
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.


1 Nothing is Safe

2 Overview
- Why Passwords?
- Current Events
- Password Security & Cracking
- Tools
- Demonstrations: Linux, GPU, Windows
- Conclusions

3 Benefits of Using Passwords
- Security ... Is there any other reason?

4 The password landscape is changing. With increased computing power (and, in particular, with cheap GPUs), the time needed to crack a password is dropping significantly.

5 Password Events
- In 2009, three Filipino residents hacked thousands of phone networks for profit by exploiting default passwords left on private branch exchange (PBX) systems. (washingtonpost.com)
- June 2011: LulzSec hacked the FBI affiliate InfraGard. The stolen data included plaintext passwords that had been reused on other services and websites, leading to a wider-scale compromise. (naked security)
- Dec 2012: a 25-GPU cluster was demonstrated that checks 350 billion guesses/sec. It can crack any 8-character Windows NTLM password in less than 6 hours. (ars technica)
- Jan 2013: Google has been researching password-replacing technology. Currently this includes authentication via finger rings and USB cryptographic cards, and could potentially include wireless verification in the future. (wired)

6 Password Events (continued)
- In 2012, a Verizon analysis revealed that 90 percent of intrusions were the result of weak passwords, default passwords, reused passwords, or stolen credentials. (knowledge miner)

7 Password Security
- Windows recommendation: (screenshot on the original slide)

8 Password Security
University of Idaho's password requirements (allowed characters: A-Z, a-z, 0-9, symbols):

  Type        Expires in   Minimum length   Dictionary words
  Password    90 days      8 characters     none over 3 letters long
  Passphrase  400 days     15 characters    allowed

9 Brute Force Crack Times
- Class D: 10,000,000 passwords/sec. Fast PC, dual-processor PC.
- Class E: 100,000,000 passwords/sec. Workstation, or multiple PCs working together.
- Class F: 1,000,000,000 passwords/sec. Typical for medium to large scale distributed computing, supercomputers. (lockdown)
Note that these classes describe CPU cracking of a fast hash; the 25-GPU cluster from slide 5 (350 billion NTLM guesses/sec) is 350 times faster than Class F, and a slow, iterated hash lowers every class by orders of magnitude.

10 Cracking Helpers
- Dictionaries (wordlists):
  - Contain previously cracked passwords (leaked password lists)
  - Also contain dictionary words
  - May include custom wordlists for foreign languages
- Rainbow tables:
  - A precomputed table mapping hashes back to passwords (a time-memory trade-off)
  - Computationally expensive to produce
  - Lookup is quick once the table is generated
  - Only work against unsalted hashes: a per-user salt means the table would have to be rebuilt for every salt value

11 Password Salting
- A salt is random data that is combined with the password before hashing, so that two users with the same password get different hashes and a precomputed table (rainbow table or hashed wordlist) cannot be reused across accounts. Salting does not make an individual hash harder to guess; it forces the attacker to crack each account separately.
- Salts are usually generated at account creation time and stored alongside the password hash (commonly in the same field, as in the Unix crypt format). The salt is not a secret; its value is in being unique per account.
- When a user logs on, the stored salt is combined with the typed-in password and hashed; the result is compared with the stored password hash for verification.
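The following is an added example, not code from the original slides, that demonstrates the point of slides 10 and 11: a small precomputed hash table recovers every unsalted password it contains and finds users who share a password, while the same table is useless against per-user salted hashes, and verification simply recomputes with the stored salt. The user accounts, the candidate list and the `pbkdf2_sha256$iterations$salt$hash` storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob happen to share a weak password.
USERS = {"alice": "Summer2013", "bob": "Summer2013", "carol": "correct horse"}

# Constructed stand-in for a rainbow table / hashed wordlist: unsalted
# SHA-256 -> plaintext, built once and reused against every dumped hash.
CANDIDATES = ["password", "Summer2013", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in CANDIDATES}


def hash_unsalted(password):
    """The weak scheme: one global function of the password only."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None, iterations=100_000):
    """Random 16-byte salt per account plus PBKDF2-HMAC-SHA256.

    The salt is stored next to the derived key (assumed format:
    pbkdf2_sha256$iterations$salt_hex$dk_hex), exactly as the verifier needs it.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, _dk_hex = stored.split("$")
    candidate = hash_salted(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


def lookup_attack(hash_db):
    """Attacker side: map each dumped hash through the precomputed table."""
    return {user: PRECOMPUTED.get(h) for user, h in hash_db.items()}


def demo():
    unsalted_db = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: hash_salted(p) for u, p in USERS.items()}

    # Unsalted: equal passwords give equal hashes, and the table recovers them.
    same_hash = unsalted_db["alice"] == unsalted_db["bob"]
    cracked_unsalted = lookup_attack(unsalted_db)

    # Salted: the derived keys differ even for equal passwords, and the
    # table, built without the salts, matches nothing.
    salted_digests = {u: s.split("$")[3] for u, s in salted_db.items()}
    cracked_salted = lookup_attack(salted_digests)
    return same_hash, cracked_unsalted, cracked_salted, salted_db


if __name__ == "__main__":
    same, cu, cs, db = demo()
    print("alice/bob share an unsalted hash:", same)
    print("table vs unsalted:", cu)
    print("table vs salted:  ", cs)
    print("login check:", verify("Summer2013", db["alice"]), verify("summer2013", db["alice"]))
```

The attacker against the salted store is not blocked outright; they must run the slow PBKDF2 function once per candidate per account, which is exactly the per-account cost the salt (and the iteration count) is meant to impose.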

12 Tools – John the Ripper
- Attempts to crack hashed passwords in almost all commonly used hash formats using account information (login name and GECOS fields), wordlists, and brute force.
- JtR has three cracking modes:
  - single: mangles the login name and other account fields into candidates
  - wordlist: dictionary words, optionally mangled by word-mangling rules
  - incremental: exhaustive search ordered by character frequency
- Default behaviour is to run through each mode, in that order. (backreference)

13 Tools – Cain & Abel
- "Allows easy recovery of various kinds of passwords by: sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords, and analyzing routing protocols." (oxid)

14 Tools – Hashcat
- Hashcat is a multi-platform password cracking tool that can take advantage of your GPU; the oclHashcat-plus variant can run on up to 128 GPUs.
- It has 4 variants that can be used depending on your needs.

15 Tools – Hashcat
Attack modes:
- Combinator
- Dictionary
- Fingerprinting
- Mask
- Permutation
- Rules-based
- Table-based
- Toggle-case
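To make slides 12 and 15 concrete, here is an added example (not code from the original slides, and not the tools themselves) that implements, in miniature, two of the attack modes John the Ripper and hashcat share: a wordlist run through a few mangling rules (case toggling, appended years), followed by a hashcat-style mask attack (`?l?l?d?d`) against unsalted MD5 hashes, which is what `john --format=raw-md5` or `hashcat -m 0` would be pointed at. The target hashes, the wordlist and the rule set are constructed for the example.

```python
import hashlib
import itertools
import string

# Constructed hash dump: unsalted MD5 of three passwords the cracker does not know.
TARGET_HASHES = {
    hashlib.md5(b"Summer2013").hexdigest(): None,
    hashlib.md5(b"ab42").hexdigest(): None,
    hashlib.md5(b"PASSWORD").hexdigest(): None,
}

# Constructed, deliberately tiny wordlist.
WORDLIST = ["password", "summer", "letmein", "idaho"]

# Character classes of the hashcat mask syntax used below.
MASK_CHARSETS = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
}


def rules(word):
    """Rules-based mode: yield mangled candidates derived from one wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for year in range(2010, 2015):
        yield f"{word}{year}"
        yield f"{word.capitalize()}{year}"


def mask_candidates(mask):
    """Mask mode: expand e.g. '?l?l?d?d' into every string matching it."""
    sets = [MASK_CHARSETS[mask[i:i + 2]] for i in range(0, len(mask), 2)]
    for combo in itertools.product(*sets):
        yield "".join(combo)


def crack(hashes, candidates):
    """Hash every candidate once and fill in the plaintext for each matching target.

    This is the whole cost model of fast-hash cracking: one hash per guess, and
    a single pass serves every uncracked hash in the dump at the same time.
    """
    remaining = {h for h, pw in hashes.items() if pw is None}
    for cand in candidates:
        if not remaining:
            break
        digest = hashlib.md5(cand.encode()).hexdigest()
        if digest in remaining:
            hashes[digest] = cand
            remaining.discard(digest)
    return hashes


def run_attacks():
    """Wordlist+rules first, then a mask for the short letter/digit pattern."""
    hashes = dict(TARGET_HASHES)
    crack(hashes, (cand for word in WORDLIST for cand in rules(word)))
    crack(hashes, mask_candidates("?l?l?d?d"))
    return {h: pw for h, pw in hashes.items() if pw is not None}


if __name__ == "__main__":
    for digest, plaintext in run_attacks().items():
        print(f"{digest}:{plaintext}")
```

The mask run tries 26 * 26 * 10 * 10 = 67,600 candidates; the real tools do the same enumeration on a GPU at the rates quoted on slide 5, which is why a policy that only demands "letters plus digits" at 8 characters buys so little.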

16 Demonstrations
- John the Ripper
- Cain & Abel
- Hashcat

17 Conclusions
- Many password cracking utilities are free and readily available.
- With technological advances (Moore's Law), password cracking is becoming faster and easier.
- Because of these advances in password cracking, alternate authentication technologies are being developed.

18 Summary
- Why Passwords?
- Current Events
- Password Security and Crack Times
- Cracking Demonstrations

19 References
- http://support.uidaho.edu/2011/09/23/passphrases/
- http://support.uidaho.edu/security/password-guidelines/
- http://www.lockdown.co.uk/?pg=combi
- http://voices.washingtonpost.com/securityfix/2009/06/default_passwords_led_to_55_mi.html
- http://nakedsecurity.sophos.com/2011/06/04/infragard-atlanta-an-fbi-affiliate-hacked-by-lulzsec/
- http://www.wired.co.uk/magazine/archive/2013/01/features/hacked
- http://www.knowledgeminer.net/major-security-risks-for-this-year-2013.htm
- http://backreference.org/2009/10/26/password-recovery-with-john-the-ripper/
- http://www.wired.com/wiredenterprise/2013/01/google-password/all/
- http://hashcat.net/oclhashcat-plus/
- http://www.oxid.it/cain.html
- http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

