extracting Hashes • LM Hash on the left (now obsolete) • NT hash on the right (designed in 1991)
- 25. Linux Boot Disk • You can gather hashes by booting the target system from a LiveCD or USB • Copy the files while Windows is not running
- 26. Cracking Windows Passwords • Hashcat tests 500,000 passwords in a few seconds – Because algorithm is 1 round of MD4 – Proj X16 in CNIT 123
- 27. Kali's Password Hashes • 5000 rounds of SHA-512 with a salt • Mac OS X is the same
- 28. Cracking Kali Hashes • Can only try 500 words in a few seconds
- 29. John the Ripper & Hashcat • Cracks many types of hashes – Auto-detects the algorithm – Can perform brute force, or dictionary, or modified dictionary attacks • Hashcat is newer and claims to be faster • oclHashcat – Designed to run in parallel on many GPUs
- 30. CloudCracker • Moxie Marlinspike's service • Runs on AWS machines
- 31. Cheap!
- 32. Mimikatz Gets Clear Passwords from RAM
- 33. Stolen Password Lists • Lists of millions of real stolen passwords are now available • The rockyou list is included in Kali – in /usr/share/wordlists – Link Ch 9e
- 35. • Hashed with MD5 (link Ch 9g)
- 36. • Link Ch 9h
- 37. Dumping Passwords from RAM
- 38. Plaintext Passwords • Windows stores the password of the currently logged-on user in RAM with "reversible encryption" • It can be recovered with Windows Credential Editor or mimikatz • No matter how long or complex it is
- 39. Analysis of Stolen Data Dumped by TEAMGHOSTSHELL on Aug 25, 2012
- 42. Password Storage: Awful Beyond Belief Plaintext, obvious, all the same
- 43. Plaintext Passwords, Easily Guessed
- 46. Beforward Transactions with PII
- 48. Password Storage: BASE64 Obfuscated, not hashed
- 49. Beforward.jp
- 50. BASE64 Encoding
- 51. Password Storage: Unsalted MD5 or SHA-1 Real hashing, but very easy to crack
- 52. MIT – MD5 Password Hashes
- 56. Cracking Hashes with Cain
- 57. SHA-1 Hash
- 58. Cracked!
- 59. MySQL 5 Password Hashes
- 61. Relative Space
- 62. Cracked!
- 66. Hashing Passwords • Three essential steps – One-way hash function • MD5, SHA-1, SHA-256, etc. – Salt • Random characters added to each password • Prevents rainbow-table attack – Stretching • Repeat the hash function many times (typically 5000) • Make it take 50 ms to calculate the hash • Minimally slows login • Makes attack MUCH slower
- 68. The Right Way
- 69. Popular Password Hashes Type Projected time to crack 1,000 hashes* Hash Function Salt (# chars) Stretching (# rounds) Drupal 7 1.7 years SHA-512 8 16385 Linux (Debian) 58 days SHA-512 8 5000 Wordpress 3.5.1 17 hours MD5 8 8193 Windows (all current versions) 5.4 min MD4 None 1 Joomla 4.6 min MD5 16 1 • Calculation assumes the passwords are found in a dictionary of 500,000 guesses • One virtual machine running Kali • A clusters of GPUs would be much faster